GMER 2.1.19163 - http://www.gmer.net Rootkit scan 2013-10-06 01:09:57 Windows 6.2.9200 x64 \Device\Harddisk0\DR0 -> \Device\0000002e TOSHIBA_MQ01ABD075 rev.AX001C 698,64GB Running: gmer.exe; Driver: C:\Users\HaPe\AppData\Local\Temp\uxloapow.sys ---- Kernel code sections - GMER 2.1 ---- .text C:\Windows\System32\win32k.sys!W32pServiceTable fffff96000138200 7 bytes [40, 3B, 82, 01, 00, 53, F2] .text C:\Windows\System32\win32k.sys!W32pServiceTable + 8 fffff96000138208 7 bytes [01, 63, C0, FF, 00, 17, DB] ---- User code sections - GMER 2.1 ---- .text C:\Windows\System32\smss.exe[356] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000007fb7b212c90 5 bytes JMP 000007fbfb3e0460 .text C:\Windows\System32\smss.exe[356] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000007fb7b212ce0 5 bytes JMP 000007fbfb3e0450 .text C:\Windows\System32\smss.exe[356] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000007fb7b212e40 5 bytes JMP 000007fbfb3e0370 .text C:\Windows\System32\smss.exe[356] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000007fb7b212e90 5 bytes JMP 000007fbfb3e0470 .text C:\Windows\System32\smss.exe[356] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000007fb7b212ea0 5 bytes JMP 000007fbfb3e03e0 .text C:\Windows\System32\smss.exe[356] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000007fb7b212f50 5 bytes JMP 000007fbfb3e0320 .text C:\Windows\System32\smss.exe[356] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000007fb7b212f80 5 bytes JMP 000007fbfb3e03b0 .text C:\Windows\System32\smss.exe[356] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000007fb7b212fa0 5 bytes JMP 000007fbfb3e0390 .text C:\Windows\System32\smss.exe[356] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000007fb7b212fe0 5 bytes JMP 000007fbfb3e02e0 .text C:\Windows\System32\smss.exe[356] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000007fb7b213060 5 bytes JMP 000007fbfb3e02d0 .text C:\Windows\System32\smss.exe[356] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000007fb7b213080 1 byte JMP 000007fbfb3e0310 .text C:\Windows\System32\smss.exe[356] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection + 2 000007fb7b213082 3 bytes {JMP 0xffffffff801cd290} .text C:\Windows\System32\smss.exe[356] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000007fb7b2130c0 5 bytes JMP 000007fbfb3e03c0 .text C:\Windows\System32\smss.exe[356] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000007fb7b213110 5 bytes JMP 000007fbfb3e03f0 .text C:\Windows\System32\smss.exe[356] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000007fb7b213281 5 bytes JMP 000007fbfb3e0230 .text C:\Windows\System32\smss.exe[356] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000007fb7b213471 5 bytes JMP 000007fbfb3e0480 .text C:\Windows\System32\smss.exe[356] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000007fb7b2134a1 5 bytes JMP 000007fbfb3e03a0 .text C:\Windows\System32\smss.exe[356] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000007fb7b2135b1 5 bytes JMP 000007fbfb3e02f0 .text C:\Windows\System32\smss.exe[356] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000007fb7b2135d1 5 bytes JMP 000007fbfb3e0350 .text C:\Windows\System32\smss.exe[356] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000007fb7b213641 5 bytes JMP 000007fbfb3e0290 .text C:\Windows\System32\smss.exe[356] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000007fb7b2136d1 5 bytes JMP 000007fbfb3e02b0 .text C:\Windows\System32\smss.exe[356] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000007fb7b2136f1 5 bytes JMP 000007fbfb3e03d0 .text C:\Windows\System32\smss.exe[356] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000007fb7b213701 5 bytes JMP 000007fbfb3e0330 .text C:\Windows\System32\smss.exe[356] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000007fb7b2137a1 5 bytes JMP 000007fbfb3e0410 .text C:\Windows\System32\smss.exe[356] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000007fb7b2137d1 5 bytes JMP 000007fbfb3e0240 .text C:\Windows\System32\smss.exe[356] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000007fb7b213ae1 5 bytes JMP 000007fbfb3e01e0 .text C:\Windows\System32\smss.exe[356] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000007fb7b213ba1 5 bytes JMP 000007fbfb3e0250 .text C:\Windows\System32\smss.exe[356] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000007fb7b213bd1 5 bytes JMP 000007fbfb3e0490 .text C:\Windows\System32\smss.exe[356] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000007fb7b213be1 5 bytes JMP 000007fbfb3e04a0 .text C:\Windows\System32\smss.exe[356] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000007fb7b213c11 5 bytes JMP 000007fbfb3e0300 .text C:\Windows\System32\smss.exe[356] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000007fb7b213c21 5 bytes JMP 000007fbfb3e0360 .text C:\Windows\System32\smss.exe[356] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000007fb7b213c81 5 bytes JMP 000007fbfb3e02a0 .text C:\Windows\System32\smss.exe[356] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000007fb7b213cd1 5 bytes JMP 000007fbfb3e02c0 .text C:\Windows\System32\smss.exe[356] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000007fb7b213d01 5 bytes JMP 000007fbfb3e0380 .text C:\Windows\System32\smss.exe[356] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000007fb7b213d11 5 bytes JMP 000007fbfb3e0340 .text C:\Windows\System32\smss.exe[356] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000007fb7b214021 5 bytes JMP 000007fbfb3e0440 .text C:\Windows\System32\smss.exe[356] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000007fb7b214221 5 bytes JMP 000007fbfb3e0260 .text C:\Windows\System32\smss.exe[356] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000007fb7b214231 5 bytes JMP 000007fbfb3e0270 .text C:\Windows\System32\smss.exe[356] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000007fb7b214251 5 bytes JMP 000007fbfb3e0400 .text C:\Windows\System32\smss.exe[356] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000007fb7b214431 5 bytes JMP 000007fbfb3e01f0 .text C:\Windows\System32\smss.exe[356] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000007fb7b214441 5 bytes JMP 000007fbfb3e0210 .text C:\Windows\System32\smss.exe[356] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000007fb7b2144b1 5 bytes JMP 000007fbfb3e0200 .text C:\Windows\System32\smss.exe[356] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000007fb7b214521 5 bytes JMP 000007fbfb3e0420 .text C:\Windows\System32\smss.exe[356] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000007fb7b214531 5 bytes JMP 000007fbfb3e0430 .text C:\Windows\System32\smss.exe[356] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000007fb7b214541 5 bytes JMP 000007fbfb3e0220 .text C:\Windows\System32\smss.exe[356] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000007fb7b214651 5 bytes JMP 000007fbfb3e0280 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000007fb7b212c90 5 bytes JMP 000007fbfb3e0460 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000007fb7b212ce0 5 bytes JMP 000007fbfb3e0450 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000007fb7b212e40 5 bytes JMP 000007fbfb3e0370 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000007fb7b212e90 5 bytes JMP 000007fbfb3e0470 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000007fb7b212ea0 5 bytes JMP 000007fbfb3e03e0 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000007fb7b212f50 5 bytes JMP 000007fbfb3e0320 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000007fb7b212f80 5 bytes JMP 000007fbfb3e03b0 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000007fb7b212fa0 5 bytes JMP 000007fbfb3e0390 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000007fb7b212fe0 5 bytes JMP 000007fbfb3e02e0 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000007fb7b213060 5 bytes JMP 000007fbfb3e02d0 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000007fb7b213080 1 byte JMP 000007fbfb3e0310 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection + 2 000007fb7b213082 3 bytes {JMP 0xffffffff801cd290} .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000007fb7b2130c0 5 bytes JMP 000007fbfb3e03c0 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000007fb7b213110 5 bytes JMP 000007fbfb3e03f0 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000007fb7b213281 5 bytes JMP 000007fbfb3e0230 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000007fb7b213471 5 bytes JMP 000007fbfb3e0480 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000007fb7b2134a1 5 bytes JMP 000007fbfb3e03a0 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000007fb7b2135b1 5 bytes JMP 000007fbfb3e02f0 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000007fb7b2135d1 5 bytes JMP 000007fbfb3e0350 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000007fb7b213641 5 bytes JMP 000007fbfb3e0290 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000007fb7b2136d1 5 bytes JMP 000007fbfb3e02b0 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000007fb7b2136f1 5 bytes JMP 000007fbfb3e03d0 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000007fb7b213701 5 bytes JMP 000007fbfb3e0330 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000007fb7b2137a1 5 bytes JMP 000007fbfb3e0410 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000007fb7b2137d1 5 bytes JMP 000007fbfb3e0240 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000007fb7b213ae1 5 bytes JMP 000007fbfb3e01e0 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000007fb7b213ba1 5 bytes JMP 000007fbfb3e0250 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000007fb7b213bd1 5 bytes JMP 000007fbfb3e0490 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000007fb7b213be1 5 bytes JMP 000007fbfb3e04a0 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000007fb7b213c11 5 bytes JMP 000007fbfb3e0300 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000007fb7b213c21 5 bytes JMP 000007fbfb3e0360 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000007fb7b213c81 5 bytes JMP 000007fbfb3e02a0 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000007fb7b213cd1 5 bytes JMP 000007fbfb3e02c0 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000007fb7b213d01 5 bytes JMP 000007fbfb3e0380 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000007fb7b213d11 5 bytes JMP 000007fbfb3e0340 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000007fb7b214021 5 bytes JMP 000007fbfb3e0440 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000007fb7b214221 5 bytes JMP 000007fbfb3e0260 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000007fb7b214231 5 bytes JMP 000007fbfb3e0270 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000007fb7b214251 5 bytes JMP 000007fbfb3e0400 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000007fb7b214431 5 bytes JMP 000007fbfb3e01f0 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000007fb7b214441 5 bytes JMP 000007fbfb3e0210 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000007fb7b2144b1 5 bytes JMP 000007fbfb3e0200 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000007fb7b214521 5 bytes JMP 000007fbfb3e0420 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000007fb7b214531 5 bytes JMP 000007fbfb3e0430 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000007fb7b214541 5 bytes JMP 000007fbfb3e0220 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000007fb7b214651 5 bytes JMP 000007fbfb3e0280 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\kernel32.dll!GetBinaryTypeW + 163 000007fb7892f7eb 1 byte [62] .text C:\Windows\system32\wininit.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000007fb7b212c90 5 bytes JMP 000007fbfb3e0460 .text C:\Windows\system32\wininit.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000007fb7b212ce0 5 bytes JMP 000007fbfb3e0450 .text C:\Windows\system32\wininit.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000007fb7b212e40 5 bytes JMP 000007fbfb3e0370 .text C:\Windows\system32\wininit.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000007fb7b212e90 5 bytes JMP 000007fbfb3e0470 .text C:\Windows\system32\wininit.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000007fb7b212ea0 5 bytes JMP 000007fbfb3e03e0 .text C:\Windows\system32\wininit.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000007fb7b212f50 5 bytes JMP 000007fbfb3e0320 .text C:\Windows\system32\wininit.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000007fb7b212f80 5 bytes JMP 000007fbfb3e03b0 .text C:\Windows\system32\wininit.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000007fb7b212fa0 5 bytes JMP 000007fbfb3e0390 .text C:\Windows\system32\wininit.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000007fb7b212fe0 5 bytes JMP 000007fbfb3e02e0 .text C:\Windows\system32\wininit.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000007fb7b213060 5 bytes JMP 000007fbfb3e02d0 .text C:\Windows\system32\wininit.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000007fb7b213080 1 byte JMP 000007fbfb3e0310 .text C:\Windows\system32\wininit.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection + 2 000007fb7b213082 3 bytes {JMP 0xffffffff801cd290} .text C:\Windows\system32\wininit.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000007fb7b2130c0 5 bytes JMP 000007fbfb3e03c0 .text C:\Windows\system32\wininit.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000007fb7b213110 5 bytes JMP 000007fbfb3e03f0 .text C:\Windows\system32\wininit.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000007fb7b213281 5 bytes JMP 000007fbfb3e0230 .text C:\Windows\system32\wininit.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000007fb7b213471 5 bytes JMP 000007fbfb3e0480 .text C:\Windows\system32\wininit.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000007fb7b2134a1 5 bytes JMP 000007fbfb3e03a0 .text C:\Windows\system32\wininit.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000007fb7b2135b1 5 bytes JMP 000007fbfb3e02f0 .text C:\Windows\system32\wininit.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000007fb7b2135d1 5 bytes JMP 000007fbfb3e0350 .text C:\Windows\system32\wininit.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000007fb7b213641 5 bytes JMP 000007fbfb3e0290 .text C:\Windows\system32\wininit.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000007fb7b2136d1 5 bytes JMP 000007fbfb3e02b0 .text C:\Windows\system32\wininit.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000007fb7b2136f1 5 bytes JMP 000007fbfb3e03d0 .text C:\Windows\system32\wininit.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000007fb7b213701 5 bytes JMP 000007fbfb3e0330 .text C:\Windows\system32\wininit.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000007fb7b2137a1 5 bytes JMP 000007fbfb3e0410 .text C:\Windows\system32\wininit.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000007fb7b2137d1 5 bytes JMP 000007fbfb3e0240 .text C:\Windows\system32\wininit.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000007fb7b213ae1 5 bytes JMP 000007fbfb3e01e0 .text C:\Windows\system32\wininit.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000007fb7b213ba1 5 bytes JMP 000007fbfb3e0250 .text C:\Windows\system32\wininit.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000007fb7b213bd1 5 bytes JMP 000007fbfb3e0490 .text C:\Windows\system32\wininit.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000007fb7b213be1 5 bytes JMP 000007fbfb3e04a0 .text C:\Windows\system32\wininit.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000007fb7b213c11 5 bytes JMP 000007fbfb3e0300 .text C:\Windows\system32\wininit.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000007fb7b213c21 5 bytes JMP 000007fbfb3e0360 .text C:\Windows\system32\wininit.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000007fb7b213c81 5 bytes JMP 000007fbfb3e02a0 .text C:\Windows\system32\wininit.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000007fb7b213cd1 5 bytes JMP 000007fbfb3e02c0 .text C:\Windows\system32\wininit.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000007fb7b213d01 5 bytes JMP 000007fbfb3e0380 .text C:\Windows\system32\wininit.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000007fb7b213d11 5 bytes JMP 000007fbfb3e0340 .text C:\Windows\system32\wininit.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000007fb7b214021 5 bytes JMP 000007fbfb3e0440 .text C:\Windows\system32\wininit.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000007fb7b214221 5 bytes JMP 000007fbfb3e0260 .text C:\Windows\system32\wininit.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000007fb7b214231 5 bytes JMP 000007fbfb3e0270 .text C:\Windows\system32\wininit.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000007fb7b214251 5 bytes JMP 000007fbfb3e0400 .text C:\Windows\system32\wininit.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000007fb7b214431 5 bytes JMP 000007fbfb3e01f0 .text C:\Windows\system32\wininit.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000007fb7b214441 5 bytes JMP 000007fbfb3e0210 .text C:\Windows\system32\wininit.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000007fb7b2144b1 5 bytes JMP 000007fbfb3e0200 .text C:\Windows\system32\wininit.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000007fb7b214521 5 bytes JMP 000007fbfb3e0420 .text C:\Windows\system32\wininit.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000007fb7b214531 5 bytes JMP 000007fbfb3e0430 .text C:\Windows\system32\wininit.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000007fb7b214541 5 bytes JMP 000007fbfb3e0220 .text C:\Windows\system32\wininit.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000007fb7b214651 5 bytes JMP 000007fbfb3e0280 .text C:\Windows\system32\csrss.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000007fb7b212c90 5 bytes JMP 000007fbfb3e0460 .text C:\Windows\system32\csrss.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000007fb7b212ce0 5 bytes JMP 000007fbfb3e0450 .text C:\Windows\system32\csrss.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000007fb7b212e40 5 bytes JMP 000007fbfb3e0370 .text C:\Windows\system32\csrss.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000007fb7b212e90 5 bytes JMP 000007fbfb3e0470 .text C:\Windows\system32\csrss.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000007fb7b212ea0 5 bytes JMP 000007fbfb3e03e0 .text C:\Windows\system32\csrss.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000007fb7b212f50 5 bytes JMP 000007fbfb3e0320 .text C:\Windows\system32\csrss.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000007fb7b212f80 5 bytes JMP 000007fbfb3e03b0 .text C:\Windows\system32\csrss.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000007fb7b212fa0 5 bytes JMP 000007fbfb3e0390 .text C:\Windows\system32\csrss.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000007fb7b212fe0 5 bytes JMP 000007fbfb3e02e0 .text C:\Windows\system32\csrss.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000007fb7b213060 5 bytes JMP 000007fbfb3e02d0 .text C:\Windows\system32\csrss.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000007fb7b213080 1 byte JMP 000007fbfb3e0310 .text C:\Windows\system32\csrss.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection + 2 000007fb7b213082 3 bytes {JMP 0xffffffff801cd290} .text C:\Windows\system32\csrss.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000007fb7b2130c0 5 bytes JMP 000007fbfb3e03c0 .text C:\Windows\system32\csrss.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000007fb7b213110 5 bytes JMP 000007fbfb3e03f0 .text C:\Windows\system32\csrss.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000007fb7b213281 5 bytes JMP 000007fbfb3e0230 .text C:\Windows\system32\csrss.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000007fb7b213471 5 bytes JMP 000007fbfb3e0480 .text C:\Windows\system32\csrss.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000007fb7b2134a1 5 bytes JMP 000007fbfb3e03a0 .text C:\Windows\system32\csrss.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000007fb7b2135b1 5 bytes JMP 000007fbfb3e02f0 .text C:\Windows\system32\csrss.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000007fb7b2135d1 5 bytes JMP 000007fbfb3e0350 .text C:\Windows\system32\csrss.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000007fb7b213641 5 bytes JMP 000007fbfb3e0290 .text C:\Windows\system32\csrss.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000007fb7b2136d1 5 bytes JMP 000007fbfb3e02b0 .text C:\Windows\system32\csrss.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000007fb7b2136f1 5 bytes JMP 000007fbfb3e03d0 .text C:\Windows\system32\csrss.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000007fb7b213701 5 bytes JMP 000007fbfb3e0330 .text C:\Windows\system32\csrss.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000007fb7b2137a1 5 bytes JMP 000007fbfb3e0410 .text C:\Windows\system32\csrss.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000007fb7b2137d1 5 bytes JMP 000007fbfb3e0240 .text C:\Windows\system32\csrss.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000007fb7b213ae1 5 bytes JMP 000007fbfb3e01e0 .text C:\Windows\system32\csrss.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000007fb7b213ba1 5 bytes JMP 000007fbfb3e0250 .text C:\Windows\system32\csrss.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000007fb7b213bd1 5 bytes JMP 000007fbfb3e0490 .text C:\Windows\system32\csrss.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000007fb7b213be1 5 bytes JMP 000007fbfb3e04a0 .text C:\Windows\system32\csrss.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000007fb7b213c11 5 bytes JMP 000007fbfb3e0300 .text C:\Windows\system32\csrss.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000007fb7b213c21 5 bytes JMP 000007fbfb3e0360 .text C:\Windows\system32\csrss.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000007fb7b213c81 5 bytes JMP 000007fbfb3e02a0 .text C:\Windows\system32\csrss.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000007fb7b213cd1 5 bytes JMP 000007fbfb3e02c0 .text C:\Windows\system32\csrss.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000007fb7b213d01 5 bytes JMP 000007fbfb3e0380 .text C:\Windows\system32\csrss.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000007fb7b213d11 5 bytes JMP 000007fbfb3e0340 .text C:\Windows\system32\csrss.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000007fb7b214021 5 bytes JMP 000007fbfb3e0440 .text C:\Windows\system32\csrss.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000007fb7b214221 5 bytes JMP 000007fbfb3e0260 .text C:\Windows\system32\csrss.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000007fb7b214231 5 bytes JMP 000007fbfb3e0270 .text C:\Windows\system32\csrss.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000007fb7b214251 5 bytes JMP 000007fbfb3e0400 .text C:\Windows\system32\csrss.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000007fb7b214431 5 bytes JMP 000007fbfb3e01f0 .text C:\Windows\system32\csrss.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000007fb7b214441 5 bytes JMP 000007fbfb3e0210 .text C:\Windows\system32\csrss.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000007fb7b2144b1 5 bytes JMP 000007fbfb3e0200 .text C:\Windows\system32\csrss.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000007fb7b214521 5 bytes JMP 000007fbfb3e0420 .text C:\Windows\system32\csrss.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000007fb7b214531 5 bytes JMP 000007fbfb3e0430 .text C:\Windows\system32\csrss.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000007fb7b214541 5 bytes JMP 000007fbfb3e0220 .text C:\Windows\system32\csrss.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000007fb7b214651 5 bytes JMP 000007fbfb3e0280 .text C:\Windows\system32\csrss.exe[648] C:\Windows\SYSTEM32\kernel32.dll!GetBinaryTypeW + 163 000007fb7892f7eb 1 byte [62] .text C:\Windows\system32\winlogon.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000007fb7b212c90 5 bytes JMP 000007fbfb3e0460 .text C:\Windows\system32\winlogon.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000007fb7b212ce0 5 bytes JMP 000007fbfb3e0450 .text C:\Windows\system32\winlogon.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000007fb7b212e40 5 bytes JMP 000007fbfb3e0370 .text C:\Windows\system32\winlogon.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000007fb7b212e90 5 bytes JMP 000007fbfb3e0470 .text C:\Windows\system32\winlogon.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000007fb7b212ea0 5 bytes JMP 000007fbfb3e03e0 .text C:\Windows\system32\winlogon.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000007fb7b212f50 5 bytes JMP 000007fbfb3e0320 .text C:\Windows\system32\winlogon.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000007fb7b212f80 5 bytes JMP 000007fbfb3e03b0 .text C:\Windows\system32\winlogon.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000007fb7b212fa0 5 bytes JMP 000007fbfb3e0390 .text C:\Windows\system32\winlogon.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000007fb7b212fe0 5 bytes JMP 000007fbfb3e02e0 .text C:\Windows\system32\winlogon.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000007fb7b213060 5 bytes JMP 000007fbfb3e02d0 .text C:\Windows\system32\winlogon.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000007fb7b213080 1 byte JMP 000007fbfb3e0310 .text C:\Windows\system32\winlogon.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection + 2 000007fb7b213082 3 bytes {JMP 0xffffffff801cd290} .text C:\Windows\system32\winlogon.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000007fb7b2130c0 5 bytes JMP 000007fbfb3e03c0 .text C:\Windows\system32\winlogon.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000007fb7b213110 5 bytes JMP 000007fbfb3e03f0 .text C:\Windows\system32\winlogon.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000007fb7b213281 5 bytes JMP 000007fbfb3e0230 .text C:\Windows\system32\winlogon.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000007fb7b213471 5 bytes JMP 000007fbfb3e0480 .text C:\Windows\system32\winlogon.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000007fb7b2134a1 5 bytes JMP 000007fbfb3e03a0 .text C:\Windows\system32\winlogon.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000007fb7b2135b1 5 bytes JMP 000007fbfb3e02f0 .text C:\Windows\system32\winlogon.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000007fb7b2135d1 5 bytes JMP 000007fbfb3e0350 .text C:\Windows\system32\winlogon.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000007fb7b213641 5 bytes JMP 000007fbfb3e0290 .text C:\Windows\system32\winlogon.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000007fb7b2136d1 5 bytes JMP 000007fbfb3e02b0 .text C:\Windows\system32\winlogon.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000007fb7b2136f1 5 bytes JMP 000007fbfb3e03d0 .text C:\Windows\system32\winlogon.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000007fb7b213701 5 bytes JMP 000007fbfb3e0330 .text C:\Windows\system32\winlogon.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000007fb7b2137a1 5 bytes JMP 000007fbfb3e0410 .text C:\Windows\system32\winlogon.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000007fb7b2137d1 5 bytes JMP 000007fbfb3e0240 .text C:\Windows\system32\winlogon.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000007fb7b213ae1 5 bytes JMP 000007fbfb3e01e0 .text C:\Windows\system32\winlogon.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000007fb7b213ba1 5 bytes JMP 000007fbfb3e0250 .text C:\Windows\system32\winlogon.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000007fb7b213bd1 5 bytes JMP 000007fbfb3e0490 .text C:\Windows\system32\winlogon.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000007fb7b213be1 5 bytes JMP 000007fbfb3e04a0 .text C:\Windows\system32\winlogon.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000007fb7b213c11 5 bytes JMP 000007fbfb3e0300 .text C:\Windows\system32\winlogon.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000007fb7b213c21 5 bytes JMP 000007fbfb3e0360 .text C:\Windows\system32\winlogon.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000007fb7b213c81 5 bytes JMP 000007fbfb3e02a0 .text C:\Windows\system32\winlogon.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000007fb7b213cd1 5 bytes JMP 000007fbfb3e02c0 .text C:\Windows\system32\winlogon.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000007fb7b213d01 5 bytes JMP 000007fbfb3e0380 .text C:\Windows\system32\winlogon.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000007fb7b213d11 5 bytes JMP 000007fbfb3e0340 .text C:\Windows\system32\winlogon.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000007fb7b214021 5 bytes JMP 000007fbfb3e0440 .text C:\Windows\system32\winlogon.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000007fb7b214221 5 bytes JMP 000007fbfb3e0260 .text C:\Windows\system32\winlogon.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000007fb7b214231 5 bytes JMP 000007fbfb3e0270 .text C:\Windows\system32\winlogon.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000007fb7b214251 5 bytes JMP 000007fbfb3e0400 .text C:\Windows\system32\winlogon.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000007fb7b214431 5 bytes JMP 000007fbfb3e01f0 .text C:\Windows\system32\winlogon.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000007fb7b214441 5 bytes JMP 000007fbfb3e0210 .text C:\Windows\system32\winlogon.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000007fb7b2144b1 5 bytes JMP 000007fbfb3e0200 .text C:\Windows\system32\winlogon.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000007fb7b214521 5 bytes JMP 000007fbfb3e0420 .text C:\Windows\system32\winlogon.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000007fb7b214531 5 bytes JMP 000007fbfb3e0430 .text C:\Windows\system32\winlogon.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000007fb7b214541 5 bytes JMP 000007fbfb3e0220 .text C:\Windows\system32\winlogon.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000007fb7b214651 5 bytes JMP 000007fbfb3e0280 .text C:\Windows\system32\services.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000007fb7b212c90 5 bytes JMP 000007fbfb3e0460 .text C:\Windows\system32\services.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000007fb7b212ce0 5 bytes JMP 000007fbfb3e0450 .text C:\Windows\system32\services.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000007fb7b212e40 5 bytes JMP 000007fbfb3e0370 .text C:\Windows\system32\services.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000007fb7b212e90 5 bytes JMP 000007fbfb3e0470 .text C:\Windows\system32\services.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000007fb7b212ea0 5 bytes JMP 000007fbfb3e03e0 .text C:\Windows\system32\services.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000007fb7b212f50 5 bytes JMP 000007fbfb3e0320 .text C:\Windows\system32\services.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000007fb7b212f80 5 bytes JMP 000007fbfb3e03b0 .text C:\Windows\system32\services.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000007fb7b212fa0 5 bytes JMP 000007fbfb3e0390 .text C:\Windows\system32\services.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000007fb7b212fe0 5 bytes JMP 000007fbfb3e02e0 .text C:\Windows\system32\services.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000007fb7b213060 5 bytes JMP 000007fbfb3e02d0 .text C:\Windows\system32\services.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000007fb7b213080 1 byte JMP 000007fbfb3e0310 .text C:\Windows\system32\services.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection + 2 000007fb7b213082 3 bytes {JMP 0xffffffff801cd290} .text C:\Windows\system32\services.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000007fb7b2130c0 5 bytes JMP 000007fbfb3e03c0 .text C:\Windows\system32\services.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000007fb7b213110 5 bytes JMP 000007fbfb3e03f0 .text C:\Windows\system32\services.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000007fb7b213281 5 bytes JMP 000007fbfb3e0230 .text C:\Windows\system32\services.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000007fb7b213471 5 bytes JMP 000007fbfb3e0480 .text C:\Windows\system32\services.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000007fb7b2134a1 5 bytes JMP 000007fbfb3e03a0 .text C:\Windows\system32\services.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000007fb7b2135b1 5 bytes JMP 000007fbfb3e02f0 .text C:\Windows\system32\services.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000007fb7b2135d1 5 bytes JMP 000007fbfb3e0350 .text C:\Windows\system32\services.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000007fb7b213641 5 bytes JMP 000007fbfb3e0290 .text C:\Windows\system32\services.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000007fb7b2136d1 5 bytes JMP 000007fbfb3e02b0 .text C:\Windows\system32\services.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000007fb7b2136f1 5 bytes JMP 000007fbfb3e03d0 .text C:\Windows\system32\services.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000007fb7b213701 5 bytes JMP 000007fbfb3e0330 .text C:\Windows\system32\services.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000007fb7b2137a1 5 bytes JMP 000007fbfb3e0410 .text C:\Windows\system32\services.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000007fb7b2137d1 5 bytes JMP 000007fbfb3e0240 .text C:\Windows\system32\services.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000007fb7b213ae1 5 bytes JMP 000007fbfb3e01e0 .text C:\Windows\system32\services.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000007fb7b213ba1 5 bytes JMP 000007fbfb3e0250 .text C:\Windows\system32\services.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000007fb7b213bd1 5 bytes JMP 000007fbfb3e0490 .text C:\Windows\system32\services.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000007fb7b213be1 5 bytes JMP 000007fbfb3e04a0 .text C:\Windows\system32\services.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000007fb7b213c11 5 bytes JMP 000007fbfb3e0300 .text C:\Windows\system32\services.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000007fb7b213c21 5 bytes JMP 000007fbfb3e0360 .text C:\Windows\system32\services.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000007fb7b213c81 5 bytes JMP 000007fbfb3e02a0 .text C:\Windows\system32\services.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000007fb7b213cd1 5 bytes JMP 000007fbfb3e02c0 .text C:\Windows\system32\services.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000007fb7b213d01 5 bytes JMP 000007fbfb3e0380 .text C:\Windows\system32\services.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000007fb7b213d11 5 bytes JMP 000007fbfb3e0340 .text C:\Windows\system32\services.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000007fb7b214021 5 bytes JMP 000007fbfb3e0440 .text C:\Windows\system32\services.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000007fb7b214221 5 bytes JMP 000007fbfb3e0260 .text C:\Windows\system32\services.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000007fb7b214231 5 bytes JMP 000007fbfb3e0270 .text C:\Windows\system32\services.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000007fb7b214251 5 bytes JMP 000007fbfb3e0400 .text C:\Windows\system32\services.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000007fb7b214431 5 bytes JMP 000007fbfb3e01f0 .text C:\Windows\system32\services.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000007fb7b214441 5 bytes JMP 000007fbfb3e0210 .text C:\Windows\system32\services.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000007fb7b2144b1 5 bytes JMP 000007fbfb3e0200 .text C:\Windows\system32\services.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000007fb7b214521 5 bytes JMP 000007fbfb3e0420 .text C:\Windows\system32\services.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000007fb7b214531 5 bytes JMP 000007fbfb3e0430 .text C:\Windows\system32\services.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000007fb7b214541 5 bytes JMP 000007fbfb3e0220 .text C:\Windows\system32\services.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000007fb7b214651 5 bytes JMP 000007fbfb3e0280 .text C:\Windows\system32\lsass.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000007fb7b212c90 5 bytes JMP 000007fbfb3e0460 .text C:\Windows\system32\lsass.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000007fb7b212ce0 5 bytes JMP 000007fbfb3e0450 .text C:\Windows\system32\lsass.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000007fb7b212e40 5 bytes JMP 000007fbfb3e0370 .text C:\Windows\system32\lsass.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000007fb7b212e90 5 bytes JMP 000007fbfb3e0470 .text C:\Windows\system32\lsass.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000007fb7b212ea0 5 bytes JMP 000007fbfb3e03e0 .text C:\Windows\system32\lsass.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000007fb7b212f50 5 bytes JMP 000007fbfb3e0320 .text C:\Windows\system32\lsass.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000007fb7b212f80 5 bytes JMP 000007fbfb3e03b0 .text C:\Windows\system32\lsass.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000007fb7b212fa0 5 bytes JMP 000007fbfb3e0390 .text C:\Windows\system32\lsass.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000007fb7b212fe0 5 bytes JMP 000007fbfb3e02e0 .text C:\Windows\system32\lsass.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000007fb7b213060 5 bytes JMP 000007fbfb3e02d0 .text C:\Windows\system32\lsass.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000007fb7b213080 1 byte JMP 000007fbfb3e0310 .text C:\Windows\system32\lsass.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection + 2 000007fb7b213082 3 bytes {JMP 0xffffffff801cd290} .text C:\Windows\system32\lsass.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000007fb7b2130c0 5 bytes JMP 000007fbfb3e03c0 .text C:\Windows\system32\lsass.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000007fb7b213110 5 bytes JMP 000007fbfb3e03f0 .text C:\Windows\system32\lsass.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000007fb7b213281 5 bytes JMP 000007fbfb3e0230 .text C:\Windows\system32\lsass.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000007fb7b213471 5 bytes JMP 000007fbfb3e0480 .text C:\Windows\system32\lsass.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000007fb7b2134a1 5 bytes JMP 000007fbfb3e03a0 .text C:\Windows\system32\lsass.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000007fb7b2135b1 5 bytes JMP 000007fbfb3e02f0 .text C:\Windows\system32\lsass.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000007fb7b2135d1 5 bytes JMP 000007fbfb3e0350 .text C:\Windows\system32\lsass.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000007fb7b213641 5 bytes JMP 000007fbfb3e0290 .text C:\Windows\system32\lsass.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000007fb7b2136d1 5 bytes JMP 000007fbfb3e02b0 .text C:\Windows\system32\lsass.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000007fb7b2136f1 5 bytes JMP 000007fbfb3e03d0 .text C:\Windows\system32\lsass.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000007fb7b213701 5 bytes JMP 000007fbfb3e0330 .text C:\Windows\system32\lsass.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000007fb7b2137a1 5 bytes JMP 000007fbfb3e0410 .text C:\Windows\system32\lsass.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000007fb7b2137d1 5 bytes JMP 000007fbfb3e0240 .text C:\Windows\system32\lsass.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000007fb7b213ae1 5 bytes JMP 000007fbfb3e01e0 .text C:\Windows\system32\lsass.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000007fb7b213ba1 5 bytes JMP 000007fbfb3e0250 .text C:\Windows\system32\lsass.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000007fb7b213bd1 5 bytes JMP 000007fbfb3e0490 .text C:\Windows\system32\lsass.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000007fb7b213be1 5 bytes JMP 000007fbfb3e04a0 .text C:\Windows\system32\lsass.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000007fb7b213c11 5 bytes JMP 000007fbfb3e0300 .text C:\Windows\system32\lsass.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000007fb7b213c21 5 bytes JMP 000007fbfb3e0360 .text C:\Windows\system32\lsass.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000007fb7b213c81 5 bytes JMP 000007fbfb3e02a0 .text C:\Windows\system32\lsass.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000007fb7b213cd1 5 bytes JMP 000007fbfb3e02c0 .text C:\Windows\system32\lsass.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000007fb7b213d01 5 bytes JMP 000007fbfb3e0380 .text C:\Windows\system32\lsass.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000007fb7b213d11 5 bytes JMP 000007fbfb3e0340 .text C:\Windows\system32\lsass.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000007fb7b214021 5 bytes JMP 000007fbfb3e0440 .text C:\Windows\system32\lsass.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000007fb7b214221 5 bytes JMP 000007fbfb3e0260 .text C:\Windows\system32\lsass.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000007fb7b214231 5 bytes JMP 000007fbfb3e0270 .text C:\Windows\system32\lsass.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000007fb7b214251 5 bytes JMP 000007fbfb3e0400 .text C:\Windows\system32\lsass.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000007fb7b214431 5 bytes JMP 000007fbfb3e01f0 .text C:\Windows\system32\lsass.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000007fb7b214441 5 bytes JMP 000007fbfb3e0210 .text C:\Windows\system32\lsass.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000007fb7b2144b1 5 bytes JMP 000007fbfb3e0200 .text C:\Windows\system32\lsass.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000007fb7b214521 5 bytes JMP 000007fbfb3e0420 .text C:\Windows\system32\lsass.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000007fb7b214531 5 bytes JMP 000007fbfb3e0430 .text C:\Windows\system32\lsass.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000007fb7b214541 5 bytes JMP 000007fbfb3e0220 .text C:\Windows\system32\lsass.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000007fb7b214651 5 bytes JMP 000007fbfb3e0280 .text C:\Windows\system32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000007fb7b212c90 5 bytes JMP 000007fbfb3e0460 .text C:\Windows\system32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000007fb7b212ce0 5 bytes JMP 000007fbfb3e0450 .text C:\Windows\system32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000007fb7b212e40 5 bytes JMP 000007fbfb3e0370 .text C:\Windows\system32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000007fb7b212e90 5 bytes JMP 000007fbfb3e0470 .text C:\Windows\system32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000007fb7b212ea0 5 bytes JMP 000007fbfb3e03e0 .text C:\Windows\system32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000007fb7b212f50 5 bytes JMP 000007fbfb3e0320 .text C:\Windows\system32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000007fb7b212f80 5 bytes JMP 000007fbfb3e03b0 .text C:\Windows\system32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000007fb7b212fa0 5 bytes JMP 000007fbfb3e0390 .text C:\Windows\system32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000007fb7b212fe0 5 bytes JMP 000007fbfb3e02e0 .text C:\Windows\system32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000007fb7b213060 5 bytes JMP 000007fbfb3e02d0 .text C:\Windows\system32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000007fb7b213080 1 byte JMP 000007fbfb3e0310 .text C:\Windows\system32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection + 2 000007fb7b213082 3 bytes {JMP 0xffffffff801cd290} .text C:\Windows\system32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000007fb7b2130c0 5 bytes JMP 000007fbfb3e03c0 .text C:\Windows\system32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000007fb7b213110 5 bytes JMP 000007fbfb3e03f0 .text C:\Windows\system32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000007fb7b213281 5 bytes JMP 000007fbfb3e0230 .text C:\Windows\system32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000007fb7b213471 5 bytes JMP 000007fbfb3e0480 .text C:\Windows\system32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000007fb7b2134a1 5 bytes JMP 000007fbfb3e03a0 .text C:\Windows\system32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000007fb7b2135b1 5 bytes JMP 000007fbfb3e02f0 .text C:\Windows\system32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000007fb7b2135d1 5 bytes JMP 000007fbfb3e0350 .text C:\Windows\system32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000007fb7b213641 5 bytes JMP 000007fbfb3e0290 .text C:\Windows\system32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000007fb7b2136d1 5 bytes JMP 000007fbfb3e02b0 .text C:\Windows\system32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000007fb7b2136f1 5 bytes JMP 000007fbfb3e03d0 .text C:\Windows\system32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000007fb7b213701 5 bytes JMP 000007fbfb3e0330 .text C:\Windows\system32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000007fb7b2137a1 5 bytes JMP 000007fbfb3e0410 .text C:\Windows\system32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000007fb7b2137d1 5 bytes JMP 000007fbfb3e0240 .text C:\Windows\system32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000007fb7b213ae1 5 bytes JMP 000007fbfb3e01e0 .text C:\Windows\system32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000007fb7b213ba1 5 bytes JMP 000007fbfb3e0250 .text C:\Windows\system32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000007fb7b213bd1 5 bytes JMP 000007fbfb3e0490 .text C:\Windows\system32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000007fb7b213be1 5 bytes JMP 000007fbfb3e04a0 .text C:\Windows\system32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000007fb7b213c11 5 bytes JMP 000007fbfb3e0300 .text C:\Windows\system32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000007fb7b213c21 5 bytes JMP 000007fbfb3e0360 .text C:\Windows\system32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000007fb7b213c81 5 bytes JMP 000007fbfb3e02a0 .text C:\Windows\system32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000007fb7b213cd1 5 bytes JMP 000007fbfb3e02c0 .text C:\Windows\system32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000007fb7b213d01 5 bytes JMP 000007fbfb3e0380 .text C:\Windows\system32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000007fb7b213d11 5 bytes JMP 000007fbfb3e0340 .text C:\Windows\system32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000007fb7b214021 5 bytes JMP 000007fbfb3e0440 .text C:\Windows\system32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000007fb7b214221 5 bytes JMP 000007fbfb3e0260 .text C:\Windows\system32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000007fb7b214231 5 bytes JMP 000007fbfb3e0270 .text C:\Windows\system32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000007fb7b214251 5 bytes JMP 000007fbfb3e0400 .text C:\Windows\system32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000007fb7b214431 5 bytes JMP 000007fbfb3e01f0 .text C:\Windows\system32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000007fb7b214441 5 bytes JMP 000007fbfb3e0210 .text C:\Windows\system32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000007fb7b2144b1 5 bytes JMP 000007fbfb3e0200 .text C:\Windows\system32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000007fb7b214521 5 bytes JMP 000007fbfb3e0420 .text C:\Windows\system32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000007fb7b214531 5 bytes JMP 000007fbfb3e0430 .text C:\Windows\system32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000007fb7b214541 5 bytes JMP 000007fbfb3e0220 .text C:\Windows\system32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000007fb7b214651 5 bytes JMP 000007fbfb3e0280 .text C:\Windows\system32\svchost.exe[868] C:\Windows\system32\KERNEL32.DLL!GetBinaryTypeW + 163 000007fb7892f7eb 1 byte [62] .text C:\Windows\system32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000007fb7b212c90 5 bytes JMP 000007fbfb3e0460 .text C:\Windows\system32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000007fb7b212ce0 5 bytes JMP 000007fbfb3e0450 .text C:\Windows\system32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000007fb7b212e40 5 bytes JMP 000007fbfb3e0370 .text C:\Windows\system32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000007fb7b212e90 5 bytes JMP 000007fbfb3e0470 .text C:\Windows\system32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000007fb7b212ea0 5 bytes JMP 000007fbfb3e03e0 .text C:\Windows\system32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000007fb7b212f50 5 bytes JMP 000007fbfb3e0320 .text C:\Windows\system32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000007fb7b212f80 5 bytes JMP 000007fbfb3e03b0 .text C:\Windows\system32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000007fb7b212fa0 5 bytes JMP 000007fbfb3e0390 .text C:\Windows\system32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000007fb7b212fe0 5 bytes JMP 000007fbfb3e02e0 .text C:\Windows\system32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000007fb7b213060 5 bytes JMP 000007fbfb3e02d0 .text C:\Windows\system32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000007fb7b213080 1 byte JMP 000007fbfb3e0310 .text C:\Windows\system32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection + 2 000007fb7b213082 3 bytes {JMP 0xffffffff801cd290} .text C:\Windows\system32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000007fb7b2130c0 5 bytes JMP 000007fbfb3e03c0 .text C:\Windows\system32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000007fb7b213110 5 bytes JMP 000007fbfb3e03f0 .text C:\Windows\system32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000007fb7b213281 5 bytes JMP 000007fbfb3e0230 .text C:\Windows\system32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000007fb7b213471 5 bytes JMP 000007fbfb3e0480 .text C:\Windows\system32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000007fb7b2134a1 5 bytes JMP 000007fbfb3e03a0 .text C:\Windows\system32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000007fb7b2135b1 5 bytes JMP 000007fbfb3e02f0 .text C:\Windows\system32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000007fb7b2135d1 5 bytes JMP 000007fbfb3e0350 .text C:\Windows\system32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000007fb7b213641 5 bytes JMP 000007fbfb3e0290 .text C:\Windows\system32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000007fb7b2136d1 5 bytes JMP 000007fbfb3e02b0 .text C:\Windows\system32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000007fb7b2136f1 5 bytes JMP 000007fbfb3e03d0 .text C:\Windows\system32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000007fb7b213701 5 bytes JMP 000007fbfb3e0330 .text C:\Windows\system32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000007fb7b2137a1 5 bytes JMP 000007fbfb3e0410 .text C:\Windows\system32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000007fb7b2137d1 5 bytes JMP 000007fbfb3e0240 .text C:\Windows\system32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000007fb7b213ae1 5 bytes JMP 000007fbfb3e01e0 .text C:\Windows\system32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000007fb7b213ba1 5 bytes JMP 000007fbfb3e0250 .text C:\Windows\system32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000007fb7b213bd1 5 bytes JMP 000007fbfb3e0490 .text C:\Windows\system32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000007fb7b213be1 5 bytes JMP 000007fbfb3e04a0 .text C:\Windows\system32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000007fb7b213c11 5 bytes JMP 000007fbfb3e0300 .text C:\Windows\system32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000007fb7b213c21 5 bytes JMP 000007fbfb3e0360 .text C:\Windows\system32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000007fb7b213c81 5 bytes JMP 000007fbfb3e02a0 .text C:\Windows\system32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000007fb7b213cd1 5 bytes JMP 000007fbfb3e02c0 .text C:\Windows\system32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000007fb7b213d01 5 bytes JMP 000007fbfb3e0380 .text C:\Windows\system32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000007fb7b213d11 5 bytes JMP 000007fbfb3e0340 .text C:\Windows\system32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000007fb7b214021 5 bytes JMP 000007fbfb3e0440 .text C:\Windows\system32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000007fb7b214221 5 bytes JMP 000007fbfb3e0260 .text C:\Windows\system32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000007fb7b214231 5 bytes JMP 000007fbfb3e0270 .text C:\Windows\system32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000007fb7b214251 5 bytes JMP 000007fbfb3e0400 .text C:\Windows\system32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000007fb7b214431 5 bytes JMP 000007fbfb3e01f0 .text C:\Windows\system32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000007fb7b214441 5 bytes JMP 000007fbfb3e0210 .text C:\Windows\system32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000007fb7b2144b1 5 bytes JMP 000007fbfb3e0200 .text C:\Windows\system32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000007fb7b214521 5 bytes JMP 000007fbfb3e0420 .text C:\Windows\system32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000007fb7b214531 5 bytes JMP 000007fbfb3e0430 .text C:\Windows\system32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000007fb7b214541 5 bytes JMP 000007fbfb3e0220 .text C:\Windows\system32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000007fb7b214651 5 bytes JMP 000007fbfb3e0280 .text C:\Windows\system32\svchost.exe[944] C:\Windows\system32\KERNEL32.DLL!GetBinaryTypeW + 163 000007fb7892f7eb 1 byte [62] .text C:\Windows\system32\atiesrxx.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000007fb7b212c90 5 bytes JMP 000007fbfb3e0460 .text C:\Windows\system32\atiesrxx.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000007fb7b212ce0 5 bytes JMP 000007fbfb3e0450 .text C:\Windows\system32\atiesrxx.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000007fb7b212e40 5 bytes JMP 000007fbfb3e0370 .text C:\Windows\system32\atiesrxx.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000007fb7b212e90 5 bytes JMP 000007fbfb3e0470 .text C:\Windows\system32\atiesrxx.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000007fb7b212ea0 5 bytes JMP 000007fbfb3e03e0 .text C:\Windows\system32\atiesrxx.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000007fb7b212f50 5 bytes JMP 000007fbfb3e0320 .text C:\Windows\system32\atiesrxx.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000007fb7b212f80 5 bytes JMP 000007fbfb3e03b0 .text C:\Windows\system32\atiesrxx.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000007fb7b212fa0 5 bytes JMP 000007fbfb3e0390 .text C:\Windows\system32\atiesrxx.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000007fb7b212fe0 5 bytes JMP 000007fbfb3e02e0 .text C:\Windows\system32\atiesrxx.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000007fb7b213060 5 bytes JMP 000007fbfb3e02d0 .text C:\Windows\system32\atiesrxx.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000007fb7b213080 1 byte JMP 000007fbfb3e0310 .text C:\Windows\system32\atiesrxx.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection + 2 000007fb7b213082 3 bytes {JMP 0xffffffff801cd290} .text C:\Windows\system32\atiesrxx.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000007fb7b2130c0 5 bytes JMP 000007fbfb3e03c0 .text C:\Windows\system32\atiesrxx.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000007fb7b213110 5 bytes JMP 000007fbfb3e03f0 .text C:\Windows\system32\atiesrxx.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000007fb7b213281 5 bytes JMP 000007fbfb3e0230 .text C:\Windows\system32\atiesrxx.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000007fb7b213471 5 bytes JMP 000007fbfb3e0480 .text C:\Windows\system32\atiesrxx.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000007fb7b2134a1 5 bytes JMP 000007fbfb3e03a0 .text C:\Windows\system32\atiesrxx.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000007fb7b2135b1 5 bytes JMP 000007fbfb3e02f0 .text C:\Windows\system32\atiesrxx.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000007fb7b2135d1 5 bytes JMP 000007fbfb3e0350 .text C:\Windows\system32\atiesrxx.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000007fb7b213641 5 bytes JMP 000007fbfb3e0290 .text C:\Windows\system32\atiesrxx.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000007fb7b2136d1 5 bytes JMP 000007fbfb3e02b0 .text C:\Windows\system32\atiesrxx.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000007fb7b2136f1 5 bytes JMP 000007fbfb3e03d0 .text C:\Windows\system32\atiesrxx.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000007fb7b213701 5 bytes JMP 000007fbfb3e0330 .text C:\Windows\system32\atiesrxx.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000007fb7b2137a1 5 bytes JMP 000007fbfb3e0410 .text C:\Windows\system32\atiesrxx.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000007fb7b2137d1 5 bytes JMP 000007fbfb3e0240 .text C:\Windows\system32\atiesrxx.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000007fb7b213ae1 5 bytes JMP 000007fbfb3e01e0 .text C:\Windows\system32\atiesrxx.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000007fb7b213ba1 5 bytes JMP 000007fbfb3e0250 .text C:\Windows\system32\atiesrxx.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000007fb7b213bd1 5 bytes JMP 000007fbfb3e0490 .text C:\Windows\system32\atiesrxx.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000007fb7b213be1 5 bytes JMP 000007fbfb3e04a0 .text C:\Windows\system32\atiesrxx.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000007fb7b213c11 5 bytes JMP 000007fbfb3e0300 .text C:\Windows\system32\atiesrxx.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000007fb7b213c21 5 bytes JMP 000007fbfb3e0360 .text C:\Windows\system32\atiesrxx.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000007fb7b213c81 5 bytes JMP 000007fbfb3e02a0 .text C:\Windows\system32\atiesrxx.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000007fb7b213cd1 5 bytes JMP 000007fbfb3e02c0 .text C:\Windows\system32\atiesrxx.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000007fb7b213d01 5 bytes JMP 000007fbfb3e0380 .text C:\Windows\system32\atiesrxx.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000007fb7b213d11 5 bytes JMP 000007fbfb3e0340 .text C:\Windows\system32\atiesrxx.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000007fb7b214021 5 bytes JMP 000007fbfb3e0440 .text C:\Windows\system32\atiesrxx.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000007fb7b214221 5 bytes JMP 000007fbfb3e0260 .text C:\Windows\system32\atiesrxx.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000007fb7b214231 5 bytes JMP 000007fbfb3e0270 .text C:\Windows\system32\atiesrxx.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000007fb7b214251 5 bytes JMP 000007fbfb3e0400 .text C:\Windows\system32\atiesrxx.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000007fb7b214431 5 bytes JMP 000007fbfb3e01f0 .text C:\Windows\system32\atiesrxx.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000007fb7b214441 5 bytes JMP 000007fbfb3e0210 .text C:\Windows\system32\atiesrxx.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000007fb7b2144b1 5 bytes JMP 000007fbfb3e0200 .text C:\Windows\system32\atiesrxx.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000007fb7b214521 5 bytes JMP 000007fbfb3e0420 .text C:\Windows\system32\atiesrxx.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000007fb7b214531 5 bytes JMP 000007fbfb3e0430 .text C:\Windows\system32\atiesrxx.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000007fb7b214541 5 bytes JMP 000007fbfb3e0220 .text C:\Windows\system32\atiesrxx.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000007fb7b214651 5 bytes JMP 000007fbfb3e0280 .text C:\Windows\system32\atiesrxx.exe[992] C:\Windows\system32\KERNEL32.DLL!GetBinaryTypeW + 163 000007fb7892f7eb 1 byte [62] .text C:\Windows\system32\atiesrxx.exe[992] C:\Windows\system32\PSAPI.DLL!GetProcessImageFileNameA + 306 000007fb7891177a 4 bytes [91, 78, FB, 07] .text C:\Windows\system32\atiesrxx.exe[992] C:\Windows\system32\PSAPI.DLL!GetProcessImageFileNameA + 314 000007fb78911782 4 bytes [91, 78, FB, 07] .text C:\Windows\System32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000007fb7b212c90 5 bytes JMP 000007fbfb3e0460 .text C:\Windows\System32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000007fb7b212ce0 5 bytes JMP 000007fbfb3e0450 .text C:\Windows\System32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000007fb7b212e40 5 bytes JMP 000007fbfb3e0370 .text C:\Windows\System32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000007fb7b212e90 5 bytes JMP 000007fbfb3e0470 .text C:\Windows\System32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000007fb7b212ea0 5 bytes JMP 000007fbfb3e03e0 .text C:\Windows\System32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000007fb7b212f50 5 bytes JMP 000007fbfb3e0320 .text C:\Windows\System32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000007fb7b212f80 5 bytes JMP 000007fbfb3e03b0 .text C:\Windows\System32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000007fb7b212fa0 5 bytes JMP 000007fbfb3e0390 .text C:\Windows\System32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000007fb7b212fe0 5 bytes JMP 000007fbfb3e02e0 .text C:\Windows\System32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000007fb7b213060 5 bytes JMP 000007fbfb3e02d0 .text C:\Windows\System32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000007fb7b213080 1 byte JMP 000007fbfb3e0310 .text C:\Windows\System32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection + 2 000007fb7b213082 3 bytes {JMP 0xffffffff801cd290} .text C:\Windows\System32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000007fb7b2130c0 5 bytes JMP 000007fbfb3e03c0 .text C:\Windows\System32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000007fb7b213110 5 bytes JMP 000007fbfb3e03f0 .text C:\Windows\System32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000007fb7b213281 5 bytes JMP 000007fbfb3e0230 .text C:\Windows\System32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000007fb7b213471 5 bytes JMP 000007fbfb3e0480 .text C:\Windows\System32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000007fb7b2134a1 5 bytes JMP 000007fbfb3e03a0 .text C:\Windows\System32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000007fb7b2135b1 5 bytes JMP 000007fbfb3e02f0 .text C:\Windows\System32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000007fb7b2135d1 5 bytes JMP 000007fbfb3e0350 .text C:\Windows\System32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000007fb7b213641 5 bytes JMP 000007fbfb3e0290 .text C:\Windows\System32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000007fb7b2136d1 5 bytes JMP 000007fbfb3e02b0 .text C:\Windows\System32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000007fb7b2136f1 5 bytes JMP 000007fbfb3e03d0 .text C:\Windows\System32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000007fb7b213701 5 bytes JMP 000007fbfb3e0330 .text C:\Windows\System32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000007fb7b2137a1 5 bytes JMP 000007fbfb3e0410 .text C:\Windows\System32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000007fb7b2137d1 5 bytes JMP 000007fbfb3e0240 .text C:\Windows\System32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000007fb7b213ae1 5 bytes JMP 000007fbfb3e01e0 .text C:\Windows\System32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000007fb7b213ba1 5 bytes JMP 000007fbfb3e0250 .text C:\Windows\System32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000007fb7b213bd1 5 bytes JMP 000007fbfb3e0490 .text C:\Windows\System32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000007fb7b213be1 5 bytes JMP 000007fbfb3e04a0 .text C:\Windows\System32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000007fb7b213c11 5 bytes JMP 000007fbfb3e0300 .text C:\Windows\System32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000007fb7b213c21 5 bytes JMP 000007fbfb3e0360 .text C:\Windows\System32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000007fb7b213c81 5 bytes JMP 000007fbfb3e02a0 .text C:\Windows\System32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000007fb7b213cd1 5 bytes JMP 000007fbfb3e02c0 .text C:\Windows\System32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000007fb7b213d01 5 bytes JMP 000007fbfb3e0380 .text C:\Windows\System32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000007fb7b213d11 5 bytes JMP 000007fbfb3e0340 .text C:\Windows\System32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000007fb7b214021 5 bytes JMP 000007fbfb3e0440 .text C:\Windows\System32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000007fb7b214221 5 bytes JMP 000007fbfb3e0260 .text C:\Windows\System32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000007fb7b214231 5 bytes JMP 000007fbfb3e0270 .text C:\Windows\System32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000007fb7b214251 5 bytes JMP 000007fbfb3e0400 .text C:\Windows\System32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000007fb7b214431 5 bytes JMP 000007fbfb3e01f0 .text C:\Windows\System32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000007fb7b214441 5 bytes JMP 000007fbfb3e0210 .text C:\Windows\System32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000007fb7b2144b1 5 bytes JMP 000007fbfb3e0200 .text C:\Windows\System32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000007fb7b214521 5 bytes JMP 000007fbfb3e0420 .text C:\Windows\System32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000007fb7b214531 5 bytes JMP 000007fbfb3e0430 .text C:\Windows\System32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000007fb7b214541 5 bytes JMP 000007fbfb3e0220 .text C:\Windows\System32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000007fb7b214651 5 bytes JMP 000007fbfb3e0280 .text C:\Windows\System32\svchost.exe[124] C:\Windows\system32\KERNEL32.DLL!GetBinaryTypeW + 163 000007fb7892f7eb 1 byte [62] .text C:\Windows\system32\dwm.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000007fb7b212c90 5 bytes JMP 000007fbfb3e0460 .text C:\Windows\system32\dwm.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000007fb7b212ce0 5 bytes JMP 000007fbfb3e0450 .text C:\Windows\system32\dwm.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000007fb7b212e40 5 bytes JMP 000007fbfb3e0370 .text C:\Windows\system32\dwm.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000007fb7b212e90 5 bytes JMP 000007fbfb3e0470 .text C:\Windows\system32\dwm.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000007fb7b212ea0 5 bytes JMP 000007fbfb3e03e0 .text C:\Windows\system32\dwm.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000007fb7b212f50 5 bytes JMP 000007fbfb3e0320 .text C:\Windows\system32\dwm.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000007fb7b212f80 5 bytes JMP 000007fbfb3e03b0 .text C:\Windows\system32\dwm.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000007fb7b212fa0 5 bytes JMP 000007fbfb3e0390 .text C:\Windows\system32\dwm.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000007fb7b212fe0 5 bytes JMP 000007fbfb3e02e0 .text C:\Windows\system32\dwm.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000007fb7b213060 5 bytes JMP 000007fbfb3e02d0 .text C:\Windows\system32\dwm.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000007fb7b213080 1 byte JMP 000007fbfb3e0310 .text C:\Windows\system32\dwm.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection + 2 000007fb7b213082 3 bytes {JMP 0xffffffff801cd290} .text C:\Windows\system32\dwm.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000007fb7b2130c0 5 bytes JMP 000007fbfb3e03c0 .text C:\Windows\system32\dwm.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000007fb7b213110 5 bytes JMP 000007fbfb3e03f0 .text C:\Windows\system32\dwm.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000007fb7b213281 5 bytes JMP 000007fbfb3e0230 .text C:\Windows\system32\dwm.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000007fb7b213471 5 bytes JMP 000007fbfb3e0480 .text C:\Windows\system32\dwm.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000007fb7b2134a1 5 bytes JMP 000007fbfb3e03a0 .text C:\Windows\system32\dwm.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000007fb7b2135b1 5 bytes JMP 000007fbfb3e02f0 .text C:\Windows\system32\dwm.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000007fb7b2135d1 5 bytes JMP 000007fbfb3e0350 .text C:\Windows\system32\dwm.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000007fb7b213641 5 bytes JMP 000007fbfb3e0290 .text C:\Windows\system32\dwm.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000007fb7b2136d1 5 bytes JMP 000007fbfb3e02b0 .text C:\Windows\system32\dwm.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000007fb7b2136f1 5 bytes JMP 000007fbfb3e03d0 .text C:\Windows\system32\dwm.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000007fb7b213701 5 bytes JMP 000007fbfb3e0330 .text C:\Windows\system32\dwm.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000007fb7b2137a1 5 bytes JMP 000007fbfb3e0410 .text C:\Windows\system32\dwm.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000007fb7b2137d1 5 bytes JMP 000007fbfb3e0240 .text C:\Windows\system32\dwm.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000007fb7b213ae1 5 bytes JMP 000007fbfb3e01e0 .text C:\Windows\system32\dwm.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000007fb7b213ba1 5 bytes JMP 000007fbfb3e0250 .text C:\Windows\system32\dwm.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000007fb7b213bd1 5 bytes JMP 000007fbfb3e0490 .text C:\Windows\system32\dwm.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000007fb7b213be1 5 bytes JMP 000007fbfb3e04a0 .text C:\Windows\system32\dwm.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000007fb7b213c11 5 bytes JMP 000007fbfb3e0300 .text C:\Windows\system32\dwm.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000007fb7b213c21 5 bytes JMP 000007fbfb3e0360 .text C:\Windows\system32\dwm.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000007fb7b213c81 5 bytes JMP 000007fbfb3e02a0 .text C:\Windows\system32\dwm.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000007fb7b213cd1 5 bytes JMP 000007fbfb3e02c0 .text C:\Windows\system32\dwm.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000007fb7b213d01 5 bytes JMP 000007fbfb3e0380 .text C:\Windows\system32\dwm.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000007fb7b213d11 5 bytes JMP 000007fbfb3e0340 .text C:\Windows\system32\dwm.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000007fb7b214021 5 bytes JMP 000007fbfb3e0440 .text C:\Windows\system32\dwm.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000007fb7b214221 5 bytes JMP 000007fbfb3e0260 .text C:\Windows\system32\dwm.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000007fb7b214231 5 bytes JMP 000007fbfb3e0270 .text C:\Windows\system32\dwm.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000007fb7b214251 5 bytes JMP 000007fbfb3e0400 .text C:\Windows\system32\dwm.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000007fb7b214431 5 bytes JMP 000007fbfb3e01f0 .text C:\Windows\system32\dwm.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000007fb7b214441 5 bytes JMP 000007fbfb3e0210 .text C:\Windows\system32\dwm.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000007fb7b2144b1 5 bytes JMP 000007fbfb3e0200 .text C:\Windows\system32\dwm.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000007fb7b214521 5 bytes JMP 000007fbfb3e0420 .text C:\Windows\system32\dwm.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000007fb7b214531 5 bytes JMP 000007fbfb3e0430 .text C:\Windows\system32\dwm.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000007fb7b214541 5 bytes JMP 000007fbfb3e0220 .text C:\Windows\system32\dwm.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000007fb7b214651 5 bytes JMP 000007fbfb3e0280 .text C:\Windows\system32\svchost.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000007fb7b212c90 5 bytes JMP 000007fbfb3e0460 .text C:\Windows\system32\svchost.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000007fb7b212ce0 5 bytes JMP 000007fbfb3e0450 .text C:\Windows\system32\svchost.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000007fb7b212e40 5 bytes JMP 000007fbfb3e0370 .text C:\Windows\system32\svchost.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000007fb7b212e90 5 bytes JMP 000007fbfb3e0470 .text C:\Windows\system32\svchost.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000007fb7b212ea0 5 bytes JMP 000007fbfb3e03e0 .text C:\Windows\system32\svchost.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000007fb7b212f50 5 bytes JMP 000007fbfb3e0320 .text C:\Windows\system32\svchost.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000007fb7b212f80 5 bytes JMP 000007fbfb3e03b0 .text C:\Windows\system32\svchost.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000007fb7b212fa0 5 bytes JMP 000007fbfb3e0390 .text C:\Windows\system32\svchost.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000007fb7b212fe0 5 bytes JMP 000007fbfb3e02e0 .text C:\Windows\system32\svchost.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000007fb7b213060 5 bytes JMP 000007fbfb3e02d0 .text C:\Windows\system32\svchost.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000007fb7b213080 1 byte JMP 000007fbfb3e0310 .text C:\Windows\system32\svchost.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection + 2 000007fb7b213082 3 bytes {JMP 0xffffffff801cd290} .text C:\Windows\system32\svchost.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000007fb7b2130c0 5 bytes JMP 000007fbfb3e03c0 .text C:\Windows\system32\svchost.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000007fb7b213110 5 bytes JMP 000007fbfb3e03f0 .text C:\Windows\system32\svchost.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000007fb7b213281 5 bytes JMP 000007fbfb3e0230 .text C:\Windows\system32\svchost.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000007fb7b213471 5 bytes JMP 000007fbfb3e0480 .text C:\Windows\system32\svchost.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000007fb7b2134a1 5 bytes JMP 000007fbfb3e03a0 .text C:\Windows\system32\svchost.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000007fb7b2135b1 5 bytes JMP 000007fbfb3e02f0 .text C:\Windows\system32\svchost.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000007fb7b2135d1 5 bytes JMP 000007fbfb3e0350 .text C:\Windows\system32\svchost.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000007fb7b213641 5 bytes JMP 000007fbfb3e0290 .text C:\Windows\system32\svchost.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000007fb7b2136d1 5 bytes JMP 000007fbfb3e02b0 .text C:\Windows\system32\svchost.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000007fb7b2136f1 5 bytes JMP 000007fbfb3e03d0 .text C:\Windows\system32\svchost.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000007fb7b213701 5 bytes JMP 000007fbfb3e0330 .text C:\Windows\system32\svchost.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000007fb7b2137a1 5 bytes JMP 000007fbfb3e0410 .text C:\Windows\system32\svchost.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000007fb7b2137d1 5 bytes JMP 000007fbfb3e0240 .text C:\Windows\system32\svchost.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000007fb7b213ae1 5 bytes JMP 000007fbfb3e01e0 .text C:\Windows\system32\svchost.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000007fb7b213ba1 5 bytes JMP 000007fbfb3e0250 .text C:\Windows\system32\svchost.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000007fb7b213bd1 5 bytes JMP 000007fbfb3e0490 .text C:\Windows\system32\svchost.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000007fb7b213be1 5 bytes JMP 000007fbfb3e04a0 .text C:\Windows\system32\svchost.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000007fb7b213c11 5 bytes JMP 000007fbfb3e0300 .text C:\Windows\system32\svchost.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000007fb7b213c21 5 bytes JMP 000007fbfb3e0360 .text C:\Windows\system32\svchost.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000007fb7b213c81 5 bytes JMP 000007fbfb3e02a0 .text C:\Windows\system32\svchost.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000007fb7b213cd1 5 bytes JMP 000007fbfb3e02c0 .text C:\Windows\system32\svchost.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000007fb7b213d01 5 bytes JMP 000007fbfb3e0380 .text C:\Windows\system32\svchost.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000007fb7b213d11 5 bytes JMP 000007fbfb3e0340 .text C:\Windows\system32\svchost.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000007fb7b214021 5 bytes JMP 000007fbfb3e0440 .text C:\Windows\system32\svchost.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000007fb7b214221 5 bytes JMP 000007fbfb3e0260 .text C:\Windows\system32\svchost.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000007fb7b214231 5 bytes JMP 000007fbfb3e0270 .text C:\Windows\system32\svchost.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000007fb7b214251 5 bytes JMP 000007fbfb3e0400 .text C:\Windows\system32\svchost.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000007fb7b214431 5 bytes JMP 000007fbfb3e01f0 .text C:\Windows\system32\svchost.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000007fb7b214441 5 bytes JMP 000007fbfb3e0210 .text C:\Windows\system32\svchost.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000007fb7b2144b1 5 bytes JMP 000007fbfb3e0200 .text C:\Windows\system32\svchost.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000007fb7b214521 5 bytes JMP 000007fbfb3e0420 .text C:\Windows\system32\svchost.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000007fb7b214531 5 bytes JMP 000007fbfb3e0430 .text C:\Windows\system32\svchost.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000007fb7b214541 5 bytes JMP 000007fbfb3e0220 .text C:\Windows\system32\svchost.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000007fb7b214651 5 bytes JMP 000007fbfb3e0280 .text C:\Windows\system32\svchost.exe[644] C:\Windows\system32\KERNEL32.DLL!GetBinaryTypeW + 163 000007fb7892f7eb 1 byte [62] .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000007fb7b212c90 5 bytes JMP 000007fbfb3e0460 .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000007fb7b212ce0 5 bytes JMP 000007fbfb3e0450 .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000007fb7b212e40 5 bytes JMP 000007fbfb3e0370 .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000007fb7b212e90 5 bytes JMP 000007fbfb3e0470 .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000007fb7b212ea0 5 bytes JMP 000007fbfb3e03e0 .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000007fb7b212f50 5 bytes JMP 000007fbfb3e0320 .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000007fb7b212f80 5 bytes JMP 000007fbfb3e03b0 .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000007fb7b212fa0 5 bytes JMP 000007fbfb3e0390 .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000007fb7b212fe0 5 bytes JMP 000007fbfb3e02e0 .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000007fb7b213060 5 bytes JMP 000007fbfb3e02d0 .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000007fb7b213080 1 byte JMP 000007fbfb3e0310 .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection + 2 000007fb7b213082 3 bytes {JMP 0xffffffff801cd290} .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000007fb7b2130c0 5 bytes JMP 000007fbfb3e03c0 .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000007fb7b213110 5 bytes JMP 000007fbfb3e03f0 .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000007fb7b213281 5 bytes JMP 000007fbfb3e0230 .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000007fb7b213471 5 bytes JMP 000007fbfb3e0480 .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000007fb7b2134a1 5 bytes JMP 000007fbfb3e03a0 .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000007fb7b2135b1 5 bytes JMP 000007fbfb3e02f0 .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000007fb7b2135d1 5 bytes JMP 000007fbfb3e0350 .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000007fb7b213641 5 bytes JMP 000007fbfb3e0290 .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000007fb7b2136d1 5 bytes JMP 000007fbfb3e02b0 .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000007fb7b2136f1 5 bytes JMP 000007fbfb3e03d0 .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000007fb7b213701 5 bytes JMP 000007fbfb3e0330 .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000007fb7b2137a1 5 bytes JMP 000007fbfb3e0410 .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000007fb7b2137d1 5 bytes JMP 000007fbfb3e0240 .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000007fb7b213ae1 5 bytes JMP 000007fbfb3e01e0 .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000007fb7b213ba1 5 bytes JMP 000007fbfb3e0250 .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000007fb7b213bd1 5 bytes JMP 000007fbfb3e0490 .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000007fb7b213be1 5 bytes JMP 000007fbfb3e04a0 .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000007fb7b213c11 5 bytes JMP 000007fbfb3e0300 .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000007fb7b213c21 5 bytes JMP 000007fbfb3e0360 .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000007fb7b213c81 5 bytes JMP 000007fbfb3e02a0 .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000007fb7b213cd1 5 bytes JMP 000007fbfb3e02c0 .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000007fb7b213d01 5 bytes JMP 000007fbfb3e0380 .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000007fb7b213d11 5 bytes JMP 000007fbfb3e0340 .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000007fb7b214021 5 bytes JMP 000007fbfb3e0440 .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000007fb7b214221 5 bytes JMP 000007fbfb3e0260 .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000007fb7b214231 5 bytes JMP 000007fbfb3e0270 .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000007fb7b214251 5 bytes JMP 000007fbfb3e0400 .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000007fb7b214431 5 bytes JMP 000007fbfb3e01f0 .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000007fb7b214441 5 bytes JMP 000007fbfb3e0210 .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000007fb7b2144b1 5 bytes JMP 000007fbfb3e0200 .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000007fb7b214521 5 bytes JMP 000007fbfb3e0420 .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000007fb7b214531 5 bytes JMP 000007fbfb3e0430 .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000007fb7b214541 5 bytes JMP 000007fbfb3e0220 .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000007fb7b214651 5 bytes JMP 000007fbfb3e0280 .text C:\Windows\system32\svchost.exe[1028] C:\Windows\system32\KERNEL32.DLL!GetBinaryTypeW + 163 000007fb7892f7eb 1 byte [62] .text C:\Windows\system32\atieclxx.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000007fb7b212c90 5 bytes JMP 000007fbfb3e0460 .text C:\Windows\system32\atieclxx.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000007fb7b212ce0 5 bytes JMP 000007fbfb3e0450 .text C:\Windows\system32\atieclxx.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000007fb7b212e40 5 bytes JMP 000007fbfb3e0370 .text C:\Windows\system32\atieclxx.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000007fb7b212e90 5 bytes JMP 000007fbfb3e0470 .text C:\Windows\system32\atieclxx.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000007fb7b212ea0 5 bytes JMP 000007fbfb3e03e0 .text C:\Windows\system32\atieclxx.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000007fb7b212f50 5 bytes JMP 000007fbfb3e0320 .text C:\Windows\system32\atieclxx.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000007fb7b212f80 5 bytes JMP 000007fbfb3e03b0 .text C:\Windows\system32\atieclxx.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000007fb7b212fa0 5 bytes JMP 000007fbfb3e0390 .text C:\Windows\system32\atieclxx.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000007fb7b212fe0 5 bytes JMP 000007fbfb3e02e0 .text C:\Windows\system32\atieclxx.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000007fb7b213060 5 bytes JMP 000007fbfb3e02d0 .text C:\Windows\system32\atieclxx.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000007fb7b213080 1 byte JMP 000007fbfb3e0310 .text C:\Windows\system32\atieclxx.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection + 2 000007fb7b213082 3 bytes {JMP 0xffffffff801cd290} .text C:\Windows\system32\atieclxx.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000007fb7b2130c0 5 bytes JMP 000007fbfb3e03c0 .text C:\Windows\system32\atieclxx.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000007fb7b213110 5 bytes JMP 000007fbfb3e03f0 .text C:\Windows\system32\atieclxx.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000007fb7b213281 5 bytes JMP 000007fbfb3e0230 .text C:\Windows\system32\atieclxx.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000007fb7b213471 5 bytes JMP 000007fbfb3e0480 .text C:\Windows\system32\atieclxx.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000007fb7b2134a1 5 bytes JMP 000007fbfb3e03a0 .text C:\Windows\system32\atieclxx.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000007fb7b2135b1 5 bytes JMP 000007fbfb3e02f0 .text C:\Windows\system32\atieclxx.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000007fb7b2135d1 5 bytes JMP 000007fbfb3e0350 .text C:\Windows\system32\atieclxx.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000007fb7b213641 5 bytes JMP 000007fbfb3e0290 .text C:\Windows\system32\atieclxx.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000007fb7b2136d1 5 bytes JMP 000007fbfb3e02b0 .text C:\Windows\system32\atieclxx.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000007fb7b2136f1 5 bytes JMP 000007fbfb3e03d0 .text C:\Windows\system32\atieclxx.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000007fb7b213701 5 bytes JMP 000007fbfb3e0330 .text C:\Windows\system32\atieclxx.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000007fb7b2137a1 5 bytes JMP 000007fbfb3e0410 .text C:\Windows\system32\atieclxx.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000007fb7b2137d1 5 bytes JMP 000007fbfb3e0240 .text C:\Windows\system32\atieclxx.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000007fb7b213ae1 5 bytes JMP 000007fbfb3e01e0 .text C:\Windows\system32\atieclxx.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000007fb7b213ba1 5 bytes JMP 000007fbfb3e0250 .text C:\Windows\system32\atieclxx.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000007fb7b213bd1 5 bytes JMP 000007fbfb3e0490 .text C:\Windows\system32\atieclxx.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000007fb7b213be1 5 bytes JMP 000007fbfb3e04a0 .text C:\Windows\system32\atieclxx.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000007fb7b213c11 5 bytes JMP 000007fbfb3e0300 .text C:\Windows\system32\atieclxx.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000007fb7b213c21 5 bytes JMP 000007fbfb3e0360 .text C:\Windows\system32\atieclxx.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000007fb7b213c81 5 bytes JMP 000007fbfb3e02a0 .text C:\Windows\system32\atieclxx.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000007fb7b213cd1 5 bytes JMP 000007fbfb3e02c0 .text C:\Windows\system32\atieclxx.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000007fb7b213d01 5 bytes JMP 000007fbfb3e0380 .text C:\Windows\system32\atieclxx.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000007fb7b213d11 5 bytes JMP 000007fbfb3e0340 .text C:\Windows\system32\atieclxx.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000007fb7b214021 5 bytes JMP 000007fbfb3e0440 .text C:\Windows\system32\atieclxx.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000007fb7b214221 5 bytes JMP 000007fbfb3e0260 .text C:\Windows\system32\atieclxx.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000007fb7b214231 5 bytes JMP 000007fbfb3e0270 .text C:\Windows\system32\atieclxx.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000007fb7b214251 5 bytes JMP 000007fbfb3e0400 .text C:\Windows\system32\atieclxx.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000007fb7b214431 5 bytes JMP 000007fbfb3e01f0 .text C:\Windows\system32\atieclxx.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000007fb7b214441 5 bytes JMP 000007fbfb3e0210 .text C:\Windows\system32\atieclxx.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000007fb7b2144b1 5 bytes JMP 000007fbfb3e0200 .text C:\Windows\system32\atieclxx.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000007fb7b214521 5 bytes JMP 000007fbfb3e0420 .text C:\Windows\system32\atieclxx.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000007fb7b214531 5 bytes JMP 000007fbfb3e0430 .text C:\Windows\system32\atieclxx.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000007fb7b214541 5 bytes JMP 000007fbfb3e0220 .text C:\Windows\system32\atieclxx.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000007fb7b214651 5 bytes JMP 000007fbfb3e0280 .text C:\Windows\system32\atieclxx.exe[1060] C:\Windows\system32\KERNEL32.DLL!GetBinaryTypeW + 163 000007fb7892f7eb 1 byte [62] .text C:\Windows\system32\atieclxx.exe[1060] C:\Windows\system32\PSAPI.DLL!GetProcessImageFileNameA + 306 000007fb7891177a 4 bytes [91, 78, FB, 07] .text C:\Windows\system32\atieclxx.exe[1060] C:\Windows\system32\PSAPI.DLL!GetProcessImageFileNameA + 314 000007fb78911782 4 bytes [91, 78, FB, 07] .text C:\Windows\system32\atieclxx.exe[1060] C:\Windows\system32\WSOCK32.dll!recvfrom + 742 000007fb747f1b32 4 bytes [7F, 74, FB, 07] .text C:\Windows\system32\atieclxx.exe[1060] C:\Windows\system32\WSOCK32.dll!recvfrom + 750 000007fb747f1b3a 4 bytes [7F, 74, FB, 07] .text C:\Windows\System32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000007fb7b212c90 5 bytes JMP 000007fbfb3e0460 .text C:\Windows\System32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000007fb7b212ce0 5 bytes JMP 000007fbfb3e0450 .text C:\Windows\System32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000007fb7b212e40 5 bytes JMP 000007fbfb3e0370 .text C:\Windows\System32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000007fb7b212e90 5 bytes JMP 000007fbfb3e0470 .text C:\Windows\System32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000007fb7b212ea0 5 bytes JMP 000007fbfb3e03e0 .text C:\Windows\System32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000007fb7b212f50 5 bytes JMP 000007fbfb3e0320 .text C:\Windows\System32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000007fb7b212f80 5 bytes JMP 000007fbfb3e03b0 .text C:\Windows\System32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000007fb7b212fa0 5 bytes JMP 000007fbfb3e0390 .text C:\Windows\System32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000007fb7b212fe0 5 bytes JMP 000007fbfb3e02e0 .text C:\Windows\System32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000007fb7b213060 5 bytes JMP 000007fbfb3e02d0 .text C:\Windows\System32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000007fb7b213080 1 byte JMP 000007fbfb3e0310 .text C:\Windows\System32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection + 2 000007fb7b213082 3 bytes {JMP 0xffffffff801cd290} .text C:\Windows\System32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000007fb7b2130c0 5 bytes JMP 000007fbfb3e03c0 .text C:\Windows\System32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000007fb7b213110 5 bytes JMP 000007fbfb3e03f0 .text C:\Windows\System32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000007fb7b213281 5 bytes JMP 000007fbfb3e0230 .text C:\Windows\System32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000007fb7b213471 5 bytes JMP 000007fbfb3e0480 .text C:\Windows\System32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000007fb7b2134a1 5 bytes JMP 000007fbfb3e03a0 .text C:\Windows\System32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000007fb7b2135b1 5 bytes JMP 000007fbfb3e02f0 .text C:\Windows\System32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000007fb7b2135d1 5 bytes JMP 000007fbfb3e0350 .text C:\Windows\System32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000007fb7b213641 5 bytes JMP 000007fbfb3e0290 .text C:\Windows\System32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000007fb7b2136d1 5 bytes JMP 000007fbfb3e02b0 .text C:\Windows\System32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000007fb7b2136f1 5 bytes JMP 000007fbfb3e03d0 .text C:\Windows\System32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000007fb7b213701 5 bytes JMP 000007fbfb3e0330 .text C:\Windows\System32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000007fb7b2137a1 5 bytes JMP 000007fbfb3e0410 .text C:\Windows\System32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000007fb7b2137d1 5 bytes JMP 000007fbfb3e0240 .text C:\Windows\System32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000007fb7b213ae1 5 bytes JMP 000007fbfb3e01e0 .text C:\Windows\System32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000007fb7b213ba1 5 bytes JMP 000007fbfb3e0250 .text C:\Windows\System32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000007fb7b213bd1 5 bytes JMP 000007fbfb3e0490 .text C:\Windows\System32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000007fb7b213be1 5 bytes JMP 000007fbfb3e04a0 .text C:\Windows\System32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000007fb7b213c11 5 bytes JMP 000007fbfb3e0300 .text C:\Windows\System32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000007fb7b213c21 5 bytes JMP 000007fbfb3e0360 .text C:\Windows\System32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000007fb7b213c81 5 bytes JMP 000007fbfb3e02a0 .text C:\Windows\System32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000007fb7b213cd1 5 bytes JMP 000007fbfb3e02c0 .text C:\Windows\System32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000007fb7b213d01 5 bytes JMP 000007fbfb3e0380 .text C:\Windows\System32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000007fb7b213d11 5 bytes JMP 000007fbfb3e0340 .text C:\Windows\System32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000007fb7b214021 5 bytes JMP 000007fbfb3e0440 .text C:\Windows\System32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000007fb7b214221 5 bytes JMP 000007fbfb3e0260 .text C:\Windows\System32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000007fb7b214231 5 bytes JMP 000007fbfb3e0270 .text C:\Windows\System32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000007fb7b214251 5 bytes JMP 000007fbfb3e0400 .text C:\Windows\System32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000007fb7b214431 5 bytes JMP 000007fbfb3e01f0 .text C:\Windows\System32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000007fb7b214441 5 bytes JMP 000007fbfb3e0210 .text C:\Windows\System32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000007fb7b2144b1 5 bytes JMP 000007fbfb3e0200 .text C:\Windows\System32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000007fb7b214521 5 bytes JMP 000007fbfb3e0420 .text C:\Windows\System32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000007fb7b214531 5 bytes JMP 000007fbfb3e0430 .text C:\Windows\System32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000007fb7b214541 5 bytes JMP 000007fbfb3e0220 .text C:\Windows\System32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000007fb7b214651 5 bytes JMP 000007fbfb3e0280 .text C:\Windows\System32\svchost.exe[1100] C:\Windows\system32\KERNEL32.DLL!GetBinaryTypeW + 163 000007fb7892f7eb 1 byte [62] .text C:\Program Files\IDT\WDM\STacSV64.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000007fb7b212c90 5 bytes JMP 000007fbfb3e0460 .text C:\Program Files\IDT\WDM\STacSV64.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000007fb7b212ce0 5 bytes JMP 000007fbfb3e0450 .text C:\Program Files\IDT\WDM\STacSV64.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000007fb7b212e40 5 bytes JMP 000007fbfb3e0370 .text C:\Program Files\IDT\WDM\STacSV64.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000007fb7b212e90 5 bytes JMP 000007fbfb3e0470 .text C:\Program Files\IDT\WDM\STacSV64.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000007fb7b212ea0 5 bytes JMP 000007fbfb3e03e0 .text C:\Program Files\IDT\WDM\STacSV64.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000007fb7b212f50 5 bytes JMP 000007fbfb3e0320 .text C:\Program Files\IDT\WDM\STacSV64.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000007fb7b212f80 5 bytes JMP 000007fbfb3e03b0 .text C:\Program Files\IDT\WDM\STacSV64.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000007fb7b212fa0 5 bytes JMP 000007fbfb3e0390 .text C:\Program Files\IDT\WDM\STacSV64.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000007fb7b212fe0 5 bytes JMP 000007fbfb3e02e0 .text C:\Program Files\IDT\WDM\STacSV64.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000007fb7b213060 5 bytes JMP 000007fbfb3e02d0 .text C:\Program Files\IDT\WDM\STacSV64.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000007fb7b213080 1 byte JMP 000007fbfb3e0310 .text C:\Program Files\IDT\WDM\STacSV64.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection + 2 000007fb7b213082 3 bytes {JMP 0xffffffff801cd290} .text C:\Program Files\IDT\WDM\STacSV64.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000007fb7b2130c0 5 bytes JMP 000007fbfb3e03c0 .text C:\Program Files\IDT\WDM\STacSV64.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000007fb7b213110 5 bytes JMP 000007fbfb3e03f0 .text C:\Program Files\IDT\WDM\STacSV64.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000007fb7b213281 5 bytes JMP 000007fbfb3e0230 .text C:\Program Files\IDT\WDM\STacSV64.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000007fb7b213471 5 bytes JMP 000007fbfb3e0480 .text C:\Program Files\IDT\WDM\STacSV64.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000007fb7b2134a1 5 bytes JMP 000007fbfb3e03a0 .text C:\Program Files\IDT\WDM\STacSV64.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000007fb7b2135b1 5 bytes JMP 000007fbfb3e02f0 .text C:\Program Files\IDT\WDM\STacSV64.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000007fb7b2135d1 5 bytes JMP 000007fbfb3e0350 .text C:\Program Files\IDT\WDM\STacSV64.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000007fb7b213641 5 bytes JMP 000007fbfb3e0290 .text C:\Program Files\IDT\WDM\STacSV64.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000007fb7b2136d1 5 bytes JMP 000007fbfb3e02b0 .text C:\Program Files\IDT\WDM\STacSV64.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000007fb7b2136f1 5 bytes JMP 000007fbfb3e03d0 .text C:\Program Files\IDT\WDM\STacSV64.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000007fb7b213701 5 bytes JMP 000007fbfb3e0330 .text C:\Program Files\IDT\WDM\STacSV64.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000007fb7b2137a1 5 bytes JMP 000007fbfb3e0410 .text C:\Program Files\IDT\WDM\STacSV64.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000007fb7b2137d1 5 bytes JMP 000007fbfb3e0240 .text C:\Program Files\IDT\WDM\STacSV64.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000007fb7b213ae1 5 bytes JMP 000007fbfb3e01e0 .text C:\Program Files\IDT\WDM\STacSV64.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000007fb7b213ba1 5 bytes JMP 000007fbfb3e0250 .text C:\Program Files\IDT\WDM\STacSV64.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000007fb7b213bd1 5 bytes JMP 000007fbfb3e0490 .text C:\Program Files\IDT\WDM\STacSV64.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000007fb7b213be1 5 bytes JMP 000007fbfb3e04a0 .text C:\Program Files\IDT\WDM\STacSV64.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000007fb7b213c11 5 bytes JMP 000007fbfb3e0300 .text C:\Program Files\IDT\WDM\STacSV64.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000007fb7b213c21 5 bytes JMP 000007fbfb3e0360 .text C:\Program Files\IDT\WDM\STacSV64.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000007fb7b213c81 5 bytes JMP 000007fbfb3e02a0 .text C:\Program Files\IDT\WDM\STacSV64.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000007fb7b213cd1 5 bytes JMP 000007fbfb3e02c0 .text C:\Program Files\IDT\WDM\STacSV64.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000007fb7b213d01 5 bytes JMP 000007fbfb3e0380 .text C:\Program Files\IDT\WDM\STacSV64.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000007fb7b213d11 5 bytes JMP 000007fbfb3e0340 .text C:\Program Files\IDT\WDM\STacSV64.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000007fb7b214021 5 bytes JMP 000007fbfb3e0440 .text C:\Program Files\IDT\WDM\STacSV64.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000007fb7b214221 5 bytes JMP 000007fbfb3e0260 .text C:\Program Files\IDT\WDM\STacSV64.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000007fb7b214231 5 bytes JMP 000007fbfb3e0270 .text C:\Program Files\IDT\WDM\STacSV64.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000007fb7b214251 5 bytes JMP 000007fbfb3e0400 .text C:\Program Files\IDT\WDM\STacSV64.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000007fb7b214431 5 bytes JMP 000007fbfb3e01f0 .text C:\Program Files\IDT\WDM\STacSV64.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000007fb7b214441 5 bytes JMP 000007fbfb3e0210 .text C:\Program Files\IDT\WDM\STacSV64.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000007fb7b2144b1 5 bytes JMP 000007fbfb3e0200 .text C:\Program Files\IDT\WDM\STacSV64.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000007fb7b214521 5 bytes JMP 000007fbfb3e0420 .text C:\Program Files\IDT\WDM\STacSV64.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000007fb7b214531 5 bytes JMP 000007fbfb3e0430 .text C:\Program Files\IDT\WDM\STacSV64.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000007fb7b214541 5 bytes JMP 000007fbfb3e0220 .text C:\Program Files\IDT\WDM\STacSV64.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000007fb7b214651 5 bytes JMP 000007fbfb3e0280 .text C:\Program Files\IDT\WDM\STacSV64.exe[1164] C:\Windows\system32\KERNEL32.DLL!GetBinaryTypeW + 163 000007fb7892f7eb 1 byte [62] .text C:\Windows\system32\Hpservice.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000007fb7b212c90 5 bytes JMP 000007fbfb3e0460 .text C:\Windows\system32\Hpservice.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000007fb7b212ce0 5 bytes JMP 000007fbfb3e0450 .text C:\Windows\system32\Hpservice.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000007fb7b212e40 5 bytes JMP 000007fbfb3e0370 .text C:\Windows\system32\Hpservice.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000007fb7b212e90 5 bytes JMP 000007fbfb3e0470 .text C:\Windows\system32\Hpservice.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000007fb7b212ea0 5 bytes JMP 000007fbfb3e03e0 .text C:\Windows\system32\Hpservice.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000007fb7b212f50 5 bytes JMP 000007fbfb3e0320 .text C:\Windows\system32\Hpservice.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000007fb7b212f80 5 bytes JMP 000007fbfb3e03b0 .text C:\Windows\system32\Hpservice.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000007fb7b212fa0 5 bytes JMP 000007fbfb3e0390 .text C:\Windows\system32\Hpservice.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000007fb7b212fe0 5 bytes JMP 000007fbfb3e02e0 .text C:\Windows\system32\Hpservice.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000007fb7b213060 5 bytes JMP 000007fbfb3e02d0 .text C:\Windows\system32\Hpservice.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000007fb7b213080 1 byte JMP 000007fbfb3e0310 .text C:\Windows\system32\Hpservice.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection + 2 000007fb7b213082 3 bytes {JMP 0xffffffff801cd290} .text C:\Windows\system32\Hpservice.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000007fb7b2130c0 5 bytes JMP 000007fbfb3e03c0 .text C:\Windows\system32\Hpservice.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000007fb7b213110 5 bytes JMP 000007fbfb3e03f0 .text C:\Windows\system32\Hpservice.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000007fb7b213281 5 bytes JMP 000007fbfb3e0230 .text C:\Windows\system32\Hpservice.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000007fb7b213471 5 bytes JMP 000007fbfb3e0480 .text C:\Windows\system32\Hpservice.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000007fb7b2134a1 5 bytes JMP 000007fbfb3e03a0 .text C:\Windows\system32\Hpservice.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000007fb7b2135b1 5 bytes JMP 000007fbfb3e02f0 .text C:\Windows\system32\Hpservice.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000007fb7b2135d1 5 bytes JMP 000007fbfb3e0350 .text C:\Windows\system32\Hpservice.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000007fb7b213641 5 bytes JMP 000007fbfb3e0290 .text C:\Windows\system32\Hpservice.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000007fb7b2136d1 5 bytes JMP 000007fbfb3e02b0 .text C:\Windows\system32\Hpservice.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000007fb7b2136f1 5 bytes JMP 000007fbfb3e03d0 .text C:\Windows\system32\Hpservice.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000007fb7b213701 5 bytes JMP 000007fbfb3e0330 .text C:\Windows\system32\Hpservice.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000007fb7b2137a1 5 bytes JMP 000007fbfb3e0410 .text C:\Windows\system32\Hpservice.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000007fb7b2137d1 5 bytes JMP 000007fbfb3e0240 .text C:\Windows\system32\Hpservice.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000007fb7b213ae1 5 bytes JMP 000007fbfb3e01e0 .text C:\Windows\system32\Hpservice.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000007fb7b213ba1 5 bytes JMP 000007fbfb3e0250 .text C:\Windows\system32\Hpservice.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000007fb7b213bd1 5 bytes JMP 000007fbfb3e0490 .text C:\Windows\system32\Hpservice.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000007fb7b213be1 5 bytes JMP 000007fbfb3e04a0 .text C:\Windows\system32\Hpservice.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000007fb7b213c11 5 bytes JMP 000007fbfb3e0300 .text C:\Windows\system32\Hpservice.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000007fb7b213c21 5 bytes JMP 000007fbfb3e0360 .text C:\Windows\system32\Hpservice.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000007fb7b213c81 5 bytes JMP 000007fbfb3e02a0 .text C:\Windows\system32\Hpservice.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000007fb7b213cd1 5 bytes JMP 000007fbfb3e02c0 .text C:\Windows\system32\Hpservice.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000007fb7b213d01 5 bytes JMP 000007fbfb3e0380 .text C:\Windows\system32\Hpservice.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000007fb7b213d11 5 bytes JMP 000007fbfb3e0340 .text C:\Windows\system32\Hpservice.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000007fb7b214021 5 bytes JMP 000007fbfb3e0440 .text C:\Windows\system32\Hpservice.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000007fb7b214221 5 bytes JMP 000007fbfb3e0260 .text C:\Windows\system32\Hpservice.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000007fb7b214231 5 bytes JMP 000007fbfb3e0270 .text C:\Windows\system32\Hpservice.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000007fb7b214251 5 bytes JMP 000007fbfb3e0400 .text C:\Windows\system32\Hpservice.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000007fb7b214431 5 bytes JMP 000007fbfb3e01f0 .text C:\Windows\system32\Hpservice.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000007fb7b214441 5 bytes JMP 000007fbfb3e0210 .text C:\Windows\system32\Hpservice.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000007fb7b2144b1 5 bytes JMP 000007fbfb3e0200 .text C:\Windows\system32\Hpservice.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000007fb7b214521 5 bytes JMP 000007fbfb3e0420 .text C:\Windows\system32\Hpservice.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000007fb7b214531 5 bytes JMP 000007fbfb3e0430 .text C:\Windows\system32\Hpservice.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000007fb7b214541 5 bytes JMP 000007fbfb3e0220 .text C:\Windows\system32\Hpservice.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000007fb7b214651 5 bytes JMP 000007fbfb3e0280 .text C:\Windows\system32\svchost.exe[1376] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000007fb7b212c90 5 bytes JMP 000007fbfb3e0460 .text C:\Windows\system32\svchost.exe[1376] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000007fb7b212ce0 5 bytes JMP 000007fbfb3e0450 .text C:\Windows\system32\svchost.exe[1376] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000007fb7b212e40 5 bytes JMP 000007fbfb3e0370 .text C:\Windows\system32\svchost.exe[1376] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000007fb7b212e90 5 bytes JMP 000007fbfb3e0470 .text C:\Windows\system32\svchost.exe[1376] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000007fb7b212ea0 5 bytes JMP 000007fbfb3e03e0 .text C:\Windows\system32\svchost.exe[1376] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000007fb7b212f50 5 bytes JMP 000007fbfb3e0320 .text C:\Windows\system32\svchost.exe[1376] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000007fb7b212f80 5 bytes JMP 000007fbfb3e03b0 .text C:\Windows\system32\svchost.exe[1376] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000007fb7b212fa0 5 bytes JMP 000007fbfb3e0390 .text C:\Windows\system32\svchost.exe[1376] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000007fb7b212fe0 5 bytes JMP 000007fbfb3e02e0 .text C:\Windows\system32\svchost.exe[1376] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000007fb7b213060 5 bytes JMP 000007fbfb3e02d0 .text C:\Windows\system32\svchost.exe[1376] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000007fb7b213080 1 byte JMP 000007fbfb3e0310 .text C:\Windows\system32\svchost.exe[1376] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection + 2 000007fb7b213082 3 bytes {JMP 0xffffffff801cd290} .text C:\Windows\system32\svchost.exe[1376] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000007fb7b2130c0 5 bytes JMP 000007fbfb3e03c0 .text C:\Windows\system32\svchost.exe[1376] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000007fb7b213110 5 bytes JMP 000007fbfb3e03f0 .text C:\Windows\system32\svchost.exe[1376] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000007fb7b213281 5 bytes JMP 000007fbfb3e0230 .text C:\Windows\system32\svchost.exe[1376] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000007fb7b213471 5 bytes JMP 000007fbfb3e0480 .text C:\Windows\system32\svchost.exe[1376] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000007fb7b2134a1 5 bytes JMP 000007fbfb3e03a0 .text C:\Windows\system32\svchost.exe[1376] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000007fb7b2135b1 5 bytes JMP 000007fbfb3e02f0 .text C:\Windows\system32\svchost.exe[1376] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000007fb7b2135d1 5 bytes JMP 000007fbfb3e0350 .text C:\Windows\system32\svchost.exe[1376] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000007fb7b213641 5 bytes JMP 000007fbfb3e0290 .text C:\Windows\system32\svchost.exe[1376] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000007fb7b2136d1 5 bytes JMP 000007fbfb3e02b0 .text C:\Windows\system32\svchost.exe[1376] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000007fb7b2136f1 5 bytes JMP 000007fbfb3e03d0 .text C:\Windows\system32\svchost.exe[1376] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000007fb7b213701 5 bytes JMP 000007fbfb3e0330 .text C:\Windows\system32\svchost.exe[1376] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000007fb7b2137a1 5 bytes JMP 000007fbfb3e0410 .text C:\Windows\system32\svchost.exe[1376] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000007fb7b2137d1 5 bytes JMP 000007fbfb3e0240 .text C:\Windows\system32\svchost.exe[1376] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000007fb7b213ae1 5 bytes JMP 000007fbfb3e01e0 .text C:\Windows\system32\svchost.exe[1376] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000007fb7b213ba1 5 bytes JMP 000007fbfb3e0250 .text C:\Windows\system32\svchost.exe[1376] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000007fb7b213bd1 5 bytes JMP 000007fbfb3e0490 .text C:\Windows\system32\svchost.exe[1376] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000007fb7b213be1 5 bytes JMP 000007fbfb3e04a0 .text C:\Windows\system32\svchost.exe[1376] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000007fb7b213c11 5 bytes JMP 000007fbfb3e0300 .text C:\Windows\system32\svchost.exe[1376] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000007fb7b213c21 5 bytes JMP 000007fbfb3e0360 .text C:\Windows\system32\svchost.exe[1376] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000007fb7b213c81 5 bytes JMP 000007fbfb3e02a0 .text C:\Windows\system32\svchost.exe[1376] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000007fb7b213cd1 5 bytes JMP 000007fbfb3e02c0 .text C:\Windows\system32\svchost.exe[1376] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000007fb7b213d01 5 bytes JMP 000007fbfb3e0380 .text C:\Windows\system32\svchost.exe[1376] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000007fb7b213d11 5 bytes JMP 000007fbfb3e0340 .text C:\Windows\system32\svchost.exe[1376] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000007fb7b214021 5 bytes JMP 000007fbfb3e0440 .text C:\Windows\system32\svchost.exe[1376] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000007fb7b214221 5 bytes JMP 000007fbfb3e0260 .text C:\Windows\system32\svchost.exe[1376] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000007fb7b214231 5 bytes JMP 000007fbfb3e0270 .text C:\Windows\system32\svchost.exe[1376] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000007fb7b214251 5 bytes JMP 000007fbfb3e0400 .text C:\Windows\system32\svchost.exe[1376] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000007fb7b214431 5 bytes JMP 000007fbfb3e01f0 .text C:\Windows\system32\svchost.exe[1376] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000007fb7b214441 5 bytes JMP 000007fbfb3e0210 .text C:\Windows\system32\svchost.exe[1376] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000007fb7b2144b1 5 bytes JMP 000007fbfb3e0200 .text C:\Windows\system32\svchost.exe[1376] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000007fb7b214521 5 bytes JMP 000007fbfb3e0420 .text C:\Windows\system32\svchost.exe[1376] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000007fb7b214531 5 bytes JMP 000007fbfb3e0430 .text C:\Windows\system32\svchost.exe[1376] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000007fb7b214541 5 bytes JMP 000007fbfb3e0220 .text C:\Windows\system32\svchost.exe[1376] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000007fb7b214651 5 bytes JMP 000007fbfb3e0280 .text C:\Windows\system32\svchost.exe[1376] C:\Windows\system32\KERNEL32.DLL!GetBinaryTypeW + 163 000007fb7892f7eb 1 byte [62] .text C:\Windows\Explorer.EXE[1736] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000007fb7b212c90 5 bytes JMP 000007fbfb3e0460 .text C:\Windows\Explorer.EXE[1736] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000007fb7b212ce0 5 bytes JMP 000007fbfb3e0450 .text C:\Windows\Explorer.EXE[1736] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000007fb7b212e40 5 bytes JMP 000007fbfb3e0370 .text C:\Windows\Explorer.EXE[1736] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000007fb7b212e90 5 bytes JMP 000007fbfb3e0470 .text C:\Windows\Explorer.EXE[1736] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000007fb7b212ea0 5 bytes JMP 000007fbfb3e03e0 .text C:\Windows\Explorer.EXE[1736] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000007fb7b212f50 5 bytes JMP 000007fbfb3e0320 .text C:\Windows\Explorer.EXE[1736] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000007fb7b212f80 5 bytes JMP 000007fbfb3e03b0 .text C:\Windows\Explorer.EXE[1736] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000007fb7b212fa0 5 bytes JMP 000007fbfb3e0390 .text C:\Windows\Explorer.EXE[1736] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000007fb7b212fe0 5 bytes JMP 000007fbfb3e02e0 .text C:\Windows\Explorer.EXE[1736] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000007fb7b213060 5 bytes JMP 000007fbfb3e02d0 .text C:\Windows\Explorer.EXE[1736] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000007fb7b213080 1 byte JMP 000007fbfb3e0310 .text C:\Windows\Explorer.EXE[1736] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection + 2 000007fb7b213082 3 bytes {JMP 0xffffffff801cd290} .text C:\Windows\Explorer.EXE[1736] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000007fb7b2130c0 5 bytes JMP 000007fbfb3e03c0 .text C:\Windows\Explorer.EXE[1736] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000007fb7b213110 5 bytes JMP 000007fbfb3e03f0 .text C:\Windows\Explorer.EXE[1736] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000007fb7b213281 5 bytes JMP 000007fbfb3e0230 .text C:\Windows\Explorer.EXE[1736] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000007fb7b213471 5 bytes JMP 000007fbfb3e0480 .text C:\Windows\Explorer.EXE[1736] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000007fb7b2134a1 5 bytes JMP 000007fbfb3e03a0 .text C:\Windows\Explorer.EXE[1736] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000007fb7b2135b1 5 bytes JMP 000007fbfb3e02f0 .text C:\Windows\Explorer.EXE[1736] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000007fb7b2135d1 5 bytes JMP 000007fbfb3e0350 .text C:\Windows\Explorer.EXE[1736] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000007fb7b213641 5 bytes JMP 000007fbfb3e0290 .text C:\Windows\Explorer.EXE[1736] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000007fb7b2136d1 5 bytes JMP 000007fbfb3e02b0 .text C:\Windows\Explorer.EXE[1736] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000007fb7b2136f1 5 bytes JMP 000007fbfb3e03d0 .text C:\Windows\Explorer.EXE[1736] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000007fb7b213701 5 bytes JMP 000007fbfb3e0330 .text C:\Windows\Explorer.EXE[1736] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000007fb7b2137a1 5 bytes JMP 000007fbfb3e0410 .text C:\Windows\Explorer.EXE[1736] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000007fb7b2137d1 5 bytes JMP 000007fbfb3e0240 .text C:\Windows\Explorer.EXE[1736] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000007fb7b213ae1 5 bytes JMP 000007fbfb3e01e0 .text C:\Windows\Explorer.EXE[1736] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000007fb7b213ba1 5 bytes JMP 000007fbfb3e0250 .text C:\Windows\Explorer.EXE[1736] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000007fb7b213bd1 5 bytes JMP 000007fbfb3e0490 .text C:\Windows\Explorer.EXE[1736] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000007fb7b213be1 5 bytes JMP 000007fbfb3e04a0 .text C:\Windows\Explorer.EXE[1736] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000007fb7b213c11 5 bytes JMP 000007fbfb3e0300 .text C:\Windows\Explorer.EXE[1736] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000007fb7b213c21 5 bytes JMP 000007fbfb3e0360 .text C:\Windows\Explorer.EXE[1736] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000007fb7b213c81 5 bytes JMP 000007fbfb3e02a0 .text C:\Windows\Explorer.EXE[1736] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000007fb7b213cd1 5 bytes JMP 000007fbfb3e02c0 .text C:\Windows\Explorer.EXE[1736] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000007fb7b213d01 5 bytes JMP 000007fbfb3e0380 .text C:\Windows\Explorer.EXE[1736] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000007fb7b213d11 5 bytes JMP 000007fbfb3e0340 .text C:\Windows\Explorer.EXE[1736] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000007fb7b214021 5 bytes JMP 000007fbfb3e0440 .text C:\Windows\Explorer.EXE[1736] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000007fb7b214221 5 bytes JMP 000007fbfb3e0260 .text C:\Windows\Explorer.EXE[1736] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000007fb7b214231 5 bytes JMP 000007fbfb3e0270 .text C:\Windows\Explorer.EXE[1736] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000007fb7b214251 5 bytes JMP 000007fbfb3e0400 .text C:\Windows\Explorer.EXE[1736] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000007fb7b214431 5 bytes JMP 000007fbfb3e01f0 .text C:\Windows\Explorer.EXE[1736] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000007fb7b214441 5 bytes JMP 000007fbfb3e0210 .text C:\Windows\Explorer.EXE[1736] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000007fb7b2144b1 5 bytes JMP 000007fbfb3e0200 .text C:\Windows\Explorer.EXE[1736] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000007fb7b214521 5 bytes JMP 000007fbfb3e0420 .text C:\Windows\Explorer.EXE[1736] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000007fb7b214531 5 bytes JMP 000007fbfb3e0430 .text C:\Windows\Explorer.EXE[1736] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000007fb7b214541 5 bytes JMP 000007fbfb3e0220 .text C:\Windows\Explorer.EXE[1736] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000007fb7b214651 5 bytes JMP 000007fbfb3e0280 .text C:\Windows\Explorer.EXE[1736] C:\Windows\system32\KERNEL32.DLL!GetBinaryTypeW + 163 000007fb7892f7eb 1 byte [62] .text C:\Windows\System32\spoolsv.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000007fb7b212c90 5 bytes JMP 000007fbfb3e0460 .text C:\Windows\System32\spoolsv.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000007fb7b212ce0 5 bytes JMP 000007fbfb3e0450 .text C:\Windows\System32\spoolsv.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000007fb7b212e40 5 bytes JMP 000007fbfb3e0370 .text C:\Windows\System32\spoolsv.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000007fb7b212e90 5 bytes JMP 000007fbfb3e0470 .text C:\Windows\System32\spoolsv.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000007fb7b212ea0 5 bytes JMP 000007fbfb3e03e0 .text C:\Windows\System32\spoolsv.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000007fb7b212f50 5 bytes JMP 000007fbfb3e0320 .text C:\Windows\System32\spoolsv.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000007fb7b212f80 5 bytes JMP 000007fbfb3e03b0 .text C:\Windows\System32\spoolsv.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000007fb7b212fa0 5 bytes JMP 000007fbfb3e0390 .text C:\Windows\System32\spoolsv.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000007fb7b212fe0 5 bytes JMP 000007fbfb3e02e0 .text C:\Windows\System32\spoolsv.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000007fb7b213060 5 bytes JMP 000007fbfb3e02d0 .text C:\Windows\System32\spoolsv.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000007fb7b213080 1 byte JMP 000007fbfb3e0310 .text C:\Windows\System32\spoolsv.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection + 2 000007fb7b213082 3 bytes {JMP 0xffffffff801cd290} .text C:\Windows\System32\spoolsv.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000007fb7b2130c0 5 bytes JMP 000007fbfb3e03c0 .text C:\Windows\System32\spoolsv.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000007fb7b213110 5 bytes JMP 000007fbfb3e03f0 .text C:\Windows\System32\spoolsv.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000007fb7b213281 5 bytes JMP 000007fbfb3e0230 .text C:\Windows\System32\spoolsv.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000007fb7b213471 5 bytes JMP 000007fbfb3e0480 .text C:\Windows\System32\spoolsv.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000007fb7b2134a1 5 bytes JMP 000007fbfb3e03a0 .text C:\Windows\System32\spoolsv.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000007fb7b2135b1 5 bytes JMP 000007fbfb3e02f0 .text C:\Windows\System32\spoolsv.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000007fb7b2135d1 5 bytes JMP 000007fbfb3e0350 .text C:\Windows\System32\spoolsv.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000007fb7b213641 5 bytes JMP 000007fbfb3e0290 .text C:\Windows\System32\spoolsv.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000007fb7b2136d1 5 bytes JMP 000007fbfb3e02b0 .text C:\Windows\System32\spoolsv.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000007fb7b2136f1 5 bytes JMP 000007fbfb3e03d0 .text C:\Windows\System32\spoolsv.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000007fb7b213701 5 bytes JMP 000007fbfb3e0330 .text C:\Windows\System32\spoolsv.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000007fb7b2137a1 5 bytes JMP 000007fbfb3e0410 .text C:\Windows\System32\spoolsv.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000007fb7b2137d1 5 bytes JMP 000007fbfb3e0240 .text C:\Windows\System32\spoolsv.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000007fb7b213ae1 5 bytes JMP 000007fbfb3e01e0 .text C:\Windows\System32\spoolsv.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000007fb7b213ba1 5 bytes JMP 000007fbfb3e0250 .text C:\Windows\System32\spoolsv.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000007fb7b213bd1 5 bytes JMP 000007fbfb3e0490 .text C:\Windows\System32\spoolsv.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000007fb7b213be1 5 bytes JMP 000007fbfb3e04a0 .text C:\Windows\System32\spoolsv.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000007fb7b213c11 5 bytes JMP 000007fbfb3e0300 .text C:\Windows\System32\spoolsv.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000007fb7b213c21 5 bytes JMP 000007fbfb3e0360 .text C:\Windows\System32\spoolsv.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000007fb7b213c81 5 bytes JMP 000007fbfb3e02a0 .text C:\Windows\System32\spoolsv.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000007fb7b213cd1 5 bytes JMP 000007fbfb3e02c0 .text C:\Windows\System32\spoolsv.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000007fb7b213d01 5 bytes JMP 000007fbfb3e0380 .text C:\Windows\System32\spoolsv.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000007fb7b213d11 5 bytes JMP 000007fbfb3e0340 .text C:\Windows\System32\spoolsv.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000007fb7b214021 5 bytes JMP 000007fbfb3e0440 .text C:\Windows\System32\spoolsv.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000007fb7b214221 5 bytes JMP 000007fbfb3e0260 .text C:\Windows\System32\spoolsv.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000007fb7b214231 5 bytes JMP 000007fbfb3e0270 .text C:\Windows\System32\spoolsv.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000007fb7b214251 5 bytes JMP 000007fbfb3e0400 .text C:\Windows\System32\spoolsv.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000007fb7b214431 5 bytes JMP 000007fbfb3e01f0 .text C:\Windows\System32\spoolsv.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000007fb7b214441 5 bytes JMP 000007fbfb3e0210 .text C:\Windows\System32\spoolsv.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000007fb7b2144b1 5 bytes JMP 000007fbfb3e0200 .text C:\Windows\System32\spoolsv.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000007fb7b214521 5 bytes JMP 000007fbfb3e0420 .text C:\Windows\System32\spoolsv.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000007fb7b214531 5 bytes JMP 000007fbfb3e0430 .text C:\Windows\System32\spoolsv.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000007fb7b214541 5 bytes JMP 000007fbfb3e0220 .text C:\Windows\System32\spoolsv.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000007fb7b214651 5 bytes JMP 000007fbfb3e0280 .text C:\Windows\System32\spoolsv.exe[1132] C:\Windows\system32\KERNEL32.DLL!GetBinaryTypeW + 163 000007fb7892f7eb 1 byte [62] .text C:\Windows\system32\svchost.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000007fb7b212c90 5 bytes JMP 000007fbfb3e0460 .text C:\Windows\system32\svchost.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000007fb7b212ce0 5 bytes JMP 000007fbfb3e0450 .text C:\Windows\system32\svchost.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000007fb7b212e40 5 bytes JMP 000007fbfb3e0370 .text C:\Windows\system32\svchost.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000007fb7b212e90 5 bytes JMP 000007fbfb3e0470 .text C:\Windows\system32\svchost.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000007fb7b212ea0 5 bytes JMP 000007fbfb3e03e0 .text C:\Windows\system32\svchost.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000007fb7b212f50 5 bytes JMP 000007fbfb3e0320 .text C:\Windows\system32\svchost.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000007fb7b212f80 5 bytes JMP 000007fbfb3e03b0 .text C:\Windows\system32\svchost.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000007fb7b212fa0 5 bytes JMP 000007fbfb3e0390 .text C:\Windows\system32\svchost.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000007fb7b212fe0 5 bytes JMP 000007fbfb3e02e0 .text C:\Windows\system32\svchost.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000007fb7b213060 5 bytes JMP 000007fbfb3e02d0 .text C:\Windows\system32\svchost.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000007fb7b213080 1 byte JMP 000007fbfb3e0310 .text C:\Windows\system32\svchost.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection + 2 000007fb7b213082 3 bytes {JMP 0xffffffff801cd290} .text C:\Windows\system32\svchost.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000007fb7b2130c0 5 bytes JMP 000007fbfb3e03c0 .text C:\Windows\system32\svchost.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000007fb7b213110 5 bytes JMP 000007fbfb3e03f0 .text C:\Windows\system32\svchost.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000007fb7b213281 5 bytes JMP 000007fbfb3e0230 .text C:\Windows\system32\svchost.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000007fb7b213471 5 bytes JMP 000007fbfb3e0480 .text C:\Windows\system32\svchost.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000007fb7b2134a1 5 bytes JMP 000007fbfb3e03a0 .text C:\Windows\system32\svchost.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000007fb7b2135b1 5 bytes JMP 000007fbfb3e02f0 .text C:\Windows\system32\svchost.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000007fb7b2135d1 5 bytes JMP 000007fbfb3e0350 .text C:\Windows\system32\svchost.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000007fb7b213641 5 bytes JMP 000007fbfb3e0290 .text C:\Windows\system32\svchost.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000007fb7b2136d1 5 bytes JMP 000007fbfb3e02b0 .text C:\Windows\system32\svchost.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000007fb7b2136f1 5 bytes JMP 000007fbfb3e03d0 .text C:\Windows\system32\svchost.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000007fb7b213701 5 bytes JMP 000007fbfb3e0330 .text C:\Windows\system32\svchost.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000007fb7b2137a1 5 bytes JMP 000007fbfb3e0410 .text C:\Windows\system32\svchost.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000007fb7b2137d1 5 bytes JMP 000007fbfb3e0240 .text C:\Windows\system32\svchost.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000007fb7b213ae1 5 bytes JMP 000007fbfb3e01e0 .text C:\Windows\system32\svchost.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000007fb7b213ba1 5 bytes JMP 000007fbfb3e0250 .text C:\Windows\system32\svchost.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000007fb7b213bd1 5 bytes JMP 000007fbfb3e0490 .text C:\Windows\system32\svchost.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000007fb7b213be1 5 bytes JMP 000007fbfb3e04a0 .text C:\Windows\system32\svchost.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000007fb7b213c11 5 bytes JMP 000007fbfb3e0300 .text C:\Windows\system32\svchost.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000007fb7b213c21 5 bytes JMP 000007fbfb3e0360 .text C:\Windows\system32\svchost.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000007fb7b213c81 5 bytes JMP 000007fbfb3e02a0 .text C:\Windows\system32\svchost.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000007fb7b213cd1 5 bytes JMP 000007fbfb3e02c0 .text C:\Windows\system32\svchost.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000007fb7b213d01 5 bytes JMP 000007fbfb3e0380 .text C:\Windows\system32\svchost.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000007fb7b213d11 5 bytes JMP 000007fbfb3e0340 .text C:\Windows\system32\svchost.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000007fb7b214021 5 bytes JMP 000007fbfb3e0440 .text C:\Windows\system32\svchost.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000007fb7b214221 5 bytes JMP 000007fbfb3e0260 .text C:\Windows\system32\svchost.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000007fb7b214231 5 bytes JMP 000007fbfb3e0270 .text C:\Windows\system32\svchost.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000007fb7b214251 5 bytes JMP 000007fbfb3e0400 .text C:\Windows\system32\svchost.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000007fb7b214431 5 bytes JMP 000007fbfb3e01f0 .text C:\Windows\system32\svchost.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000007fb7b214441 5 bytes JMP 000007fbfb3e0210 .text C:\Windows\system32\svchost.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000007fb7b2144b1 5 bytes JMP 000007fbfb3e0200 .text C:\Windows\system32\svchost.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000007fb7b214521 5 bytes JMP 000007fbfb3e0420 .text C:\Windows\system32\svchost.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000007fb7b214531 5 bytes JMP 000007fbfb3e0430 .text C:\Windows\system32\svchost.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000007fb7b214541 5 bytes JMP 000007fbfb3e0220 .text C:\Windows\system32\svchost.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000007fb7b214651 5 bytes JMP 000007fbfb3e0280 .text C:\Windows\system32\svchost.exe[1472] C:\Windows\system32\KERNEL32.DLL!GetBinaryTypeW + 163 000007fb7892f7eb 1 byte [62] .text C:\Windows\system32\svchost.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000007fb7b212c90 5 bytes JMP 000007fbfb3e0460 .text C:\Windows\system32\svchost.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000007fb7b212ce0 5 bytes JMP 000007fbfb3e0450 .text C:\Windows\system32\svchost.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000007fb7b212e40 5 bytes JMP 000007fbfb3e0370 .text C:\Windows\system32\svchost.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000007fb7b212e90 5 bytes JMP 000007fbfb3e0470 .text C:\Windows\system32\svchost.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000007fb7b212ea0 5 bytes JMP 000007fbfb3e03e0 .text C:\Windows\system32\svchost.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000007fb7b212f50 5 bytes JMP 000007fbfb3e0320 .text C:\Windows\system32\svchost.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000007fb7b212f80 5 bytes JMP 000007fbfb3e03b0 .text C:\Windows\system32\svchost.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000007fb7b212fa0 5 bytes JMP 000007fbfb3e0390 .text C:\Windows\system32\svchost.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000007fb7b212fe0 5 bytes JMP 000007fbfb3e02e0 .text C:\Windows\system32\svchost.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000007fb7b213060 5 bytes JMP 000007fbfb3e02d0 .text C:\Windows\system32\svchost.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000007fb7b213080 1 byte JMP 000007fbfb3e0310 .text C:\Windows\system32\svchost.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection + 2 000007fb7b213082 3 bytes {JMP 0xffffffff801cd290} .text C:\Windows\system32\svchost.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000007fb7b2130c0 5 bytes JMP 000007fbfb3e03c0 .text C:\Windows\system32\svchost.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000007fb7b213110 5 bytes JMP 000007fbfb3e03f0 .text C:\Windows\system32\svchost.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000007fb7b213281 5 bytes JMP 000007fbfb3e0230 .text C:\Windows\system32\svchost.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000007fb7b213471 5 bytes JMP 000007fbfb3e0480 .text C:\Windows\system32\svchost.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000007fb7b2134a1 5 bytes JMP 000007fbfb3e03a0 .text C:\Windows\system32\svchost.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000007fb7b2135b1 5 bytes JMP 000007fbfb3e02f0 .text C:\Windows\system32\svchost.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000007fb7b2135d1 5 bytes JMP 000007fbfb3e0350 .text C:\Windows\system32\svchost.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000007fb7b213641 5 bytes JMP 000007fbfb3e0290 .text C:\Windows\system32\svchost.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000007fb7b2136d1 5 bytes JMP 000007fbfb3e02b0 .text C:\Windows\system32\svchost.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000007fb7b2136f1 5 bytes JMP 000007fbfb3e03d0 .text C:\Windows\system32\svchost.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000007fb7b213701 5 bytes JMP 000007fbfb3e0330 .text C:\Windows\system32\svchost.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000007fb7b2137a1 5 bytes JMP 000007fbfb3e0410 .text C:\Windows\system32\svchost.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000007fb7b2137d1 5 bytes JMP 000007fbfb3e0240 .text C:\Windows\system32\svchost.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000007fb7b213ae1 5 bytes JMP 000007fbfb3e01e0 .text C:\Windows\system32\svchost.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000007fb7b213ba1 5 bytes JMP 000007fbfb3e0250 .text C:\Windows\system32\svchost.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000007fb7b213bd1 5 bytes JMP 000007fbfb3e0490 .text C:\Windows\system32\svchost.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000007fb7b213be1 5 bytes JMP 000007fbfb3e04a0 .text C:\Windows\system32\svchost.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000007fb7b213c11 5 bytes JMP 000007fbfb3e0300 .text C:\Windows\system32\svchost.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000007fb7b213c21 5 bytes JMP 000007fbfb3e0360 .text C:\Windows\system32\svchost.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000007fb7b213c81 5 bytes JMP 000007fbfb3e02a0 .text C:\Windows\system32\svchost.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000007fb7b213cd1 5 bytes JMP 000007fbfb3e02c0 .text C:\Windows\system32\svchost.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000007fb7b213d01 5 bytes JMP 000007fbfb3e0380 .text C:\Windows\system32\svchost.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000007fb7b213d11 5 bytes JMP 000007fbfb3e0340 .text C:\Windows\system32\svchost.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000007fb7b214021 5 bytes JMP 000007fbfb3e0440 .text C:\Windows\system32\svchost.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000007fb7b214221 5 bytes JMP 000007fbfb3e0260 .text C:\Windows\system32\svchost.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000007fb7b214231 5 bytes JMP 000007fbfb3e0270 .text C:\Windows\system32\svchost.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000007fb7b214251 5 bytes JMP 000007fbfb3e0400 .text C:\Windows\system32\svchost.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000007fb7b214431 5 bytes JMP 000007fbfb3e01f0 .text C:\Windows\system32\svchost.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000007fb7b214441 5 bytes JMP 000007fbfb3e0210 .text C:\Windows\system32\svchost.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000007fb7b2144b1 5 bytes JMP 000007fbfb3e0200 .text C:\Windows\system32\svchost.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000007fb7b214521 5 bytes JMP 000007fbfb3e0420 .text C:\Windows\system32\svchost.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000007fb7b214531 5 bytes JMP 000007fbfb3e0430 .text C:\Windows\system32\svchost.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000007fb7b214541 5 bytes JMP 000007fbfb3e0220 .text C:\Windows\system32\svchost.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000007fb7b214651 5 bytes JMP 000007fbfb3e0280 .text C:\Windows\system32\svchost.exe[856] C:\Windows\system32\KERNEL32.DLL!GetBinaryTypeW + 163 000007fb7892f7eb 1 byte [62] ? C:\Windows\SYSTEM32\BsHelpCSps.dll [528] entry point in ".data" section 0000000001365055 .text C:\Windows\system32\taskhostex.exe[1676] C:\Windows\system32\KERNEL32.DLL!GetBinaryTypeW + 163 000007fb7892f7eb 1 byte [62] .text C:\Program Files\Bonjour\mDNSResponder.exe[2100] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000007fb7b212c90 5 bytes JMP 000007fbfb3e0460 .text C:\Program Files\Bonjour\mDNSResponder.exe[2100] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000007fb7b212ce0 5 bytes JMP 000007fbfb3e0450 .text C:\Program Files\Bonjour\mDNSResponder.exe[2100] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000007fb7b212e40 5 bytes JMP 000007fbfb3e0370 .text C:\Program Files\Bonjour\mDNSResponder.exe[2100] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000007fb7b212e90 5 bytes JMP 000007fbfb3e0470 .text C:\Program Files\Bonjour\mDNSResponder.exe[2100] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000007fb7b212ea0 5 bytes JMP 000007fbfb3e03e0 .text C:\Program Files\Bonjour\mDNSResponder.exe[2100] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000007fb7b212f50 5 bytes JMP 000007fbfb3e0320 .text C:\Program Files\Bonjour\mDNSResponder.exe[2100] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000007fb7b212f80 5 bytes JMP 000007fbfb3e03b0 .text C:\Program Files\Bonjour\mDNSResponder.exe[2100] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000007fb7b212fa0 5 bytes JMP 000007fbfb3e0390 .text C:\Program Files\Bonjour\mDNSResponder.exe[2100] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000007fb7b212fe0 5 bytes JMP 000007fbfb3e02e0 .text C:\Program Files\Bonjour\mDNSResponder.exe[2100] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000007fb7b213060 5 bytes JMP 000007fbfb3e02d0 .text C:\Program Files\Bonjour\mDNSResponder.exe[2100] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000007fb7b213080 1 byte JMP 000007fbfb3e0310 .text C:\Program Files\Bonjour\mDNSResponder.exe[2100] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection + 2 000007fb7b213082 3 bytes {JMP 0xffffffff801cd290} .text C:\Program Files\Bonjour\mDNSResponder.exe[2100] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000007fb7b2130c0 5 bytes JMP 000007fbfb3e03c0 .text C:\Program Files\Bonjour\mDNSResponder.exe[2100] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000007fb7b213110 5 bytes JMP 000007fbfb3e03f0 .text C:\Program Files\Bonjour\mDNSResponder.exe[2100] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000007fb7b213281 5 bytes JMP 000007fbfb3e0230 .text C:\Program Files\Bonjour\mDNSResponder.exe[2100] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000007fb7b213471 5 bytes JMP 000007fbfb3e0480 .text C:\Program Files\Bonjour\mDNSResponder.exe[2100] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000007fb7b2134a1 5 bytes JMP 000007fbfb3e03a0 .text C:\Program Files\Bonjour\mDNSResponder.exe[2100] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000007fb7b2135b1 5 bytes JMP 000007fbfb3e02f0 .text C:\Program Files\Bonjour\mDNSResponder.exe[2100] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000007fb7b2135d1 5 bytes JMP 000007fbfb3e0350 .text C:\Program Files\Bonjour\mDNSResponder.exe[2100] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000007fb7b213641 5 bytes JMP 000007fbfb3e0290 .text C:\Program Files\Bonjour\mDNSResponder.exe[2100] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000007fb7b2136d1 5 bytes JMP 000007fbfb3e02b0 .text C:\Program Files\Bonjour\mDNSResponder.exe[2100] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000007fb7b2136f1 5 bytes JMP 000007fbfb3e03d0 .text C:\Program Files\Bonjour\mDNSResponder.exe[2100] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000007fb7b213701 5 bytes JMP 000007fbfb3e0330 .text C:\Program Files\Bonjour\mDNSResponder.exe[2100] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000007fb7b2137a1 5 bytes JMP 000007fbfb3e0410 .text C:\Program Files\Bonjour\mDNSResponder.exe[2100] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000007fb7b2137d1 5 bytes JMP 000007fbfb3e0240 .text C:\Program Files\Bonjour\mDNSResponder.exe[2100] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000007fb7b213ae1 5 bytes JMP 000007fbfb3e01e0 .text C:\Program Files\Bonjour\mDNSResponder.exe[2100] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000007fb7b213ba1 5 bytes JMP 000007fbfb3e0250 .text C:\Program Files\Bonjour\mDNSResponder.exe[2100] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000007fb7b213bd1 5 bytes JMP 000007fbfb3e0490 .text C:\Program Files\Bonjour\mDNSResponder.exe[2100] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000007fb7b213be1 5 bytes JMP 000007fbfb3e04a0 .text C:\Program Files\Bonjour\mDNSResponder.exe[2100] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000007fb7b213c11 5 bytes JMP 000007fbfb3e0300 .text C:\Program Files\Bonjour\mDNSResponder.exe[2100] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000007fb7b213c21 5 bytes JMP 000007fbfb3e0360 .text C:\Program Files\Bonjour\mDNSResponder.exe[2100] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000007fb7b213c81 5 bytes JMP 000007fbfb3e02a0 .text C:\Program Files\Bonjour\mDNSResponder.exe[2100] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000007fb7b213cd1 5 bytes JMP 000007fbfb3e02c0 .text C:\Program Files\Bonjour\mDNSResponder.exe[2100] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000007fb7b213d01 5 bytes JMP 000007fbfb3e0380 .text C:\Program Files\Bonjour\mDNSResponder.exe[2100] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000007fb7b213d11 5 bytes JMP 000007fbfb3e0340 .text C:\Program Files\Bonjour\mDNSResponder.exe[2100] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000007fb7b214021 5 bytes JMP 000007fbfb3e0440 .text C:\Program Files\Bonjour\mDNSResponder.exe[2100] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000007fb7b214221 5 bytes JMP 000007fbfb3e0260 .text C:\Program Files\Bonjour\mDNSResponder.exe[2100] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000007fb7b214231 5 bytes JMP 000007fbfb3e0270 .text C:\Program Files\Bonjour\mDNSResponder.exe[2100] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000007fb7b214251 5 bytes JMP 000007fbfb3e0400 .text C:\Program Files\Bonjour\mDNSResponder.exe[2100] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000007fb7b214431 5 bytes JMP 000007fbfb3e01f0 .text C:\Program Files\Bonjour\mDNSResponder.exe[2100] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000007fb7b214441 5 bytes JMP 000007fbfb3e0210 .text C:\Program Files\Bonjour\mDNSResponder.exe[2100] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000007fb7b2144b1 5 bytes JMP 000007fbfb3e0200 .text C:\Program Files\Bonjour\mDNSResponder.exe[2100] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000007fb7b214521 5 bytes JMP 000007fbfb3e0420 .text C:\Program Files\Bonjour\mDNSResponder.exe[2100] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000007fb7b214531 5 bytes JMP 000007fbfb3e0430 .text C:\Program Files\Bonjour\mDNSResponder.exe[2100] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000007fb7b214541 5 bytes JMP 000007fbfb3e0220 .text C:\Program Files\Bonjour\mDNSResponder.exe[2100] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000007fb7b214651 5 bytes JMP 000007fbfb3e0280 .text C:\Program Files\Bonjour\mDNSResponder.exe[2100] C:\Windows\system32\KERNEL32.DLL!GetBinaryTypeW + 163 000007fb7892f7eb 1 byte [62] .text C:\Windows\system32\dashost.exe[2324] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000007fb7b212c90 5 bytes JMP 000007fbfb3e0460 .text C:\Windows\system32\dashost.exe[2324] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000007fb7b212ce0 5 bytes JMP 000007fbfb3e0450 .text C:\Windows\system32\dashost.exe[2324] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000007fb7b212e40 5 bytes JMP 000007fbfb3e0370 .text C:\Windows\system32\dashost.exe[2324] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000007fb7b212e90 5 bytes JMP 000007fbfb3e0470 .text C:\Windows\system32\dashost.exe[2324] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000007fb7b212ea0 5 bytes JMP 000007fbfb3e03e0 .text C:\Windows\system32\dashost.exe[2324] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000007fb7b212f50 5 bytes JMP 000007fbfb3e0320 .text C:\Windows\system32\dashost.exe[2324] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000007fb7b212f80 5 bytes JMP 000007fbfb3e03b0 .text C:\Windows\system32\dashost.exe[2324] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000007fb7b212fa0 5 bytes JMP 000007fbfb3e0390 .text C:\Windows\system32\dashost.exe[2324] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000007fb7b212fe0 5 bytes JMP 000007fbfb3e02e0 .text C:\Windows\system32\dashost.exe[2324] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000007fb7b213060 5 bytes JMP 000007fbfb3e02d0 .text C:\Windows\system32\dashost.exe[2324] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000007fb7b213080 1 byte JMP 000007fbfb3e0310 .text C:\Windows\system32\dashost.exe[2324] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection + 2 000007fb7b213082 3 bytes {JMP 0xffffffff801cd290} .text C:\Windows\system32\dashost.exe[2324] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000007fb7b2130c0 5 bytes JMP 000007fbfb3e03c0 .text C:\Windows\system32\dashost.exe[2324] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000007fb7b213110 5 bytes JMP 000007fbfb3e03f0 .text C:\Windows\system32\dashost.exe[2324] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000007fb7b213281 5 bytes JMP 000007fbfb3e0230 .text C:\Windows\system32\dashost.exe[2324] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000007fb7b213471 5 bytes JMP 000007fbfb3e0480 .text C:\Windows\system32\dashost.exe[2324] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000007fb7b2134a1 5 bytes JMP 000007fbfb3e03a0 .text C:\Windows\system32\dashost.exe[2324] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000007fb7b2135b1 5 bytes JMP 000007fbfb3e02f0 .text C:\Windows\system32\dashost.exe[2324] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000007fb7b2135d1 5 bytes JMP 000007fbfb3e0350 .text C:\Windows\system32\dashost.exe[2324] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000007fb7b213641 5 bytes JMP 000007fbfb3e0290 .text C:\Windows\system32\dashost.exe[2324] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000007fb7b2136d1 5 bytes JMP 000007fbfb3e02b0 .text C:\Windows\system32\dashost.exe[2324] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000007fb7b2136f1 5 bytes JMP 000007fbfb3e03d0 .text C:\Windows\system32\dashost.exe[2324] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000007fb7b213701 5 bytes JMP 000007fbfb3e0330 .text C:\Windows\system32\dashost.exe[2324] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000007fb7b2137a1 5 bytes JMP 000007fbfb3e0410 .text C:\Windows\system32\dashost.exe[2324] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000007fb7b2137d1 5 bytes JMP 000007fbfb3e0240 .text C:\Windows\system32\dashost.exe[2324] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000007fb7b213ae1 5 bytes JMP 000007fbfb3e01e0 .text C:\Windows\system32\dashost.exe[2324] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000007fb7b213ba1 5 bytes JMP 000007fbfb3e0250 .text C:\Windows\system32\dashost.exe[2324] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000007fb7b213bd1 5 bytes JMP 000007fbfb3e0490 .text C:\Windows\system32\dashost.exe[2324] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000007fb7b213be1 5 bytes JMP 000007fbfb3e04a0 .text C:\Windows\system32\dashost.exe[2324] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000007fb7b213c11 5 bytes JMP 000007fbfb3e0300 .text C:\Windows\system32\dashost.exe[2324] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000007fb7b213c21 5 bytes JMP 000007fbfb3e0360 .text C:\Windows\system32\dashost.exe[2324] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000007fb7b213c81 5 bytes JMP 000007fbfb3e02a0 .text C:\Windows\system32\dashost.exe[2324] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000007fb7b213cd1 5 bytes JMP 000007fbfb3e02c0 .text C:\Windows\system32\dashost.exe[2324] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000007fb7b213d01 5 bytes JMP 000007fbfb3e0380 .text C:\Windows\system32\dashost.exe[2324] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000007fb7b213d11 5 bytes JMP 000007fbfb3e0340 .text C:\Windows\system32\dashost.exe[2324] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000007fb7b214021 5 bytes JMP 000007fbfb3e0440 .text C:\Windows\system32\dashost.exe[2324] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000007fb7b214221 5 bytes JMP 000007fbfb3e0260 .text C:\Windows\system32\dashost.exe[2324] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000007fb7b214231 5 bytes JMP 000007fbfb3e0270 .text C:\Windows\system32\dashost.exe[2324] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000007fb7b214251 5 bytes JMP 000007fbfb3e0400 .text C:\Windows\system32\dashost.exe[2324] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000007fb7b214431 5 bytes JMP 000007fbfb3e01f0 .text C:\Windows\system32\dashost.exe[2324] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000007fb7b214441 5 bytes JMP 000007fbfb3e0210 .text C:\Windows\system32\dashost.exe[2324] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000007fb7b2144b1 5 bytes JMP 000007fbfb3e0200 .text C:\Windows\system32\dashost.exe[2324] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000007fb7b214521 5 bytes JMP 000007fbfb3e0420 .text C:\Windows\system32\dashost.exe[2324] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000007fb7b214531 5 bytes JMP 000007fbfb3e0430 .text C:\Windows\system32\dashost.exe[2324] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000007fb7b214541 5 bytes JMP 000007fbfb3e0220 .text C:\Windows\system32\dashost.exe[2324] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000007fb7b214651 5 bytes JMP 000007fbfb3e0280 .text C:\Windows\system32\dashost.exe[2324] C:\Windows\system32\KERNEL32.DLL!GetBinaryTypeW + 163 000007fb7892f7eb 1 byte [62] .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2432] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000007fb7b212c90 5 bytes JMP 000007fbfb3e0460 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2432] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000007fb7b212ce0 5 bytes JMP 000007fbfb3e0450 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2432] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000007fb7b212e40 5 bytes JMP 000007fbfb3e0370 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2432] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000007fb7b212e90 5 bytes JMP 000007fbfb3e0470 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2432] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000007fb7b212ea0 5 bytes JMP 000007fbfb3e03e0 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2432] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000007fb7b212f50 5 bytes JMP 000007fbfb3e0320 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2432] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000007fb7b212f80 5 bytes JMP 000007fbfb3e03b0 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2432] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000007fb7b212fa0 5 bytes JMP 000007fbfb3e0390 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2432] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000007fb7b212fe0 5 bytes JMP 000007fbfb3e02e0 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2432] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000007fb7b213060 5 bytes JMP 000007fbfb3e02d0 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2432] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000007fb7b213080 1 byte JMP 000007fbfb3e0310 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2432] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection + 2 000007fb7b213082 3 bytes {JMP 0xffffffff801cd290} .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2432] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000007fb7b2130c0 5 bytes JMP 000007fbfb3e03c0 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2432] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000007fb7b213110 5 bytes JMP 000007fbfb3e03f0 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2432] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000007fb7b213281 5 bytes JMP 000007fbfb3e0230 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2432] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000007fb7b213471 5 bytes JMP 000007fbfb3e0480 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2432] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000007fb7b2134a1 5 bytes JMP 000007fbfb3e03a0 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2432] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000007fb7b2135b1 5 bytes JMP 000007fbfb3e02f0 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2432] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000007fb7b2135d1 5 bytes JMP 000007fbfb3e0350 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2432] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000007fb7b213641 5 bytes JMP 000007fbfb3e0290 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2432] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000007fb7b2136d1 5 bytes JMP 000007fbfb3e02b0 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2432] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000007fb7b2136f1 5 bytes JMP 000007fbfb3e03d0 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2432] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000007fb7b213701 5 bytes JMP 000007fbfb3e0330 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2432] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000007fb7b2137a1 5 bytes JMP 000007fbfb3e0410 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2432] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000007fb7b2137d1 5 bytes JMP 000007fbfb3e0240 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2432] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000007fb7b213ae1 5 bytes JMP 000007fbfb3e01e0 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2432] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000007fb7b213ba1 5 bytes JMP 000007fbfb3e0250 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2432] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000007fb7b213bd1 5 bytes JMP 000007fbfb3e0490 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2432] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000007fb7b213be1 5 bytes JMP 000007fbfb3e04a0 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2432] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000007fb7b213c11 5 bytes JMP 000007fbfb3e0300 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2432] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000007fb7b213c21 5 bytes JMP 000007fbfb3e0360 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2432] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000007fb7b213c81 5 bytes JMP 000007fbfb3e02a0 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2432] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000007fb7b213cd1 5 bytes JMP 000007fbfb3e02c0 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2432] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000007fb7b213d01 5 bytes JMP 000007fbfb3e0380 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2432] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000007fb7b213d11 5 bytes JMP 000007fbfb3e0340 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2432] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000007fb7b214021 5 bytes JMP 000007fbfb3e0440 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2432] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000007fb7b214221 5 bytes JMP 000007fbfb3e0260 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2432] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000007fb7b214231 5 bytes JMP 000007fbfb3e0270 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2432] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000007fb7b214251 5 bytes JMP 000007fbfb3e0400 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2432] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000007fb7b214431 5 bytes JMP 000007fbfb3e01f0 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2432] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000007fb7b214441 5 bytes JMP 000007fbfb3e0210 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2432] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000007fb7b2144b1 5 bytes JMP 000007fbfb3e0200 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2432] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000007fb7b214521 5 bytes JMP 000007fbfb3e0420 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2432] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000007fb7b214531 5 bytes JMP 000007fbfb3e0430 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2432] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000007fb7b214541 5 bytes JMP 000007fbfb3e0220 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2432] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000007fb7b214651 5 bytes JMP 000007fbfb3e0280 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2432] C:\Windows\system32\KERNEL32.DLL!GetBinaryTypeW + 163 000007fb7892f7eb 1 byte [62] .text C:\Windows\system32\svchost.exe[2624] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000007fb7b212c90 5 bytes JMP 000007fbfb3e0460 .text C:\Windows\system32\svchost.exe[2624] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000007fb7b212ce0 5 bytes JMP 000007fbfb3e0450 .text C:\Windows\system32\svchost.exe[2624] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000007fb7b212e40 5 bytes JMP 000007fbfb3e0370 .text C:\Windows\system32\svchost.exe[2624] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000007fb7b212e90 5 bytes JMP 000007fbfb3e0470 .text C:\Windows\system32\svchost.exe[2624] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000007fb7b212ea0 5 bytes JMP 000007fbfb3e03e0 .text C:\Windows\system32\svchost.exe[2624] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000007fb7b212f50 5 bytes JMP 000007fbfb3e0320 .text C:\Windows\system32\svchost.exe[2624] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000007fb7b212f80 5 bytes JMP 000007fbfb3e03b0 .text C:\Windows\system32\svchost.exe[2624] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000007fb7b212fa0 5 bytes JMP 000007fbfb3e0390 .text C:\Windows\system32\svchost.exe[2624] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000007fb7b212fe0 5 bytes JMP 000007fbfb3e02e0 .text C:\Windows\system32\svchost.exe[2624] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000007fb7b213060 5 bytes JMP 000007fbfb3e02d0 .text C:\Windows\system32\svchost.exe[2624] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000007fb7b213080 1 byte JMP 000007fbfb3e0310 .text C:\Windows\system32\svchost.exe[2624] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection + 2 000007fb7b213082 3 bytes {JMP 0xffffffff801cd290} .text C:\Windows\system32\svchost.exe[2624] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000007fb7b2130c0 5 bytes JMP 000007fbfb3e03c0 .text C:\Windows\system32\svchost.exe[2624] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000007fb7b213110 5 bytes JMP 000007fbfb3e03f0 .text C:\Windows\system32\svchost.exe[2624] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000007fb7b213281 5 bytes JMP 000007fbfb3e0230 .text C:\Windows\system32\svchost.exe[2624] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000007fb7b213471 5 bytes JMP 000007fbfb3e0480 .text C:\Windows\system32\svchost.exe[2624] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000007fb7b2134a1 5 bytes JMP 000007fbfb3e03a0 .text C:\Windows\system32\svchost.exe[2624] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000007fb7b2135b1 5 bytes JMP 000007fbfb3e02f0 .text C:\Windows\system32\svchost.exe[2624] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000007fb7b2135d1 5 bytes JMP 000007fbfb3e0350 .text C:\Windows\system32\svchost.exe[2624] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000007fb7b213641 5 bytes JMP 000007fbfb3e0290 .text C:\Windows\system32\svchost.exe[2624] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000007fb7b2136d1 5 bytes JMP 000007fbfb3e02b0 .text C:\Windows\system32\svchost.exe[2624] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000007fb7b2136f1 5 bytes JMP 000007fbfb3e03d0 .text C:\Windows\system32\svchost.exe[2624] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000007fb7b213701 5 bytes JMP 000007fbfb3e0330 .text C:\Windows\system32\svchost.exe[2624] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000007fb7b2137a1 5 bytes JMP 000007fbfb3e0410 .text C:\Windows\system32\svchost.exe[2624] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000007fb7b2137d1 5 bytes JMP 000007fbfb3e0240 .text C:\Windows\system32\svchost.exe[2624] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000007fb7b213ae1 5 bytes JMP 000007fbfb3e01e0 .text C:\Windows\system32\svchost.exe[2624] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000007fb7b213ba1 5 bytes JMP 000007fbfb3e0250 .text C:\Windows\system32\svchost.exe[2624] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000007fb7b213bd1 5 bytes JMP 000007fbfb3e0490 .text C:\Windows\system32\svchost.exe[2624] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000007fb7b213be1 5 bytes JMP 000007fbfb3e04a0 .text C:\Windows\system32\svchost.exe[2624] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000007fb7b213c11 5 bytes JMP 000007fbfb3e0300 .text C:\Windows\system32\svchost.exe[2624] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000007fb7b213c21 5 bytes JMP 000007fbfb3e0360 .text C:\Windows\system32\svchost.exe[2624] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000007fb7b213c81 5 bytes JMP 000007fbfb3e02a0 .text C:\Windows\system32\svchost.exe[2624] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000007fb7b213cd1 5 bytes JMP 000007fbfb3e02c0 .text C:\Windows\system32\svchost.exe[2624] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000007fb7b213d01 5 bytes JMP 000007fbfb3e0380 .text C:\Windows\system32\svchost.exe[2624] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000007fb7b213d11 5 bytes JMP 000007fbfb3e0340 .text C:\Windows\system32\svchost.exe[2624] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000007fb7b214021 5 bytes JMP 000007fbfb3e0440 .text C:\Windows\system32\svchost.exe[2624] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000007fb7b214221 5 bytes JMP 000007fbfb3e0260 .text C:\Windows\system32\svchost.exe[2624] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000007fb7b214231 5 bytes JMP 000007fbfb3e0270 .text C:\Windows\system32\svchost.exe[2624] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000007fb7b214251 5 bytes JMP 000007fbfb3e0400 .text C:\Windows\system32\svchost.exe[2624] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000007fb7b214431 5 bytes JMP 000007fbfb3e01f0 .text C:\Windows\system32\svchost.exe[2624] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000007fb7b214441 5 bytes JMP 000007fbfb3e0210 .text C:\Windows\system32\svchost.exe[2624] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000007fb7b2144b1 5 bytes JMP 000007fbfb3e0200 .text C:\Windows\system32\svchost.exe[2624] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000007fb7b214521 5 bytes JMP 000007fbfb3e0420 .text C:\Windows\system32\svchost.exe[2624] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000007fb7b214531 5 bytes JMP 000007fbfb3e0430 .text C:\Windows\system32\svchost.exe[2624] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000007fb7b214541 5 bytes JMP 000007fbfb3e0220 .text C:\Windows\system32\svchost.exe[2624] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000007fb7b214651 5 bytes JMP 000007fbfb3e0280 .text C:\Windows\system32\svchost.exe[2624] C:\Windows\system32\KERNEL32.DLL!GetBinaryTypeW + 163 000007fb7892f7eb 1 byte [62] .text C:\Windows\System32\hkcmd.exe[2656] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000007fb7b212c90 5 bytes JMP 000007fbfb3e0460 .text C:\Windows\System32\hkcmd.exe[2656] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000007fb7b212ce0 5 bytes JMP 000007fbfb3e0450 .text C:\Windows\System32\hkcmd.exe[2656] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000007fb7b212e40 5 bytes JMP 000007fbfb3e0370 .text C:\Windows\System32\hkcmd.exe[2656] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000007fb7b212e90 5 bytes JMP 000007fbfb3e0470 .text C:\Windows\System32\hkcmd.exe[2656] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000007fb7b212ea0 5 bytes JMP 000007fbfb3e03e0 .text C:\Windows\System32\hkcmd.exe[2656] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000007fb7b212f50 5 bytes JMP 000007fbfb3e0320 .text C:\Windows\System32\hkcmd.exe[2656] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000007fb7b212f80 5 bytes JMP 000007fbfb3e03b0 .text C:\Windows\System32\hkcmd.exe[2656] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000007fb7b212fa0 5 bytes JMP 000007fbfb3e0390 .text C:\Windows\System32\hkcmd.exe[2656] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000007fb7b212fe0 5 bytes JMP 000007fbfb3e02e0 .text C:\Windows\System32\hkcmd.exe[2656] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000007fb7b213060 5 bytes JMP 000007fbfb3e02d0 .text C:\Windows\System32\hkcmd.exe[2656] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000007fb7b213080 1 byte JMP 000007fbfb3e0310 .text C:\Windows\System32\hkcmd.exe[2656] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection + 2 000007fb7b213082 3 bytes {JMP 0xffffffff801cd290} .text C:\Windows\System32\hkcmd.exe[2656] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000007fb7b2130c0 5 bytes JMP 000007fbfb3e03c0 .text C:\Windows\System32\hkcmd.exe[2656] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000007fb7b213110 5 bytes JMP 000007fbfb3e03f0 .text C:\Windows\System32\hkcmd.exe[2656] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000007fb7b213281 5 bytes JMP 000007fbfb3e0230 .text C:\Windows\System32\hkcmd.exe[2656] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000007fb7b213471 5 bytes JMP 000007fbfb3e0480 .text C:\Windows\System32\hkcmd.exe[2656] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000007fb7b2134a1 5 bytes JMP 000007fbfb3e03a0 .text C:\Windows\System32\hkcmd.exe[2656] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000007fb7b2135b1 5 bytes JMP 000007fbfb3e02f0 .text C:\Windows\System32\hkcmd.exe[2656] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000007fb7b2135d1 5 bytes JMP 000007fbfb3e0350 .text C:\Windows\System32\hkcmd.exe[2656] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000007fb7b213641 5 bytes JMP 000007fbfb3e0290 .text C:\Windows\System32\hkcmd.exe[2656] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000007fb7b2136d1 5 bytes JMP 000007fbfb3e02b0 .text C:\Windows\System32\hkcmd.exe[2656] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000007fb7b2136f1 5 bytes JMP 000007fbfb3e03d0 .text C:\Windows\System32\hkcmd.exe[2656] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000007fb7b213701 5 bytes JMP 000007fbfb3e0330 .text C:\Windows\System32\hkcmd.exe[2656] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000007fb7b2137a1 5 bytes JMP 000007fbfb3e0410 .text C:\Windows\System32\hkcmd.exe[2656] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000007fb7b2137d1 5 bytes JMP 000007fbfb3e0240 .text C:\Windows\System32\hkcmd.exe[2656] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000007fb7b213ae1 5 bytes JMP 000007fbfb3e01e0 .text C:\Windows\System32\hkcmd.exe[2656] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000007fb7b213ba1 5 bytes JMP 000007fbfb3e0250 .text C:\Windows\System32\hkcmd.exe[2656] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000007fb7b213bd1 5 bytes JMP 000007fbfb3e0490 .text C:\Windows\System32\hkcmd.exe[2656] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000007fb7b213be1 5 bytes JMP 000007fbfb3e04a0 .text C:\Windows\System32\hkcmd.exe[2656] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000007fb7b213c11 5 bytes JMP 000007fbfb3e0300 .text C:\Windows\System32\hkcmd.exe[2656] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000007fb7b213c21 5 bytes JMP 000007fbfb3e0360 .text C:\Windows\System32\hkcmd.exe[2656] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000007fb7b213c81 5 bytes JMP 000007fbfb3e02a0 .text C:\Windows\System32\hkcmd.exe[2656] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000007fb7b213cd1 5 bytes JMP 000007fbfb3e02c0 .text C:\Windows\System32\hkcmd.exe[2656] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000007fb7b213d01 5 bytes JMP 000007fbfb3e0380 .text C:\Windows\System32\hkcmd.exe[2656] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000007fb7b213d11 5 bytes JMP 000007fbfb3e0340 .text C:\Windows\System32\hkcmd.exe[2656] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000007fb7b214021 5 bytes JMP 000007fbfb3e0440 .text C:\Windows\System32\hkcmd.exe[2656] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000007fb7b214221 5 bytes JMP 000007fbfb3e0260 .text C:\Windows\System32\hkcmd.exe[2656] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000007fb7b214231 5 bytes JMP 000007fbfb3e0270 .text C:\Windows\System32\hkcmd.exe[2656] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000007fb7b214251 5 bytes JMP 000007fbfb3e0400 .text C:\Windows\System32\hkcmd.exe[2656] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000007fb7b214431 5 bytes JMP 000007fbfb3e01f0 .text C:\Windows\System32\hkcmd.exe[2656] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000007fb7b214441 5 bytes JMP 000007fbfb3e0210 .text C:\Windows\System32\hkcmd.exe[2656] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000007fb7b2144b1 5 bytes JMP 000007fbfb3e0200 .text C:\Windows\System32\hkcmd.exe[2656] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000007fb7b214521 5 bytes JMP 000007fbfb3e0420 .text C:\Windows\System32\hkcmd.exe[2656] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000007fb7b214531 5 bytes JMP 000007fbfb3e0430 .text C:\Windows\System32\hkcmd.exe[2656] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000007fb7b214541 5 bytes JMP 000007fbfb3e0220 .text C:\Windows\System32\hkcmd.exe[2656] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000007fb7b214651 5 bytes JMP 000007fbfb3e0280 .text C:\Windows\System32\hkcmd.exe[2656] C:\Windows\system32\KERNEL32.DLL!GetBinaryTypeW + 163 000007fb7892f7eb 1 byte [62] .text C:\Windows\System32\igfxpers.exe[2076] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000007fb7b212c90 5 bytes JMP 000007fbfb3e0460 .text C:\Windows\System32\igfxpers.exe[2076] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000007fb7b212ce0 5 bytes JMP 000007fbfb3e0450 .text C:\Windows\System32\igfxpers.exe[2076] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000007fb7b212e40 5 bytes JMP 000007fbfb3e0370 .text C:\Windows\System32\igfxpers.exe[2076] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000007fb7b212e90 5 bytes JMP 000007fbfb3e0470 .text C:\Windows\System32\igfxpers.exe[2076] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000007fb7b212ea0 5 bytes JMP 000007fbfb3e03e0 .text C:\Windows\System32\igfxpers.exe[2076] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000007fb7b212f50 5 bytes JMP 000007fbfb3e0320 .text C:\Windows\System32\igfxpers.exe[2076] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000007fb7b212f80 5 bytes JMP 000007fbfb3e03b0 .text C:\Windows\System32\igfxpers.exe[2076] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000007fb7b212fa0 5 bytes JMP 000007fbfb3e0390 .text C:\Windows\System32\igfxpers.exe[2076] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000007fb7b212fe0 5 bytes JMP 000007fbfb3e02e0 .text C:\Windows\System32\igfxpers.exe[2076] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000007fb7b213060 5 bytes JMP 000007fbfb3e02d0 .text C:\Windows\System32\igfxpers.exe[2076] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000007fb7b213080 1 byte JMP 000007fbfb3e0310 .text C:\Windows\System32\igfxpers.exe[2076] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection + 2 000007fb7b213082 3 bytes {JMP 0xffffffff801cd290} .text C:\Windows\System32\igfxpers.exe[2076] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000007fb7b2130c0 5 bytes JMP 000007fbfb3e03c0 .text C:\Windows\System32\igfxpers.exe[2076] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000007fb7b213110 5 bytes JMP 000007fbfb3e03f0 .text C:\Windows\System32\igfxpers.exe[2076] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000007fb7b213281 5 bytes JMP 000007fbfb3e0230 .text C:\Windows\System32\igfxpers.exe[2076] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000007fb7b213471 5 bytes JMP 000007fbfb3e0480 .text C:\Windows\System32\igfxpers.exe[2076] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000007fb7b2134a1 5 bytes JMP 000007fbfb3e03a0 .text C:\Windows\System32\igfxpers.exe[2076] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000007fb7b2135b1 5 bytes JMP 000007fbfb3e02f0 .text C:\Windows\System32\igfxpers.exe[2076] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000007fb7b2135d1 5 bytes JMP 000007fbfb3e0350 .text C:\Windows\System32\igfxpers.exe[2076] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000007fb7b213641 5 bytes JMP 000007fbfb3e0290 .text C:\Windows\System32\igfxpers.exe[2076] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000007fb7b2136d1 5 bytes JMP 000007fbfb3e02b0 .text C:\Windows\System32\igfxpers.exe[2076] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000007fb7b2136f1 5 bytes JMP 000007fbfb3e03d0 .text C:\Windows\System32\igfxpers.exe[2076] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000007fb7b213701 5 bytes JMP 000007fbfb3e0330 .text C:\Windows\System32\igfxpers.exe[2076] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000007fb7b2137a1 5 bytes JMP 000007fbfb3e0410 .text C:\Windows\System32\igfxpers.exe[2076] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000007fb7b2137d1 5 bytes JMP 000007fbfb3e0240 .text C:\Windows\System32\igfxpers.exe[2076] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000007fb7b213ae1 5 bytes JMP 000007fbfb3e01e0 .text C:\Windows\System32\igfxpers.exe[2076] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000007fb7b213ba1 5 bytes JMP 000007fbfb3e0250 .text C:\Windows\System32\igfxpers.exe[2076] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000007fb7b213bd1 5 bytes JMP 000007fbfb3e0490 .text C:\Windows\System32\igfxpers.exe[2076] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000007fb7b213be1 5 bytes JMP 000007fbfb3e04a0 .text C:\Windows\System32\igfxpers.exe[2076] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000007fb7b213c11 5 bytes JMP 000007fbfb3e0300 .text C:\Windows\System32\igfxpers.exe[2076] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000007fb7b213c21 5 bytes JMP 000007fbfb3e0360 .text C:\Windows\System32\igfxpers.exe[2076] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000007fb7b213c81 5 bytes JMP 000007fbfb3e02a0 .text C:\Windows\System32\igfxpers.exe[2076] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000007fb7b213cd1 5 bytes JMP 000007fbfb3e02c0 .text C:\Windows\System32\igfxpers.exe[2076] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000007fb7b213d01 5 bytes JMP 000007fbfb3e0380 .text C:\Windows\System32\igfxpers.exe[2076] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000007fb7b213d11 5 bytes JMP 000007fbfb3e0340 .text C:\Windows\System32\igfxpers.exe[2076] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000007fb7b214021 5 bytes JMP 000007fbfb3e0440 .text C:\Windows\System32\igfxpers.exe[2076] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000007fb7b214221 5 bytes JMP 000007fbfb3e0260 .text C:\Windows\System32\igfxpers.exe[2076] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000007fb7b214231 5 bytes JMP 000007fbfb3e0270 .text C:\Windows\System32\igfxpers.exe[2076] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000007fb7b214251 5 bytes JMP 000007fbfb3e0400 .text C:\Windows\System32\igfxpers.exe[2076] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000007fb7b214431 5 bytes JMP 000007fbfb3e01f0 .text C:\Windows\System32\igfxpers.exe[2076] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000007fb7b214441 5 bytes JMP 000007fbfb3e0210 .text C:\Windows\System32\igfxpers.exe[2076] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000007fb7b2144b1 5 bytes JMP 000007fbfb3e0200 .text C:\Windows\System32\igfxpers.exe[2076] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000007fb7b214521 5 bytes JMP 000007fbfb3e0420 .text C:\Windows\System32\igfxpers.exe[2076] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000007fb7b214531 5 bytes JMP 000007fbfb3e0430 .text C:\Windows\System32\igfxpers.exe[2076] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000007fb7b214541 5 bytes JMP 000007fbfb3e0220 .text C:\Windows\System32\igfxpers.exe[2076] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000007fb7b214651 5 bytes JMP 000007fbfb3e0280 .text C:\Windows\System32\igfxpers.exe[2076] C:\Windows\system32\KERNEL32.DLL!GetBinaryTypeW + 163 000007fb7892f7eb 1 byte [62] .text C:\Windows\System32\igfxpers.exe[2076] C:\Windows\system32\PSAPI.DLL!GetProcessImageFileNameA + 306 000007fb7891177a 4 bytes [91, 78, FB, 07] .text C:\Windows\System32\igfxpers.exe[2076] C:\Windows\system32\PSAPI.DLL!GetProcessImageFileNameA + 314 000007fb78911782 4 bytes [91, 78, FB, 07] .text C:\Windows\system32\SearchIndexer.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000007fb7b212c90 5 bytes JMP 000007fbfb3e0460 .text C:\Windows\system32\SearchIndexer.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000007fb7b212ce0 5 bytes JMP 000007fbfb3e0450 .text C:\Windows\system32\SearchIndexer.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000007fb7b212e40 5 bytes JMP 000007fbfb3e0370 .text C:\Windows\system32\SearchIndexer.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000007fb7b212e90 5 bytes JMP 000007fbfb3e0470 .text C:\Windows\system32\SearchIndexer.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000007fb7b212ea0 5 bytes JMP 000007fbfb3e03e0 .text C:\Windows\system32\SearchIndexer.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000007fb7b212f50 5 bytes JMP 000007fbfb3e0320 .text C:\Windows\system32\SearchIndexer.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000007fb7b212f80 5 bytes JMP 000007fbfb3e03b0 .text C:\Windows\system32\SearchIndexer.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000007fb7b212fa0 5 bytes JMP 000007fbfb3e0390 .text C:\Windows\system32\SearchIndexer.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000007fb7b212fe0 5 bytes JMP 000007fbfb3e02e0 .text C:\Windows\system32\SearchIndexer.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000007fb7b213060 5 bytes JMP 000007fbfb3e02d0 .text C:\Windows\system32\SearchIndexer.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000007fb7b213080 1 byte JMP 000007fbfb3e0310 .text C:\Windows\system32\SearchIndexer.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection + 2 000007fb7b213082 3 bytes {JMP 0xffffffff801cd290} .text C:\Windows\system32\SearchIndexer.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000007fb7b2130c0 5 bytes JMP 000007fbfb3e03c0 .text C:\Windows\system32\SearchIndexer.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000007fb7b213110 5 bytes JMP 000007fbfb3e03f0 .text C:\Windows\system32\SearchIndexer.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000007fb7b213281 5 bytes JMP 000007fbfb3e0230 .text C:\Windows\system32\SearchIndexer.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000007fb7b213471 5 bytes JMP 000007fbfb3e0480 .text C:\Windows\system32\SearchIndexer.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000007fb7b2134a1 5 bytes JMP 000007fbfb3e03a0 .text C:\Windows\system32\SearchIndexer.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000007fb7b2135b1 5 bytes JMP 000007fbfb3e02f0 .text C:\Windows\system32\SearchIndexer.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000007fb7b2135d1 5 bytes JMP 000007fbfb3e0350 .text C:\Windows\system32\SearchIndexer.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000007fb7b213641 5 bytes JMP 000007fbfb3e0290 .text C:\Windows\system32\SearchIndexer.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000007fb7b2136d1 5 bytes JMP 000007fbfb3e02b0 .text C:\Windows\system32\SearchIndexer.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000007fb7b2136f1 5 bytes JMP 000007fbfb3e03d0 .text C:\Windows\system32\SearchIndexer.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000007fb7b213701 5 bytes JMP 000007fbfb3e0330 .text C:\Windows\system32\SearchIndexer.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000007fb7b2137a1 5 bytes JMP 000007fbfb3e0410 .text C:\Windows\system32\SearchIndexer.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000007fb7b2137d1 5 bytes JMP 000007fbfb3e0240 .text C:\Windows\system32\SearchIndexer.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000007fb7b213ae1 5 bytes JMP 000007fbfb3e01e0 .text C:\Windows\system32\SearchIndexer.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000007fb7b213ba1 5 bytes JMP 000007fbfb3e0250 .text C:\Windows\system32\SearchIndexer.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000007fb7b213bd1 5 bytes JMP 000007fbfb3e0490 .text C:\Windows\system32\SearchIndexer.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000007fb7b213be1 5 bytes JMP 000007fbfb3e04a0 .text C:\Windows\system32\SearchIndexer.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000007fb7b213c11 5 bytes JMP 000007fbfb3e0300 .text C:\Windows\system32\SearchIndexer.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000007fb7b213c21 5 bytes JMP 000007fbfb3e0360 .text C:\Windows\system32\SearchIndexer.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000007fb7b213c81 5 bytes JMP 000007fbfb3e02a0 .text C:\Windows\system32\SearchIndexer.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000007fb7b213cd1 5 bytes JMP 000007fbfb3e02c0 .text C:\Windows\system32\SearchIndexer.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000007fb7b213d01 5 bytes JMP 000007fbfb3e0380 .text C:\Windows\system32\SearchIndexer.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000007fb7b213d11 5 bytes JMP 000007fbfb3e0340 .text C:\Windows\system32\SearchIndexer.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000007fb7b214021 5 bytes JMP 000007fbfb3e0440 .text C:\Windows\system32\SearchIndexer.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000007fb7b214221 5 bytes JMP 000007fbfb3e0260 .text C:\Windows\system32\SearchIndexer.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000007fb7b214231 5 bytes JMP 000007fbfb3e0270 .text C:\Windows\system32\SearchIndexer.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000007fb7b214251 5 bytes JMP 000007fbfb3e0400 .text C:\Windows\system32\SearchIndexer.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000007fb7b214431 5 bytes JMP 000007fbfb3e01f0 .text C:\Windows\system32\SearchIndexer.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000007fb7b214441 5 bytes JMP 000007fbfb3e0210 .text C:\Windows\system32\SearchIndexer.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000007fb7b2144b1 5 bytes JMP 000007fbfb3e0200 .text C:\Windows\system32\SearchIndexer.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000007fb7b214521 5 bytes JMP 000007fbfb3e0420 .text C:\Windows\system32\SearchIndexer.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000007fb7b214531 5 bytes JMP 000007fbfb3e0430 .text C:\Windows\system32\SearchIndexer.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000007fb7b214541 5 bytes JMP 000007fbfb3e0220 .text C:\Windows\system32\SearchIndexer.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000007fb7b214651 5 bytes JMP 000007fbfb3e0280 .text C:\Windows\system32\SearchIndexer.exe[888] C:\Windows\system32\KERNEL32.DLL!GetBinaryTypeW + 163 000007fb7892f7eb 1 byte [62] .text C:\Program Files (x86)\Ralink Corporation\Ralink Bluetooth Stack\BsHelpCS.exe[3096] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000007fb7b212c90 5 bytes JMP 000007fbfb3e0460 .text C:\Program Files (x86)\Ralink Corporation\Ralink Bluetooth Stack\BsHelpCS.exe[3096] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000007fb7b212ce0 5 bytes JMP 000007fbfb3e0450 .text C:\Program Files (x86)\Ralink Corporation\Ralink Bluetooth Stack\BsHelpCS.exe[3096] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000007fb7b212e40 5 bytes JMP 000007fbfb3e0370 .text C:\Program Files (x86)\Ralink Corporation\Ralink Bluetooth Stack\BsHelpCS.exe[3096] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000007fb7b212e90 5 bytes JMP 000007fbfb3e0470 .text C:\Program Files (x86)\Ralink Corporation\Ralink Bluetooth Stack\BsHelpCS.exe[3096] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000007fb7b212ea0 5 bytes JMP 000007fbfb3e03e0 .text C:\Program Files (x86)\Ralink Corporation\Ralink Bluetooth Stack\BsHelpCS.exe[3096] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000007fb7b212f50 5 bytes JMP 000007fbfb3e0320 .text C:\Program Files (x86)\Ralink Corporation\Ralink Bluetooth Stack\BsHelpCS.exe[3096] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000007fb7b212f80 5 bytes JMP 000007fbfb3e03b0 .text C:\Program Files (x86)\Ralink Corporation\Ralink Bluetooth Stack\BsHelpCS.exe[3096] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000007fb7b212fa0 5 bytes JMP 000007fbfb3e0390 .text C:\Program Files (x86)\Ralink Corporation\Ralink Bluetooth Stack\BsHelpCS.exe[3096] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000007fb7b212fe0 5 bytes JMP 000007fbfb3e02e0 .text C:\Program Files (x86)\Ralink Corporation\Ralink Bluetooth Stack\BsHelpCS.exe[3096] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000007fb7b213060 5 bytes JMP 000007fbfb3e02d0 .text C:\Program Files (x86)\Ralink Corporation\Ralink Bluetooth Stack\BsHelpCS.exe[3096] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000007fb7b213080 1 byte JMP 000007fbfb3e0310 .text C:\Program Files (x86)\Ralink Corporation\Ralink Bluetooth Stack\BsHelpCS.exe[3096] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection + 2 000007fb7b213082 3 bytes {JMP 0xffffffff801cd290} .text C:\Program Files (x86)\Ralink Corporation\Ralink Bluetooth Stack\BsHelpCS.exe[3096] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000007fb7b2130c0 5 bytes JMP 000007fbfb3e03c0 .text C:\Program Files (x86)\Ralink Corporation\Ralink Bluetooth Stack\BsHelpCS.exe[3096] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000007fb7b213110 5 bytes JMP 000007fbfb3e03f0 .text C:\Program Files (x86)\Ralink Corporation\Ralink Bluetooth Stack\BsHelpCS.exe[3096] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000007fb7b213281 5 bytes JMP 000007fbfb3e0230 .text C:\Program Files (x86)\Ralink Corporation\Ralink Bluetooth Stack\BsHelpCS.exe[3096] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000007fb7b213471 5 bytes JMP 000007fbfb3e0480 .text C:\Program Files (x86)\Ralink Corporation\Ralink Bluetooth Stack\BsHelpCS.exe[3096] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000007fb7b2134a1 5 bytes JMP 000007fbfb3e03a0 .text C:\Program Files (x86)\Ralink Corporation\Ralink Bluetooth Stack\BsHelpCS.exe[3096] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000007fb7b2135b1 5 bytes JMP 000007fbfb3e02f0 .text C:\Program Files (x86)\Ralink Corporation\Ralink Bluetooth Stack\BsHelpCS.exe[3096] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000007fb7b2135d1 5 bytes JMP 000007fbfb3e0350 .text C:\Program Files (x86)\Ralink Corporation\Ralink Bluetooth Stack\BsHelpCS.exe[3096] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000007fb7b213641 5 bytes JMP 000007fbfb3e0290 .text C:\Program Files (x86)\Ralink Corporation\Ralink Bluetooth Stack\BsHelpCS.exe[3096] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000007fb7b2136d1 5 bytes JMP 000007fbfb3e02b0 .text C:\Program Files (x86)\Ralink Corporation\Ralink Bluetooth Stack\BsHelpCS.exe[3096] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000007fb7b2136f1 5 bytes JMP 000007fbfb3e03d0 .text C:\Program Files (x86)\Ralink Corporation\Ralink Bluetooth Stack\BsHelpCS.exe[3096] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000007fb7b213701 5 bytes JMP 000007fbfb3e0330 .text C:\Program Files (x86)\Ralink Corporation\Ralink Bluetooth Stack\BsHelpCS.exe[3096] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000007fb7b2137a1 5 bytes JMP 000007fbfb3e0410 .text C:\Program Files (x86)\Ralink Corporation\Ralink Bluetooth Stack\BsHelpCS.exe[3096] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000007fb7b2137d1 5 bytes JMP 000007fbfb3e0240 .text C:\Program Files (x86)\Ralink Corporation\Ralink Bluetooth Stack\BsHelpCS.exe[3096] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000007fb7b213ae1 5 bytes JMP 000007fbfb3e01e0 .text C:\Program Files (x86)\Ralink Corporation\Ralink Bluetooth Stack\BsHelpCS.exe[3096] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000007fb7b213ba1 5 bytes JMP 000007fbfb3e0250 .text C:\Program Files (x86)\Ralink Corporation\Ralink Bluetooth Stack\BsHelpCS.exe[3096] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000007fb7b213bd1 5 bytes JMP 000007fbfb3e0490 .text C:\Program Files (x86)\Ralink Corporation\Ralink Bluetooth Stack\BsHelpCS.exe[3096] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000007fb7b213be1 5 bytes JMP 000007fbfb3e04a0 .text C:\Program Files (x86)\Ralink Corporation\Ralink Bluetooth Stack\BsHelpCS.exe[3096] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000007fb7b213c11 5 bytes JMP 000007fbfb3e0300 .text C:\Program Files (x86)\Ralink Corporation\Ralink Bluetooth Stack\BsHelpCS.exe[3096] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000007fb7b213c21 5 bytes JMP 000007fbfb3e0360 .text C:\Program Files (x86)\Ralink Corporation\Ralink Bluetooth Stack\BsHelpCS.exe[3096] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000007fb7b213c81 5 bytes JMP 000007fbfb3e02a0 .text C:\Program Files (x86)\Ralink Corporation\Ralink Bluetooth Stack\BsHelpCS.exe[3096] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000007fb7b213cd1 5 bytes JMP 000007fbfb3e02c0 .text C:\Program Files (x86)\Ralink Corporation\Ralink Bluetooth Stack\BsHelpCS.exe[3096] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000007fb7b213d01 5 bytes JMP 000007fbfb3e0380 .text C:\Program Files (x86)\Ralink Corporation\Ralink Bluetooth Stack\BsHelpCS.exe[3096] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000007fb7b213d11 5 bytes JMP 000007fbfb3e0340 .text C:\Program Files (x86)\Ralink Corporation\Ralink Bluetooth Stack\BsHelpCS.exe[3096] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000007fb7b214021 5 bytes JMP 000007fbfb3e0440 .text C:\Program Files (x86)\Ralink Corporation\Ralink Bluetooth Stack\BsHelpCS.exe[3096] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000007fb7b214221 5 bytes JMP 000007fbfb3e0260 .text C:\Program Files (x86)\Ralink Corporation\Ralink Bluetooth Stack\BsHelpCS.exe[3096] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000007fb7b214231 5 bytes JMP 000007fbfb3e0270 .text C:\Program Files (x86)\Ralink Corporation\Ralink Bluetooth Stack\BsHelpCS.exe[3096] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000007fb7b214251 5 bytes JMP 000007fbfb3e0400 .text C:\Program Files (x86)\Ralink Corporation\Ralink Bluetooth Stack\BsHelpCS.exe[3096] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000007fb7b214431 5 bytes JMP 000007fbfb3e01f0 .text C:\Program Files (x86)\Ralink Corporation\Ralink Bluetooth Stack\BsHelpCS.exe[3096] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000007fb7b214441 5 bytes JMP 000007fbfb3e0210 .text C:\Program Files (x86)\Ralink Corporation\Ralink Bluetooth Stack\BsHelpCS.exe[3096] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000007fb7b2144b1 5 bytes JMP 000007fbfb3e0200 .text C:\Program Files (x86)\Ralink Corporation\Ralink Bluetooth Stack\BsHelpCS.exe[3096] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000007fb7b214521 5 bytes JMP 000007fbfb3e0420 .text C:\Program Files (x86)\Ralink Corporation\Ralink Bluetooth Stack\BsHelpCS.exe[3096] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000007fb7b214531 5 bytes JMP 000007fbfb3e0430 .text C:\Program Files (x86)\Ralink Corporation\Ralink Bluetooth Stack\BsHelpCS.exe[3096] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000007fb7b214541 5 bytes JMP 000007fbfb3e0220 .text C:\Program Files (x86)\Ralink Corporation\Ralink Bluetooth Stack\BsHelpCS.exe[3096] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000007fb7b214651 5 bytes JMP 000007fbfb3e0280 .text C:\Program Files (x86)\Ralink Corporation\Ralink Bluetooth Stack\BsHelpCS.exe[3096] C:\Windows\system32\KERNEL32.DLL!GetBinaryTypeW + 163 000007fb7892f7eb 1 byte [62] .text C:\Program Files\IDT\WDM\sttray64.exe[3240] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000007fb7b212c90 5 bytes JMP 000007fbfb3e0460 .text C:\Program Files\IDT\WDM\sttray64.exe[3240] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000007fb7b212ce0 5 bytes JMP 000007fbfb3e0450 .text C:\Program Files\IDT\WDM\sttray64.exe[3240] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000007fb7b212e40 5 bytes JMP 000007fbfb3e0370 .text C:\Program Files\IDT\WDM\sttray64.exe[3240] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000007fb7b212e90 5 bytes JMP 000007fbfb3e0470 .text C:\Program Files\IDT\WDM\sttray64.exe[3240] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000007fb7b212ea0 5 bytes JMP 000007fbfb3e03e0 .text C:\Program Files\IDT\WDM\sttray64.exe[3240] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000007fb7b212f50 5 bytes JMP 000007fbfb3e0320 .text C:\Program Files\IDT\WDM\sttray64.exe[3240] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000007fb7b212f80 5 bytes JMP 000007fbfb3e03b0 .text C:\Program Files\IDT\WDM\sttray64.exe[3240] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000007fb7b212fa0 5 bytes JMP 000007fbfb3e0390 .text C:\Program Files\IDT\WDM\sttray64.exe[3240] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000007fb7b212fe0 5 bytes JMP 000007fbfb3e02e0 .text C:\Program Files\IDT\WDM\sttray64.exe[3240] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000007fb7b213060 5 bytes JMP 000007fbfb3e02d0 .text C:\Program Files\IDT\WDM\sttray64.exe[3240] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000007fb7b213080 1 byte JMP 000007fbfb3e0310 .text C:\Program Files\IDT\WDM\sttray64.exe[3240] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection + 2 000007fb7b213082 3 bytes {JMP 0xffffffff801cd290} .text C:\Program Files\IDT\WDM\sttray64.exe[3240] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000007fb7b2130c0 5 bytes JMP 000007fbfb3e03c0 .text C:\Program Files\IDT\WDM\sttray64.exe[3240] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000007fb7b213110 5 bytes JMP 000007fbfb3e03f0 .text C:\Program Files\IDT\WDM\sttray64.exe[3240] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000007fb7b213281 5 bytes JMP 000007fbfb3e0230 .text C:\Program Files\IDT\WDM\sttray64.exe[3240] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000007fb7b213471 5 bytes JMP 000007fbfb3e0480 .text C:\Program Files\IDT\WDM\sttray64.exe[3240] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000007fb7b2134a1 5 bytes JMP 000007fbfb3e03a0 .text C:\Program Files\IDT\WDM\sttray64.exe[3240] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000007fb7b2135b1 5 bytes JMP 000007fbfb3e02f0 .text C:\Program Files\IDT\WDM\sttray64.exe[3240] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000007fb7b2135d1 5 bytes JMP 000007fbfb3e0350 .text C:\Program Files\IDT\WDM\sttray64.exe[3240] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000007fb7b213641 5 bytes JMP 000007fbfb3e0290 .text C:\Program Files\IDT\WDM\sttray64.exe[3240] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000007fb7b2136d1 5 bytes JMP 000007fbfb3e02b0 .text C:\Program Files\IDT\WDM\sttray64.exe[3240] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000007fb7b2136f1 5 bytes JMP 000007fbfb3e03d0 .text C:\Program Files\IDT\WDM\sttray64.exe[3240] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000007fb7b213701 5 bytes JMP 000007fbfb3e0330 .text C:\Program Files\IDT\WDM\sttray64.exe[3240] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000007fb7b2137a1 5 bytes JMP 000007fbfb3e0410 .text C:\Program Files\IDT\WDM\sttray64.exe[3240] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000007fb7b2137d1 5 bytes JMP 000007fbfb3e0240 .text C:\Program Files\IDT\WDM\sttray64.exe[3240] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000007fb7b213ae1 5 bytes JMP 000007fbfb3e01e0 .text C:\Program Files\IDT\WDM\sttray64.exe[3240] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000007fb7b213ba1 5 bytes JMP 000007fbfb3e0250 .text C:\Program Files\IDT\WDM\sttray64.exe[3240] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000007fb7b213bd1 5 bytes JMP 000007fbfb3e0490 .text C:\Program Files\IDT\WDM\sttray64.exe[3240] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000007fb7b213be1 5 bytes JMP 000007fbfb3e04a0 .text C:\Program Files\IDT\WDM\sttray64.exe[3240] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000007fb7b213c11 5 bytes JMP 000007fbfb3e0300 .text C:\Program Files\IDT\WDM\sttray64.exe[3240] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000007fb7b213c21 5 bytes JMP 000007fbfb3e0360 .text C:\Program Files\IDT\WDM\sttray64.exe[3240] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000007fb7b213c81 5 bytes JMP 000007fbfb3e02a0 .text C:\Program Files\IDT\WDM\sttray64.exe[3240] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000007fb7b213cd1 5 bytes JMP 000007fbfb3e02c0 .text C:\Program Files\IDT\WDM\sttray64.exe[3240] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000007fb7b213d01 5 bytes JMP 000007fbfb3e0380 .text C:\Program Files\IDT\WDM\sttray64.exe[3240] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000007fb7b213d11 5 bytes JMP 000007fbfb3e0340 .text C:\Program Files\IDT\WDM\sttray64.exe[3240] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000007fb7b214021 5 bytes JMP 000007fbfb3e0440 .text C:\Program Files\IDT\WDM\sttray64.exe[3240] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000007fb7b214221 5 bytes JMP 000007fbfb3e0260 .text C:\Program Files\IDT\WDM\sttray64.exe[3240] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000007fb7b214231 5 bytes JMP 000007fbfb3e0270 .text C:\Program Files\IDT\WDM\sttray64.exe[3240] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000007fb7b214251 5 bytes JMP 000007fbfb3e0400 .text C:\Program Files\IDT\WDM\sttray64.exe[3240] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000007fb7b214431 5 bytes JMP 000007fbfb3e01f0 .text C:\Program Files\IDT\WDM\sttray64.exe[3240] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000007fb7b214441 5 bytes JMP 000007fbfb3e0210 .text C:\Program Files\IDT\WDM\sttray64.exe[3240] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000007fb7b2144b1 5 bytes JMP 000007fbfb3e0200 .text C:\Program Files\IDT\WDM\sttray64.exe[3240] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000007fb7b214521 5 bytes JMP 000007fbfb3e0420 .text C:\Program Files\IDT\WDM\sttray64.exe[3240] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000007fb7b214531 5 bytes JMP 000007fbfb3e0430 .text C:\Program Files\IDT\WDM\sttray64.exe[3240] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000007fb7b214541 5 bytes JMP 000007fbfb3e0220 .text C:\Program Files\IDT\WDM\sttray64.exe[3240] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000007fb7b214651 5 bytes JMP 000007fbfb3e0280 .text C:\Program Files\IDT\WDM\sttray64.exe[3240] C:\Windows\system32\KERNEL32.DLL!GetBinaryTypeW + 163 000007fb7892f7eb 1 byte [62] .text C:\Windows\system32\svchost.exe[3304] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000007fb7b212c90 5 bytes JMP 000007fbfb3e0460 .text C:\Windows\system32\svchost.exe[3304] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000007fb7b212ce0 5 bytes JMP 000007fbfb3e0450 .text C:\Windows\system32\svchost.exe[3304] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000007fb7b212e40 5 bytes JMP 000007fbfb3e0370 .text C:\Windows\system32\svchost.exe[3304] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000007fb7b212e90 5 bytes JMP 000007fbfb3e0470 .text C:\Windows\system32\svchost.exe[3304] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000007fb7b212ea0 5 bytes JMP 000007fbfb3e03e0 .text C:\Windows\system32\svchost.exe[3304] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000007fb7b212f50 5 bytes JMP 000007fbfb3e0320 .text C:\Windows\system32\svchost.exe[3304] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000007fb7b212f80 5 bytes JMP 000007fbfb3e03b0 .text C:\Windows\system32\svchost.exe[3304] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000007fb7b212fa0 5 bytes JMP 000007fbfb3e0390 .text C:\Windows\system32\svchost.exe[3304] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000007fb7b212fe0 5 bytes JMP 000007fbfb3e02e0 .text C:\Windows\system32\svchost.exe[3304] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000007fb7b213060 5 bytes JMP 000007fbfb3e02d0 .text C:\Windows\system32\svchost.exe[3304] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000007fb7b213080 1 byte JMP 000007fbfb3e0310 .text C:\Windows\system32\svchost.exe[3304] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection + 2 000007fb7b213082 3 bytes {JMP 0xffffffff801cd290} .text C:\Windows\system32\svchost.exe[3304] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000007fb7b2130c0 5 bytes JMP 000007fbfb3e03c0 .text C:\Windows\system32\svchost.exe[3304] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000007fb7b213110 5 bytes JMP 000007fbfb3e03f0 .text C:\Windows\system32\svchost.exe[3304] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000007fb7b213281 5 bytes JMP 000007fbfb3e0230 .text C:\Windows\system32\svchost.exe[3304] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000007fb7b213471 5 bytes JMP 000007fbfb3e0480 .text C:\Windows\system32\svchost.exe[3304] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000007fb7b2134a1 5 bytes JMP 000007fbfb3e03a0 .text C:\Windows\system32\svchost.exe[3304] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000007fb7b2135b1 5 bytes JMP 000007fbfb3e02f0 .text C:\Windows\system32\svchost.exe[3304] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000007fb7b2135d1 5 bytes JMP 000007fbfb3e0350 .text C:\Windows\system32\svchost.exe[3304] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000007fb7b213641 5 bytes JMP 000007fbfb3e0290 .text C:\Windows\system32\svchost.exe[3304] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000007fb7b2136d1 5 bytes JMP 000007fbfb3e02b0 .text C:\Windows\system32\svchost.exe[3304] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000007fb7b2136f1 5 bytes JMP 000007fbfb3e03d0 .text C:\Windows\system32\svchost.exe[3304] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000007fb7b213701 5 bytes JMP 000007fbfb3e0330 .text C:\Windows\system32\svchost.exe[3304] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000007fb7b2137a1 5 bytes JMP 000007fbfb3e0410 .text C:\Windows\system32\svchost.exe[3304] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000007fb7b2137d1 5 bytes JMP 000007fbfb3e0240 .text C:\Windows\system32\svchost.exe[3304] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000007fb7b213ae1 5 bytes JMP 000007fbfb3e01e0 .text C:\Windows\system32\svchost.exe[3304] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000007fb7b213ba1 5 bytes JMP 000007fbfb3e0250 .text C:\Windows\system32\svchost.exe[3304] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000007fb7b213bd1 5 bytes JMP 000007fbfb3e0490 .text C:\Windows\system32\svchost.exe[3304] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000007fb7b213be1 5 bytes JMP 000007fbfb3e04a0 .text C:\Windows\system32\svchost.exe[3304] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000007fb7b213c11 5 bytes JMP 000007fbfb3e0300 .text C:\Windows\system32\svchost.exe[3304] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000007fb7b213c21 5 bytes JMP 000007fbfb3e0360 .text C:\Windows\system32\svchost.exe[3304] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000007fb7b213c81 5 bytes JMP 000007fbfb3e02a0 .text C:\Windows\system32\svchost.exe[3304] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000007fb7b213cd1 5 bytes JMP 000007fbfb3e02c0 .text C:\Windows\system32\svchost.exe[3304] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000007fb7b213d01 5 bytes JMP 000007fbfb3e0380 .text C:\Windows\system32\svchost.exe[3304] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000007fb7b213d11 5 bytes JMP 000007fbfb3e0340 .text C:\Windows\system32\svchost.exe[3304] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000007fb7b214021 5 bytes JMP 000007fbfb3e0440 .text C:\Windows\system32\svchost.exe[3304] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000007fb7b214221 5 bytes JMP 000007fbfb3e0260 .text C:\Windows\system32\svchost.exe[3304] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000007fb7b214231 5 bytes JMP 000007fbfb3e0270 .text C:\Windows\system32\svchost.exe[3304] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000007fb7b214251 5 bytes JMP 000007fbfb3e0400 .text C:\Windows\system32\svchost.exe[3304] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000007fb7b214431 5 bytes JMP 000007fbfb3e01f0 .text C:\Windows\system32\svchost.exe[3304] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000007fb7b214441 5 bytes JMP 000007fbfb3e0210 .text C:\Windows\system32\svchost.exe[3304] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000007fb7b2144b1 5 bytes JMP 000007fbfb3e0200 .text C:\Windows\system32\svchost.exe[3304] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000007fb7b214521 5 bytes JMP 000007fbfb3e0420 .text C:\Windows\system32\svchost.exe[3304] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000007fb7b214531 5 bytes JMP 000007fbfb3e0430 .text C:\Windows\system32\svchost.exe[3304] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000007fb7b214541 5 bytes JMP 000007fbfb3e0220 .text C:\Windows\system32\svchost.exe[3304] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000007fb7b214651 5 bytes JMP 000007fbfb3e0280 .text C:\Windows\system32\svchost.exe[3304] C:\Windows\system32\KERNEL32.DLL!GetBinaryTypeW + 163 000007fb7892f7eb 1 byte [62] .text C:\Windows\system32\svchost.exe[3388] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000007fb7b212c90 5 bytes JMP 000007fbfb3e0460 .text C:\Windows\system32\svchost.exe[3388] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000007fb7b212ce0 5 bytes JMP 000007fbfb3e0450 .text C:\Windows\system32\svchost.exe[3388] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000007fb7b212e40 5 bytes JMP 000007fbfb3e0370 .text C:\Windows\system32\svchost.exe[3388] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000007fb7b212e90 5 bytes JMP 000007fbfb3e0470 .text C:\Windows\system32\svchost.exe[3388] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000007fb7b212ea0 5 bytes JMP 000007fbfb3e03e0 .text C:\Windows\system32\svchost.exe[3388] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000007fb7b212f50 5 bytes JMP 000007fbfb3e0320 .text C:\Windows\system32\svchost.exe[3388] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000007fb7b212f80 5 bytes JMP 000007fbfb3e03b0 .text C:\Windows\system32\svchost.exe[3388] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000007fb7b212fa0 5 bytes JMP 000007fbfb3e0390 .text C:\Windows\system32\svchost.exe[3388] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000007fb7b212fe0 5 bytes JMP 000007fbfb3e02e0 .text C:\Windows\system32\svchost.exe[3388] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000007fb7b213060 5 bytes JMP 000007fbfb3e02d0 .text C:\Windows\system32\svchost.exe[3388] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000007fb7b213080 1 byte JMP 000007fbfb3e0310 .text C:\Windows\system32\svchost.exe[3388] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection + 2 000007fb7b213082 3 bytes {JMP 0xffffffff801cd290} .text C:\Windows\system32\svchost.exe[3388] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000007fb7b2130c0 5 bytes JMP 000007fbfb3e03c0 .text C:\Windows\system32\svchost.exe[3388] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000007fb7b213110 5 bytes JMP 000007fbfb3e03f0 .text C:\Windows\system32\svchost.exe[3388] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000007fb7b213281 5 bytes JMP 000007fbfb3e0230 .text C:\Windows\system32\svchost.exe[3388] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000007fb7b213471 5 bytes JMP 000007fbfb3e0480 .text C:\Windows\system32\svchost.exe[3388] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000007fb7b2134a1 5 bytes JMP 000007fbfb3e03a0 .text C:\Windows\system32\svchost.exe[3388] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000007fb7b2135b1 5 bytes JMP 000007fbfb3e02f0 .text C:\Windows\system32\svchost.exe[3388] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000007fb7b2135d1 5 bytes JMP 000007fbfb3e0350 .text C:\Windows\system32\svchost.exe[3388] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000007fb7b213641 5 bytes JMP 000007fbfb3e0290 .text C:\Windows\system32\svchost.exe[3388] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000007fb7b2136d1 5 bytes JMP 000007fbfb3e02b0 .text C:\Windows\system32\svchost.exe[3388] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000007fb7b2136f1 5 bytes JMP 000007fbfb3e03d0 .text C:\Windows\system32\svchost.exe[3388] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000007fb7b213701 5 bytes JMP 000007fbfb3e0330 .text C:\Windows\system32\svchost.exe[3388] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000007fb7b2137a1 5 bytes JMP 000007fbfb3e0410 .text C:\Windows\system32\svchost.exe[3388] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000007fb7b2137d1 5 bytes JMP 000007fbfb3e0240 .text C:\Windows\system32\svchost.exe[3388] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000007fb7b213ae1 5 bytes JMP 000007fbfb3e01e0 .text C:\Windows\system32\svchost.exe[3388] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000007fb7b213ba1 5 bytes JMP 000007fbfb3e0250 .text C:\Windows\system32\svchost.exe[3388] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000007fb7b213bd1 5 bytes JMP 000007fbfb3e0490 .text C:\Windows\system32\svchost.exe[3388] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000007fb7b213be1 5 bytes JMP 000007fbfb3e04a0 .text C:\Windows\system32\svchost.exe[3388] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000007fb7b213c11 5 bytes JMP 000007fbfb3e0300 .text C:\Windows\system32\svchost.exe[3388] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000007fb7b213c21 5 bytes JMP 000007fbfb3e0360 .text C:\Windows\system32\svchost.exe[3388] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000007fb7b213c81 5 bytes JMP 000007fbfb3e02a0 .text C:\Windows\system32\svchost.exe[3388] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000007fb7b213cd1 5 bytes JMP 000007fbfb3e02c0 .text C:\Windows\system32\svchost.exe[3388] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000007fb7b213d01 5 bytes JMP 000007fbfb3e0380 .text C:\Windows\system32\svchost.exe[3388] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000007fb7b213d11 5 bytes JMP 000007fbfb3e0340 .text C:\Windows\system32\svchost.exe[3388] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000007fb7b214021 5 bytes JMP 000007fbfb3e0440 .text C:\Windows\system32\svchost.exe[3388] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000007fb7b214221 5 bytes JMP 000007fbfb3e0260 .text C:\Windows\system32\svchost.exe[3388] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000007fb7b214231 5 bytes JMP 000007fbfb3e0270 .text C:\Windows\system32\svchost.exe[3388] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000007fb7b214251 5 bytes JMP 000007fbfb3e0400 .text C:\Windows\system32\svchost.exe[3388] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000007fb7b214431 5 bytes JMP 000007fbfb3e01f0 .text C:\Windows\system32\svchost.exe[3388] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000007fb7b214441 5 bytes JMP 000007fbfb3e0210 .text C:\Windows\system32\svchost.exe[3388] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000007fb7b2144b1 5 bytes JMP 000007fbfb3e0200 .text C:\Windows\system32\svchost.exe[3388] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000007fb7b214521 5 bytes JMP 000007fbfb3e0420 .text C:\Windows\system32\svchost.exe[3388] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000007fb7b214531 5 bytes JMP 000007fbfb3e0430 .text C:\Windows\system32\svchost.exe[3388] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000007fb7b214541 5 bytes JMP 000007fbfb3e0220 .text C:\Windows\system32\svchost.exe[3388] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000007fb7b214651 5 bytes JMP 000007fbfb3e0280 .text C:\Windows\system32\svchost.exe[3388] C:\Windows\system32\KERNEL32.DLL!GetBinaryTypeW + 163 000007fb7892f7eb 1 byte [62] .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3448] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000007fb7b212c90 5 bytes JMP 000007fbfb3e0460 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3448] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000007fb7b212ce0 5 bytes JMP 000007fbfb3e0450 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3448] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000007fb7b212e40 5 bytes JMP 000007fbfb3e0370 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3448] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000007fb7b212e90 5 bytes JMP 000007fbfb3e0470 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3448] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000007fb7b212ea0 5 bytes JMP 000007fbfb3e03e0 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3448] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000007fb7b212f50 5 bytes JMP 000007fbfb3e0320 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3448] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000007fb7b212f80 5 bytes JMP 000007fbfb3e03b0 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3448] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000007fb7b212fa0 5 bytes JMP 000007fbfb3e0390 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3448] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000007fb7b212fe0 5 bytes JMP 000007fbfb3e02e0 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3448] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000007fb7b213060 5 bytes JMP 000007fbfb3e02d0 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3448] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000007fb7b213080 1 byte JMP 000007fbfb3e0310 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3448] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection + 2 000007fb7b213082 3 bytes {JMP 0xffffffff801cd290} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3448] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000007fb7b2130c0 5 bytes JMP 000007fbfb3e03c0 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3448] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000007fb7b213110 5 bytes JMP 000007fbfb3e03f0 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3448] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000007fb7b213281 5 bytes JMP 000007fbfb3e0230 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3448] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000007fb7b213471 5 bytes JMP 000007fbfb3e0480 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3448] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000007fb7b2134a1 5 bytes JMP 000007fbfb3e03a0 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3448] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000007fb7b2135b1 5 bytes JMP 000007fbfb3e02f0 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3448] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000007fb7b2135d1 5 bytes JMP 000007fbfb3e0350 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3448] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000007fb7b213641 5 bytes JMP 000007fbfb3e0290 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3448] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000007fb7b2136d1 5 bytes JMP 000007fbfb3e02b0 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3448] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000007fb7b2136f1 5 bytes JMP 000007fbfb3e03d0 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3448] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000007fb7b213701 5 bytes JMP 000007fbfb3e0330 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3448] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000007fb7b2137a1 5 bytes JMP 000007fbfb3e0410 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3448] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000007fb7b2137d1 5 bytes JMP 000007fbfb3e0240 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3448] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000007fb7b213ae1 5 bytes JMP 000007fbfb3e01e0 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3448] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000007fb7b213ba1 5 bytes JMP 000007fbfb3e0250 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3448] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000007fb7b213bd1 5 bytes JMP 000007fbfb3e0490 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3448] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000007fb7b213be1 5 bytes JMP 000007fbfb3e04a0 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3448] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000007fb7b213c11 5 bytes JMP 000007fbfb3e0300 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3448] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000007fb7b213c21 5 bytes JMP 000007fbfb3e0360 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3448] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000007fb7b213c81 5 bytes JMP 000007fbfb3e02a0 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3448] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000007fb7b213cd1 5 bytes JMP 000007fbfb3e02c0 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3448] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000007fb7b213d01 5 bytes JMP 000007fbfb3e0380 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3448] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000007fb7b213d11 5 bytes JMP 000007fbfb3e0340 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3448] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000007fb7b214021 5 bytes JMP 000007fbfb3e0440 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3448] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000007fb7b214221 5 bytes JMP 000007fbfb3e0260 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3448] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000007fb7b214231 5 bytes JMP 000007fbfb3e0270 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3448] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000007fb7b214251 5 bytes JMP 000007fbfb3e0400 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3448] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000007fb7b214431 5 bytes JMP 000007fbfb3e01f0 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3448] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000007fb7b214441 5 bytes JMP 000007fbfb3e0210 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3448] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000007fb7b2144b1 5 bytes JMP 000007fbfb3e0200 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3448] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000007fb7b214521 5 bytes JMP 000007fbfb3e0420 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3448] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000007fb7b214531 5 bytes JMP 000007fbfb3e0430 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3448] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000007fb7b214541 5 bytes JMP 000007fbfb3e0220 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3448] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000007fb7b214651 5 bytes JMP 000007fbfb3e0280 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3448] C:\Windows\system32\KERNEL32.DLL!GetBinaryTypeW + 163 000007fb7892f7eb 1 byte [62] .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3448] C:\Windows\system32\PSAPI.DLL!GetProcessImageFileNameA + 306 000007fb7891177a 4 bytes [91, 78, FB, 07] .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3448] C:\Windows\system32\PSAPI.DLL!GetProcessImageFileNameA + 314 000007fb78911782 4 bytes [91, 78, FB, 07] .text C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[3996] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000007fb7b212c90 5 bytes JMP 000007fbfb3e0460 .text C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[3996] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000007fb7b212ce0 5 bytes JMP 000007fbfb3e0450 .text C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[3996] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000007fb7b212e40 5 bytes JMP 000007fbfb3e0370 .text C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[3996] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000007fb7b212e90 5 bytes JMP 000007fbfb3e0470 .text C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[3996] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000007fb7b212ea0 5 bytes JMP 000007fbfb3e03e0 .text C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[3996] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000007fb7b212f50 5 bytes JMP 000007fbfb3e0320 .text C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[3996] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000007fb7b212f80 5 bytes JMP 000007fbfb3e03b0 .text C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[3996] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000007fb7b212fa0 5 bytes JMP 000007fbfb3e0390 .text C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[3996] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000007fb7b212fe0 5 bytes JMP 000007fbfb3e02e0 .text C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[3996] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000007fb7b213060 5 bytes JMP 000007fbfb3e02d0 .text C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[3996] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000007fb7b213080 1 byte JMP 000007fbfb3e0310 .text C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[3996] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection + 2 000007fb7b213082 3 bytes {JMP 0xffffffff801cd290} .text C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[3996] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000007fb7b2130c0 5 bytes JMP 000007fbfb3e03c0 .text C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[3996] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000007fb7b213110 5 bytes JMP 000007fbfb3e03f0 .text C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[3996] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000007fb7b213281 5 bytes JMP 000007fbfb3e0230 .text C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[3996] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000007fb7b213471 5 bytes JMP 000007fbfb3e0480 .text C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[3996] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000007fb7b2134a1 5 bytes JMP 000007fbfb3e03a0 .text C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[3996] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000007fb7b2135b1 5 bytes JMP 000007fbfb3e02f0 .text C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[3996] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000007fb7b2135d1 5 bytes JMP 000007fbfb3e0350 .text C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[3996] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000007fb7b213641 5 bytes JMP 000007fbfb3e0290 .text C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[3996] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000007fb7b2136d1 5 bytes JMP 000007fbfb3e02b0 .text C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[3996] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000007fb7b2136f1 5 bytes JMP 000007fbfb3e03d0 .text C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[3996] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000007fb7b213701 5 bytes JMP 000007fbfb3e0330 .text C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[3996] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000007fb7b2137a1 5 bytes JMP 000007fbfb3e0410 .text C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[3996] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000007fb7b2137d1 5 bytes JMP 000007fbfb3e0240 .text C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[3996] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000007fb7b213ae1 5 bytes JMP 000007fbfb3e01e0 .text C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[3996] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000007fb7b213ba1 5 bytes JMP 000007fbfb3e0250 .text C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[3996] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000007fb7b213bd1 5 bytes JMP 000007fbfb3e0490 .text C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[3996] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000007fb7b213be1 5 bytes JMP 000007fbfb3e04a0 .text C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[3996] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000007fb7b213c11 5 bytes JMP 000007fbfb3e0300 .text C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[3996] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000007fb7b213c21 5 bytes JMP 000007fbfb3e0360 .text C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[3996] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000007fb7b213c81 5 bytes JMP 000007fbfb3e02a0 .text C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[3996] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000007fb7b213cd1 5 bytes JMP 000007fbfb3e02c0 .text C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[3996] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000007fb7b213d01 5 bytes JMP 000007fbfb3e0380 .text C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[3996] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000007fb7b213d11 5 bytes JMP 000007fbfb3e0340 .text C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[3996] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000007fb7b214021 5 bytes JMP 000007fbfb3e0440 .text C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[3996] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000007fb7b214221 5 bytes JMP 000007fbfb3e0260 .text C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[3996] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000007fb7b214231 5 bytes JMP 000007fbfb3e0270 .text C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[3996] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000007fb7b214251 5 bytes JMP 000007fbfb3e0400 .text C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[3996] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000007fb7b214431 5 bytes JMP 000007fbfb3e01f0 .text C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[3996] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000007fb7b214441 5 bytes JMP 000007fbfb3e0210 .text C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[3996] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000007fb7b2144b1 5 bytes JMP 000007fbfb3e0200 .text C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[3996] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000007fb7b214521 5 bytes JMP 000007fbfb3e0420 .text C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[3996] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000007fb7b214531 5 bytes JMP 000007fbfb3e0430 .text C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[3996] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000007fb7b214541 5 bytes JMP 000007fbfb3e0220 .text C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[3996] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000007fb7b214651 5 bytes JMP 000007fbfb3e0280 .text C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[3996] C:\Windows\system32\PSAPI.DLL!GetProcessImageFileNameA + 306 000007fb7891177a 4 bytes [91, 78, FB, 07] .text C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[3996] C:\Windows\system32\PSAPI.DLL!GetProcessImageFileNameA + 314 000007fb78911782 4 bytes [91, 78, FB, 07] .text C:\Windows\system32\conhost.exe[4020] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000007fb7b212c90 5 bytes JMP 000007fbfb3e0460 .text C:\Windows\system32\conhost.exe[4020] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000007fb7b212ce0 5 bytes JMP 000007fbfb3e0450 .text C:\Windows\system32\conhost.exe[4020] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000007fb7b212e40 5 bytes JMP 000007fbfb3e0370 .text C:\Windows\system32\conhost.exe[4020] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000007fb7b212e90 5 bytes JMP 000007fbfb3e0470 .text C:\Windows\system32\conhost.exe[4020] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000007fb7b212ea0 5 bytes JMP 000007fbfb3e03e0 .text C:\Windows\system32\conhost.exe[4020] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000007fb7b212f50 5 bytes JMP 000007fbfb3e0320 .text C:\Windows\system32\conhost.exe[4020] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000007fb7b212f80 5 bytes JMP 000007fbfb3e03b0 .text C:\Windows\system32\conhost.exe[4020] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000007fb7b212fa0 5 bytes JMP 000007fbfb3e0390 .text C:\Windows\system32\conhost.exe[4020] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000007fb7b212fe0 5 bytes JMP 000007fbfb3e02e0 .text C:\Windows\system32\conhost.exe[4020] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000007fb7b213060 5 bytes JMP 000007fbfb3e02d0 .text C:\Windows\system32\conhost.exe[4020] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000007fb7b213080 1 byte JMP 000007fbfb3e0310 .text C:\Windows\system32\conhost.exe[4020] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection + 2 000007fb7b213082 3 bytes {JMP 0xffffffff801cd290} .text C:\Windows\system32\conhost.exe[4020] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000007fb7b2130c0 5 bytes JMP 000007fbfb3e03c0 .text C:\Windows\system32\conhost.exe[4020] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000007fb7b213110 5 bytes JMP 000007fbfb3e03f0 .text C:\Windows\system32\conhost.exe[4020] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000007fb7b213281 5 bytes JMP 000007fbfb3e0230 .text C:\Windows\system32\conhost.exe[4020] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000007fb7b213471 5 bytes JMP 000007fbfb3e0480 .text C:\Windows\system32\conhost.exe[4020] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000007fb7b2134a1 5 bytes JMP 000007fbfb3e03a0 .text C:\Windows\system32\conhost.exe[4020] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000007fb7b2135b1 5 bytes JMP 000007fbfb3e02f0 .text C:\Windows\system32\conhost.exe[4020] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000007fb7b2135d1 5 bytes JMP 000007fbfb3e0350 .text C:\Windows\system32\conhost.exe[4020] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000007fb7b213641 5 bytes JMP 000007fbfb3e0290 .text C:\Windows\system32\conhost.exe[4020] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000007fb7b2136d1 5 bytes JMP 000007fbfb3e02b0 .text C:\Windows\system32\conhost.exe[4020] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000007fb7b2136f1 5 bytes JMP 000007fbfb3e03d0 .text C:\Windows\system32\conhost.exe[4020] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000007fb7b213701 5 bytes JMP 000007fbfb3e0330 .text C:\Windows\system32\conhost.exe[4020] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000007fb7b2137a1 5 bytes JMP 000007fbfb3e0410 .text C:\Windows\system32\conhost.exe[4020] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000007fb7b2137d1 5 bytes JMP 000007fbfb3e0240 .text C:\Windows\system32\conhost.exe[4020] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000007fb7b213ae1 5 bytes JMP 000007fbfb3e01e0 .text C:\Windows\system32\conhost.exe[4020] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000007fb7b213ba1 5 bytes JMP 000007fbfb3e0250 .text C:\Windows\system32\conhost.exe[4020] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000007fb7b213bd1 5 bytes JMP 000007fbfb3e0490 .text C:\Windows\system32\conhost.exe[4020] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000007fb7b213be1 5 bytes JMP 000007fbfb3e04a0 .text C:\Windows\system32\conhost.exe[4020] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000007fb7b213c11 5 bytes JMP 000007fbfb3e0300 .text C:\Windows\system32\conhost.exe[4020] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000007fb7b213c21 5 bytes JMP 000007fbfb3e0360 .text C:\Windows\system32\conhost.exe[4020] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000007fb7b213c81 5 bytes JMP 000007fbfb3e02a0 .text C:\Windows\system32\conhost.exe[4020] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000007fb7b213cd1 5 bytes JMP 000007fbfb3e02c0 .text C:\Windows\system32\conhost.exe[4020] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000007fb7b213d01 5 bytes JMP 000007fbfb3e0380 .text C:\Windows\system32\conhost.exe[4020] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000007fb7b213d11 5 bytes JMP 000007fbfb3e0340 .text C:\Windows\system32\conhost.exe[4020] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000007fb7b214021 5 bytes JMP 000007fbfb3e0440 .text C:\Windows\system32\conhost.exe[4020] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000007fb7b214221 5 bytes JMP 000007fbfb3e0260 .text C:\Windows\system32\conhost.exe[4020] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000007fb7b214231 5 bytes JMP 000007fbfb3e0270 .text C:\Windows\system32\conhost.exe[4020] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000007fb7b214251 5 bytes JMP 000007fbfb3e0400 .text C:\Windows\system32\conhost.exe[4020] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000007fb7b214431 5 bytes JMP 000007fbfb3e01f0 .text C:\Windows\system32\conhost.exe[4020] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000007fb7b214441 5 bytes JMP 000007fbfb3e0210 .text C:\Windows\system32\conhost.exe[4020] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000007fb7b2144b1 5 bytes JMP 000007fbfb3e0200 .text C:\Windows\system32\conhost.exe[4020] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000007fb7b214521 5 bytes JMP 000007fbfb3e0420 .text C:\Windows\system32\conhost.exe[4020] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000007fb7b214531 5 bytes JMP 000007fbfb3e0430 .text C:\Windows\system32\conhost.exe[4020] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000007fb7b214541 5 bytes JMP 000007fbfb3e0220 .text C:\Windows\system32\conhost.exe[4020] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000007fb7b214651 5 bytes JMP 000007fbfb3e0280 .text C:\Windows\system32\conhost.exe[4020] C:\Windows\system32\KERNEL32.DLL!GetBinaryTypeW + 163 000007fb7892f7eb 1 byte [62] ? C:\Windows\SYSTEM32\BsHelpCSps.dll [2988] entry point in ".data" section 0000000001ec5055 ? C:\Windows\SYSTEM32\BlueSoleilCSps.dll [2988] entry point in ".rdata" section 00000000034a4085 .text C:\Windows\system32\wbem\wmiprvse.exe[1284] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000007fb7b212c90 5 bytes JMP 000007fbfb3e0460 .text C:\Windows\system32\wbem\wmiprvse.exe[1284] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000007fb7b212ce0 5 bytes JMP 000007fbfb3e0450 .text C:\Windows\system32\wbem\wmiprvse.exe[1284] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 000007fb7b212d60 5 bytes JMP 000007fb7b3d0b14 .text C:\Windows\system32\wbem\wmiprvse.exe[1284] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 000007fb7b212dc0 5 bytes JMP 000007fb7b3d0ecc .text C:\Windows\system32\wbem\wmiprvse.exe[1284] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000007fb7b212e40 5 bytes JMP 000007fbfb3e0370 .text C:\Windows\system32\wbem\wmiprvse.exe[1284] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000007fb7b212e90 5 bytes JMP 000007fbfb3e0470 .text C:\Windows\system32\wbem\wmiprvse.exe[1284] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000007fb7b212ea0 5 bytes JMP 000007fb7b3d163c .text C:\Windows\system32\wbem\wmiprvse.exe[1284] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000007fb7b212f50 5 bytes JMP 000007fbfb3e0320 .text C:\Windows\system32\wbem\wmiprvse.exe[1284] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000007fb7b212f80 5 bytes JMP 000007fbfb3e03b0 .text C:\Windows\system32\wbem\wmiprvse.exe[1284] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000007fb7b212fa0 5 bytes JMP 000007fbfb3e0390 .text C:\Windows\system32\wbem\wmiprvse.exe[1284] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000007fb7b212fe0 5 bytes JMP 000007fbfb3e02e0 .text C:\Windows\system32\wbem\wmiprvse.exe[1284] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000007fb7b213060 5 bytes JMP 000007fbfb3e02d0 .text C:\Windows\system32\wbem\wmiprvse.exe[1284] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000007fb7b213080 1 byte JMP 000007fbfb3e0310 .text C:\Windows\system32\wbem\wmiprvse.exe[1284] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection + 2 000007fb7b213082 3 bytes {JMP 0xffffffff801cd290} .text C:\Windows\system32\wbem\wmiprvse.exe[1284] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000007fb7b2130c0 5 bytes JMP 000007fbfb3e03c0 .text C:\Windows\system32\wbem\wmiprvse.exe[1284] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 000007fb7b2130e0 5 bytes JMP 000007fb7b3d1284 .text C:\Windows\system32\wbem\wmiprvse.exe[1284] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000007fb7b213110 5 bytes JMP 000007fbfb3e03f0 .text C:\Windows\system32\wbem\wmiprvse.exe[1284] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000007fb7b213281 5 bytes JMP 000007fbfb3e0230 .text C:\Windows\system32\wbem\wmiprvse.exe[1284] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000007fb7b213471 5 bytes JMP 000007fbfb3e0480 .text C:\Windows\system32\wbem\wmiprvse.exe[1284] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000007fb7b2134a1 5 bytes JMP 000007fbfb3e03a0 .text C:\Windows\system32\wbem\wmiprvse.exe[1284] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000007fb7b2135b1 5 bytes JMP 000007fbfb3e02f0 .text C:\Windows\system32\wbem\wmiprvse.exe[1284] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000007fb7b2135d1 5 bytes JMP 000007fbfb3e0350 .text C:\Windows\system32\wbem\wmiprvse.exe[1284] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000007fb7b213641 5 bytes JMP 000007fbfb3e0290 .text C:\Windows\system32\wbem\wmiprvse.exe[1284] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000007fb7b2136d1 5 bytes JMP 000007fbfb3e02b0 .text C:\Windows\system32\wbem\wmiprvse.exe[1284] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000007fb7b2136f1 5 bytes JMP 000007fbfb3e03d0 .text C:\Windows\system32\wbem\wmiprvse.exe[1284] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000007fb7b213701 5 bytes JMP 000007fbfb3e0330 .text C:\Windows\system32\wbem\wmiprvse.exe[1284] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000007fb7b2137a1 5 bytes JMP 000007fbfb3e0410 .text C:\Windows\system32\wbem\wmiprvse.exe[1284] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000007fb7b2137d1 5 bytes JMP 000007fbfb3e0240 .text C:\Windows\system32\wbem\wmiprvse.exe[1284] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000007fb7b213ae1 5 bytes JMP 000007fbfb3e01e0 .text C:\Windows\system32\wbem\wmiprvse.exe[1284] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000007fb7b213ba1 5 bytes JMP 000007fbfb3e0250 .text C:\Windows\system32\wbem\wmiprvse.exe[1284] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000007fb7b213bd1 5 bytes JMP 000007fbfb3e0490 .text C:\Windows\system32\wbem\wmiprvse.exe[1284] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000007fb7b213be1 5 bytes JMP 000007fbfb3e04a0 .text C:\Windows\system32\wbem\wmiprvse.exe[1284] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000007fb7b213c11 5 bytes JMP 000007fbfb3e0300 .text C:\Windows\system32\wbem\wmiprvse.exe[1284] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000007fb7b213c21 5 bytes JMP 000007fbfb3e0360 .text C:\Windows\system32\wbem\wmiprvse.exe[1284] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000007fb7b213c81 5 bytes JMP 000007fbfb3e02a0 .text C:\Windows\system32\wbem\wmiprvse.exe[1284] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000007fb7b213cd1 5 bytes JMP 000007fbfb3e02c0 .text C:\Windows\system32\wbem\wmiprvse.exe[1284] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000007fb7b213d01 5 bytes JMP 000007fbfb3e0380 .text C:\Windows\system32\wbem\wmiprvse.exe[1284] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000007fb7b213d11 5 bytes JMP 000007fbfb3e0340 .text C:\Windows\system32\wbem\wmiprvse.exe[1284] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000007fb7b214021 5 bytes JMP 000007fbfb3e0440 .text C:\Windows\system32\wbem\wmiprvse.exe[1284] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000007fb7b214221 5 bytes JMP 000007fbfb3e0260 .text C:\Windows\system32\wbem\wmiprvse.exe[1284] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000007fb7b214231 5 bytes JMP 000007fbfb3e0270 .text C:\Windows\system32\wbem\wmiprvse.exe[1284] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000007fb7b214251 5 bytes JMP 000007fb7b3d19f4 .text C:\Windows\system32\wbem\wmiprvse.exe[1284] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000007fb7b214431 5 bytes JMP 000007fbfb3e01f0 .text C:\Windows\system32\wbem\wmiprvse.exe[1284] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000007fb7b214441 5 bytes JMP 000007fbfb3e0210 .text C:\Windows\system32\wbem\wmiprvse.exe[1284] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000007fb7b2144b1 5 bytes JMP 000007fbfb3e0200 .text C:\Windows\system32\wbem\wmiprvse.exe[1284] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000007fb7b214521 5 bytes JMP 000007fbfb3e0420 .text C:\Windows\system32\wbem\wmiprvse.exe[1284] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000007fb7b214531 5 bytes JMP 000007fbfb3e0430 .text C:\Windows\system32\wbem\wmiprvse.exe[1284] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000007fb7b214541 5 bytes JMP 000007fbfb3e0220 .text C:\Windows\system32\wbem\wmiprvse.exe[1284] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000007fb7b214651 5 bytes JMP 000007fbfb3e0280 .text C:\Windows\system32\wbem\wmiprvse.exe[1284] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 000007fb7b224a10 5 bytes JMP 000007fb7b3d075c .text C:\Windows\system32\wbem\wmiprvse.exe[1284] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 000007fb7b2431c4 5 bytes JMP 000007fb7b3d03a4 .text C:\Windows\system32\wbem\wmiprvse.exe[1284] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fb7af77510 5 bytes JMP 000007fbfafc0b14 .text C:\Windows\system32\wbem\wmiprvse.exe[1284] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fb7af77550 5 bytes JMP 000007fbfafc19f4 .text C:\Windows\system32\wbem\wmiprvse.exe[1284] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fb7af775d0 5 bytes JMP 000007fbfafc075c .text C:\Windows\system32\wbem\wmiprvse.exe[1284] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fb7af77b20 5 bytes JMP 000007fbfafc1284 .text C:\Windows\system32\wbem\wmiprvse.exe[1284] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fb7af9b034 5 bytes JMP 000007fbfafc03a4 .text C:\Windows\system32\wbem\wmiprvse.exe[1284] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fb7af9b2e4 5 bytes JMP 000007fbfafc163c .text C:\Windows\system32\wbem\wmiprvse.exe[1284] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fb7af9b470 5 bytes JMP 000007fbfafc0ecc .text C:\Windows\system32\wbem\wmiprvse.exe[1284] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fb7af9b6d4 5 bytes JMP 000007fbfafc1dac .text C:\Windows\system32\wbem\wmiprvse.exe[1284] C:\Windows\SYSTEM32\user32.dll!UnhookWindowsHookEx 000007fb7aa22120 5 bytes JMP 000007fbfab71284 .text C:\Windows\system32\wbem\wmiprvse.exe[1284] C:\Windows\SYSTEM32\user32.dll!SetWindowsHookExW 000007fb7aa2bee0 5 bytes JMP 000007fbfab70ecc .text C:\Windows\system32\wbem\wmiprvse.exe[1284] C:\Windows\SYSTEM32\user32.dll!UnhookWinEvent 000007fb7aa2e030 5 bytes JMP 000007fbfab7075c .text C:\Windows\system32\wbem\wmiprvse.exe[1284] C:\Windows\SYSTEM32\user32.dll!SetWinEventHook 000007fb7aa32f70 5 bytes JMP 000007fbfab703a4 .text C:\Windows\system32\wbem\wmiprvse.exe[1284] C:\Windows\SYSTEM32\user32.dll!SetWindowsHookExA 000007fb7aa51850 5 bytes JMP 000007fbfab70b14 .text C:\Windows\system32\wbem\wmiprvse.exe[1240] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000007fb7b212c90 5 bytes JMP 000007fbfb3e0460 .text C:\Windows\system32\wbem\wmiprvse.exe[1240] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000007fb7b212ce0 5 bytes JMP 000007fbfb3e0450 .text C:\Windows\system32\wbem\wmiprvse.exe[1240] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 000007fb7b212d60 5 bytes JMP 000007fb7b3d0b14 .text C:\Windows\system32\wbem\wmiprvse.exe[1240] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 000007fb7b212dc0 5 bytes JMP 000007fb7b3d0ecc .text C:\Windows\system32\wbem\wmiprvse.exe[1240] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000007fb7b212e40 5 bytes JMP 000007fbfb3e0370 .text C:\Windows\system32\wbem\wmiprvse.exe[1240] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000007fb7b212e90 5 bytes JMP 000007fbfb3e0470 .text C:\Windows\system32\wbem\wmiprvse.exe[1240] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000007fb7b212ea0 5 bytes JMP 000007fb7b3d163c .text C:\Windows\system32\wbem\wmiprvse.exe[1240] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000007fb7b212f50 5 bytes JMP 000007fbfb3e0320 .text C:\Windows\system32\wbem\wmiprvse.exe[1240] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000007fb7b212f80 5 bytes JMP 000007fbfb3e03b0 .text C:\Windows\system32\wbem\wmiprvse.exe[1240] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000007fb7b212fa0 5 bytes JMP 000007fbfb3e0390 .text C:\Windows\system32\wbem\wmiprvse.exe[1240] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000007fb7b212fe0 5 bytes JMP 000007fbfb3e02e0 .text C:\Windows\system32\wbem\wmiprvse.exe[1240] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000007fb7b213060 5 bytes JMP 000007fbfb3e02d0 .text C:\Windows\system32\wbem\wmiprvse.exe[1240] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000007fb7b213080 1 byte JMP 000007fbfb3e0310 .text C:\Windows\system32\wbem\wmiprvse.exe[1240] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection + 2 000007fb7b213082 3 bytes {JMP 0xffffffff801cd290} .text C:\Windows\system32\wbem\wmiprvse.exe[1240] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000007fb7b2130c0 5 bytes JMP 000007fbfb3e03c0 .text C:\Windows\system32\wbem\wmiprvse.exe[1240] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 000007fb7b2130e0 5 bytes JMP 000007fb7b3d1284 .text C:\Windows\system32\wbem\wmiprvse.exe[1240] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000007fb7b213110 5 bytes JMP 000007fbfb3e03f0 .text C:\Windows\system32\wbem\wmiprvse.exe[1240] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000007fb7b213281 5 bytes JMP 000007fbfb3e0230 .text C:\Windows\system32\wbem\wmiprvse.exe[1240] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000007fb7b213471 5 bytes JMP 000007fbfb3e0480 .text C:\Windows\system32\wbem\wmiprvse.exe[1240] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000007fb7b2134a1 5 bytes JMP 000007fbfb3e03a0 .text C:\Windows\system32\wbem\wmiprvse.exe[1240] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000007fb7b2135b1 5 bytes JMP 000007fbfb3e02f0 .text C:\Windows\system32\wbem\wmiprvse.exe[1240] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000007fb7b2135d1 5 bytes JMP 000007fbfb3e0350 .text C:\Windows\system32\wbem\wmiprvse.exe[1240] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000007fb7b213641 5 bytes JMP 000007fbfb3e0290 .text C:\Windows\system32\wbem\wmiprvse.exe[1240] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000007fb7b2136d1 5 bytes JMP 000007fbfb3e02b0 .text C:\Windows\system32\wbem\wmiprvse.exe[1240] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000007fb7b2136f1 5 bytes JMP 000007fbfb3e03d0 .text C:\Windows\system32\wbem\wmiprvse.exe[1240] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000007fb7b213701 5 bytes JMP 000007fbfb3e0330 .text C:\Windows\system32\wbem\wmiprvse.exe[1240] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000007fb7b2137a1 5 bytes JMP 000007fbfb3e0410 .text C:\Windows\system32\wbem\wmiprvse.exe[1240] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000007fb7b2137d1 5 bytes JMP 000007fbfb3e0240 .text C:\Windows\system32\wbem\wmiprvse.exe[1240] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000007fb7b213ae1 5 bytes JMP 000007fbfb3e01e0 .text C:\Windows\system32\wbem\wmiprvse.exe[1240] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000007fb7b213ba1 5 bytes JMP 000007fbfb3e0250 .text C:\Windows\system32\wbem\wmiprvse.exe[1240] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000007fb7b213bd1 5 bytes JMP 000007fbfb3e0490 .text C:\Windows\system32\wbem\wmiprvse.exe[1240] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000007fb7b213be1 5 bytes JMP 000007fbfb3e04a0 .text C:\Windows\system32\wbem\wmiprvse.exe[1240] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000007fb7b213c11 5 bytes JMP 000007fbfb3e0300 .text C:\Windows\system32\wbem\wmiprvse.exe[1240] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000007fb7b213c21 5 bytes JMP 000007fbfb3e0360 .text C:\Windows\system32\wbem\wmiprvse.exe[1240] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000007fb7b213c81 5 bytes JMP 000007fbfb3e02a0 .text C:\Windows\system32\wbem\wmiprvse.exe[1240] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000007fb7b213cd1 5 bytes JMP 000007fbfb3e02c0 .text C:\Windows\system32\wbem\wmiprvse.exe[1240] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000007fb7b213d01 5 bytes JMP 000007fbfb3e0380 .text C:\Windows\system32\wbem\wmiprvse.exe[1240] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000007fb7b213d11 5 bytes JMP 000007fbfb3e0340 .text C:\Windows\system32\wbem\wmiprvse.exe[1240] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000007fb7b214021 5 bytes JMP 000007fbfb3e0440 .text C:\Windows\system32\wbem\wmiprvse.exe[1240] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000007fb7b214221 5 bytes JMP 000007fbfb3e0260 .text C:\Windows\system32\wbem\wmiprvse.exe[1240] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000007fb7b214231 5 bytes JMP 000007fbfb3e0270 .text C:\Windows\system32\wbem\wmiprvse.exe[1240] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000007fb7b214251 5 bytes JMP 000007fb7b3d19f4 .text C:\Windows\system32\wbem\wmiprvse.exe[1240] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000007fb7b214431 5 bytes JMP 000007fbfb3e01f0 .text C:\Windows\system32\wbem\wmiprvse.exe[1240] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000007fb7b214441 5 bytes JMP 000007fbfb3e0210 .text C:\Windows\system32\wbem\wmiprvse.exe[1240] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000007fb7b2144b1 5 bytes JMP 000007fbfb3e0200 .text C:\Windows\system32\wbem\wmiprvse.exe[1240] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000007fb7b214521 5 bytes JMP 000007fbfb3e0420 .text C:\Windows\system32\wbem\wmiprvse.exe[1240] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000007fb7b214531 5 bytes JMP 000007fbfb3e0430 .text C:\Windows\system32\wbem\wmiprvse.exe[1240] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000007fb7b214541 5 bytes JMP 000007fbfb3e0220 .text C:\Windows\system32\wbem\wmiprvse.exe[1240] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000007fb7b214651 5 bytes JMP 000007fbfb3e0280 .text C:\Windows\system32\wbem\wmiprvse.exe[1240] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 000007fb7b224a10 5 bytes JMP 000007fb7b3d075c .text C:\Windows\system32\wbem\wmiprvse.exe[1240] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 000007fb7b2431c4 5 bytes JMP 000007fb7b3d03a4 .text C:\Windows\system32\wbem\wmiprvse.exe[1240] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fb7af77510 5 bytes JMP 000007fbfafc0b14 .text C:\Windows\system32\wbem\wmiprvse.exe[1240] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fb7af77550 5 bytes JMP 000007fbfafc19f4 .text C:\Windows\system32\wbem\wmiprvse.exe[1240] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fb7af775d0 5 bytes JMP 000007fbfafc075c .text C:\Windows\system32\wbem\wmiprvse.exe[1240] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fb7af77b20 5 bytes JMP 000007fbfafc1284 .text C:\Windows\system32\wbem\wmiprvse.exe[1240] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fb7af9b034 5 bytes JMP 000007fbfafc03a4 .text C:\Windows\system32\wbem\wmiprvse.exe[1240] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fb7af9b2e4 5 bytes JMP 000007fbfafc163c .text C:\Windows\system32\wbem\wmiprvse.exe[1240] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fb7af9b470 5 bytes JMP 000007fbfafc0ecc .text C:\Windows\system32\wbem\wmiprvse.exe[1240] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fb7af9b6d4 5 bytes JMP 000007fbfafc1dac .text C:\Windows\system32\wbem\wmiprvse.exe[1240] C:\Windows\SYSTEM32\user32.dll!UnhookWindowsHookEx 000007fb7aa22120 5 bytes JMP 000007fbfab71284 .text C:\Windows\system32\wbem\wmiprvse.exe[1240] C:\Windows\SYSTEM32\user32.dll!SetWindowsHookExW 000007fb7aa2bee0 5 bytes JMP 000007fbfab70ecc .text C:\Windows\system32\wbem\wmiprvse.exe[1240] C:\Windows\SYSTEM32\user32.dll!UnhookWinEvent 000007fb7aa2e030 5 bytes JMP 000007fbfab7075c .text C:\Windows\system32\wbem\wmiprvse.exe[1240] C:\Windows\SYSTEM32\user32.dll!SetWinEventHook 000007fb7aa32f70 5 bytes JMP 000007fbfab703a4 .text C:\Windows\system32\wbem\wmiprvse.exe[1240] C:\Windows\SYSTEM32\user32.dll!SetWindowsHookExA 000007fb7aa51850 5 bytes JMP 000007fbfab70b14 .text C:\Windows\System32\RuntimeBroker.exe[4348] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000007fb7b212c90 5 bytes JMP 000007fbfb3e0460 .text C:\Windows\System32\RuntimeBroker.exe[4348] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000007fb7b212ce0 5 bytes JMP 000007fbfb3e0450 .text C:\Windows\System32\RuntimeBroker.exe[4348] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 000007fb7b212d60 5 bytes JMP 000007fb7b3d0b14 .text C:\Windows\System32\RuntimeBroker.exe[4348] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 000007fb7b212dc0 5 bytes JMP 000007fb7b3d0ecc .text C:\Windows\System32\RuntimeBroker.exe[4348] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000007fb7b212e40 5 bytes JMP 000007fbfb3e0370 .text C:\Windows\System32\RuntimeBroker.exe[4348] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000007fb7b212e90 5 bytes JMP 000007fbfb3e0470 .text C:\Windows\System32\RuntimeBroker.exe[4348] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000007fb7b212ea0 5 bytes JMP 000007fb7b3d163c .text C:\Windows\System32\RuntimeBroker.exe[4348] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000007fb7b212f50 5 bytes JMP 000007fbfb3e0320 .text C:\Windows\System32\RuntimeBroker.exe[4348] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000007fb7b212f80 5 bytes JMP 000007fbfb3e03b0 .text C:\Windows\System32\RuntimeBroker.exe[4348] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000007fb7b212fa0 5 bytes JMP 000007fbfb3e0390 .text C:\Windows\System32\RuntimeBroker.exe[4348] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000007fb7b212fe0 5 bytes JMP 000007fbfb3e02e0 .text C:\Windows\System32\RuntimeBroker.exe[4348] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000007fb7b213060 5 bytes JMP 000007fbfb3e02d0 .text C:\Windows\System32\RuntimeBroker.exe[4348] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000007fb7b213080 1 byte JMP 000007fbfb3e0310 .text C:\Windows\System32\RuntimeBroker.exe[4348] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection + 2 000007fb7b213082 3 bytes {JMP 0xffffffff801cd290} .text C:\Windows\System32\RuntimeBroker.exe[4348] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000007fb7b2130c0 5 bytes JMP 000007fbfb3e03c0 .text C:\Windows\System32\RuntimeBroker.exe[4348] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 000007fb7b2130e0 5 bytes JMP 000007fb7b3d1284 .text C:\Windows\System32\RuntimeBroker.exe[4348] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000007fb7b213110 5 bytes JMP 000007fbfb3e03f0 .text C:\Windows\System32\RuntimeBroker.exe[4348] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000007fb7b213281 5 bytes JMP 000007fbfb3e0230 .text C:\Windows\System32\RuntimeBroker.exe[4348] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000007fb7b213471 5 bytes JMP 000007fbfb3e0480 .text C:\Windows\System32\RuntimeBroker.exe[4348] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000007fb7b2134a1 5 bytes JMP 000007fbfb3e03a0 .text C:\Windows\System32\RuntimeBroker.exe[4348] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000007fb7b2135b1 5 bytes JMP 000007fbfb3e02f0 .text C:\Windows\System32\RuntimeBroker.exe[4348] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000007fb7b2135d1 5 bytes JMP 000007fbfb3e0350 .text C:\Windows\System32\RuntimeBroker.exe[4348] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000007fb7b213641 5 bytes JMP 000007fbfb3e0290 .text C:\Windows\System32\RuntimeBroker.exe[4348] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000007fb7b2136d1 5 bytes JMP 000007fbfb3e02b0 .text C:\Windows\System32\RuntimeBroker.exe[4348] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000007fb7b2136f1 5 bytes JMP 000007fbfb3e03d0 .text C:\Windows\System32\RuntimeBroker.exe[4348] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000007fb7b213701 5 bytes JMP 000007fbfb3e0330 .text C:\Windows\System32\RuntimeBroker.exe[4348] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000007fb7b2137a1 5 bytes JMP 000007fbfb3e0410 .text C:\Windows\System32\RuntimeBroker.exe[4348] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000007fb7b2137d1 5 bytes JMP 000007fbfb3e0240 .text C:\Windows\System32\RuntimeBroker.exe[4348] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000007fb7b213ae1 5 bytes JMP 000007fbfb3e01e0 .text C:\Windows\System32\RuntimeBroker.exe[4348] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000007fb7b213ba1 5 bytes JMP 000007fbfb3e0250 .text C:\Windows\System32\RuntimeBroker.exe[4348] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000007fb7b213bd1 5 bytes JMP 000007fbfb3e0490 .text C:\Windows\System32\RuntimeBroker.exe[4348] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000007fb7b213be1 5 bytes JMP 000007fbfb3e04a0 .text C:\Windows\System32\RuntimeBroker.exe[4348] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000007fb7b213c11 5 bytes JMP 000007fbfb3e0300 .text C:\Windows\System32\RuntimeBroker.exe[4348] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000007fb7b213c21 5 bytes JMP 000007fbfb3e0360 .text C:\Windows\System32\RuntimeBroker.exe[4348] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000007fb7b213c81 5 bytes JMP 000007fbfb3e02a0 .text C:\Windows\System32\RuntimeBroker.exe[4348] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000007fb7b213cd1 5 bytes JMP 000007fbfb3e02c0 .text C:\Windows\System32\RuntimeBroker.exe[4348] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000007fb7b213d01 5 bytes JMP 000007fbfb3e0380 .text C:\Windows\System32\RuntimeBroker.exe[4348] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000007fb7b213d11 5 bytes JMP 000007fbfb3e0340 .text C:\Windows\System32\RuntimeBroker.exe[4348] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000007fb7b214021 5 bytes JMP 000007fbfb3e0440 .text C:\Windows\System32\RuntimeBroker.exe[4348] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000007fb7b214221 5 bytes JMP 000007fbfb3e0260 .text C:\Windows\System32\RuntimeBroker.exe[4348] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000007fb7b214231 5 bytes JMP 000007fbfb3e0270 .text C:\Windows\System32\RuntimeBroker.exe[4348] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000007fb7b214251 5 bytes JMP 000007fb7b3d19f4 .text C:\Windows\System32\RuntimeBroker.exe[4348] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000007fb7b214431 5 bytes JMP 000007fbfb3e01f0 .text C:\Windows\System32\RuntimeBroker.exe[4348] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000007fb7b214441 5 bytes JMP 000007fbfb3e0210 .text C:\Windows\System32\RuntimeBroker.exe[4348] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000007fb7b2144b1 5 bytes JMP 000007fbfb3e0200 .text C:\Windows\System32\RuntimeBroker.exe[4348] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000007fb7b214521 5 bytes JMP 000007fbfb3e0420 .text C:\Windows\System32\RuntimeBroker.exe[4348] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000007fb7b214531 5 bytes JMP 000007fbfb3e0430 .text C:\Windows\System32\RuntimeBroker.exe[4348] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000007fb7b214541 5 bytes JMP 000007fbfb3e0220 .text C:\Windows\System32\RuntimeBroker.exe[4348] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000007fb7b214651 5 bytes JMP 000007fbfb3e0280 .text C:\Windows\System32\RuntimeBroker.exe[4348] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 000007fb7b224a10 5 bytes JMP 000007fb7b3d075c .text C:\Windows\System32\RuntimeBroker.exe[4348] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 000007fb7b2431c4 5 bytes JMP 000007fb7b3d03a4 .text C:\Windows\System32\RuntimeBroker.exe[4348] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fb7af77510 5 bytes JMP 000007fbfafc0b14 .text C:\Windows\System32\RuntimeBroker.exe[4348] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fb7af77550 5 bytes JMP 000007fbfafc19f4 .text C:\Windows\System32\RuntimeBroker.exe[4348] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fb7af775d0 5 bytes JMP 000007fbfafc075c .text C:\Windows\System32\RuntimeBroker.exe[4348] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fb7af77b20 5 bytes JMP 000007fbfafc1284 .text C:\Windows\System32\RuntimeBroker.exe[4348] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fb7af9b034 5 bytes JMP 000007fbfafc03a4 .text C:\Windows\System32\RuntimeBroker.exe[4348] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fb7af9b2e4 5 bytes JMP 000007fbfafc163c .text C:\Windows\System32\RuntimeBroker.exe[4348] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fb7af9b470 5 bytes JMP 000007fbfafc0ecc .text C:\Windows\System32\RuntimeBroker.exe[4348] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fb7af9b6d4 5 bytes JMP 000007fbfafc1dac .text C:\Windows\System32\RuntimeBroker.exe[4348] C:\Windows\system32\USER32.dll!UnhookWindowsHookEx 000007fb7aa22120 5 bytes JMP 000007fbfab71284 .text C:\Windows\System32\RuntimeBroker.exe[4348] C:\Windows\system32\USER32.dll!SetWindowsHookExW 000007fb7aa2bee0 5 bytes JMP 000007fbfab70ecc .text C:\Windows\System32\RuntimeBroker.exe[4348] C:\Windows\system32\USER32.dll!UnhookWinEvent 000007fb7aa2e030 5 bytes JMP 000007fbfab7075c .text C:\Windows\System32\RuntimeBroker.exe[4348] C:\Windows\system32\USER32.dll!SetWinEventHook 000007fb7aa32f70 5 bytes JMP 000007fbfab703a4 .text C:\Windows\System32\RuntimeBroker.exe[4348] C:\Windows\system32\USER32.dll!SetWindowsHookExA 000007fb7aa51850 5 bytes JMP 000007fbfab70b14 .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000007fb7b212c90 5 bytes JMP 000007fbfb3e0460 .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000007fb7b212ce0 5 bytes JMP 000007fbfb3e0450 .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 000007fb7b212d60 5 bytes JMP 000007fb7b3d0b14 .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 000007fb7b212dc0 5 bytes JMP 000007fb7b3d0ecc .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000007fb7b212e40 5 bytes JMP 000007fbfb3e0370 .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000007fb7b212e90 5 bytes JMP 000007fbfb3e0470 .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000007fb7b212ea0 5 bytes JMP 000007fb7b3d163c .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000007fb7b212f50 5 bytes JMP 000007fbfb3e0320 .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000007fb7b212f80 5 bytes JMP 000007fbfb3e03b0 .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000007fb7b212fa0 5 bytes JMP 000007fbfb3e0390 .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000007fb7b212fe0 5 bytes JMP 000007fbfb3e02e0 .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000007fb7b213060 5 bytes JMP 000007fbfb3e02d0 .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000007fb7b213080 1 byte JMP 000007fbfb3e0310 .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection + 2 000007fb7b213082 3 bytes {JMP 0xffffffff801cd290} .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000007fb7b2130c0 5 bytes JMP 000007fbfb3e03c0 .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 000007fb7b2130e0 5 bytes JMP 000007fb7b3d1284 .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000007fb7b213110 5 bytes JMP 000007fbfb3e03f0 .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000007fb7b213281 5 bytes JMP 000007fbfb3e0230 .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000007fb7b213471 5 bytes JMP 000007fbfb3e0480 .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000007fb7b2134a1 5 bytes JMP 000007fbfb3e03a0 .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000007fb7b2135b1 5 bytes JMP 000007fbfb3e02f0 .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000007fb7b2135d1 5 bytes JMP 000007fbfb3e0350 .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000007fb7b213641 5 bytes JMP 000007fbfb3e0290 .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000007fb7b2136d1 5 bytes JMP 000007fbfb3e02b0 .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000007fb7b2136f1 5 bytes JMP 000007fbfb3e03d0 .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000007fb7b213701 5 bytes JMP 000007fbfb3e0330 .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000007fb7b2137a1 5 bytes JMP 000007fbfb3e0410 .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000007fb7b2137d1 5 bytes JMP 000007fbfb3e0240 .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000007fb7b213ae1 5 bytes JMP 000007fbfb3e01e0 .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000007fb7b213ba1 5 bytes JMP 000007fbfb3e0250 .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000007fb7b213bd1 5 bytes JMP 000007fbfb3e0490 .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000007fb7b213be1 5 bytes JMP 000007fbfb3e04a0 .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000007fb7b213c11 5 bytes JMP 000007fbfb3e0300 .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000007fb7b213c21 5 bytes JMP 000007fbfb3e0360 .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000007fb7b213c81 5 bytes JMP 000007fbfb3e02a0 .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000007fb7b213cd1 5 bytes JMP 000007fbfb3e02c0 .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000007fb7b213d01 5 bytes JMP 000007fbfb3e0380 .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000007fb7b213d11 5 bytes JMP 000007fbfb3e0340 .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000007fb7b214021 5 bytes JMP 000007fbfb3e0440 .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000007fb7b214221 5 bytes JMP 000007fbfb3e0260 .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000007fb7b214231 5 bytes JMP 000007fbfb3e0270 .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000007fb7b214251 5 bytes JMP 000007fb7b3d19f4 .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000007fb7b214431 5 bytes JMP 000007fbfb3e01f0 .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000007fb7b214441 5 bytes JMP 000007fbfb3e0210 .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000007fb7b2144b1 5 bytes JMP 000007fbfb3e0200 .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000007fb7b214521 5 bytes JMP 000007fbfb3e0420 .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000007fb7b214531 5 bytes JMP 000007fbfb3e0430 .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000007fb7b214541 5 bytes JMP 000007fbfb3e0220 .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000007fb7b214651 5 bytes JMP 000007fbfb3e0280 .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 000007fb7b224a10 5 bytes JMP 000007fb7b3d075c .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 000007fb7b2431c4 5 bytes JMP 000007fb7b3d03a4 .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[1920] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fb7af77510 5 bytes JMP 000007fbfafc0b14 .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[1920] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fb7af77550 5 bytes JMP 000007fbfafc19f4 .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[1920] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fb7af775d0 5 bytes JMP 000007fbfafc075c .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[1920] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fb7af77b20 5 bytes JMP 000007fbfafc1284 .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[1920] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fb7af9b034 5 bytes JMP 000007fbfafc03a4 .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[1920] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fb7af9b2e4 5 bytes JMP 000007fbfafc163c .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[1920] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fb7af9b470 5 bytes JMP 000007fbfafc0ecc .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[1920] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fb7af9b6d4 5 bytes JMP 000007fbfafc1dac .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[1920] C:\Windows\system32\USER32.dll!UnhookWindowsHookEx 000007fb7aa22120 5 bytes JMP 000007fbfab71284 .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[1920] C:\Windows\system32\USER32.dll!SetWindowsHookExW 000007fb7aa2bee0 5 bytes JMP 000007fbfab70ecc .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[1920] C:\Windows\system32\USER32.dll!UnhookWinEvent 000007fb7aa2e030 5 bytes JMP 000007fbfab7075c .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[1920] C:\Windows\system32\USER32.dll!SetWinEventHook 000007fb7aa32f70 5 bytes JMP 000007fbfab703a4 .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[1920] C:\Windows\system32\USER32.dll!SetWindowsHookExA 000007fb7aa51850 5 bytes JMP 000007fbfab70b14 .text C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe[4832] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000007fb7b212c90 5 bytes JMP 000007fbfb3e0460 .text C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe[4832] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000007fb7b212ce0 5 bytes JMP 000007fbfb3e0450 .text C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe[4832] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 000007fb7b212d60 5 bytes JMP 000007fb7b3d0b14 .text C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe[4832] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 000007fb7b212dc0 5 bytes JMP 000007fb7b3d0ecc .text C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe[4832] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000007fb7b212e40 5 bytes JMP 000007fbfb3e0370 .text C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe[4832] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000007fb7b212e90 5 bytes JMP 000007fbfb3e0470 .text C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe[4832] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000007fb7b212ea0 5 bytes JMP 000007fb7b3d163c .text C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe[4832] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000007fb7b212f50 5 bytes JMP 000007fbfb3e0320 .text C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe[4832] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000007fb7b212f80 5 bytes JMP 000007fbfb3e03b0 .text C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe[4832] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000007fb7b212fa0 5 bytes JMP 000007fbfb3e0390 .text C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe[4832] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000007fb7b212fe0 5 bytes JMP 000007fbfb3e02e0 .text C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe[4832] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000007fb7b213060 5 bytes JMP 000007fbfb3e02d0 .text C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe[4832] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000007fb7b213080 1 byte JMP 000007fbfb3e0310 .text C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe[4832] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection + 2 000007fb7b213082 3 bytes {JMP 0xffffffff801cd290} .text C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe[4832] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000007fb7b2130c0 5 bytes JMP 000007fbfb3e03c0 .text C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe[4832] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 000007fb7b2130e0 5 bytes JMP 000007fb7b3d1284 .text C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe[4832] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000007fb7b213110 5 bytes JMP 000007fbfb3e03f0 .text C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe[4832] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000007fb7b213281 5 bytes JMP 000007fbfb3e0230 .text C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe[4832] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000007fb7b213471 5 bytes JMP 000007fbfb3e0480 .text C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe[4832] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000007fb7b2134a1 5 bytes JMP 000007fbfb3e03a0 .text C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe[4832] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000007fb7b2135b1 5 bytes JMP 000007fbfb3e02f0 .text C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe[4832] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000007fb7b2135d1 5 bytes JMP 000007fbfb3e0350 .text C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe[4832] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000007fb7b213641 5 bytes JMP 000007fbfb3e0290 .text C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe[4832] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000007fb7b2136d1 5 bytes JMP 000007fbfb3e02b0 .text C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe[4832] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000007fb7b2136f1 5 bytes JMP 000007fbfb3e03d0 .text C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe[4832] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000007fb7b213701 5 bytes JMP 000007fbfb3e0330 .text C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe[4832] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000007fb7b2137a1 5 bytes JMP 000007fbfb3e0410 .text C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe[4832] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000007fb7b2137d1 5 bytes JMP 000007fbfb3e0240 .text C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe[4832] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000007fb7b213ae1 5 bytes JMP 000007fbfb3e01e0 .text C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe[4832] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000007fb7b213ba1 5 bytes JMP 000007fbfb3e0250 .text C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe[4832] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000007fb7b213bd1 5 bytes JMP 000007fbfb3e0490 .text C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe[4832] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000007fb7b213be1 5 bytes JMP 000007fbfb3e04a0 .text C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe[4832] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000007fb7b213c11 5 bytes JMP 000007fbfb3e0300 .text C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe[4832] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000007fb7b213c21 5 bytes JMP 000007fbfb3e0360 .text C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe[4832] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000007fb7b213c81 5 bytes JMP 000007fbfb3e02a0 .text C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe[4832] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000007fb7b213cd1 5 bytes JMP 000007fbfb3e02c0 .text C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe[4832] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000007fb7b213d01 5 bytes JMP 000007fbfb3e0380 .text C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe[4832] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000007fb7b213d11 5 bytes JMP 000007fbfb3e0340 .text C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe[4832] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000007fb7b214021 5 bytes JMP 000007fbfb3e0440 .text C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe[4832] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000007fb7b214221 5 bytes JMP 000007fbfb3e0260 .text C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe[4832] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000007fb7b214231 5 bytes JMP 000007fbfb3e0270 .text C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe[4832] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000007fb7b214251 5 bytes JMP 000007fb7b3d19f4 .text C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe[4832] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000007fb7b214431 5 bytes JMP 000007fbfb3e01f0 .text C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe[4832] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000007fb7b214441 5 bytes JMP 000007fbfb3e0210 .text C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe[4832] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000007fb7b2144b1 5 bytes JMP 000007fbfb3e0200 .text C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe[4832] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000007fb7b214521 5 bytes JMP 000007fbfb3e0420 .text C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe[4832] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000007fb7b214531 5 bytes JMP 000007fbfb3e0430 .text C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe[4832] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000007fb7b214541 5 bytes JMP 000007fbfb3e0220 .text C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe[4832] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000007fb7b214651 5 bytes JMP 000007fbfb3e0280 .text C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe[4832] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 000007fb7b224a10 5 bytes JMP 000007fb7b3d075c .text C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe[4832] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 000007fb7b2431c4 5 bytes JMP 000007fb7b3d03a4 .text C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe[4832] C:\Windows\system32\USER32.dll!UnhookWindowsHookEx 000007fb7aa22120 5 bytes JMP 000007fbfab71284 .text C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe[4832] C:\Windows\system32\USER32.dll!SetWindowsHookExW 000007fb7aa2bee0 5 bytes JMP 000007fbfab70ecc .text C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe[4832] C:\Windows\system32\USER32.dll!UnhookWinEvent 000007fb7aa2e030 5 bytes JMP 000007fbfab7075c .text C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe[4832] C:\Windows\system32\USER32.dll!SetWinEventHook 000007fb7aa32f70 5 bytes JMP 000007fbfab703a4 .text C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe[4832] C:\Windows\system32\USER32.dll!SetWindowsHookExA 000007fb7aa51850 5 bytes JMP 000007fbfab70b14 .text C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe[4832] C:\Windows\SYSTEM32\MSIMG32.dll!GradientFill + 690 000007fb6f911532 4 bytes [91, 6F, FB, 07] .text C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe[4832] C:\Windows\SYSTEM32\MSIMG32.dll!GradientFill + 698 000007fb6f91153a 4 bytes [91, 6F, FB, 07] .text C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe[4832] C:\Windows\SYSTEM32\MSIMG32.dll!TransparentBlt + 246 000007fb6f91165a 4 bytes [91, 6F, FB, 07] .text C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe[4832] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fb7af77510 5 bytes JMP 000007fbfafc0b14 .text C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe[4832] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fb7af77550 5 bytes JMP 000007fbfafc19f4 .text C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe[4832] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fb7af775d0 5 bytes JMP 000007fbfafc075c .text C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe[4832] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fb7af77b20 5 bytes JMP 000007fbfafc1284 .text C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe[4832] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fb7af9b034 5 bytes JMP 000007fbfafc03a4 .text C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe[4832] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fb7af9b2e4 5 bytes JMP 000007fbfafc163c .text C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe[4832] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fb7af9b470 5 bytes JMP 000007fbfafc0ecc .text C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe[4832] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fb7af9b6d4 5 bytes JMP 000007fbfafc1dac .text C:\Windows\system32\AUDIODG.EXE[5144] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000007fb7b212c90 5 bytes JMP 000007fbfb3e0460 .text C:\Windows\system32\AUDIODG.EXE[5144] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000007fb7b212ce0 5 bytes JMP 000007fbfb3e0450 .text C:\Windows\system32\AUDIODG.EXE[5144] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000007fb7b212e40 5 bytes JMP 000007fbfb3e0370 .text C:\Windows\system32\AUDIODG.EXE[5144] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000007fb7b212e90 5 bytes JMP 000007fbfb3e0470 .text C:\Windows\system32\AUDIODG.EXE[5144] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000007fb7b212ea0 5 bytes JMP 000007fbfb3e03e0 .text C:\Windows\system32\AUDIODG.EXE[5144] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000007fb7b212f50 5 bytes JMP 000007fbfb3e0320 .text C:\Windows\system32\AUDIODG.EXE[5144] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000007fb7b212f80 5 bytes JMP 000007fbfb3e03b0 .text C:\Windows\system32\AUDIODG.EXE[5144] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000007fb7b212fa0 5 bytes JMP 000007fbfb3e0390 .text C:\Windows\system32\AUDIODG.EXE[5144] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000007fb7b212fe0 5 bytes JMP 000007fbfb3e02e0 .text C:\Windows\system32\AUDIODG.EXE[5144] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000007fb7b213060 5 bytes JMP 000007fbfb3e02d0 .text C:\Windows\system32\AUDIODG.EXE[5144] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000007fb7b213080 1 byte JMP 000007fbfb3e0310 .text C:\Windows\system32\AUDIODG.EXE[5144] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection + 2 000007fb7b213082 3 bytes {JMP 0xffffffff801cd290} .text C:\Windows\system32\AUDIODG.EXE[5144] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000007fb7b2130c0 5 bytes JMP 000007fbfb3e03c0 .text C:\Windows\system32\AUDIODG.EXE[5144] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000007fb7b213110 5 bytes JMP 000007fbfb3e03f0 .text C:\Windows\system32\AUDIODG.EXE[5144] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000007fb7b213281 5 bytes JMP 000007fbfb3e0230 .text C:\Windows\system32\AUDIODG.EXE[5144] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000007fb7b213471 5 bytes JMP 000007fbfb3e0480 .text C:\Windows\system32\AUDIODG.EXE[5144] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000007fb7b2134a1 5 bytes JMP 000007fbfb3e03a0 .text C:\Windows\system32\AUDIODG.EXE[5144] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000007fb7b2135b1 5 bytes JMP 000007fbfb3e02f0 .text C:\Windows\system32\AUDIODG.EXE[5144] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000007fb7b2135d1 5 bytes JMP 000007fbfb3e0350 .text C:\Windows\system32\AUDIODG.EXE[5144] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000007fb7b213641 5 bytes JMP 000007fbfb3e0290 .text C:\Windows\system32\AUDIODG.EXE[5144] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000007fb7b2136d1 5 bytes JMP 000007fbfb3e02b0 .text C:\Windows\system32\AUDIODG.EXE[5144] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000007fb7b2136f1 5 bytes JMP 000007fbfb3e03d0 .text C:\Windows\system32\AUDIODG.EXE[5144] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000007fb7b213701 5 bytes JMP 000007fbfb3e0330 .text C:\Windows\system32\AUDIODG.EXE[5144] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000007fb7b2137a1 5 bytes JMP 000007fbfb3e0410 .text C:\Windows\system32\AUDIODG.EXE[5144] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000007fb7b2137d1 5 bytes JMP 000007fbfb3e0240 .text C:\Windows\system32\AUDIODG.EXE[5144] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000007fb7b213ae1 5 bytes JMP 000007fbfb3e01e0 .text C:\Windows\system32\AUDIODG.EXE[5144] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000007fb7b213ba1 5 bytes JMP 000007fbfb3e0250 .text C:\Windows\system32\AUDIODG.EXE[5144] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000007fb7b213bd1 5 bytes JMP 000007fbfb3e0490 .text C:\Windows\system32\AUDIODG.EXE[5144] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000007fb7b213be1 5 bytes JMP 000007fbfb3e04a0 .text C:\Windows\system32\AUDIODG.EXE[5144] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000007fb7b213c11 5 bytes JMP 000007fbfb3e0300 .text C:\Windows\system32\AUDIODG.EXE[5144] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000007fb7b213c21 5 bytes JMP 000007fbfb3e0360 .text C:\Windows\system32\AUDIODG.EXE[5144] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000007fb7b213c81 5 bytes JMP 000007fbfb3e02a0 .text C:\Windows\system32\AUDIODG.EXE[5144] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000007fb7b213cd1 5 bytes JMP 000007fbfb3e02c0 .text C:\Windows\system32\AUDIODG.EXE[5144] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000007fb7b213d01 5 bytes JMP 000007fbfb3e0380 .text C:\Windows\system32\AUDIODG.EXE[5144] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000007fb7b213d11 5 bytes JMP 000007fbfb3e0340 .text C:\Windows\system32\AUDIODG.EXE[5144] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000007fb7b214021 5 bytes JMP 000007fbfb3e0440 .text C:\Windows\system32\AUDIODG.EXE[5144] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000007fb7b214221 5 bytes JMP 000007fbfb3e0260 .text C:\Windows\system32\AUDIODG.EXE[5144] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000007fb7b214231 5 bytes JMP 000007fbfb3e0270 .text C:\Windows\system32\AUDIODG.EXE[5144] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000007fb7b214251 5 bytes JMP 000007fbfb3e0400 .text C:\Windows\system32\AUDIODG.EXE[5144] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000007fb7b214431 5 bytes JMP 000007fbfb3e01f0 .text C:\Windows\system32\AUDIODG.EXE[5144] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000007fb7b214441 5 bytes JMP 000007fbfb3e0210 .text C:\Windows\system32\AUDIODG.EXE[5144] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000007fb7b2144b1 5 bytes JMP 000007fbfb3e0200 .text C:\Windows\system32\AUDIODG.EXE[5144] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000007fb7b214521 5 bytes JMP 000007fbfb3e0420 .text C:\Windows\system32\AUDIODG.EXE[5144] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000007fb7b214531 5 bytes JMP 000007fbfb3e0430 .text C:\Windows\system32\AUDIODG.EXE[5144] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000007fb7b214541 5 bytes JMP 000007fbfb3e0220 .text C:\Windows\system32\AUDIODG.EXE[5144] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000007fb7b214651 5 bytes JMP 000007fbfb3e0280 .text C:\Windows\system32\NOTEPAD.EXE[6808] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000007fb7b212c90 5 bytes JMP 000007fbfb3e0460 .text C:\Windows\system32\NOTEPAD.EXE[6808] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000007fb7b212ce0 5 bytes JMP 000007fbfb3e0450 .text C:\Windows\system32\NOTEPAD.EXE[6808] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 000007fb7b212d60 5 bytes JMP 000007fb7b3d0b14 .text C:\Windows\system32\NOTEPAD.EXE[6808] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 000007fb7b212dc0 5 bytes JMP 000007fb7b3d0ecc .text C:\Windows\system32\NOTEPAD.EXE[6808] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000007fb7b212e40 5 bytes JMP 000007fbfb3e0370 .text C:\Windows\system32\NOTEPAD.EXE[6808] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000007fb7b212e90 5 bytes JMP 000007fbfb3e0470 .text C:\Windows\system32\NOTEPAD.EXE[6808] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000007fb7b212ea0 5 bytes JMP 000007fb7b3d163c .text C:\Windows\system32\NOTEPAD.EXE[6808] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000007fb7b212f50 5 bytes JMP 000007fbfb3e0320 .text C:\Windows\system32\NOTEPAD.EXE[6808] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000007fb7b212f80 5 bytes JMP 000007fbfb3e03b0 .text C:\Windows\system32\NOTEPAD.EXE[6808] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000007fb7b212fa0 5 bytes JMP 000007fbfb3e0390 .text C:\Windows\system32\NOTEPAD.EXE[6808] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000007fb7b212fe0 5 bytes JMP 000007fbfb3e02e0 .text C:\Windows\system32\NOTEPAD.EXE[6808] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000007fb7b213060 5 bytes JMP 000007fbfb3e02d0 .text C:\Windows\system32\NOTEPAD.EXE[6808] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000007fb7b213080 1 byte JMP 000007fbfb3e0310 .text C:\Windows\system32\NOTEPAD.EXE[6808] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection + 2 000007fb7b213082 3 bytes {JMP 0xffffffff801cd290} .text C:\Windows\system32\NOTEPAD.EXE[6808] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000007fb7b2130c0 5 bytes JMP 000007fbfb3e03c0 .text C:\Windows\system32\NOTEPAD.EXE[6808] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 000007fb7b2130e0 5 bytes JMP 000007fb7b3d1284 .text C:\Windows\system32\NOTEPAD.EXE[6808] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000007fb7b213110 5 bytes JMP 000007fbfb3e03f0 .text C:\Windows\system32\NOTEPAD.EXE[6808] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000007fb7b213281 5 bytes JMP 000007fbfb3e0230 .text C:\Windows\system32\NOTEPAD.EXE[6808] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000007fb7b213471 5 bytes JMP 000007fbfb3e0480 .text C:\Windows\system32\NOTEPAD.EXE[6808] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000007fb7b2134a1 5 bytes JMP 000007fbfb3e03a0 .text C:\Windows\system32\NOTEPAD.EXE[6808] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000007fb7b2135b1 5 bytes JMP 000007fbfb3e02f0 .text C:\Windows\system32\NOTEPAD.EXE[6808] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000007fb7b2135d1 5 bytes JMP 000007fbfb3e0350 .text C:\Windows\system32\NOTEPAD.EXE[6808] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000007fb7b213641 5 bytes JMP 000007fbfb3e0290 .text C:\Windows\system32\NOTEPAD.EXE[6808] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000007fb7b2136d1 5 bytes JMP 000007fbfb3e02b0 .text C:\Windows\system32\NOTEPAD.EXE[6808] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000007fb7b2136f1 5 bytes JMP 000007fbfb3e03d0 .text C:\Windows\system32\NOTEPAD.EXE[6808] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000007fb7b213701 5 bytes JMP 000007fbfb3e0330 .text C:\Windows\system32\NOTEPAD.EXE[6808] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000007fb7b2137a1 5 bytes JMP 000007fbfb3e0410 .text C:\Windows\system32\NOTEPAD.EXE[6808] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000007fb7b2137d1 5 bytes JMP 000007fbfb3e0240 .text C:\Windows\system32\NOTEPAD.EXE[6808] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000007fb7b213ae1 5 bytes JMP 000007fbfb3e01e0 .text C:\Windows\system32\NOTEPAD.EXE[6808] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000007fb7b213ba1 5 bytes JMP 000007fbfb3e0250 .text C:\Windows\system32\NOTEPAD.EXE[6808] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000007fb7b213bd1 5 bytes JMP 000007fbfb3e0490 .text C:\Windows\system32\NOTEPAD.EXE[6808] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000007fb7b213be1 5 bytes JMP 000007fbfb3e04a0 .text C:\Windows\system32\NOTEPAD.EXE[6808] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000007fb7b213c11 5 bytes JMP 000007fbfb3e0300 .text C:\Windows\system32\NOTEPAD.EXE[6808] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000007fb7b213c21 5 bytes JMP 000007fbfb3e0360 .text C:\Windows\system32\NOTEPAD.EXE[6808] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000007fb7b213c81 5 bytes JMP 000007fbfb3e02a0 .text C:\Windows\system32\NOTEPAD.EXE[6808] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000007fb7b213cd1 5 bytes JMP 000007fbfb3e02c0 .text C:\Windows\system32\NOTEPAD.EXE[6808] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000007fb7b213d01 5 bytes JMP 000007fbfb3e0380 .text C:\Windows\system32\NOTEPAD.EXE[6808] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000007fb7b213d11 5 bytes JMP 000007fbfb3e0340 .text C:\Windows\system32\NOTEPAD.EXE[6808] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000007fb7b214021 5 bytes JMP 000007fbfb3e0440 .text C:\Windows\system32\NOTEPAD.EXE[6808] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000007fb7b214221 5 bytes JMP 000007fbfb3e0260 .text C:\Windows\system32\NOTEPAD.EXE[6808] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000007fb7b214231 5 bytes JMP 000007fbfb3e0270 .text C:\Windows\system32\NOTEPAD.EXE[6808] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000007fb7b214251 5 bytes JMP 000007fb7b3d19f4 .text C:\Windows\system32\NOTEPAD.EXE[6808] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000007fb7b214431 5 bytes JMP 000007fbfb3e01f0 .text C:\Windows\system32\NOTEPAD.EXE[6808] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000007fb7b214441 5 bytes JMP 000007fbfb3e0210 .text C:\Windows\system32\NOTEPAD.EXE[6808] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000007fb7b2144b1 5 bytes JMP 000007fbfb3e0200 .text C:\Windows\system32\NOTEPAD.EXE[6808] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000007fb7b214521 5 bytes JMP 000007fbfb3e0420 .text C:\Windows\system32\NOTEPAD.EXE[6808] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000007fb7b214531 5 bytes JMP 000007fbfb3e0430 .text C:\Windows\system32\NOTEPAD.EXE[6808] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000007fb7b214541 5 bytes JMP 000007fbfb3e0220 .text C:\Windows\system32\NOTEPAD.EXE[6808] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000007fb7b214651 5 bytes JMP 000007fbfb3e0280 .text C:\Windows\system32\NOTEPAD.EXE[6808] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 000007fb7b224a10 5 bytes JMP 000007fb7b3d075c .text C:\Windows\system32\NOTEPAD.EXE[6808] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 000007fb7b2431c4 5 bytes JMP 000007fb7b3d03a4 .text C:\Windows\system32\NOTEPAD.EXE[6808] C:\Windows\system32\USER32.dll!UnhookWindowsHookEx 000007fb7aa22120 5 bytes JMP 000007fbfab71284 .text C:\Windows\system32\NOTEPAD.EXE[6808] C:\Windows\system32\USER32.dll!SetWindowsHookExW 000007fb7aa2bee0 5 bytes JMP 000007fbfab70ecc .text C:\Windows\system32\NOTEPAD.EXE[6808] C:\Windows\system32\USER32.dll!UnhookWinEvent 000007fb7aa2e030 5 bytes JMP 000007fbfab7075c .text C:\Windows\system32\NOTEPAD.EXE[6808] C:\Windows\system32\USER32.dll!SetWinEventHook 000007fb7aa32f70 5 bytes JMP 000007fbfab703a4 .text C:\Windows\system32\NOTEPAD.EXE[6808] C:\Windows\system32\USER32.dll!SetWindowsHookExA 000007fb7aa51850 5 bytes JMP 000007fbfab70b14 .text C:\Windows\system32\NOTEPAD.EXE[6808] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fb7af77510 5 bytes JMP 000007fbfafc0b14 .text C:\Windows\system32\NOTEPAD.EXE[6808] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fb7af77550 5 bytes JMP 000007fbfafc19f4 .text C:\Windows\system32\NOTEPAD.EXE[6808] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fb7af775d0 5 bytes JMP 000007fbfafc075c .text C:\Windows\system32\NOTEPAD.EXE[6808] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fb7af77b20 5 bytes JMP 000007fbfafc1284 .text C:\Windows\system32\NOTEPAD.EXE[6808] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fb7af9b034 5 bytes JMP 000007fbfafc03a4 .text C:\Windows\system32\NOTEPAD.EXE[6808] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fb7af9b2e4 5 bytes JMP 000007fbfafc163c .text C:\Windows\system32\NOTEPAD.EXE[6808] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fb7af9b470 5 bytes JMP 000007fbfafc0ecc .text C:\Windows\system32\NOTEPAD.EXE[6808] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fb7af9b6d4 5 bytes JMP 000007fbfafc1dac ---- Threads - GMER 2.1 ---- Thread C:\Windows\system32\csrss.exe [648:672] fffff960008c45e8 ---- Disk sectors - GMER 2.1 ---- Disk \Device\Harddisk0\DR0 unknown MBR code ---- EOF - GMER 2.1 ----