GMER 2.1.19163 - http://www.gmer.net Rootkit scan 2013-10-19 17:28:31 Windows 6.2.9200 x64 \Device\Harddisk0\DR0 -> \Device\00000035 ST1000LM024_HN-M101MBB rev.2AR10002 931,51GB Running: m57g1hli.exe; Driver: C:\Users\Czesiu\AppData\Local\Temp\aftoqpoc.sys ---- User code sections - GMER 2.1 ---- .text C:\windows\System32\smss.exe[356] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000007f866842c90 5 bytes JMP 000007f8e6a10460 .text C:\windows\System32\smss.exe[356] C:\windows\SYSTEM32\ntdll.dll!NtQueryObject 000007f866842ce0 5 bytes JMP 000007f8e6a10450 .text C:\windows\System32\smss.exe[356] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess 000007f866842e40 5 bytes JMP 000007f8e6a10370 .text C:\windows\System32\smss.exe[356] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000007f866842e90 5 bytes JMP 000007f8e6a10470 .text C:\windows\System32\smss.exe[356] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000007f866842ea0 5 bytes JMP 000007f8e6a103e0 .text C:\windows\System32\smss.exe[356] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 000007f866842f50 5 bytes JMP 000007f8e6a10320 .text C:\windows\System32\smss.exe[356] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000007f866842f80 5 bytes JMP 000007f8e6a103b0 .text C:\windows\System32\smss.exe[356] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000007f866842fa0 5 bytes JMP 000007f8e6a10390 .text C:\windows\System32\smss.exe[356] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 000007f866842fe0 5 bytes JMP 000007f8e6a102e0 .text C:\windows\System32\smss.exe[356] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 000007f866843060 5 bytes JMP 000007f8e6a102d0 .text C:\windows\System32\smss.exe[356] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 000007f866843080 1 byte JMP 000007f8e6a10310 .text C:\windows\System32\smss.exe[356] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection + 2 000007f866843082 3 bytes {JMP 0xffffffff801cd290} .text C:\windows\System32\smss.exe[356] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 000007f8668430c0 5 bytes JMP 000007f8e6a103c0 .text C:\windows\System32\smss.exe[356] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 000007f866843110 5 bytes JMP 000007f8e6a103f0 .text C:\windows\System32\smss.exe[356] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000007f866843281 5 bytes JMP 000007f8e6a10230 .text C:\windows\System32\smss.exe[356] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000007f866843471 5 bytes JMP 000007f8e6a10480 .text C:\windows\System32\smss.exe[356] C:\windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000007f8668434a1 5 bytes JMP 000007f8e6a103a0 .text C:\windows\System32\smss.exe[356] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000007f8668435b1 5 bytes JMP 000007f8e6a102f0 .text C:\windows\System32\smss.exe[356] C:\windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000007f8668435d1 5 bytes JMP 000007f8e6a10350 .text C:\windows\System32\smss.exe[356] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 000007f866843641 5 bytes JMP 000007f8e6a10290 .text C:\windows\System32\smss.exe[356] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000007f8668436d1 5 bytes JMP 000007f8e6a102b0 .text C:\windows\System32\smss.exe[356] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000007f8668436f1 5 bytes JMP 000007f8e6a103d0 .text C:\windows\System32\smss.exe[356] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer 000007f866843701 5 bytes JMP 000007f8e6a10330 .text C:\windows\System32\smss.exe[356] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000007f8668437a1 5 bytes JMP 000007f8e6a10410 .text C:\windows\System32\smss.exe[356] C:\windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000007f8668437d1 5 bytes JMP 000007f8e6a10240 .text C:\windows\System32\smss.exe[356] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 000007f866843ae1 5 bytes JMP 000007f8e6a101e0 .text C:\windows\System32\smss.exe[356] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000007f866843ba1 5 bytes JMP 000007f8e6a10250 .text C:\windows\System32\smss.exe[356] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000007f866843bd1 5 bytes JMP 000007f8e6a10490 .text C:\windows\System32\smss.exe[356] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000007f866843be1 5 bytes JMP 000007f8e6a104a0 .text C:\windows\System32\smss.exe[356] C:\windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000007f866843c11 5 bytes JMP 000007f8e6a10300 .text C:\windows\System32\smss.exe[356] C:\windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000007f866843c21 5 bytes JMP 000007f8e6a10360 .text C:\windows\System32\smss.exe[356] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 000007f866843c81 5 bytes JMP 000007f8e6a102a0 .text C:\windows\System32\smss.exe[356] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000007f866843cd1 5 bytes JMP 000007f8e6a102c0 .text C:\windows\System32\smss.exe[356] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread 000007f866843d01 5 bytes JMP 000007f8e6a10380 .text C:\windows\System32\smss.exe[356] C:\windows\SYSTEM32\ntdll.dll!NtOpenTimer 000007f866843d11 5 bytes JMP 000007f8e6a10340 .text C:\windows\System32\smss.exe[356] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000007f866844021 5 bytes JMP 000007f8e6a10440 .text C:\windows\System32\smss.exe[356] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000007f866844221 5 bytes JMP 000007f8e6a10260 .text C:\windows\System32\smss.exe[356] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000007f866844231 5 bytes JMP 000007f8e6a10270 .text C:\windows\System32\smss.exe[356] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 000007f866844251 5 bytes JMP 000007f8e6a10400 .text C:\windows\System32\smss.exe[356] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000007f866844431 5 bytes JMP 000007f8e6a101f0 .text C:\windows\System32\smss.exe[356] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000007f866844441 5 bytes JMP 000007f8e6a10210 .text C:\windows\System32\smss.exe[356] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000007f8668444b1 5 bytes JMP 000007f8e6a10200 .text C:\windows\System32\smss.exe[356] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000007f866844521 5 bytes JMP 000007f8e6a10420 .text C:\windows\System32\smss.exe[356] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread 000007f866844531 5 bytes JMP 000007f8e6a10430 .text C:\windows\System32\smss.exe[356] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000007f866844541 5 bytes JMP 000007f8e6a10220 .text C:\windows\System32\smss.exe[356] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl 000007f866844651 5 bytes JMP 000007f8e6a10280 .text C:\windows\system32\csrss.exe[492] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000007f866842c90 5 bytes JMP 000007f8e6a10460 .text C:\windows\system32\csrss.exe[492] C:\windows\SYSTEM32\ntdll.dll!NtQueryObject 000007f866842ce0 5 bytes JMP 000007f8e6a10450 .text C:\windows\system32\csrss.exe[492] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess 000007f866842e40 5 bytes JMP 000007f8e6a10370 .text C:\windows\system32\csrss.exe[492] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000007f866842e90 5 bytes JMP 000007f8e6a10470 .text C:\windows\system32\csrss.exe[492] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000007f866842ea0 5 bytes JMP 000007f8e6a103e0 .text C:\windows\system32\csrss.exe[492] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 000007f866842f50 5 bytes JMP 000007f8e6a10320 .text C:\windows\system32\csrss.exe[492] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000007f866842f80 5 bytes JMP 000007f8e6a103b0 .text C:\windows\system32\csrss.exe[492] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000007f866842fa0 5 bytes JMP 000007f8e6a10390 .text C:\windows\system32\csrss.exe[492] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 000007f866842fe0 5 bytes JMP 000007f8e6a102e0 .text C:\windows\system32\csrss.exe[492] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 000007f866843060 5 bytes JMP 000007f8e6a102d0 .text C:\windows\system32\csrss.exe[492] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 000007f866843080 1 byte JMP 000007f8e6a10310 .text C:\windows\system32\csrss.exe[492] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection + 2 000007f866843082 3 bytes {JMP 0xffffffff801cd290} .text C:\windows\system32\csrss.exe[492] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 000007f8668430c0 5 bytes JMP 000007f8e6a103c0 .text C:\windows\system32\csrss.exe[492] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 000007f866843110 5 bytes JMP 000007f8e6a103f0 .text C:\windows\system32\csrss.exe[492] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000007f866843281 5 bytes JMP 000007f8e6a10230 .text C:\windows\system32\csrss.exe[492] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000007f866843471 5 bytes JMP 000007f8e6a10480 .text C:\windows\system32\csrss.exe[492] C:\windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000007f8668434a1 5 bytes JMP 000007f8e6a103a0 .text C:\windows\system32\csrss.exe[492] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000007f8668435b1 5 bytes JMP 000007f8e6a102f0 .text C:\windows\system32\csrss.exe[492] C:\windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000007f8668435d1 5 bytes JMP 000007f8e6a10350 .text C:\windows\system32\csrss.exe[492] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 000007f866843641 5 bytes JMP 000007f8e6a10290 .text C:\windows\system32\csrss.exe[492] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000007f8668436d1 5 bytes JMP 000007f8e6a102b0 .text C:\windows\system32\csrss.exe[492] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000007f8668436f1 5 bytes JMP 000007f8e6a103d0 .text C:\windows\system32\csrss.exe[492] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer 000007f866843701 5 bytes JMP 000007f8e6a10330 .text C:\windows\system32\csrss.exe[492] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000007f8668437a1 5 bytes JMP 000007f8e6a10410 .text C:\windows\system32\csrss.exe[492] C:\windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000007f8668437d1 5 bytes JMP 000007f8e6a10240 .text C:\windows\system32\csrss.exe[492] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 000007f866843ae1 5 bytes JMP 000007f8e6a101e0 .text C:\windows\system32\csrss.exe[492] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000007f866843ba1 5 bytes JMP 000007f8e6a10250 .text C:\windows\system32\csrss.exe[492] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000007f866843bd1 5 bytes JMP 000007f8e6a10490 .text C:\windows\system32\csrss.exe[492] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000007f866843be1 5 bytes JMP 000007f8e6a104a0 .text C:\windows\system32\csrss.exe[492] C:\windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000007f866843c11 5 bytes JMP 000007f8e6a10300 .text C:\windows\system32\csrss.exe[492] C:\windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000007f866843c21 5 bytes JMP 000007f8e6a10360 .text C:\windows\system32\csrss.exe[492] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 000007f866843c81 5 bytes JMP 000007f8e6a102a0 .text C:\windows\system32\csrss.exe[492] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000007f866843cd1 5 bytes JMP 000007f8e6a102c0 .text C:\windows\system32\csrss.exe[492] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread 000007f866843d01 5 bytes JMP 000007f8e6a10380 .text C:\windows\system32\csrss.exe[492] C:\windows\SYSTEM32\ntdll.dll!NtOpenTimer 000007f866843d11 5 bytes JMP 000007f8e6a10340 .text C:\windows\system32\csrss.exe[492] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000007f866844021 5 bytes JMP 000007f8e6a10440 .text C:\windows\system32\csrss.exe[492] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000007f866844221 5 bytes JMP 000007f8e6a10260 .text C:\windows\system32\csrss.exe[492] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000007f866844231 5 bytes JMP 000007f8e6a10270 .text C:\windows\system32\csrss.exe[492] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 000007f866844251 5 bytes JMP 000007f8e6a10400 .text C:\windows\system32\csrss.exe[492] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000007f866844431 5 bytes JMP 000007f8e6a101f0 .text C:\windows\system32\csrss.exe[492] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000007f866844441 5 bytes JMP 000007f8e6a10210 .text C:\windows\system32\csrss.exe[492] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000007f8668444b1 5 bytes JMP 000007f8e6a10200 .text C:\windows\system32\csrss.exe[492] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000007f866844521 5 bytes JMP 000007f8e6a10420 .text C:\windows\system32\csrss.exe[492] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread 000007f866844531 5 bytes JMP 000007f8e6a10430 .text C:\windows\system32\csrss.exe[492] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000007f866844541 5 bytes JMP 000007f8e6a10220 .text C:\windows\system32\csrss.exe[492] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl 000007f866844651 5 bytes JMP 000007f8e6a10280 .text C:\windows\system32\csrss.exe[492] C:\windows\SYSTEM32\kernel32.dll!GetBinaryTypeW + 163 000007f86648f7eb 1 byte [62] .text C:\windows\system32\wininit.exe[556] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000007f866842c90 5 bytes JMP 000007f8e6a10460 .text C:\windows\system32\wininit.exe[556] C:\windows\SYSTEM32\ntdll.dll!NtQueryObject 000007f866842ce0 5 bytes JMP 000007f8e6a10450 .text C:\windows\system32\wininit.exe[556] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess 000007f866842e40 5 bytes JMP 000007f8e6a10370 .text C:\windows\system32\wininit.exe[556] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000007f866842e90 5 bytes JMP 000007f8e6a10470 .text C:\windows\system32\wininit.exe[556] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000007f866842ea0 5 bytes JMP 000007f8e6a103e0 .text C:\windows\system32\wininit.exe[556] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 000007f866842f50 5 bytes JMP 000007f8e6a10320 .text C:\windows\system32\wininit.exe[556] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000007f866842f80 5 bytes JMP 000007f8e6a103b0 .text C:\windows\system32\wininit.exe[556] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000007f866842fa0 5 bytes JMP 000007f8e6a10390 .text C:\windows\system32\wininit.exe[556] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 000007f866842fe0 5 bytes JMP 000007f8e6a102e0 .text C:\windows\system32\wininit.exe[556] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 000007f866843060 5 bytes JMP 000007f8e6a102d0 .text C:\windows\system32\wininit.exe[556] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 000007f866843080 1 byte JMP 000007f8e6a10310 .text C:\windows\system32\wininit.exe[556] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection + 2 000007f866843082 3 bytes {JMP 0xffffffff801cd290} .text C:\windows\system32\wininit.exe[556] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 000007f8668430c0 5 bytes JMP 000007f8e6a103c0 .text C:\windows\system32\wininit.exe[556] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 000007f866843110 5 bytes JMP 000007f8e6a103f0 .text C:\windows\system32\wininit.exe[556] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000007f866843281 5 bytes JMP 000007f8e6a10230 .text C:\windows\system32\wininit.exe[556] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000007f866843471 5 bytes JMP 000007f8e6a10480 .text C:\windows\system32\wininit.exe[556] C:\windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000007f8668434a1 5 bytes JMP 000007f8e6a103a0 .text C:\windows\system32\wininit.exe[556] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000007f8668435b1 5 bytes JMP 000007f8e6a102f0 .text C:\windows\system32\wininit.exe[556] C:\windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000007f8668435d1 5 bytes JMP 000007f8e6a10350 .text C:\windows\system32\wininit.exe[556] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 000007f866843641 5 bytes JMP 000007f8e6a10290 .text C:\windows\system32\wininit.exe[556] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000007f8668436d1 5 bytes JMP 000007f8e6a102b0 .text C:\windows\system32\wininit.exe[556] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000007f8668436f1 5 bytes JMP 000007f8e6a103d0 .text C:\windows\system32\wininit.exe[556] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer 000007f866843701 5 bytes JMP 000007f8e6a10330 .text C:\windows\system32\wininit.exe[556] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000007f8668437a1 5 bytes JMP 000007f8e6a10410 .text C:\windows\system32\wininit.exe[556] C:\windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000007f8668437d1 5 bytes JMP 000007f8e6a10240 .text C:\windows\system32\wininit.exe[556] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 000007f866843ae1 5 bytes JMP 000007f8e6a101e0 .text C:\windows\system32\wininit.exe[556] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000007f866843ba1 5 bytes JMP 000007f8e6a10250 .text C:\windows\system32\wininit.exe[556] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000007f866843bd1 5 bytes JMP 000007f8e6a10490 .text C:\windows\system32\wininit.exe[556] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000007f866843be1 5 bytes JMP 000007f8e6a104a0 .text C:\windows\system32\wininit.exe[556] C:\windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000007f866843c11 5 bytes JMP 000007f8e6a10300 .text C:\windows\system32\wininit.exe[556] C:\windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000007f866843c21 5 bytes JMP 000007f8e6a10360 .text C:\windows\system32\wininit.exe[556] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 000007f866843c81 5 bytes JMP 000007f8e6a102a0 .text C:\windows\system32\wininit.exe[556] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000007f866843cd1 5 bytes JMP 000007f8e6a102c0 .text C:\windows\system32\wininit.exe[556] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread 000007f866843d01 5 bytes JMP 000007f8e6a10380 .text C:\windows\system32\wininit.exe[556] C:\windows\SYSTEM32\ntdll.dll!NtOpenTimer 000007f866843d11 5 bytes JMP 000007f8e6a10340 .text C:\windows\system32\wininit.exe[556] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000007f866844021 5 bytes JMP 000007f8e6a10440 .text C:\windows\system32\wininit.exe[556] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000007f866844221 5 bytes JMP 000007f8e6a10260 .text C:\windows\system32\wininit.exe[556] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000007f866844231 5 bytes JMP 000007f8e6a10270 .text C:\windows\system32\wininit.exe[556] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 000007f866844251 5 bytes JMP 000007f8e6a10400 .text C:\windows\system32\wininit.exe[556] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000007f866844431 5 bytes JMP 000007f8e6a101f0 .text C:\windows\system32\wininit.exe[556] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000007f866844441 5 bytes JMP 000007f8e6a10210 .text C:\windows\system32\wininit.exe[556] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000007f8668444b1 5 bytes JMP 000007f8e6a10200 .text C:\windows\system32\wininit.exe[556] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000007f866844521 5 bytes JMP 000007f8e6a10420 .text C:\windows\system32\wininit.exe[556] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread 000007f866844531 5 bytes JMP 000007f8e6a10430 .text C:\windows\system32\wininit.exe[556] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000007f866844541 5 bytes JMP 000007f8e6a10220 .text C:\windows\system32\wininit.exe[556] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl 000007f866844651 5 bytes JMP 000007f8e6a10280 .text C:\windows\system32\services.exe[656] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000007f866842c90 5 bytes JMP 000007f8e6a10460 .text C:\windows\system32\services.exe[656] C:\windows\SYSTEM32\ntdll.dll!NtQueryObject 000007f866842ce0 5 bytes JMP 000007f8e6a10450 .text C:\windows\system32\services.exe[656] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess 000007f866842e40 5 bytes JMP 000007f8e6a10370 .text C:\windows\system32\services.exe[656] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000007f866842e90 5 bytes JMP 000007f8e6a10470 .text C:\windows\system32\services.exe[656] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000007f866842ea0 5 bytes JMP 000007f8e6a103e0 .text C:\windows\system32\services.exe[656] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 000007f866842f50 5 bytes JMP 000007f8e6a10320 .text C:\windows\system32\services.exe[656] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000007f866842f80 5 bytes JMP 000007f8e6a103b0 .text C:\windows\system32\services.exe[656] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000007f866842fa0 5 bytes JMP 000007f8e6a10390 .text C:\windows\system32\services.exe[656] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 000007f866842fe0 5 bytes JMP 000007f8e6a102e0 .text C:\windows\system32\services.exe[656] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 000007f866843060 5 bytes JMP 000007f8e6a102d0 .text C:\windows\system32\services.exe[656] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 000007f866843080 1 byte JMP 000007f8e6a10310 .text C:\windows\system32\services.exe[656] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection + 2 000007f866843082 3 bytes {JMP 0xffffffff801cd290} .text C:\windows\system32\services.exe[656] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 000007f8668430c0 5 bytes JMP 000007f8e6a103c0 .text C:\windows\system32\services.exe[656] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 000007f866843110 5 bytes JMP 000007f8e6a103f0 .text C:\windows\system32\services.exe[656] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000007f866843281 5 bytes JMP 000007f8e6a10230 .text C:\windows\system32\services.exe[656] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000007f866843471 5 bytes JMP 000007f8e6a10480 .text C:\windows\system32\services.exe[656] C:\windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000007f8668434a1 5 bytes JMP 000007f8e6a103a0 .text C:\windows\system32\services.exe[656] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000007f8668435b1 5 bytes JMP 000007f8e6a102f0 .text C:\windows\system32\services.exe[656] C:\windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000007f8668435d1 5 bytes JMP 000007f8e6a10350 .text C:\windows\system32\services.exe[656] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 000007f866843641 5 bytes JMP 000007f8e6a10290 .text C:\windows\system32\services.exe[656] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000007f8668436d1 5 bytes JMP 000007f8e6a102b0 .text C:\windows\system32\services.exe[656] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000007f8668436f1 5 bytes JMP 000007f8e6a103d0 .text C:\windows\system32\services.exe[656] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer 000007f866843701 5 bytes JMP 000007f8e6a10330 .text C:\windows\system32\services.exe[656] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000007f8668437a1 5 bytes JMP 000007f8e6a10410 .text C:\windows\system32\services.exe[656] C:\windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000007f8668437d1 5 bytes JMP 000007f8e6a10240 .text C:\windows\system32\services.exe[656] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 000007f866843ae1 5 bytes JMP 000007f8e6a101e0 .text C:\windows\system32\services.exe[656] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000007f866843ba1 5 bytes JMP 000007f8e6a10250 .text C:\windows\system32\services.exe[656] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000007f866843bd1 5 bytes JMP 000007f8e6a10490 .text C:\windows\system32\services.exe[656] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000007f866843be1 5 bytes JMP 000007f8e6a104a0 .text C:\windows\system32\services.exe[656] C:\windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000007f866843c11 5 bytes JMP 000007f8e6a10300 .text C:\windows\system32\services.exe[656] C:\windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000007f866843c21 5 bytes JMP 000007f8e6a10360 .text C:\windows\system32\services.exe[656] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 000007f866843c81 5 bytes JMP 000007f8e6a102a0 .text C:\windows\system32\services.exe[656] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000007f866843cd1 5 bytes JMP 000007f8e6a102c0 .text C:\windows\system32\services.exe[656] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread 000007f866843d01 5 bytes JMP 000007f8e6a10380 .text C:\windows\system32\services.exe[656] C:\windows\SYSTEM32\ntdll.dll!NtOpenTimer 000007f866843d11 5 bytes JMP 000007f8e6a10340 .text C:\windows\system32\services.exe[656] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000007f866844021 5 bytes JMP 000007f8e6a10440 .text C:\windows\system32\services.exe[656] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000007f866844221 5 bytes JMP 000007f8e6a10260 .text C:\windows\system32\services.exe[656] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000007f866844231 5 bytes JMP 000007f8e6a10270 .text C:\windows\system32\services.exe[656] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 000007f866844251 5 bytes JMP 000007f8e6a10400 .text C:\windows\system32\services.exe[656] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000007f866844431 5 bytes JMP 000007f8e6a101f0 .text C:\windows\system32\services.exe[656] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000007f866844441 5 bytes JMP 000007f8e6a10210 .text C:\windows\system32\services.exe[656] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000007f8668444b1 5 bytes JMP 000007f8e6a10200 .text C:\windows\system32\services.exe[656] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000007f866844521 5 bytes JMP 000007f8e6a10420 .text C:\windows\system32\services.exe[656] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread 000007f866844531 5 bytes JMP 000007f8e6a10430 .text C:\windows\system32\services.exe[656] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000007f866844541 5 bytes JMP 000007f8e6a10220 .text C:\windows\system32\services.exe[656] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl 000007f866844651 5 bytes JMP 000007f8e6a10280 .text C:\windows\system32\services.exe[656] C:\windows\system32\KERNEL32.DLL!GetBinaryTypeW + 163 000007f86648f7eb 1 byte [62] .text C:\windows\system32\lsass.exe[664] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000007f866842c90 5 bytes JMP 000007f8e6a10460 .text C:\windows\system32\lsass.exe[664] C:\windows\SYSTEM32\ntdll.dll!NtQueryObject 000007f866842ce0 5 bytes JMP 000007f8e6a10450 .text C:\windows\system32\lsass.exe[664] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess 000007f866842e40 5 bytes JMP 000007f8e6a10370 .text C:\windows\system32\lsass.exe[664] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000007f866842e90 5 bytes JMP 000007f8e6a10470 .text C:\windows\system32\lsass.exe[664] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000007f866842ea0 5 bytes JMP 000007f8e6a103e0 .text C:\windows\system32\lsass.exe[664] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 000007f866842f50 5 bytes JMP 000007f8e6a10320 .text C:\windows\system32\lsass.exe[664] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000007f866842f80 5 bytes JMP 000007f8e6a103b0 .text C:\windows\system32\lsass.exe[664] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000007f866842fa0 5 bytes JMP 000007f8e6a10390 .text C:\windows\system32\lsass.exe[664] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 000007f866842fe0 5 bytes JMP 000007f8e6a102e0 .text C:\windows\system32\lsass.exe[664] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 000007f866843060 5 bytes JMP 000007f8e6a102d0 .text C:\windows\system32\lsass.exe[664] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 000007f866843080 1 byte JMP 000007f8e6a10310 .text C:\windows\system32\lsass.exe[664] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection + 2 000007f866843082 3 bytes {JMP 0xffffffff801cd290} .text C:\windows\system32\lsass.exe[664] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 000007f8668430c0 5 bytes JMP 000007f8e6a103c0 .text C:\windows\system32\lsass.exe[664] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 000007f866843110 5 bytes JMP 000007f8e6a103f0 .text C:\windows\system32\lsass.exe[664] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000007f866843281 5 bytes JMP 000007f8e6a10230 .text C:\windows\system32\lsass.exe[664] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000007f866843471 5 bytes JMP 000007f8e6a10480 .text C:\windows\system32\lsass.exe[664] C:\windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000007f8668434a1 5 bytes JMP 000007f8e6a103a0 .text C:\windows\system32\lsass.exe[664] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000007f8668435b1 5 bytes JMP 000007f8e6a102f0 .text C:\windows\system32\lsass.exe[664] C:\windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000007f8668435d1 5 bytes JMP 000007f8e6a10350 .text C:\windows\system32\lsass.exe[664] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 000007f866843641 5 bytes JMP 000007f8e6a10290 .text C:\windows\system32\lsass.exe[664] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000007f8668436d1 5 bytes JMP 000007f8e6a102b0 .text C:\windows\system32\lsass.exe[664] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000007f8668436f1 5 bytes JMP 000007f8e6a103d0 .text C:\windows\system32\lsass.exe[664] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer 000007f866843701 5 bytes JMP 000007f8e6a10330 .text C:\windows\system32\lsass.exe[664] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000007f8668437a1 5 bytes JMP 000007f8e6a10410 .text C:\windows\system32\lsass.exe[664] C:\windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000007f8668437d1 5 bytes JMP 000007f8e6a10240 .text C:\windows\system32\lsass.exe[664] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 000007f866843ae1 5 bytes JMP 000007f8e6a101e0 .text C:\windows\system32\lsass.exe[664] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000007f866843ba1 5 bytes JMP 000007f8e6a10250 .text C:\windows\system32\lsass.exe[664] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000007f866843bd1 5 bytes JMP 000007f8e6a10490 .text C:\windows\system32\lsass.exe[664] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000007f866843be1 5 bytes JMP 000007f8e6a104a0 .text C:\windows\system32\lsass.exe[664] C:\windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000007f866843c11 5 bytes JMP 000007f8e6a10300 .text C:\windows\system32\lsass.exe[664] C:\windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000007f866843c21 5 bytes JMP 000007f8e6a10360 .text C:\windows\system32\lsass.exe[664] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 000007f866843c81 5 bytes JMP 000007f8e6a102a0 .text C:\windows\system32\lsass.exe[664] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000007f866843cd1 5 bytes JMP 000007f8e6a102c0 .text C:\windows\system32\lsass.exe[664] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread 000007f866843d01 5 bytes JMP 000007f8e6a10380 .text C:\windows\system32\lsass.exe[664] C:\windows\SYSTEM32\ntdll.dll!NtOpenTimer 000007f866843d11 5 bytes JMP 000007f8e6a10340 .text C:\windows\system32\lsass.exe[664] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000007f866844021 5 bytes JMP 000007f8e6a10440 .text C:\windows\system32\lsass.exe[664] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000007f866844221 5 bytes JMP 000007f8e6a10260 .text C:\windows\system32\lsass.exe[664] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000007f866844231 5 bytes JMP 000007f8e6a10270 .text C:\windows\system32\lsass.exe[664] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 000007f866844251 5 bytes JMP 000007f8e6a10400 .text C:\windows\system32\lsass.exe[664] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000007f866844431 5 bytes JMP 000007f8e6a101f0 .text C:\windows\system32\lsass.exe[664] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000007f866844441 5 bytes JMP 000007f8e6a10210 .text C:\windows\system32\lsass.exe[664] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000007f8668444b1 5 bytes JMP 000007f8e6a10200 .text C:\windows\system32\lsass.exe[664] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000007f866844521 5 bytes JMP 000007f8e6a10420 .text C:\windows\system32\lsass.exe[664] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread 000007f866844531 5 bytes JMP 000007f8e6a10430 .text C:\windows\system32\lsass.exe[664] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000007f866844541 5 bytes JMP 000007f8e6a10220 .text C:\windows\system32\lsass.exe[664] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl 000007f866844651 5 bytes JMP 000007f8e6a10280 .text C:\windows\system32\svchost.exe[768] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000007f866842c90 5 bytes JMP 000007f8e6a10460 .text C:\windows\system32\svchost.exe[768] C:\windows\SYSTEM32\ntdll.dll!NtQueryObject 000007f866842ce0 5 bytes JMP 000007f8e6a10450 .text C:\windows\system32\svchost.exe[768] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess 000007f866842e40 5 bytes JMP 000007f8e6a10370 .text C:\windows\system32\svchost.exe[768] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000007f866842e90 5 bytes JMP 000007f8e6a10470 .text C:\windows\system32\svchost.exe[768] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000007f866842ea0 5 bytes JMP 000007f8e6a103e0 .text C:\windows\system32\svchost.exe[768] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 000007f866842f50 5 bytes JMP 000007f8e6a10320 .text C:\windows\system32\svchost.exe[768] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000007f866842f80 5 bytes JMP 000007f8e6a103b0 .text C:\windows\system32\svchost.exe[768] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000007f866842fa0 5 bytes JMP 000007f8e6a10390 .text C:\windows\system32\svchost.exe[768] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 000007f866842fe0 5 bytes JMP 000007f8e6a102e0 .text C:\windows\system32\svchost.exe[768] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 000007f866843060 5 bytes JMP 000007f8e6a102d0 .text C:\windows\system32\svchost.exe[768] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 000007f866843080 1 byte JMP 000007f8e6a10310 .text C:\windows\system32\svchost.exe[768] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection + 2 000007f866843082 3 bytes {JMP 0xffffffff801cd290} .text C:\windows\system32\svchost.exe[768] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 000007f8668430c0 5 bytes JMP 000007f8e6a103c0 .text C:\windows\system32\svchost.exe[768] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 000007f866843110 5 bytes JMP 000007f8e6a103f0 .text C:\windows\system32\svchost.exe[768] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000007f866843281 5 bytes JMP 000007f8e6a10230 .text C:\windows\system32\svchost.exe[768] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000007f866843471 5 bytes JMP 000007f8e6a10480 .text C:\windows\system32\svchost.exe[768] C:\windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000007f8668434a1 5 bytes JMP 000007f8e6a103a0 .text C:\windows\system32\svchost.exe[768] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000007f8668435b1 5 bytes JMP 000007f8e6a102f0 .text C:\windows\system32\svchost.exe[768] C:\windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000007f8668435d1 5 bytes JMP 000007f8e6a10350 .text C:\windows\system32\svchost.exe[768] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 000007f866843641 5 bytes JMP 000007f8e6a10290 .text C:\windows\system32\svchost.exe[768] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000007f8668436d1 5 bytes JMP 000007f8e6a102b0 .text C:\windows\system32\svchost.exe[768] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000007f8668436f1 5 bytes JMP 000007f8e6a103d0 .text C:\windows\system32\svchost.exe[768] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer 000007f866843701 5 bytes JMP 000007f8e6a10330 .text C:\windows\system32\svchost.exe[768] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000007f8668437a1 5 bytes JMP 000007f8e6a10410 .text C:\windows\system32\svchost.exe[768] C:\windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000007f8668437d1 5 bytes JMP 000007f8e6a10240 .text C:\windows\system32\svchost.exe[768] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 000007f866843ae1 5 bytes JMP 000007f8e6a101e0 .text C:\windows\system32\svchost.exe[768] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000007f866843ba1 5 bytes JMP 000007f8e6a10250 .text C:\windows\system32\svchost.exe[768] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000007f866843bd1 5 bytes JMP 000007f8e6a10490 .text C:\windows\system32\svchost.exe[768] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000007f866843be1 5 bytes JMP 000007f8e6a104a0 .text C:\windows\system32\svchost.exe[768] C:\windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000007f866843c11 5 bytes JMP 000007f8e6a10300 .text C:\windows\system32\svchost.exe[768] C:\windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000007f866843c21 5 bytes JMP 000007f8e6a10360 .text C:\windows\system32\svchost.exe[768] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 000007f866843c81 5 bytes JMP 000007f8e6a102a0 .text C:\windows\system32\svchost.exe[768] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000007f866843cd1 5 bytes JMP 000007f8e6a102c0 .text C:\windows\system32\svchost.exe[768] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread 000007f866843d01 5 bytes JMP 000007f8e6a10380 .text C:\windows\system32\svchost.exe[768] C:\windows\SYSTEM32\ntdll.dll!NtOpenTimer 000007f866843d11 5 bytes JMP 000007f8e6a10340 .text C:\windows\system32\svchost.exe[768] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000007f866844021 5 bytes JMP 000007f8e6a10440 .text C:\windows\system32\svchost.exe[768] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000007f866844221 5 bytes JMP 000007f8e6a10260 .text C:\windows\system32\svchost.exe[768] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000007f866844231 5 bytes JMP 000007f8e6a10270 .text C:\windows\system32\svchost.exe[768] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 000007f866844251 5 bytes JMP 000007f8e6a10400 .text C:\windows\system32\svchost.exe[768] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000007f866844431 5 bytes JMP 000007f8e6a101f0 .text C:\windows\system32\svchost.exe[768] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000007f866844441 5 bytes JMP 000007f8e6a10210 .text C:\windows\system32\svchost.exe[768] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000007f8668444b1 5 bytes JMP 000007f8e6a10200 .text C:\windows\system32\svchost.exe[768] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000007f866844521 5 bytes JMP 000007f8e6a10420 .text C:\windows\system32\svchost.exe[768] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread 000007f866844531 5 bytes JMP 000007f8e6a10430 .text C:\windows\system32\svchost.exe[768] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000007f866844541 5 bytes JMP 000007f8e6a10220 .text C:\windows\system32\svchost.exe[768] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl 000007f866844651 5 bytes JMP 000007f8e6a10280 .text C:\windows\system32\svchost.exe[768] C:\windows\system32\KERNEL32.DLL!GetBinaryTypeW + 163 000007f86648f7eb 1 byte [62] .text C:\windows\system32\nvvsvc.exe[832] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000007f866842c90 5 bytes JMP 000007f8e6a10460 .text C:\windows\system32\nvvsvc.exe[832] C:\windows\SYSTEM32\ntdll.dll!NtQueryObject 000007f866842ce0 5 bytes JMP 000007f8e6a10450 .text C:\windows\system32\nvvsvc.exe[832] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess 000007f866842e40 5 bytes JMP 000007f8e6a10370 .text C:\windows\system32\nvvsvc.exe[832] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000007f866842e90 5 bytes JMP 000007f8e6a10470 .text C:\windows\system32\nvvsvc.exe[832] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000007f866842ea0 5 bytes JMP 000007f8e6a103e0 .text C:\windows\system32\nvvsvc.exe[832] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 000007f866842f50 5 bytes JMP 000007f8e6a10320 .text C:\windows\system32\nvvsvc.exe[832] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000007f866842f80 5 bytes JMP 000007f8e6a103b0 .text C:\windows\system32\nvvsvc.exe[832] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000007f866842fa0 5 bytes JMP 000007f8e6a10390 .text C:\windows\system32\nvvsvc.exe[832] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 000007f866842fe0 5 bytes JMP 000007f8e6a102e0 .text C:\windows\system32\nvvsvc.exe[832] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 000007f866843060 5 bytes JMP 000007f8e6a102d0 .text C:\windows\system32\nvvsvc.exe[832] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 000007f866843080 1 byte JMP 000007f8e6a10310 .text C:\windows\system32\nvvsvc.exe[832] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection + 2 000007f866843082 3 bytes {JMP 0xffffffff801cd290} .text C:\windows\system32\nvvsvc.exe[832] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 000007f8668430c0 5 bytes JMP 000007f8e6a103c0 .text C:\windows\system32\nvvsvc.exe[832] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 000007f866843110 5 bytes JMP 000007f8e6a103f0 .text C:\windows\system32\nvvsvc.exe[832] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000007f866843281 5 bytes JMP 000007f8e6a10230 .text C:\windows\system32\nvvsvc.exe[832] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000007f866843471 5 bytes JMP 000007f8e6a10480 .text C:\windows\system32\nvvsvc.exe[832] C:\windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000007f8668434a1 5 bytes JMP 000007f8e6a103a0 .text C:\windows\system32\nvvsvc.exe[832] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000007f8668435b1 5 bytes JMP 000007f8e6a102f0 .text C:\windows\system32\nvvsvc.exe[832] C:\windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000007f8668435d1 5 bytes JMP 000007f8e6a10350 .text C:\windows\system32\nvvsvc.exe[832] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 000007f866843641 5 bytes JMP 000007f8e6a10290 .text C:\windows\system32\nvvsvc.exe[832] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000007f8668436d1 5 bytes JMP 000007f8e6a102b0 .text C:\windows\system32\nvvsvc.exe[832] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000007f8668436f1 5 bytes JMP 000007f8e6a103d0 .text C:\windows\system32\nvvsvc.exe[832] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer 000007f866843701 5 bytes JMP 000007f8e6a10330 .text C:\windows\system32\nvvsvc.exe[832] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000007f8668437a1 5 bytes JMP 000007f8e6a10410 .text C:\windows\system32\nvvsvc.exe[832] C:\windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000007f8668437d1 5 bytes JMP 000007f8e6a10240 .text C:\windows\system32\nvvsvc.exe[832] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 000007f866843ae1 5 bytes JMP 000007f8e6a101e0 .text C:\windows\system32\nvvsvc.exe[832] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000007f866843ba1 5 bytes JMP 000007f8e6a10250 .text C:\windows\system32\nvvsvc.exe[832] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000007f866843bd1 5 bytes JMP 000007f8e6a10490 .text C:\windows\system32\nvvsvc.exe[832] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000007f866843be1 5 bytes JMP 000007f8e6a104a0 .text C:\windows\system32\nvvsvc.exe[832] C:\windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000007f866843c11 5 bytes JMP 000007f8e6a10300 .text C:\windows\system32\nvvsvc.exe[832] C:\windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000007f866843c21 5 bytes JMP 000007f8e6a10360 .text C:\windows\system32\nvvsvc.exe[832] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 000007f866843c81 5 bytes JMP 000007f8e6a102a0 .text C:\windows\system32\nvvsvc.exe[832] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000007f866843cd1 5 bytes JMP 000007f8e6a102c0 .text C:\windows\system32\nvvsvc.exe[832] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread 000007f866843d01 5 bytes JMP 000007f8e6a10380 .text C:\windows\system32\nvvsvc.exe[832] C:\windows\SYSTEM32\ntdll.dll!NtOpenTimer 000007f866843d11 5 bytes JMP 000007f8e6a10340 .text C:\windows\system32\nvvsvc.exe[832] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000007f866844021 5 bytes JMP 000007f8e6a10440 .text C:\windows\system32\nvvsvc.exe[832] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000007f866844221 5 bytes JMP 000007f8e6a10260 .text C:\windows\system32\nvvsvc.exe[832] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000007f866844231 5 bytes JMP 000007f8e6a10270 .text C:\windows\system32\nvvsvc.exe[832] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 000007f866844251 5 bytes JMP 000007f8e6a10400 .text C:\windows\system32\nvvsvc.exe[832] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000007f866844431 5 bytes JMP 000007f8e6a101f0 .text C:\windows\system32\nvvsvc.exe[832] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000007f866844441 5 bytes JMP 000007f8e6a10210 .text C:\windows\system32\nvvsvc.exe[832] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000007f8668444b1 5 bytes JMP 000007f8e6a10200 .text C:\windows\system32\nvvsvc.exe[832] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000007f866844521 5 bytes JMP 000007f8e6a10420 .text C:\windows\system32\nvvsvc.exe[832] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread 000007f866844531 5 bytes JMP 000007f8e6a10430 .text C:\windows\system32\nvvsvc.exe[832] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000007f866844541 5 bytes JMP 000007f8e6a10220 .text C:\windows\system32\nvvsvc.exe[832] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl 000007f866844651 5 bytes JMP 000007f8e6a10280 .text C:\windows\system32\svchost.exe[876] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000007f866842c90 5 bytes JMP 000007f8e6a10460 .text C:\windows\system32\svchost.exe[876] C:\windows\SYSTEM32\ntdll.dll!NtQueryObject 000007f866842ce0 5 bytes JMP 000007f8e6a10450 .text C:\windows\system32\svchost.exe[876] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess 000007f866842e40 5 bytes JMP 000007f8e6a10370 .text C:\windows\system32\svchost.exe[876] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000007f866842e90 5 bytes JMP 000007f8e6a10470 .text C:\windows\system32\svchost.exe[876] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000007f866842ea0 5 bytes JMP 000007f8e6a103e0 .text C:\windows\system32\svchost.exe[876] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 000007f866842f50 5 bytes JMP 000007f8e6a10320 .text C:\windows\system32\svchost.exe[876] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000007f866842f80 5 bytes JMP 000007f8e6a103b0 .text C:\windows\system32\svchost.exe[876] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000007f866842fa0 5 bytes JMP 000007f8e6a10390 .text C:\windows\system32\svchost.exe[876] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 000007f866842fe0 5 bytes JMP 000007f8e6a102e0 .text C:\windows\system32\svchost.exe[876] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 000007f866843060 5 bytes JMP 000007f8e6a102d0 .text C:\windows\system32\svchost.exe[876] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 000007f866843080 1 byte JMP 000007f8e6a10310 .text C:\windows\system32\svchost.exe[876] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection + 2 000007f866843082 3 bytes {JMP 0xffffffff801cd290} .text C:\windows\system32\svchost.exe[876] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 000007f8668430c0 5 bytes JMP 000007f8e6a103c0 .text C:\windows\system32\svchost.exe[876] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 000007f866843110 5 bytes JMP 000007f8e6a103f0 .text C:\windows\system32\svchost.exe[876] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000007f866843281 5 bytes JMP 000007f8e6a10230 .text C:\windows\system32\svchost.exe[876] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000007f866843471 5 bytes JMP 000007f8e6a10480 .text C:\windows\system32\svchost.exe[876] C:\windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000007f8668434a1 5 bytes JMP 000007f8e6a103a0 .text C:\windows\system32\svchost.exe[876] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000007f8668435b1 5 bytes JMP 000007f8e6a102f0 .text C:\windows\system32\svchost.exe[876] C:\windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000007f8668435d1 5 bytes JMP 000007f8e6a10350 .text C:\windows\system32\svchost.exe[876] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 000007f866843641 5 bytes JMP 000007f8e6a10290 .text C:\windows\system32\svchost.exe[876] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000007f8668436d1 5 bytes JMP 000007f8e6a102b0 .text C:\windows\system32\svchost.exe[876] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000007f8668436f1 5 bytes JMP 000007f8e6a103d0 .text C:\windows\system32\svchost.exe[876] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer 000007f866843701 5 bytes JMP 000007f8e6a10330 .text C:\windows\system32\svchost.exe[876] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000007f8668437a1 5 bytes JMP 000007f8e6a10410 .text C:\windows\system32\svchost.exe[876] C:\windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000007f8668437d1 5 bytes JMP 000007f8e6a10240 .text C:\windows\system32\svchost.exe[876] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 000007f866843ae1 5 bytes JMP 000007f8e6a101e0 .text C:\windows\system32\svchost.exe[876] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000007f866843ba1 5 bytes JMP 000007f8e6a10250 .text C:\windows\system32\svchost.exe[876] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000007f866843bd1 5 bytes JMP 000007f8e6a10490 .text C:\windows\system32\svchost.exe[876] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000007f866843be1 5 bytes JMP 000007f8e6a104a0 .text C:\windows\system32\svchost.exe[876] C:\windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000007f866843c11 5 bytes JMP 000007f8e6a10300 .text C:\windows\system32\svchost.exe[876] C:\windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000007f866843c21 5 bytes JMP 000007f8e6a10360 .text C:\windows\system32\svchost.exe[876] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 000007f866843c81 5 bytes JMP 000007f8e6a102a0 .text C:\windows\system32\svchost.exe[876] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000007f866843cd1 5 bytes JMP 000007f8e6a102c0 .text C:\windows\system32\svchost.exe[876] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread 000007f866843d01 5 bytes JMP 000007f8e6a10380 .text C:\windows\system32\svchost.exe[876] C:\windows\SYSTEM32\ntdll.dll!NtOpenTimer 000007f866843d11 5 bytes JMP 000007f8e6a10340 .text C:\windows\system32\svchost.exe[876] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000007f866844021 5 bytes JMP 000007f8e6a10440 .text C:\windows\system32\svchost.exe[876] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000007f866844221 5 bytes JMP 000007f8e6a10260 .text C:\windows\system32\svchost.exe[876] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000007f866844231 5 bytes JMP 000007f8e6a10270 .text C:\windows\system32\svchost.exe[876] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 000007f866844251 5 bytes JMP 000007f8e6a10400 .text C:\windows\system32\svchost.exe[876] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000007f866844431 5 bytes JMP 000007f8e6a101f0 .text C:\windows\system32\svchost.exe[876] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000007f866844441 5 bytes JMP 000007f8e6a10210 .text C:\windows\system32\svchost.exe[876] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000007f8668444b1 5 bytes JMP 000007f8e6a10200 .text C:\windows\system32\svchost.exe[876] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000007f866844521 5 bytes JMP 000007f8e6a10420 .text C:\windows\system32\svchost.exe[876] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread 000007f866844531 5 bytes JMP 000007f8e6a10430 .text C:\windows\system32\svchost.exe[876] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000007f866844541 5 bytes JMP 000007f8e6a10220 .text C:\windows\system32\svchost.exe[876] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl 000007f866844651 5 bytes JMP 000007f8e6a10280 .text C:\windows\system32\svchost.exe[876] C:\windows\system32\KERNEL32.DLL!GetBinaryTypeW + 163 000007f86648f7eb 1 byte [62] .text C:\windows\System32\svchost.exe[936] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000007f866842c90 5 bytes JMP 000007f8e6a10460 .text C:\windows\System32\svchost.exe[936] C:\windows\SYSTEM32\ntdll.dll!NtQueryObject 000007f866842ce0 5 bytes JMP 000007f8e6a10450 .text C:\windows\System32\svchost.exe[936] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess 000007f866842e40 5 bytes JMP 000007f8e6a10370 .text C:\windows\System32\svchost.exe[936] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000007f866842e90 5 bytes JMP 000007f8e6a10470 .text C:\windows\System32\svchost.exe[936] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000007f866842ea0 5 bytes JMP 000007f8e6a103e0 .text C:\windows\System32\svchost.exe[936] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 000007f866842f50 5 bytes JMP 000007f8e6a10320 .text C:\windows\System32\svchost.exe[936] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000007f866842f80 5 bytes JMP 000007f8e6a103b0 .text C:\windows\System32\svchost.exe[936] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000007f866842fa0 5 bytes JMP 000007f8e6a10390 .text C:\windows\System32\svchost.exe[936] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 000007f866842fe0 5 bytes JMP 000007f8e6a102e0 .text C:\windows\System32\svchost.exe[936] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 000007f866843060 5 bytes JMP 000007f8e6a102d0 .text C:\windows\System32\svchost.exe[936] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 000007f866843080 1 byte JMP 000007f8e6a10310 .text C:\windows\System32\svchost.exe[936] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection + 2 000007f866843082 3 bytes {JMP 0xffffffff801cd290} .text C:\windows\System32\svchost.exe[936] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 000007f8668430c0 5 bytes JMP 000007f8e6a103c0 .text C:\windows\System32\svchost.exe[936] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 000007f866843110 5 bytes JMP 000007f8e6a103f0 .text C:\windows\System32\svchost.exe[936] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000007f866843281 5 bytes JMP 000007f8e6a10230 .text C:\windows\System32\svchost.exe[936] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000007f866843471 5 bytes JMP 000007f8e6a10480 .text C:\windows\System32\svchost.exe[936] C:\windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000007f8668434a1 5 bytes JMP 000007f8e6a103a0 .text C:\windows\System32\svchost.exe[936] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000007f8668435b1 5 bytes JMP 000007f8e6a102f0 .text C:\windows\System32\svchost.exe[936] C:\windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000007f8668435d1 5 bytes JMP 000007f8e6a10350 .text C:\windows\System32\svchost.exe[936] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 000007f866843641 5 bytes JMP 000007f8e6a10290 .text C:\windows\System32\svchost.exe[936] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000007f8668436d1 5 bytes JMP 000007f8e6a102b0 .text C:\windows\System32\svchost.exe[936] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000007f8668436f1 5 bytes JMP 000007f8e6a103d0 .text C:\windows\System32\svchost.exe[936] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer 000007f866843701 5 bytes JMP 000007f8e6a10330 .text C:\windows\System32\svchost.exe[936] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000007f8668437a1 5 bytes JMP 000007f8e6a10410 .text C:\windows\System32\svchost.exe[936] C:\windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000007f8668437d1 5 bytes JMP 000007f8e6a10240 .text C:\windows\System32\svchost.exe[936] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 000007f866843ae1 5 bytes JMP 000007f8e6a101e0 .text C:\windows\System32\svchost.exe[936] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000007f866843ba1 5 bytes JMP 000007f8e6a10250 .text C:\windows\System32\svchost.exe[936] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000007f866843bd1 5 bytes JMP 000007f8e6a10490 .text C:\windows\System32\svchost.exe[936] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000007f866843be1 5 bytes JMP 000007f8e6a104a0 .text C:\windows\System32\svchost.exe[936] C:\windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000007f866843c11 5 bytes JMP 000007f8e6a10300 .text C:\windows\System32\svchost.exe[936] C:\windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000007f866843c21 5 bytes JMP 000007f8e6a10360 .text C:\windows\System32\svchost.exe[936] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 000007f866843c81 5 bytes JMP 000007f8e6a102a0 .text C:\windows\System32\svchost.exe[936] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000007f866843cd1 5 bytes JMP 000007f8e6a102c0 .text C:\windows\System32\svchost.exe[936] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread 000007f866843d01 5 bytes JMP 000007f8e6a10380 .text C:\windows\System32\svchost.exe[936] C:\windows\SYSTEM32\ntdll.dll!NtOpenTimer 000007f866843d11 5 bytes JMP 000007f8e6a10340 .text C:\windows\System32\svchost.exe[936] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000007f866844021 5 bytes JMP 000007f8e6a10440 .text C:\windows\System32\svchost.exe[936] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000007f866844221 5 bytes JMP 000007f8e6a10260 .text C:\windows\System32\svchost.exe[936] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000007f866844231 5 bytes JMP 000007f8e6a10270 .text C:\windows\System32\svchost.exe[936] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 000007f866844251 5 bytes JMP 000007f8e6a10400 .text C:\windows\System32\svchost.exe[936] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000007f866844431 5 bytes JMP 000007f8e6a101f0 .text C:\windows\System32\svchost.exe[936] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000007f866844441 5 bytes JMP 000007f8e6a10210 .text C:\windows\System32\svchost.exe[936] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000007f8668444b1 5 bytes JMP 000007f8e6a10200 .text C:\windows\System32\svchost.exe[936] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000007f866844521 5 bytes JMP 000007f8e6a10420 .text C:\windows\System32\svchost.exe[936] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread 000007f866844531 5 bytes JMP 000007f8e6a10430 .text C:\windows\System32\svchost.exe[936] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000007f866844541 5 bytes JMP 000007f8e6a10220 .text C:\windows\System32\svchost.exe[936] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl 000007f866844651 5 bytes JMP 000007f8e6a10280 .text C:\windows\System32\svchost.exe[936] C:\windows\system32\KERNEL32.DLL!GetBinaryTypeW + 163 000007f86648f7eb 1 byte [62] .text C:\windows\system32\svchost.exe[964] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000007f866842c90 5 bytes JMP 000007f8e6a10460 .text C:\windows\system32\svchost.exe[964] C:\windows\SYSTEM32\ntdll.dll!NtQueryObject 000007f866842ce0 5 bytes JMP 000007f8e6a10450 .text C:\windows\system32\svchost.exe[964] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess 000007f866842e40 5 bytes JMP 000007f8e6a10370 .text C:\windows\system32\svchost.exe[964] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000007f866842e90 5 bytes JMP 000007f8e6a10470 .text C:\windows\system32\svchost.exe[964] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000007f866842ea0 5 bytes JMP 000007f8e6a103e0 .text C:\windows\system32\svchost.exe[964] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 000007f866842f50 5 bytes JMP 000007f8e6a10320 .text C:\windows\system32\svchost.exe[964] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000007f866842f80 5 bytes JMP 000007f8e6a103b0 .text C:\windows\system32\svchost.exe[964] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000007f866842fa0 5 bytes JMP 000007f8e6a10390 .text C:\windows\system32\svchost.exe[964] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 000007f866842fe0 5 bytes JMP 000007f8e6a102e0 .text C:\windows\system32\svchost.exe[964] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 000007f866843060 5 bytes JMP 000007f8e6a102d0 .text C:\windows\system32\svchost.exe[964] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 000007f866843080 1 byte JMP 000007f8e6a10310 .text C:\windows\system32\svchost.exe[964] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection + 2 000007f866843082 3 bytes {JMP 0xffffffff801cd290} .text C:\windows\system32\svchost.exe[964] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 000007f8668430c0 5 bytes JMP 000007f8e6a103c0 .text C:\windows\system32\svchost.exe[964] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 000007f866843110 5 bytes JMP 000007f8e6a103f0 .text C:\windows\system32\svchost.exe[964] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000007f866843281 5 bytes JMP 000007f8e6a10230 .text C:\windows\system32\svchost.exe[964] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000007f866843471 5 bytes JMP 000007f8e6a10480 .text C:\windows\system32\svchost.exe[964] C:\windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000007f8668434a1 5 bytes JMP 000007f8e6a103a0 .text C:\windows\system32\svchost.exe[964] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000007f8668435b1 5 bytes JMP 000007f8e6a102f0 .text C:\windows\system32\svchost.exe[964] C:\windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000007f8668435d1 5 bytes JMP 000007f8e6a10350 .text C:\windows\system32\svchost.exe[964] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 000007f866843641 5 bytes JMP 000007f8e6a10290 .text C:\windows\system32\svchost.exe[964] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000007f8668436d1 5 bytes JMP 000007f8e6a102b0 .text C:\windows\system32\svchost.exe[964] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000007f8668436f1 5 bytes JMP 000007f8e6a103d0 .text C:\windows\system32\svchost.exe[964] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer 000007f866843701 5 bytes JMP 000007f8e6a10330 .text C:\windows\system32\svchost.exe[964] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000007f8668437a1 5 bytes JMP 000007f8e6a10410 .text C:\windows\system32\svchost.exe[964] C:\windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000007f8668437d1 5 bytes JMP 000007f8e6a10240 .text C:\windows\system32\svchost.exe[964] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 000007f866843ae1 5 bytes JMP 000007f8e6a101e0 .text C:\windows\system32\svchost.exe[964] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000007f866843ba1 5 bytes JMP 000007f8e6a10250 .text C:\windows\system32\svchost.exe[964] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000007f866843bd1 5 bytes JMP 000007f8e6a10490 .text C:\windows\system32\svchost.exe[964] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000007f866843be1 5 bytes JMP 000007f8e6a104a0 .text C:\windows\system32\svchost.exe[964] C:\windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000007f866843c11 5 bytes JMP 000007f8e6a10300 .text C:\windows\system32\svchost.exe[964] C:\windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000007f866843c21 5 bytes JMP 000007f8e6a10360 .text C:\windows\system32\svchost.exe[964] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 000007f866843c81 5 bytes JMP 000007f8e6a102a0 .text C:\windows\system32\svchost.exe[964] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000007f866843cd1 5 bytes JMP 000007f8e6a102c0 .text C:\windows\system32\svchost.exe[964] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread 000007f866843d01 5 bytes JMP 000007f8e6a10380 .text C:\windows\system32\svchost.exe[964] C:\windows\SYSTEM32\ntdll.dll!NtOpenTimer 000007f866843d11 5 bytes JMP 000007f8e6a10340 .text C:\windows\system32\svchost.exe[964] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000007f866844021 5 bytes JMP 000007f8e6a10440 .text C:\windows\system32\svchost.exe[964] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000007f866844221 5 bytes JMP 000007f8e6a10260 .text C:\windows\system32\svchost.exe[964] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000007f866844231 5 bytes JMP 000007f8e6a10270 .text C:\windows\system32\svchost.exe[964] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 000007f866844251 5 bytes JMP 000007f8e6a10400 .text C:\windows\system32\svchost.exe[964] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000007f866844431 5 bytes JMP 000007f8e6a101f0 .text C:\windows\system32\svchost.exe[964] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000007f866844441 5 bytes JMP 000007f8e6a10210 .text C:\windows\system32\svchost.exe[964] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000007f8668444b1 5 bytes JMP 000007f8e6a10200 .text C:\windows\system32\svchost.exe[964] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000007f866844521 5 bytes JMP 000007f8e6a10420 .text C:\windows\system32\svchost.exe[964] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread 000007f866844531 5 bytes JMP 000007f8e6a10430 .text C:\windows\system32\svchost.exe[964] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000007f866844541 5 bytes JMP 000007f8e6a10220 .text C:\windows\system32\svchost.exe[964] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl 000007f866844651 5 bytes JMP 000007f8e6a10280 .text C:\windows\system32\svchost.exe[964] C:\windows\system32\KERNEL32.DLL!GetBinaryTypeW + 163 000007f86648f7eb 1 byte [62] .text C:\windows\system32\svchost.exe[996] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000007f866842c90 5 bytes JMP 000007f8e6a10460 .text C:\windows\system32\svchost.exe[996] C:\windows\SYSTEM32\ntdll.dll!NtQueryObject 000007f866842ce0 5 bytes JMP 000007f8e6a10450 .text C:\windows\system32\svchost.exe[996] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess 000007f866842e40 5 bytes JMP 000007f8e6a10370 .text C:\windows\system32\svchost.exe[996] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000007f866842e90 5 bytes JMP 000007f8e6a10470 .text C:\windows\system32\svchost.exe[996] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000007f866842ea0 5 bytes JMP 000007f8e6a103e0 .text C:\windows\system32\svchost.exe[996] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 000007f866842f50 5 bytes JMP 000007f8e6a10320 .text C:\windows\system32\svchost.exe[996] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000007f866842f80 5 bytes JMP 000007f8e6a103b0 .text C:\windows\system32\svchost.exe[996] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000007f866842fa0 5 bytes JMP 000007f8e6a10390 .text C:\windows\system32\svchost.exe[996] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 000007f866842fe0 5 bytes JMP 000007f8e6a102e0 .text C:\windows\system32\svchost.exe[996] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 000007f866843060 5 bytes JMP 000007f8e6a102d0 .text C:\windows\system32\svchost.exe[996] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 000007f866843080 1 byte JMP 000007f8e6a10310 .text C:\windows\system32\svchost.exe[996] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection + 2 000007f866843082 3 bytes {JMP 0xffffffff801cd290} .text C:\windows\system32\svchost.exe[996] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 000007f8668430c0 5 bytes JMP 000007f8e6a103c0 .text C:\windows\system32\svchost.exe[996] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 000007f866843110 5 bytes JMP 000007f8e6a103f0 .text C:\windows\system32\svchost.exe[996] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000007f866843281 5 bytes JMP 000007f8e6a10230 .text C:\windows\system32\svchost.exe[996] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000007f866843471 5 bytes JMP 000007f8e6a10480 .text C:\windows\system32\svchost.exe[996] C:\windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000007f8668434a1 5 bytes JMP 000007f8e6a103a0 .text C:\windows\system32\svchost.exe[996] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000007f8668435b1 5 bytes JMP 000007f8e6a102f0 .text C:\windows\system32\svchost.exe[996] C:\windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000007f8668435d1 5 bytes JMP 000007f8e6a10350 .text C:\windows\system32\svchost.exe[996] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 000007f866843641 5 bytes JMP 000007f8e6a10290 .text C:\windows\system32\svchost.exe[996] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000007f8668436d1 5 bytes JMP 000007f8e6a102b0 .text C:\windows\system32\svchost.exe[996] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000007f8668436f1 5 bytes JMP 000007f8e6a103d0 .text C:\windows\system32\svchost.exe[996] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer 000007f866843701 5 bytes JMP 000007f8e6a10330 .text C:\windows\system32\svchost.exe[996] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000007f8668437a1 5 bytes JMP 000007f8e6a10410 .text C:\windows\system32\svchost.exe[996] C:\windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000007f8668437d1 5 bytes JMP 000007f8e6a10240 .text C:\windows\system32\svchost.exe[996] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 000007f866843ae1 5 bytes JMP 000007f8e6a101e0 .text C:\windows\system32\svchost.exe[996] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000007f866843ba1 5 bytes JMP 000007f8e6a10250 .text C:\windows\system32\svchost.exe[996] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000007f866843bd1 5 bytes JMP 000007f8e6a10490 .text C:\windows\system32\svchost.exe[996] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000007f866843be1 5 bytes JMP 000007f8e6a104a0 .text C:\windows\system32\svchost.exe[996] C:\windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000007f866843c11 5 bytes JMP 000007f8e6a10300 .text C:\windows\system32\svchost.exe[996] C:\windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000007f866843c21 5 bytes JMP 000007f8e6a10360 .text C:\windows\system32\svchost.exe[996] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 000007f866843c81 5 bytes JMP 000007f8e6a102a0 .text C:\windows\system32\svchost.exe[996] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000007f866843cd1 5 bytes JMP 000007f8e6a102c0 .text C:\windows\system32\svchost.exe[996] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread 000007f866843d01 5 bytes JMP 000007f8e6a10380 .text C:\windows\system32\svchost.exe[996] C:\windows\SYSTEM32\ntdll.dll!NtOpenTimer 000007f866843d11 5 bytes JMP 000007f8e6a10340 .text C:\windows\system32\svchost.exe[996] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000007f866844021 5 bytes JMP 000007f8e6a10440 .text C:\windows\system32\svchost.exe[996] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000007f866844221 5 bytes JMP 000007f8e6a10260 .text C:\windows\system32\svchost.exe[996] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000007f866844231 5 bytes JMP 000007f8e6a10270 .text C:\windows\system32\svchost.exe[996] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 000007f866844251 5 bytes JMP 000007f8e6a10400 .text C:\windows\system32\svchost.exe[996] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000007f866844431 5 bytes JMP 000007f8e6a101f0 .text C:\windows\system32\svchost.exe[996] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000007f866844441 5 bytes JMP 000007f8e6a10210 .text C:\windows\system32\svchost.exe[996] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000007f8668444b1 5 bytes JMP 000007f8e6a10200 .text C:\windows\system32\svchost.exe[996] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000007f866844521 5 bytes JMP 000007f8e6a10420 .text C:\windows\system32\svchost.exe[996] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread 000007f866844531 5 bytes JMP 000007f8e6a10430 .text C:\windows\system32\svchost.exe[996] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000007f866844541 5 bytes JMP 000007f8e6a10220 .text C:\windows\system32\svchost.exe[996] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl 000007f866844651 5 bytes JMP 000007f8e6a10280 .text C:\windows\System32\svchost.exe[652] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000007f866842c90 5 bytes JMP 000007f8e6a10460 .text C:\windows\System32\svchost.exe[652] C:\windows\SYSTEM32\ntdll.dll!NtQueryObject 000007f866842ce0 5 bytes JMP 000007f8e6a10450 .text C:\windows\System32\svchost.exe[652] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess 000007f866842e40 5 bytes JMP 000007f8e6a10370 .text C:\windows\System32\svchost.exe[652] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000007f866842e90 5 bytes JMP 000007f8e6a10470 .text C:\windows\System32\svchost.exe[652] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000007f866842ea0 5 bytes JMP 000007f8e6a103e0 .text C:\windows\System32\svchost.exe[652] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 000007f866842f50 5 bytes JMP 000007f8e6a10320 .text C:\windows\System32\svchost.exe[652] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000007f866842f80 5 bytes JMP 000007f8e6a103b0 .text C:\windows\System32\svchost.exe[652] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000007f866842fa0 5 bytes JMP 000007f8e6a10390 .text C:\windows\System32\svchost.exe[652] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 000007f866842fe0 5 bytes JMP 000007f8e6a102e0 .text C:\windows\System32\svchost.exe[652] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 000007f866843060 5 bytes JMP 000007f8e6a102d0 .text C:\windows\System32\svchost.exe[652] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 000007f866843080 1 byte JMP 000007f8e6a10310 .text C:\windows\System32\svchost.exe[652] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection + 2 000007f866843082 3 bytes {JMP 0xffffffff801cd290} .text C:\windows\System32\svchost.exe[652] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 000007f8668430c0 5 bytes JMP 000007f8e6a103c0 .text C:\windows\System32\svchost.exe[652] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 000007f866843110 5 bytes JMP 000007f8e6a103f0 .text C:\windows\System32\svchost.exe[652] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000007f866843281 5 bytes JMP 000007f8e6a10230 .text C:\windows\System32\svchost.exe[652] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000007f866843471 5 bytes JMP 000007f8e6a10480 .text C:\windows\System32\svchost.exe[652] C:\windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000007f8668434a1 5 bytes JMP 000007f8e6a103a0 .text C:\windows\System32\svchost.exe[652] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000007f8668435b1 5 bytes JMP 000007f8e6a102f0 .text C:\windows\System32\svchost.exe[652] C:\windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000007f8668435d1 5 bytes JMP 000007f8e6a10350 .text C:\windows\System32\svchost.exe[652] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 000007f866843641 5 bytes JMP 000007f8e6a10290 .text C:\windows\System32\svchost.exe[652] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000007f8668436d1 5 bytes JMP 000007f8e6a102b0 .text C:\windows\System32\svchost.exe[652] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000007f8668436f1 5 bytes JMP 000007f8e6a103d0 .text C:\windows\System32\svchost.exe[652] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer 000007f866843701 5 bytes JMP 000007f8e6a10330 .text C:\windows\System32\svchost.exe[652] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000007f8668437a1 5 bytes JMP 000007f8e6a10410 .text C:\windows\System32\svchost.exe[652] C:\windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000007f8668437d1 5 bytes JMP 000007f8e6a10240 .text C:\windows\System32\svchost.exe[652] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 000007f866843ae1 5 bytes JMP 000007f8e6a101e0 .text C:\windows\System32\svchost.exe[652] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000007f866843ba1 5 bytes JMP 000007f8e6a10250 .text C:\windows\System32\svchost.exe[652] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000007f866843bd1 5 bytes JMP 000007f8e6a10490 .text C:\windows\System32\svchost.exe[652] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000007f866843be1 5 bytes JMP 000007f8e6a104a0 .text C:\windows\System32\svchost.exe[652] C:\windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000007f866843c11 5 bytes JMP 000007f8e6a10300 .text C:\windows\System32\svchost.exe[652] C:\windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000007f866843c21 5 bytes JMP 000007f8e6a10360 .text C:\windows\System32\svchost.exe[652] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 000007f866843c81 5 bytes JMP 000007f8e6a102a0 .text C:\windows\System32\svchost.exe[652] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000007f866843cd1 5 bytes JMP 000007f8e6a102c0 .text C:\windows\System32\svchost.exe[652] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread 000007f866843d01 5 bytes JMP 000007f8e6a10380 .text C:\windows\System32\svchost.exe[652] C:\windows\SYSTEM32\ntdll.dll!NtOpenTimer 000007f866843d11 5 bytes JMP 000007f8e6a10340 .text C:\windows\System32\svchost.exe[652] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000007f866844021 5 bytes JMP 000007f8e6a10440 .text C:\windows\System32\svchost.exe[652] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000007f866844221 5 bytes JMP 000007f8e6a10260 .text C:\windows\System32\svchost.exe[652] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000007f866844231 5 bytes JMP 000007f8e6a10270 .text C:\windows\System32\svchost.exe[652] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 000007f866844251 5 bytes JMP 000007f8e6a10400 .text C:\windows\System32\svchost.exe[652] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000007f866844431 5 bytes JMP 000007f8e6a101f0 .text C:\windows\System32\svchost.exe[652] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000007f866844441 5 bytes JMP 000007f8e6a10210 .text C:\windows\System32\svchost.exe[652] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000007f8668444b1 5 bytes JMP 000007f8e6a10200 .text C:\windows\System32\svchost.exe[652] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000007f866844521 5 bytes JMP 000007f8e6a10420 .text C:\windows\System32\svchost.exe[652] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread 000007f866844531 5 bytes JMP 000007f8e6a10430 .text C:\windows\System32\svchost.exe[652] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000007f866844541 5 bytes JMP 000007f8e6a10220 .text C:\windows\System32\svchost.exe[652] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl 000007f866844651 5 bytes JMP 000007f8e6a10280 .text C:\windows\System32\svchost.exe[652] C:\windows\system32\KERNEL32.DLL!GetBinaryTypeW + 163 000007f86648f7eb 1 byte [62] .text C:\windows\system32\svchost.exe[1072] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000007f866842c90 5 bytes JMP 000007f8e6a10460 .text C:\windows\system32\svchost.exe[1072] C:\windows\SYSTEM32\ntdll.dll!NtQueryObject 000007f866842ce0 5 bytes JMP 000007f8e6a10450 .text C:\windows\system32\svchost.exe[1072] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess 000007f866842e40 5 bytes JMP 000007f8e6a10370 .text C:\windows\system32\svchost.exe[1072] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000007f866842e90 5 bytes JMP 000007f8e6a10470 .text C:\windows\system32\svchost.exe[1072] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000007f866842ea0 5 bytes JMP 000007f8e6a103e0 .text C:\windows\system32\svchost.exe[1072] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 000007f866842f50 5 bytes JMP 000007f8e6a10320 .text C:\windows\system32\svchost.exe[1072] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000007f866842f80 5 bytes JMP 000007f8e6a103b0 .text C:\windows\system32\svchost.exe[1072] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000007f866842fa0 5 bytes JMP 000007f8e6a10390 .text C:\windows\system32\svchost.exe[1072] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 000007f866842fe0 5 bytes JMP 000007f8e6a102e0 .text C:\windows\system32\svchost.exe[1072] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 000007f866843060 5 bytes JMP 000007f8e6a102d0 .text C:\windows\system32\svchost.exe[1072] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 000007f866843080 1 byte JMP 000007f8e6a10310 .text C:\windows\system32\svchost.exe[1072] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection + 2 000007f866843082 3 bytes {JMP 0xffffffff801cd290} .text C:\windows\system32\svchost.exe[1072] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 000007f8668430c0 5 bytes JMP 000007f8e6a103c0 .text C:\windows\system32\svchost.exe[1072] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 000007f866843110 5 bytes JMP 000007f8e6a103f0 .text C:\windows\system32\svchost.exe[1072] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000007f866843281 5 bytes JMP 000007f8e6a10230 .text C:\windows\system32\svchost.exe[1072] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000007f866843471 5 bytes JMP 000007f8e6a10480 .text C:\windows\system32\svchost.exe[1072] C:\windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000007f8668434a1 5 bytes JMP 000007f8e6a103a0 .text C:\windows\system32\svchost.exe[1072] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000007f8668435b1 5 bytes JMP 000007f8e6a102f0 .text C:\windows\system32\svchost.exe[1072] C:\windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000007f8668435d1 5 bytes JMP 000007f8e6a10350 .text C:\windows\system32\svchost.exe[1072] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 000007f866843641 5 bytes JMP 000007f8e6a10290 .text C:\windows\system32\svchost.exe[1072] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000007f8668436d1 5 bytes JMP 000007f8e6a102b0 .text C:\windows\system32\svchost.exe[1072] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000007f8668436f1 5 bytes JMP 000007f8e6a103d0 .text C:\windows\system32\svchost.exe[1072] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer 000007f866843701 5 bytes JMP 000007f8e6a10330 .text C:\windows\system32\svchost.exe[1072] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000007f8668437a1 5 bytes JMP 000007f8e6a10410 .text C:\windows\system32\svchost.exe[1072] C:\windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000007f8668437d1 5 bytes JMP 000007f8e6a10240 .text C:\windows\system32\svchost.exe[1072] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 000007f866843ae1 5 bytes JMP 000007f8e6a101e0 .text C:\windows\system32\svchost.exe[1072] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000007f866843ba1 5 bytes JMP 000007f8e6a10250 .text C:\windows\system32\svchost.exe[1072] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000007f866843bd1 5 bytes JMP 000007f8e6a10490 .text C:\windows\system32\svchost.exe[1072] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000007f866843be1 5 bytes JMP 000007f8e6a104a0 .text C:\windows\system32\svchost.exe[1072] C:\windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000007f866843c11 5 bytes JMP 000007f8e6a10300 .text C:\windows\system32\svchost.exe[1072] C:\windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000007f866843c21 5 bytes JMP 000007f8e6a10360 .text C:\windows\system32\svchost.exe[1072] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 000007f866843c81 5 bytes JMP 000007f8e6a102a0 .text C:\windows\system32\svchost.exe[1072] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000007f866843cd1 5 bytes JMP 000007f8e6a102c0 .text C:\windows\system32\svchost.exe[1072] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread 000007f866843d01 5 bytes JMP 000007f8e6a10380 .text C:\windows\system32\svchost.exe[1072] C:\windows\SYSTEM32\ntdll.dll!NtOpenTimer 000007f866843d11 5 bytes JMP 000007f8e6a10340 .text C:\windows\system32\svchost.exe[1072] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000007f866844021 5 bytes JMP 000007f8e6a10440 .text C:\windows\system32\svchost.exe[1072] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000007f866844221 5 bytes JMP 000007f8e6a10260 .text C:\windows\system32\svchost.exe[1072] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000007f866844231 5 bytes JMP 000007f8e6a10270 .text C:\windows\system32\svchost.exe[1072] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 000007f866844251 5 bytes JMP 000007f8e6a10400 .text C:\windows\system32\svchost.exe[1072] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000007f866844431 5 bytes JMP 000007f8e6a101f0 .text C:\windows\system32\svchost.exe[1072] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000007f866844441 5 bytes JMP 000007f8e6a10210 .text C:\windows\system32\svchost.exe[1072] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000007f8668444b1 5 bytes JMP 000007f8e6a10200 .text C:\windows\system32\svchost.exe[1072] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000007f866844521 5 bytes JMP 000007f8e6a10420 .text C:\windows\system32\svchost.exe[1072] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread 000007f866844531 5 bytes JMP 000007f8e6a10430 .text C:\windows\system32\svchost.exe[1072] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000007f866844541 5 bytes JMP 000007f8e6a10220 .text C:\windows\system32\svchost.exe[1072] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl 000007f866844651 5 bytes JMP 000007f8e6a10280 .text C:\windows\System32\spoolsv.exe[1684] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000007f866842c90 5 bytes JMP 000007f8e6a10460 .text C:\windows\System32\spoolsv.exe[1684] C:\windows\SYSTEM32\ntdll.dll!NtQueryObject 000007f866842ce0 5 bytes JMP 000007f8e6a10450 .text C:\windows\System32\spoolsv.exe[1684] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess 000007f866842e40 5 bytes JMP 000007f8e6a10370 .text C:\windows\System32\spoolsv.exe[1684] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000007f866842e90 5 bytes JMP 000007f8e6a10470 .text C:\windows\System32\spoolsv.exe[1684] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000007f866842ea0 5 bytes JMP 000007f8e6a103e0 .text C:\windows\System32\spoolsv.exe[1684] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 000007f866842f50 5 bytes JMP 000007f8e6a10320 .text C:\windows\System32\spoolsv.exe[1684] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000007f866842f80 5 bytes JMP 000007f8e6a103b0 .text C:\windows\System32\spoolsv.exe[1684] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000007f866842fa0 5 bytes JMP 000007f8e6a10390 .text C:\windows\System32\spoolsv.exe[1684] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 000007f866842fe0 5 bytes JMP 000007f8e6a102e0 .text C:\windows\System32\spoolsv.exe[1684] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 000007f866843060 5 bytes JMP 000007f8e6a102d0 .text C:\windows\System32\spoolsv.exe[1684] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 000007f866843080 1 byte JMP 000007f8e6a10310 .text C:\windows\System32\spoolsv.exe[1684] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection + 2 000007f866843082 3 bytes {JMP 0xffffffff801cd290} .text C:\windows\System32\spoolsv.exe[1684] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 000007f8668430c0 5 bytes JMP 000007f8e6a103c0 .text C:\windows\System32\spoolsv.exe[1684] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 000007f866843110 5 bytes JMP 000007f8e6a103f0 .text C:\windows\System32\spoolsv.exe[1684] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000007f866843281 5 bytes JMP 000007f8e6a10230 .text C:\windows\System32\spoolsv.exe[1684] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000007f866843471 5 bytes JMP 000007f8e6a10480 .text C:\windows\System32\spoolsv.exe[1684] C:\windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000007f8668434a1 5 bytes JMP 000007f8e6a103a0 .text C:\windows\System32\spoolsv.exe[1684] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000007f8668435b1 5 bytes JMP 000007f8e6a102f0 .text C:\windows\System32\spoolsv.exe[1684] C:\windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000007f8668435d1 5 bytes JMP 000007f8e6a10350 .text C:\windows\System32\spoolsv.exe[1684] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 000007f866843641 5 bytes JMP 000007f8e6a10290 .text C:\windows\System32\spoolsv.exe[1684] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000007f8668436d1 5 bytes JMP 000007f8e6a102b0 .text C:\windows\System32\spoolsv.exe[1684] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000007f8668436f1 5 bytes JMP 000007f8e6a103d0 .text C:\windows\System32\spoolsv.exe[1684] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer 000007f866843701 5 bytes JMP 000007f8e6a10330 .text C:\windows\System32\spoolsv.exe[1684] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000007f8668437a1 5 bytes JMP 000007f8e6a10410 .text C:\windows\System32\spoolsv.exe[1684] C:\windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000007f8668437d1 5 bytes JMP 000007f8e6a10240 .text C:\windows\System32\spoolsv.exe[1684] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 000007f866843ae1 5 bytes JMP 000007f8e6a101e0 .text C:\windows\System32\spoolsv.exe[1684] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000007f866843ba1 5 bytes JMP 000007f8e6a10250 .text C:\windows\System32\spoolsv.exe[1684] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000007f866843bd1 5 bytes JMP 000007f8e6a10490 .text C:\windows\System32\spoolsv.exe[1684] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000007f866843be1 5 bytes JMP 000007f8e6a104a0 .text C:\windows\System32\spoolsv.exe[1684] C:\windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000007f866843c11 5 bytes JMP 000007f8e6a10300 .text C:\windows\System32\spoolsv.exe[1684] C:\windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000007f866843c21 5 bytes JMP 000007f8e6a10360 .text C:\windows\System32\spoolsv.exe[1684] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 000007f866843c81 5 bytes JMP 000007f8e6a102a0 .text C:\windows\System32\spoolsv.exe[1684] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000007f866843cd1 5 bytes JMP 000007f8e6a102c0 .text C:\windows\System32\spoolsv.exe[1684] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread 000007f866843d01 5 bytes JMP 000007f8e6a10380 .text C:\windows\System32\spoolsv.exe[1684] C:\windows\SYSTEM32\ntdll.dll!NtOpenTimer 000007f866843d11 5 bytes JMP 000007f8e6a10340 .text C:\windows\System32\spoolsv.exe[1684] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000007f866844021 5 bytes JMP 000007f8e6a10440 .text C:\windows\System32\spoolsv.exe[1684] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000007f866844221 5 bytes JMP 000007f8e6a10260 .text C:\windows\System32\spoolsv.exe[1684] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000007f866844231 5 bytes JMP 000007f8e6a10270 .text C:\windows\System32\spoolsv.exe[1684] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 000007f866844251 5 bytes JMP 000007f8e6a10400 .text C:\windows\System32\spoolsv.exe[1684] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000007f866844431 5 bytes JMP 000007f8e6a101f0 .text C:\windows\System32\spoolsv.exe[1684] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000007f866844441 5 bytes JMP 000007f8e6a10210 .text C:\windows\System32\spoolsv.exe[1684] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000007f8668444b1 5 bytes JMP 000007f8e6a10200 .text C:\windows\System32\spoolsv.exe[1684] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000007f866844521 5 bytes JMP 000007f8e6a10420 .text C:\windows\System32\spoolsv.exe[1684] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread 000007f866844531 5 bytes JMP 000007f8e6a10430 .text C:\windows\System32\spoolsv.exe[1684] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000007f866844541 5 bytes JMP 000007f8e6a10220 .text C:\windows\System32\spoolsv.exe[1684] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl 000007f866844651 5 bytes JMP 000007f8e6a10280 .text C:\windows\System32\spoolsv.exe[1684] C:\windows\system32\KERNEL32.DLL!GetBinaryTypeW + 163 000007f86648f7eb 1 byte [62] .text C:\windows\system32\svchost.exe[1712] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000007f866842c90 5 bytes JMP 000007f8e6a10460 .text C:\windows\system32\svchost.exe[1712] C:\windows\SYSTEM32\ntdll.dll!NtQueryObject 000007f866842ce0 5 bytes JMP 000007f8e6a10450 .text C:\windows\system32\svchost.exe[1712] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess 000007f866842e40 5 bytes JMP 000007f8e6a10370 .text C:\windows\system32\svchost.exe[1712] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000007f866842e90 5 bytes JMP 000007f8e6a10470 .text C:\windows\system32\svchost.exe[1712] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000007f866842ea0 5 bytes JMP 000007f8e6a103e0 .text C:\windows\system32\svchost.exe[1712] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 000007f866842f50 5 bytes JMP 000007f8e6a10320 .text C:\windows\system32\svchost.exe[1712] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000007f866842f80 5 bytes JMP 000007f8e6a103b0 .text C:\windows\system32\svchost.exe[1712] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000007f866842fa0 5 bytes JMP 000007f8e6a10390 .text C:\windows\system32\svchost.exe[1712] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 000007f866842fe0 5 bytes JMP 000007f8e6a102e0 .text C:\windows\system32\svchost.exe[1712] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 000007f866843060 5 bytes JMP 000007f8e6a102d0 .text C:\windows\system32\svchost.exe[1712] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 000007f866843080 1 byte JMP 000007f8e6a10310 .text C:\windows\system32\svchost.exe[1712] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection + 2 000007f866843082 3 bytes {JMP 0xffffffff801cd290} .text C:\windows\system32\svchost.exe[1712] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 000007f8668430c0 5 bytes JMP 000007f8e6a103c0 .text C:\windows\system32\svchost.exe[1712] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 000007f866843110 5 bytes JMP 000007f8e6a103f0 .text C:\windows\system32\svchost.exe[1712] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000007f866843281 5 bytes JMP 000007f8e6a10230 .text C:\windows\system32\svchost.exe[1712] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000007f866843471 5 bytes JMP 000007f8e6a10480 .text C:\windows\system32\svchost.exe[1712] C:\windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000007f8668434a1 5 bytes JMP 000007f8e6a103a0 .text C:\windows\system32\svchost.exe[1712] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000007f8668435b1 5 bytes JMP 000007f8e6a102f0 .text C:\windows\system32\svchost.exe[1712] C:\windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000007f8668435d1 5 bytes JMP 000007f8e6a10350 .text C:\windows\system32\svchost.exe[1712] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 000007f866843641 5 bytes JMP 000007f8e6a10290 .text C:\windows\system32\svchost.exe[1712] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000007f8668436d1 5 bytes JMP 000007f8e6a102b0 .text C:\windows\system32\svchost.exe[1712] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000007f8668436f1 5 bytes JMP 000007f8e6a103d0 .text C:\windows\system32\svchost.exe[1712] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer 000007f866843701 5 bytes JMP 000007f8e6a10330 .text C:\windows\system32\svchost.exe[1712] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000007f8668437a1 5 bytes JMP 000007f8e6a10410 .text C:\windows\system32\svchost.exe[1712] C:\windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000007f8668437d1 5 bytes JMP 000007f8e6a10240 .text C:\windows\system32\svchost.exe[1712] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 000007f866843ae1 5 bytes JMP 000007f8e6a101e0 .text C:\windows\system32\svchost.exe[1712] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000007f866843ba1 5 bytes JMP 000007f8e6a10250 .text C:\windows\system32\svchost.exe[1712] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000007f866843bd1 5 bytes JMP 000007f8e6a10490 .text C:\windows\system32\svchost.exe[1712] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000007f866843be1 5 bytes JMP 000007f8e6a104a0 .text C:\windows\system32\svchost.exe[1712] C:\windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000007f866843c11 5 bytes JMP 000007f8e6a10300 .text C:\windows\system32\svchost.exe[1712] C:\windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000007f866843c21 5 bytes JMP 000007f8e6a10360 .text C:\windows\system32\svchost.exe[1712] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 000007f866843c81 5 bytes JMP 000007f8e6a102a0 .text C:\windows\system32\svchost.exe[1712] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000007f866843cd1 5 bytes JMP 000007f8e6a102c0 .text C:\windows\system32\svchost.exe[1712] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread 000007f866843d01 5 bytes JMP 000007f8e6a10380 .text C:\windows\system32\svchost.exe[1712] C:\windows\SYSTEM32\ntdll.dll!NtOpenTimer 000007f866843d11 5 bytes JMP 000007f8e6a10340 .text C:\windows\system32\svchost.exe[1712] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000007f866844021 5 bytes JMP 000007f8e6a10440 .text C:\windows\system32\svchost.exe[1712] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000007f866844221 5 bytes JMP 000007f8e6a10260 .text C:\windows\system32\svchost.exe[1712] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000007f866844231 5 bytes JMP 000007f8e6a10270 .text C:\windows\system32\svchost.exe[1712] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 000007f866844251 5 bytes JMP 000007f8e6a10400 .text C:\windows\system32\svchost.exe[1712] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000007f866844431 5 bytes JMP 000007f8e6a101f0 .text C:\windows\system32\svchost.exe[1712] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000007f866844441 5 bytes JMP 000007f8e6a10210 .text C:\windows\system32\svchost.exe[1712] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000007f8668444b1 5 bytes JMP 000007f8e6a10200 .text C:\windows\system32\svchost.exe[1712] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000007f866844521 5 bytes JMP 000007f8e6a10420 .text C:\windows\system32\svchost.exe[1712] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread 000007f866844531 5 bytes JMP 000007f8e6a10430 .text C:\windows\system32\svchost.exe[1712] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000007f866844541 5 bytes JMP 000007f8e6a10220 .text C:\windows\system32\svchost.exe[1712] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl 000007f866844651 5 bytes JMP 000007f8e6a10280 .text C:\windows\system32\svchost.exe[1712] C:\windows\system32\KERNEL32.DLL!GetBinaryTypeW + 163 000007f86648f7eb 1 byte [62] .text C:\windows\system32\BtwRSupportService.exe[1588] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000007f866842c90 5 bytes JMP 000007f8e6a10460 .text C:\windows\system32\BtwRSupportService.exe[1588] C:\windows\SYSTEM32\ntdll.dll!NtQueryObject 000007f866842ce0 5 bytes JMP 000007f8e6a10450 .text C:\windows\system32\BtwRSupportService.exe[1588] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess 000007f866842e40 5 bytes JMP 000007f8e6a10370 .text C:\windows\system32\BtwRSupportService.exe[1588] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000007f866842e90 5 bytes JMP 000007f8e6a10470 .text C:\windows\system32\BtwRSupportService.exe[1588] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000007f866842ea0 5 bytes JMP 000007f8e6a103e0 .text C:\windows\system32\BtwRSupportService.exe[1588] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 000007f866842f50 5 bytes JMP 000007f8e6a10320 .text C:\windows\system32\BtwRSupportService.exe[1588] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000007f866842f80 5 bytes JMP 000007f8e6a103b0 .text C:\windows\system32\BtwRSupportService.exe[1588] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000007f866842fa0 5 bytes JMP 000007f8e6a10390 .text C:\windows\system32\BtwRSupportService.exe[1588] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 000007f866842fe0 5 bytes JMP 000007f8e6a102e0 .text C:\windows\system32\BtwRSupportService.exe[1588] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 000007f866843060 5 bytes JMP 000007f8e6a102d0 .text C:\windows\system32\BtwRSupportService.exe[1588] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 000007f866843080 1 byte JMP 000007f8e6a10310 .text C:\windows\system32\BtwRSupportService.exe[1588] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection + 2 000007f866843082 3 bytes {JMP 0xffffffff801cd290} .text C:\windows\system32\BtwRSupportService.exe[1588] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 000007f8668430c0 5 bytes JMP 000007f8e6a103c0 .text C:\windows\system32\BtwRSupportService.exe[1588] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 000007f866843110 5 bytes JMP 000007f8e6a103f0 .text C:\windows\system32\BtwRSupportService.exe[1588] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000007f866843281 5 bytes JMP 000007f8e6a10230 .text C:\windows\system32\BtwRSupportService.exe[1588] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000007f866843471 5 bytes JMP 000007f8e6a10480 .text C:\windows\system32\BtwRSupportService.exe[1588] C:\windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000007f8668434a1 5 bytes JMP 000007f8e6a103a0 .text C:\windows\system32\BtwRSupportService.exe[1588] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000007f8668435b1 5 bytes JMP 000007f8e6a102f0 .text C:\windows\system32\BtwRSupportService.exe[1588] C:\windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000007f8668435d1 5 bytes JMP 000007f8e6a10350 .text C:\windows\system32\BtwRSupportService.exe[1588] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 000007f866843641 5 bytes JMP 000007f8e6a10290 .text C:\windows\system32\BtwRSupportService.exe[1588] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000007f8668436d1 5 bytes JMP 000007f8e6a102b0 .text C:\windows\system32\BtwRSupportService.exe[1588] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000007f8668436f1 5 bytes JMP 000007f8e6a103d0 .text C:\windows\system32\BtwRSupportService.exe[1588] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer 000007f866843701 5 bytes JMP 000007f8e6a10330 .text C:\windows\system32\BtwRSupportService.exe[1588] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000007f8668437a1 5 bytes JMP 000007f8e6a10410 .text C:\windows\system32\BtwRSupportService.exe[1588] C:\windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000007f8668437d1 5 bytes JMP 000007f8e6a10240 .text C:\windows\system32\BtwRSupportService.exe[1588] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 000007f866843ae1 5 bytes JMP 000007f8e6a101e0 .text C:\windows\system32\BtwRSupportService.exe[1588] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000007f866843ba1 5 bytes JMP 000007f8e6a10250 .text C:\windows\system32\BtwRSupportService.exe[1588] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000007f866843bd1 5 bytes JMP 000007f8e6a10490 .text C:\windows\system32\BtwRSupportService.exe[1588] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000007f866843be1 5 bytes JMP 000007f8e6a104a0 .text C:\windows\system32\BtwRSupportService.exe[1588] C:\windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000007f866843c11 5 bytes JMP 000007f8e6a10300 .text C:\windows\system32\BtwRSupportService.exe[1588] C:\windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000007f866843c21 5 bytes JMP 000007f8e6a10360 .text C:\windows\system32\BtwRSupportService.exe[1588] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 000007f866843c81 5 bytes JMP 000007f8e6a102a0 .text C:\windows\system32\BtwRSupportService.exe[1588] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000007f866843cd1 5 bytes JMP 000007f8e6a102c0 .text C:\windows\system32\BtwRSupportService.exe[1588] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread 000007f866843d01 5 bytes JMP 000007f8e6a10380 .text C:\windows\system32\BtwRSupportService.exe[1588] C:\windows\SYSTEM32\ntdll.dll!NtOpenTimer 000007f866843d11 5 bytes JMP 000007f8e6a10340 .text C:\windows\system32\BtwRSupportService.exe[1588] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000007f866844021 5 bytes JMP 000007f8e6a10440 .text C:\windows\system32\BtwRSupportService.exe[1588] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000007f866844221 5 bytes JMP 000007f8e6a10260 .text C:\windows\system32\BtwRSupportService.exe[1588] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000007f866844231 5 bytes JMP 000007f8e6a10270 .text C:\windows\system32\BtwRSupportService.exe[1588] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 000007f866844251 5 bytes JMP 000007f8e6a10400 .text C:\windows\system32\BtwRSupportService.exe[1588] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000007f866844431 5 bytes JMP 000007f8e6a101f0 .text C:\windows\system32\BtwRSupportService.exe[1588] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000007f866844441 5 bytes JMP 000007f8e6a10210 .text C:\windows\system32\BtwRSupportService.exe[1588] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000007f8668444b1 5 bytes JMP 000007f8e6a10200 .text C:\windows\system32\BtwRSupportService.exe[1588] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000007f866844521 5 bytes JMP 000007f8e6a10420 .text C:\windows\system32\BtwRSupportService.exe[1588] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread 000007f866844531 5 bytes JMP 000007f8e6a10430 .text C:\windows\system32\BtwRSupportService.exe[1588] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000007f866844541 5 bytes JMP 000007f8e6a10220 .text C:\windows\system32\BtwRSupportService.exe[1588] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl 000007f866844651 5 bytes JMP 000007f8e6a10280 .text C:\windows\system32\BtwRSupportService.exe[1588] C:\windows\system32\KERNEL32.DLL!GetBinaryTypeW + 163 000007f86648f7eb 1 byte [62] .text C:\windows\system32\BtwRSupportService.exe[1588] C:\windows\system32\MSIMG32.dll!GradientFill + 690 000007f8601b1532 4 bytes [1B, 60, F8, 07] .text C:\windows\system32\BtwRSupportService.exe[1588] C:\windows\system32\MSIMG32.dll!GradientFill + 698 000007f8601b153a 4 bytes [1B, 60, F8, 07] .text C:\windows\system32\BtwRSupportService.exe[1588] C:\windows\system32\MSIMG32.dll!TransparentBlt + 246 000007f8601b165a 4 bytes [1B, 60, F8, 07] .text C:\Program Files\Lenovo\Bluetooth Software\btwdins.exe[1728] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000007f866842c90 5 bytes JMP 000007f8e6a10460 .text C:\Program Files\Lenovo\Bluetooth Software\btwdins.exe[1728] C:\windows\SYSTEM32\ntdll.dll!NtQueryObject 000007f866842ce0 5 bytes JMP 000007f8e6a10450 .text C:\Program Files\Lenovo\Bluetooth Software\btwdins.exe[1728] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess 000007f866842e40 5 bytes JMP 000007f8e6a10370 .text C:\Program Files\Lenovo\Bluetooth Software\btwdins.exe[1728] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000007f866842e90 5 bytes JMP 000007f8e6a10470 .text C:\Program Files\Lenovo\Bluetooth Software\btwdins.exe[1728] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000007f866842ea0 5 bytes JMP 000007f8e6a103e0 .text C:\Program Files\Lenovo\Bluetooth Software\btwdins.exe[1728] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 000007f866842f50 5 bytes JMP 000007f8e6a10320 .text C:\Program Files\Lenovo\Bluetooth Software\btwdins.exe[1728] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000007f866842f80 5 bytes JMP 000007f8e6a103b0 .text C:\Program Files\Lenovo\Bluetooth Software\btwdins.exe[1728] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000007f866842fa0 5 bytes JMP 000007f8e6a10390 .text C:\Program Files\Lenovo\Bluetooth Software\btwdins.exe[1728] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 000007f866842fe0 5 bytes JMP 000007f8e6a102e0 .text C:\Program Files\Lenovo\Bluetooth Software\btwdins.exe[1728] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 000007f866843060 5 bytes JMP 000007f8e6a102d0 .text C:\Program Files\Lenovo\Bluetooth Software\btwdins.exe[1728] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 000007f866843080 1 byte JMP 000007f8e6a10310 .text C:\Program Files\Lenovo\Bluetooth Software\btwdins.exe[1728] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection + 2 000007f866843082 3 bytes {JMP 0xffffffff801cd290} .text C:\Program Files\Lenovo\Bluetooth Software\btwdins.exe[1728] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 000007f8668430c0 5 bytes JMP 000007f8e6a103c0 .text C:\Program Files\Lenovo\Bluetooth Software\btwdins.exe[1728] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 000007f866843110 5 bytes JMP 000007f8e6a103f0 .text C:\Program Files\Lenovo\Bluetooth Software\btwdins.exe[1728] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000007f866843281 5 bytes JMP 000007f8e6a10230 .text C:\Program Files\Lenovo\Bluetooth Software\btwdins.exe[1728] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000007f866843471 5 bytes JMP 000007f8e6a10480 .text C:\Program Files\Lenovo\Bluetooth Software\btwdins.exe[1728] C:\windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000007f8668434a1 5 bytes JMP 000007f8e6a103a0 .text C:\Program Files\Lenovo\Bluetooth Software\btwdins.exe[1728] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000007f8668435b1 5 bytes JMP 000007f8e6a102f0 .text C:\Program Files\Lenovo\Bluetooth Software\btwdins.exe[1728] C:\windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000007f8668435d1 5 bytes JMP 000007f8e6a10350 .text C:\Program Files\Lenovo\Bluetooth Software\btwdins.exe[1728] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 000007f866843641 5 bytes JMP 000007f8e6a10290 .text C:\Program Files\Lenovo\Bluetooth Software\btwdins.exe[1728] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000007f8668436d1 5 bytes JMP 000007f8e6a102b0 .text C:\Program Files\Lenovo\Bluetooth Software\btwdins.exe[1728] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000007f8668436f1 5 bytes JMP 000007f8e6a103d0 .text C:\Program Files\Lenovo\Bluetooth Software\btwdins.exe[1728] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer 000007f866843701 5 bytes JMP 000007f8e6a10330 .text C:\Program Files\Lenovo\Bluetooth Software\btwdins.exe[1728] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000007f8668437a1 5 bytes JMP 000007f8e6a10410 .text C:\Program Files\Lenovo\Bluetooth Software\btwdins.exe[1728] C:\windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000007f8668437d1 5 bytes JMP 000007f8e6a10240 .text C:\Program Files\Lenovo\Bluetooth Software\btwdins.exe[1728] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 000007f866843ae1 5 bytes JMP 000007f8e6a101e0 .text C:\Program Files\Lenovo\Bluetooth Software\btwdins.exe[1728] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000007f866843ba1 5 bytes JMP 000007f8e6a10250 .text C:\Program Files\Lenovo\Bluetooth Software\btwdins.exe[1728] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000007f866843bd1 5 bytes JMP 000007f8e6a10490 .text C:\Program Files\Lenovo\Bluetooth Software\btwdins.exe[1728] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000007f866843be1 5 bytes JMP 000007f8e6a104a0 .text C:\Program Files\Lenovo\Bluetooth Software\btwdins.exe[1728] C:\windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000007f866843c11 5 bytes JMP 000007f8e6a10300 .text C:\Program Files\Lenovo\Bluetooth Software\btwdins.exe[1728] C:\windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000007f866843c21 5 bytes JMP 000007f8e6a10360 .text C:\Program Files\Lenovo\Bluetooth Software\btwdins.exe[1728] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 000007f866843c81 5 bytes JMP 000007f8e6a102a0 .text C:\Program Files\Lenovo\Bluetooth Software\btwdins.exe[1728] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000007f866843cd1 5 bytes JMP 000007f8e6a102c0 .text C:\Program Files\Lenovo\Bluetooth Software\btwdins.exe[1728] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread 000007f866843d01 5 bytes JMP 000007f8e6a10380 .text C:\Program Files\Lenovo\Bluetooth Software\btwdins.exe[1728] C:\windows\SYSTEM32\ntdll.dll!NtOpenTimer 000007f866843d11 5 bytes JMP 000007f8e6a10340 .text C:\Program Files\Lenovo\Bluetooth Software\btwdins.exe[1728] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000007f866844021 5 bytes JMP 000007f8e6a10440 .text C:\Program Files\Lenovo\Bluetooth Software\btwdins.exe[1728] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000007f866844221 5 bytes JMP 000007f8e6a10260 .text C:\Program Files\Lenovo\Bluetooth Software\btwdins.exe[1728] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000007f866844231 5 bytes JMP 000007f8e6a10270 .text C:\Program Files\Lenovo\Bluetooth Software\btwdins.exe[1728] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 000007f866844251 5 bytes JMP 000007f8e6a10400 .text C:\Program Files\Lenovo\Bluetooth Software\btwdins.exe[1728] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000007f866844431 5 bytes JMP 000007f8e6a101f0 .text C:\Program Files\Lenovo\Bluetooth Software\btwdins.exe[1728] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000007f866844441 5 bytes JMP 000007f8e6a10210 .text C:\Program Files\Lenovo\Bluetooth Software\btwdins.exe[1728] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000007f8668444b1 5 bytes JMP 000007f8e6a10200 .text C:\Program Files\Lenovo\Bluetooth Software\btwdins.exe[1728] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000007f866844521 5 bytes JMP 000007f8e6a10420 .text C:\Program Files\Lenovo\Bluetooth Software\btwdins.exe[1728] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread 000007f866844531 5 bytes JMP 000007f8e6a10430 .text C:\Program Files\Lenovo\Bluetooth Software\btwdins.exe[1728] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000007f866844541 5 bytes JMP 000007f8e6a10220 .text C:\Program Files\Lenovo\Bluetooth Software\btwdins.exe[1728] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl 000007f866844651 5 bytes JMP 000007f8e6a10280 .text C:\Program Files\Lenovo\Bluetooth Software\btwdins.exe[1728] C:\windows\system32\KERNEL32.DLL!GetBinaryTypeW + 163 000007f86648f7eb 1 byte [62] .text C:\windows\system32\CxAudMsg64.exe[2080] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000007f866842c90 5 bytes JMP 000007f8e6a10460 .text C:\windows\system32\CxAudMsg64.exe[2080] C:\windows\SYSTEM32\ntdll.dll!NtQueryObject 000007f866842ce0 5 bytes JMP 000007f8e6a10450 .text C:\windows\system32\CxAudMsg64.exe[2080] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess 000007f866842e40 5 bytes JMP 000007f8e6a10370 .text C:\windows\system32\CxAudMsg64.exe[2080] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000007f866842e90 5 bytes JMP 000007f8e6a10470 .text C:\windows\system32\CxAudMsg64.exe[2080] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000007f866842ea0 5 bytes JMP 000007f8e6a103e0 .text C:\windows\system32\CxAudMsg64.exe[2080] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 000007f866842f50 5 bytes JMP 000007f8e6a10320 .text C:\windows\system32\CxAudMsg64.exe[2080] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000007f866842f80 5 bytes JMP 000007f8e6a103b0 .text C:\windows\system32\CxAudMsg64.exe[2080] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000007f866842fa0 5 bytes JMP 000007f8e6a10390 .text C:\windows\system32\CxAudMsg64.exe[2080] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 000007f866842fe0 5 bytes JMP 000007f8e6a102e0 .text C:\windows\system32\CxAudMsg64.exe[2080] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 000007f866843060 5 bytes JMP 000007f8e6a102d0 .text C:\windows\system32\CxAudMsg64.exe[2080] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 000007f866843080 1 byte JMP 000007f8e6a10310 .text C:\windows\system32\CxAudMsg64.exe[2080] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection + 2 000007f866843082 3 bytes {JMP 0xffffffff801cd290} .text C:\windows\system32\CxAudMsg64.exe[2080] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 000007f8668430c0 5 bytes JMP 000007f8e6a103c0 .text C:\windows\system32\CxAudMsg64.exe[2080] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 000007f866843110 5 bytes JMP 000007f8e6a103f0 .text C:\windows\system32\CxAudMsg64.exe[2080] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000007f866843281 5 bytes JMP 000007f8e6a10230 .text C:\windows\system32\CxAudMsg64.exe[2080] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000007f866843471 5 bytes JMP 000007f8e6a10480 .text C:\windows\system32\CxAudMsg64.exe[2080] C:\windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000007f8668434a1 5 bytes JMP 000007f8e6a103a0 .text C:\windows\system32\CxAudMsg64.exe[2080] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000007f8668435b1 5 bytes JMP 000007f8e6a102f0 .text C:\windows\system32\CxAudMsg64.exe[2080] C:\windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000007f8668435d1 5 bytes JMP 000007f8e6a10350 .text C:\windows\system32\CxAudMsg64.exe[2080] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 000007f866843641 5 bytes JMP 000007f8e6a10290 .text C:\windows\system32\CxAudMsg64.exe[2080] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000007f8668436d1 5 bytes JMP 000007f8e6a102b0 .text C:\windows\system32\CxAudMsg64.exe[2080] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000007f8668436f1 5 bytes JMP 000007f8e6a103d0 .text C:\windows\system32\CxAudMsg64.exe[2080] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer 000007f866843701 5 bytes JMP 000007f8e6a10330 .text C:\windows\system32\CxAudMsg64.exe[2080] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000007f8668437a1 5 bytes JMP 000007f8e6a10410 .text C:\windows\system32\CxAudMsg64.exe[2080] C:\windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000007f8668437d1 5 bytes JMP 000007f8e6a10240 .text C:\windows\system32\CxAudMsg64.exe[2080] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 000007f866843ae1 5 bytes JMP 000007f8e6a101e0 .text C:\windows\system32\CxAudMsg64.exe[2080] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000007f866843ba1 5 bytes JMP 000007f8e6a10250 .text C:\windows\system32\CxAudMsg64.exe[2080] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000007f866843bd1 5 bytes JMP 000007f8e6a10490 .text C:\windows\system32\CxAudMsg64.exe[2080] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000007f866843be1 5 bytes JMP 000007f8e6a104a0 .text C:\windows\system32\CxAudMsg64.exe[2080] C:\windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000007f866843c11 5 bytes JMP 000007f8e6a10300 .text C:\windows\system32\CxAudMsg64.exe[2080] C:\windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000007f866843c21 5 bytes JMP 000007f8e6a10360 .text C:\windows\system32\CxAudMsg64.exe[2080] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 000007f866843c81 5 bytes JMP 000007f8e6a102a0 .text C:\windows\system32\CxAudMsg64.exe[2080] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000007f866843cd1 5 bytes JMP 000007f8e6a102c0 .text C:\windows\system32\CxAudMsg64.exe[2080] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread 000007f866843d01 5 bytes JMP 000007f8e6a10380 .text C:\windows\system32\CxAudMsg64.exe[2080] C:\windows\SYSTEM32\ntdll.dll!NtOpenTimer 000007f866843d11 5 bytes JMP 000007f8e6a10340 .text C:\windows\system32\CxAudMsg64.exe[2080] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000007f866844021 5 bytes JMP 000007f8e6a10440 .text C:\windows\system32\CxAudMsg64.exe[2080] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000007f866844221 5 bytes JMP 000007f8e6a10260 .text C:\windows\system32\CxAudMsg64.exe[2080] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000007f866844231 5 bytes JMP 000007f8e6a10270 .text C:\windows\system32\CxAudMsg64.exe[2080] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 000007f866844251 5 bytes JMP 000007f8e6a10400 .text C:\windows\system32\CxAudMsg64.exe[2080] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000007f866844431 5 bytes JMP 000007f8e6a101f0 .text C:\windows\system32\CxAudMsg64.exe[2080] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000007f866844441 5 bytes JMP 000007f8e6a10210 .text C:\windows\system32\CxAudMsg64.exe[2080] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000007f8668444b1 5 bytes JMP 000007f8e6a10200 .text C:\windows\system32\CxAudMsg64.exe[2080] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000007f866844521 5 bytes JMP 000007f8e6a10420 .text C:\windows\system32\CxAudMsg64.exe[2080] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread 000007f866844531 5 bytes JMP 000007f8e6a10430 .text C:\windows\system32\CxAudMsg64.exe[2080] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000007f866844541 5 bytes JMP 000007f8e6a10220 .text C:\windows\system32\CxAudMsg64.exe[2080] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl 000007f866844651 5 bytes JMP 000007f8e6a10280 .text C:\windows\system32\CxAudMsg64.exe[2080] C:\windows\system32\KERNEL32.DLL!GetBinaryTypeW + 163 000007f86648f7eb 1 byte [62] .text C:\windows\system32\dashost.exe[2144] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000007f866842c90 5 bytes JMP 000007f8e6a10460 .text C:\windows\system32\dashost.exe[2144] C:\windows\SYSTEM32\ntdll.dll!NtQueryObject 000007f866842ce0 5 bytes JMP 000007f8e6a10450 .text C:\windows\system32\dashost.exe[2144] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess 000007f866842e40 5 bytes JMP 000007f8e6a10370 .text C:\windows\system32\dashost.exe[2144] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000007f866842e90 5 bytes JMP 000007f8e6a10470 .text C:\windows\system32\dashost.exe[2144] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000007f866842ea0 5 bytes JMP 000007f8e6a103e0 .text C:\windows\system32\dashost.exe[2144] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 000007f866842f50 5 bytes JMP 000007f8e6a10320 .text C:\windows\system32\dashost.exe[2144] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000007f866842f80 5 bytes JMP 000007f8e6a103b0 .text C:\windows\system32\dashost.exe[2144] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000007f866842fa0 5 bytes JMP 000007f8e6a10390 .text C:\windows\system32\dashost.exe[2144] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 000007f866842fe0 5 bytes JMP 000007f8e6a102e0 .text C:\windows\system32\dashost.exe[2144] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 000007f866843060 5 bytes JMP 000007f8e6a102d0 .text C:\windows\system32\dashost.exe[2144] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 000007f866843080 1 byte JMP 000007f8e6a10310 .text C:\windows\system32\dashost.exe[2144] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection + 2 000007f866843082 3 bytes {JMP 0xffffffff801cd290} .text C:\windows\system32\dashost.exe[2144] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 000007f8668430c0 5 bytes JMP 000007f8e6a103c0 .text C:\windows\system32\dashost.exe[2144] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 000007f866843110 5 bytes JMP 000007f8e6a103f0 .text C:\windows\system32\dashost.exe[2144] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000007f866843281 5 bytes JMP 000007f8e6a10230 .text C:\windows\system32\dashost.exe[2144] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000007f866843471 5 bytes JMP 000007f8e6a10480 .text C:\windows\system32\dashost.exe[2144] C:\windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000007f8668434a1 5 bytes JMP 000007f8e6a103a0 .text C:\windows\system32\dashost.exe[2144] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000007f8668435b1 5 bytes JMP 000007f8e6a102f0 .text C:\windows\system32\dashost.exe[2144] C:\windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000007f8668435d1 5 bytes JMP 000007f8e6a10350 .text C:\windows\system32\dashost.exe[2144] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 000007f866843641 5 bytes JMP 000007f8e6a10290 .text C:\windows\system32\dashost.exe[2144] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000007f8668436d1 5 bytes JMP 000007f8e6a102b0 .text C:\windows\system32\dashost.exe[2144] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000007f8668436f1 5 bytes JMP 000007f8e6a103d0 .text C:\windows\system32\dashost.exe[2144] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer 000007f866843701 5 bytes JMP 000007f8e6a10330 .text C:\windows\system32\dashost.exe[2144] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000007f8668437a1 5 bytes JMP 000007f8e6a10410 .text C:\windows\system32\dashost.exe[2144] C:\windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000007f8668437d1 5 bytes JMP 000007f8e6a10240 .text C:\windows\system32\dashost.exe[2144] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 000007f866843ae1 5 bytes JMP 000007f8e6a101e0 .text C:\windows\system32\dashost.exe[2144] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000007f866843ba1 5 bytes JMP 000007f8e6a10250 .text C:\windows\system32\dashost.exe[2144] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000007f866843bd1 5 bytes JMP 000007f8e6a10490 .text C:\windows\system32\dashost.exe[2144] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000007f866843be1 5 bytes JMP 000007f8e6a104a0 .text C:\windows\system32\dashost.exe[2144] C:\windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000007f866843c11 5 bytes JMP 000007f8e6a10300 .text C:\windows\system32\dashost.exe[2144] C:\windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000007f866843c21 5 bytes JMP 000007f8e6a10360 .text C:\windows\system32\dashost.exe[2144] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 000007f866843c81 5 bytes JMP 000007f8e6a102a0 .text C:\windows\system32\dashost.exe[2144] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000007f866843cd1 5 bytes JMP 000007f8e6a102c0 .text C:\windows\system32\dashost.exe[2144] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread 000007f866843d01 5 bytes JMP 000007f8e6a10380 .text C:\windows\system32\dashost.exe[2144] C:\windows\SYSTEM32\ntdll.dll!NtOpenTimer 000007f866843d11 5 bytes JMP 000007f8e6a10340 .text C:\windows\system32\dashost.exe[2144] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000007f866844021 5 bytes JMP 000007f8e6a10440 .text C:\windows\system32\dashost.exe[2144] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000007f866844221 5 bytes JMP 000007f8e6a10260 .text C:\windows\system32\dashost.exe[2144] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000007f866844231 5 bytes JMP 000007f8e6a10270 .text C:\windows\system32\dashost.exe[2144] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 000007f866844251 5 bytes JMP 000007f8e6a10400 .text C:\windows\system32\dashost.exe[2144] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000007f866844431 5 bytes JMP 000007f8e6a101f0 .text C:\windows\system32\dashost.exe[2144] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000007f866844441 5 bytes JMP 000007f8e6a10210 .text C:\windows\system32\dashost.exe[2144] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000007f8668444b1 5 bytes JMP 000007f8e6a10200 .text C:\windows\system32\dashost.exe[2144] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000007f866844521 5 bytes JMP 000007f8e6a10420 .text C:\windows\system32\dashost.exe[2144] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread 000007f866844531 5 bytes JMP 000007f8e6a10430 .text C:\windows\system32\dashost.exe[2144] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000007f866844541 5 bytes JMP 000007f8e6a10220 .text C:\windows\system32\dashost.exe[2144] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl 000007f866844651 5 bytes JMP 000007f8e6a10280 .text C:\windows\system32\dashost.exe[2144] C:\windows\system32\KERNEL32.DLL!GetBinaryTypeW + 163 000007f86648f7eb 1 byte [62] .text C:\windows\system32\conhost.exe[2224] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000007f866842c90 5 bytes JMP 000007f8e6a10460 .text C:\windows\system32\conhost.exe[2224] C:\windows\SYSTEM32\ntdll.dll!NtQueryObject 000007f866842ce0 5 bytes JMP 000007f8e6a10450 .text C:\windows\system32\conhost.exe[2224] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess 000007f866842e40 5 bytes JMP 000007f8e6a10370 .text C:\windows\system32\conhost.exe[2224] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000007f866842e90 5 bytes JMP 000007f8e6a10470 .text C:\windows\system32\conhost.exe[2224] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000007f866842ea0 5 bytes JMP 000007f8e6a103e0 .text C:\windows\system32\conhost.exe[2224] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 000007f866842f50 5 bytes JMP 000007f8e6a10320 .text C:\windows\system32\conhost.exe[2224] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000007f866842f80 5 bytes JMP 000007f8e6a103b0 .text C:\windows\system32\conhost.exe[2224] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000007f866842fa0 5 bytes JMP 000007f8e6a10390 .text C:\windows\system32\conhost.exe[2224] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 000007f866842fe0 5 bytes JMP 000007f8e6a102e0 .text C:\windows\system32\conhost.exe[2224] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 000007f866843060 5 bytes JMP 000007f8e6a102d0 .text C:\windows\system32\conhost.exe[2224] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 000007f866843080 1 byte JMP 000007f8e6a10310 .text C:\windows\system32\conhost.exe[2224] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection + 2 000007f866843082 3 bytes {JMP 0xffffffff801cd290} .text C:\windows\system32\conhost.exe[2224] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 000007f8668430c0 5 bytes JMP 000007f8e6a103c0 .text C:\windows\system32\conhost.exe[2224] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 000007f866843110 5 bytes JMP 000007f8e6a103f0 .text C:\windows\system32\conhost.exe[2224] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000007f866843281 5 bytes JMP 000007f8e6a10230 .text C:\windows\system32\conhost.exe[2224] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000007f866843471 5 bytes JMP 000007f8e6a10480 .text C:\windows\system32\conhost.exe[2224] C:\windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000007f8668434a1 5 bytes JMP 000007f8e6a103a0 .text C:\windows\system32\conhost.exe[2224] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000007f8668435b1 5 bytes JMP 000007f8e6a102f0 .text C:\windows\system32\conhost.exe[2224] C:\windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000007f8668435d1 5 bytes JMP 000007f8e6a10350 .text C:\windows\system32\conhost.exe[2224] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 000007f866843641 5 bytes JMP 000007f8e6a10290 .text C:\windows\system32\conhost.exe[2224] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000007f8668436d1 5 bytes JMP 000007f8e6a102b0 .text C:\windows\system32\conhost.exe[2224] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000007f8668436f1 5 bytes JMP 000007f8e6a103d0 .text C:\windows\system32\conhost.exe[2224] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer 000007f866843701 5 bytes JMP 000007f8e6a10330 .text C:\windows\system32\conhost.exe[2224] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000007f8668437a1 5 bytes JMP 000007f8e6a10410 .text C:\windows\system32\conhost.exe[2224] C:\windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000007f8668437d1 5 bytes JMP 000007f8e6a10240 .text C:\windows\system32\conhost.exe[2224] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 000007f866843ae1 5 bytes JMP 000007f8e6a101e0 .text C:\windows\system32\conhost.exe[2224] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000007f866843ba1 5 bytes JMP 000007f8e6a10250 .text C:\windows\system32\conhost.exe[2224] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000007f866843bd1 5 bytes JMP 000007f8e6a10490 .text C:\windows\system32\conhost.exe[2224] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000007f866843be1 5 bytes JMP 000007f8e6a104a0 .text C:\windows\system32\conhost.exe[2224] C:\windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000007f866843c11 5 bytes JMP 000007f8e6a10300 .text C:\windows\system32\conhost.exe[2224] C:\windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000007f866843c21 5 bytes JMP 000007f8e6a10360 .text C:\windows\system32\conhost.exe[2224] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 000007f866843c81 5 bytes JMP 000007f8e6a102a0 .text C:\windows\system32\conhost.exe[2224] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000007f866843cd1 5 bytes JMP 000007f8e6a102c0 .text C:\windows\system32\conhost.exe[2224] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread 000007f866843d01 5 bytes JMP 000007f8e6a10380 .text C:\windows\system32\conhost.exe[2224] C:\windows\SYSTEM32\ntdll.dll!NtOpenTimer 000007f866843d11 5 bytes JMP 000007f8e6a10340 .text C:\windows\system32\conhost.exe[2224] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000007f866844021 5 bytes JMP 000007f8e6a10440 .text C:\windows\system32\conhost.exe[2224] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000007f866844221 5 bytes JMP 000007f8e6a10260 .text C:\windows\system32\conhost.exe[2224] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000007f866844231 5 bytes JMP 000007f8e6a10270 .text C:\windows\system32\conhost.exe[2224] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 000007f866844251 5 bytes JMP 000007f8e6a10400 .text C:\windows\system32\conhost.exe[2224] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000007f866844431 5 bytes JMP 000007f8e6a101f0 .text C:\windows\system32\conhost.exe[2224] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000007f866844441 5 bytes JMP 000007f8e6a10210 .text C:\windows\system32\conhost.exe[2224] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000007f8668444b1 5 bytes JMP 000007f8e6a10200 .text C:\windows\system32\conhost.exe[2224] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000007f866844521 5 bytes JMP 000007f8e6a10420 .text C:\windows\system32\conhost.exe[2224] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread 000007f866844531 5 bytes JMP 000007f8e6a10430 .text C:\windows\system32\conhost.exe[2224] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000007f866844541 5 bytes JMP 000007f8e6a10220 .text C:\windows\system32\conhost.exe[2224] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl 000007f866844651 5 bytes JMP 000007f8e6a10280 .text C:\windows\system32\conhost.exe[2224] C:\windows\system32\KERNEL32.DLL!GetBinaryTypeW + 163 000007f86648f7eb 1 byte [62] .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2324] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000007f866842c90 5 bytes JMP 000007f8e6a10460 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2324] C:\windows\SYSTEM32\ntdll.dll!NtQueryObject 000007f866842ce0 5 bytes JMP 000007f8e6a10450 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2324] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess 000007f866842e40 5 bytes JMP 000007f8e6a10370 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2324] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000007f866842e90 5 bytes JMP 000007f8e6a10470 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2324] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000007f866842ea0 5 bytes JMP 000007f8e6a103e0 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2324] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 000007f866842f50 5 bytes JMP 000007f8e6a10320 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2324] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000007f866842f80 5 bytes JMP 000007f8e6a103b0 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2324] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000007f866842fa0 5 bytes JMP 000007f8e6a10390 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2324] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 000007f866842fe0 5 bytes JMP 000007f8e6a102e0 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2324] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 000007f866843060 5 bytes JMP 000007f8e6a102d0 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2324] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 000007f866843080 1 byte JMP 000007f8e6a10310 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2324] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection + 2 000007f866843082 3 bytes {JMP 0xffffffff801cd290} .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2324] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 000007f8668430c0 5 bytes JMP 000007f8e6a103c0 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2324] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 000007f866843110 5 bytes JMP 000007f8e6a103f0 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2324] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000007f866843281 5 bytes JMP 000007f8e6a10230 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2324] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000007f866843471 5 bytes JMP 000007f8e6a10480 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2324] C:\windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000007f8668434a1 5 bytes JMP 000007f8e6a103a0 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2324] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000007f8668435b1 5 bytes JMP 000007f8e6a102f0 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2324] C:\windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000007f8668435d1 5 bytes JMP 000007f8e6a10350 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2324] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 000007f866843641 5 bytes JMP 000007f8e6a10290 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2324] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000007f8668436d1 5 bytes JMP 000007f8e6a102b0 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2324] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000007f8668436f1 5 bytes JMP 000007f8e6a103d0 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2324] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer 000007f866843701 5 bytes JMP 000007f8e6a10330 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2324] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000007f8668437a1 5 bytes JMP 000007f8e6a10410 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2324] C:\windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000007f8668437d1 5 bytes JMP 000007f8e6a10240 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2324] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 000007f866843ae1 5 bytes JMP 000007f8e6a101e0 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2324] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000007f866843ba1 5 bytes JMP 000007f8e6a10250 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2324] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000007f866843bd1 5 bytes JMP 000007f8e6a10490 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2324] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000007f866843be1 5 bytes JMP 000007f8e6a104a0 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2324] C:\windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000007f866843c11 5 bytes JMP 000007f8e6a10300 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2324] C:\windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000007f866843c21 5 bytes JMP 000007f8e6a10360 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2324] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 000007f866843c81 5 bytes JMP 000007f8e6a102a0 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2324] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000007f866843cd1 5 bytes JMP 000007f8e6a102c0 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2324] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread 000007f866843d01 5 bytes JMP 000007f8e6a10380 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2324] C:\windows\SYSTEM32\ntdll.dll!NtOpenTimer 000007f866843d11 5 bytes JMP 000007f8e6a10340 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2324] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000007f866844021 5 bytes JMP 000007f8e6a10440 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2324] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000007f866844221 5 bytes JMP 000007f8e6a10260 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2324] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000007f866844231 5 bytes JMP 000007f8e6a10270 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2324] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 000007f866844251 5 bytes JMP 000007f8e6a10400 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2324] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000007f866844431 5 bytes JMP 000007f8e6a101f0 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2324] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000007f866844441 5 bytes JMP 000007f8e6a10210 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2324] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000007f8668444b1 5 bytes JMP 000007f8e6a10200 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2324] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000007f866844521 5 bytes JMP 000007f8e6a10420 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2324] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread 000007f866844531 5 bytes JMP 000007f8e6a10430 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2324] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000007f866844541 5 bytes JMP 000007f8e6a10220 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2324] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl 000007f866844651 5 bytes JMP 000007f8e6a10280 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2324] C:\windows\system32\KERNEL32.DLL!GetBinaryTypeW + 163 000007f86648f7eb 1 byte [62] .text C:\Program Files\Common Files\Nitro PDF\Professional\7.0\NitroPDFDriverService2x64.exe[2744] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000007f866842c90 5 bytes JMP 000007f8e6a10460 .text C:\Program Files\Common Files\Nitro PDF\Professional\7.0\NitroPDFDriverService2x64.exe[2744] C:\windows\SYSTEM32\ntdll.dll!NtQueryObject 000007f866842ce0 5 bytes JMP 000007f8e6a10450 .text C:\Program Files\Common Files\Nitro PDF\Professional\7.0\NitroPDFDriverService2x64.exe[2744] C:\windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 000007f866842d60 5 bytes JMP 000007f8feb00b14 .text C:\Program Files\Common Files\Nitro PDF\Professional\7.0\NitroPDFDriverService2x64.exe[2744] C:\windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 000007f866842dc0 5 bytes JMP 000007f8feb00ecc .text C:\Program Files\Common Files\Nitro PDF\Professional\7.0\NitroPDFDriverService2x64.exe[2744] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess 000007f866842e40 5 bytes JMP 000007f8e6a10370 .text C:\Program Files\Common Files\Nitro PDF\Professional\7.0\NitroPDFDriverService2x64.exe[2744] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000007f866842e90 5 bytes JMP 000007f8e6a10470 .text C:\Program Files\Common Files\Nitro PDF\Professional\7.0\NitroPDFDriverService2x64.exe[2744] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000007f866842ea0 5 bytes JMP 000007f8feb0163c .text C:\Program Files\Common Files\Nitro PDF\Professional\7.0\NitroPDFDriverService2x64.exe[2744] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 000007f866842f50 5 bytes JMP 000007f8e6a10320 .text C:\Program Files\Common Files\Nitro PDF\Professional\7.0\NitroPDFDriverService2x64.exe[2744] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000007f866842f80 5 bytes JMP 000007f8e6a103b0 .text C:\Program Files\Common Files\Nitro PDF\Professional\7.0\NitroPDFDriverService2x64.exe[2744] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000007f866842fa0 5 bytes JMP 000007f8e6a10390 .text C:\Program Files\Common Files\Nitro PDF\Professional\7.0\NitroPDFDriverService2x64.exe[2744] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 000007f866842fe0 5 bytes JMP 000007f8e6a102e0 .text C:\Program Files\Common Files\Nitro PDF\Professional\7.0\NitroPDFDriverService2x64.exe[2744] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 000007f866843060 5 bytes JMP 000007f8e6a102d0 .text C:\Program Files\Common Files\Nitro PDF\Professional\7.0\NitroPDFDriverService2x64.exe[2744] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 000007f866843080 1 byte JMP 000007f8e6a10310 .text C:\Program Files\Common Files\Nitro PDF\Professional\7.0\NitroPDFDriverService2x64.exe[2744] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection + 2 000007f866843082 3 bytes {JMP 0xffffffff801cd290} .text C:\Program Files\Common Files\Nitro PDF\Professional\7.0\NitroPDFDriverService2x64.exe[2744] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 000007f8668430c0 5 bytes JMP 000007f8e6a103c0 .text C:\Program Files\Common Files\Nitro PDF\Professional\7.0\NitroPDFDriverService2x64.exe[2744] C:\windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 000007f8668430e0 5 bytes JMP 000007f8feb01284 .text C:\Program Files\Common Files\Nitro PDF\Professional\7.0\NitroPDFDriverService2x64.exe[2744] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 000007f866843110 5 bytes JMP 000007f8e6a103f0 .text C:\Program Files\Common Files\Nitro PDF\Professional\7.0\NitroPDFDriverService2x64.exe[2744] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000007f866843281 5 bytes JMP 000007f8e6a10230 .text C:\Program Files\Common Files\Nitro PDF\Professional\7.0\NitroPDFDriverService2x64.exe[2744] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000007f866843471 5 bytes JMP 000007f8e6a10480 .text C:\Program Files\Common Files\Nitro PDF\Professional\7.0\NitroPDFDriverService2x64.exe[2744] C:\windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000007f8668434a1 5 bytes JMP 000007f8e6a103a0 .text C:\Program Files\Common Files\Nitro PDF\Professional\7.0\NitroPDFDriverService2x64.exe[2744] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000007f8668435b1 5 bytes JMP 000007f8e6a102f0 .text C:\Program Files\Common Files\Nitro PDF\Professional\7.0\NitroPDFDriverService2x64.exe[2744] C:\windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000007f8668435d1 5 bytes JMP 000007f8e6a10350 .text C:\Program Files\Common Files\Nitro PDF\Professional\7.0\NitroPDFDriverService2x64.exe[2744] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 000007f866843641 5 bytes JMP 000007f8e6a10290 .text C:\Program Files\Common Files\Nitro PDF\Professional\7.0\NitroPDFDriverService2x64.exe[2744] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000007f8668436d1 5 bytes JMP 000007f8e6a102b0 .text C:\Program Files\Common Files\Nitro PDF\Professional\7.0\NitroPDFDriverService2x64.exe[2744] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000007f8668436f1 5 bytes JMP 000007f8e6a103d0 .text C:\Program Files\Common Files\Nitro PDF\Professional\7.0\NitroPDFDriverService2x64.exe[2744] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer 000007f866843701 5 bytes JMP 000007f8e6a10330 .text C:\Program Files\Common Files\Nitro PDF\Professional\7.0\NitroPDFDriverService2x64.exe[2744] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000007f8668437a1 5 bytes JMP 000007f8e6a10410 .text C:\Program Files\Common Files\Nitro PDF\Professional\7.0\NitroPDFDriverService2x64.exe[2744] C:\windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000007f8668437d1 5 bytes JMP 000007f8e6a10240 .text C:\Program Files\Common Files\Nitro PDF\Professional\7.0\NitroPDFDriverService2x64.exe[2744] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 000007f866843ae1 5 bytes JMP 000007f8e6a101e0 .text C:\Program Files\Common Files\Nitro PDF\Professional\7.0\NitroPDFDriverService2x64.exe[2744] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000007f866843ba1 5 bytes JMP 000007f8e6a10250 .text C:\Program Files\Common Files\Nitro PDF\Professional\7.0\NitroPDFDriverService2x64.exe[2744] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000007f866843bd1 5 bytes JMP 000007f8e6a10490 .text C:\Program Files\Common Files\Nitro PDF\Professional\7.0\NitroPDFDriverService2x64.exe[2744] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000007f866843be1 5 bytes JMP 000007f8e6a104a0 .text C:\Program Files\Common Files\Nitro PDF\Professional\7.0\NitroPDFDriverService2x64.exe[2744] C:\windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000007f866843c11 5 bytes JMP 000007f8e6a10300 .text C:\Program Files\Common Files\Nitro PDF\Professional\7.0\NitroPDFDriverService2x64.exe[2744] C:\windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000007f866843c21 5 bytes JMP 000007f8e6a10360 .text C:\Program Files\Common Files\Nitro PDF\Professional\7.0\NitroPDFDriverService2x64.exe[2744] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 000007f866843c81 5 bytes JMP 000007f8e6a102a0 .text C:\Program Files\Common Files\Nitro PDF\Professional\7.0\NitroPDFDriverService2x64.exe[2744] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000007f866843cd1 5 bytes JMP 000007f8e6a102c0 .text C:\Program Files\Common Files\Nitro PDF\Professional\7.0\NitroPDFDriverService2x64.exe[2744] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread 000007f866843d01 5 bytes JMP 000007f8e6a10380 .text C:\Program Files\Common Files\Nitro PDF\Professional\7.0\NitroPDFDriverService2x64.exe[2744] C:\windows\SYSTEM32\ntdll.dll!NtOpenTimer 000007f866843d11 5 bytes JMP 000007f8e6a10340 .text C:\Program Files\Common Files\Nitro PDF\Professional\7.0\NitroPDFDriverService2x64.exe[2744] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000007f866844021 5 bytes JMP 000007f8e6a10440 .text C:\Program Files\Common Files\Nitro PDF\Professional\7.0\NitroPDFDriverService2x64.exe[2744] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000007f866844221 5 bytes JMP 000007f8e6a10260 .text C:\Program Files\Common Files\Nitro PDF\Professional\7.0\NitroPDFDriverService2x64.exe[2744] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000007f866844231 5 bytes JMP 000007f8e6a10270 .text C:\Program Files\Common Files\Nitro PDF\Professional\7.0\NitroPDFDriverService2x64.exe[2744] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 000007f866844251 5 bytes JMP 000007f8feb019f4 .text C:\Program Files\Common Files\Nitro PDF\Professional\7.0\NitroPDFDriverService2x64.exe[2744] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000007f866844431 5 bytes JMP 000007f8e6a101f0 .text C:\Program Files\Common Files\Nitro PDF\Professional\7.0\NitroPDFDriverService2x64.exe[2744] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000007f866844441 5 bytes JMP 000007f8e6a10210 .text C:\Program Files\Common Files\Nitro PDF\Professional\7.0\NitroPDFDriverService2x64.exe[2744] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000007f8668444b1 5 bytes JMP 000007f8e6a10200 .text C:\Program Files\Common Files\Nitro PDF\Professional\7.0\NitroPDFDriverService2x64.exe[2744] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000007f866844521 5 bytes JMP 000007f8e6a10420 .text C:\Program Files\Common Files\Nitro PDF\Professional\7.0\NitroPDFDriverService2x64.exe[2744] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread 000007f866844531 5 bytes JMP 000007f8e6a10430 .text C:\Program Files\Common Files\Nitro PDF\Professional\7.0\NitroPDFDriverService2x64.exe[2744] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000007f866844541 5 bytes JMP 000007f8e6a10220 .text C:\Program Files\Common Files\Nitro PDF\Professional\7.0\NitroPDFDriverService2x64.exe[2744] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl 000007f866844651 5 bytes JMP 000007f8e6a10280 .text C:\Program Files\Common Files\Nitro PDF\Professional\7.0\NitroPDFDriverService2x64.exe[2744] C:\windows\SYSTEM32\ntdll.dll!LdrUnloadDll 000007f866854a10 5 bytes JMP 000007f8feb0075c .text C:\Program Files\Common Files\Nitro PDF\Professional\7.0\NitroPDFDriverService2x64.exe[2744] C:\windows\SYSTEM32\ntdll.dll!LdrLoadDll 000007f8668731c4 5 bytes JMP 000007f8feb003a4 .text C:\Program Files\Common Files\Nitro PDF\Professional\7.0\NitroPDFDriverService2x64.exe[2744] C:\windows\system32\KERNEL32.dll!GetBinaryTypeW + 163 000007f86648f7eb 1 byte [62] .text C:\Program Files\Common Files\Nitro PDF\Professional\7.0\NitroPDFDriverService2x64.exe[2744] C:\windows\system32\USER32.dll!UnhookWindowsHookEx 000007f865b42120 5 bytes JMP 000007f8e5c91284 .text C:\Program Files\Common Files\Nitro PDF\Professional\7.0\NitroPDFDriverService2x64.exe[2744] C:\windows\system32\USER32.dll!SetWindowsHookExW 000007f865b4bee0 5 bytes JMP 000007f8e5c90ecc .text C:\Program Files\Common Files\Nitro PDF\Professional\7.0\NitroPDFDriverService2x64.exe[2744] C:\windows\system32\USER32.dll!UnhookWinEvent 000007f865b4e030 5 bytes JMP 000007f8e5c9075c .text C:\Program Files\Common Files\Nitro PDF\Professional\7.0\NitroPDFDriverService2x64.exe[2744] C:\windows\system32\USER32.dll!SetWinEventHook 000007f865b52f70 5 bytes JMP 000007f8e5c903a4 .text C:\Program Files\Common Files\Nitro PDF\Professional\7.0\NitroPDFDriverService2x64.exe[2744] C:\windows\system32\USER32.dll!SetWindowsHookExA 000007f865b71850 5 bytes JMP 000007f8e5c90b14 .text C:\Program Files\Common Files\Nitro PDF\Professional\7.0\NitroPDFDriverService2x64.exe[2744] C:\windows\SYSTEM32\sechost.dll!DeleteService 000007f865407510 5 bytes JMP 000007f8e5450b14 .text C:\Program Files\Common Files\Nitro PDF\Professional\7.0\NitroPDFDriverService2x64.exe[2744] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007f865407550 5 bytes JMP 000007f8e54519f4 .text C:\Program Files\Common Files\Nitro PDF\Professional\7.0\NitroPDFDriverService2x64.exe[2744] C:\windows\SYSTEM32\sechost.dll!CreateServiceW 000007f8654075d0 5 bytes JMP 000007f8e545075c .text C:\Program Files\Common Files\Nitro PDF\Professional\7.0\NitroPDFDriverService2x64.exe[2744] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007f865407b20 5 bytes JMP 000007f8e5451284 .text C:\Program Files\Common Files\Nitro PDF\Professional\7.0\NitroPDFDriverService2x64.exe[2744] C:\windows\SYSTEM32\sechost.dll!CreateServiceA 000007f86542b034 5 bytes JMP 000007f8e54503a4 .text C:\Program Files\Common Files\Nitro PDF\Professional\7.0\NitroPDFDriverService2x64.exe[2744] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007f86542b2e4 5 bytes JMP 000007f8e545163c .text C:\Program Files\Common Files\Nitro PDF\Professional\7.0\NitroPDFDriverService2x64.exe[2744] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007f86542b470 5 bytes JMP 000007f8e5450ecc .text C:\Program Files\Common Files\Nitro PDF\Professional\7.0\NitroPDFDriverService2x64.exe[2744] C:\windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007f86542b6d4 5 bytes JMP 000007f8e5451dac .text C:\windows\system32\svchost.exe[2944] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000007f866842c90 5 bytes JMP 000007f8e6a10460 .text C:\windows\system32\svchost.exe[2944] C:\windows\SYSTEM32\ntdll.dll!NtQueryObject 000007f866842ce0 5 bytes JMP 000007f8e6a10450 .text C:\windows\system32\svchost.exe[2944] C:\windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 000007f866842d60 5 bytes JMP 000007f866a00b14 .text C:\windows\system32\svchost.exe[2944] C:\windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 000007f866842dc0 5 bytes JMP 000007f866a00ecc .text C:\windows\system32\svchost.exe[2944] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess 000007f866842e40 5 bytes JMP 000007f8e6a10370 .text C:\windows\system32\svchost.exe[2944] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000007f866842e90 5 bytes JMP 000007f8e6a10470 .text C:\windows\system32\svchost.exe[2944] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000007f866842ea0 5 bytes JMP 000007f866a0163c .text C:\windows\system32\svchost.exe[2944] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 000007f866842f50 5 bytes JMP 000007f8e6a10320 .text C:\windows\system32\svchost.exe[2944] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000007f866842f80 5 bytes JMP 000007f8e6a103b0 .text C:\windows\system32\svchost.exe[2944] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000007f866842fa0 5 bytes JMP 000007f8e6a10390 .text C:\windows\system32\svchost.exe[2944] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 000007f866842fe0 5 bytes JMP 000007f8e6a102e0 .text C:\windows\system32\svchost.exe[2944] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 000007f866843060 5 bytes JMP 000007f8e6a102d0 .text C:\windows\system32\svchost.exe[2944] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 000007f866843080 1 byte JMP 000007f8e6a10310 .text C:\windows\system32\svchost.exe[2944] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection + 2 000007f866843082 3 bytes {JMP 0xffffffff801cd290} .text C:\windows\system32\svchost.exe[2944] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 000007f8668430c0 5 bytes JMP 000007f8e6a103c0 .text C:\windows\system32\svchost.exe[2944] C:\windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 000007f8668430e0 5 bytes JMP 000007f866a01284 .text C:\windows\system32\svchost.exe[2944] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 000007f866843110 5 bytes JMP 000007f8e6a103f0 .text C:\windows\system32\svchost.exe[2944] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000007f866843281 5 bytes JMP 000007f8e6a10230 .text C:\windows\system32\svchost.exe[2944] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000007f866843471 5 bytes JMP 000007f8e6a10480 .text C:\windows\system32\svchost.exe[2944] C:\windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000007f8668434a1 5 bytes JMP 000007f8e6a103a0 .text C:\windows\system32\svchost.exe[2944] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000007f8668435b1 5 bytes JMP 000007f8e6a102f0 .text C:\windows\system32\svchost.exe[2944] C:\windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000007f8668435d1 5 bytes JMP 000007f8e6a10350 .text C:\windows\system32\svchost.exe[2944] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 000007f866843641 5 bytes JMP 000007f8e6a10290 .text C:\windows\system32\svchost.exe[2944] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000007f8668436d1 5 bytes JMP 000007f8e6a102b0 .text C:\windows\system32\svchost.exe[2944] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000007f8668436f1 5 bytes JMP 000007f8e6a103d0 .text C:\windows\system32\svchost.exe[2944] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer 000007f866843701 5 bytes JMP 000007f8e6a10330 .text C:\windows\system32\svchost.exe[2944] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000007f8668437a1 5 bytes JMP 000007f8e6a10410 .text C:\windows\system32\svchost.exe[2944] C:\windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000007f8668437d1 5 bytes JMP 000007f8e6a10240 .text C:\windows\system32\svchost.exe[2944] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 000007f866843ae1 5 bytes JMP 000007f8e6a101e0 .text C:\windows\system32\svchost.exe[2944] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000007f866843ba1 5 bytes JMP 000007f8e6a10250 .text C:\windows\system32\svchost.exe[2944] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000007f866843bd1 5 bytes JMP 000007f8e6a10490 .text C:\windows\system32\svchost.exe[2944] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000007f866843be1 5 bytes JMP 000007f8e6a104a0 .text C:\windows\system32\svchost.exe[2944] C:\windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000007f866843c11 5 bytes JMP 000007f8e6a10300 .text C:\windows\system32\svchost.exe[2944] C:\windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000007f866843c21 5 bytes JMP 000007f8e6a10360 .text C:\windows\system32\svchost.exe[2944] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 000007f866843c81 5 bytes JMP 000007f8e6a102a0 .text C:\windows\system32\svchost.exe[2944] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000007f866843cd1 5 bytes JMP 000007f8e6a102c0 .text C:\windows\system32\svchost.exe[2944] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread 000007f866843d01 5 bytes JMP 000007f8e6a10380 .text C:\windows\system32\svchost.exe[2944] C:\windows\SYSTEM32\ntdll.dll!NtOpenTimer 000007f866843d11 5 bytes JMP 000007f8e6a10340 .text C:\windows\system32\svchost.exe[2944] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000007f866844021 5 bytes JMP 000007f8e6a10440 .text C:\windows\system32\svchost.exe[2944] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000007f866844221 5 bytes JMP 000007f8e6a10260 .text C:\windows\system32\svchost.exe[2944] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000007f866844231 5 bytes JMP 000007f8e6a10270 .text C:\windows\system32\svchost.exe[2944] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 000007f866844251 5 bytes JMP 000007f866a019f4 .text C:\windows\system32\svchost.exe[2944] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000007f866844431 5 bytes JMP 000007f8e6a101f0 .text C:\windows\system32\svchost.exe[2944] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000007f866844441 5 bytes JMP 000007f8e6a10210 .text C:\windows\system32\svchost.exe[2944] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000007f8668444b1 5 bytes JMP 000007f8e6a10200 .text C:\windows\system32\svchost.exe[2944] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000007f866844521 5 bytes JMP 000007f8e6a10420 .text C:\windows\system32\svchost.exe[2944] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread 000007f866844531 5 bytes JMP 000007f8e6a10430 .text C:\windows\system32\svchost.exe[2944] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000007f866844541 5 bytes JMP 000007f8e6a10220 .text C:\windows\system32\svchost.exe[2944] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl 000007f866844651 5 bytes JMP 000007f8e6a10280 .text C:\windows\system32\svchost.exe[2944] C:\windows\SYSTEM32\ntdll.dll!LdrUnloadDll 000007f866854a10 5 bytes JMP 000007f866a0075c .text C:\windows\system32\svchost.exe[2944] C:\windows\SYSTEM32\ntdll.dll!LdrLoadDll 000007f8668731c4 5 bytes JMP 000007f866a003a4 .text C:\windows\system32\svchost.exe[2944] C:\windows\SYSTEM32\sechost.dll!DeleteService 000007f865407510 5 bytes JMP 000007f8e5450b14 .text C:\windows\system32\svchost.exe[2944] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007f865407550 5 bytes JMP 000007f8e54519f4 .text C:\windows\system32\svchost.exe[2944] C:\windows\SYSTEM32\sechost.dll!CreateServiceW 000007f8654075d0 5 bytes JMP 000007f8e545075c .text C:\windows\system32\svchost.exe[2944] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007f865407b20 5 bytes JMP 000007f8e5451284 .text C:\windows\system32\svchost.exe[2944] C:\windows\SYSTEM32\sechost.dll!CreateServiceA 000007f86542b034 5 bytes JMP 000007f8e54503a4 .text C:\windows\system32\svchost.exe[2944] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007f86542b2e4 5 bytes JMP 000007f8e545163c .text C:\windows\system32\svchost.exe[2944] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007f86542b470 5 bytes JMP 000007f8e5450ecc .text C:\windows\system32\svchost.exe[2944] C:\windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007f86542b6d4 5 bytes JMP 000007f8e5451dac .text C:\windows\system32\svchost.exe[2944] C:\windows\SYSTEM32\user32.dll!UnhookWindowsHookEx 000007f865b42120 5 bytes JMP 000007f8e5c91284 .text C:\windows\system32\svchost.exe[2944] C:\windows\SYSTEM32\user32.dll!SetWindowsHookExW 000007f865b4bee0 5 bytes JMP 000007f8e5c90ecc .text C:\windows\system32\svchost.exe[2944] C:\windows\SYSTEM32\user32.dll!UnhookWinEvent 000007f865b4e030 5 bytes JMP 000007f8e5c9075c .text C:\windows\system32\svchost.exe[2944] C:\windows\SYSTEM32\user32.dll!SetWinEventHook 000007f865b52f70 5 bytes JMP 000007f8e5c903a4 .text C:\windows\system32\svchost.exe[2944] C:\windows\SYSTEM32\user32.dll!SetWindowsHookExA 000007f865b71850 5 bytes JMP 000007f8e5c90b14 .text C:\windows\system32\svchost.exe[2968] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000007f866842c90 5 bytes JMP 000007f8e6a10460 .text C:\windows\system32\svchost.exe[2968] C:\windows\SYSTEM32\ntdll.dll!NtQueryObject 000007f866842ce0 5 bytes JMP 000007f8e6a10450 .text C:\windows\system32\svchost.exe[2968] C:\windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 000007f866842d60 5 bytes JMP 000007f866a00b14 .text C:\windows\system32\svchost.exe[2968] C:\windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 000007f866842dc0 5 bytes JMP 000007f866a00ecc .text C:\windows\system32\svchost.exe[2968] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess 000007f866842e40 5 bytes JMP 000007f8e6a10370 .text C:\windows\system32\svchost.exe[2968] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000007f866842e90 5 bytes JMP 000007f8e6a10470 .text C:\windows\system32\svchost.exe[2968] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000007f866842ea0 5 bytes JMP 000007f866a0163c .text C:\windows\system32\svchost.exe[2968] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 000007f866842f50 5 bytes JMP 000007f8e6a10320 .text C:\windows\system32\svchost.exe[2968] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000007f866842f80 5 bytes JMP 000007f8e6a103b0 .text C:\windows\system32\svchost.exe[2968] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000007f866842fa0 5 bytes JMP 000007f8e6a10390 .text C:\windows\system32\svchost.exe[2968] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 000007f866842fe0 5 bytes JMP 000007f8e6a102e0 .text C:\windows\system32\svchost.exe[2968] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 000007f866843060 5 bytes JMP 000007f8e6a102d0 .text C:\windows\system32\svchost.exe[2968] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 000007f866843080 1 byte JMP 000007f8e6a10310 .text C:\windows\system32\svchost.exe[2968] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection + 2 000007f866843082 3 bytes {JMP 0xffffffff801cd290} .text C:\windows\system32\svchost.exe[2968] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 000007f8668430c0 5 bytes JMP 000007f8e6a103c0 .text C:\windows\system32\svchost.exe[2968] C:\windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 000007f8668430e0 5 bytes JMP 000007f866a01284 .text C:\windows\system32\svchost.exe[2968] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 000007f866843110 5 bytes JMP 000007f8e6a103f0 .text C:\windows\system32\svchost.exe[2968] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000007f866843281 5 bytes JMP 000007f8e6a10230 .text C:\windows\system32\svchost.exe[2968] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000007f866843471 5 bytes JMP 000007f8e6a10480 .text C:\windows\system32\svchost.exe[2968] C:\windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000007f8668434a1 5 bytes JMP 000007f8e6a103a0 .text C:\windows\system32\svchost.exe[2968] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000007f8668435b1 5 bytes JMP 000007f8e6a102f0 .text C:\windows\system32\svchost.exe[2968] C:\windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000007f8668435d1 5 bytes JMP 000007f8e6a10350 .text C:\windows\system32\svchost.exe[2968] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 000007f866843641 5 bytes JMP 000007f8e6a10290 .text C:\windows\system32\svchost.exe[2968] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000007f8668436d1 5 bytes JMP 000007f8e6a102b0 .text C:\windows\system32\svchost.exe[2968] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000007f8668436f1 5 bytes JMP 000007f8e6a103d0 .text C:\windows\system32\svchost.exe[2968] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer 000007f866843701 5 bytes JMP 000007f8e6a10330 .text C:\windows\system32\svchost.exe[2968] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000007f8668437a1 5 bytes JMP 000007f8e6a10410 .text C:\windows\system32\svchost.exe[2968] C:\windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000007f8668437d1 5 bytes JMP 000007f8e6a10240 .text C:\windows\system32\svchost.exe[2968] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 000007f866843ae1 5 bytes JMP 000007f8e6a101e0 .text C:\windows\system32\svchost.exe[2968] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000007f866843ba1 5 bytes JMP 000007f8e6a10250 .text C:\windows\system32\svchost.exe[2968] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000007f866843bd1 5 bytes JMP 000007f8e6a10490 .text C:\windows\system32\svchost.exe[2968] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000007f866843be1 5 bytes JMP 000007f8e6a104a0 .text C:\windows\system32\svchost.exe[2968] C:\windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000007f866843c11 5 bytes JMP 000007f8e6a10300 .text C:\windows\system32\svchost.exe[2968] C:\windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000007f866843c21 5 bytes JMP 000007f8e6a10360 .text C:\windows\system32\svchost.exe[2968] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 000007f866843c81 5 bytes JMP 000007f8e6a102a0 .text C:\windows\system32\svchost.exe[2968] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000007f866843cd1 5 bytes JMP 000007f8e6a102c0 .text C:\windows\system32\svchost.exe[2968] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread 000007f866843d01 5 bytes JMP 000007f8e6a10380 .text C:\windows\system32\svchost.exe[2968] C:\windows\SYSTEM32\ntdll.dll!NtOpenTimer 000007f866843d11 5 bytes JMP 000007f8e6a10340 .text C:\windows\system32\svchost.exe[2968] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000007f866844021 5 bytes JMP 000007f8e6a10440 .text C:\windows\system32\svchost.exe[2968] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000007f866844221 5 bytes JMP 000007f8e6a10260 .text C:\windows\system32\svchost.exe[2968] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000007f866844231 5 bytes JMP 000007f8e6a10270 .text C:\windows\system32\svchost.exe[2968] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 000007f866844251 5 bytes JMP 000007f866a019f4 .text C:\windows\system32\svchost.exe[2968] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000007f866844431 5 bytes JMP 000007f8e6a101f0 .text C:\windows\system32\svchost.exe[2968] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000007f866844441 5 bytes JMP 000007f8e6a10210 .text C:\windows\system32\svchost.exe[2968] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000007f8668444b1 5 bytes JMP 000007f8e6a10200 .text C:\windows\system32\svchost.exe[2968] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000007f866844521 5 bytes JMP 000007f8e6a10420 .text C:\windows\system32\svchost.exe[2968] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread 000007f866844531 5 bytes JMP 000007f8e6a10430 .text C:\windows\system32\svchost.exe[2968] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000007f866844541 5 bytes JMP 000007f8e6a10220 .text C:\windows\system32\svchost.exe[2968] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl 000007f866844651 5 bytes JMP 000007f8e6a10280 .text C:\windows\system32\svchost.exe[2968] C:\windows\SYSTEM32\ntdll.dll!LdrUnloadDll 000007f866854a10 5 bytes JMP 000007f866a0075c .text C:\windows\system32\svchost.exe[2968] C:\windows\SYSTEM32\ntdll.dll!LdrLoadDll 000007f8668731c4 5 bytes JMP 000007f866a003a4 .text C:\windows\system32\svchost.exe[2968] C:\windows\SYSTEM32\sechost.dll!DeleteService 000007f865407510 5 bytes JMP 000007f8e5450b14 .text C:\windows\system32\svchost.exe[2968] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007f865407550 5 bytes JMP 000007f8e54519f4 .text C:\windows\system32\svchost.exe[2968] C:\windows\SYSTEM32\sechost.dll!CreateServiceW 000007f8654075d0 5 bytes JMP 000007f8e545075c .text C:\windows\system32\svchost.exe[2968] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007f865407b20 5 bytes JMP 000007f8e5451284 .text C:\windows\system32\svchost.exe[2968] C:\windows\SYSTEM32\sechost.dll!CreateServiceA 000007f86542b034 5 bytes JMP 000007f8e54503a4 .text C:\windows\system32\svchost.exe[2968] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007f86542b2e4 5 bytes JMP 000007f8e545163c .text C:\windows\system32\svchost.exe[2968] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007f86542b470 5 bytes JMP 000007f8e5450ecc .text C:\windows\system32\svchost.exe[2968] C:\windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007f86542b6d4 5 bytes JMP 000007f8e5451dac .text C:\windows\system32\svchost.exe[2968] C:\windows\system32\USER32.dll!UnhookWindowsHookEx 000007f865b42120 5 bytes JMP 000007f8e5c91284 .text C:\windows\system32\svchost.exe[2968] C:\windows\system32\USER32.dll!SetWindowsHookExW 000007f865b4bee0 5 bytes JMP 000007f8e5c90ecc .text C:\windows\system32\svchost.exe[2968] C:\windows\system32\USER32.dll!UnhookWinEvent 000007f865b4e030 5 bytes JMP 000007f8e5c9075c .text C:\windows\system32\svchost.exe[2968] C:\windows\system32\USER32.dll!SetWinEventHook 000007f865b52f70 5 bytes JMP 000007f8e5c903a4 .text C:\windows\system32\svchost.exe[2968] C:\windows\system32\USER32.dll!SetWindowsHookExA 000007f865b71850 5 bytes JMP 000007f8e5c90b14 .text C:\windows\system32\SearchIndexer.exe[3568] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000007f866842c90 5 bytes JMP 000007f8e6a10460 .text C:\windows\system32\SearchIndexer.exe[3568] C:\windows\SYSTEM32\ntdll.dll!NtQueryObject 000007f866842ce0 5 bytes JMP 000007f8e6a10450 .text C:\windows\system32\SearchIndexer.exe[3568] C:\windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 000007f866842d60 5 bytes JMP 000007f8f6ff0b14 .text C:\windows\system32\SearchIndexer.exe[3568] C:\windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 000007f866842dc0 5 bytes JMP 000007f8f6ff0ecc .text C:\windows\system32\SearchIndexer.exe[3568] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess 000007f866842e40 5 bytes JMP 000007f8e6a10370 .text C:\windows\system32\SearchIndexer.exe[3568] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000007f866842e90 5 bytes JMP 000007f8e6a10470 .text C:\windows\system32\SearchIndexer.exe[3568] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000007f866842ea0 5 bytes JMP 000007f8f6ff163c .text C:\windows\system32\SearchIndexer.exe[3568] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 000007f866842f50 5 bytes JMP 000007f8e6a10320 .text C:\windows\system32\SearchIndexer.exe[3568] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000007f866842f80 5 bytes JMP 000007f8e6a103b0 .text C:\windows\system32\SearchIndexer.exe[3568] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000007f866842fa0 5 bytes JMP 000007f8e6a10390 .text C:\windows\system32\SearchIndexer.exe[3568] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 000007f866842fe0 5 bytes JMP 000007f8e6a102e0 .text C:\windows\system32\SearchIndexer.exe[3568] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 000007f866843060 5 bytes JMP 000007f8e6a102d0 .text C:\windows\system32\SearchIndexer.exe[3568] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 000007f866843080 1 byte JMP 000007f8e6a10310 .text C:\windows\system32\SearchIndexer.exe[3568] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection + 2 000007f866843082 3 bytes {JMP 0xffffffff801cd290} .text C:\windows\system32\SearchIndexer.exe[3568] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 000007f8668430c0 5 bytes JMP 000007f8e6a103c0 .text C:\windows\system32\SearchIndexer.exe[3568] C:\windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 000007f8668430e0 5 bytes JMP 000007f8f6ff1284 .text C:\windows\system32\SearchIndexer.exe[3568] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 000007f866843110 5 bytes JMP 000007f8e6a103f0 .text C:\windows\system32\SearchIndexer.exe[3568] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000007f866843281 5 bytes JMP 000007f8e6a10230 .text C:\windows\system32\SearchIndexer.exe[3568] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000007f866843471 5 bytes JMP 000007f8e6a10480 .text C:\windows\system32\SearchIndexer.exe[3568] C:\windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000007f8668434a1 5 bytes JMP 000007f8e6a103a0 .text C:\windows\system32\SearchIndexer.exe[3568] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000007f8668435b1 5 bytes JMP 000007f8e6a102f0 .text C:\windows\system32\SearchIndexer.exe[3568] C:\windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000007f8668435d1 5 bytes JMP 000007f8e6a10350 .text C:\windows\system32\SearchIndexer.exe[3568] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 000007f866843641 5 bytes JMP 000007f8e6a10290 .text C:\windows\system32\SearchIndexer.exe[3568] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000007f8668436d1 5 bytes JMP 000007f8e6a102b0 .text C:\windows\system32\SearchIndexer.exe[3568] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000007f8668436f1 5 bytes JMP 000007f8e6a103d0 .text C:\windows\system32\SearchIndexer.exe[3568] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer 000007f866843701 5 bytes JMP 000007f8e6a10330 .text C:\windows\system32\SearchIndexer.exe[3568] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000007f8668437a1 5 bytes JMP 000007f8e6a10410 .text C:\windows\system32\SearchIndexer.exe[3568] C:\windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000007f8668437d1 5 bytes JMP 000007f8e6a10240 .text C:\windows\system32\SearchIndexer.exe[3568] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 000007f866843ae1 5 bytes JMP 000007f8e6a101e0 .text C:\windows\system32\SearchIndexer.exe[3568] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000007f866843ba1 5 bytes JMP 000007f8e6a10250 .text C:\windows\system32\SearchIndexer.exe[3568] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000007f866843bd1 5 bytes JMP 000007f8e6a10490 .text C:\windows\system32\SearchIndexer.exe[3568] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000007f866843be1 5 bytes JMP 000007f8e6a104a0 .text C:\windows\system32\SearchIndexer.exe[3568] C:\windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000007f866843c11 5 bytes JMP 000007f8e6a10300 .text C:\windows\system32\SearchIndexer.exe[3568] C:\windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000007f866843c21 5 bytes JMP 000007f8e6a10360 .text C:\windows\system32\SearchIndexer.exe[3568] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 000007f866843c81 5 bytes JMP 000007f8e6a102a0 .text C:\windows\system32\SearchIndexer.exe[3568] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000007f866843cd1 5 bytes JMP 000007f8e6a102c0 .text C:\windows\system32\SearchIndexer.exe[3568] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread 000007f866843d01 5 bytes JMP 000007f8e6a10380 .text C:\windows\system32\SearchIndexer.exe[3568] C:\windows\SYSTEM32\ntdll.dll!NtOpenTimer 000007f866843d11 5 bytes JMP 000007f8e6a10340 .text C:\windows\system32\SearchIndexer.exe[3568] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000007f866844021 5 bytes JMP 000007f8e6a10440 .text C:\windows\system32\SearchIndexer.exe[3568] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000007f866844221 5 bytes JMP 000007f8e6a10260 .text C:\windows\system32\SearchIndexer.exe[3568] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000007f866844231 5 bytes JMP 000007f8e6a10270 .text C:\windows\system32\SearchIndexer.exe[3568] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 000007f866844251 5 bytes JMP 000007f8f6ff19f4 .text C:\windows\system32\SearchIndexer.exe[3568] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000007f866844431 5 bytes JMP 000007f8e6a101f0 .text C:\windows\system32\SearchIndexer.exe[3568] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000007f866844441 5 bytes JMP 000007f8e6a10210 .text C:\windows\system32\SearchIndexer.exe[3568] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000007f8668444b1 5 bytes JMP 000007f8e6a10200 .text C:\windows\system32\SearchIndexer.exe[3568] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000007f866844521 5 bytes JMP 000007f8e6a10420 .text C:\windows\system32\SearchIndexer.exe[3568] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread 000007f866844531 5 bytes JMP 000007f8e6a10430 .text C:\windows\system32\SearchIndexer.exe[3568] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000007f866844541 5 bytes JMP 000007f8e6a10220 .text C:\windows\system32\SearchIndexer.exe[3568] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl 000007f866844651 5 bytes JMP 000007f8e6a10280 .text C:\windows\system32\SearchIndexer.exe[3568] C:\windows\SYSTEM32\ntdll.dll!LdrUnloadDll 000007f866854a10 5 bytes JMP 000007f8f6ff075c .text C:\windows\system32\SearchIndexer.exe[3568] C:\windows\SYSTEM32\ntdll.dll!LdrLoadDll 000007f8668731c4 5 bytes JMP 000007f8f6ff03a4 .text C:\windows\system32\SearchIndexer.exe[3568] C:\windows\system32\KERNEL32.dll!GetBinaryTypeW + 163 000007f86648f7eb 1 byte [62] .text C:\windows\system32\SearchIndexer.exe[3568] C:\windows\system32\USER32.dll!UnhookWindowsHookEx 000007f865b42120 5 bytes JMP 000007f8e5c91284 .text C:\windows\system32\SearchIndexer.exe[3568] C:\windows\system32\USER32.dll!SetWindowsHookExW 000007f865b4bee0 5 bytes JMP 000007f8e5c90ecc .text C:\windows\system32\SearchIndexer.exe[3568] C:\windows\system32\USER32.dll!UnhookWinEvent 000007f865b4e030 5 bytes JMP 000007f8e5c9075c .text C:\windows\system32\SearchIndexer.exe[3568] C:\windows\system32\USER32.dll!SetWinEventHook 000007f865b52f70 5 bytes JMP 000007f8e5c903a4 .text C:\windows\system32\SearchIndexer.exe[3568] C:\windows\system32\USER32.dll!SetWindowsHookExA 000007f865b71850 5 bytes JMP 000007f8e5c90b14 .text C:\windows\system32\SearchIndexer.exe[3568] C:\windows\SYSTEM32\sechost.dll!DeleteService 000007f865407510 5 bytes JMP 000007f8e5450b14 .text C:\windows\system32\SearchIndexer.exe[3568] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007f865407550 5 bytes JMP 000007f8e54519f4 .text C:\windows\system32\SearchIndexer.exe[3568] C:\windows\SYSTEM32\sechost.dll!CreateServiceW 000007f8654075d0 5 bytes JMP 000007f8e545075c .text C:\windows\system32\SearchIndexer.exe[3568] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007f865407b20 5 bytes JMP 000007f8e5451284 .text C:\windows\system32\SearchIndexer.exe[3568] C:\windows\SYSTEM32\sechost.dll!CreateServiceA 000007f86542b034 5 bytes JMP 000007f8e54503a4 .text C:\windows\system32\SearchIndexer.exe[3568] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007f86542b2e4 5 bytes JMP 000007f8e545163c .text C:\windows\system32\SearchIndexer.exe[3568] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007f86542b470 5 bytes JMP 000007f8e5450ecc .text C:\windows\system32\SearchIndexer.exe[3568] C:\windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007f86542b6d4 5 bytes JMP 000007f8e5451dac .text C:\windows\system32\svchost.exe[3792] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000007f866842c90 5 bytes JMP 000007f8e6a10460 .text C:\windows\system32\svchost.exe[3792] C:\windows\SYSTEM32\ntdll.dll!NtQueryObject 000007f866842ce0 5 bytes JMP 000007f8e6a10450 .text C:\windows\system32\svchost.exe[3792] C:\windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 000007f866842d60 5 bytes JMP 000007f866a00b14 .text C:\windows\system32\svchost.exe[3792] C:\windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 000007f866842dc0 5 bytes JMP 000007f866a00ecc .text C:\windows\system32\svchost.exe[3792] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess 000007f866842e40 5 bytes JMP 000007f8e6a10370 .text C:\windows\system32\svchost.exe[3792] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000007f866842e90 5 bytes JMP 000007f8e6a10470 .text C:\windows\system32\svchost.exe[3792] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000007f866842ea0 5 bytes JMP 000007f866a0163c .text C:\windows\system32\svchost.exe[3792] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 000007f866842f50 5 bytes JMP 000007f8e6a10320 .text C:\windows\system32\svchost.exe[3792] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000007f866842f80 5 bytes JMP 000007f8e6a103b0 .text C:\windows\system32\svchost.exe[3792] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000007f866842fa0 5 bytes JMP 000007f8e6a10390 .text C:\windows\system32\svchost.exe[3792] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 000007f866842fe0 5 bytes JMP 000007f8e6a102e0 .text C:\windows\system32\svchost.exe[3792] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 000007f866843060 5 bytes JMP 000007f8e6a102d0 .text C:\windows\system32\svchost.exe[3792] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 000007f866843080 1 byte JMP 000007f8e6a10310 .text C:\windows\system32\svchost.exe[3792] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection + 2 000007f866843082 3 bytes {JMP 0xffffffff801cd290} .text C:\windows\system32\svchost.exe[3792] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 000007f8668430c0 5 bytes JMP 000007f8e6a103c0 .text C:\windows\system32\svchost.exe[3792] C:\windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 000007f8668430e0 5 bytes JMP 000007f866a01284 .text C:\windows\system32\svchost.exe[3792] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 000007f866843110 5 bytes JMP 000007f8e6a103f0 .text C:\windows\system32\svchost.exe[3792] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000007f866843281 5 bytes JMP 000007f8e6a10230 .text C:\windows\system32\svchost.exe[3792] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000007f866843471 5 bytes JMP 000007f8e6a10480 .text C:\windows\system32\svchost.exe[3792] C:\windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000007f8668434a1 5 bytes JMP 000007f8e6a103a0 .text C:\windows\system32\svchost.exe[3792] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000007f8668435b1 5 bytes JMP 000007f8e6a102f0 .text C:\windows\system32\svchost.exe[3792] C:\windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000007f8668435d1 5 bytes JMP 000007f8e6a10350 .text C:\windows\system32\svchost.exe[3792] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 000007f866843641 5 bytes JMP 000007f8e6a10290 .text C:\windows\system32\svchost.exe[3792] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000007f8668436d1 5 bytes JMP 000007f8e6a102b0 .text C:\windows\system32\svchost.exe[3792] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000007f8668436f1 5 bytes JMP 000007f8e6a103d0 .text C:\windows\system32\svchost.exe[3792] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer 000007f866843701 5 bytes JMP 000007f8e6a10330 .text C:\windows\system32\svchost.exe[3792] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000007f8668437a1 5 bytes JMP 000007f8e6a10410 .text C:\windows\system32\svchost.exe[3792] C:\windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000007f8668437d1 5 bytes JMP 000007f8e6a10240 .text C:\windows\system32\svchost.exe[3792] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 000007f866843ae1 5 bytes JMP 000007f8e6a101e0 .text C:\windows\system32\svchost.exe[3792] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000007f866843ba1 5 bytes JMP 000007f8e6a10250 .text C:\windows\system32\svchost.exe[3792] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000007f866843bd1 5 bytes JMP 000007f8e6a10490 .text C:\windows\system32\svchost.exe[3792] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000007f866843be1 5 bytes JMP 000007f8e6a104a0 .text C:\windows\system32\svchost.exe[3792] C:\windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000007f866843c11 5 bytes JMP 000007f8e6a10300 .text C:\windows\system32\svchost.exe[3792] C:\windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000007f866843c21 5 bytes JMP 000007f8e6a10360 .text C:\windows\system32\svchost.exe[3792] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 000007f866843c81 5 bytes JMP 000007f8e6a102a0 .text C:\windows\system32\svchost.exe[3792] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000007f866843cd1 5 bytes JMP 000007f8e6a102c0 .text C:\windows\system32\svchost.exe[3792] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread 000007f866843d01 5 bytes JMP 000007f8e6a10380 .text C:\windows\system32\svchost.exe[3792] C:\windows\SYSTEM32\ntdll.dll!NtOpenTimer 000007f866843d11 5 bytes JMP 000007f8e6a10340 .text C:\windows\system32\svchost.exe[3792] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000007f866844021 5 bytes JMP 000007f8e6a10440 .text C:\windows\system32\svchost.exe[3792] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000007f866844221 5 bytes JMP 000007f8e6a10260 .text C:\windows\system32\svchost.exe[3792] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000007f866844231 5 bytes JMP 000007f8e6a10270 .text C:\windows\system32\svchost.exe[3792] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 000007f866844251 5 bytes JMP 000007f866a019f4 .text C:\windows\system32\svchost.exe[3792] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000007f866844431 5 bytes JMP 000007f8e6a101f0 .text C:\windows\system32\svchost.exe[3792] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000007f866844441 5 bytes JMP 000007f8e6a10210 .text C:\windows\system32\svchost.exe[3792] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000007f8668444b1 5 bytes JMP 000007f8e6a10200 .text C:\windows\system32\svchost.exe[3792] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000007f866844521 5 bytes JMP 000007f8e6a10420 .text C:\windows\system32\svchost.exe[3792] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread 000007f866844531 5 bytes JMP 000007f8e6a10430 .text C:\windows\system32\svchost.exe[3792] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000007f866844541 5 bytes JMP 000007f8e6a10220 .text C:\windows\system32\svchost.exe[3792] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl 000007f866844651 5 bytes JMP 000007f8e6a10280 .text C:\windows\system32\svchost.exe[3792] C:\windows\SYSTEM32\ntdll.dll!LdrUnloadDll 000007f866854a10 5 bytes JMP 000007f866a0075c .text C:\windows\system32\svchost.exe[3792] C:\windows\SYSTEM32\ntdll.dll!LdrLoadDll 000007f8668731c4 5 bytes JMP 000007f866a003a4 .text C:\windows\system32\svchost.exe[3792] C:\windows\system32\KERNEL32.dll!GetBinaryTypeW + 163 000007f86648f7eb 1 byte [62] .text C:\windows\system32\svchost.exe[3792] C:\windows\SYSTEM32\sechost.dll!DeleteService 000007f865407510 5 bytes JMP 000007f8e5450b14 .text C:\windows\system32\svchost.exe[3792] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007f865407550 5 bytes JMP 000007f8e54519f4 .text C:\windows\system32\svchost.exe[3792] C:\windows\SYSTEM32\sechost.dll!CreateServiceW 000007f8654075d0 5 bytes JMP 000007f8e545075c .text C:\windows\system32\svchost.exe[3792] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007f865407b20 5 bytes JMP 000007f8e5451284 .text C:\windows\system32\svchost.exe[3792] C:\windows\SYSTEM32\sechost.dll!CreateServiceA 000007f86542b034 5 bytes JMP 000007f8e54503a4 .text C:\windows\system32\svchost.exe[3792] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007f86542b2e4 5 bytes JMP 000007f8e545163c .text C:\windows\system32\svchost.exe[3792] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007f86542b470 5 bytes JMP 000007f8e5450ecc .text C:\windows\system32\svchost.exe[3792] C:\windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007f86542b6d4 5 bytes JMP 000007f8e5451dac .text C:\windows\system32\svchost.exe[3792] C:\windows\system32\USER32.dll!UnhookWindowsHookEx 000007f865b42120 5 bytes JMP 000007f8e5c91284 .text C:\windows\system32\svchost.exe[3792] C:\windows\system32\USER32.dll!SetWindowsHookExW 000007f865b4bee0 5 bytes JMP 000007f8e5c90ecc .text C:\windows\system32\svchost.exe[3792] C:\windows\system32\USER32.dll!UnhookWinEvent 000007f865b4e030 5 bytes JMP 000007f8e5c9075c .text C:\windows\system32\svchost.exe[3792] C:\windows\system32\USER32.dll!SetWinEventHook 000007f865b52f70 5 bytes JMP 000007f8e5c903a4 .text C:\windows\system32\svchost.exe[3792] C:\windows\system32\USER32.dll!SetWindowsHookExA 000007f865b71850 5 bytes JMP 000007f8e5c90b14 .text C:\Windows\System32\WUDFHost.exe[3060] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000007f866842c90 5 bytes JMP 000007f8e6a10460 .text C:\Windows\System32\WUDFHost.exe[3060] C:\windows\SYSTEM32\ntdll.dll!NtQueryObject 000007f866842ce0 5 bytes JMP 000007f8e6a10450 .text C:\Windows\System32\WUDFHost.exe[3060] C:\windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 000007f866842d60 5 bytes JMP 000007f866a00b14 .text C:\Windows\System32\WUDFHost.exe[3060] C:\windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 000007f866842dc0 5 bytes JMP 000007f866a00ecc .text C:\Windows\System32\WUDFHost.exe[3060] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess 000007f866842e40 5 bytes JMP 000007f8e6a10370 .text C:\Windows\System32\WUDFHost.exe[3060] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000007f866842e90 5 bytes JMP 000007f8e6a10470 .text C:\Windows\System32\WUDFHost.exe[3060] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000007f866842ea0 5 bytes JMP 000007f866a0163c .text C:\Windows\System32\WUDFHost.exe[3060] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 000007f866842f50 5 bytes JMP 000007f8e6a10320 .text C:\Windows\System32\WUDFHost.exe[3060] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000007f866842f80 5 bytes JMP 000007f8e6a103b0 .text C:\Windows\System32\WUDFHost.exe[3060] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000007f866842fa0 5 bytes JMP 000007f8e6a10390 .text C:\Windows\System32\WUDFHost.exe[3060] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 000007f866842fe0 5 bytes JMP 000007f8e6a102e0 .text C:\Windows\System32\WUDFHost.exe[3060] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 000007f866843060 5 bytes JMP 000007f8e6a102d0 .text C:\Windows\System32\WUDFHost.exe[3060] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 000007f866843080 1 byte JMP 000007f8e6a10310 .text C:\Windows\System32\WUDFHost.exe[3060] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection + 2 000007f866843082 3 bytes {JMP 0xffffffff801cd290} .text C:\Windows\System32\WUDFHost.exe[3060] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 000007f8668430c0 5 bytes JMP 000007f8e6a103c0 .text C:\Windows\System32\WUDFHost.exe[3060] C:\windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 000007f8668430e0 5 bytes JMP 000007f866a01284 .text C:\Windows\System32\WUDFHost.exe[3060] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 000007f866843110 5 bytes JMP 000007f8e6a103f0 .text C:\Windows\System32\WUDFHost.exe[3060] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000007f866843281 5 bytes JMP 000007f8e6a10230 .text C:\Windows\System32\WUDFHost.exe[3060] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000007f866843471 5 bytes JMP 000007f8e6a10480 .text C:\Windows\System32\WUDFHost.exe[3060] C:\windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000007f8668434a1 5 bytes JMP 000007f8e6a103a0 .text C:\Windows\System32\WUDFHost.exe[3060] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000007f8668435b1 5 bytes JMP 000007f8e6a102f0 .text C:\Windows\System32\WUDFHost.exe[3060] C:\windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000007f8668435d1 5 bytes JMP 000007f8e6a10350 .text C:\Windows\System32\WUDFHost.exe[3060] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 000007f866843641 5 bytes JMP 000007f8e6a10290 .text C:\Windows\System32\WUDFHost.exe[3060] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000007f8668436d1 5 bytes JMP 000007f8e6a102b0 .text C:\Windows\System32\WUDFHost.exe[3060] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000007f8668436f1 5 bytes JMP 000007f8e6a103d0 .text C:\Windows\System32\WUDFHost.exe[3060] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer 000007f866843701 5 bytes JMP 000007f8e6a10330 .text C:\Windows\System32\WUDFHost.exe[3060] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000007f8668437a1 5 bytes JMP 000007f8e6a10410 .text C:\Windows\System32\WUDFHost.exe[3060] C:\windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000007f8668437d1 5 bytes JMP 000007f8e6a10240 .text C:\Windows\System32\WUDFHost.exe[3060] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 000007f866843ae1 5 bytes JMP 000007f8e6a101e0 .text C:\Windows\System32\WUDFHost.exe[3060] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000007f866843ba1 5 bytes JMP 000007f8e6a10250 .text C:\Windows\System32\WUDFHost.exe[3060] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000007f866843bd1 5 bytes JMP 000007f8e6a10490 .text C:\Windows\System32\WUDFHost.exe[3060] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000007f866843be1 5 bytes JMP 000007f8e6a104a0 .text C:\Windows\System32\WUDFHost.exe[3060] C:\windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000007f866843c11 5 bytes JMP 000007f8e6a10300 .text C:\Windows\System32\WUDFHost.exe[3060] C:\windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000007f866843c21 5 bytes JMP 000007f8e6a10360 .text C:\Windows\System32\WUDFHost.exe[3060] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 000007f866843c81 5 bytes JMP 000007f8e6a102a0 .text C:\Windows\System32\WUDFHost.exe[3060] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000007f866843cd1 5 bytes JMP 000007f8e6a102c0 .text C:\Windows\System32\WUDFHost.exe[3060] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread 000007f866843d01 5 bytes JMP 000007f8e6a10380 .text C:\Windows\System32\WUDFHost.exe[3060] C:\windows\SYSTEM32\ntdll.dll!NtOpenTimer 000007f866843d11 5 bytes JMP 000007f8e6a10340 .text C:\Windows\System32\WUDFHost.exe[3060] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000007f866844021 5 bytes JMP 000007f8e6a10440 .text C:\Windows\System32\WUDFHost.exe[3060] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000007f866844221 5 bytes JMP 000007f8e6a10260 .text C:\Windows\System32\WUDFHost.exe[3060] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000007f866844231 5 bytes JMP 000007f8e6a10270 .text C:\Windows\System32\WUDFHost.exe[3060] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 000007f866844251 5 bytes JMP 000007f866a019f4 .text C:\Windows\System32\WUDFHost.exe[3060] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000007f866844431 5 bytes JMP 000007f8e6a101f0 .text C:\Windows\System32\WUDFHost.exe[3060] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000007f866844441 5 bytes JMP 000007f8e6a10210 .text C:\Windows\System32\WUDFHost.exe[3060] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000007f8668444b1 5 bytes JMP 000007f8e6a10200 .text C:\Windows\System32\WUDFHost.exe[3060] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000007f866844521 5 bytes JMP 000007f8e6a10420 .text C:\Windows\System32\WUDFHost.exe[3060] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread 000007f866844531 5 bytes JMP 000007f8e6a10430 .text C:\Windows\System32\WUDFHost.exe[3060] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000007f866844541 5 bytes JMP 000007f8e6a10220 .text C:\Windows\System32\WUDFHost.exe[3060] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl 000007f866844651 5 bytes JMP 000007f8e6a10280 .text C:\Windows\System32\WUDFHost.exe[3060] C:\windows\SYSTEM32\ntdll.dll!LdrUnloadDll 000007f866854a10 5 bytes JMP 000007f866a0075c .text C:\Windows\System32\WUDFHost.exe[3060] C:\windows\SYSTEM32\ntdll.dll!LdrLoadDll 000007f8668731c4 5 bytes JMP 000007f866a003a4 .text C:\Windows\System32\WUDFHost.exe[3060] C:\windows\system32\USER32.dll!UnhookWindowsHookEx 000007f865b42120 5 bytes JMP 000007f8e5c91284 .text C:\Windows\System32\WUDFHost.exe[3060] C:\windows\system32\USER32.dll!SetWindowsHookExW 000007f865b4bee0 5 bytes JMP 000007f8e5c90ecc .text C:\Windows\System32\WUDFHost.exe[3060] C:\windows\system32\USER32.dll!UnhookWinEvent 000007f865b4e030 5 bytes JMP 000007f8e5c9075c .text C:\Windows\System32\WUDFHost.exe[3060] C:\windows\system32\USER32.dll!SetWinEventHook 000007f865b52f70 5 bytes JMP 000007f8e5c903a4 .text C:\Windows\System32\WUDFHost.exe[3060] C:\windows\system32\USER32.dll!SetWindowsHookExA 000007f865b71850 5 bytes JMP 000007f8e5c90b14 .text C:\Windows\System32\WUDFHost.exe[3060] C:\windows\SYSTEM32\sechost.dll!DeleteService 000007f865407510 5 bytes JMP 000007f8e5450b14 .text C:\Windows\System32\WUDFHost.exe[3060] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007f865407550 5 bytes JMP 000007f8e54519f4 .text C:\Windows\System32\WUDFHost.exe[3060] C:\windows\SYSTEM32\sechost.dll!CreateServiceW 000007f8654075d0 5 bytes JMP 000007f8e545075c .text C:\Windows\System32\WUDFHost.exe[3060] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007f865407b20 5 bytes JMP 000007f8e5451284 .text C:\Windows\System32\WUDFHost.exe[3060] C:\windows\SYSTEM32\sechost.dll!CreateServiceA 000007f86542b034 5 bytes JMP 000007f8e54503a4 .text C:\Windows\System32\WUDFHost.exe[3060] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007f86542b2e4 5 bytes JMP 000007f8e545163c .text C:\Windows\System32\WUDFHost.exe[3060] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007f86542b470 5 bytes JMP 000007f8e5450ecc .text C:\Windows\System32\WUDFHost.exe[3060] C:\windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007f86542b6d4 5 bytes JMP 000007f8e5451dac .text C:\windows\system32\csrss.exe[4496] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000007f866842c90 5 bytes JMP 000007f8e6a10460 .text C:\windows\system32\csrss.exe[4496] C:\windows\SYSTEM32\ntdll.dll!NtQueryObject 000007f866842ce0 5 bytes JMP 000007f8e6a10450 .text C:\windows\system32\csrss.exe[4496] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess 000007f866842e40 5 bytes JMP 000007f8e6a10370 .text C:\windows\system32\csrss.exe[4496] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000007f866842e90 5 bytes JMP 000007f8e6a10470 .text C:\windows\system32\csrss.exe[4496] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000007f866842ea0 5 bytes JMP 000007f8e6a103e0 .text C:\windows\system32\csrss.exe[4496] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 000007f866842f50 5 bytes JMP 000007f8e6a10320 .text C:\windows\system32\csrss.exe[4496] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000007f866842f80 5 bytes JMP 000007f8e6a103b0 .text C:\windows\system32\csrss.exe[4496] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000007f866842fa0 5 bytes JMP 000007f8e6a10390 .text C:\windows\system32\csrss.exe[4496] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 000007f866842fe0 5 bytes JMP 000007f8e6a102e0 .text C:\windows\system32\csrss.exe[4496] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 000007f866843060 5 bytes JMP 000007f8e6a102d0 .text C:\windows\system32\csrss.exe[4496] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 000007f866843080 1 byte JMP 000007f8e6a10310 .text C:\windows\system32\csrss.exe[4496] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection + 2 000007f866843082 3 bytes {JMP 0xffffffff801cd290} .text C:\windows\system32\csrss.exe[4496] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 000007f8668430c0 5 bytes JMP 000007f8e6a103c0 .text C:\windows\system32\csrss.exe[4496] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 000007f866843110 5 bytes JMP 000007f8e6a103f0 .text C:\windows\system32\csrss.exe[4496] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000007f866843281 5 bytes JMP 000007f8e6a10230 .text C:\windows\system32\csrss.exe[4496] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000007f866843471 5 bytes JMP 000007f8e6a10480 .text C:\windows\system32\csrss.exe[4496] C:\windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000007f8668434a1 5 bytes JMP 000007f8e6a103a0 .text C:\windows\system32\csrss.exe[4496] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000007f8668435b1 5 bytes JMP 000007f8e6a102f0 .text C:\windows\system32\csrss.exe[4496] C:\windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000007f8668435d1 5 bytes JMP 000007f8e6a10350 .text C:\windows\system32\csrss.exe[4496] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 000007f866843641 5 bytes JMP 000007f8e6a10290 .text C:\windows\system32\csrss.exe[4496] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000007f8668436d1 5 bytes JMP 000007f8e6a102b0 .text C:\windows\system32\csrss.exe[4496] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000007f8668436f1 5 bytes JMP 000007f8e6a103d0 .text C:\windows\system32\csrss.exe[4496] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer 000007f866843701 5 bytes JMP 000007f8e6a10330 .text C:\windows\system32\csrss.exe[4496] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000007f8668437a1 5 bytes JMP 000007f8e6a10410 .text C:\windows\system32\csrss.exe[4496] C:\windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000007f8668437d1 5 bytes JMP 000007f8e6a10240 .text C:\windows\system32\csrss.exe[4496] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 000007f866843ae1 5 bytes JMP 000007f8e6a101e0 .text C:\windows\system32\csrss.exe[4496] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000007f866843ba1 5 bytes JMP 000007f8e6a10250 .text C:\windows\system32\csrss.exe[4496] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000007f866843bd1 5 bytes JMP 000007f8e6a10490 .text C:\windows\system32\csrss.exe[4496] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000007f866843be1 5 bytes JMP 000007f8e6a104a0 .text C:\windows\system32\csrss.exe[4496] C:\windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000007f866843c11 5 bytes JMP 000007f8e6a10300 .text C:\windows\system32\csrss.exe[4496] C:\windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000007f866843c21 5 bytes JMP 000007f8e6a10360 .text C:\windows\system32\csrss.exe[4496] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 000007f866843c81 5 bytes JMP 000007f8e6a102a0 .text C:\windows\system32\csrss.exe[4496] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000007f866843cd1 5 bytes JMP 000007f8e6a102c0 .text C:\windows\system32\csrss.exe[4496] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread 000007f866843d01 5 bytes JMP 000007f8e6a10380 .text C:\windows\system32\csrss.exe[4496] C:\windows\SYSTEM32\ntdll.dll!NtOpenTimer 000007f866843d11 5 bytes JMP 000007f8e6a10340 .text C:\windows\system32\csrss.exe[4496] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000007f866844021 5 bytes JMP 000007f8e6a10440 .text C:\windows\system32\csrss.exe[4496] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000007f866844221 5 bytes JMP 000007f8e6a10260 .text C:\windows\system32\csrss.exe[4496] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000007f866844231 5 bytes JMP 000007f8e6a10270 .text C:\windows\system32\csrss.exe[4496] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 000007f866844251 5 bytes JMP 000007f8e6a10400 .text C:\windows\system32\csrss.exe[4496] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000007f866844431 5 bytes JMP 000007f8e6a101f0 .text C:\windows\system32\csrss.exe[4496] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000007f866844441 5 bytes JMP 000007f8e6a10210 .text C:\windows\system32\csrss.exe[4496] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000007f8668444b1 5 bytes JMP 000007f8e6a10200 .text C:\windows\system32\csrss.exe[4496] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000007f866844521 5 bytes JMP 000007f8e6a10420 .text C:\windows\system32\csrss.exe[4496] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread 000007f866844531 5 bytes JMP 000007f8e6a10430 .text C:\windows\system32\csrss.exe[4496] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000007f866844541 5 bytes JMP 000007f8e6a10220 .text C:\windows\system32\csrss.exe[4496] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl 000007f866844651 5 bytes JMP 000007f8e6a10280 .text C:\windows\system32\csrss.exe[4496] C:\windows\SYSTEM32\kernel32.dll!GetBinaryTypeW + 163 000007f86648f7eb 1 byte [62] .text C:\windows\System32\WinLogon.exe[3708] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000007f866842c90 5 bytes JMP 000007f8e6a10460 .text C:\windows\System32\WinLogon.exe[3708] C:\windows\SYSTEM32\ntdll.dll!NtQueryObject 000007f866842ce0 5 bytes JMP 000007f8e6a10450 .text C:\windows\System32\WinLogon.exe[3708] C:\windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 000007f866842d60 5 bytes JMP 000007f866a00b14 .text C:\windows\System32\WinLogon.exe[3708] C:\windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 000007f866842dc0 5 bytes JMP 000007f866a00ecc .text C:\windows\System32\WinLogon.exe[3708] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess 000007f866842e40 5 bytes JMP 000007f8e6a10370 .text C:\windows\System32\WinLogon.exe[3708] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000007f866842e90 5 bytes JMP 000007f8e6a10470 .text C:\windows\System32\WinLogon.exe[3708] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000007f866842ea0 5 bytes JMP 000007f866a0163c .text C:\windows\System32\WinLogon.exe[3708] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 000007f866842f50 5 bytes JMP 000007f8e6a10320 .text C:\windows\System32\WinLogon.exe[3708] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000007f866842f80 5 bytes JMP 000007f8e6a103b0 .text C:\windows\System32\WinLogon.exe[3708] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000007f866842fa0 5 bytes JMP 000007f8e6a10390 .text C:\windows\System32\WinLogon.exe[3708] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 000007f866842fe0 5 bytes JMP 000007f8e6a102e0 .text C:\windows\System32\WinLogon.exe[3708] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 000007f866843060 5 bytes JMP 000007f8e6a102d0 .text C:\windows\System32\WinLogon.exe[3708] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 000007f866843080 1 byte JMP 000007f8e6a10310 .text C:\windows\System32\WinLogon.exe[3708] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection + 2 000007f866843082 3 bytes {JMP 0xffffffff801cd290} .text C:\windows\System32\WinLogon.exe[3708] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 000007f8668430c0 5 bytes JMP 000007f8e6a103c0 .text C:\windows\System32\WinLogon.exe[3708] C:\windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 000007f8668430e0 5 bytes JMP 000007f866a01284 .text C:\windows\System32\WinLogon.exe[3708] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 000007f866843110 5 bytes JMP 000007f8e6a103f0 .text C:\windows\System32\WinLogon.exe[3708] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000007f866843281 5 bytes JMP 000007f8e6a10230 .text C:\windows\System32\WinLogon.exe[3708] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000007f866843471 5 bytes JMP 000007f8e6a10480 .text C:\windows\System32\WinLogon.exe[3708] C:\windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000007f8668434a1 5 bytes JMP 000007f8e6a103a0 .text C:\windows\System32\WinLogon.exe[3708] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000007f8668435b1 5 bytes JMP 000007f8e6a102f0 .text C:\windows\System32\WinLogon.exe[3708] C:\windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000007f8668435d1 5 bytes JMP 000007f8e6a10350 .text C:\windows\System32\WinLogon.exe[3708] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 000007f866843641 5 bytes JMP 000007f8e6a10290 .text C:\windows\System32\WinLogon.exe[3708] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000007f8668436d1 5 bytes JMP 000007f8e6a102b0 .text C:\windows\System32\WinLogon.exe[3708] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000007f8668436f1 5 bytes JMP 000007f8e6a103d0 .text C:\windows\System32\WinLogon.exe[3708] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer 000007f866843701 5 bytes JMP 000007f8e6a10330 .text C:\windows\System32\WinLogon.exe[3708] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000007f8668437a1 5 bytes JMP 000007f8e6a10410 .text C:\windows\System32\WinLogon.exe[3708] C:\windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000007f8668437d1 5 bytes JMP 000007f8e6a10240 .text C:\windows\System32\WinLogon.exe[3708] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 000007f866843ae1 5 bytes JMP 000007f8e6a101e0 .text C:\windows\System32\WinLogon.exe[3708] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000007f866843ba1 5 bytes JMP 000007f8e6a10250 .text C:\windows\System32\WinLogon.exe[3708] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000007f866843bd1 5 bytes JMP 000007f8e6a10490 .text C:\windows\System32\WinLogon.exe[3708] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000007f866843be1 5 bytes JMP 000007f8e6a104a0 .text C:\windows\System32\WinLogon.exe[3708] C:\windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000007f866843c11 5 bytes JMP 000007f8e6a10300 .text C:\windows\System32\WinLogon.exe[3708] C:\windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000007f866843c21 5 bytes JMP 000007f8e6a10360 .text C:\windows\System32\WinLogon.exe[3708] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 000007f866843c81 5 bytes JMP 000007f8e6a102a0 .text C:\windows\System32\WinLogon.exe[3708] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000007f866843cd1 5 bytes JMP 000007f8e6a102c0 .text C:\windows\System32\WinLogon.exe[3708] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread 000007f866843d01 5 bytes JMP 000007f8e6a10380 .text C:\windows\System32\WinLogon.exe[3708] C:\windows\SYSTEM32\ntdll.dll!NtOpenTimer 000007f866843d11 5 bytes JMP 000007f8e6a10340 .text C:\windows\System32\WinLogon.exe[3708] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000007f866844021 5 bytes JMP 000007f8e6a10440 .text C:\windows\System32\WinLogon.exe[3708] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000007f866844221 5 bytes JMP 000007f8e6a10260 .text C:\windows\System32\WinLogon.exe[3708] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000007f866844231 5 bytes JMP 000007f8e6a10270 .text C:\windows\System32\WinLogon.exe[3708] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 000007f866844251 5 bytes JMP 000007f866a019f4 .text C:\windows\System32\WinLogon.exe[3708] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000007f866844431 5 bytes JMP 000007f8e6a101f0 .text C:\windows\System32\WinLogon.exe[3708] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000007f866844441 5 bytes JMP 000007f8e6a10210 .text C:\windows\System32\WinLogon.exe[3708] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000007f8668444b1 5 bytes JMP 000007f8e6a10200 .text C:\windows\System32\WinLogon.exe[3708] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000007f866844521 5 bytes JMP 000007f8e6a10420 .text C:\windows\System32\WinLogon.exe[3708] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread 000007f866844531 5 bytes JMP 000007f8e6a10430 .text C:\windows\System32\WinLogon.exe[3708] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000007f866844541 5 bytes JMP 000007f8e6a10220 .text C:\windows\System32\WinLogon.exe[3708] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl 000007f866844651 5 bytes JMP 000007f8e6a10280 .text C:\windows\System32\WinLogon.exe[3708] C:\windows\SYSTEM32\ntdll.dll!LdrUnloadDll 000007f866854a10 5 bytes JMP 000007f866a0075c .text C:\windows\System32\WinLogon.exe[3708] C:\windows\SYSTEM32\ntdll.dll!LdrLoadDll 000007f8668731c4 5 bytes JMP 000007f866a003a4 .text C:\windows\System32\WinLogon.exe[3708] C:\windows\system32\USER32.dll!UnhookWindowsHookEx 000007f865b42120 5 bytes JMP 000007f8e5c91284 .text C:\windows\System32\WinLogon.exe[3708] C:\windows\system32\USER32.dll!SetWindowsHookExW 000007f865b4bee0 5 bytes JMP 000007f8e5c90ecc .text C:\windows\System32\WinLogon.exe[3708] C:\windows\system32\USER32.dll!UnhookWinEvent 000007f865b4e030 5 bytes JMP 000007f8e5c9075c .text C:\windows\System32\WinLogon.exe[3708] C:\windows\system32\USER32.dll!SetWinEventHook 000007f865b52f70 5 bytes JMP 000007f8e5c903a4 .text C:\windows\System32\WinLogon.exe[3708] C:\windows\system32\USER32.dll!SetWindowsHookExA 000007f865b71850 5 bytes JMP 000007f8e5c90b14 .text C:\windows\System32\WinLogon.exe[3708] C:\windows\SYSTEM32\sechost.dll!DeleteService 000007f865407510 5 bytes JMP 000007f8e5450b14 .text C:\windows\System32\WinLogon.exe[3708] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007f865407550 5 bytes JMP 000007f8e54519f4 .text C:\windows\System32\WinLogon.exe[3708] C:\windows\SYSTEM32\sechost.dll!CreateServiceW 000007f8654075d0 5 bytes JMP 000007f8e545075c .text C:\windows\System32\WinLogon.exe[3708] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007f865407b20 5 bytes JMP 000007f8e5451284 .text C:\windows\System32\WinLogon.exe[3708] C:\windows\SYSTEM32\sechost.dll!CreateServiceA 000007f86542b034 5 bytes JMP 000007f8e54503a4 .text C:\windows\System32\WinLogon.exe[3708] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007f86542b2e4 5 bytes JMP 000007f8e545163c .text C:\windows\System32\WinLogon.exe[3708] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007f86542b470 5 bytes JMP 000007f8e5450ecc .text C:\windows\System32\WinLogon.exe[3708] C:\windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007f86542b6d4 5 bytes JMP 000007f8e5451dac .text C:\windows\System32\dwm.exe[4488] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000007f866842c90 5 bytes JMP 000007f8e6a10460 .text C:\windows\System32\dwm.exe[4488] C:\windows\SYSTEM32\ntdll.dll!NtQueryObject 000007f866842ce0 5 bytes JMP 000007f8e6a10450 .text C:\windows\System32\dwm.exe[4488] C:\windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 000007f866842d60 5 bytes JMP 000007f866a00b14 .text C:\windows\System32\dwm.exe[4488] C:\windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 000007f866842dc0 5 bytes JMP 000007f866a00ecc .text C:\windows\System32\dwm.exe[4488] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess 000007f866842e40 5 bytes JMP 000007f8e6a10370 .text C:\windows\System32\dwm.exe[4488] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000007f866842e90 5 bytes JMP 000007f8e6a10470 .text C:\windows\System32\dwm.exe[4488] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000007f866842ea0 5 bytes JMP 000007f866a0163c .text C:\windows\System32\dwm.exe[4488] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 000007f866842f50 5 bytes JMP 000007f8e6a10320 .text C:\windows\System32\dwm.exe[4488] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000007f866842f80 5 bytes JMP 000007f8e6a103b0 .text C:\windows\System32\dwm.exe[4488] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000007f866842fa0 5 bytes JMP 000007f8e6a10390 .text C:\windows\System32\dwm.exe[4488] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 000007f866842fe0 5 bytes JMP 000007f8e6a102e0 .text C:\windows\System32\dwm.exe[4488] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 000007f866843060 5 bytes JMP 000007f8e6a102d0 .text C:\windows\System32\dwm.exe[4488] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 000007f866843080 1 byte JMP 000007f8e6a10310 .text C:\windows\System32\dwm.exe[4488] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection + 2 000007f866843082 3 bytes {JMP 0xffffffff801cd290} .text C:\windows\System32\dwm.exe[4488] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 000007f8668430c0 5 bytes JMP 000007f8e6a103c0 .text C:\windows\System32\dwm.exe[4488] C:\windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 000007f8668430e0 5 bytes JMP 000007f866a01284 .text C:\windows\System32\dwm.exe[4488] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 000007f866843110 5 bytes JMP 000007f8e6a103f0 .text C:\windows\System32\dwm.exe[4488] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000007f866843281 5 bytes JMP 000007f8e6a10230 .text C:\windows\System32\dwm.exe[4488] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000007f866843471 5 bytes JMP 000007f8e6a10480 .text C:\windows\System32\dwm.exe[4488] C:\windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000007f8668434a1 5 bytes JMP 000007f8e6a103a0 .text C:\windows\System32\dwm.exe[4488] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000007f8668435b1 5 bytes JMP 000007f8e6a102f0 .text C:\windows\System32\dwm.exe[4488] C:\windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000007f8668435d1 5 bytes JMP 000007f8e6a10350 .text C:\windows\System32\dwm.exe[4488] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 000007f866843641 5 bytes JMP 000007f8e6a10290 .text C:\windows\System32\dwm.exe[4488] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000007f8668436d1 5 bytes JMP 000007f8e6a102b0 .text C:\windows\System32\dwm.exe[4488] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000007f8668436f1 5 bytes JMP 000007f8e6a103d0 .text C:\windows\System32\dwm.exe[4488] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer 000007f866843701 5 bytes JMP 000007f8e6a10330 .text C:\windows\System32\dwm.exe[4488] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000007f8668437a1 5 bytes JMP 000007f8e6a10410 .text C:\windows\System32\dwm.exe[4488] C:\windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000007f8668437d1 5 bytes JMP 000007f8e6a10240 .text C:\windows\System32\dwm.exe[4488] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 000007f866843ae1 5 bytes JMP 000007f8e6a101e0 .text C:\windows\System32\dwm.exe[4488] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000007f866843ba1 5 bytes JMP 000007f8e6a10250 .text C:\windows\System32\dwm.exe[4488] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000007f866843bd1 5 bytes JMP 000007f8e6a10490 .text C:\windows\System32\dwm.exe[4488] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000007f866843be1 5 bytes JMP 000007f8e6a104a0 .text C:\windows\System32\dwm.exe[4488] C:\windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000007f866843c11 5 bytes JMP 000007f8e6a10300 .text C:\windows\System32\dwm.exe[4488] C:\windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000007f866843c21 5 bytes JMP 000007f8e6a10360 .text C:\windows\System32\dwm.exe[4488] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 000007f866843c81 5 bytes JMP 000007f8e6a102a0 .text C:\windows\System32\dwm.exe[4488] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000007f866843cd1 5 bytes JMP 000007f8e6a102c0 .text C:\windows\System32\dwm.exe[4488] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread 000007f866843d01 5 bytes JMP 000007f8e6a10380 .text C:\windows\System32\dwm.exe[4488] C:\windows\SYSTEM32\ntdll.dll!NtOpenTimer 000007f866843d11 5 bytes JMP 000007f8e6a10340 .text C:\windows\System32\dwm.exe[4488] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000007f866844021 5 bytes JMP 000007f8e6a10440 .text C:\windows\System32\dwm.exe[4488] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000007f866844221 5 bytes JMP 000007f8e6a10260 .text C:\windows\System32\dwm.exe[4488] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000007f866844231 5 bytes JMP 000007f8e6a10270 .text C:\windows\System32\dwm.exe[4488] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 000007f866844251 5 bytes JMP 000007f866a019f4 .text C:\windows\System32\dwm.exe[4488] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000007f866844431 5 bytes JMP 000007f8e6a101f0 .text C:\windows\System32\dwm.exe[4488] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000007f866844441 5 bytes JMP 000007f8e6a10210 .text C:\windows\System32\dwm.exe[4488] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000007f8668444b1 5 bytes JMP 000007f8e6a10200 .text C:\windows\System32\dwm.exe[4488] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000007f866844521 5 bytes JMP 000007f8e6a10420 .text C:\windows\System32\dwm.exe[4488] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread 000007f866844531 5 bytes JMP 000007f8e6a10430 .text C:\windows\System32\dwm.exe[4488] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000007f866844541 5 bytes JMP 000007f8e6a10220 .text C:\windows\System32\dwm.exe[4488] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl 000007f866844651 5 bytes JMP 000007f8e6a10280 .text C:\windows\System32\dwm.exe[4488] C:\windows\SYSTEM32\ntdll.dll!LdrUnloadDll 000007f866854a10 5 bytes JMP 000007f866a0075c .text C:\windows\System32\dwm.exe[4488] C:\windows\SYSTEM32\ntdll.dll!LdrLoadDll 000007f8668731c4 5 bytes JMP 000007f866a003a4 .text C:\windows\System32\dwm.exe[4488] C:\windows\system32\KERNEL32.dll!GetBinaryTypeW + 163 000007f86648f7eb 1 byte [62] .text C:\windows\System32\dwm.exe[4488] C:\windows\system32\USER32.dll!UnhookWindowsHookEx 000007f865b42120 5 bytes JMP 000007f8e5c91284 .text C:\windows\System32\dwm.exe[4488] C:\windows\system32\USER32.dll!SetWindowsHookExW 000007f865b4bee0 5 bytes JMP 000007f8e5c90ecc .text C:\windows\System32\dwm.exe[4488] C:\windows\system32\USER32.dll!UnhookWinEvent 000007f865b4e030 5 bytes JMP 000007f8e5c9075c .text C:\windows\System32\dwm.exe[4488] C:\windows\system32\USER32.dll!SetWinEventHook 000007f865b52f70 5 bytes JMP 000007f8e5c903a4 .text C:\windows\System32\dwm.exe[4488] C:\windows\system32\USER32.dll!SetWindowsHookExA 000007f865b71850 5 bytes JMP 000007f8e5c90b14 .text C:\windows\System32\dwm.exe[4488] C:\windows\SYSTEM32\sechost.dll!DeleteService 000007f865407510 5 bytes JMP 000007f8e5450b14 .text C:\windows\System32\dwm.exe[4488] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007f865407550 5 bytes JMP 000007f8e54519f4 .text C:\windows\System32\dwm.exe[4488] C:\windows\SYSTEM32\sechost.dll!CreateServiceW 000007f8654075d0 5 bytes JMP 000007f8e545075c .text C:\windows\System32\dwm.exe[4488] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007f865407b20 5 bytes JMP 000007f8e5451284 .text C:\windows\System32\dwm.exe[4488] C:\windows\SYSTEM32\sechost.dll!CreateServiceA 000007f86542b034 5 bytes JMP 000007f8e54503a4 .text C:\windows\System32\dwm.exe[4488] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007f86542b2e4 5 bytes JMP 000007f8e545163c .text C:\windows\System32\dwm.exe[4488] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007f86542b470 5 bytes JMP 000007f8e5450ecc .text C:\windows\System32\dwm.exe[4488] C:\windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007f86542b6d4 5 bytes JMP 000007f8e5451dac .text C:\windows\system32\conhost.exe[4424] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000007f866842c90 5 bytes JMP 000007f8e6a10460 .text C:\windows\system32\conhost.exe[4424] C:\windows\SYSTEM32\ntdll.dll!NtQueryObject 000007f866842ce0 5 bytes JMP 000007f8e6a10450 .text C:\windows\system32\conhost.exe[4424] C:\windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 000007f866842d60 5 bytes JMP 000007f866a00b14 .text C:\windows\system32\conhost.exe[4424] C:\windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 000007f866842dc0 5 bytes JMP 000007f866a00ecc .text C:\windows\system32\conhost.exe[4424] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess 000007f866842e40 5 bytes JMP 000007f8e6a10370 .text C:\windows\system32\conhost.exe[4424] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000007f866842e90 5 bytes JMP 000007f8e6a10470 .text C:\windows\system32\conhost.exe[4424] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000007f866842ea0 5 bytes JMP 000007f866a0163c .text C:\windows\system32\conhost.exe[4424] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 000007f866842f50 5 bytes JMP 000007f8e6a10320 .text C:\windows\system32\conhost.exe[4424] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000007f866842f80 5 bytes JMP 000007f8e6a103b0 .text C:\windows\system32\conhost.exe[4424] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000007f866842fa0 5 bytes JMP 000007f8e6a10390 .text C:\windows\system32\conhost.exe[4424] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 000007f866842fe0 5 bytes JMP 000007f8e6a102e0 .text C:\windows\system32\conhost.exe[4424] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 000007f866843060 5 bytes JMP 000007f8e6a102d0 .text C:\windows\system32\conhost.exe[4424] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 000007f866843080 1 byte JMP 000007f8e6a10310 .text C:\windows\system32\conhost.exe[4424] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection + 2 000007f866843082 3 bytes {JMP 0xffffffff801cd290} .text C:\windows\system32\conhost.exe[4424] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 000007f8668430c0 5 bytes JMP 000007f8e6a103c0 .text C:\windows\system32\conhost.exe[4424] C:\windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 000007f8668430e0 5 bytes JMP 000007f866a01284 .text C:\windows\system32\conhost.exe[4424] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 000007f866843110 5 bytes JMP 000007f8e6a103f0 .text C:\windows\system32\conhost.exe[4424] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000007f866843281 5 bytes JMP 000007f8e6a10230 .text C:\windows\system32\conhost.exe[4424] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000007f866843471 5 bytes JMP 000007f8e6a10480 .text C:\windows\system32\conhost.exe[4424] C:\windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000007f8668434a1 5 bytes JMP 000007f8e6a103a0 .text C:\windows\system32\conhost.exe[4424] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000007f8668435b1 5 bytes JMP 000007f8e6a102f0 .text C:\windows\system32\conhost.exe[4424] C:\windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000007f8668435d1 5 bytes JMP 000007f8e6a10350 .text C:\windows\system32\conhost.exe[4424] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 000007f866843641 5 bytes JMP 000007f8e6a10290 .text C:\windows\system32\conhost.exe[4424] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000007f8668436d1 5 bytes JMP 000007f8e6a102b0 .text C:\windows\system32\conhost.exe[4424] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000007f8668436f1 5 bytes JMP 000007f8e6a103d0 .text C:\windows\system32\conhost.exe[4424] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer 000007f866843701 5 bytes JMP 000007f8e6a10330 .text C:\windows\system32\conhost.exe[4424] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000007f8668437a1 5 bytes JMP 000007f8e6a10410 .text C:\windows\system32\conhost.exe[4424] C:\windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000007f8668437d1 5 bytes JMP 000007f8e6a10240 .text C:\windows\system32\conhost.exe[4424] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 000007f866843ae1 5 bytes JMP 000007f8e6a101e0 .text C:\windows\system32\conhost.exe[4424] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000007f866843ba1 5 bytes JMP 000007f8e6a10250 .text C:\windows\system32\conhost.exe[4424] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000007f866843bd1 5 bytes JMP 000007f8e6a10490 .text C:\windows\system32\conhost.exe[4424] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000007f866843be1 5 bytes JMP 000007f8e6a104a0 .text C:\windows\system32\conhost.exe[4424] C:\windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000007f866843c11 5 bytes JMP 000007f8e6a10300 .text C:\windows\system32\conhost.exe[4424] C:\windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000007f866843c21 5 bytes JMP 000007f8e6a10360 .text C:\windows\system32\conhost.exe[4424] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 000007f866843c81 5 bytes JMP 000007f8e6a102a0 .text C:\windows\system32\conhost.exe[4424] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000007f866843cd1 5 bytes JMP 000007f8e6a102c0 .text C:\windows\system32\conhost.exe[4424] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread 000007f866843d01 5 bytes JMP 000007f8e6a10380 .text C:\windows\system32\conhost.exe[4424] C:\windows\SYSTEM32\ntdll.dll!NtOpenTimer 000007f866843d11 5 bytes JMP 000007f8e6a10340 .text C:\windows\system32\conhost.exe[4424] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000007f866844021 5 bytes JMP 000007f8e6a10440 .text C:\windows\system32\conhost.exe[4424] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000007f866844221 5 bytes JMP 000007f8e6a10260 .text C:\windows\system32\conhost.exe[4424] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000007f866844231 5 bytes JMP 000007f8e6a10270 .text C:\windows\system32\conhost.exe[4424] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 000007f866844251 5 bytes JMP 000007f866a019f4 .text C:\windows\system32\conhost.exe[4424] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000007f866844431 5 bytes JMP 000007f8e6a101f0 .text C:\windows\system32\conhost.exe[4424] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000007f866844441 5 bytes JMP 000007f8e6a10210 .text C:\windows\system32\conhost.exe[4424] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000007f8668444b1 5 bytes JMP 000007f8e6a10200 .text C:\windows\system32\conhost.exe[4424] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000007f866844521 5 bytes JMP 000007f8e6a10420 .text C:\windows\system32\conhost.exe[4424] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread 000007f866844531 5 bytes JMP 000007f8e6a10430 .text C:\windows\system32\conhost.exe[4424] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000007f866844541 5 bytes JMP 000007f8e6a10220 .text C:\windows\system32\conhost.exe[4424] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl 000007f866844651 5 bytes JMP 000007f8e6a10280 .text C:\windows\system32\conhost.exe[4424] C:\windows\SYSTEM32\ntdll.dll!LdrUnloadDll 000007f866854a10 5 bytes JMP 000007f866a0075c .text C:\windows\system32\conhost.exe[4424] C:\windows\SYSTEM32\ntdll.dll!LdrLoadDll 000007f8668731c4 5 bytes JMP 000007f866a003a4 .text C:\windows\system32\conhost.exe[4424] C:\windows\system32\KERNEL32.dll!GetBinaryTypeW + 163 000007f86648f7eb 1 byte [62] .text C:\windows\system32\conhost.exe[4424] C:\windows\system32\USER32.dll!UnhookWindowsHookEx 000007f865b42120 5 bytes JMP 000007f8e5c91284 .text C:\windows\system32\conhost.exe[4424] C:\windows\system32\USER32.dll!SetWindowsHookExW 000007f865b4bee0 5 bytes JMP 000007f8e5c90ecc .text C:\windows\system32\conhost.exe[4424] C:\windows\system32\USER32.dll!UnhookWinEvent 000007f865b4e030 5 bytes JMP 000007f8e5c9075c .text C:\windows\system32\conhost.exe[4424] C:\windows\system32\USER32.dll!SetWinEventHook 000007f865b52f70 5 bytes JMP 000007f8e5c903a4 .text C:\windows\system32\conhost.exe[4424] C:\windows\system32\USER32.dll!SetWindowsHookExA 000007f865b71850 5 bytes JMP 000007f8e5c90b14 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[4540] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000007f866842c90 5 bytes JMP 000007f8e6a10460 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[4540] C:\windows\SYSTEM32\ntdll.dll!NtQueryObject 000007f866842ce0 5 bytes JMP 000007f8e6a10450 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[4540] C:\windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 000007f866842d60 5 bytes JMP 000007f866a00b14 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[4540] C:\windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 000007f866842dc0 5 bytes JMP 000007f866a00ecc .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[4540] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess 000007f866842e40 5 bytes JMP 000007f8e6a10370 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[4540] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000007f866842e90 5 bytes JMP 000007f8e6a10470 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[4540] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000007f866842ea0 5 bytes JMP 000007f866a0163c .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[4540] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 000007f866842f50 5 bytes JMP 000007f8e6a10320 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[4540] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000007f866842f80 5 bytes JMP 000007f8e6a103b0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[4540] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000007f866842fa0 5 bytes JMP 000007f8e6a10390 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[4540] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 000007f866842fe0 5 bytes JMP 000007f8e6a102e0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[4540] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 000007f866843060 5 bytes JMP 000007f8e6a102d0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[4540] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 000007f866843080 1 byte JMP 000007f8e6a10310 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[4540] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection + 2 000007f866843082 3 bytes {JMP 0xffffffff801cd290} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[4540] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 000007f8668430c0 5 bytes JMP 000007f8e6a103c0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[4540] C:\windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 000007f8668430e0 5 bytes JMP 000007f866a01284 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[4540] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 000007f866843110 5 bytes JMP 000007f8e6a103f0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[4540] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000007f866843281 5 bytes JMP 000007f8e6a10230 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[4540] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000007f866843471 5 bytes JMP 000007f8e6a10480 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[4540] C:\windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000007f8668434a1 5 bytes JMP 000007f8e6a103a0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[4540] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000007f8668435b1 5 bytes JMP 000007f8e6a102f0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[4540] C:\windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000007f8668435d1 5 bytes JMP 000007f8e6a10350 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[4540] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 000007f866843641 5 bytes JMP 000007f8e6a10290 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[4540] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000007f8668436d1 5 bytes JMP 000007f8e6a102b0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[4540] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000007f8668436f1 5 bytes JMP 000007f8e6a103d0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[4540] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer 000007f866843701 5 bytes JMP 000007f8e6a10330 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[4540] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000007f8668437a1 5 bytes JMP 000007f8e6a10410 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[4540] C:\windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000007f8668437d1 5 bytes JMP 000007f8e6a10240 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[4540] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 000007f866843ae1 5 bytes JMP 000007f8e6a101e0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[4540] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000007f866843ba1 5 bytes JMP 000007f8e6a10250 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[4540] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000007f866843bd1 5 bytes JMP 000007f8e6a10490 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[4540] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000007f866843be1 5 bytes JMP 000007f8e6a104a0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[4540] C:\windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000007f866843c11 5 bytes JMP 000007f8e6a10300 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[4540] C:\windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000007f866843c21 5 bytes JMP 000007f8e6a10360 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[4540] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 000007f866843c81 5 bytes JMP 000007f8e6a102a0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[4540] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000007f866843cd1 5 bytes JMP 000007f8e6a102c0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[4540] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread 000007f866843d01 5 bytes JMP 000007f8e6a10380 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[4540] C:\windows\SYSTEM32\ntdll.dll!NtOpenTimer 000007f866843d11 5 bytes JMP 000007f8e6a10340 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[4540] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000007f866844021 5 bytes JMP 000007f8e6a10440 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[4540] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000007f866844221 5 bytes JMP 000007f8e6a10260 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[4540] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000007f866844231 5 bytes JMP 000007f8e6a10270 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[4540] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 000007f866844251 5 bytes JMP 000007f866a019f4 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[4540] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000007f866844431 5 bytes JMP 000007f8e6a101f0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[4540] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000007f866844441 5 bytes JMP 000007f8e6a10210 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[4540] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000007f8668444b1 5 bytes JMP 000007f8e6a10200 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[4540] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000007f866844521 5 bytes JMP 000007f8e6a10420 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[4540] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread 000007f866844531 5 bytes JMP 000007f8e6a10430 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[4540] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000007f866844541 5 bytes JMP 000007f8e6a10220 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[4540] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl 000007f866844651 5 bytes JMP 000007f8e6a10280 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[4540] C:\windows\SYSTEM32\ntdll.dll!LdrUnloadDll 000007f866854a10 5 bytes JMP 000007f866a0075c .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[4540] C:\windows\SYSTEM32\ntdll.dll!LdrLoadDll 000007f8668731c4 5 bytes JMP 000007f866a003a4 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[4540] C:\windows\system32\USER32.dll!UnhookWindowsHookEx 000007f865b42120 5 bytes JMP 000007f8e5c91284 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[4540] C:\windows\system32\USER32.dll!SetWindowsHookExW 000007f865b4bee0 5 bytes JMP 000007f8e5c90ecc .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[4540] C:\windows\system32\USER32.dll!UnhookWinEvent 000007f865b4e030 5 bytes JMP 000007f8e5c9075c .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[4540] C:\windows\system32\USER32.dll!SetWinEventHook 000007f865b52f70 5 bytes JMP 000007f8e5c903a4 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[4540] C:\windows\system32\USER32.dll!SetWindowsHookExA 000007f865b71850 5 bytes JMP 000007f8e5c90b14 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[4540] C:\windows\SYSTEM32\sechost.dll!DeleteService 000007f865407510 5 bytes JMP 000007f8e5450b14 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[4540] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007f865407550 5 bytes JMP 000007f8e54519f4 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[4540] C:\windows\SYSTEM32\sechost.dll!CreateServiceW 000007f8654075d0 5 bytes JMP 000007f8e545075c .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[4540] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007f865407b20 5 bytes JMP 000007f8e5451284 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[4540] C:\windows\SYSTEM32\sechost.dll!CreateServiceA 000007f86542b034 5 bytes JMP 000007f8e54503a4 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[4540] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007f86542b2e4 5 bytes JMP 000007f8e545163c .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[4540] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007f86542b470 5 bytes JMP 000007f8e5450ecc .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[4540] C:\windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007f86542b6d4 5 bytes JMP 000007f8e5451dac .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[4540] C:\windows\SYSTEM32\MSIMG32.dll!GradientFill + 690 000007f8601b1532 4 bytes [1B, 60, F8, 07] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[4540] C:\windows\SYSTEM32\MSIMG32.dll!GradientFill + 698 000007f8601b153a 4 bytes [1B, 60, F8, 07] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[4540] C:\windows\SYSTEM32\MSIMG32.dll!TransparentBlt + 246 000007f8601b165a 4 bytes [1B, 60, F8, 07] .text C:\windows\system32\nvvsvc.exe[3308] C:\windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 000007f866842d60 5 bytes JMP 000007f8e6a10b14 .text C:\windows\system32\nvvsvc.exe[3308] C:\windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 000007f866842dc0 5 bytes JMP 000007f8e6a10ecc .text C:\windows\system32\nvvsvc.exe[3308] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000007f866842ea0 5 bytes JMP 000007f8e6a1163c .text C:\windows\system32\nvvsvc.exe[3308] C:\windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 000007f8668430e0 5 bytes JMP 000007f8e6a11284 .text C:\windows\system32\nvvsvc.exe[3308] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 000007f866844251 5 bytes JMP 000007f8e6a119f4 .text C:\windows\system32\nvvsvc.exe[3308] C:\windows\SYSTEM32\ntdll.dll!LdrUnloadDll 000007f866854a10 5 bytes JMP 000007f8e6a1075c .text C:\windows\system32\nvvsvc.exe[3308] C:\windows\SYSTEM32\ntdll.dll!LdrLoadDll 000007f8668731c4 5 bytes JMP 000007f8e6a103a4 .text C:\windows\system32\nvvsvc.exe[3308] C:\windows\system32\USER32.dll!UnhookWindowsHookEx 000007f865b42120 5 bytes JMP 000007f8e5c91284 .text C:\windows\system32\nvvsvc.exe[3308] C:\windows\system32\USER32.dll!SetWindowsHookExW 000007f865b4bee0 5 bytes JMP 000007f8e5c90ecc .text C:\windows\system32\nvvsvc.exe[3308] C:\windows\system32\USER32.dll!UnhookWinEvent 000007f865b4e030 5 bytes JMP 000007f8e5c9075c .text C:\windows\system32\nvvsvc.exe[3308] C:\windows\system32\USER32.dll!SetWinEventHook 000007f865b52f70 5 bytes JMP 000007f8e5c903a4 .text C:\windows\system32\nvvsvc.exe[3308] C:\windows\system32\USER32.dll!SetWindowsHookExA 000007f865b71850 5 bytes JMP 000007f8e5c90b14 .text C:\windows\system32\nvvsvc.exe[3308] C:\windows\SYSTEM32\sechost.dll!DeleteService 000007f865407510 5 bytes JMP 000007f8e5450b14 .text C:\windows\system32\nvvsvc.exe[3308] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007f865407550 5 bytes JMP 000007f8e54519f4 .text C:\windows\system32\nvvsvc.exe[3308] C:\windows\SYSTEM32\sechost.dll!CreateServiceW 000007f8654075d0 5 bytes JMP 000007f8e545075c .text C:\windows\system32\nvvsvc.exe[3308] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007f865407b20 5 bytes JMP 000007f8e5451284 .text C:\windows\system32\nvvsvc.exe[3308] C:\windows\SYSTEM32\sechost.dll!CreateServiceA 000007f86542b034 5 bytes JMP 000007f8e54503a4 .text C:\windows\system32\nvvsvc.exe[3308] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007f86542b2e4 5 bytes JMP 000007f8e545163c .text C:\windows\system32\nvvsvc.exe[3308] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007f86542b470 5 bytes JMP 000007f8e5450ecc .text C:\windows\system32\nvvsvc.exe[3308] C:\windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007f86542b6d4 5 bytes JMP 000007f8e5451dac .text C:\windows\system32\nvvsvc.exe[3308] C:\windows\system32\MSIMG32.dll!GradientFill + 690 000007f8601b1532 4 bytes [1B, 60, F8, 07] .text C:\windows\system32\nvvsvc.exe[3308] C:\windows\system32\MSIMG32.dll!GradientFill + 698 000007f8601b153a 4 bytes [1B, 60, F8, 07] .text C:\windows\system32\nvvsvc.exe[3308] C:\windows\system32\MSIMG32.dll!TransparentBlt + 246 000007f8601b165a 4 bytes [1B, 60, F8, 07] .text C:\windows\system32\nvvsvc.exe[3308] C:\windows\system32\PSAPI.DLL!GetProcessImageFileNameA + 306 000007f86553177a 4 bytes [53, 65, F8, 07] .text C:\windows\system32\nvvsvc.exe[3308] C:\windows\system32\PSAPI.DLL!GetProcessImageFileNameA + 314 000007f865531782 4 bytes [53, 65, F8, 07] .text C:\windows\system32\taskhostex.exe[2704] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000007f866842c90 5 bytes JMP 000007f8e6a10460 .text C:\windows\system32\taskhostex.exe[2704] C:\windows\SYSTEM32\ntdll.dll!NtQueryObject 000007f866842ce0 5 bytes JMP 000007f8e6a10450 .text C:\windows\system32\taskhostex.exe[2704] C:\windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 000007f866842d60 5 bytes JMP 000007f866a00b14 .text C:\windows\system32\taskhostex.exe[2704] C:\windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 000007f866842dc0 5 bytes JMP 000007f866a00ecc .text C:\windows\system32\taskhostex.exe[2704] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess 000007f866842e40 5 bytes JMP 000007f8e6a10370 .text C:\windows\system32\taskhostex.exe[2704] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000007f866842e90 5 bytes JMP 000007f8e6a10470 .text C:\windows\system32\taskhostex.exe[2704] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000007f866842ea0 5 bytes JMP 000007f866a0163c .text C:\windows\system32\taskhostex.exe[2704] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 000007f866842f50 5 bytes JMP 000007f8e6a10320 .text C:\windows\system32\taskhostex.exe[2704] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000007f866842f80 5 bytes JMP 000007f8e6a103b0 .text C:\windows\system32\taskhostex.exe[2704] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000007f866842fa0 5 bytes JMP 000007f8e6a10390 .text C:\windows\system32\taskhostex.exe[2704] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 000007f866842fe0 5 bytes JMP 000007f8e6a102e0 .text C:\windows\system32\taskhostex.exe[2704] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 000007f866843060 5 bytes JMP 000007f8e6a102d0 .text C:\windows\system32\taskhostex.exe[2704] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 000007f866843080 1 byte JMP 000007f8e6a10310 .text C:\windows\system32\taskhostex.exe[2704] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection + 2 000007f866843082 3 bytes {JMP 0xffffffff801cd290} .text C:\windows\system32\taskhostex.exe[2704] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 000007f8668430c0 5 bytes JMP 000007f8e6a103c0 .text C:\windows\system32\taskhostex.exe[2704] C:\windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 000007f8668430e0 5 bytes JMP 000007f866a01284 .text C:\windows\system32\taskhostex.exe[2704] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 000007f866843110 5 bytes JMP 000007f8e6a103f0 .text C:\windows\system32\taskhostex.exe[2704] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000007f866843281 5 bytes JMP 000007f8e6a10230 .text C:\windows\system32\taskhostex.exe[2704] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000007f866843471 5 bytes JMP 000007f8e6a10480 .text C:\windows\system32\taskhostex.exe[2704] C:\windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000007f8668434a1 5 bytes JMP 000007f8e6a103a0 .text C:\windows\system32\taskhostex.exe[2704] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000007f8668435b1 5 bytes JMP 000007f8e6a102f0 .text C:\windows\system32\taskhostex.exe[2704] C:\windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000007f8668435d1 5 bytes JMP 000007f8e6a10350 .text C:\windows\system32\taskhostex.exe[2704] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 000007f866843641 5 bytes JMP 000007f8e6a10290 .text C:\windows\system32\taskhostex.exe[2704] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000007f8668436d1 5 bytes JMP 000007f8e6a102b0 .text C:\windows\system32\taskhostex.exe[2704] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000007f8668436f1 5 bytes JMP 000007f8e6a103d0 .text C:\windows\system32\taskhostex.exe[2704] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer 000007f866843701 5 bytes JMP 000007f8e6a10330 .text C:\windows\system32\taskhostex.exe[2704] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000007f8668437a1 5 bytes JMP 000007f8e6a10410 .text C:\windows\system32\taskhostex.exe[2704] C:\windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000007f8668437d1 5 bytes JMP 000007f8e6a10240 .text C:\windows\system32\taskhostex.exe[2704] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 000007f866843ae1 5 bytes JMP 000007f8e6a101e0 .text C:\windows\system32\taskhostex.exe[2704] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000007f866843ba1 5 bytes JMP 000007f8e6a10250 .text C:\windows\system32\taskhostex.exe[2704] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000007f866843bd1 5 bytes JMP 000007f8e6a10490 .text C:\windows\system32\taskhostex.exe[2704] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000007f866843be1 5 bytes JMP 000007f8e6a104a0 .text C:\windows\system32\taskhostex.exe[2704] C:\windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000007f866843c11 5 bytes JMP 000007f8e6a10300 .text C:\windows\system32\taskhostex.exe[2704] C:\windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000007f866843c21 5 bytes JMP 000007f8e6a10360 .text C:\windows\system32\taskhostex.exe[2704] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 000007f866843c81 5 bytes JMP 000007f8e6a102a0 .text C:\windows\system32\taskhostex.exe[2704] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000007f866843cd1 5 bytes JMP 000007f8e6a102c0 .text C:\windows\system32\taskhostex.exe[2704] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread 000007f866843d01 5 bytes JMP 000007f8e6a10380 .text C:\windows\system32\taskhostex.exe[2704] C:\windows\SYSTEM32\ntdll.dll!NtOpenTimer 000007f866843d11 5 bytes JMP 000007f8e6a10340 .text C:\windows\system32\taskhostex.exe[2704] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000007f866844021 5 bytes JMP 000007f8e6a10440 .text C:\windows\system32\taskhostex.exe[2704] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000007f866844221 5 bytes JMP 000007f8e6a10260 .text C:\windows\system32\taskhostex.exe[2704] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000007f866844231 5 bytes JMP 000007f8e6a10270 .text C:\windows\system32\taskhostex.exe[2704] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 000007f866844251 5 bytes JMP 000007f866a019f4 .text C:\windows\system32\taskhostex.exe[2704] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000007f866844431 5 bytes JMP 000007f8e6a101f0 .text C:\windows\system32\taskhostex.exe[2704] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000007f866844441 5 bytes JMP 000007f8e6a10210 .text C:\windows\system32\taskhostex.exe[2704] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000007f8668444b1 5 bytes JMP 000007f8e6a10200 .text C:\windows\system32\taskhostex.exe[2704] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000007f866844521 5 bytes JMP 000007f8e6a10420 .text C:\windows\system32\taskhostex.exe[2704] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread 000007f866844531 5 bytes JMP 000007f8e6a10430 .text C:\windows\system32\taskhostex.exe[2704] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000007f866844541 5 bytes JMP 000007f8e6a10220 .text C:\windows\system32\taskhostex.exe[2704] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl 000007f866844651 5 bytes JMP 000007f8e6a10280 .text C:\windows\system32\taskhostex.exe[2704] C:\windows\SYSTEM32\ntdll.dll!LdrUnloadDll 000007f866854a10 5 bytes JMP 000007f866a0075c .text C:\windows\system32\taskhostex.exe[2704] C:\windows\SYSTEM32\ntdll.dll!LdrLoadDll 000007f8668731c4 5 bytes JMP 000007f866a003a4 .text C:\windows\system32\taskhostex.exe[2704] C:\windows\system32\KERNEL32.dll!GetBinaryTypeW + 163 000007f86648f7eb 1 byte [62] .text C:\windows\system32\taskhostex.exe[2704] C:\windows\SYSTEM32\sechost.dll!DeleteService 000007f865407510 5 bytes JMP 000007f8e5450b14 .text C:\windows\system32\taskhostex.exe[2704] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007f865407550 5 bytes JMP 000007f8e54519f4 .text C:\windows\system32\taskhostex.exe[2704] C:\windows\SYSTEM32\sechost.dll!CreateServiceW 000007f8654075d0 5 bytes JMP 000007f8e545075c .text C:\windows\system32\taskhostex.exe[2704] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007f865407b20 5 bytes JMP 000007f8e5451284 .text C:\windows\system32\taskhostex.exe[2704] C:\windows\SYSTEM32\sechost.dll!CreateServiceA 000007f86542b034 5 bytes JMP 000007f8e54503a4 .text C:\windows\system32\taskhostex.exe[2704] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007f86542b2e4 5 bytes JMP 000007f8e545163c .text C:\windows\system32\taskhostex.exe[2704] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007f86542b470 5 bytes JMP 000007f8e5450ecc .text C:\windows\system32\taskhostex.exe[2704] C:\windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007f86542b6d4 5 bytes JMP 000007f8e5451dac .text C:\windows\system32\taskhostex.exe[2704] C:\windows\SYSTEM32\user32.dll!UnhookWindowsHookEx 000007f865b42120 5 bytes JMP 000007f8e5c91284 .text C:\windows\system32\taskhostex.exe[2704] C:\windows\SYSTEM32\user32.dll!SetWindowsHookExW 000007f865b4bee0 5 bytes JMP 000007f8e5c90ecc .text C:\windows\system32\taskhostex.exe[2704] C:\windows\SYSTEM32\user32.dll!UnhookWinEvent 000007f865b4e030 5 bytes JMP 000007f8e5c9075c .text C:\windows\system32\taskhostex.exe[2704] C:\windows\SYSTEM32\user32.dll!SetWinEventHook 000007f865b52f70 5 bytes JMP 000007f8e5c903a4 .text C:\windows\system32\taskhostex.exe[2704] C:\windows\SYSTEM32\user32.dll!SetWindowsHookExA 000007f865b71850 5 bytes JMP 000007f8e5c90b14 .text C:\windows\Explorer.EXE[1116] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000007f866842c90 5 bytes JMP 000007f8e6a10460 .text C:\windows\Explorer.EXE[1116] C:\windows\SYSTEM32\ntdll.dll!NtQueryObject 000007f866842ce0 5 bytes JMP 000007f8e6a10450 .text C:\windows\Explorer.EXE[1116] C:\windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 000007f866842d60 5 bytes JMP 000007f866a00b14 .text C:\windows\Explorer.EXE[1116] C:\windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 000007f866842dc0 5 bytes JMP 000007f866a00ecc .text C:\windows\Explorer.EXE[1116] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess 000007f866842e40 5 bytes JMP 000007f8e6a10370 .text C:\windows\Explorer.EXE[1116] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000007f866842e90 5 bytes JMP 000007f8e6a10470 .text C:\windows\Explorer.EXE[1116] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000007f866842ea0 5 bytes JMP 000007f866a0163c .text C:\windows\Explorer.EXE[1116] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 000007f866842f50 5 bytes JMP 000007f8e6a10320 .text C:\windows\Explorer.EXE[1116] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000007f866842f80 5 bytes JMP 000007f8e6a103b0 .text C:\windows\Explorer.EXE[1116] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000007f866842fa0 5 bytes JMP 000007f8e6a10390 .text C:\windows\Explorer.EXE[1116] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 000007f866842fe0 5 bytes JMP 000007f8e6a102e0 .text C:\windows\Explorer.EXE[1116] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 000007f866843060 5 bytes JMP 000007f8e6a102d0 .text C:\windows\Explorer.EXE[1116] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 000007f866843080 1 byte JMP 000007f8e6a10310 .text C:\windows\Explorer.EXE[1116] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection + 2 000007f866843082 3 bytes {JMP 0xffffffff801cd290} .text C:\windows\Explorer.EXE[1116] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 000007f8668430c0 5 bytes JMP 000007f8e6a103c0 .text C:\windows\Explorer.EXE[1116] C:\windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 000007f8668430e0 5 bytes JMP 000007f866a01284 .text C:\windows\Explorer.EXE[1116] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 000007f866843110 5 bytes JMP 000007f8e6a103f0 .text C:\windows\Explorer.EXE[1116] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000007f866843281 5 bytes JMP 000007f8e6a10230 .text C:\windows\Explorer.EXE[1116] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000007f866843471 5 bytes JMP 000007f8e6a10480 .text C:\windows\Explorer.EXE[1116] C:\windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000007f8668434a1 5 bytes JMP 000007f8e6a103a0 .text C:\windows\Explorer.EXE[1116] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000007f8668435b1 5 bytes JMP 000007f8e6a102f0 .text C:\windows\Explorer.EXE[1116] C:\windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000007f8668435d1 5 bytes JMP 000007f8e6a10350 .text C:\windows\Explorer.EXE[1116] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 000007f866843641 5 bytes JMP 000007f8e6a10290 .text C:\windows\Explorer.EXE[1116] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000007f8668436d1 5 bytes JMP 000007f8e6a102b0 .text C:\windows\Explorer.EXE[1116] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000007f8668436f1 5 bytes JMP 000007f8e6a103d0 .text C:\windows\Explorer.EXE[1116] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer 000007f866843701 5 bytes JMP 000007f8e6a10330 .text C:\windows\Explorer.EXE[1116] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000007f8668437a1 5 bytes JMP 000007f8e6a10410 .text C:\windows\Explorer.EXE[1116] C:\windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000007f8668437d1 5 bytes JMP 000007f8e6a10240 .text C:\windows\Explorer.EXE[1116] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 000007f866843ae1 5 bytes JMP 000007f8e6a101e0 .text C:\windows\Explorer.EXE[1116] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000007f866843ba1 5 bytes JMP 000007f8e6a10250 .text C:\windows\Explorer.EXE[1116] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000007f866843bd1 5 bytes JMP 000007f8e6a10490 .text C:\windows\Explorer.EXE[1116] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000007f866843be1 5 bytes JMP 000007f8e6a104a0 .text C:\windows\Explorer.EXE[1116] C:\windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000007f866843c11 5 bytes JMP 000007f8e6a10300 .text C:\windows\Explorer.EXE[1116] C:\windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000007f866843c21 5 bytes JMP 000007f8e6a10360 .text C:\windows\Explorer.EXE[1116] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 000007f866843c81 5 bytes JMP 000007f8e6a102a0 .text C:\windows\Explorer.EXE[1116] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000007f866843cd1 5 bytes JMP 000007f8e6a102c0 .text C:\windows\Explorer.EXE[1116] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread 000007f866843d01 5 bytes JMP 000007f8e6a10380 .text C:\windows\Explorer.EXE[1116] C:\windows\SYSTEM32\ntdll.dll!NtOpenTimer 000007f866843d11 5 bytes JMP 000007f8e6a10340 .text C:\windows\Explorer.EXE[1116] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000007f866844021 5 bytes JMP 000007f8e6a10440 .text C:\windows\Explorer.EXE[1116] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000007f866844221 5 bytes JMP 000007f8e6a10260 .text C:\windows\Explorer.EXE[1116] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000007f866844231 5 bytes JMP 000007f8e6a10270 .text C:\windows\Explorer.EXE[1116] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 000007f866844251 5 bytes JMP 000007f866a019f4 .text C:\windows\Explorer.EXE[1116] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000007f866844431 5 bytes JMP 000007f8e6a101f0 .text C:\windows\Explorer.EXE[1116] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000007f866844441 5 bytes JMP 000007f8e6a10210 .text C:\windows\Explorer.EXE[1116] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000007f8668444b1 5 bytes JMP 000007f8e6a10200 .text C:\windows\Explorer.EXE[1116] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000007f866844521 5 bytes JMP 000007f8e6a10420 .text C:\windows\Explorer.EXE[1116] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread 000007f866844531 5 bytes JMP 000007f8e6a10430 .text C:\windows\Explorer.EXE[1116] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000007f866844541 5 bytes JMP 000007f8e6a10220 .text C:\windows\Explorer.EXE[1116] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl 000007f866844651 5 bytes JMP 000007f8e6a10280 .text C:\windows\Explorer.EXE[1116] C:\windows\SYSTEM32\ntdll.dll!LdrUnloadDll 000007f866854a10 5 bytes JMP 000007f866a0075c .text C:\windows\Explorer.EXE[1116] C:\windows\SYSTEM32\ntdll.dll!LdrLoadDll 000007f8668731c4 5 bytes JMP 000007f866a003a4 .text C:\windows\Explorer.EXE[1116] C:\windows\system32\KERNEL32.dll!GetBinaryTypeW + 163 000007f86648f7eb 1 byte [62] .text C:\windows\Explorer.EXE[1116] C:\windows\system32\USER32.dll!UnhookWindowsHookEx 000007f865b42120 5 bytes JMP 000007f8e5c91284 .text C:\windows\Explorer.EXE[1116] C:\windows\system32\USER32.dll!SetWindowsHookExW 000007f865b4bee0 5 bytes JMP 000007f8e5c90ecc .text C:\windows\Explorer.EXE[1116] C:\windows\system32\USER32.dll!UnhookWinEvent 000007f865b4e030 5 bytes JMP 000007f8e5c9075c .text C:\windows\Explorer.EXE[1116] C:\windows\system32\USER32.dll!SetWinEventHook 000007f865b52f70 5 bytes JMP 000007f8e5c903a4 .text C:\windows\Explorer.EXE[1116] C:\windows\system32\USER32.dll!SetWindowsHookExA 000007f865b71850 5 bytes JMP 000007f8e5c90b14 .text C:\windows\Explorer.EXE[1116] C:\windows\SYSTEM32\sechost.dll!DeleteService 000007f865407510 5 bytes JMP 000007f8e5450b14 .text C:\windows\Explorer.EXE[1116] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007f865407550 5 bytes JMP 000007f8e54519f4 .text C:\windows\Explorer.EXE[1116] C:\windows\SYSTEM32\sechost.dll!CreateServiceW 000007f8654075d0 5 bytes JMP 000007f8e545075c .text C:\windows\Explorer.EXE[1116] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007f865407b20 5 bytes JMP 000007f8e5451284 .text C:\windows\Explorer.EXE[1116] C:\windows\SYSTEM32\sechost.dll!CreateServiceA 000007f86542b034 5 bytes JMP 000007f8e54503a4 .text C:\windows\Explorer.EXE[1116] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007f86542b2e4 5 bytes JMP 000007f8e545163c .text C:\windows\Explorer.EXE[1116] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007f86542b470 5 bytes JMP 000007f8e5450ecc .text C:\windows\Explorer.EXE[1116] C:\windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007f86542b6d4 5 bytes JMP 000007f8e5451dac .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3592] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000007f866842c90 5 bytes JMP 000007f8e6a10460 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3592] C:\windows\SYSTEM32\ntdll.dll!NtQueryObject 000007f866842ce0 5 bytes JMP 000007f8e6a10450 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3592] C:\windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 000007f866842d60 5 bytes JMP 000007f866a00b14 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3592] C:\windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 000007f866842dc0 5 bytes JMP 000007f866a00ecc .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3592] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess 000007f866842e40 5 bytes JMP 000007f8e6a10370 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3592] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000007f866842e90 5 bytes JMP 000007f8e6a10470 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3592] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000007f866842ea0 5 bytes JMP 000007f866a0163c .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3592] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 000007f866842f50 5 bytes JMP 000007f8e6a10320 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3592] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000007f866842f80 5 bytes JMP 000007f8e6a103b0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3592] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000007f866842fa0 5 bytes JMP 000007f8e6a10390 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3592] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 000007f866842fe0 5 bytes JMP 000007f8e6a102e0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3592] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 000007f866843060 5 bytes JMP 000007f8e6a102d0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3592] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 000007f866843080 1 byte JMP 000007f8e6a10310 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3592] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection + 2 000007f866843082 3 bytes {JMP 0xffffffff801cd290} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3592] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 000007f8668430c0 5 bytes JMP 000007f8e6a103c0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3592] C:\windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 000007f8668430e0 5 bytes JMP 000007f866a01284 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3592] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 000007f866843110 5 bytes JMP 000007f8e6a103f0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3592] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000007f866843281 5 bytes JMP 000007f8e6a10230 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3592] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000007f866843471 5 bytes JMP 000007f8e6a10480 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3592] C:\windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000007f8668434a1 5 bytes JMP 000007f8e6a103a0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3592] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000007f8668435b1 5 bytes JMP 000007f8e6a102f0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3592] C:\windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000007f8668435d1 5 bytes JMP 000007f8e6a10350 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3592] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 000007f866843641 5 bytes JMP 000007f8e6a10290 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3592] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000007f8668436d1 5 bytes JMP 000007f8e6a102b0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3592] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000007f8668436f1 5 bytes JMP 000007f8e6a103d0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3592] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer 000007f866843701 5 bytes JMP 000007f8e6a10330 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3592] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000007f8668437a1 5 bytes JMP 000007f8e6a10410 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3592] C:\windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000007f8668437d1 5 bytes JMP 000007f8e6a10240 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3592] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 000007f866843ae1 5 bytes JMP 000007f8e6a101e0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3592] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000007f866843ba1 5 bytes JMP 000007f8e6a10250 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3592] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000007f866843bd1 5 bytes JMP 000007f8e6a10490 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3592] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000007f866843be1 5 bytes JMP 000007f8e6a104a0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3592] C:\windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000007f866843c11 5 bytes JMP 000007f8e6a10300 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3592] C:\windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000007f866843c21 5 bytes JMP 000007f8e6a10360 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3592] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 000007f866843c81 5 bytes JMP 000007f8e6a102a0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3592] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000007f866843cd1 5 bytes JMP 000007f8e6a102c0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3592] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread 000007f866843d01 5 bytes JMP 000007f8e6a10380 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3592] C:\windows\SYSTEM32\ntdll.dll!NtOpenTimer 000007f866843d11 5 bytes JMP 000007f8e6a10340 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3592] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000007f866844021 5 bytes JMP 000007f8e6a10440 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3592] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000007f866844221 5 bytes JMP 000007f8e6a10260 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3592] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000007f866844231 5 bytes JMP 000007f8e6a10270 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3592] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 000007f866844251 5 bytes JMP 000007f866a019f4 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3592] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000007f866844431 5 bytes JMP 000007f8e6a101f0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3592] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000007f866844441 5 bytes JMP 000007f8e6a10210 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3592] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000007f8668444b1 5 bytes JMP 000007f8e6a10200 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3592] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000007f866844521 5 bytes JMP 000007f8e6a10420 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3592] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread 000007f866844531 5 bytes JMP 000007f8e6a10430 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3592] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000007f866844541 5 bytes JMP 000007f8e6a10220 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3592] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl 000007f866844651 5 bytes JMP 000007f8e6a10280 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3592] C:\windows\SYSTEM32\ntdll.dll!LdrUnloadDll 000007f866854a10 5 bytes JMP 000007f866a0075c .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3592] C:\windows\SYSTEM32\ntdll.dll!LdrLoadDll 000007f8668731c4 5 bytes JMP 000007f866a003a4 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3592] C:\windows\system32\KERNEL32.dll!GetBinaryTypeW + 163 000007f86648f7eb 1 byte [62] .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3592] C:\windows\system32\USER32.dll!UnhookWindowsHookEx 000007f865b42120 5 bytes JMP 000007f8e5c91284 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3592] C:\windows\system32\USER32.dll!SetWindowsHookExW 000007f865b4bee0 5 bytes JMP 000007f8e5c90ecc .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3592] C:\windows\system32\USER32.dll!UnhookWinEvent 000007f865b4e030 5 bytes JMP 000007f8e5c9075c .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3592] C:\windows\system32\USER32.dll!SetWinEventHook 000007f865b52f70 5 bytes JMP 000007f8e5c903a4 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3592] C:\windows\system32\USER32.dll!SetWindowsHookExA 000007f865b71850 5 bytes JMP 000007f8e5c90b14 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3592] C:\windows\SYSTEM32\MSIMG32.dll!GradientFill + 690 000007f8601b1532 4 bytes [1B, 60, F8, 07] .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3592] C:\windows\SYSTEM32\MSIMG32.dll!GradientFill + 698 000007f8601b153a 4 bytes [1B, 60, F8, 07] .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3592] C:\windows\SYSTEM32\MSIMG32.dll!TransparentBlt + 246 000007f8601b165a 4 bytes [1B, 60, F8, 07] .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3592] C:\windows\SYSTEM32\sechost.dll!DeleteService 000007f865407510 5 bytes JMP 000007f8e5450b14 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3592] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007f865407550 5 bytes JMP 000007f8e54519f4 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3592] C:\windows\SYSTEM32\sechost.dll!CreateServiceW 000007f8654075d0 5 bytes JMP 000007f8e545075c .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3592] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007f865407b20 5 bytes JMP 000007f8e5451284 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3592] C:\windows\SYSTEM32\sechost.dll!CreateServiceA 000007f86542b034 5 bytes JMP 000007f8e54503a4 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3592] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007f86542b2e4 5 bytes JMP 000007f8e545163c .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3592] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007f86542b470 5 bytes JMP 000007f8e5450ecc .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3592] C:\windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007f86542b6d4 5 bytes JMP 000007f8e5451dac .text C:\Windows\System32\hkcmd.exe[1204] C:\windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 000007f866842d60 5 bytes JMP 000007f8e6a10b14 .text C:\Windows\System32\hkcmd.exe[1204] C:\windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 000007f866842dc0 5 bytes JMP 000007f8e6a10ecc .text C:\Windows\System32\hkcmd.exe[1204] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000007f866842ea0 5 bytes JMP 000007f8e6a1163c .text C:\Windows\System32\hkcmd.exe[1204] C:\windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 000007f8668430e0 5 bytes JMP 000007f8e6a11284 .text C:\Windows\System32\hkcmd.exe[1204] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 000007f866844251 5 bytes JMP 000007f8e6a119f4 .text C:\Windows\System32\hkcmd.exe[1204] C:\windows\SYSTEM32\ntdll.dll!LdrUnloadDll 000007f866854a10 5 bytes JMP 000007f8e6a1075c .text C:\Windows\System32\hkcmd.exe[1204] C:\windows\SYSTEM32\ntdll.dll!LdrLoadDll 000007f8668731c4 5 bytes JMP 000007f8e6a103a4 .text C:\Windows\System32\hkcmd.exe[1204] C:\windows\system32\KERNEL32.dll!GetBinaryTypeW + 163 000007f86648f7eb 1 byte [62] .text C:\Windows\System32\hkcmd.exe[1204] C:\windows\system32\USER32.dll!UnhookWindowsHookEx 000007f865b42120 5 bytes JMP 000007f8e5c91284 .text C:\Windows\System32\hkcmd.exe[1204] C:\windows\system32\USER32.dll!SetWindowsHookExW 000007f865b4bee0 5 bytes JMP 000007f8e5c90ecc .text C:\Windows\System32\hkcmd.exe[1204] C:\windows\system32\USER32.dll!UnhookWinEvent 000007f865b4e030 5 bytes JMP 000007f8e5c9075c .text C:\Windows\System32\hkcmd.exe[1204] C:\windows\system32\USER32.dll!SetWinEventHook 000007f865b52f70 5 bytes JMP 000007f8e5c903a4 .text C:\Windows\System32\hkcmd.exe[1204] C:\windows\system32\USER32.dll!SetWindowsHookExA 000007f865b71850 5 bytes JMP 000007f8e5c90b14 .text C:\Windows\System32\hkcmd.exe[1204] C:\windows\SYSTEM32\sechost.dll!DeleteService 000007f865407510 5 bytes JMP 000007f8e5450b14 .text C:\Windows\System32\hkcmd.exe[1204] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007f865407550 5 bytes JMP 000007f8e54519f4 .text C:\Windows\System32\hkcmd.exe[1204] C:\windows\SYSTEM32\sechost.dll!CreateServiceW 000007f8654075d0 5 bytes JMP 000007f8e545075c .text C:\Windows\System32\hkcmd.exe[1204] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007f865407b20 5 bytes JMP 000007f8e5451284 .text C:\Windows\System32\hkcmd.exe[1204] C:\windows\SYSTEM32\sechost.dll!CreateServiceA 000007f86542b034 5 bytes JMP 000007f8e54503a4 .text C:\Windows\System32\hkcmd.exe[1204] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007f86542b2e4 5 bytes JMP 000007f8e545163c .text C:\Windows\System32\hkcmd.exe[1204] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007f86542b470 5 bytes JMP 000007f8e5450ecc .text C:\Windows\System32\hkcmd.exe[1204] C:\windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007f86542b6d4 5 bytes JMP 000007f8e5451dac .text C:\Windows\System32\igfxpers.exe[4836] C:\windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 000007f866842d60 5 bytes JMP 000007f8e6a10b14 .text C:\Windows\System32\igfxpers.exe[4836] C:\windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 000007f866842dc0 5 bytes JMP 000007f8e6a10ecc .text C:\Windows\System32\igfxpers.exe[4836] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000007f866842ea0 5 bytes JMP 000007f8e6a1163c .text C:\Windows\System32\igfxpers.exe[4836] C:\windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 000007f8668430e0 5 bytes JMP 000007f8e6a11284 .text C:\Windows\System32\igfxpers.exe[4836] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 000007f866844251 5 bytes JMP 000007f8e6a119f4 .text C:\Windows\System32\igfxpers.exe[4836] C:\windows\SYSTEM32\ntdll.dll!LdrUnloadDll 000007f866854a10 5 bytes JMP 000007f8e6a1075c .text C:\Windows\System32\igfxpers.exe[4836] C:\windows\SYSTEM32\ntdll.dll!LdrLoadDll 000007f8668731c4 5 bytes JMP 000007f8e6a103a4 .text C:\Windows\System32\igfxpers.exe[4836] C:\windows\system32\KERNEL32.dll!GetBinaryTypeW + 163 000007f86648f7eb 1 byte [62] .text C:\Windows\System32\igfxpers.exe[4836] C:\windows\system32\USER32.dll!UnhookWindowsHookEx 000007f865b42120 5 bytes JMP 000007f8e5c91284 .text C:\Windows\System32\igfxpers.exe[4836] C:\windows\system32\USER32.dll!SetWindowsHookExW 000007f865b4bee0 5 bytes JMP 000007f8e5c90ecc .text C:\Windows\System32\igfxpers.exe[4836] C:\windows\system32\USER32.dll!UnhookWinEvent 000007f865b4e030 5 bytes JMP 000007f8e5c9075c .text C:\Windows\System32\igfxpers.exe[4836] C:\windows\system32\USER32.dll!SetWinEventHook 000007f865b52f70 5 bytes JMP 000007f8e5c903a4 .text C:\Windows\System32\igfxpers.exe[4836] C:\windows\system32\USER32.dll!SetWindowsHookExA 000007f865b71850 5 bytes JMP 000007f8e5c90b14 .text C:\Windows\System32\igfxpers.exe[4836] C:\windows\SYSTEM32\sechost.dll!DeleteService 000007f865407510 5 bytes JMP 000007f8e5450b14 .text C:\Windows\System32\igfxpers.exe[4836] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007f865407550 5 bytes JMP 000007f8e54519f4 .text C:\Windows\System32\igfxpers.exe[4836] C:\windows\SYSTEM32\sechost.dll!CreateServiceW 000007f8654075d0 5 bytes JMP 000007f8e545075c .text C:\Windows\System32\igfxpers.exe[4836] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007f865407b20 5 bytes JMP 000007f8e5451284 .text C:\Windows\System32\igfxpers.exe[4836] C:\windows\SYSTEM32\sechost.dll!CreateServiceA 000007f86542b034 5 bytes JMP 000007f8e54503a4 .text C:\Windows\System32\igfxpers.exe[4836] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007f86542b2e4 5 bytes JMP 000007f8e545163c .text C:\Windows\System32\igfxpers.exe[4836] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007f86542b470 5 bytes JMP 000007f8e5450ecc .text C:\Windows\System32\igfxpers.exe[4836] C:\windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007f86542b6d4 5 bytes JMP 000007f8e5451dac .text C:\Windows\System32\igfxpers.exe[4836] C:\windows\system32\PSAPI.DLL!GetProcessImageFileNameA + 306 000007f86553177a 4 bytes [53, 65, F8, 07] .text C:\Windows\System32\igfxpers.exe[4836] C:\windows\system32\PSAPI.DLL!GetProcessImageFileNameA + 314 000007f865531782 4 bytes [53, 65, F8, 07] .text C:\Program Files\Elantech\ETDCtrl.exe[4924] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000007f866842c90 5 bytes JMP 000007f8e6a10460 .text C:\Program Files\Elantech\ETDCtrl.exe[4924] C:\windows\SYSTEM32\ntdll.dll!NtQueryObject 000007f866842ce0 5 bytes JMP 000007f8e6a10450 .text C:\Program Files\Elantech\ETDCtrl.exe[4924] C:\windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 000007f866842d60 5 bytes JMP 000007f866a00b14 .text C:\Program Files\Elantech\ETDCtrl.exe[4924] C:\windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 000007f866842dc0 5 bytes JMP 000007f866a00ecc .text C:\Program Files\Elantech\ETDCtrl.exe[4924] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess 000007f866842e40 5 bytes JMP 000007f8e6a10370 .text C:\Program Files\Elantech\ETDCtrl.exe[4924] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000007f866842e90 5 bytes JMP 000007f8e6a10470 .text C:\Program Files\Elantech\ETDCtrl.exe[4924] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000007f866842ea0 5 bytes JMP 000007f866a0163c .text C:\Program Files\Elantech\ETDCtrl.exe[4924] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 000007f866842f50 5 bytes JMP 000007f8e6a10320 .text C:\Program Files\Elantech\ETDCtrl.exe[4924] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000007f866842f80 5 bytes JMP 000007f8e6a103b0 .text C:\Program Files\Elantech\ETDCtrl.exe[4924] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000007f866842fa0 5 bytes JMP 000007f8e6a10390 .text C:\Program Files\Elantech\ETDCtrl.exe[4924] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 000007f866842fe0 5 bytes JMP 000007f8e6a102e0 .text C:\Program Files\Elantech\ETDCtrl.exe[4924] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 000007f866843060 5 bytes JMP 000007f8e6a102d0 .text C:\Program Files\Elantech\ETDCtrl.exe[4924] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 000007f866843080 1 byte JMP 000007f8e6a10310 .text C:\Program Files\Elantech\ETDCtrl.exe[4924] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection + 2 000007f866843082 3 bytes {JMP 0xffffffff801cd290} .text C:\Program Files\Elantech\ETDCtrl.exe[4924] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 000007f8668430c0 5 bytes JMP 000007f8e6a103c0 .text C:\Program Files\Elantech\ETDCtrl.exe[4924] C:\windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 000007f8668430e0 5 bytes JMP 000007f866a01284 .text C:\Program Files\Elantech\ETDCtrl.exe[4924] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 000007f866843110 5 bytes JMP 000007f8e6a103f0 .text C:\Program Files\Elantech\ETDCtrl.exe[4924] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000007f866843281 5 bytes JMP 000007f8e6a10230 .text C:\Program Files\Elantech\ETDCtrl.exe[4924] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000007f866843471 5 bytes JMP 000007f8e6a10480 .text C:\Program Files\Elantech\ETDCtrl.exe[4924] C:\windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000007f8668434a1 5 bytes JMP 000007f8e6a103a0 .text C:\Program Files\Elantech\ETDCtrl.exe[4924] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000007f8668435b1 5 bytes JMP 000007f8e6a102f0 .text C:\Program Files\Elantech\ETDCtrl.exe[4924] C:\windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000007f8668435d1 5 bytes JMP 000007f8e6a10350 .text C:\Program Files\Elantech\ETDCtrl.exe[4924] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 000007f866843641 5 bytes JMP 000007f8e6a10290 .text C:\Program Files\Elantech\ETDCtrl.exe[4924] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000007f8668436d1 5 bytes JMP 000007f8e6a102b0 .text C:\Program Files\Elantech\ETDCtrl.exe[4924] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000007f8668436f1 5 bytes JMP 000007f8e6a103d0 .text C:\Program Files\Elantech\ETDCtrl.exe[4924] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer 000007f866843701 5 bytes JMP 000007f8e6a10330 .text C:\Program Files\Elantech\ETDCtrl.exe[4924] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000007f8668437a1 5 bytes JMP 000007f8e6a10410 .text C:\Program Files\Elantech\ETDCtrl.exe[4924] C:\windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000007f8668437d1 5 bytes JMP 000007f8e6a10240 .text C:\Program Files\Elantech\ETDCtrl.exe[4924] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 000007f866843ae1 5 bytes JMP 000007f8e6a101e0 .text C:\Program Files\Elantech\ETDCtrl.exe[4924] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000007f866843ba1 5 bytes JMP 000007f8e6a10250 .text C:\Program Files\Elantech\ETDCtrl.exe[4924] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000007f866843bd1 5 bytes JMP 000007f8e6a10490 .text C:\Program Files\Elantech\ETDCtrl.exe[4924] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000007f866843be1 5 bytes JMP 000007f8e6a104a0 .text C:\Program Files\Elantech\ETDCtrl.exe[4924] C:\windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000007f866843c11 5 bytes JMP 000007f8e6a10300 .text C:\Program Files\Elantech\ETDCtrl.exe[4924] C:\windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000007f866843c21 5 bytes JMP 000007f8e6a10360 .text C:\Program Files\Elantech\ETDCtrl.exe[4924] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 000007f866843c81 5 bytes JMP 000007f8e6a102a0 .text C:\Program Files\Elantech\ETDCtrl.exe[4924] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000007f866843cd1 5 bytes JMP 000007f8e6a102c0 .text C:\Program Files\Elantech\ETDCtrl.exe[4924] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread 000007f866843d01 5 bytes JMP 000007f8e6a10380 .text C:\Program Files\Elantech\ETDCtrl.exe[4924] C:\windows\SYSTEM32\ntdll.dll!NtOpenTimer 000007f866843d11 5 bytes JMP 000007f8e6a10340 .text C:\Program Files\Elantech\ETDCtrl.exe[4924] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000007f866844021 5 bytes JMP 000007f8e6a10440 .text C:\Program Files\Elantech\ETDCtrl.exe[4924] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000007f866844221 5 bytes JMP 000007f8e6a10260 .text C:\Program Files\Elantech\ETDCtrl.exe[4924] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000007f866844231 5 bytes JMP 000007f8e6a10270 .text C:\Program Files\Elantech\ETDCtrl.exe[4924] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 000007f866844251 5 bytes JMP 000007f866a019f4 .text C:\Program Files\Elantech\ETDCtrl.exe[4924] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000007f866844431 5 bytes JMP 000007f8e6a101f0 .text C:\Program Files\Elantech\ETDCtrl.exe[4924] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000007f866844441 5 bytes JMP 000007f8e6a10210 .text C:\Program Files\Elantech\ETDCtrl.exe[4924] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000007f8668444b1 5 bytes JMP 000007f8e6a10200 .text C:\Program Files\Elantech\ETDCtrl.exe[4924] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000007f866844521 5 bytes JMP 000007f8e6a10420 .text C:\Program Files\Elantech\ETDCtrl.exe[4924] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread 000007f866844531 5 bytes JMP 000007f8e6a10430 .text C:\Program Files\Elantech\ETDCtrl.exe[4924] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000007f866844541 5 bytes JMP 000007f8e6a10220 .text C:\Program Files\Elantech\ETDCtrl.exe[4924] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl 000007f866844651 5 bytes JMP 000007f8e6a10280 .text C:\Program Files\Elantech\ETDCtrl.exe[4924] C:\windows\SYSTEM32\ntdll.dll!LdrUnloadDll 000007f866854a10 5 bytes JMP 000007f866a0075c .text C:\Program Files\Elantech\ETDCtrl.exe[4924] C:\windows\SYSTEM32\ntdll.dll!LdrLoadDll 000007f8668731c4 5 bytes JMP 000007f866a003a4 .text C:\Program Files\Elantech\ETDCtrl.exe[4924] C:\windows\system32\KERNEL32.dll!GetBinaryTypeW + 163 000007f86648f7eb 1 byte [62] .text C:\Program Files\Elantech\ETDCtrl.exe[4924] C:\windows\system32\USER32.dll!UnhookWindowsHookEx 000007f865b42120 5 bytes JMP 000007f8e5c91284 .text C:\Program Files\Elantech\ETDCtrl.exe[4924] C:\windows\system32\USER32.dll!SetWindowsHookExW 000007f865b4bee0 5 bytes JMP 000007f8e5c90ecc .text C:\Program Files\Elantech\ETDCtrl.exe[4924] C:\windows\system32\USER32.dll!UnhookWinEvent 000007f865b4e030 5 bytes JMP 000007f8e5c9075c .text C:\Program Files\Elantech\ETDCtrl.exe[4924] C:\windows\system32\USER32.dll!SetWinEventHook 000007f865b52f70 5 bytes JMP 000007f8e5c903a4 .text C:\Program Files\Elantech\ETDCtrl.exe[4924] C:\windows\system32\USER32.dll!SetWindowsHookExA 000007f865b71850 5 bytes JMP 000007f8e5c90b14 .text C:\Program Files\Elantech\ETDCtrl.exe[4924] C:\windows\SYSTEM32\MSIMG32.dll!GradientFill + 690 000007f8601b1532 4 bytes [1B, 60, F8, 07] .text C:\Program Files\Elantech\ETDCtrl.exe[4924] C:\windows\SYSTEM32\MSIMG32.dll!GradientFill + 698 000007f8601b153a 4 bytes [1B, 60, F8, 07] .text C:\Program Files\Elantech\ETDCtrl.exe[4924] C:\windows\SYSTEM32\MSIMG32.dll!TransparentBlt + 246 000007f8601b165a 4 bytes [1B, 60, F8, 07] .text C:\Program Files\Elantech\ETDCtrl.exe[4924] C:\windows\SYSTEM32\sechost.dll!DeleteService 000007f865407510 5 bytes JMP 000007f8e5450b14 .text C:\Program Files\Elantech\ETDCtrl.exe[4924] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007f865407550 5 bytes JMP 000007f8e54519f4 .text C:\Program Files\Elantech\ETDCtrl.exe[4924] C:\windows\SYSTEM32\sechost.dll!CreateServiceW 000007f8654075d0 5 bytes JMP 000007f8e545075c .text C:\Program Files\Elantech\ETDCtrl.exe[4924] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007f865407b20 5 bytes JMP 000007f8e5451284 .text C:\Program Files\Elantech\ETDCtrl.exe[4924] C:\windows\SYSTEM32\sechost.dll!CreateServiceA 000007f86542b034 5 bytes JMP 000007f8e54503a4 .text C:\Program Files\Elantech\ETDCtrl.exe[4924] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007f86542b2e4 5 bytes JMP 000007f8e545163c .text C:\Program Files\Elantech\ETDCtrl.exe[4924] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007f86542b470 5 bytes JMP 000007f8e5450ecc .text C:\Program Files\Elantech\ETDCtrl.exe[4924] C:\windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007f86542b6d4 5 bytes JMP 000007f8e5451dac .text C:\Program Files (x86)\Lenovo\Energy Management\Energy Management.exe[4088] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000007f866842c90 5 bytes JMP 000007f8e6a10460 .text C:\Program Files (x86)\Lenovo\Energy Management\Energy Management.exe[4088] C:\windows\SYSTEM32\ntdll.dll!NtQueryObject 000007f866842ce0 5 bytes JMP 000007f8e6a10450 .text C:\Program Files (x86)\Lenovo\Energy Management\Energy Management.exe[4088] C:\windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 000007f866842d60 5 bytes JMP 000007f866a00b14 .text C:\Program Files (x86)\Lenovo\Energy Management\Energy Management.exe[4088] C:\windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 000007f866842dc0 5 bytes JMP 000007f866a00ecc .text C:\Program Files (x86)\Lenovo\Energy Management\Energy Management.exe[4088] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess 000007f866842e40 5 bytes JMP 000007f8e6a10370 .text C:\Program Files (x86)\Lenovo\Energy Management\Energy Management.exe[4088] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000007f866842e90 5 bytes JMP 000007f8e6a10470 .text C:\Program Files (x86)\Lenovo\Energy Management\Energy Management.exe[4088] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000007f866842ea0 5 bytes JMP 000007f866a0163c .text C:\Program Files (x86)\Lenovo\Energy Management\Energy Management.exe[4088] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 000007f866842f50 5 bytes JMP 000007f8e6a10320 .text C:\Program Files (x86)\Lenovo\Energy Management\Energy Management.exe[4088] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000007f866842f80 5 bytes JMP 000007f8e6a103b0 .text C:\Program Files (x86)\Lenovo\Energy Management\Energy Management.exe[4088] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000007f866842fa0 5 bytes JMP 000007f8e6a10390 .text C:\Program Files (x86)\Lenovo\Energy Management\Energy Management.exe[4088] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 000007f866842fe0 5 bytes JMP 000007f8e6a102e0 .text C:\Program Files (x86)\Lenovo\Energy Management\Energy Management.exe[4088] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 000007f866843060 5 bytes JMP 000007f8e6a102d0 .text C:\Program Files (x86)\Lenovo\Energy Management\Energy Management.exe[4088] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 000007f866843080 1 byte JMP 000007f8e6a10310 .text C:\Program Files (x86)\Lenovo\Energy Management\Energy Management.exe[4088] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection + 2 000007f866843082 3 bytes {JMP 0xffffffff801cd290} .text C:\Program Files (x86)\Lenovo\Energy Management\Energy Management.exe[4088] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 000007f8668430c0 5 bytes JMP 000007f8e6a103c0 .text C:\Program Files (x86)\Lenovo\Energy Management\Energy Management.exe[4088] C:\windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 000007f8668430e0 5 bytes JMP 000007f866a01284 .text C:\Program Files (x86)\Lenovo\Energy Management\Energy Management.exe[4088] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 000007f866843110 5 bytes JMP 000007f8e6a103f0 .text C:\Program Files (x86)\Lenovo\Energy Management\Energy Management.exe[4088] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000007f866843281 5 bytes JMP 000007f8e6a10230 .text C:\Program Files (x86)\Lenovo\Energy Management\Energy Management.exe[4088] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000007f866843471 5 bytes JMP 000007f8e6a10480 .text C:\Program Files (x86)\Lenovo\Energy Management\Energy Management.exe[4088] C:\windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000007f8668434a1 5 bytes JMP 000007f8e6a103a0 .text C:\Program Files (x86)\Lenovo\Energy Management\Energy Management.exe[4088] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000007f8668435b1 5 bytes JMP 000007f8e6a102f0 .text C:\Program Files (x86)\Lenovo\Energy Management\Energy Management.exe[4088] C:\windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000007f8668435d1 5 bytes JMP 000007f8e6a10350 .text C:\Program Files (x86)\Lenovo\Energy Management\Energy Management.exe[4088] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 000007f866843641 5 bytes JMP 000007f8e6a10290 .text C:\Program Files (x86)\Lenovo\Energy Management\Energy Management.exe[4088] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000007f8668436d1 5 bytes JMP 000007f8e6a102b0 .text C:\Program Files (x86)\Lenovo\Energy Management\Energy Management.exe[4088] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000007f8668436f1 5 bytes JMP 000007f8e6a103d0 .text C:\Program Files (x86)\Lenovo\Energy Management\Energy Management.exe[4088] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer 000007f866843701 5 bytes JMP 000007f8e6a10330 .text C:\Program Files (x86)\Lenovo\Energy Management\Energy Management.exe[4088] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000007f8668437a1 5 bytes JMP 000007f8e6a10410 .text C:\Program Files (x86)\Lenovo\Energy Management\Energy Management.exe[4088] C:\windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000007f8668437d1 5 bytes JMP 000007f8e6a10240 .text C:\Program Files (x86)\Lenovo\Energy Management\Energy Management.exe[4088] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 000007f866843ae1 5 bytes JMP 000007f8e6a101e0 .text C:\Program Files (x86)\Lenovo\Energy Management\Energy Management.exe[4088] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000007f866843ba1 5 bytes JMP 000007f8e6a10250 .text C:\Program Files (x86)\Lenovo\Energy Management\Energy Management.exe[4088] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000007f866843bd1 5 bytes JMP 000007f8e6a10490 .text C:\Program Files (x86)\Lenovo\Energy Management\Energy Management.exe[4088] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000007f866843be1 5 bytes JMP 000007f8e6a104a0 .text C:\Program Files (x86)\Lenovo\Energy Management\Energy Management.exe[4088] C:\windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000007f866843c11 5 bytes JMP 000007f8e6a10300 .text C:\Program Files (x86)\Lenovo\Energy Management\Energy Management.exe[4088] C:\windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000007f866843c21 5 bytes JMP 000007f8e6a10360 .text C:\Program Files (x86)\Lenovo\Energy Management\Energy Management.exe[4088] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 000007f866843c81 5 bytes JMP 000007f8e6a102a0 .text C:\Program Files (x86)\Lenovo\Energy Management\Energy Management.exe[4088] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000007f866843cd1 5 bytes JMP 000007f8e6a102c0 .text C:\Program Files (x86)\Lenovo\Energy Management\Energy Management.exe[4088] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread 000007f866843d01 5 bytes JMP 000007f8e6a10380 .text C:\Program Files (x86)\Lenovo\Energy Management\Energy Management.exe[4088] C:\windows\SYSTEM32\ntdll.dll!NtOpenTimer 000007f866843d11 5 bytes JMP 000007f8e6a10340 .text C:\Program Files (x86)\Lenovo\Energy Management\Energy Management.exe[4088] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000007f866844021 5 bytes JMP 000007f8e6a10440 .text C:\Program Files (x86)\Lenovo\Energy Management\Energy Management.exe[4088] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000007f866844221 5 bytes JMP 000007f8e6a10260 .text C:\Program Files (x86)\Lenovo\Energy Management\Energy Management.exe[4088] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000007f866844231 5 bytes JMP 000007f8e6a10270 .text C:\Program Files (x86)\Lenovo\Energy Management\Energy Management.exe[4088] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 000007f866844251 5 bytes JMP 000007f866a019f4 .text C:\Program Files (x86)\Lenovo\Energy Management\Energy Management.exe[4088] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000007f866844431 5 bytes JMP 000007f8e6a101f0 .text C:\Program Files (x86)\Lenovo\Energy Management\Energy Management.exe[4088] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000007f866844441 5 bytes JMP 000007f8e6a10210 .text C:\Program Files (x86)\Lenovo\Energy Management\Energy Management.exe[4088] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000007f8668444b1 5 bytes JMP 000007f8e6a10200 .text C:\Program Files (x86)\Lenovo\Energy Management\Energy Management.exe[4088] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000007f866844521 5 bytes JMP 000007f8e6a10420 .text C:\Program Files (x86)\Lenovo\Energy Management\Energy Management.exe[4088] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread 000007f866844531 5 bytes JMP 000007f8e6a10430 .text C:\Program Files (x86)\Lenovo\Energy Management\Energy Management.exe[4088] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000007f866844541 5 bytes JMP 000007f8e6a10220 .text C:\Program Files (x86)\Lenovo\Energy Management\Energy Management.exe[4088] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl 000007f866844651 5 bytes JMP 000007f8e6a10280 .text C:\Program Files (x86)\Lenovo\Energy Management\Energy Management.exe[4088] C:\windows\SYSTEM32\ntdll.dll!LdrUnloadDll 000007f866854a10 5 bytes JMP 000007f866a0075c .text C:\Program Files (x86)\Lenovo\Energy Management\Energy Management.exe[4088] C:\windows\SYSTEM32\ntdll.dll!LdrLoadDll 000007f8668731c4 5 bytes JMP 000007f866a003a4 .text C:\Program Files (x86)\Lenovo\Energy Management\Energy Management.exe[4088] C:\windows\system32\KERNEL32.dll!GetBinaryTypeW + 163 000007f86648f7eb 1 byte [62] .text C:\Program Files (x86)\Lenovo\Energy Management\Energy Management.exe[4088] C:\windows\system32\USER32.dll!UnhookWindowsHookEx 000007f865b42120 5 bytes JMP 000007f8e5c91284 .text C:\Program Files (x86)\Lenovo\Energy Management\Energy Management.exe[4088] C:\windows\system32\USER32.dll!SetWindowsHookExW 000007f865b4bee0 5 bytes JMP 000007f8e5c90ecc .text C:\Program Files (x86)\Lenovo\Energy Management\Energy Management.exe[4088] C:\windows\system32\USER32.dll!UnhookWinEvent 000007f865b4e030 5 bytes JMP 000007f8e5c9075c .text C:\Program Files (x86)\Lenovo\Energy Management\Energy Management.exe[4088] C:\windows\system32\USER32.dll!SetWinEventHook 000007f865b52f70 5 bytes JMP 000007f8e5c903a4 .text C:\Program Files (x86)\Lenovo\Energy Management\Energy Management.exe[4088] C:\windows\system32\USER32.dll!SetWindowsHookExA 000007f865b71850 5 bytes JMP 000007f8e5c90b14 .text C:\Program Files (x86)\Lenovo\Energy Management\Energy Management.exe[4088] C:\windows\SYSTEM32\MSIMG32.dll!GradientFill + 690 000007f8601b1532 4 bytes [1B, 60, F8, 07] .text C:\Program Files (x86)\Lenovo\Energy Management\Energy Management.exe[4088] C:\windows\SYSTEM32\MSIMG32.dll!GradientFill + 698 000007f8601b153a 4 bytes [1B, 60, F8, 07] .text C:\Program Files (x86)\Lenovo\Energy Management\Energy Management.exe[4088] C:\windows\SYSTEM32\MSIMG32.dll!TransparentBlt + 246 000007f8601b165a 4 bytes [1B, 60, F8, 07] .text C:\Program Files (x86)\Lenovo\Energy Management\Energy Management.exe[4088] C:\windows\SYSTEM32\sechost.dll!DeleteService 000007f865407510 5 bytes JMP 000007f8e5450b14 .text C:\Program Files (x86)\Lenovo\Energy Management\Energy Management.exe[4088] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007f865407550 5 bytes JMP 000007f8e54519f4 .text C:\Program Files (x86)\Lenovo\Energy Management\Energy Management.exe[4088] C:\windows\SYSTEM32\sechost.dll!CreateServiceW 000007f8654075d0 5 bytes JMP 000007f8e545075c .text C:\Program Files (x86)\Lenovo\Energy Management\Energy Management.exe[4088] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007f865407b20 5 bytes JMP 000007f8e5451284 .text C:\Program Files (x86)\Lenovo\Energy Management\Energy Management.exe[4088] C:\windows\SYSTEM32\sechost.dll!CreateServiceA 000007f86542b034 5 bytes JMP 000007f8e54503a4 .text C:\Program Files (x86)\Lenovo\Energy Management\Energy Management.exe[4088] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007f86542b2e4 5 bytes JMP 000007f8e545163c .text C:\Program Files (x86)\Lenovo\Energy Management\Energy Management.exe[4088] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007f86542b470 5 bytes JMP 000007f8e5450ecc .text C:\Program Files (x86)\Lenovo\Energy Management\Energy Management.exe[4088] C:\windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007f86542b6d4 5 bytes JMP 000007f8e5451dac .text C:\Program Files\Elantech\ETDCtrlHelper.exe[4792] C:\windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 000007f866842d60 5 bytes JMP 000007f8e6a10b14 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[4792] C:\windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 000007f866842dc0 5 bytes JMP 000007f8e6a10ecc .text C:\Program Files\Elantech\ETDCtrlHelper.exe[4792] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000007f866842ea0 5 bytes JMP 000007f8e6a1163c .text C:\Program Files\Elantech\ETDCtrlHelper.exe[4792] C:\windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 000007f8668430e0 5 bytes JMP 000007f8e6a11284 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[4792] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 000007f866844251 5 bytes JMP 000007f8e6a119f4 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[4792] C:\windows\SYSTEM32\ntdll.dll!LdrUnloadDll 000007f866854a10 5 bytes JMP 000007f8e6a1075c .text C:\Program Files\Elantech\ETDCtrlHelper.exe[4792] C:\windows\SYSTEM32\ntdll.dll!LdrLoadDll 000007f8668731c4 5 bytes JMP 000007f8e6a103a4 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[4792] C:\windows\system32\USER32.dll!UnhookWindowsHookEx 000007f865b42120 5 bytes JMP 000007f8e5c91284 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[4792] C:\windows\system32\USER32.dll!SetWindowsHookExW 000007f865b4bee0 5 bytes JMP 000007f8e5c90ecc .text C:\Program Files\Elantech\ETDCtrlHelper.exe[4792] C:\windows\system32\USER32.dll!UnhookWinEvent 000007f865b4e030 5 bytes JMP 000007f8e5c9075c .text C:\Program Files\Elantech\ETDCtrlHelper.exe[4792] C:\windows\system32\USER32.dll!SetWinEventHook 000007f865b52f70 5 bytes JMP 000007f8e5c903a4 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[4792] C:\windows\system32\USER32.dll!SetWindowsHookExA 000007f865b71850 5 bytes JMP 000007f8e5c90b14 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[4792] C:\windows\SYSTEM32\MSIMG32.dll!GradientFill + 690 000007f8601b1532 4 bytes [1B, 60, F8, 07] .text C:\Program Files\Elantech\ETDCtrlHelper.exe[4792] C:\windows\SYSTEM32\MSIMG32.dll!GradientFill + 698 000007f8601b153a 4 bytes [1B, 60, F8, 07] .text C:\Program Files\Elantech\ETDCtrlHelper.exe[4792] C:\windows\SYSTEM32\MSIMG32.dll!TransparentBlt + 246 000007f8601b165a 4 bytes [1B, 60, F8, 07] .text C:\Program Files\Elantech\ETDCtrlHelper.exe[4792] C:\windows\SYSTEM32\sechost.dll!DeleteService 000007f865407510 5 bytes JMP 000007f8e5450b14 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[4792] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007f865407550 5 bytes JMP 000007f8e54519f4 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[4792] C:\windows\SYSTEM32\sechost.dll!CreateServiceW 000007f8654075d0 5 bytes JMP 000007f8e545075c .text C:\Program Files\Elantech\ETDCtrlHelper.exe[4792] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007f865407b20 5 bytes JMP 000007f8e5451284 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[4792] C:\windows\SYSTEM32\sechost.dll!CreateServiceA 000007f86542b034 5 bytes JMP 000007f8e54503a4 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[4792] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007f86542b2e4 5 bytes JMP 000007f8e545163c .text C:\Program Files\Elantech\ETDCtrlHelper.exe[4792] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007f86542b470 5 bytes JMP 000007f8e5450ecc .text C:\Program Files\Elantech\ETDCtrlHelper.exe[4792] C:\windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007f86542b6d4 5 bytes JMP 000007f8e5451dac .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[4740] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000007f866842c90 5 bytes JMP 000007f8e6a10460 .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[4740] C:\windows\SYSTEM32\ntdll.dll!NtQueryObject 000007f866842ce0 5 bytes JMP 000007f8e6a10450 .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[4740] C:\windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 000007f866842d60 5 bytes JMP 000007f866a00b14 .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[4740] C:\windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 000007f866842dc0 5 bytes JMP 000007f866a00ecc .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[4740] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess 000007f866842e40 5 bytes JMP 000007f8e6a10370 .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[4740] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000007f866842e90 5 bytes JMP 000007f8e6a10470 .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[4740] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000007f866842ea0 5 bytes JMP 000007f866a0163c .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[4740] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 000007f866842f50 5 bytes JMP 000007f8e6a10320 .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[4740] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000007f866842f80 5 bytes JMP 000007f8e6a103b0 .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[4740] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000007f866842fa0 5 bytes JMP 000007f8e6a10390 .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[4740] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 000007f866842fe0 5 bytes JMP 000007f8e6a102e0 .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[4740] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 000007f866843060 5 bytes JMP 000007f8e6a102d0 .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[4740] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 000007f866843080 1 byte JMP 000007f8e6a10310 .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[4740] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection + 2 000007f866843082 3 bytes {JMP 0xffffffff801cd290} .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[4740] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 000007f8668430c0 5 bytes JMP 000007f8e6a103c0 .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[4740] C:\windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 000007f8668430e0 5 bytes JMP 000007f866a01284 .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[4740] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 000007f866843110 5 bytes JMP 000007f8e6a103f0 .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[4740] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000007f866843281 5 bytes JMP 000007f8e6a10230 .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[4740] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000007f866843471 5 bytes JMP 000007f8e6a10480 .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[4740] C:\windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000007f8668434a1 5 bytes JMP 000007f8e6a103a0 .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[4740] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000007f8668435b1 5 bytes JMP 000007f8e6a102f0 .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[4740] C:\windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000007f8668435d1 5 bytes JMP 000007f8e6a10350 .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[4740] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 000007f866843641 5 bytes JMP 000007f8e6a10290 .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[4740] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000007f8668436d1 5 bytes JMP 000007f8e6a102b0 .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[4740] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000007f8668436f1 5 bytes JMP 000007f8e6a103d0 .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[4740] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer 000007f866843701 5 bytes JMP 000007f8e6a10330 .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[4740] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000007f8668437a1 5 bytes JMP 000007f8e6a10410 .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[4740] C:\windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000007f8668437d1 5 bytes JMP 000007f8e6a10240 .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[4740] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 000007f866843ae1 5 bytes JMP 000007f8e6a101e0 .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[4740] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000007f866843ba1 5 bytes JMP 000007f8e6a10250 .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[4740] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000007f866843bd1 5 bytes JMP 000007f8e6a10490 .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[4740] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000007f866843be1 5 bytes JMP 000007f8e6a104a0 .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[4740] C:\windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000007f866843c11 5 bytes JMP 000007f8e6a10300 .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[4740] C:\windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000007f866843c21 5 bytes JMP 000007f8e6a10360 .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[4740] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 000007f866843c81 5 bytes JMP 000007f8e6a102a0 .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[4740] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000007f866843cd1 5 bytes JMP 000007f8e6a102c0 .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[4740] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread 000007f866843d01 5 bytes JMP 000007f8e6a10380 .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[4740] C:\windows\SYSTEM32\ntdll.dll!NtOpenTimer 000007f866843d11 5 bytes JMP 000007f8e6a10340 .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[4740] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000007f866844021 5 bytes JMP 000007f8e6a10440 .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[4740] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000007f866844221 5 bytes JMP 000007f8e6a10260 .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[4740] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000007f866844231 5 bytes JMP 000007f8e6a10270 .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[4740] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 000007f866844251 5 bytes JMP 000007f866a019f4 .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[4740] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000007f866844431 5 bytes JMP 000007f8e6a101f0 .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[4740] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000007f866844441 5 bytes JMP 000007f8e6a10210 .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[4740] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000007f8668444b1 5 bytes JMP 000007f8e6a10200 .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[4740] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000007f866844521 5 bytes JMP 000007f8e6a10420 .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[4740] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread 000007f866844531 5 bytes JMP 000007f8e6a10430 .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[4740] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000007f866844541 5 bytes JMP 000007f8e6a10220 .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[4740] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl 000007f866844651 5 bytes JMP 000007f8e6a10280 .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[4740] C:\windows\SYSTEM32\ntdll.dll!LdrUnloadDll 000007f866854a10 5 bytes JMP 000007f866a0075c .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[4740] C:\windows\SYSTEM32\ntdll.dll!LdrLoadDll 000007f8668731c4 5 bytes JMP 000007f866a003a4 .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[4740] C:\windows\system32\KERNEL32.dll!GetBinaryTypeW + 163 000007f86648f7eb 1 byte [62] .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[4740] C:\windows\system32\USER32.dll!UnhookWindowsHookEx 000007f865b42120 5 bytes JMP 000007f8e5c91284 .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[4740] C:\windows\system32\USER32.dll!SetWindowsHookExW 000007f865b4bee0 5 bytes JMP 000007f8e5c90ecc .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[4740] C:\windows\system32\USER32.dll!UnhookWinEvent 000007f865b4e030 5 bytes JMP 000007f8e5c9075c .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[4740] C:\windows\system32\USER32.dll!SetWinEventHook 000007f865b52f70 5 bytes JMP 000007f8e5c903a4 .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[4740] C:\windows\system32\USER32.dll!SetWindowsHookExA 000007f865b71850 5 bytes JMP 000007f8e5c90b14 .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[4740] C:\windows\SYSTEM32\sechost.dll!DeleteService 000007f865407510 5 bytes JMP 000007f8e5450b14 .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[4740] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007f865407550 5 bytes JMP 000007f8e54519f4 .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[4740] C:\windows\SYSTEM32\sechost.dll!CreateServiceW 000007f8654075d0 5 bytes JMP 000007f8e545075c .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[4740] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007f865407b20 5 bytes JMP 000007f8e5451284 .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[4740] C:\windows\SYSTEM32\sechost.dll!CreateServiceA 000007f86542b034 5 bytes JMP 000007f8e54503a4 .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[4740] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007f86542b2e4 5 bytes JMP 000007f8e545163c .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[4740] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007f86542b470 5 bytes JMP 000007f8e5450ecc .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[4740] C:\windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007f86542b6d4 5 bytes JMP 000007f8e5451dac .text C:\Program Files\Elantech\ETDIntelligent.exe[1152] C:\windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 000007f866842d60 5 bytes JMP 000007f8e6a10b14 .text C:\Program Files\Elantech\ETDIntelligent.exe[1152] C:\windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 000007f866842dc0 5 bytes JMP 000007f8e6a10ecc .text C:\Program Files\Elantech\ETDIntelligent.exe[1152] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000007f866842ea0 5 bytes JMP 000007f8e6a1163c .text C:\Program Files\Elantech\ETDIntelligent.exe[1152] C:\windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 000007f8668430e0 5 bytes JMP 000007f8e6a11284 .text C:\Program Files\Elantech\ETDIntelligent.exe[1152] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 000007f866844251 5 bytes JMP 000007f8e6a119f4 .text C:\Program Files\Elantech\ETDIntelligent.exe[1152] C:\windows\SYSTEM32\ntdll.dll!LdrUnloadDll 000007f866854a10 5 bytes JMP 000007f8e6a1075c .text C:\Program Files\Elantech\ETDIntelligent.exe[1152] C:\windows\SYSTEM32\ntdll.dll!LdrLoadDll 000007f8668731c4 5 bytes JMP 000007f8e6a103a4 .text C:\Program Files\Elantech\ETDIntelligent.exe[1152] C:\windows\system32\KERNEL32.dll!GetBinaryTypeW + 163 000007f86648f7eb 1 byte [62] .text C:\Program Files\Elantech\ETDIntelligent.exe[1152] C:\windows\system32\USER32.dll!UnhookWindowsHookEx 000007f865b42120 5 bytes JMP 000007f8e5c91284 .text C:\Program Files\Elantech\ETDIntelligent.exe[1152] C:\windows\system32\USER32.dll!SetWindowsHookExW 000007f865b4bee0 5 bytes JMP 000007f8e5c90ecc .text C:\Program Files\Elantech\ETDIntelligent.exe[1152] C:\windows\system32\USER32.dll!UnhookWinEvent 000007f865b4e030 5 bytes JMP 000007f8e5c9075c .text C:\Program Files\Elantech\ETDIntelligent.exe[1152] C:\windows\system32\USER32.dll!SetWinEventHook 000007f865b52f70 5 bytes JMP 000007f8e5c903a4 .text C:\Program Files\Elantech\ETDIntelligent.exe[1152] C:\windows\system32\USER32.dll!SetWindowsHookExA 000007f865b71850 5 bytes JMP 000007f8e5c90b14 .text C:\Program Files\Elantech\ETDIntelligent.exe[1152] C:\windows\SYSTEM32\MSIMG32.dll!GradientFill + 690 000007f8601b1532 4 bytes [1B, 60, F8, 07] .text C:\Program Files\Elantech\ETDIntelligent.exe[1152] C:\windows\SYSTEM32\MSIMG32.dll!GradientFill + 698 000007f8601b153a 4 bytes [1B, 60, F8, 07] .text C:\Program Files\Elantech\ETDIntelligent.exe[1152] C:\windows\SYSTEM32\MSIMG32.dll!TransparentBlt + 246 000007f8601b165a 4 bytes [1B, 60, F8, 07] .text C:\Program Files\Elantech\ETDIntelligent.exe[1152] C:\windows\SYSTEM32\sechost.dll!DeleteService 000007f865407510 5 bytes JMP 000007f8e5450b14 .text C:\Program Files\Elantech\ETDIntelligent.exe[1152] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007f865407550 5 bytes JMP 000007f8e54519f4 .text C:\Program Files\Elantech\ETDIntelligent.exe[1152] C:\windows\SYSTEM32\sechost.dll!CreateServiceW 000007f8654075d0 5 bytes JMP 000007f8e545075c .text C:\Program Files\Elantech\ETDIntelligent.exe[1152] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007f865407b20 5 bytes JMP 000007f8e5451284 .text C:\Program Files\Elantech\ETDIntelligent.exe[1152] C:\windows\SYSTEM32\sechost.dll!CreateServiceA 000007f86542b034 5 bytes JMP 000007f8e54503a4 .text C:\Program Files\Elantech\ETDIntelligent.exe[1152] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007f86542b2e4 5 bytes JMP 000007f8e545163c .text C:\Program Files\Elantech\ETDIntelligent.exe[1152] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007f86542b470 5 bytes JMP 000007f8e5450ecc .text C:\Program Files\Elantech\ETDIntelligent.exe[1152] C:\windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007f86542b6d4 5 bytes JMP 000007f8e5451dac .text C:\Program Files (x86)\Dolby Advanced Audio v2\pcee4.exe[4116] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000007f866842c90 5 bytes JMP 000007f8e6a10460 .text C:\Program Files (x86)\Dolby Advanced Audio v2\pcee4.exe[4116] C:\windows\SYSTEM32\ntdll.dll!NtQueryObject 000007f866842ce0 5 bytes JMP 000007f8e6a10450 .text C:\Program Files (x86)\Dolby Advanced Audio v2\pcee4.exe[4116] C:\windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 000007f866842d60 5 bytes JMP 000007f866a00b14 .text C:\Program Files (x86)\Dolby Advanced Audio v2\pcee4.exe[4116] C:\windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 000007f866842dc0 5 bytes JMP 000007f866a00ecc .text C:\Program Files (x86)\Dolby Advanced Audio v2\pcee4.exe[4116] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess 000007f866842e40 5 bytes JMP 000007f8e6a10370 .text C:\Program Files (x86)\Dolby Advanced Audio v2\pcee4.exe[4116] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000007f866842e90 5 bytes JMP 000007f8e6a10470 .text C:\Program Files (x86)\Dolby Advanced Audio v2\pcee4.exe[4116] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000007f866842ea0 5 bytes JMP 000007f866a0163c .text C:\Program Files (x86)\Dolby Advanced Audio v2\pcee4.exe[4116] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 000007f866842f50 5 bytes JMP 000007f8e6a10320 .text C:\Program Files (x86)\Dolby Advanced Audio v2\pcee4.exe[4116] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000007f866842f80 5 bytes JMP 000007f8e6a103b0 .text C:\Program Files (x86)\Dolby Advanced Audio v2\pcee4.exe[4116] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000007f866842fa0 5 bytes JMP 000007f8e6a10390 .text C:\Program Files (x86)\Dolby Advanced Audio v2\pcee4.exe[4116] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 000007f866842fe0 5 bytes JMP 000007f8e6a102e0 .text C:\Program Files (x86)\Dolby Advanced Audio v2\pcee4.exe[4116] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 000007f866843060 5 bytes JMP 000007f8e6a102d0 .text C:\Program Files (x86)\Dolby Advanced Audio v2\pcee4.exe[4116] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 000007f866843080 1 byte JMP 000007f8e6a10310 .text C:\Program Files (x86)\Dolby Advanced Audio v2\pcee4.exe[4116] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection + 2 000007f866843082 3 bytes {JMP 0xffffffff801cd290} .text C:\Program Files (x86)\Dolby Advanced Audio v2\pcee4.exe[4116] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 000007f8668430c0 5 bytes JMP 000007f8e6a103c0 .text C:\Program Files (x86)\Dolby Advanced Audio v2\pcee4.exe[4116] C:\windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 000007f8668430e0 5 bytes JMP 000007f866a01284 .text C:\Program Files (x86)\Dolby Advanced Audio v2\pcee4.exe[4116] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 000007f866843110 5 bytes JMP 000007f8e6a103f0 .text C:\Program Files (x86)\Dolby Advanced Audio v2\pcee4.exe[4116] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000007f866843281 5 bytes JMP 000007f8e6a10230 .text C:\Program Files (x86)\Dolby Advanced Audio v2\pcee4.exe[4116] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000007f866843471 5 bytes JMP 000007f8e6a10480 .text C:\Program Files (x86)\Dolby Advanced Audio v2\pcee4.exe[4116] C:\windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000007f8668434a1 5 bytes JMP 000007f8e6a103a0 .text C:\Program Files (x86)\Dolby Advanced Audio v2\pcee4.exe[4116] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000007f8668435b1 5 bytes JMP 000007f8e6a102f0 .text C:\Program Files (x86)\Dolby Advanced Audio v2\pcee4.exe[4116] C:\windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000007f8668435d1 5 bytes JMP 000007f8e6a10350 .text C:\Program Files (x86)\Dolby Advanced Audio v2\pcee4.exe[4116] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 000007f866843641 5 bytes JMP 000007f8e6a10290 .text C:\Program Files (x86)\Dolby Advanced Audio v2\pcee4.exe[4116] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000007f8668436d1 5 bytes JMP 000007f8e6a102b0 .text C:\Program Files (x86)\Dolby Advanced Audio v2\pcee4.exe[4116] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000007f8668436f1 5 bytes JMP 000007f8e6a103d0 .text C:\Program Files (x86)\Dolby Advanced Audio v2\pcee4.exe[4116] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer 000007f866843701 5 bytes JMP 000007f8e6a10330 .text C:\Program Files (x86)\Dolby Advanced Audio v2\pcee4.exe[4116] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000007f8668437a1 5 bytes JMP 000007f8e6a10410 .text C:\Program Files (x86)\Dolby Advanced Audio v2\pcee4.exe[4116] C:\windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000007f8668437d1 5 bytes JMP 000007f8e6a10240 .text C:\Program Files (x86)\Dolby Advanced Audio v2\pcee4.exe[4116] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 000007f866843ae1 5 bytes JMP 000007f8e6a101e0 .text C:\Program Files (x86)\Dolby Advanced Audio v2\pcee4.exe[4116] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000007f866843ba1 5 bytes JMP 000007f8e6a10250 .text C:\Program Files (x86)\Dolby Advanced Audio v2\pcee4.exe[4116] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000007f866843bd1 5 bytes JMP 000007f8e6a10490 .text C:\Program Files (x86)\Dolby Advanced Audio v2\pcee4.exe[4116] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000007f866843be1 5 bytes JMP 000007f8e6a104a0 .text C:\Program Files (x86)\Dolby Advanced Audio v2\pcee4.exe[4116] C:\windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000007f866843c11 5 bytes JMP 000007f8e6a10300 .text C:\Program Files (x86)\Dolby Advanced Audio v2\pcee4.exe[4116] C:\windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000007f866843c21 5 bytes JMP 000007f8e6a10360 .text C:\Program Files (x86)\Dolby Advanced Audio v2\pcee4.exe[4116] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 000007f866843c81 5 bytes JMP 000007f8e6a102a0 .text C:\Program Files (x86)\Dolby Advanced Audio v2\pcee4.exe[4116] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000007f866843cd1 5 bytes JMP 000007f8e6a102c0 .text C:\Program Files (x86)\Dolby Advanced Audio v2\pcee4.exe[4116] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread 000007f866843d01 5 bytes JMP 000007f8e6a10380 .text C:\Program Files (x86)\Dolby Advanced Audio v2\pcee4.exe[4116] C:\windows\SYSTEM32\ntdll.dll!NtOpenTimer 000007f866843d11 5 bytes JMP 000007f8e6a10340 .text C:\Program Files (x86)\Dolby Advanced Audio v2\pcee4.exe[4116] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000007f866844021 5 bytes JMP 000007f8e6a10440 .text C:\Program Files (x86)\Dolby Advanced Audio v2\pcee4.exe[4116] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000007f866844221 5 bytes JMP 000007f8e6a10260 .text C:\Program Files (x86)\Dolby Advanced Audio v2\pcee4.exe[4116] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000007f866844231 5 bytes JMP 000007f8e6a10270 .text C:\Program Files (x86)\Dolby Advanced Audio v2\pcee4.exe[4116] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 000007f866844251 5 bytes JMP 000007f866a019f4 .text C:\Program Files (x86)\Dolby Advanced Audio v2\pcee4.exe[4116] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000007f866844431 5 bytes JMP 000007f8e6a101f0 .text C:\Program Files (x86)\Dolby Advanced Audio v2\pcee4.exe[4116] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000007f866844441 5 bytes JMP 000007f8e6a10210 .text C:\Program Files (x86)\Dolby Advanced Audio v2\pcee4.exe[4116] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000007f8668444b1 5 bytes JMP 000007f8e6a10200 .text C:\Program Files (x86)\Dolby Advanced Audio v2\pcee4.exe[4116] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000007f866844521 5 bytes JMP 000007f8e6a10420 .text C:\Program Files (x86)\Dolby Advanced Audio v2\pcee4.exe[4116] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread 000007f866844531 5 bytes JMP 000007f8e6a10430 .text C:\Program Files (x86)\Dolby Advanced Audio v2\pcee4.exe[4116] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000007f866844541 5 bytes JMP 000007f8e6a10220 .text C:\Program Files (x86)\Dolby Advanced Audio v2\pcee4.exe[4116] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl 000007f866844651 5 bytes JMP 000007f8e6a10280 .text C:\Program Files (x86)\Dolby Advanced Audio v2\pcee4.exe[4116] C:\windows\SYSTEM32\ntdll.dll!LdrUnloadDll 000007f866854a10 5 bytes JMP 000007f866a0075c .text C:\Program Files (x86)\Dolby Advanced Audio v2\pcee4.exe[4116] C:\windows\SYSTEM32\ntdll.dll!LdrLoadDll 000007f8668731c4 5 bytes JMP 000007f866a003a4 .text C:\Program Files (x86)\Dolby Advanced Audio v2\pcee4.exe[4116] C:\windows\system32\KERNEL32.dll!GetBinaryTypeW + 163 000007f86648f7eb 1 byte [62] .text C:\Program Files (x86)\Dolby Advanced Audio v2\pcee4.exe[4116] C:\windows\SYSTEM32\sechost.dll!DeleteService 000007f865407510 5 bytes JMP 000007f8e5450b14 .text C:\Program Files (x86)\Dolby Advanced Audio v2\pcee4.exe[4116] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007f865407550 5 bytes JMP 000007f8e54519f4 .text C:\Program Files (x86)\Dolby Advanced Audio v2\pcee4.exe[4116] C:\windows\SYSTEM32\sechost.dll!CreateServiceW 000007f8654075d0 5 bytes JMP 000007f8e545075c .text C:\Program Files (x86)\Dolby Advanced Audio v2\pcee4.exe[4116] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007f865407b20 5 bytes JMP 000007f8e5451284 .text C:\Program Files (x86)\Dolby Advanced Audio v2\pcee4.exe[4116] C:\windows\SYSTEM32\sechost.dll!CreateServiceA 000007f86542b034 5 bytes JMP 000007f8e54503a4 .text C:\Program Files (x86)\Dolby Advanced Audio v2\pcee4.exe[4116] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007f86542b2e4 5 bytes JMP 000007f8e545163c .text C:\Program Files (x86)\Dolby Advanced Audio v2\pcee4.exe[4116] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007f86542b470 5 bytes JMP 000007f8e5450ecc .text C:\Program Files (x86)\Dolby Advanced Audio v2\pcee4.exe[4116] C:\windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007f86542b6d4 5 bytes JMP 000007f8e5451dac .text C:\Program Files (x86)\Dolby Advanced Audio v2\pcee4.exe[4116] C:\windows\system32\USER32.dll!UnhookWindowsHookEx 000007f865b42120 5 bytes JMP 000007f8e5c91284 .text C:\Program Files (x86)\Dolby Advanced Audio v2\pcee4.exe[4116] C:\windows\system32\USER32.dll!SetWindowsHookExW 000007f865b4bee0 5 bytes JMP 000007f8e5c90ecc .text C:\Program Files (x86)\Dolby Advanced Audio v2\pcee4.exe[4116] C:\windows\system32\USER32.dll!UnhookWinEvent 000007f865b4e030 5 bytes JMP 000007f8e5c9075c .text C:\Program Files (x86)\Dolby Advanced Audio v2\pcee4.exe[4116] C:\windows\system32\USER32.dll!SetWinEventHook 000007f865b52f70 5 bytes JMP 000007f8e5c903a4 .text C:\Program Files (x86)\Dolby Advanced Audio v2\pcee4.exe[4116] C:\windows\system32\USER32.dll!SetWindowsHookExA 000007f865b71850 5 bytes JMP 000007f8e5c90b14 .text C:\windows\System32\svchost.exe[1196] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000007f866842c90 5 bytes JMP 000007f8e6a10460 .text C:\windows\System32\svchost.exe[1196] C:\windows\SYSTEM32\ntdll.dll!NtQueryObject 000007f866842ce0 5 bytes JMP 000007f8e6a10450 .text C:\windows\System32\svchost.exe[1196] C:\windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 000007f866842d60 5 bytes JMP 000007f866a00b14 .text C:\windows\System32\svchost.exe[1196] C:\windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 000007f866842dc0 5 bytes JMP 000007f866a00ecc .text C:\windows\System32\svchost.exe[1196] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess 000007f866842e40 5 bytes JMP 000007f8e6a10370 .text C:\windows\System32\svchost.exe[1196] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000007f866842e90 5 bytes JMP 000007f8e6a10470 .text C:\windows\System32\svchost.exe[1196] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000007f866842ea0 5 bytes JMP 000007f866a0163c .text C:\windows\System32\svchost.exe[1196] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 000007f866842f50 5 bytes JMP 000007f8e6a10320 .text C:\windows\System32\svchost.exe[1196] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000007f866842f80 5 bytes JMP 000007f8e6a103b0 .text C:\windows\System32\svchost.exe[1196] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000007f866842fa0 5 bytes JMP 000007f8e6a10390 .text C:\windows\System32\svchost.exe[1196] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 000007f866842fe0 5 bytes JMP 000007f8e6a102e0 .text C:\windows\System32\svchost.exe[1196] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 000007f866843060 5 bytes JMP 000007f8e6a102d0 .text C:\windows\System32\svchost.exe[1196] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 000007f866843080 1 byte JMP 000007f8e6a10310 .text C:\windows\System32\svchost.exe[1196] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection + 2 000007f866843082 3 bytes {JMP 0xffffffff801cd290} .text C:\windows\System32\svchost.exe[1196] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 000007f8668430c0 5 bytes JMP 000007f8e6a103c0 .text C:\windows\System32\svchost.exe[1196] C:\windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 000007f8668430e0 5 bytes JMP 000007f866a01284 .text C:\windows\System32\svchost.exe[1196] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 000007f866843110 5 bytes JMP 000007f8e6a103f0 .text C:\windows\System32\svchost.exe[1196] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000007f866843281 5 bytes JMP 000007f8e6a10230 .text C:\windows\System32\svchost.exe[1196] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000007f866843471 5 bytes JMP 000007f8e6a10480 .text C:\windows\System32\svchost.exe[1196] C:\windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000007f8668434a1 5 bytes JMP 000007f8e6a103a0 .text C:\windows\System32\svchost.exe[1196] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000007f8668435b1 5 bytes JMP 000007f8e6a102f0 .text C:\windows\System32\svchost.exe[1196] C:\windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000007f8668435d1 5 bytes JMP 000007f8e6a10350 .text C:\windows\System32\svchost.exe[1196] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 000007f866843641 5 bytes JMP 000007f8e6a10290 .text C:\windows\System32\svchost.exe[1196] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000007f8668436d1 5 bytes JMP 000007f8e6a102b0 .text C:\windows\System32\svchost.exe[1196] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000007f8668436f1 5 bytes JMP 000007f8e6a103d0 .text C:\windows\System32\svchost.exe[1196] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer 000007f866843701 5 bytes JMP 000007f8e6a10330 .text C:\windows\System32\svchost.exe[1196] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000007f8668437a1 5 bytes JMP 000007f8e6a10410 .text C:\windows\System32\svchost.exe[1196] C:\windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000007f8668437d1 5 bytes JMP 000007f8e6a10240 .text C:\windows\System32\svchost.exe[1196] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 000007f866843ae1 5 bytes JMP 000007f8e6a101e0 .text C:\windows\System32\svchost.exe[1196] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000007f866843ba1 5 bytes JMP 000007f8e6a10250 .text C:\windows\System32\svchost.exe[1196] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000007f866843bd1 5 bytes JMP 000007f8e6a10490 .text C:\windows\System32\svchost.exe[1196] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000007f866843be1 5 bytes JMP 000007f8e6a104a0 .text C:\windows\System32\svchost.exe[1196] C:\windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000007f866843c11 5 bytes JMP 000007f8e6a10300 .text C:\windows\System32\svchost.exe[1196] C:\windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000007f866843c21 5 bytes JMP 000007f8e6a10360 .text C:\windows\System32\svchost.exe[1196] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 000007f866843c81 5 bytes JMP 000007f8e6a102a0 .text C:\windows\System32\svchost.exe[1196] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000007f866843cd1 5 bytes JMP 000007f8e6a102c0 .text C:\windows\System32\svchost.exe[1196] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread 000007f866843d01 5 bytes JMP 000007f8e6a10380 .text C:\windows\System32\svchost.exe[1196] C:\windows\SYSTEM32\ntdll.dll!NtOpenTimer 000007f866843d11 5 bytes JMP 000007f8e6a10340 .text C:\windows\System32\svchost.exe[1196] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000007f866844021 5 bytes JMP 000007f8e6a10440 .text C:\windows\System32\svchost.exe[1196] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000007f866844221 5 bytes JMP 000007f8e6a10260 .text C:\windows\System32\svchost.exe[1196] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000007f866844231 5 bytes JMP 000007f8e6a10270 .text C:\windows\System32\svchost.exe[1196] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 000007f866844251 5 bytes JMP 000007f866a019f4 .text C:\windows\System32\svchost.exe[1196] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000007f866844431 5 bytes JMP 000007f8e6a101f0 .text C:\windows\System32\svchost.exe[1196] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000007f866844441 5 bytes JMP 000007f8e6a10210 .text C:\windows\System32\svchost.exe[1196] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000007f8668444b1 5 bytes JMP 000007f8e6a10200 .text C:\windows\System32\svchost.exe[1196] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000007f866844521 5 bytes JMP 000007f8e6a10420 .text C:\windows\System32\svchost.exe[1196] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread 000007f866844531 5 bytes JMP 000007f8e6a10430 .text C:\windows\System32\svchost.exe[1196] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000007f866844541 5 bytes JMP 000007f8e6a10220 .text C:\windows\System32\svchost.exe[1196] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl 000007f866844651 5 bytes JMP 000007f8e6a10280 .text C:\windows\System32\svchost.exe[1196] C:\windows\SYSTEM32\ntdll.dll!LdrUnloadDll 000007f866854a10 5 bytes JMP 000007f866a0075c .text C:\windows\System32\svchost.exe[1196] C:\windows\SYSTEM32\ntdll.dll!LdrLoadDll 000007f8668731c4 5 bytes JMP 000007f866a003a4 .text C:\windows\System32\svchost.exe[1196] C:\windows\SYSTEM32\sechost.dll!DeleteService 000007f865407510 5 bytes JMP 000007f8e5450b14 .text C:\windows\System32\svchost.exe[1196] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007f865407550 5 bytes JMP 000007f8e54519f4 .text C:\windows\System32\svchost.exe[1196] C:\windows\SYSTEM32\sechost.dll!CreateServiceW 000007f8654075d0 5 bytes JMP 000007f8e545075c .text C:\windows\System32\svchost.exe[1196] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007f865407b20 5 bytes JMP 000007f8e5451284 .text C:\windows\System32\svchost.exe[1196] C:\windows\SYSTEM32\sechost.dll!CreateServiceA 000007f86542b034 5 bytes JMP 000007f8e54503a4 .text C:\windows\System32\svchost.exe[1196] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007f86542b2e4 5 bytes JMP 000007f8e545163c .text C:\windows\System32\svchost.exe[1196] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007f86542b470 5 bytes JMP 000007f8e5450ecc .text C:\windows\System32\svchost.exe[1196] C:\windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007f86542b6d4 5 bytes JMP 000007f8e5451dac .text C:\windows\System32\svchost.exe[1196] C:\windows\system32\USER32.dll!UnhookWindowsHookEx 000007f865b42120 5 bytes JMP 000007f8e5c91284 .text C:\windows\System32\svchost.exe[1196] C:\windows\system32\USER32.dll!SetWindowsHookExW 000007f865b4bee0 5 bytes JMP 000007f8e5c90ecc .text C:\windows\System32\svchost.exe[1196] C:\windows\system32\USER32.dll!UnhookWinEvent 000007f865b4e030 5 bytes JMP 000007f8e5c9075c .text C:\windows\System32\svchost.exe[1196] C:\windows\system32\USER32.dll!SetWinEventHook 000007f865b52f70 5 bytes JMP 000007f8e5c903a4 .text C:\windows\System32\svchost.exe[1196] C:\windows\system32\USER32.dll!SetWindowsHookExA 000007f865b71850 5 bytes JMP 000007f8e5c90b14 .text C:\windows\System32\svchost.exe[1196] c:\windows\system32\WSOCK32.dll!recvfrom + 742 000007f85af71b32 4 bytes [F7, 5A, F8, 07] .text C:\windows\System32\svchost.exe[1196] c:\windows\system32\WSOCK32.dll!recvfrom + 750 000007f85af71b3a 4 bytes [F7, 5A, F8, 07] .text C:\windows\system32\AUDIODG.EXE[4712] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000007f866842c90 5 bytes JMP 000007f8e6a10460 .text C:\windows\system32\AUDIODG.EXE[4712] C:\windows\SYSTEM32\ntdll.dll!NtQueryObject 000007f866842ce0 5 bytes JMP 000007f8e6a10450 .text C:\windows\system32\AUDIODG.EXE[4712] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess 000007f866842e40 5 bytes JMP 000007f8e6a10370 .text C:\windows\system32\AUDIODG.EXE[4712] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000007f866842e90 5 bytes JMP 000007f8e6a10470 .text C:\windows\system32\AUDIODG.EXE[4712] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000007f866842ea0 5 bytes JMP 000007f8e6a103e0 .text C:\windows\system32\AUDIODG.EXE[4712] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 000007f866842f50 5 bytes JMP 000007f8e6a10320 .text C:\windows\system32\AUDIODG.EXE[4712] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000007f866842f80 5 bytes JMP 000007f8e6a103b0 .text C:\windows\system32\AUDIODG.EXE[4712] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000007f866842fa0 5 bytes JMP 000007f8e6a10390 .text C:\windows\system32\AUDIODG.EXE[4712] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 000007f866842fe0 5 bytes JMP 000007f8e6a102e0 .text C:\windows\system32\AUDIODG.EXE[4712] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 000007f866843060 5 bytes JMP 000007f8e6a102d0 .text C:\windows\system32\AUDIODG.EXE[4712] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 000007f866843080 1 byte JMP 000007f8e6a10310 .text C:\windows\system32\AUDIODG.EXE[4712] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection + 2 000007f866843082 3 bytes {JMP 0xffffffff801cd290} .text C:\windows\system32\AUDIODG.EXE[4712] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 000007f8668430c0 5 bytes JMP 000007f8e6a103c0 .text C:\windows\system32\AUDIODG.EXE[4712] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 000007f866843110 5 bytes JMP 000007f8e6a103f0 .text C:\windows\system32\AUDIODG.EXE[4712] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000007f866843281 5 bytes JMP 000007f8e6a10230 .text C:\windows\system32\AUDIODG.EXE[4712] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000007f866843471 5 bytes JMP 000007f8e6a10480 .text C:\windows\system32\AUDIODG.EXE[4712] C:\windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000007f8668434a1 5 bytes JMP 000007f8e6a103a0 .text C:\windows\system32\AUDIODG.EXE[4712] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000007f8668435b1 5 bytes JMP 000007f8e6a102f0 .text C:\windows\system32\AUDIODG.EXE[4712] C:\windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000007f8668435d1 5 bytes JMP 000007f8e6a10350 .text C:\windows\system32\AUDIODG.EXE[4712] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 000007f866843641 5 bytes JMP 000007f8e6a10290 .text C:\windows\system32\AUDIODG.EXE[4712] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000007f8668436d1 5 bytes JMP 000007f8e6a102b0 .text C:\windows\system32\AUDIODG.EXE[4712] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000007f8668436f1 5 bytes JMP 000007f8e6a103d0 .text C:\windows\system32\AUDIODG.EXE[4712] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer 000007f866843701 5 bytes JMP 000007f8e6a10330 .text C:\windows\system32\AUDIODG.EXE[4712] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000007f8668437a1 5 bytes JMP 000007f8e6a10410 .text C:\windows\system32\AUDIODG.EXE[4712] C:\windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000007f8668437d1 5 bytes JMP 000007f8e6a10240 .text C:\windows\system32\AUDIODG.EXE[4712] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 000007f866843ae1 5 bytes JMP 000007f8e6a101e0 .text C:\windows\system32\AUDIODG.EXE[4712] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000007f866843ba1 5 bytes JMP 000007f8e6a10250 .text C:\windows\system32\AUDIODG.EXE[4712] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000007f866843bd1 5 bytes JMP 000007f8e6a10490 .text C:\windows\system32\AUDIODG.EXE[4712] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000007f866843be1 5 bytes JMP 000007f8e6a104a0 .text C:\windows\system32\AUDIODG.EXE[4712] C:\windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000007f866843c11 5 bytes JMP 000007f8e6a10300 .text C:\windows\system32\AUDIODG.EXE[4712] C:\windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000007f866843c21 5 bytes JMP 000007f8e6a10360 .text C:\windows\system32\AUDIODG.EXE[4712] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 000007f866843c81 5 bytes JMP 000007f8e6a102a0 .text C:\windows\system32\AUDIODG.EXE[4712] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000007f866843cd1 5 bytes JMP 000007f8e6a102c0 .text C:\windows\system32\AUDIODG.EXE[4712] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread 000007f866843d01 5 bytes JMP 000007f8e6a10380 .text C:\windows\system32\AUDIODG.EXE[4712] C:\windows\SYSTEM32\ntdll.dll!NtOpenTimer 000007f866843d11 5 bytes JMP 000007f8e6a10340 .text C:\windows\system32\AUDIODG.EXE[4712] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000007f866844021 5 bytes JMP 000007f8e6a10440 .text C:\windows\system32\AUDIODG.EXE[4712] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000007f866844221 5 bytes JMP 000007f8e6a10260 .text C:\windows\system32\AUDIODG.EXE[4712] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000007f866844231 5 bytes JMP 000007f8e6a10270 .text C:\windows\system32\AUDIODG.EXE[4712] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 000007f866844251 5 bytes JMP 000007f8e6a10400 .text C:\windows\system32\AUDIODG.EXE[4712] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000007f866844431 5 bytes JMP 000007f8e6a101f0 .text C:\windows\system32\AUDIODG.EXE[4712] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000007f866844441 5 bytes JMP 000007f8e6a10210 .text C:\windows\system32\AUDIODG.EXE[4712] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000007f8668444b1 5 bytes JMP 000007f8e6a10200 .text C:\windows\system32\AUDIODG.EXE[4712] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000007f866844521 5 bytes JMP 000007f8e6a10420 .text C:\windows\system32\AUDIODG.EXE[4712] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread 000007f866844531 5 bytes JMP 000007f8e6a10430 .text C:\windows\system32\AUDIODG.EXE[4712] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000007f866844541 5 bytes JMP 000007f8e6a10220 .text C:\windows\system32\AUDIODG.EXE[4712] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl 000007f866844651 5 bytes JMP 000007f8e6a10280 .text C:\windows\system32\wbem\wmiprvse.exe[3988] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000007f866842c90 5 bytes JMP 000007f8e6a10460 .text C:\windows\system32\wbem\wmiprvse.exe[3988] C:\windows\SYSTEM32\ntdll.dll!NtQueryObject 000007f866842ce0 5 bytes JMP 000007f8e6a10450 .text C:\windows\system32\wbem\wmiprvse.exe[3988] C:\windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 000007f866842d60 5 bytes JMP 000007f866a00b14 .text C:\windows\system32\wbem\wmiprvse.exe[3988] C:\windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 000007f866842dc0 5 bytes JMP 000007f866a00ecc .text C:\windows\system32\wbem\wmiprvse.exe[3988] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess 000007f866842e40 5 bytes JMP 000007f8e6a10370 .text C:\windows\system32\wbem\wmiprvse.exe[3988] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000007f866842e90 5 bytes JMP 000007f8e6a10470 .text C:\windows\system32\wbem\wmiprvse.exe[3988] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000007f866842ea0 5 bytes JMP 000007f866a0163c .text C:\windows\system32\wbem\wmiprvse.exe[3988] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 000007f866842f50 5 bytes JMP 000007f8e6a10320 .text C:\windows\system32\wbem\wmiprvse.exe[3988] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000007f866842f80 5 bytes JMP 000007f8e6a103b0 .text C:\windows\system32\wbem\wmiprvse.exe[3988] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000007f866842fa0 5 bytes JMP 000007f8e6a10390 .text C:\windows\system32\wbem\wmiprvse.exe[3988] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 000007f866842fe0 5 bytes JMP 000007f8e6a102e0 .text C:\windows\system32\wbem\wmiprvse.exe[3988] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 000007f866843060 5 bytes JMP 000007f8e6a102d0 .text C:\windows\system32\wbem\wmiprvse.exe[3988] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 000007f866843080 1 byte JMP 000007f8e6a10310 .text C:\windows\system32\wbem\wmiprvse.exe[3988] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection + 2 000007f866843082 3 bytes {JMP 0xffffffff801cd290} .text C:\windows\system32\wbem\wmiprvse.exe[3988] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 000007f8668430c0 5 bytes JMP 000007f8e6a103c0 .text C:\windows\system32\wbem\wmiprvse.exe[3988] C:\windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 000007f8668430e0 5 bytes JMP 000007f866a01284 .text C:\windows\system32\wbem\wmiprvse.exe[3988] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 000007f866843110 5 bytes JMP 000007f8e6a103f0 .text C:\windows\system32\wbem\wmiprvse.exe[3988] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000007f866843281 5 bytes JMP 000007f8e6a10230 .text C:\windows\system32\wbem\wmiprvse.exe[3988] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000007f866843471 5 bytes JMP 000007f8e6a10480 .text C:\windows\system32\wbem\wmiprvse.exe[3988] C:\windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000007f8668434a1 5 bytes JMP 000007f8e6a103a0 .text C:\windows\system32\wbem\wmiprvse.exe[3988] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000007f8668435b1 5 bytes JMP 000007f8e6a102f0 .text C:\windows\system32\wbem\wmiprvse.exe[3988] C:\windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000007f8668435d1 5 bytes JMP 000007f8e6a10350 .text C:\windows\system32\wbem\wmiprvse.exe[3988] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 000007f866843641 5 bytes JMP 000007f8e6a10290 .text C:\windows\system32\wbem\wmiprvse.exe[3988] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000007f8668436d1 5 bytes JMP 000007f8e6a102b0 .text C:\windows\system32\wbem\wmiprvse.exe[3988] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000007f8668436f1 5 bytes JMP 000007f8e6a103d0 .text C:\windows\system32\wbem\wmiprvse.exe[3988] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer 000007f866843701 5 bytes JMP 000007f8e6a10330 .text C:\windows\system32\wbem\wmiprvse.exe[3988] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000007f8668437a1 5 bytes JMP 000007f8e6a10410 .text C:\windows\system32\wbem\wmiprvse.exe[3988] C:\windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000007f8668437d1 5 bytes JMP 000007f8e6a10240 .text C:\windows\system32\wbem\wmiprvse.exe[3988] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 000007f866843ae1 5 bytes JMP 000007f8e6a101e0 .text C:\windows\system32\wbem\wmiprvse.exe[3988] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000007f866843ba1 5 bytes JMP 000007f8e6a10250 .text C:\windows\system32\wbem\wmiprvse.exe[3988] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000007f866843bd1 5 bytes JMP 000007f8e6a10490 .text C:\windows\system32\wbem\wmiprvse.exe[3988] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000007f866843be1 5 bytes JMP 000007f8e6a104a0 .text C:\windows\system32\wbem\wmiprvse.exe[3988] C:\windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000007f866843c11 5 bytes JMP 000007f8e6a10300 .text C:\windows\system32\wbem\wmiprvse.exe[3988] C:\windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000007f866843c21 5 bytes JMP 000007f8e6a10360 .text C:\windows\system32\wbem\wmiprvse.exe[3988] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 000007f866843c81 5 bytes JMP 000007f8e6a102a0 .text C:\windows\system32\wbem\wmiprvse.exe[3988] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000007f866843cd1 5 bytes JMP 000007f8e6a102c0 .text C:\windows\system32\wbem\wmiprvse.exe[3988] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread 000007f866843d01 5 bytes JMP 000007f8e6a10380 .text C:\windows\system32\wbem\wmiprvse.exe[3988] C:\windows\SYSTEM32\ntdll.dll!NtOpenTimer 000007f866843d11 5 bytes JMP 000007f8e6a10340 .text C:\windows\system32\wbem\wmiprvse.exe[3988] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000007f866844021 5 bytes JMP 000007f8e6a10440 .text C:\windows\system32\wbem\wmiprvse.exe[3988] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000007f866844221 5 bytes JMP 000007f8e6a10260 .text C:\windows\system32\wbem\wmiprvse.exe[3988] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000007f866844231 5 bytes JMP 000007f8e6a10270 .text C:\windows\system32\wbem\wmiprvse.exe[3988] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 000007f866844251 5 bytes JMP 000007f866a019f4 .text C:\windows\system32\wbem\wmiprvse.exe[3988] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000007f866844431 5 bytes JMP 000007f8e6a101f0 .text C:\windows\system32\wbem\wmiprvse.exe[3988] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000007f866844441 5 bytes JMP 000007f8e6a10210 .text C:\windows\system32\wbem\wmiprvse.exe[3988] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000007f8668444b1 5 bytes JMP 000007f8e6a10200 .text C:\windows\system32\wbem\wmiprvse.exe[3988] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000007f866844521 5 bytes JMP 000007f8e6a10420 .text C:\windows\system32\wbem\wmiprvse.exe[3988] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread 000007f866844531 5 bytes JMP 000007f8e6a10430 .text C:\windows\system32\wbem\wmiprvse.exe[3988] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000007f866844541 5 bytes JMP 000007f8e6a10220 .text C:\windows\system32\wbem\wmiprvse.exe[3988] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl 000007f866844651 5 bytes JMP 000007f8e6a10280 .text C:\windows\system32\wbem\wmiprvse.exe[3988] C:\windows\SYSTEM32\ntdll.dll!LdrUnloadDll 000007f866854a10 5 bytes JMP 000007f866a0075c .text C:\windows\system32\wbem\wmiprvse.exe[3988] C:\windows\SYSTEM32\ntdll.dll!LdrLoadDll 000007f8668731c4 5 bytes JMP 000007f866a003a4 .text C:\windows\system32\wbem\wmiprvse.exe[3988] C:\windows\SYSTEM32\sechost.dll!DeleteService 000007f865407510 5 bytes JMP 000007f8e5450b14 .text C:\windows\system32\wbem\wmiprvse.exe[3988] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007f865407550 5 bytes JMP 000007f8e54519f4 .text C:\windows\system32\wbem\wmiprvse.exe[3988] C:\windows\SYSTEM32\sechost.dll!CreateServiceW 000007f8654075d0 5 bytes JMP 000007f8e545075c .text C:\windows\system32\wbem\wmiprvse.exe[3988] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007f865407b20 5 bytes JMP 000007f8e5451284 .text C:\windows\system32\wbem\wmiprvse.exe[3988] C:\windows\SYSTEM32\sechost.dll!CreateServiceA 000007f86542b034 5 bytes JMP 000007f8e54503a4 .text C:\windows\system32\wbem\wmiprvse.exe[3988] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007f86542b2e4 5 bytes JMP 000007f8e545163c .text C:\windows\system32\wbem\wmiprvse.exe[3988] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007f86542b470 5 bytes JMP 000007f8e5450ecc .text C:\windows\system32\wbem\wmiprvse.exe[3988] C:\windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007f86542b6d4 5 bytes JMP 000007f8e5451dac .text C:\windows\system32\wbem\wmiprvse.exe[3988] C:\windows\SYSTEM32\user32.dll!UnhookWindowsHookEx 000007f865b42120 5 bytes JMP 000007f8e5c91284 .text C:\windows\system32\wbem\wmiprvse.exe[3988] C:\windows\SYSTEM32\user32.dll!SetWindowsHookExW 000007f865b4bee0 5 bytes JMP 000007f8e5c90ecc .text C:\windows\system32\wbem\wmiprvse.exe[3988] C:\windows\SYSTEM32\user32.dll!UnhookWinEvent 000007f865b4e030 5 bytes JMP 000007f8e5c9075c .text C:\windows\system32\wbem\wmiprvse.exe[3988] C:\windows\SYSTEM32\user32.dll!SetWinEventHook 000007f865b52f70 5 bytes JMP 000007f8e5c903a4 .text C:\windows\system32\wbem\wmiprvse.exe[3988] C:\windows\SYSTEM32\user32.dll!SetWindowsHookExA 000007f865b71850 5 bytes JMP 000007f8e5c90b14 .text C:\windows\system32\WLANExt.exe[2660] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000007f866842c90 5 bytes JMP 000007f8e6a10460 .text C:\windows\system32\WLANExt.exe[2660] C:\windows\SYSTEM32\ntdll.dll!NtQueryObject 000007f866842ce0 5 bytes JMP 000007f8e6a10450 .text C:\windows\system32\WLANExt.exe[2660] C:\windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 000007f866842d60 5 bytes JMP 000007f866a00b14 .text C:\windows\system32\WLANExt.exe[2660] C:\windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 000007f866842dc0 5 bytes JMP 000007f866a00ecc .text C:\windows\system32\WLANExt.exe[2660] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess 000007f866842e40 5 bytes JMP 000007f8e6a10370 .text C:\windows\system32\WLANExt.exe[2660] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000007f866842e90 5 bytes JMP 000007f8e6a10470 .text C:\windows\system32\WLANExt.exe[2660] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000007f866842ea0 5 bytes JMP 000007f866a0163c .text C:\windows\system32\WLANExt.exe[2660] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 000007f866842f50 5 bytes JMP 000007f8e6a10320 .text C:\windows\system32\WLANExt.exe[2660] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000007f866842f80 5 bytes JMP 000007f8e6a103b0 .text C:\windows\system32\WLANExt.exe[2660] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000007f866842fa0 5 bytes JMP 000007f8e6a10390 .text C:\windows\system32\WLANExt.exe[2660] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 000007f866842fe0 5 bytes JMP 000007f8e6a102e0 .text C:\windows\system32\WLANExt.exe[2660] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 000007f866843060 5 bytes JMP 000007f8e6a102d0 .text C:\windows\system32\WLANExt.exe[2660] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 000007f866843080 1 byte JMP 000007f8e6a10310 .text C:\windows\system32\WLANExt.exe[2660] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection + 2 000007f866843082 3 bytes {JMP 0xffffffff801cd290} .text C:\windows\system32\WLANExt.exe[2660] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 000007f8668430c0 5 bytes JMP 000007f8e6a103c0 .text C:\windows\system32\WLANExt.exe[2660] C:\windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 000007f8668430e0 5 bytes JMP 000007f866a01284 .text C:\windows\system32\WLANExt.exe[2660] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 000007f866843110 5 bytes JMP 000007f8e6a103f0 .text C:\windows\system32\WLANExt.exe[2660] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000007f866843281 5 bytes JMP 000007f8e6a10230 .text C:\windows\system32\WLANExt.exe[2660] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000007f866843471 5 bytes JMP 000007f8e6a10480 .text C:\windows\system32\WLANExt.exe[2660] C:\windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000007f8668434a1 5 bytes JMP 000007f8e6a103a0 .text C:\windows\system32\WLANExt.exe[2660] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000007f8668435b1 5 bytes JMP 000007f8e6a102f0 .text C:\windows\system32\WLANExt.exe[2660] C:\windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000007f8668435d1 5 bytes JMP 000007f8e6a10350 .text C:\windows\system32\WLANExt.exe[2660] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 000007f866843641 5 bytes JMP 000007f8e6a10290 .text C:\windows\system32\WLANExt.exe[2660] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000007f8668436d1 5 bytes JMP 000007f8e6a102b0 .text C:\windows\system32\WLANExt.exe[2660] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000007f8668436f1 5 bytes JMP 000007f8e6a103d0 .text C:\windows\system32\WLANExt.exe[2660] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer 000007f866843701 5 bytes JMP 000007f8e6a10330 .text C:\windows\system32\WLANExt.exe[2660] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000007f8668437a1 5 bytes JMP 000007f8e6a10410 .text C:\windows\system32\WLANExt.exe[2660] C:\windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000007f8668437d1 5 bytes JMP 000007f8e6a10240 .text C:\windows\system32\WLANExt.exe[2660] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 000007f866843ae1 5 bytes JMP 000007f8e6a101e0 .text C:\windows\system32\WLANExt.exe[2660] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000007f866843ba1 5 bytes JMP 000007f8e6a10250 .text C:\windows\system32\WLANExt.exe[2660] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000007f866843bd1 5 bytes JMP 000007f8e6a10490 .text C:\windows\system32\WLANExt.exe[2660] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000007f866843be1 5 bytes JMP 000007f8e6a104a0 .text C:\windows\system32\WLANExt.exe[2660] C:\windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000007f866843c11 5 bytes JMP 000007f8e6a10300 .text C:\windows\system32\WLANExt.exe[2660] C:\windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000007f866843c21 5 bytes JMP 000007f8e6a10360 .text C:\windows\system32\WLANExt.exe[2660] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 000007f866843c81 5 bytes JMP 000007f8e6a102a0 .text C:\windows\system32\WLANExt.exe[2660] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000007f866843cd1 5 bytes JMP 000007f8e6a102c0 .text C:\windows\system32\WLANExt.exe[2660] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread 000007f866843d01 5 bytes JMP 000007f8e6a10380 .text C:\windows\system32\WLANExt.exe[2660] C:\windows\SYSTEM32\ntdll.dll!NtOpenTimer 000007f866843d11 5 bytes JMP 000007f8e6a10340 .text C:\windows\system32\WLANExt.exe[2660] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000007f866844021 5 bytes JMP 000007f8e6a10440 .text C:\windows\system32\WLANExt.exe[2660] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000007f866844221 5 bytes JMP 000007f8e6a10260 .text C:\windows\system32\WLANExt.exe[2660] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000007f866844231 5 bytes JMP 000007f8e6a10270 .text C:\windows\system32\WLANExt.exe[2660] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 000007f866844251 5 bytes JMP 000007f866a019f4 .text C:\windows\system32\WLANExt.exe[2660] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000007f866844431 5 bytes JMP 000007f8e6a101f0 .text C:\windows\system32\WLANExt.exe[2660] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000007f866844441 5 bytes JMP 000007f8e6a10210 .text C:\windows\system32\WLANExt.exe[2660] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000007f8668444b1 5 bytes JMP 000007f8e6a10200 .text C:\windows\system32\WLANExt.exe[2660] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000007f866844521 5 bytes JMP 000007f8e6a10420 .text C:\windows\system32\WLANExt.exe[2660] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread 000007f866844531 5 bytes JMP 000007f8e6a10430 .text C:\windows\system32\WLANExt.exe[2660] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000007f866844541 5 bytes JMP 000007f8e6a10220 .text C:\windows\system32\WLANExt.exe[2660] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl 000007f866844651 5 bytes JMP 000007f8e6a10280 .text C:\windows\system32\WLANExt.exe[2660] C:\windows\SYSTEM32\ntdll.dll!LdrUnloadDll 000007f866854a10 5 bytes JMP 000007f866a0075c .text C:\windows\system32\WLANExt.exe[2660] C:\windows\SYSTEM32\ntdll.dll!LdrLoadDll 000007f8668731c4 5 bytes JMP 000007f866a003a4 .text C:\windows\system32\WLANExt.exe[2660] C:\windows\system32\USER32.dll!UnhookWindowsHookEx 000007f865b42120 5 bytes JMP 000007f8e5c91284 .text C:\windows\system32\WLANExt.exe[2660] C:\windows\system32\USER32.dll!SetWindowsHookExW 000007f865b4bee0 5 bytes JMP 000007f8e5c90ecc .text C:\windows\system32\WLANExt.exe[2660] C:\windows\system32\USER32.dll!UnhookWinEvent 000007f865b4e030 5 bytes JMP 000007f8e5c9075c .text C:\windows\system32\WLANExt.exe[2660] C:\windows\system32\USER32.dll!SetWinEventHook 000007f865b52f70 5 bytes JMP 000007f8e5c903a4 .text C:\windows\system32\WLANExt.exe[2660] C:\windows\system32\USER32.dll!SetWindowsHookExA 000007f865b71850 5 bytes JMP 000007f8e5c90b14 .text C:\windows\system32\WLANExt.exe[2660] C:\windows\SYSTEM32\sechost.dll!DeleteService 000007f865407510 5 bytes JMP 000007f8e5450b14 .text C:\windows\system32\WLANExt.exe[2660] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007f865407550 5 bytes JMP 000007f8e54519f4 .text C:\windows\system32\WLANExt.exe[2660] C:\windows\SYSTEM32\sechost.dll!CreateServiceW 000007f8654075d0 5 bytes JMP 000007f8e545075c .text C:\windows\system32\WLANExt.exe[2660] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007f865407b20 5 bytes JMP 000007f8e5451284 .text C:\windows\system32\WLANExt.exe[2660] C:\windows\SYSTEM32\sechost.dll!CreateServiceA 000007f86542b034 5 bytes JMP 000007f8e54503a4 .text C:\windows\system32\WLANExt.exe[2660] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007f86542b2e4 5 bytes JMP 000007f8e545163c .text C:\windows\system32\WLANExt.exe[2660] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007f86542b470 5 bytes JMP 000007f8e5450ecc .text C:\windows\system32\WLANExt.exe[2660] C:\windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007f86542b6d4 5 bytes JMP 000007f8e5451dac .text C:\windows\system32\conhost.exe[1808] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000007f866842c90 5 bytes JMP 000007f8e6a10460 .text C:\windows\system32\conhost.exe[1808] C:\windows\SYSTEM32\ntdll.dll!NtQueryObject 000007f866842ce0 5 bytes JMP 000007f8e6a10450 .text C:\windows\system32\conhost.exe[1808] C:\windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 000007f866842d60 5 bytes JMP 000007f866a00b14 .text C:\windows\system32\conhost.exe[1808] C:\windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 000007f866842dc0 5 bytes JMP 000007f866a00ecc .text C:\windows\system32\conhost.exe[1808] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess 000007f866842e40 5 bytes JMP 000007f8e6a10370 .text C:\windows\system32\conhost.exe[1808] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000007f866842e90 5 bytes JMP 000007f8e6a10470 .text C:\windows\system32\conhost.exe[1808] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000007f866842ea0 5 bytes JMP 000007f866a0163c .text C:\windows\system32\conhost.exe[1808] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 000007f866842f50 5 bytes JMP 000007f8e6a10320 .text C:\windows\system32\conhost.exe[1808] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000007f866842f80 5 bytes JMP 000007f8e6a103b0 .text C:\windows\system32\conhost.exe[1808] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000007f866842fa0 5 bytes JMP 000007f8e6a10390 .text C:\windows\system32\conhost.exe[1808] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 000007f866842fe0 5 bytes JMP 000007f8e6a102e0 .text C:\windows\system32\conhost.exe[1808] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 000007f866843060 5 bytes JMP 000007f8e6a102d0 .text C:\windows\system32\conhost.exe[1808] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 000007f866843080 1 byte JMP 000007f8e6a10310 .text C:\windows\system32\conhost.exe[1808] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection + 2 000007f866843082 3 bytes {JMP 0xffffffff801cd290} .text C:\windows\system32\conhost.exe[1808] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 000007f8668430c0 5 bytes JMP 000007f8e6a103c0 .text C:\windows\system32\conhost.exe[1808] C:\windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 000007f8668430e0 5 bytes JMP 000007f866a01284 .text C:\windows\system32\conhost.exe[1808] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 000007f866843110 5 bytes JMP 000007f8e6a103f0 .text C:\windows\system32\conhost.exe[1808] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000007f866843281 5 bytes JMP 000007f8e6a10230 .text C:\windows\system32\conhost.exe[1808] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000007f866843471 5 bytes JMP 000007f8e6a10480 .text C:\windows\system32\conhost.exe[1808] C:\windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000007f8668434a1 5 bytes JMP 000007f8e6a103a0 .text C:\windows\system32\conhost.exe[1808] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000007f8668435b1 5 bytes JMP 000007f8e6a102f0 .text C:\windows\system32\conhost.exe[1808] C:\windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000007f8668435d1 5 bytes JMP 000007f8e6a10350 .text C:\windows\system32\conhost.exe[1808] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 000007f866843641 5 bytes JMP 000007f8e6a10290 .text C:\windows\system32\conhost.exe[1808] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000007f8668436d1 5 bytes JMP 000007f8e6a102b0 .text C:\windows\system32\conhost.exe[1808] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000007f8668436f1 5 bytes JMP 000007f8e6a103d0 .text C:\windows\system32\conhost.exe[1808] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer 000007f866843701 5 bytes JMP 000007f8e6a10330 .text C:\windows\system32\conhost.exe[1808] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000007f8668437a1 5 bytes JMP 000007f8e6a10410 .text C:\windows\system32\conhost.exe[1808] C:\windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000007f8668437d1 5 bytes JMP 000007f8e6a10240 .text C:\windows\system32\conhost.exe[1808] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 000007f866843ae1 5 bytes JMP 000007f8e6a101e0 .text C:\windows\system32\conhost.exe[1808] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000007f866843ba1 5 bytes JMP 000007f8e6a10250 .text C:\windows\system32\conhost.exe[1808] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000007f866843bd1 5 bytes JMP 000007f8e6a10490 .text C:\windows\system32\conhost.exe[1808] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000007f866843be1 5 bytes JMP 000007f8e6a104a0 .text C:\windows\system32\conhost.exe[1808] C:\windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000007f866843c11 5 bytes JMP 000007f8e6a10300 .text C:\windows\system32\conhost.exe[1808] C:\windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000007f866843c21 5 bytes JMP 000007f8e6a10360 .text C:\windows\system32\conhost.exe[1808] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 000007f866843c81 5 bytes JMP 000007f8e6a102a0 .text C:\windows\system32\conhost.exe[1808] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000007f866843cd1 5 bytes JMP 000007f8e6a102c0 .text C:\windows\system32\conhost.exe[1808] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread 000007f866843d01 5 bytes JMP 000007f8e6a10380 .text C:\windows\system32\conhost.exe[1808] C:\windows\SYSTEM32\ntdll.dll!NtOpenTimer 000007f866843d11 5 bytes JMP 000007f8e6a10340 .text C:\windows\system32\conhost.exe[1808] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000007f866844021 5 bytes JMP 000007f8e6a10440 .text C:\windows\system32\conhost.exe[1808] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000007f866844221 5 bytes JMP 000007f8e6a10260 .text C:\windows\system32\conhost.exe[1808] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000007f866844231 5 bytes JMP 000007f8e6a10270 .text C:\windows\system32\conhost.exe[1808] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 000007f866844251 5 bytes JMP 000007f866a019f4 .text C:\windows\system32\conhost.exe[1808] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000007f866844431 5 bytes JMP 000007f8e6a101f0 .text C:\windows\system32\conhost.exe[1808] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000007f866844441 5 bytes JMP 000007f8e6a10210 .text C:\windows\system32\conhost.exe[1808] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000007f8668444b1 5 bytes JMP 000007f8e6a10200 .text C:\windows\system32\conhost.exe[1808] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000007f866844521 5 bytes JMP 000007f8e6a10420 .text C:\windows\system32\conhost.exe[1808] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread 000007f866844531 5 bytes JMP 000007f8e6a10430 .text C:\windows\system32\conhost.exe[1808] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000007f866844541 5 bytes JMP 000007f8e6a10220 .text C:\windows\system32\conhost.exe[1808] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl 000007f866844651 5 bytes JMP 000007f8e6a10280 .text C:\windows\system32\conhost.exe[1808] C:\windows\SYSTEM32\ntdll.dll!LdrUnloadDll 000007f866854a10 5 bytes JMP 000007f866a0075c .text C:\windows\system32\conhost.exe[1808] C:\windows\SYSTEM32\ntdll.dll!LdrLoadDll 000007f8668731c4 5 bytes JMP 000007f866a003a4 .text C:\windows\system32\conhost.exe[1808] C:\windows\system32\USER32.dll!UnhookWindowsHookEx 000007f865b42120 5 bytes JMP 000007f8e5c91284 .text C:\windows\system32\conhost.exe[1808] C:\windows\system32\USER32.dll!SetWindowsHookExW 000007f865b4bee0 5 bytes JMP 000007f8e5c90ecc .text C:\windows\system32\conhost.exe[1808] C:\windows\system32\USER32.dll!UnhookWinEvent 000007f865b4e030 5 bytes JMP 000007f8e5c9075c .text C:\windows\system32\conhost.exe[1808] C:\windows\system32\USER32.dll!SetWinEventHook 000007f865b52f70 5 bytes JMP 000007f8e5c903a4 .text C:\windows\system32\conhost.exe[1808] C:\windows\system32\USER32.dll!SetWindowsHookExA 000007f865b71850 5 bytes JMP 000007f8e5c90b14 ---- Threads - GMER 2.1 ---- Thread C:\windows\system32\svchost.exe [964:3628] 000007f8589210f0 Thread C:\windows\system32\svchost.exe [964:4888] 000007f85cfd16b0 Thread C:\windows\system32\svchost.exe [964:2312] 000007f85ac95c38 Thread C:\windows\system32\csrss.exe [4496:4140] fffff960009bd5e8 Thread C:\windows\SYSTEM32\ntdll.dll [3388:4992] 00000000004022cd Thread C:\windows\SYSTEM32\ntdll.dll [3788:3240] 0000000000b08632 Thread C:\windows\SYSTEM32\ntdll.dll [3788:3068] 00000000008efb50 Thread C:\windows\SYSTEM32\ntdll.dll [3788:2860] 00000000008efbd0 Thread C:\windows\SYSTEM32\ntdll.dll [3788:3300] 00000000008f0200 Thread C:\windows\SYSTEM32\ntdll.dll [3788:3268] 00000000008f0200 Thread C:\windows\SYSTEM32\ntdll.dll [3788:1396] 00000000008f0200 Thread C:\windows\SYSTEM32\ntdll.dll [3788:4156] 0000000000842980 Thread C:\windows\SYSTEM32\ntdll.dll [3788:4696] 000000000084e250 Thread C:\windows\SYSTEM32\ntdll.dll [3788:756] 00000000008f4c50 ---- Disk sectors - GMER 2.1 ---- Disk \Device\Harddisk0\DR0 unknown MBR code ---- EOF - GMER 2.1 ----