GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2014-09-17 16:54:31
Windows 6.2.9200 x64 \Device\Harddisk0\DR0 -> \Device\0000002a Hitachi_HTS545050A7E380 rev.GG2OA7A0 465,76GB
Running: gmer.exe; Driver: C:\Users\USER\AppData\Local\Temp\uwlyypoc.sys

---- User code sections - GMER 2.1 ----
C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000007fe8c4e2bc0 5 bytes JMP 000007ff0c6b0460 .text C:\Windows\system32\lsass.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000007fe8c4e2c10 5 bytes JMP 000007ff0c6b0450 .text C:\Windows\system32\lsass.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000007fe8c4e2d70 5 bytes JMP 000007ff0c6b0370 .text C:\Windows\system32\lsass.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000007fe8c4e2dc0 5 bytes JMP 000007ff0c6b0470 .text C:\Windows\system32\lsass.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000007fe8c4e2dd0 5 bytes JMP 000007ff0c6b03e0 .text C:\Windows\system32\lsass.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000007fe8c4e2e80 5 bytes JMP 000007ff0c6b0320 .text C:\Windows\system32\lsass.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000007fe8c4e2eb0 5 bytes JMP 000007ff0c6b03b0 .text C:\Windows\system32\lsass.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000007fe8c4e2ed0 5 bytes JMP 000007ff0c6b0390 .text C:\Windows\system32\lsass.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000007fe8c4e2f10 5 bytes JMP 000007ff0c6b02e0 .text C:\Windows\system32\lsass.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000007fe8c4e2f90 5 bytes JMP 000007ff0c6b02d0 .text C:\Windows\system32\lsass.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000007fe8c4e2fb0 5 bytes JMP 000007ff0c6b0310 .text C:\Windows\system32\lsass.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000007fe8c4e2ff0 5 bytes JMP 000007ff0c6b03c0 .text C:\Windows\system32\lsass.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000007fe8c4e3040 5 bytes JMP 000007ff0c6b03f0 .text C:\Windows\system32\lsass.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000007fe8c4e31b1 5 bytes JMP 000007ff0c6b0230 .text C:\Windows\system32\lsass.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000007fe8c4e33a1 5 bytes JMP 000007ff0c6b0480 .text 
C:\Windows\system32\lsass.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000007fe8c4e33d1 5 bytes JMP 000007ff0c6b03a0 .text C:\Windows\system32\lsass.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000007fe8c4e34e1 5 bytes JMP 000007ff0c6b02f0 .text C:\Windows\system32\lsass.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000007fe8c4e3501 5 bytes JMP 000007ff0c6b0350 .text C:\Windows\system32\lsass.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000007fe8c4e3571 5 bytes JMP 000007ff0c6b0290 .text C:\Windows\system32\lsass.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000007fe8c4e3601 5 bytes JMP 000007ff0c6b02b0 .text C:\Windows\system32\lsass.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000007fe8c4e3621 5 bytes JMP 000007ff0c6b03d0 .text C:\Windows\system32\lsass.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000007fe8c4e3631 5 bytes JMP 000007ff0c6b0330 .text C:\Windows\system32\lsass.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000007fe8c4e36d1 5 bytes JMP 000007ff0c6b0410 .text C:\Windows\system32\lsass.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000007fe8c4e3701 5 bytes JMP 000007ff0c6b0240 .text C:\Windows\system32\lsass.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000007fe8c4e3a11 5 bytes JMP 000007ff0c6b01e0 .text C:\Windows\system32\lsass.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000007fe8c4e3ad1 5 bytes JMP 000007ff0c6b0250 .text C:\Windows\system32\lsass.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000007fe8c4e3b01 5 bytes JMP 000007ff0c6b0490 .text C:\Windows\system32\lsass.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000007fe8c4e3b11 5 bytes JMP 000007ff0c6b04a0 .text C:\Windows\system32\lsass.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000007fe8c4e3b41 5 bytes JMP 000007ff0c6b0300 .text C:\Windows\system32\lsass.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000007fe8c4e3b51 
5 bytes JMP 000007ff0c6b0360 .text C:\Windows\system32\lsass.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000007fe8c4e3bb1 5 bytes JMP 000007ff0c6b02a0 .text C:\Windows\system32\lsass.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000007fe8c4e3c01 5 bytes JMP 000007ff0c6b02c0 .text C:\Windows\system32\lsass.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000007fe8c4e3c31 5 bytes JMP 000007ff0c6b0380 .text C:\Windows\system32\lsass.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000007fe8c4e3c41 5 bytes JMP 000007ff0c6b0340 .text C:\Windows\system32\lsass.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000007fe8c4e3f51 5 bytes JMP 000007ff0c6b0440 .text C:\Windows\system32\lsass.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000007fe8c4e4151 5 bytes JMP 000007ff0c6b0260 .text C:\Windows\system32\lsass.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000007fe8c4e4161 5 bytes JMP 000007ff0c6b0270 .text C:\Windows\system32\lsass.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000007fe8c4e4181 5 bytes JMP 000007ff0c6b0400 .text C:\Windows\system32\lsass.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000007fe8c4e4361 5 bytes JMP 000007ff0c6b01f0 .text C:\Windows\system32\lsass.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000007fe8c4e4371 5 bytes JMP 000007ff0c6b0210 .text C:\Windows\system32\lsass.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000007fe8c4e43e1 5 bytes JMP 000007ff0c6b0200 .text C:\Windows\system32\lsass.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000007fe8c4e4451 5 bytes JMP 000007ff0c6b0420 .text C:\Windows\system32\lsass.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000007fe8c4e4461 5 bytes JMP 000007ff0c6b0430 .text C:\Windows\system32\lsass.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000007fe8c4e4471 5 bytes JMP 000007ff0c6b0220 .text C:\Windows\system32\lsass.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 
000007fe8c4e4581 5 bytes JMP 000007ff0c6b0280 .text C:\Windows\system32\lsass.exe[744] C:\Windows\system32\KERNEL32.DLL!GetBinaryTypeW + 163 000007fe8c3af817 1 byte [62] .text C:\Windows\system32\svchost.exe[844] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000007fe8c4e2bc0 5 bytes JMP 000007ff0c6b0460 .text C:\Windows\system32\svchost.exe[844] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000007fe8c4e2c10 5 bytes JMP 000007ff0c6b0450 .text C:\Windows\system32\svchost.exe[844] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000007fe8c4e2d70 5 bytes JMP 000007ff0c6b0370 .text C:\Windows\system32\svchost.exe[844] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000007fe8c4e2dc0 5 bytes JMP 000007ff0c6b0470 .text C:\Windows\system32\svchost.exe[844] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000007fe8c4e2dd0 5 bytes JMP 000007ff0c6b03e0 .text C:\Windows\system32\svchost.exe[844] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000007fe8c4e2e80 5 bytes JMP 000007ff0c6b0320 .text C:\Windows\system32\svchost.exe[844] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000007fe8c4e2eb0 5 bytes JMP 000007ff0c6b03b0 .text C:\Windows\system32\svchost.exe[844] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000007fe8c4e2ed0 5 bytes JMP 000007ff0c6b0390 .text C:\Windows\system32\svchost.exe[844] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000007fe8c4e2f10 5 bytes JMP 000007ff0c6b02e0 .text C:\Windows\system32\svchost.exe[844] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000007fe8c4e2f90 5 bytes JMP 000007ff0c6b02d0 .text C:\Windows\system32\svchost.exe[844] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000007fe8c4e2fb0 5 bytes JMP 000007ff0c6b0310 .text C:\Windows\system32\svchost.exe[844] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000007fe8c4e2ff0 5 bytes JMP 000007ff0c6b03c0 .text C:\Windows\system32\svchost.exe[844] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000007fe8c4e3040 5 bytes JMP 000007ff0c6b03f0 .text C:\Windows\system32\svchost.exe[844] 
C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000007fe8c4e31b1 5 bytes JMP 000007ff0c6b0230 .text C:\Windows\system32\svchost.exe[844] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000007fe8c4e33a1 5 bytes JMP 000007ff0c6b0480 .text C:\Windows\system32\svchost.exe[844] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000007fe8c4e33d1 5 bytes JMP 000007ff0c6b03a0 .text C:\Windows\system32\svchost.exe[844] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000007fe8c4e34e1 5 bytes JMP 000007ff0c6b02f0 .text C:\Windows\system32\svchost.exe[844] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000007fe8c4e3501 5 bytes JMP 000007ff0c6b0350 .text C:\Windows\system32\svchost.exe[844] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000007fe8c4e3571 5 bytes JMP 000007ff0c6b0290 .text C:\Windows\system32\svchost.exe[844] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000007fe8c4e3601 5 bytes JMP 000007ff0c6b02b0 .text C:\Windows\system32\svchost.exe[844] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000007fe8c4e3621 5 bytes JMP 000007ff0c6b03d0 .text C:\Windows\system32\svchost.exe[844] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000007fe8c4e3631 5 bytes JMP 000007ff0c6b0330 .text C:\Windows\system32\svchost.exe[844] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000007fe8c4e36d1 5 bytes JMP 000007ff0c6b0410 .text C:\Windows\system32\svchost.exe[844] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000007fe8c4e3701 5 bytes JMP 000007ff0c6b0240 .text C:\Windows\system32\svchost.exe[844] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000007fe8c4e3a11 5 bytes JMP 000007ff0c6b01e0 .text C:\Windows\system32\svchost.exe[844] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000007fe8c4e3ad1 5 bytes JMP 000007ff0c6b0250 .text C:\Windows\system32\svchost.exe[844] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000007fe8c4e3b01 5 bytes JMP 000007ff0c6b0490 .text C:\Windows\system32\svchost.exe[844] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000007fe8c4e3b11 
5 bytes JMP 000007ff0c6b04a0 .text C:\Windows\system32\svchost.exe[844] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000007fe8c4e3b41 5 bytes JMP 000007ff0c6b0300 .text C:\Windows\system32\svchost.exe[844] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000007fe8c4e3b51 5 bytes JMP 000007ff0c6b0360 .text C:\Windows\system32\svchost.exe[844] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000007fe8c4e3bb1 5 bytes JMP 000007ff0c6b02a0 .text C:\Windows\system32\svchost.exe[844] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000007fe8c4e3c01 5 bytes JMP 000007ff0c6b02c0 .text C:\Windows\system32\svchost.exe[844] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000007fe8c4e3c31 5 bytes JMP 000007ff0c6b0380 .text C:\Windows\system32\svchost.exe[844] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000007fe8c4e3c41 5 bytes JMP 000007ff0c6b0340 .text C:\Windows\system32\svchost.exe[844] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000007fe8c4e3f51 5 bytes JMP 000007ff0c6b0440 .text C:\Windows\system32\svchost.exe[844] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000007fe8c4e4151 5 bytes JMP 000007ff0c6b0260 .text C:\Windows\system32\svchost.exe[844] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000007fe8c4e4161 5 bytes JMP 000007ff0c6b0270 .text C:\Windows\system32\svchost.exe[844] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000007fe8c4e4181 5 bytes JMP 000007ff0c6b0400 .text C:\Windows\system32\svchost.exe[844] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000007fe8c4e4361 5 bytes JMP 000007ff0c6b01f0 .text C:\Windows\system32\svchost.exe[844] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000007fe8c4e4371 5 bytes JMP 000007ff0c6b0210 .text C:\Windows\system32\svchost.exe[844] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000007fe8c4e43e1 5 bytes JMP 000007ff0c6b0200 .text C:\Windows\system32\svchost.exe[844] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000007fe8c4e4451 5 bytes JMP 000007ff0c6b0420 .text C:\Windows\system32\svchost.exe[844] 
C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000007fe8c4e4461 5 bytes JMP 000007ff0c6b0430 .text C:\Windows\system32\svchost.exe[844] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000007fe8c4e4471 5 bytes JMP 000007ff0c6b0220 .text C:\Windows\system32\svchost.exe[844] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000007fe8c4e4581 5 bytes JMP 000007ff0c6b0280 .text C:\Windows\system32\svchost.exe[844] C:\Windows\system32\KERNEL32.DLL!GetBinaryTypeW + 163 000007fe8c3af817 1 byte [62] .text C:\Windows\system32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000007fe8c4e2bc0 5 bytes JMP 000007ff0c6b0460 .text C:\Windows\system32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000007fe8c4e2c10 5 bytes JMP 000007ff0c6b0450 .text C:\Windows\system32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000007fe8c4e2d70 5 bytes JMP 000007ff0c6b0370 .text C:\Windows\system32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000007fe8c4e2dc0 5 bytes JMP 000007ff0c6b0470 .text C:\Windows\system32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000007fe8c4e2dd0 5 bytes JMP 000007ff0c6b03e0 .text C:\Windows\system32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000007fe8c4e2e80 5 bytes JMP 000007ff0c6b0320 .text C:\Windows\system32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000007fe8c4e2eb0 5 bytes JMP 000007ff0c6b03b0 .text C:\Windows\system32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000007fe8c4e2ed0 5 bytes JMP 000007ff0c6b0390 .text C:\Windows\system32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000007fe8c4e2f10 5 bytes JMP 000007ff0c6b02e0 .text C:\Windows\system32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000007fe8c4e2f90 5 bytes JMP 000007ff0c6b02d0 .text C:\Windows\system32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000007fe8c4e2fb0 5 bytes JMP 000007ff0c6b0310 .text 
C:\Windows\system32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000007fe8c4e2ff0 5 bytes JMP 000007ff0c6b03c0 .text C:\Windows\system32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000007fe8c4e3040 5 bytes JMP 000007ff0c6b03f0 .text C:\Windows\system32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000007fe8c4e31b1 5 bytes JMP 000007ff0c6b0230 .text C:\Windows\system32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000007fe8c4e33a1 5 bytes JMP 000007ff0c6b0480 .text C:\Windows\system32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000007fe8c4e33d1 5 bytes JMP 000007ff0c6b03a0 .text C:\Windows\system32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000007fe8c4e34e1 5 bytes JMP 000007ff0c6b02f0 .text C:\Windows\system32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000007fe8c4e3501 5 bytes JMP 000007ff0c6b0350 .text C:\Windows\system32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000007fe8c4e3571 5 bytes JMP 000007ff0c6b0290 .text C:\Windows\system32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000007fe8c4e3601 5 bytes JMP 000007ff0c6b02b0 .text C:\Windows\system32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000007fe8c4e3621 5 bytes JMP 000007ff0c6b03d0 .text C:\Windows\system32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000007fe8c4e3631 5 bytes JMP 000007ff0c6b0330 .text C:\Windows\system32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000007fe8c4e36d1 5 bytes JMP 000007ff0c6b0410 .text C:\Windows\system32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000007fe8c4e3701 5 bytes JMP 000007ff0c6b0240 .text C:\Windows\system32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000007fe8c4e3a11 5 bytes JMP 000007ff0c6b01e0 .text C:\Windows\system32\svchost.exe[912] 
C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000007fe8c4e3ad1 5 bytes JMP 000007ff0c6b0250 .text C:\Windows\system32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000007fe8c4e3b01 5 bytes JMP 000007ff0c6b0490 .text C:\Windows\system32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000007fe8c4e3b11 5 bytes JMP 000007ff0c6b04a0 .text C:\Windows\system32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000007fe8c4e3b41 5 bytes JMP 000007ff0c6b0300 .text C:\Windows\system32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000007fe8c4e3b51 5 bytes JMP 000007ff0c6b0360 .text C:\Windows\system32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000007fe8c4e3bb1 5 bytes JMP 000007ff0c6b02a0 .text C:\Windows\system32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000007fe8c4e3c01 5 bytes JMP 000007ff0c6b02c0 .text C:\Windows\system32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000007fe8c4e3c31 5 bytes JMP 000007ff0c6b0380 .text C:\Windows\system32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000007fe8c4e3c41 5 bytes JMP 000007ff0c6b0340 .text C:\Windows\system32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000007fe8c4e3f51 5 bytes JMP 000007ff0c6b0440 .text C:\Windows\system32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000007fe8c4e4151 5 bytes JMP 000007ff0c6b0260 .text C:\Windows\system32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000007fe8c4e4161 5 bytes JMP 000007ff0c6b0270 .text C:\Windows\system32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000007fe8c4e4181 5 bytes JMP 000007ff0c6b0400 .text C:\Windows\system32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000007fe8c4e4361 5 bytes JMP 000007ff0c6b01f0 .text C:\Windows\system32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000007fe8c4e4371 5 bytes JMP 
000007ff0c6b0210 .text C:\Windows\system32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000007fe8c4e43e1 5 bytes JMP 000007ff0c6b0200 .text C:\Windows\system32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000007fe8c4e4451 5 bytes JMP 000007ff0c6b0420 .text C:\Windows\system32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000007fe8c4e4461 5 bytes JMP 000007ff0c6b0430 .text C:\Windows\system32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000007fe8c4e4471 5 bytes JMP 000007ff0c6b0220 .text C:\Windows\system32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000007fe8c4e4581 5 bytes JMP 000007ff0c6b0280 .text C:\Windows\system32\svchost.exe[912] C:\Windows\system32\KERNEL32.DLL!GetBinaryTypeW + 163 000007fe8c3af817 1 byte [62] .text C:\Windows\system32\atiesrxx.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000007fe8c4e2bc0 5 bytes JMP 000007ff0c6b0460 .text C:\Windows\system32\atiesrxx.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000007fe8c4e2c10 5 bytes JMP 000007ff0c6b0450 .text C:\Windows\system32\atiesrxx.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000007fe8c4e2d70 5 bytes JMP 000007ff0c6b0370 .text C:\Windows\system32\atiesrxx.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000007fe8c4e2dc0 5 bytes JMP 000007ff0c6b0470 .text C:\Windows\system32\atiesrxx.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000007fe8c4e2dd0 5 bytes JMP 000007ff0c6b03e0 .text C:\Windows\system32\atiesrxx.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000007fe8c4e2e80 5 bytes JMP 000007ff0c6b0320 .text C:\Windows\system32\atiesrxx.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000007fe8c4e2eb0 5 bytes JMP 000007ff0c6b03b0 .text C:\Windows\system32\atiesrxx.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000007fe8c4e2ed0 5 bytes JMP 000007ff0c6b0390 .text C:\Windows\system32\atiesrxx.exe[976] 
C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000007fe8c4e2f10 5 bytes JMP 000007ff0c6b02e0 .text C:\Windows\system32\atiesrxx.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000007fe8c4e2f90 5 bytes JMP 000007ff0c6b02d0 .text C:\Windows\system32\atiesrxx.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000007fe8c4e2fb0 5 bytes JMP 000007ff0c6b0310 .text C:\Windows\system32\atiesrxx.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000007fe8c4e2ff0 5 bytes JMP 000007ff0c6b03c0 .text C:\Windows\system32\atiesrxx.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000007fe8c4e3040 5 bytes JMP 000007ff0c6b03f0 .text C:\Windows\system32\atiesrxx.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000007fe8c4e31b1 5 bytes JMP 000007ff0c6b0230 .text C:\Windows\system32\atiesrxx.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000007fe8c4e33a1 5 bytes JMP 000007ff0c6b0480 .text C:\Windows\system32\atiesrxx.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000007fe8c4e33d1 5 bytes JMP 000007ff0c6b03a0 .text C:\Windows\system32\atiesrxx.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000007fe8c4e34e1 5 bytes JMP 000007ff0c6b02f0 .text C:\Windows\system32\atiesrxx.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000007fe8c4e3501 5 bytes JMP 000007ff0c6b0350 .text C:\Windows\system32\atiesrxx.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000007fe8c4e3571 5 bytes JMP 000007ff0c6b0290 .text C:\Windows\system32\atiesrxx.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000007fe8c4e3601 5 bytes JMP 000007ff0c6b02b0 .text C:\Windows\system32\atiesrxx.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000007fe8c4e3621 5 bytes JMP 000007ff0c6b03d0 .text C:\Windows\system32\atiesrxx.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000007fe8c4e3631 5 bytes JMP 000007ff0c6b0330 .text C:\Windows\system32\atiesrxx.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000007fe8c4e36d1 5 
bytes JMP 000007ff0c6b0410 .text C:\Windows\system32\atiesrxx.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000007fe8c4e3701 5 bytes JMP 000007ff0c6b0240 .text C:\Windows\system32\atiesrxx.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000007fe8c4e3a11 5 bytes JMP 000007ff0c6b01e0 .text C:\Windows\system32\atiesrxx.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000007fe8c4e3ad1 5 bytes JMP 000007ff0c6b0250 .text C:\Windows\system32\atiesrxx.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000007fe8c4e3b01 5 bytes JMP 000007ff0c6b0490 .text C:\Windows\system32\atiesrxx.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000007fe8c4e3b11 5 bytes JMP 000007ff0c6b04a0 .text C:\Windows\system32\atiesrxx.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000007fe8c4e3b41 5 bytes JMP 000007ff0c6b0300 .text C:\Windows\system32\atiesrxx.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000007fe8c4e3b51 5 bytes JMP 000007ff0c6b0360 .text C:\Windows\system32\atiesrxx.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000007fe8c4e3bb1 5 bytes JMP 000007ff0c6b02a0 .text C:\Windows\system32\atiesrxx.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000007fe8c4e3c01 5 bytes JMP 000007ff0c6b02c0 .text C:\Windows\system32\atiesrxx.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000007fe8c4e3c31 5 bytes JMP 000007ff0c6b0380 .text C:\Windows\system32\atiesrxx.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000007fe8c4e3c41 5 bytes JMP 000007ff0c6b0340 .text C:\Windows\system32\atiesrxx.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000007fe8c4e3f51 5 bytes JMP 000007ff0c6b0440 .text C:\Windows\system32\atiesrxx.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000007fe8c4e4151 5 bytes JMP 000007ff0c6b0260 .text C:\Windows\system32\atiesrxx.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000007fe8c4e4161 5 bytes JMP 000007ff0c6b0270 .text C:\Windows\system32\atiesrxx.exe[976] 
C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000007fe8c4e4181 5 bytes JMP 000007ff0c6b0400 .text C:\Windows\system32\atiesrxx.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000007fe8c4e4361 5 bytes JMP 000007ff0c6b01f0 .text C:\Windows\system32\atiesrxx.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000007fe8c4e4371 5 bytes JMP 000007ff0c6b0210 .text C:\Windows\system32\atiesrxx.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000007fe8c4e43e1 5 bytes JMP 000007ff0c6b0200 .text C:\Windows\system32\atiesrxx.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000007fe8c4e4451 5 bytes JMP 000007ff0c6b0420 .text C:\Windows\system32\atiesrxx.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000007fe8c4e4461 5 bytes JMP 000007ff0c6b0430 .text C:\Windows\system32\atiesrxx.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000007fe8c4e4471 5 bytes JMP 000007ff0c6b0220 .text C:\Windows\system32\atiesrxx.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000007fe8c4e4581 5 bytes JMP 000007ff0c6b0280 .text C:\Windows\system32\atiesrxx.exe[976] C:\Windows\system32\KERNEL32.DLL!GetBinaryTypeW + 163 000007fe8c3af817 1 byte [62] .text C:\Windows\system32\atiesrxx.exe[976] C:\Windows\system32\PSAPI.DLL!GetProcessImageFileNameA + 306 000007fe8b38177a 4 bytes [38, 8B, FE, 07] .text C:\Windows\system32\atiesrxx.exe[976] C:\Windows\system32\PSAPI.DLL!GetProcessImageFileNameA + 314 000007fe8b381782 4 bytes [38, 8B, FE, 07] .text C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000007fe8c4e2bc0 5 bytes JMP 000007ff0c6b0460 .text C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000007fe8c4e2c10 5 bytes JMP 000007ff0c6b0450 .text C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000007fe8c4e2d70 5 bytes JMP 000007ff0c6b0370 .text C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 
C:\Windows\system32\Hpservice.exe[1292] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000007fe8c4e3bb1 5 bytes JMP 000007ff0c6b02a0 .text C:\Windows\system32\Hpservice.exe[1292] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000007fe8c4e3c01 5 bytes JMP 000007ff0c6b02c0 .text C:\Windows\system32\Hpservice.exe[1292] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000007fe8c4e3c31 5 bytes JMP 000007ff0c6b0380 .text C:\Windows\system32\Hpservice.exe[1292] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000007fe8c4e3c41 5 bytes JMP 000007ff0c6b0340 .text C:\Windows\system32\Hpservice.exe[1292] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000007fe8c4e3f51 5 bytes JMP 000007ff0c6b0440 .text C:\Windows\system32\Hpservice.exe[1292] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000007fe8c4e4151 5 bytes JMP 000007ff0c6b0260 .text C:\Windows\system32\Hpservice.exe[1292] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000007fe8c4e4161 5 bytes JMP 000007ff0c6b0270 .text C:\Windows\system32\Hpservice.exe[1292] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000007fe8c4e4181 5 bytes JMP 000007ff0c6b0400 .text C:\Windows\system32\Hpservice.exe[1292] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000007fe8c4e4361 5 bytes JMP 000007ff0c6b01f0 .text C:\Windows\system32\Hpservice.exe[1292] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000007fe8c4e4371 5 bytes JMP 000007ff0c6b0210 .text C:\Windows\system32\Hpservice.exe[1292] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000007fe8c4e43e1 5 bytes JMP 000007ff0c6b0200 .text C:\Windows\system32\Hpservice.exe[1292] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000007fe8c4e4451 5 bytes JMP 000007ff0c6b0420 .text C:\Windows\system32\Hpservice.exe[1292] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000007fe8c4e4461 5 bytes JMP 000007ff0c6b0430 .text C:\Windows\system32\Hpservice.exe[1292] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000007fe8c4e4471 5 bytes JMP 000007ff0c6b0220 .text C:\Windows\system32\Hpservice.exe[1292] 
C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000007fe8c4e4581 5 bytes JMP 000007ff0c6b0280 .text C:\Windows\system32\Hpservice.exe[1292] C:\Windows\system32\KERNEL32.DLL!GetBinaryTypeW + 163 000007fe8c3af817 1 byte [62] .text C:\Windows\system32\svchost.exe[1360] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000007fe8c4e2bc0 5 bytes JMP 000007ff0c6b0460 .text C:\Windows\system32\svchost.exe[1360] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000007fe8c4e2c10 5 bytes JMP 000007ff0c6b0450 .text C:\Windows\system32\svchost.exe[1360] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000007fe8c4e2d70 5 bytes JMP 000007ff0c6b0370 .text C:\Windows\system32\svchost.exe[1360] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000007fe8c4e2dc0 5 bytes JMP 000007ff0c6b0470 .text C:\Windows\system32\svchost.exe[1360] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000007fe8c4e2dd0 5 bytes JMP 000007ff0c6b03e0 .text C:\Windows\system32\svchost.exe[1360] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000007fe8c4e2e80 5 bytes JMP 000007ff0c6b0320 .text C:\Windows\system32\svchost.exe[1360] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000007fe8c4e2eb0 5 bytes JMP 000007ff0c6b03b0 .text C:\Windows\system32\svchost.exe[1360] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000007fe8c4e2ed0 5 bytes JMP 000007ff0c6b0390 .text C:\Windows\system32\svchost.exe[1360] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000007fe8c4e2f10 5 bytes JMP 000007ff0c6b02e0 .text C:\Windows\system32\svchost.exe[1360] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000007fe8c4e2f90 5 bytes JMP 000007ff0c6b02d0 .text C:\Windows\system32\svchost.exe[1360] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000007fe8c4e2fb0 5 bytes JMP 000007ff0c6b0310 .text C:\Windows\system32\svchost.exe[1360] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000007fe8c4e2ff0 5 bytes JMP 000007ff0c6b03c0 .text C:\Windows\system32\svchost.exe[1360] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000007fe8c4e3040 5 bytes JMP 
000007ff0c6b03f0 .text C:\Windows\system32\svchost.exe[1360] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000007fe8c4e31b1 5 bytes JMP 000007ff0c6b0230 .text C:\Windows\system32\svchost.exe[1360] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000007fe8c4e33a1 5 bytes JMP 000007ff0c6b0480 .text C:\Windows\system32\svchost.exe[1360] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000007fe8c4e33d1 5 bytes JMP 000007ff0c6b03a0 .text C:\Windows\system32\svchost.exe[1360] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000007fe8c4e34e1 5 bytes JMP 000007ff0c6b02f0 .text C:\Windows\system32\svchost.exe[1360] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000007fe8c4e3501 5 bytes JMP 000007ff0c6b0350 .text C:\Windows\system32\svchost.exe[1360] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000007fe8c4e3571 5 bytes JMP 000007ff0c6b0290 .text C:\Windows\system32\svchost.exe[1360] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000007fe8c4e3601 5 bytes JMP 000007ff0c6b02b0 .text C:\Windows\system32\svchost.exe[1360] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000007fe8c4e3621 5 bytes JMP 000007ff0c6b03d0 .text C:\Windows\system32\svchost.exe[1360] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000007fe8c4e3631 5 bytes JMP 000007ff0c6b0330 .text C:\Windows\system32\svchost.exe[1360] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000007fe8c4e36d1 5 bytes JMP 000007ff0c6b0410 .text C:\Windows\system32\svchost.exe[1360] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000007fe8c4e3701 5 bytes JMP 000007ff0c6b0240 .text C:\Windows\system32\svchost.exe[1360] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000007fe8c4e3a11 5 bytes JMP 000007ff0c6b01e0 .text C:\Windows\system32\svchost.exe[1360] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000007fe8c4e3ad1 5 bytes JMP 000007ff0c6b0250 .text C:\Windows\system32\svchost.exe[1360] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000007fe8c4e3b01 5 bytes JMP 000007ff0c6b0490 .text C:\Windows\system32\svchost.exe[1360] 
C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000007fe8c4e3b11 5 bytes JMP 000007ff0c6b04a0 .text C:\Windows\system32\svchost.exe[1360] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000007fe8c4e3b41 5 bytes JMP 000007ff0c6b0300 .text C:\Windows\system32\svchost.exe[1360] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000007fe8c4e3b51 5 bytes JMP 000007ff0c6b0360 .text C:\Windows\system32\svchost.exe[1360] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000007fe8c4e3bb1 5 bytes JMP 000007ff0c6b02a0 .text C:\Windows\system32\svchost.exe[1360] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000007fe8c4e3c01 5 bytes JMP 000007ff0c6b02c0 .text C:\Windows\system32\svchost.exe[1360] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000007fe8c4e3c31 5 bytes JMP 000007ff0c6b0380 .text C:\Windows\system32\svchost.exe[1360] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000007fe8c4e3c41 5 bytes JMP 000007ff0c6b0340 .text C:\Windows\system32\svchost.exe[1360] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000007fe8c4e3f51 5 bytes JMP 000007ff0c6b0440 .text C:\Windows\system32\svchost.exe[1360] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000007fe8c4e4151 5 bytes JMP 000007ff0c6b0260 .text C:\Windows\system32\svchost.exe[1360] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000007fe8c4e4161 5 bytes JMP 000007ff0c6b0270 .text C:\Windows\system32\svchost.exe[1360] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000007fe8c4e4181 5 bytes JMP 000007ff0c6b0400 .text C:\Windows\system32\svchost.exe[1360] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000007fe8c4e4361 5 bytes JMP 000007ff0c6b01f0 .text C:\Windows\system32\svchost.exe[1360] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000007fe8c4e4371 5 bytes JMP 000007ff0c6b0210 .text C:\Windows\system32\svchost.exe[1360] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000007fe8c4e43e1 5 bytes JMP 000007ff0c6b0200 .text C:\Windows\system32\svchost.exe[1360] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000007fe8c4e4451 5 
bytes JMP 000007ff0c6b0420 .text C:\Windows\system32\svchost.exe[1360] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000007fe8c4e4461 5 bytes JMP 000007ff0c6b0430 .text C:\Windows\system32\svchost.exe[1360] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000007fe8c4e4471 5 bytes JMP 000007ff0c6b0220 .text C:\Windows\system32\svchost.exe[1360] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000007fe8c4e4581 5 bytes JMP 000007ff0c6b0280 .text C:\Windows\system32\svchost.exe[1360] C:\Windows\system32\KERNEL32.DLL!GetBinaryTypeW + 163 000007fe8c3af817 1 byte [62] .text C:\Windows\System32\spoolsv.exe[1940] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000007fe8c4e2bc0 5 bytes JMP 000007ff0c6b0460 .text C:\Windows\System32\spoolsv.exe[1940] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000007fe8c4e2c10 5 bytes JMP 000007ff0c6b0450 .text C:\Windows\System32\spoolsv.exe[1940] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000007fe8c4e2d70 5 bytes JMP 000007ff0c6b0370 .text C:\Windows\System32\spoolsv.exe[1940] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000007fe8c4e2dc0 5 bytes JMP 000007ff0c6b0470 .text C:\Windows\System32\spoolsv.exe[1940] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000007fe8c4e2dd0 5 bytes JMP 000007ff0c6b03e0 .text C:\Windows\System32\spoolsv.exe[1940] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000007fe8c4e2e80 5 bytes JMP 000007ff0c6b0320 .text C:\Windows\System32\spoolsv.exe[1940] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000007fe8c4e2eb0 5 bytes JMP 000007ff0c6b03b0 .text C:\Windows\System32\spoolsv.exe[1940] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000007fe8c4e2ed0 5 bytes JMP 000007ff0c6b0390 .text C:\Windows\System32\spoolsv.exe[1940] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000007fe8c4e2f10 5 bytes JMP 000007ff0c6b02e0 .text C:\Windows\System32\spoolsv.exe[1940] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000007fe8c4e2f90 5 bytes JMP 000007ff0c6b02d0 .text C:\Windows\System32\spoolsv.exe[1940] 
C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000007fe8c4e2fb0 5 bytes JMP 000007ff0c6b0310 .text C:\Windows\System32\spoolsv.exe[1940] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000007fe8c4e2ff0 5 bytes JMP 000007ff0c6b03c0 .text C:\Windows\System32\spoolsv.exe[1940] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000007fe8c4e3040 5 bytes JMP 000007ff0c6b03f0 .text C:\Windows\System32\spoolsv.exe[1940] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000007fe8c4e31b1 5 bytes JMP 000007ff0c6b0230 .text C:\Windows\System32\spoolsv.exe[1940] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000007fe8c4e33a1 5 bytes JMP 000007ff0c6b0480 .text C:\Windows\System32\spoolsv.exe[1940] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000007fe8c4e33d1 5 bytes JMP 000007ff0c6b03a0 .text C:\Windows\System32\spoolsv.exe[1940] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000007fe8c4e34e1 5 bytes JMP 000007ff0c6b02f0 .text C:\Windows\System32\spoolsv.exe[1940] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000007fe8c4e3501 5 bytes JMP 000007ff0c6b0350 .text C:\Windows\System32\spoolsv.exe[1940] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000007fe8c4e3571 5 bytes JMP 000007ff0c6b0290 .text C:\Windows\System32\spoolsv.exe[1940] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000007fe8c4e3601 5 bytes JMP 000007ff0c6b02b0 .text C:\Windows\System32\spoolsv.exe[1940] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000007fe8c4e3621 5 bytes JMP 000007ff0c6b03d0 .text C:\Windows\System32\spoolsv.exe[1940] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000007fe8c4e3631 5 bytes JMP 000007ff0c6b0330 .text C:\Windows\System32\spoolsv.exe[1940] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000007fe8c4e36d1 5 bytes JMP 000007ff0c6b0410 .text C:\Windows\System32\spoolsv.exe[1940] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000007fe8c4e3701 5 bytes JMP 000007ff0c6b0240 .text C:\Windows\System32\spoolsv.exe[1940] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000007fe8c4e3a11 
5 bytes JMP 000007ff0c6b01e0 .text C:\Windows\System32\spoolsv.exe[1940] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000007fe8c4e3ad1 5 bytes JMP 000007ff0c6b0250 .text C:\Windows\System32\spoolsv.exe[1940] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000007fe8c4e3b01 5 bytes JMP 000007ff0c6b0490 .text C:\Windows\System32\spoolsv.exe[1940] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000007fe8c4e3b11 5 bytes JMP 000007ff0c6b04a0 .text C:\Windows\System32\spoolsv.exe[1940] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000007fe8c4e3b41 5 bytes JMP 000007ff0c6b0300 .text C:\Windows\System32\spoolsv.exe[1940] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000007fe8c4e3b51 5 bytes JMP 000007ff0c6b0360 .text C:\Windows\System32\spoolsv.exe[1940] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000007fe8c4e3bb1 5 bytes JMP 000007ff0c6b02a0 .text C:\Windows\System32\spoolsv.exe[1940] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000007fe8c4e3c01 5 bytes JMP 000007ff0c6b02c0 .text C:\Windows\System32\spoolsv.exe[1940] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000007fe8c4e3c31 5 bytes JMP 000007ff0c6b0380 .text C:\Windows\System32\spoolsv.exe[1940] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000007fe8c4e3c41 5 bytes JMP 000007ff0c6b0340 .text C:\Windows\System32\spoolsv.exe[1940] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000007fe8c4e3f51 5 bytes JMP 000007ff0c6b0440 .text C:\Windows\System32\spoolsv.exe[1940] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000007fe8c4e4151 5 bytes JMP 000007ff0c6b0260 .text C:\Windows\System32\spoolsv.exe[1940] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000007fe8c4e4161 5 bytes JMP 000007ff0c6b0270 .text C:\Windows\System32\spoolsv.exe[1940] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000007fe8c4e4181 5 bytes JMP 000007ff0c6b0400 .text C:\Windows\System32\spoolsv.exe[1940] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000007fe8c4e4361 5 bytes JMP 000007ff0c6b01f0 .text 
C:\Windows\System32\spoolsv.exe[1940] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000007fe8c4e4371 5 bytes JMP 000007ff0c6b0210 .text C:\Windows\System32\spoolsv.exe[1940] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000007fe8c4e43e1 5 bytes JMP 000007ff0c6b0200 .text C:\Windows\System32\spoolsv.exe[1940] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000007fe8c4e4451 5 bytes JMP 000007ff0c6b0420 .text C:\Windows\System32\spoolsv.exe[1940] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000007fe8c4e4461 5 bytes JMP 000007ff0c6b0430 .text C:\Windows\System32\spoolsv.exe[1940] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000007fe8c4e4471 5 bytes JMP 000007ff0c6b0220 .text C:\Windows\System32\spoolsv.exe[1940] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000007fe8c4e4581 5 bytes JMP 000007ff0c6b0280 .text C:\Windows\System32\spoolsv.exe[1940] C:\Windows\system32\KERNEL32.DLL!GetBinaryTypeW + 163 000007fe8c3af817 1 byte [62] .text C:\Windows\System32\spoolsv.exe[1940] C:\Windows\system32\PSAPI.DLL!GetProcessImageFileNameA + 306 000007fe8b38177a 4 bytes [38, 8B, FE, 07] .text C:\Windows\System32\spoolsv.exe[1940] C:\Windows\system32\PSAPI.DLL!GetProcessImageFileNameA + 314 000007fe8b381782 4 bytes [38, 8B, FE, 07] .text C:\Windows\system32\svchost.exe[2040] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000007fe8c4e2bc0 5 bytes JMP 000007ff0c6b0460 .text C:\Windows\system32\svchost.exe[2040] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000007fe8c4e2c10 5 bytes JMP 000007ff0c6b0450 .text C:\Windows\system32\svchost.exe[2040] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000007fe8c4e2d70 5 bytes JMP 000007ff0c6b0370 .text C:\Windows\system32\svchost.exe[2040] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000007fe8c4e2dc0 5 bytes JMP 000007ff0c6b0470 .text C:\Windows\system32\svchost.exe[2040] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000007fe8c4e2dd0 5 bytes JMP 000007ff0c6b03e0 .text C:\Windows\system32\svchost.exe[2040] 
C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000007fe8c4e2e80 5 bytes JMP 000007ff0c6b0320 .text C:\Windows\system32\svchost.exe[2040] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000007fe8c4e2eb0 5 bytes JMP 000007ff0c6b03b0 .text C:\Windows\system32\svchost.exe[2040] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000007fe8c4e2ed0 5 bytes JMP 000007ff0c6b0390 .text C:\Windows\system32\svchost.exe[2040] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000007fe8c4e2f10 5 bytes JMP 000007ff0c6b02e0 .text C:\Windows\system32\svchost.exe[2040] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000007fe8c4e2f90 5 bytes JMP 000007ff0c6b02d0 .text C:\Windows\system32\svchost.exe[2040] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000007fe8c4e2fb0 5 bytes JMP 000007ff0c6b0310 .text C:\Windows\system32\svchost.exe[2040] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000007fe8c4e2ff0 5 bytes JMP 000007ff0c6b03c0 .text C:\Windows\system32\svchost.exe[2040] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000007fe8c4e3040 5 bytes JMP 000007ff0c6b03f0 .text C:\Windows\system32\svchost.exe[2040] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000007fe8c4e31b1 5 bytes JMP 000007ff0c6b0230 .text C:\Windows\system32\svchost.exe[2040] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000007fe8c4e33a1 5 bytes JMP 000007ff0c6b0480 .text C:\Windows\system32\svchost.exe[2040] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000007fe8c4e33d1 5 bytes JMP 000007ff0c6b03a0 .text C:\Windows\system32\svchost.exe[2040] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000007fe8c4e34e1 5 bytes JMP 000007ff0c6b02f0 .text C:\Windows\system32\svchost.exe[2040] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000007fe8c4e3501 5 bytes JMP 000007ff0c6b0350 .text C:\Windows\system32\svchost.exe[2040] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000007fe8c4e3571 5 bytes JMP 000007ff0c6b0290 .text C:\Windows\system32\svchost.exe[2040] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000007fe8c4e3601 5 
bytes JMP 000007ff0c6b02b0 .text C:\Windows\system32\svchost.exe[2040] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000007fe8c4e3621 5 bytes JMP 000007ff0c6b03d0 .text C:\Windows\system32\svchost.exe[2040] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000007fe8c4e3631 5 bytes JMP 000007ff0c6b0330 .text C:\Windows\system32\svchost.exe[2040] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000007fe8c4e36d1 5 bytes JMP 000007ff0c6b0410 .text C:\Windows\system32\svchost.exe[2040] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000007fe8c4e3701 5 bytes JMP 000007ff0c6b0240 .text C:\Windows\system32\svchost.exe[2040] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000007fe8c4e3a11 5 bytes JMP 000007ff0c6b01e0 .text C:\Windows\system32\svchost.exe[2040] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000007fe8c4e3ad1 5 bytes JMP 000007ff0c6b0250 .text C:\Windows\system32\svchost.exe[2040] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000007fe8c4e3b01 5 bytes JMP 000007ff0c6b0490 .text C:\Windows\system32\svchost.exe[2040] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000007fe8c4e3b11 5 bytes JMP 000007ff0c6b04a0 .text C:\Windows\system32\svchost.exe[2040] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000007fe8c4e3b41 5 bytes JMP 000007ff0c6b0300 .text C:\Windows\system32\svchost.exe[2040] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000007fe8c4e3b51 5 bytes JMP 000007ff0c6b0360 .text C:\Windows\system32\svchost.exe[2040] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000007fe8c4e3bb1 5 bytes JMP 000007ff0c6b02a0 .text C:\Windows\system32\svchost.exe[2040] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000007fe8c4e3c01 5 bytes JMP 000007ff0c6b02c0 .text C:\Windows\system32\svchost.exe[2040] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000007fe8c4e3c31 5 bytes JMP 000007ff0c6b0380 .text C:\Windows\system32\svchost.exe[2040] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000007fe8c4e3c41 5 bytes JMP 000007ff0c6b0340 .text C:\Windows\system32\svchost.exe[2040] 
C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000007fe8c4e3f51 5 bytes JMP 000007ff0c6b0440 .text C:\Windows\system32\svchost.exe[2040] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000007fe8c4e4151 5 bytes JMP 000007ff0c6b0260 .text C:\Windows\system32\svchost.exe[2040] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000007fe8c4e4161 5 bytes JMP 000007ff0c6b0270 .text C:\Windows\system32\svchost.exe[2040] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000007fe8c4e4181 5 bytes JMP 000007ff0c6b0400 .text C:\Windows\system32\svchost.exe[2040] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000007fe8c4e4361 5 bytes JMP 000007ff0c6b01f0 .text C:\Windows\system32\svchost.exe[2040] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000007fe8c4e4371 5 bytes JMP 000007ff0c6b0210 .text C:\Windows\system32\svchost.exe[2040] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000007fe8c4e43e1 5 bytes JMP 000007ff0c6b0200 .text C:\Windows\system32\svchost.exe[2040] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000007fe8c4e4451 5 bytes JMP 000007ff0c6b0420 .text C:\Windows\system32\svchost.exe[2040] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000007fe8c4e4461 5 bytes JMP 000007ff0c6b0430 .text C:\Windows\system32\svchost.exe[2040] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000007fe8c4e4471 5 bytes JMP 000007ff0c6b0220 .text C:\Windows\system32\svchost.exe[2040] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000007fe8c4e4581 5 bytes JMP 000007ff0c6b0280 .text C:\Windows\system32\svchost.exe[2040] C:\Windows\system32\KERNEL32.DLL!GetBinaryTypeW + 163 000007fe8c3af817 1 byte [62] .text C:\Windows\system32\svchost.exe[1320] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000007fe8c4e2bc0 5 bytes JMP 000007ff0c6b0460 .text C:\Windows\system32\svchost.exe[1320] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000007fe8c4e2c10 5 bytes JMP 000007ff0c6b0450 .text C:\Windows\system32\svchost.exe[1320] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000007fe8c4e2d70 5 bytes 
JMP 000007ff0c6b0370 .text C:\Windows\system32\svchost.exe[1320] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000007fe8c4e2dc0 5 bytes JMP 000007ff0c6b0470 .text C:\Windows\system32\svchost.exe[1320] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000007fe8c4e2dd0 5 bytes JMP 000007ff0c6b03e0 .text C:\Windows\system32\svchost.exe[1320] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000007fe8c4e2e80 5 bytes JMP 000007ff0c6b0320 .text C:\Windows\system32\svchost.exe[1320] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000007fe8c4e2eb0 5 bytes JMP 000007ff0c6b03b0 .text C:\Windows\system32\svchost.exe[1320] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000007fe8c4e2ed0 5 bytes JMP 000007ff0c6b0390 .text C:\Windows\system32\svchost.exe[1320] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000007fe8c4e2f10 5 bytes JMP 000007ff0c6b02e0 .text C:\Windows\system32\svchost.exe[1320] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000007fe8c4e2f90 5 bytes JMP 000007ff0c6b02d0 .text C:\Windows\system32\svchost.exe[1320] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000007fe8c4e2fb0 5 bytes JMP 000007ff0c6b0310 .text C:\Windows\system32\svchost.exe[1320] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000007fe8c4e2ff0 5 bytes JMP 000007ff0c6b03c0 .text C:\Windows\system32\svchost.exe[1320] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000007fe8c4e3040 5 bytes JMP 000007ff0c6b03f0 .text C:\Windows\system32\svchost.exe[1320] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000007fe8c4e31b1 5 bytes JMP 000007ff0c6b0230 .text C:\Windows\system32\svchost.exe[1320] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000007fe8c4e33a1 5 bytes JMP 000007ff0c6b0480 .text C:\Windows\system32\svchost.exe[1320] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000007fe8c4e33d1 5 bytes JMP 000007ff0c6b03a0 .text C:\Windows\system32\svchost.exe[1320] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000007fe8c4e34e1 5 bytes JMP 000007ff0c6b02f0 .text 
C:\Windows\system32\svchost.exe[1320] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000007fe8c4e3501 5 bytes JMP 000007ff0c6b0350 .text C:\Windows\system32\svchost.exe[1320] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000007fe8c4e3571 5 bytes JMP 000007ff0c6b0290 .text C:\Windows\system32\svchost.exe[1320] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000007fe8c4e3601 5 bytes JMP 000007ff0c6b02b0 .text C:\Windows\system32\svchost.exe[1320] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000007fe8c4e3621 5 bytes JMP 000007ff0c6b03d0 .text C:\Windows\system32\svchost.exe[1320] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000007fe8c4e3631 5 bytes JMP 000007ff0c6b0330 .text C:\Windows\system32\svchost.exe[1320] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000007fe8c4e36d1 5 bytes JMP 000007ff0c6b0410 .text C:\Windows\system32\svchost.exe[1320] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000007fe8c4e3701 5 bytes JMP 000007ff0c6b0240 .text C:\Windows\system32\svchost.exe[1320] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000007fe8c4e3a11 5 bytes JMP 000007ff0c6b01e0 .text C:\Windows\system32\svchost.exe[1320] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000007fe8c4e3ad1 5 bytes JMP 000007ff0c6b0250 .text C:\Windows\system32\svchost.exe[1320] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000007fe8c4e3b01 5 bytes JMP 000007ff0c6b0490 .text C:\Windows\system32\svchost.exe[1320] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000007fe8c4e3b11 5 bytes JMP 000007ff0c6b04a0 .text C:\Windows\system32\svchost.exe[1320] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000007fe8c4e3b41 5 bytes JMP 000007ff0c6b0300 .text C:\Windows\system32\svchost.exe[1320] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000007fe8c4e3b51 5 bytes JMP 000007ff0c6b0360 .text C:\Windows\system32\svchost.exe[1320] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000007fe8c4e3bb1 5 bytes JMP 000007ff0c6b02a0 .text C:\Windows\system32\svchost.exe[1320] 
C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000007fe8c4e3c01 5 bytes JMP 000007ff0c6b02c0 .text C:\Windows\system32\svchost.exe[1320] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000007fe8c4e3c31 5 bytes JMP 000007ff0c6b0380 .text C:\Windows\system32\svchost.exe[1320] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000007fe8c4e3c41 5 bytes JMP 000007ff0c6b0340 .text C:\Windows\system32\svchost.exe[1320] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000007fe8c4e3f51 5 bytes JMP 000007ff0c6b0440 .text C:\Windows\system32\svchost.exe[1320] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000007fe8c4e4151 5 bytes JMP 000007ff0c6b0260 .text C:\Windows\system32\svchost.exe[1320] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000007fe8c4e4161 5 bytes JMP 000007ff0c6b0270 .text C:\Windows\system32\svchost.exe[1320] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000007fe8c4e4181 5 bytes JMP 000007ff0c6b0400 .text C:\Windows\system32\svchost.exe[1320] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000007fe8c4e4361 5 bytes JMP 000007ff0c6b01f0 .text C:\Windows\system32\svchost.exe[1320] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000007fe8c4e4371 5 bytes JMP 000007ff0c6b0210 .text C:\Windows\system32\svchost.exe[1320] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000007fe8c4e43e1 5 bytes JMP 000007ff0c6b0200 .text C:\Windows\system32\svchost.exe[1320] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000007fe8c4e4451 5 bytes JMP 000007ff0c6b0420 .text C:\Windows\system32\svchost.exe[1320] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000007fe8c4e4461 5 bytes JMP 000007ff0c6b0430 .text C:\Windows\system32\svchost.exe[1320] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000007fe8c4e4471 5 bytes JMP 000007ff0c6b0220 .text C:\Windows\system32\svchost.exe[1320] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000007fe8c4e4581 5 bytes JMP 000007ff0c6b0280 .text C:\Windows\system32\svchost.exe[1320] C:\Windows\system32\KERNEL32.DLL!GetBinaryTypeW + 163 000007fe8c3af817 1 
byte [62] .text C:\Program Files\Bonjour\mDNSResponder.exe[1568] C:\Windows\system32\KERNEL32.DLL!GetBinaryTypeW + 163 000007fe8c3af817 1 byte [62] .text C:\Windows\system32\dashost.exe[2104] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000007fe8c4e2bc0 5 bytes JMP 000007ff0c6b0460 .text C:\Windows\system32\dashost.exe[2104] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000007fe8c4e2c10 5 bytes JMP 000007ff0c6b0450 .text C:\Windows\system32\dashost.exe[2104] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000007fe8c4e2d70 5 bytes JMP 000007ff0c6b0370 .text C:\Windows\system32\dashost.exe[2104] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000007fe8c4e2dc0 5 bytes JMP 000007ff0c6b0470 .text C:\Windows\system32\dashost.exe[2104] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000007fe8c4e2dd0 5 bytes JMP 000007ff0c6b03e0 .text C:\Windows\system32\dashost.exe[2104] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000007fe8c4e2e80 5 bytes JMP 000007ff0c6b0320 .text C:\Windows\system32\dashost.exe[2104] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000007fe8c4e2eb0 5 bytes JMP 000007ff0c6b03b0 .text C:\Windows\system32\dashost.exe[2104] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000007fe8c4e2ed0 5 bytes JMP 000007ff0c6b0390 .text C:\Windows\system32\dashost.exe[2104] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000007fe8c4e2f10 5 bytes JMP 000007ff0c6b02e0 .text C:\Windows\system32\dashost.exe[2104] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000007fe8c4e2f90 5 bytes JMP 000007ff0c6b02d0 .text C:\Windows\system32\dashost.exe[2104] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000007fe8c4e2fb0 5 bytes JMP 000007ff0c6b0310 .text C:\Windows\system32\dashost.exe[2104] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000007fe8c4e2ff0 5 bytes JMP 000007ff0c6b03c0 .text C:\Windows\system32\dashost.exe[2104] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000007fe8c4e3040 5 bytes JMP 000007ff0c6b03f0 .text C:\Windows\system32\dashost.exe[2104] 
C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000007fe8c4e31b1 5 bytes JMP 000007ff0c6b0230 .text C:\Windows\system32\dashost.exe[2104] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000007fe8c4e33a1 5 bytes JMP 000007ff0c6b0480 .text C:\Windows\system32\dashost.exe[2104] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000007fe8c4e33d1 5 bytes JMP 000007ff0c6b03a0 .text C:\Windows\system32\dashost.exe[2104] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000007fe8c4e34e1 5 bytes JMP 000007ff0c6b02f0 .text C:\Windows\system32\dashost.exe[2104] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000007fe8c4e3501 5 bytes JMP 000007ff0c6b0350 .text C:\Windows\system32\dashost.exe[2104] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000007fe8c4e3571 5 bytes JMP 000007ff0c6b0290 .text C:\Windows\system32\dashost.exe[2104] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000007fe8c4e3601 5 bytes JMP 000007ff0c6b02b0 .text C:\Windows\system32\dashost.exe[2104] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000007fe8c4e3621 5 bytes JMP 000007ff0c6b03d0 .text C:\Windows\system32\dashost.exe[2104] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000007fe8c4e3631 5 bytes JMP 000007ff0c6b0330 .text C:\Windows\system32\dashost.exe[2104] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000007fe8c4e36d1 5 bytes JMP 000007ff0c6b0410 .text C:\Windows\system32\dashost.exe[2104] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000007fe8c4e3701 5 bytes JMP 000007ff0c6b0240 .text C:\Windows\system32\dashost.exe[2104] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000007fe8c4e3a11 5 bytes JMP 000007ff0c6b01e0 .text C:\Windows\system32\dashost.exe[2104] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000007fe8c4e3ad1 5 bytes JMP 000007ff0c6b0250 .text C:\Windows\system32\dashost.exe[2104] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000007fe8c4e3b01 5 bytes JMP 000007ff0c6b0490 .text C:\Windows\system32\dashost.exe[2104] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 
000007fe8c4e3b11 5 bytes JMP 000007ff0c6b04a0 .text C:\Windows\system32\dashost.exe[2104] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000007fe8c4e3b41 5 bytes JMP 000007ff0c6b0300 .text C:\Windows\system32\dashost.exe[2104] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000007fe8c4e3b51 5 bytes JMP 000007ff0c6b0360 .text C:\Windows\system32\dashost.exe[2104] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000007fe8c4e3bb1 5 bytes JMP 000007ff0c6b02a0 .text C:\Windows\system32\dashost.exe[2104] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000007fe8c4e3c01 5 bytes JMP 000007ff0c6b02c0 .text C:\Windows\system32\dashost.exe[2104] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000007fe8c4e3c31 5 bytes JMP 000007ff0c6b0380 .text C:\Windows\system32\dashost.exe[2104] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000007fe8c4e3c41 5 bytes JMP 000007ff0c6b0340 .text C:\Windows\system32\dashost.exe[2104] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000007fe8c4e3f51 5 bytes JMP 000007ff0c6b0440 .text C:\Windows\system32\dashost.exe[2104] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000007fe8c4e4151 5 bytes JMP 000007ff0c6b0260 .text C:\Windows\system32\dashost.exe[2104] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000007fe8c4e4161 5 bytes JMP 000007ff0c6b0270 .text C:\Windows\system32\dashost.exe[2104] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000007fe8c4e4181 5 bytes JMP 000007ff0c6b0400 .text C:\Windows\system32\dashost.exe[2104] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000007fe8c4e4361 5 bytes JMP 000007ff0c6b01f0 .text C:\Windows\system32\dashost.exe[2104] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000007fe8c4e4371 5 bytes JMP 000007ff0c6b0210 .text C:\Windows\system32\dashost.exe[2104] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000007fe8c4e43e1 5 bytes JMP 000007ff0c6b0200 .text C:\Windows\system32\dashost.exe[2104] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000007fe8c4e4451 5 bytes JMP 000007ff0c6b0420 .text 
C:\Windows\system32\dashost.exe[2104] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000007fe8c4e4461 5 bytes JMP 000007ff0c6b0430 .text C:\Windows\system32\dashost.exe[2104] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000007fe8c4e4471 5 bytes JMP 000007ff0c6b0220 .text C:\Windows\system32\dashost.exe[2104] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000007fe8c4e4581 5 bytes JMP 000007ff0c6b0280 .text C:\Windows\system32\dashost.exe[2104] C:\Windows\system32\KERNEL32.DLL!GetBinaryTypeW + 163 000007fe8c3af817 1 byte [62] .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2116] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000007fe8c4e2bc0 5 bytes JMP 000007ff0c6b0460 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2116] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000007fe8c4e2c10 5 bytes JMP 000007ff0c6b0450 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2116] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000007fe8c4e2d70 5 bytes JMP 000007ff0c6b0370 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2116] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000007fe8c4e2dc0 5 bytes JMP 000007ff0c6b0470 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2116] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000007fe8c4e2dd0 5 bytes JMP 000007ff0c6b03e0 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2116] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000007fe8c4e2e80 5 bytes JMP 000007ff0c6b0320 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2116] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000007fe8c4e2eb0 5 bytes JMP 000007ff0c6b03b0 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2116] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000007fe8c4e2ed0 5 bytes JMP 000007ff0c6b0390 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2116] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000007fe8c4e2f10 5 bytes JMP 000007ff0c6b02e0 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2116] 
C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000007fe8c4e2f90 5 bytes JMP 000007ff0c6b02d0 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000007fe8c4e2fb0 5 bytes JMP 000007ff0c6b0310 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000007fe8c4e2ff0 5 bytes JMP 000007ff0c6b03c0 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2116] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000007fe8c4e3040 5 bytes JMP 000007ff0c6b03f0 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2116] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000007fe8c4e31b1 5 bytes JMP 000007ff0c6b0230 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2116] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000007fe8c4e33a1 5 bytes JMP 000007ff0c6b0480 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2116] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000007fe8c4e33d1 5 bytes JMP 000007ff0c6b03a0 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000007fe8c4e34e1 5 bytes JMP 000007ff0c6b02f0 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000007fe8c4e3501 5 bytes JMP 000007ff0c6b0350 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000007fe8c4e3571 5 bytes JMP 000007ff0c6b0290 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000007fe8c4e3601 5 bytes JMP 000007ff0c6b02b0 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000007fe8c4e3621 5 bytes JMP 000007ff0c6b03d0 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000007fe8c4e3631 5 bytes JMP 000007ff0c6b0330 .text C:\Program Files\Intel\iCLS 
Client\HeciServer.exe[2116] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000007fe8c4e36d1 5 bytes JMP 000007ff0c6b0410 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2116] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000007fe8c4e3701 5 bytes JMP 000007ff0c6b0240 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2116] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000007fe8c4e3a11 5 bytes JMP 000007ff0c6b01e0 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2116] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000007fe8c4e3ad1 5 bytes JMP 000007ff0c6b0250 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2116] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000007fe8c4e3b01 5 bytes JMP 000007ff0c6b0490 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2116] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000007fe8c4e3b11 5 bytes JMP 000007ff0c6b04a0 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2116] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000007fe8c4e3b41 5 bytes JMP 000007ff0c6b0300 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2116] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000007fe8c4e3b51 5 bytes JMP 000007ff0c6b0360 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2116] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000007fe8c4e3bb1 5 bytes JMP 000007ff0c6b02a0 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2116] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000007fe8c4e3c01 5 bytes JMP 000007ff0c6b02c0 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2116] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000007fe8c4e3c31 5 bytes JMP 000007ff0c6b0380 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2116] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000007fe8c4e3c41 5 bytes JMP 000007ff0c6b0340 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2116] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000007fe8c4e3f51 5 bytes JMP 000007ff0c6b0440 .text C:\Program 
Files\Intel\iCLS Client\HeciServer.exe[2116] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000007fe8c4e4151 5 bytes JMP 000007ff0c6b0260 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2116] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000007fe8c4e4161 5 bytes JMP 000007ff0c6b0270 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2116] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000007fe8c4e4181 5 bytes JMP 000007ff0c6b0400 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2116] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000007fe8c4e4361 5 bytes JMP 000007ff0c6b01f0 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2116] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000007fe8c4e4371 5 bytes JMP 000007ff0c6b0210 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2116] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000007fe8c4e43e1 5 bytes JMP 000007ff0c6b0200 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2116] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000007fe8c4e4451 5 bytes JMP 000007ff0c6b0420 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2116] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000007fe8c4e4461 5 bytes JMP 000007ff0c6b0430 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2116] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000007fe8c4e4471 5 bytes JMP 000007ff0c6b0220 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2116] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000007fe8c4e4581 5 bytes JMP 000007ff0c6b0280 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2116] C:\Windows\system32\KERNEL32.DLL!GetBinaryTypeW + 163 000007fe8c3af817 1 byte [62] .text C:\Windows\system32\svchost.exe[2216] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000007fe8c4e2bc0 5 bytes JMP 000007ff0c6b0460 .text C:\Windows\system32\svchost.exe[2216] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000007fe8c4e2c10 5 bytes JMP 000007ff0c6b0450 .text 
C:\Windows\system32\svchost.exe[2216] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000007fe8c4e2d70 5 bytes JMP 000007ff0c6b0370 .text C:\Windows\system32\svchost.exe[2216] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000007fe8c4e2dc0 5 bytes JMP 000007ff0c6b0470 .text C:\Windows\system32\svchost.exe[2216] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000007fe8c4e2dd0 5 bytes JMP 000007ff0c6b03e0 .text C:\Windows\system32\svchost.exe[2216] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000007fe8c4e2e80 5 bytes JMP 000007ff0c6b0320 .text C:\Windows\system32\svchost.exe[2216] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000007fe8c4e2eb0 5 bytes JMP 000007ff0c6b03b0 .text C:\Windows\system32\svchost.exe[2216] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000007fe8c4e2ed0 5 bytes JMP 000007ff0c6b0390 .text C:\Windows\system32\svchost.exe[2216] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000007fe8c4e2f10 5 bytes JMP 000007ff0c6b02e0 .text C:\Windows\system32\svchost.exe[2216] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000007fe8c4e2f90 5 bytes JMP 000007ff0c6b02d0 .text C:\Windows\system32\svchost.exe[2216] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000007fe8c4e2fb0 5 bytes JMP 000007ff0c6b0310 .text C:\Windows\system32\svchost.exe[2216] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000007fe8c4e2ff0 5 bytes JMP 000007ff0c6b03c0 .text C:\Windows\system32\svchost.exe[2216] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000007fe8c4e3040 5 bytes JMP 000007ff0c6b03f0 .text C:\Windows\system32\svchost.exe[2216] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000007fe8c4e31b1 5 bytes JMP 000007ff0c6b0230 .text C:\Windows\system32\svchost.exe[2216] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000007fe8c4e33a1 5 bytes JMP 000007ff0c6b0480 .text C:\Windows\system32\svchost.exe[2216] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000007fe8c4e33d1 5 bytes JMP 000007ff0c6b03a0 .text C:\Windows\system32\svchost.exe[2216] 
C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000007fe8c4e34e1 5 bytes JMP 000007ff0c6b02f0 .text C:\Windows\system32\svchost.exe[2216] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000007fe8c4e3501 5 bytes JMP 000007ff0c6b0350 .text C:\Windows\system32\svchost.exe[2216] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000007fe8c4e3571 5 bytes JMP 000007ff0c6b0290 .text C:\Windows\system32\svchost.exe[2216] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000007fe8c4e3601 5 bytes JMP 000007ff0c6b02b0 .text C:\Windows\system32\svchost.exe[2216] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000007fe8c4e3621 5 bytes JMP 000007ff0c6b03d0 .text C:\Windows\system32\svchost.exe[2216] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000007fe8c4e3631 5 bytes JMP 000007ff0c6b0330 .text C:\Windows\system32\svchost.exe[2216] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000007fe8c4e36d1 5 bytes JMP 000007ff0c6b0410 .text C:\Windows\system32\svchost.exe[2216] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000007fe8c4e3701 5 bytes JMP 000007ff0c6b0240 .text C:\Windows\system32\svchost.exe[2216] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000007fe8c4e3a11 5 bytes JMP 000007ff0c6b01e0 .text C:\Windows\system32\svchost.exe[2216] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000007fe8c4e3ad1 5 bytes JMP 000007ff0c6b0250 .text C:\Windows\system32\svchost.exe[2216] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000007fe8c4e3b01 5 bytes JMP 000007ff0c6b0490 .text C:\Windows\system32\svchost.exe[2216] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000007fe8c4e3b11 5 bytes JMP 000007ff0c6b04a0 .text C:\Windows\system32\svchost.exe[2216] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000007fe8c4e3b41 5 bytes JMP 000007ff0c6b0300 .text C:\Windows\system32\svchost.exe[2216] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000007fe8c4e3b51 5 bytes JMP 000007ff0c6b0360 .text C:\Windows\system32\svchost.exe[2216] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000007fe8c4e3bb1 5 
bytes JMP 000007ff0c6b02a0 .text C:\Windows\system32\svchost.exe[2216] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000007fe8c4e3c01 5 bytes JMP 000007ff0c6b02c0 .text C:\Windows\system32\svchost.exe[2216] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000007fe8c4e3c31 5 bytes JMP 000007ff0c6b0380 .text C:\Windows\system32\svchost.exe[2216] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000007fe8c4e3c41 5 bytes JMP 000007ff0c6b0340 .text C:\Windows\system32\svchost.exe[2216] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000007fe8c4e3f51 5 bytes JMP 000007ff0c6b0440 .text C:\Windows\system32\svchost.exe[2216] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000007fe8c4e4151 5 bytes JMP 000007ff0c6b0260 .text C:\Windows\system32\svchost.exe[2216] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000007fe8c4e4161 5 bytes JMP 000007ff0c6b0270 .text C:\Windows\system32\svchost.exe[2216] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000007fe8c4e4181 5 bytes JMP 000007ff0c6b0400 .text C:\Windows\system32\svchost.exe[2216] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000007fe8c4e4361 5 bytes JMP 000007ff0c6b01f0 .text C:\Windows\system32\svchost.exe[2216] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000007fe8c4e4371 5 bytes JMP 000007ff0c6b0210 .text C:\Windows\system32\svchost.exe[2216] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000007fe8c4e43e1 5 bytes JMP 000007ff0c6b0200 .text C:\Windows\system32\svchost.exe[2216] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000007fe8c4e4451 5 bytes JMP 000007ff0c6b0420 .text C:\Windows\system32\svchost.exe[2216] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000007fe8c4e4461 5 bytes JMP 000007ff0c6b0430 .text C:\Windows\system32\svchost.exe[2216] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000007fe8c4e4471 5 bytes JMP 000007ff0c6b0220 .text C:\Windows\system32\svchost.exe[2216] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000007fe8c4e4581 5 bytes JMP 000007ff0c6b0280 .text C:\Windows\system32\svchost.exe[2216] 
C:\Windows\system32\KERNEL32.DLL!GetBinaryTypeW + 163 000007fe8c3af817 1 byte [62] .text C:\Program Files (x86)\Ralink Corporation\Ralink Bluetooth Stack\BsHelpCS.exe[2508] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000007fe8c4e2bc0 5 bytes JMP 000007ff0c6b0460 .text C:\Program Files (x86)\Ralink Corporation\Ralink Bluetooth Stack\BsHelpCS.exe[2508] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000007fe8c4e2c10 5 bytes JMP 000007ff0c6b0450 .text C:\Program Files (x86)\Ralink Corporation\Ralink Bluetooth Stack\BsHelpCS.exe[2508] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000007fe8c4e2d70 5 bytes JMP 000007ff0c6b0370 .text C:\Program Files (x86)\Ralink Corporation\Ralink Bluetooth Stack\BsHelpCS.exe[2508] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000007fe8c4e2dc0 5 bytes JMP 000007ff0c6b0470 .text C:\Program Files (x86)\Ralink Corporation\Ralink Bluetooth Stack\BsHelpCS.exe[2508] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000007fe8c4e2dd0 5 bytes JMP 000007ff0c6b03e0 .text C:\Program Files (x86)\Ralink Corporation\Ralink Bluetooth Stack\BsHelpCS.exe[2508] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000007fe8c4e2e80 5 bytes JMP 000007ff0c6b0320 .text C:\Program Files (x86)\Ralink Corporation\Ralink Bluetooth Stack\BsHelpCS.exe[2508] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000007fe8c4e2eb0 5 bytes JMP 000007ff0c6b03b0 .text C:\Program Files (x86)\Ralink Corporation\Ralink Bluetooth Stack\BsHelpCS.exe[2508] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000007fe8c4e2ed0 5 bytes JMP 000007ff0c6b0390 .text C:\Program Files (x86)\Ralink Corporation\Ralink Bluetooth Stack\BsHelpCS.exe[2508] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000007fe8c4e2f10 5 bytes JMP 000007ff0c6b02e0 .text C:\Program Files (x86)\Ralink Corporation\Ralink Bluetooth Stack\BsHelpCS.exe[2508] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000007fe8c4e2f90 5 bytes JMP 000007ff0c6b02d0 .text C:\Program Files (x86)\Ralink Corporation\Ralink Bluetooth 
Stack\BsHelpCS.exe[2508] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000007fe8c4e2fb0 5 bytes JMP 000007ff0c6b0310 .text C:\Program Files (x86)\Ralink Corporation\Ralink Bluetooth Stack\BsHelpCS.exe[2508] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000007fe8c4e2ff0 5 bytes JMP 000007ff0c6b03c0 .text C:\Program Files (x86)\Ralink Corporation\Ralink Bluetooth Stack\BsHelpCS.exe[2508] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000007fe8c4e3040 5 bytes JMP 000007ff0c6b03f0 .text C:\Program Files (x86)\Ralink Corporation\Ralink Bluetooth Stack\BsHelpCS.exe[2508] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000007fe8c4e31b1 5 bytes JMP 000007ff0c6b0230 .text C:\Program Files (x86)\Ralink Corporation\Ralink Bluetooth Stack\BsHelpCS.exe[2508] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000007fe8c4e33a1 5 bytes JMP 000007ff0c6b0480 .text C:\Program Files (x86)\Ralink Corporation\Ralink Bluetooth Stack\BsHelpCS.exe[2508] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000007fe8c4e33d1 5 bytes JMP 000007ff0c6b03a0 .text C:\Program Files (x86)\Ralink Corporation\Ralink Bluetooth Stack\BsHelpCS.exe[2508] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000007fe8c4e34e1 5 bytes JMP 000007ff0c6b02f0 .text C:\Program Files (x86)\Ralink Corporation\Ralink Bluetooth Stack\BsHelpCS.exe[2508] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000007fe8c4e3501 5 bytes JMP 000007ff0c6b0350 .text C:\Program Files (x86)\Ralink Corporation\Ralink Bluetooth Stack\BsHelpCS.exe[2508] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000007fe8c4e3571 5 bytes JMP 000007ff0c6b0290 .text C:\Program Files (x86)\Ralink Corporation\Ralink Bluetooth Stack\BsHelpCS.exe[2508] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000007fe8c4e3601 5 bytes JMP 000007ff0c6b02b0 .text C:\Program Files (x86)\Ralink Corporation\Ralink Bluetooth Stack\BsHelpCS.exe[2508] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000007fe8c4e3621 5 bytes JMP 000007ff0c6b03d0 .text C:\Program Files 
(x86)\Ralink Corporation\Ralink Bluetooth Stack\BsHelpCS.exe[2508] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000007fe8c4e3631 5 bytes JMP 000007ff0c6b0330 .text C:\Program Files (x86)\Ralink Corporation\Ralink Bluetooth Stack\BsHelpCS.exe[2508] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000007fe8c4e36d1 5 bytes JMP 000007ff0c6b0410 .text C:\Program Files (x86)\Ralink Corporation\Ralink Bluetooth Stack\BsHelpCS.exe[2508] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000007fe8c4e3701 5 bytes JMP 000007ff0c6b0240 .text C:\Program Files (x86)\Ralink Corporation\Ralink Bluetooth Stack\BsHelpCS.exe[2508] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000007fe8c4e3a11 5 bytes JMP 000007ff0c6b01e0 .text C:\Program Files (x86)\Ralink Corporation\Ralink Bluetooth Stack\BsHelpCS.exe[2508] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000007fe8c4e3ad1 5 bytes JMP 000007ff0c6b0250 .text C:\Program Files (x86)\Ralink Corporation\Ralink Bluetooth Stack\BsHelpCS.exe[2508] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000007fe8c4e3b01 5 bytes JMP 000007ff0c6b0490 .text C:\Program Files (x86)\Ralink Corporation\Ralink Bluetooth Stack\BsHelpCS.exe[2508] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000007fe8c4e3b11 5 bytes JMP 000007ff0c6b04a0 .text C:\Program Files (x86)\Ralink Corporation\Ralink Bluetooth Stack\BsHelpCS.exe[2508] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000007fe8c4e3b41 5 bytes JMP 000007ff0c6b0300 .text C:\Program Files (x86)\Ralink Corporation\Ralink Bluetooth Stack\BsHelpCS.exe[2508] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000007fe8c4e3b51 5 bytes JMP 000007ff0c6b0360 .text C:\Program Files (x86)\Ralink Corporation\Ralink Bluetooth Stack\BsHelpCS.exe[2508] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000007fe8c4e3bb1 5 bytes JMP 000007ff0c6b02a0 .text C:\Program Files (x86)\Ralink Corporation\Ralink Bluetooth Stack\BsHelpCS.exe[2508] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000007fe8c4e3c01 5 bytes JMP 000007ff0c6b02c0 
.text C:\Program Files (x86)\Ralink Corporation\Ralink Bluetooth Stack\BsHelpCS.exe[2508] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000007fe8c4e3c31 5 bytes JMP 000007ff0c6b0380 .text C:\Program Files (x86)\Ralink Corporation\Ralink Bluetooth Stack\BsHelpCS.exe[2508] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000007fe8c4e3c41 5 bytes JMP 000007ff0c6b0340 .text C:\Program Files (x86)\Ralink Corporation\Ralink Bluetooth Stack\BsHelpCS.exe[2508] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000007fe8c4e3f51 5 bytes JMP 000007ff0c6b0440 .text C:\Program Files (x86)\Ralink Corporation\Ralink Bluetooth Stack\BsHelpCS.exe[2508] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000007fe8c4e4151 5 bytes JMP 000007ff0c6b0260 .text C:\Program Files (x86)\Ralink Corporation\Ralink Bluetooth Stack\BsHelpCS.exe[2508] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000007fe8c4e4161 5 bytes JMP 000007ff0c6b0270 .text C:\Program Files (x86)\Ralink Corporation\Ralink Bluetooth Stack\BsHelpCS.exe[2508] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000007fe8c4e4181 5 bytes JMP 000007ff0c6b0400 .text C:\Program Files (x86)\Ralink Corporation\Ralink Bluetooth Stack\BsHelpCS.exe[2508] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000007fe8c4e4361 5 bytes JMP 000007ff0c6b01f0 .text C:\Program Files (x86)\Ralink Corporation\Ralink Bluetooth Stack\BsHelpCS.exe[2508] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000007fe8c4e4371 5 bytes JMP 000007ff0c6b0210 .text C:\Program Files (x86)\Ralink Corporation\Ralink Bluetooth Stack\BsHelpCS.exe[2508] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000007fe8c4e43e1 5 bytes JMP 000007ff0c6b0200 .text C:\Program Files (x86)\Ralink Corporation\Ralink Bluetooth Stack\BsHelpCS.exe[2508] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000007fe8c4e4451 5 bytes JMP 000007ff0c6b0420 .text C:\Program Files (x86)\Ralink Corporation\Ralink Bluetooth Stack\BsHelpCS.exe[2508] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000007fe8c4e4461 5 bytes 
JMP 000007ff0c6b0430 .text C:\Program Files (x86)\Ralink Corporation\Ralink Bluetooth Stack\BsHelpCS.exe[2508] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000007fe8c4e4471 5 bytes JMP 000007ff0c6b0220 .text C:\Program Files (x86)\Ralink Corporation\Ralink Bluetooth Stack\BsHelpCS.exe[2508] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000007fe8c4e4581 5 bytes JMP 000007ff0c6b0280 .text C:\Program Files (x86)\Ralink Corporation\Ralink Bluetooth Stack\BsHelpCS.exe[2508] C:\Windows\system32\KERNEL32.DLL!GetBinaryTypeW + 163 000007fe8c3af817 1 byte [62] .text C:\Windows\system32\svchost.exe[2728] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000007fe8c4e2bc0 5 bytes JMP 000007ff0c6b0460 .text C:\Windows\system32\svchost.exe[2728] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000007fe8c4e2c10 5 bytes JMP 000007ff0c6b0450 .text C:\Windows\system32\svchost.exe[2728] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000007fe8c4e2d70 5 bytes JMP 000007ff0c6b0370 .text C:\Windows\system32\svchost.exe[2728] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000007fe8c4e2dc0 5 bytes JMP 000007ff0c6b0470 .text C:\Windows\system32\svchost.exe[2728] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000007fe8c4e2dd0 5 bytes JMP 000007ff0c6b03e0 .text C:\Windows\system32\svchost.exe[2728] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000007fe8c4e2e80 5 bytes JMP 000007ff0c6b0320 .text C:\Windows\system32\svchost.exe[2728] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000007fe8c4e2eb0 5 bytes JMP 000007ff0c6b03b0 .text C:\Windows\system32\svchost.exe[2728] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000007fe8c4e2ed0 5 bytes JMP 000007ff0c6b0390 .text C:\Windows\system32\svchost.exe[2728] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000007fe8c4e2f10 5 bytes JMP 000007ff0c6b02e0 .text C:\Windows\system32\svchost.exe[2728] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000007fe8c4e2f90 5 bytes JMP 000007ff0c6b02d0 .text C:\Windows\system32\svchost.exe[2728] 
C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000007fe8c4e2fb0 5 bytes JMP 000007ff0c6b0310 .text C:\Windows\system32\svchost.exe[2728] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000007fe8c4e2ff0 5 bytes JMP 000007ff0c6b03c0 .text C:\Windows\system32\svchost.exe[2728] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000007fe8c4e3040 5 bytes JMP 000007ff0c6b03f0 .text C:\Windows\system32\svchost.exe[2728] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000007fe8c4e31b1 5 bytes JMP 000007ff0c6b0230 .text C:\Windows\system32\svchost.exe[2728] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000007fe8c4e33a1 5 bytes JMP 000007ff0c6b0480 .text C:\Windows\system32\svchost.exe[2728] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000007fe8c4e33d1 5 bytes JMP 000007ff0c6b03a0 .text C:\Windows\system32\svchost.exe[2728] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000007fe8c4e34e1 5 bytes JMP 000007ff0c6b02f0 .text C:\Windows\system32\svchost.exe[2728] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000007fe8c4e3501 5 bytes JMP 000007ff0c6b0350 .text C:\Windows\system32\svchost.exe[2728] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000007fe8c4e3571 5 bytes JMP 000007ff0c6b0290 .text C:\Windows\system32\svchost.exe[2728] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000007fe8c4e3601 5 bytes JMP 000007ff0c6b02b0 .text C:\Windows\system32\svchost.exe[2728] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000007fe8c4e3621 5 bytes JMP 000007ff0c6b03d0 .text C:\Windows\system32\svchost.exe[2728] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000007fe8c4e3631 5 bytes JMP 000007ff0c6b0330 .text C:\Windows\system32\svchost.exe[2728] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000007fe8c4e36d1 5 bytes JMP 000007ff0c6b0410 .text C:\Windows\system32\svchost.exe[2728] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000007fe8c4e3701 5 bytes JMP 000007ff0c6b0240 .text C:\Windows\system32\svchost.exe[2728] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000007fe8c4e3a11 
Files\IDT\WDM\sttray64.exe[3732] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000007fe8c4e4361 5 bytes JMP 000007ff0c6b01f0 .text C:\Program Files\IDT\WDM\sttray64.exe[3732] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000007fe8c4e4371 5 bytes JMP 000007ff0c6b0210 .text C:\Program Files\IDT\WDM\sttray64.exe[3732] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000007fe8c4e43e1 5 bytes JMP 000007ff0c6b0200 .text C:\Program Files\IDT\WDM\sttray64.exe[3732] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000007fe8c4e4451 5 bytes JMP 000007ff0c6b0420 .text C:\Program Files\IDT\WDM\sttray64.exe[3732] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000007fe8c4e4461 5 bytes JMP 000007ff0c6b0430 .text C:\Program Files\IDT\WDM\sttray64.exe[3732] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000007fe8c4e4471 5 bytes JMP 000007ff0c6b0220 .text C:\Program Files\IDT\WDM\sttray64.exe[3732] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000007fe8c4e4581 5 bytes JMP 000007ff0c6b0280 .text C:\Program Files\IDT\WDM\sttray64.exe[3732] C:\Windows\system32\KERNEL32.DLL!GetBinaryTypeW + 163 000007fe8c3af817 1 byte [62] ? C:\Windows\SYSTEM32\BsHelpCSps.dll [3792] entry point in ".data" section 0000000003035055 ? 
C:\Windows\SYSTEM32\BlueSoleilCSps.dll [3484] entry point in ".rdata" section 0000000010004085 .text C:\Windows\system32\wbem\wmiprvse.exe[3564] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000007fe8c4e2bc0 5 bytes JMP 000007ff0c6b0460 .text C:\Windows\system32\wbem\wmiprvse.exe[3564] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000007fe8c4e2c10 5 bytes JMP 000007ff0c6b0450 .text C:\Windows\system32\wbem\wmiprvse.exe[3564] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000007fe8c4e2d70 5 bytes JMP 000007ff0c6b0370 .text C:\Windows\system32\wbem\wmiprvse.exe[3564] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000007fe8c4e2dc0 5 bytes JMP 000007ff0c6b0470 .text C:\Windows\system32\wbem\wmiprvse.exe[3564] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000007fe8c4e2dd0 5 bytes JMP 000007ff0c6b03e0 .text C:\Windows\system32\wbem\wmiprvse.exe[3564] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000007fe8c4e2e80 5 bytes JMP 000007ff0c6b0320 .text C:\Windows\system32\wbem\wmiprvse.exe[3564] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000007fe8c4e2eb0 5 bytes JMP 000007ff0c6b03b0 .text C:\Windows\system32\wbem\wmiprvse.exe[3564] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000007fe8c4e2ed0 5 bytes JMP 000007ff0c6b0390 .text C:\Windows\system32\wbem\wmiprvse.exe[3564] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000007fe8c4e2f10 5 bytes JMP 000007ff0c6b02e0 .text C:\Windows\system32\wbem\wmiprvse.exe[3564] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000007fe8c4e2f90 5 bytes JMP 000007ff0c6b02d0 .text C:\Windows\system32\wbem\wmiprvse.exe[3564] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000007fe8c4e2fb0 5 bytes JMP 000007ff0c6b0310 .text C:\Windows\system32\wbem\wmiprvse.exe[3564] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000007fe8c4e2ff0 5 bytes JMP 000007ff0c6b03c0 .text C:\Windows\system32\wbem\wmiprvse.exe[3564] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000007fe8c4e3040 5 bytes JMP 000007ff0c6b03f0 .text 
C:\Windows\system32\wbem\wmiprvse.exe[3564] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000007fe8c4e31b1 5 bytes JMP 000007ff0c6b0230 .text C:\Windows\system32\wbem\wmiprvse.exe[3564] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000007fe8c4e33a1 5 bytes JMP 000007ff0c6b0480 .text C:\Windows\system32\wbem\wmiprvse.exe[3564] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000007fe8c4e33d1 5 bytes JMP 000007ff0c6b03a0 .text C:\Windows\system32\wbem\wmiprvse.exe[3564] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000007fe8c4e34e1 5 bytes JMP 000007ff0c6b02f0 .text C:\Windows\system32\wbem\wmiprvse.exe[3564] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000007fe8c4e3501 5 bytes JMP 000007ff0c6b0350 .text C:\Windows\system32\wbem\wmiprvse.exe[3564] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000007fe8c4e3571 5 bytes JMP 000007ff0c6b0290 .text C:\Windows\system32\wbem\wmiprvse.exe[3564] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000007fe8c4e3601 5 bytes JMP 000007ff0c6b02b0 .text C:\Windows\system32\wbem\wmiprvse.exe[3564] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000007fe8c4e3621 5 bytes JMP 000007ff0c6b03d0 .text C:\Windows\system32\wbem\wmiprvse.exe[3564] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000007fe8c4e3631 5 bytes JMP 000007ff0c6b0330 .text C:\Windows\system32\wbem\wmiprvse.exe[3564] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000007fe8c4e36d1 5 bytes JMP 000007ff0c6b0410 .text C:\Windows\system32\wbem\wmiprvse.exe[3564] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000007fe8c4e3701 5 bytes JMP 000007ff0c6b0240 .text C:\Windows\system32\wbem\wmiprvse.exe[3564] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000007fe8c4e3a11 5 bytes JMP 000007ff0c6b01e0 .text C:\Windows\system32\wbem\wmiprvse.exe[3564] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000007fe8c4e3ad1 5 bytes JMP 000007ff0c6b0250 .text C:\Windows\system32\wbem\wmiprvse.exe[3564] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000007fe8c4e3b01 5 bytes JMP 
000007ff0c6b0490 .text C:\Windows\system32\wbem\wmiprvse.exe[3564] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000007fe8c4e3b11 5 bytes JMP 000007ff0c6b04a0 .text C:\Windows\system32\wbem\wmiprvse.exe[3564] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000007fe8c4e3b41 5 bytes JMP 000007ff0c6b0300 .text C:\Windows\system32\wbem\wmiprvse.exe[3564] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000007fe8c4e3b51 5 bytes JMP 000007ff0c6b0360 .text C:\Windows\system32\wbem\wmiprvse.exe[3564] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000007fe8c4e3bb1 5 bytes JMP 000007ff0c6b02a0 .text C:\Windows\system32\wbem\wmiprvse.exe[3564] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000007fe8c4e3c01 5 bytes JMP 000007ff0c6b02c0 .text C:\Windows\system32\wbem\wmiprvse.exe[3564] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000007fe8c4e3c31 5 bytes JMP 000007ff0c6b0380 .text C:\Windows\system32\wbem\wmiprvse.exe[3564] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000007fe8c4e3c41 5 bytes JMP 000007ff0c6b0340 .text C:\Windows\system32\wbem\wmiprvse.exe[3564] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000007fe8c4e3f51 5 bytes JMP 000007ff0c6b0440 .text C:\Windows\system32\wbem\wmiprvse.exe[3564] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000007fe8c4e4151 5 bytes JMP 000007ff0c6b0260 .text C:\Windows\system32\wbem\wmiprvse.exe[3564] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000007fe8c4e4161 5 bytes JMP 000007ff0c6b0270 .text C:\Windows\system32\wbem\wmiprvse.exe[3564] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000007fe8c4e4181 5 bytes JMP 000007ff0c6b0400 .text C:\Windows\system32\wbem\wmiprvse.exe[3564] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000007fe8c4e4361 5 bytes JMP 000007ff0c6b01f0 .text C:\Windows\system32\wbem\wmiprvse.exe[3564] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000007fe8c4e4371 5 bytes JMP 000007ff0c6b0210 .text C:\Windows\system32\wbem\wmiprvse.exe[3564] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 
000007fe8c4e43e1 5 bytes JMP 000007ff0c6b0200 .text C:\Windows\system32\wbem\wmiprvse.exe[3564] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000007fe8c4e4451 5 bytes JMP 000007ff0c6b0420 .text C:\Windows\system32\wbem\wmiprvse.exe[3564] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000007fe8c4e4461 5 bytes JMP 000007ff0c6b0430 .text C:\Windows\system32\wbem\wmiprvse.exe[3564] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000007fe8c4e4471 5 bytes JMP 000007ff0c6b0220 .text C:\Windows\system32\wbem\wmiprvse.exe[3564] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000007fe8c4e4581 5 bytes JMP 000007ff0c6b0280 .text C:\Windows\system32\wbem\wmiprvse.exe[3564] C:\Windows\system32\KERNEL32.DLL!GetBinaryTypeW + 163 000007fe8c3af817 1 byte [62] .text C:\Windows\system32\wbem\unsecapp.exe[4212] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000007fe8c4e2bc0 5 bytes JMP 000007ff0c6b0460 .text C:\Windows\system32\wbem\unsecapp.exe[4212] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000007fe8c4e2c10 5 bytes JMP 000007ff0c6b0450 .text C:\Windows\system32\wbem\unsecapp.exe[4212] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000007fe8c4e2d70 5 bytes JMP 000007ff0c6b0370 .text C:\Windows\system32\wbem\unsecapp.exe[4212] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000007fe8c4e2dc0 5 bytes JMP 000007ff0c6b0470 .text C:\Windows\system32\wbem\unsecapp.exe[4212] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000007fe8c4e2dd0 5 bytes JMP 000007ff0c6b03e0 .text C:\Windows\system32\wbem\unsecapp.exe[4212] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000007fe8c4e2e80 5 bytes JMP 000007ff0c6b0320 .text C:\Windows\system32\wbem\unsecapp.exe[4212] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000007fe8c4e2eb0 5 bytes JMP 000007ff0c6b03b0 .text C:\Windows\system32\wbem\unsecapp.exe[4212] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000007fe8c4e2ed0 5 bytes JMP 000007ff0c6b0390 .text C:\Windows\system32\wbem\unsecapp.exe[4212] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 
000007fe8c4e2f10 5 bytes JMP 000007ff0c6b02e0 .text C:\Windows\system32\wbem\unsecapp.exe[4212] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000007fe8c4e2f90 5 bytes JMP 000007ff0c6b02d0 .text C:\Windows\system32\wbem\unsecapp.exe[4212] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000007fe8c4e2fb0 5 bytes JMP 000007ff0c6b0310 .text C:\Windows\system32\wbem\unsecapp.exe[4212] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000007fe8c4e2ff0 5 bytes JMP 000007ff0c6b03c0 .text C:\Windows\system32\wbem\unsecapp.exe[4212] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000007fe8c4e3040 5 bytes JMP 000007ff0c6b03f0 .text C:\Windows\system32\wbem\unsecapp.exe[4212] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000007fe8c4e31b1 5 bytes JMP 000007ff0c6b0230 .text C:\Windows\system32\wbem\unsecapp.exe[4212] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000007fe8c4e33a1 5 bytes JMP 000007ff0c6b0480 .text C:\Windows\system32\wbem\unsecapp.exe[4212] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000007fe8c4e33d1 5 bytes JMP 000007ff0c6b03a0 .text C:\Windows\system32\wbem\unsecapp.exe[4212] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000007fe8c4e34e1 5 bytes JMP 000007ff0c6b02f0 .text C:\Windows\system32\wbem\unsecapp.exe[4212] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000007fe8c4e3501 5 bytes JMP 000007ff0c6b0350 .text C:\Windows\system32\wbem\unsecapp.exe[4212] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000007fe8c4e3571 5 bytes JMP 000007ff0c6b0290 .text C:\Windows\system32\wbem\unsecapp.exe[4212] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000007fe8c4e3601 5 bytes JMP 000007ff0c6b02b0 .text C:\Windows\system32\wbem\unsecapp.exe[4212] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000007fe8c4e3621 5 bytes JMP 000007ff0c6b03d0 .text C:\Windows\system32\wbem\unsecapp.exe[4212] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000007fe8c4e3631 5 bytes JMP 000007ff0c6b0330 .text C:\Windows\system32\wbem\unsecapp.exe[4212] 
C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000007fe8c4e36d1 5 bytes JMP 000007ff0c6b0410 .text C:\Windows\system32\wbem\unsecapp.exe[4212] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000007fe8c4e3701 5 bytes JMP 000007ff0c6b0240 .text C:\Windows\system32\wbem\unsecapp.exe[4212] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000007fe8c4e3a11 5 bytes JMP 000007ff0c6b01e0 .text C:\Windows\system32\wbem\unsecapp.exe[4212] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000007fe8c4e3ad1 5 bytes JMP 000007ff0c6b0250 .text C:\Windows\system32\wbem\unsecapp.exe[4212] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000007fe8c4e3b01 5 bytes JMP 000007ff0c6b0490 .text C:\Windows\system32\wbem\unsecapp.exe[4212] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000007fe8c4e3b11 5 bytes JMP 000007ff0c6b04a0 .text C:\Windows\system32\wbem\unsecapp.exe[4212] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000007fe8c4e3b41 5 bytes JMP 000007ff0c6b0300 .text C:\Windows\system32\wbem\unsecapp.exe[4212] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000007fe8c4e3b51 5 bytes JMP 000007ff0c6b0360 .text C:\Windows\system32\wbem\unsecapp.exe[4212] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000007fe8c4e3bb1 5 bytes JMP 000007ff0c6b02a0 .text C:\Windows\system32\wbem\unsecapp.exe[4212] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000007fe8c4e3c01 5 bytes JMP 000007ff0c6b02c0 .text C:\Windows\system32\wbem\unsecapp.exe[4212] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000007fe8c4e3c31 5 bytes JMP 000007ff0c6b0380 .text C:\Windows\system32\wbem\unsecapp.exe[4212] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000007fe8c4e3c41 5 bytes JMP 000007ff0c6b0340 .text C:\Windows\system32\wbem\unsecapp.exe[4212] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000007fe8c4e3f51 5 bytes JMP 000007ff0c6b0440 .text C:\Windows\system32\wbem\unsecapp.exe[4212] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000007fe8c4e4151 5 bytes JMP 000007ff0c6b0260 .text 
C:\Windows\system32\wbem\unsecapp.exe[4212] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000007fe8c4e4161 5 bytes JMP 000007ff0c6b0270 .text C:\Windows\system32\wbem\unsecapp.exe[4212] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000007fe8c4e4181 5 bytes JMP 000007ff0c6b0400 .text C:\Windows\system32\wbem\unsecapp.exe[4212] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000007fe8c4e4361 5 bytes JMP 000007ff0c6b01f0 .text C:\Windows\system32\wbem\unsecapp.exe[4212] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000007fe8c4e4371 5 bytes JMP 000007ff0c6b0210 .text C:\Windows\system32\wbem\unsecapp.exe[4212] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000007fe8c4e43e1 5 bytes JMP 000007ff0c6b0200 .text C:\Windows\system32\wbem\unsecapp.exe[4212] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000007fe8c4e4451 5 bytes JMP 000007ff0c6b0420 .text C:\Windows\system32\wbem\unsecapp.exe[4212] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000007fe8c4e4461 5 bytes JMP 000007ff0c6b0430 .text C:\Windows\system32\wbem\unsecapp.exe[4212] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000007fe8c4e4471 5 bytes JMP 000007ff0c6b0220 .text C:\Windows\system32\wbem\unsecapp.exe[4212] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000007fe8c4e4581 5 bytes JMP 000007ff0c6b0280 .text C:\Windows\system32\wbem\unsecapp.exe[4212] C:\Windows\system32\KERNEL32.DLL!GetBinaryTypeW + 163 000007fe8c3af817 1 byte [62] .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[4740] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000007fe8c4e2bc0 5 bytes JMP 000007ff0c6b0460 .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[4740] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000007fe8c4e2c10 5 bytes JMP 000007ff0c6b0450 .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[4740] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000007fe8c4e2d70 5 bytes JMP 000007ff0c6b0370 .text C:\Program Files 
(x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[4740] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000007fe8c4e2dc0 5 bytes JMP 000007ff0c6b0470 .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[4740] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000007fe8c4e2dd0 5 bytes JMP 000007ff0c6b03e0 .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[4740] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000007fe8c4e2e80 5 bytes JMP 000007ff0c6b0320 .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[4740] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000007fe8c4e2eb0 5 bytes JMP 000007ff0c6b03b0 .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[4740] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000007fe8c4e2ed0 5 bytes JMP 000007ff0c6b0390 .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[4740] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000007fe8c4e2f10 5 bytes JMP 000007ff0c6b02e0 .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[4740] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000007fe8c4e2f90 5 bytes JMP 000007ff0c6b02d0 .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[4740] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000007fe8c4e2fb0 5 bytes JMP 000007ff0c6b0310 .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[4740] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000007fe8c4e2ff0 5 bytes JMP 000007ff0c6b03c0 .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[4740] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000007fe8c4e3040 5 bytes JMP 000007ff0c6b03f0 .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[4740] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000007fe8c4e31b1 5 bytes JMP 000007ff0c6b0230 .text C:\Program 
Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[4740] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000007fe8c4e33a1 5 bytes JMP 000007ff0c6b0480 .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[4740] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000007fe8c4e33d1 5 bytes JMP 000007ff0c6b03a0 .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[4740] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000007fe8c4e34e1 5 bytes JMP 000007ff0c6b02f0 .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[4740] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000007fe8c4e3501 5 bytes JMP 000007ff0c6b0350 .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[4740] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000007fe8c4e3571 5 bytes JMP 000007ff0c6b0290 .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[4740] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000007fe8c4e3601 5 bytes JMP 000007ff0c6b02b0 .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[4740] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000007fe8c4e3621 5 bytes JMP 000007ff0c6b03d0 .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[4740] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000007fe8c4e3631 5 bytes JMP 000007ff0c6b0330 .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[4740] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000007fe8c4e36d1 5 bytes JMP 000007ff0c6b0410 .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[4740] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000007fe8c4e3701 5 bytes JMP 000007ff0c6b0240 .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[4740] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000007fe8c4e3a11 5 bytes JMP 
000007ff0c6b01e0 .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[4740] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000007fe8c4e3ad1 5 bytes JMP 000007ff0c6b0250 .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[4740] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000007fe8c4e3b01 5 bytes JMP 000007ff0c6b0490 .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[4740] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000007fe8c4e3b11 5 bytes JMP 000007ff0c6b04a0 .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[4740] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000007fe8c4e3b41 5 bytes JMP 000007ff0c6b0300 .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[4740] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000007fe8c4e3b51 5 bytes JMP 000007ff0c6b0360 .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[4740] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000007fe8c4e3bb1 5 bytes JMP 000007ff0c6b02a0 .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[4740] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000007fe8c4e3c01 5 bytes JMP 000007ff0c6b02c0 .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[4740] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000007fe8c4e3c31 5 bytes JMP 000007ff0c6b0380 .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[4740] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000007fe8c4e3c41 5 bytes JMP 000007ff0c6b0340 .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[4740] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000007fe8c4e3f51 5 bytes JMP 000007ff0c6b0440 .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[4740] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000007fe8c4e4151 5 
bytes JMP 000007ff0c6b0260 .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[4740] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000007fe8c4e4161 5 bytes JMP 000007ff0c6b0270 .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[4740] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000007fe8c4e4181 5 bytes JMP 000007ff0c6b0400 .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[4740] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000007fe8c4e4361 5 bytes JMP 000007ff0c6b01f0 .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[4740] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000007fe8c4e4371 5 bytes JMP 000007ff0c6b0210 .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[4740] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000007fe8c4e43e1 5 bytes JMP 000007ff0c6b0200 .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[4740] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000007fe8c4e4451 5 bytes JMP 000007ff0c6b0420 .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[4740] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000007fe8c4e4461 5 bytes JMP 000007ff0c6b0430 .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[4740] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000007fe8c4e4471 5 bytes JMP 000007ff0c6b0220 .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[4740] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000007fe8c4e4581 5 bytes JMP 000007ff0c6b0280 .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[4740] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 163 000007fe8c3af817 1 byte [62] .text C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe[4836] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000007fe8c4e2bc0 
5 bytes JMP 000007ff0c6b0460 .text C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe[4836] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000007fe8c4e2c10 5 bytes JMP 000007ff0c6b0450 .text C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe[4836] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000007fe8c4e2d70 5 bytes JMP 000007ff0c6b0370 .text C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe[4836] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000007fe8c4e2dc0 5 bytes JMP 000007ff0c6b0470 .text C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe[4836] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000007fe8c4e2dd0 5 bytes JMP 000007ff0c6b03e0 .text C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe[4836] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000007fe8c4e2e80 5 bytes JMP 000007ff0c6b0320 .text C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe[4836] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000007fe8c4e2eb0 5 bytes JMP 000007ff0c6b03b0 .text C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe[4836] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000007fe8c4e2ed0 5 bytes JMP 000007ff0c6b0390 .text C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe[4836] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000007fe8c4e2f10 5 bytes JMP 000007ff0c6b02e0 .text C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe[4836] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000007fe8c4e2f90 5 bytes JMP 000007ff0c6b02d0 .text C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe[4836] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000007fe8c4e2fb0 5 bytes JMP 000007ff0c6b0310 .text C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe[4836] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000007fe8c4e2ff0 5 bytes JMP 000007ff0c6b03c0 .text C:\Program Files (x86)\Realtek\Realtek PCIE Card 
Reader\RIconMan.exe[4836] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000007fe8c4e3040 5 bytes JMP 000007ff0c6b03f0 .text C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe[4836] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000007fe8c4e31b1 5 bytes JMP 000007ff0c6b0230 .text C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe[4836] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000007fe8c4e33a1 5 bytes JMP 000007ff0c6b0480 .text C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe[4836] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000007fe8c4e33d1 5 bytes JMP 000007ff0c6b03a0 .text C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe[4836] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000007fe8c4e34e1 5 bytes JMP 000007ff0c6b02f0 .text C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe[4836] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000007fe8c4e3501 5 bytes JMP 000007ff0c6b0350 .text C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe[4836] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000007fe8c4e3571 5 bytes JMP 000007ff0c6b0290 .text C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe[4836] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000007fe8c4e3601 5 bytes JMP 000007ff0c6b02b0 .text C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe[4836] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000007fe8c4e3621 5 bytes JMP 000007ff0c6b03d0 .text C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe[4836] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000007fe8c4e3631 5 bytes JMP 000007ff0c6b0330 .text C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe[4836] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000007fe8c4e36d1 5 bytes JMP 000007ff0c6b0410 .text C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe[4836] 
C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000007fe8c4e3701 5 bytes JMP 000007ff0c6b0240 .text C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe[4836] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000007fe8c4e3a11 5 bytes JMP 000007ff0c6b01e0 .text C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe[4836] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000007fe8c4e3ad1 5 bytes JMP 000007ff0c6b0250 .text C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe[4836] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000007fe8c4e3b01 5 bytes JMP 000007ff0c6b0490 .text C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe[4836] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000007fe8c4e3b11 5 bytes JMP 000007ff0c6b04a0 .text C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe[4836] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000007fe8c4e3b41 5 bytes JMP 000007ff0c6b0300 .text C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe[4836] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000007fe8c4e3b51 5 bytes JMP 000007ff0c6b0360 .text C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe[4836] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000007fe8c4e3bb1 5 bytes JMP 000007ff0c6b02a0 .text C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe[4836] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000007fe8c4e3c01 5 bytes JMP 000007ff0c6b02c0 .text C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe[4836] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000007fe8c4e3c31 5 bytes JMP 000007ff0c6b0380 .text C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe[4836] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000007fe8c4e3c41 5 bytes JMP 000007ff0c6b0340 .text C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe[4836] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000007fe8c4e3f51 5 bytes JMP 
000007ff0c6b0440 .text C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe[4836] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000007fe8c4e4151 5 bytes JMP 000007ff0c6b0260 .text C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe[4836] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000007fe8c4e4161 5 bytes JMP 000007ff0c6b0270 .text C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe[4836] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000007fe8c4e4181 5 bytes JMP 000007ff0c6b0400 .text C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe[4836] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000007fe8c4e4361 5 bytes JMP 000007ff0c6b01f0 .text C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe[4836] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000007fe8c4e4371 5 bytes JMP 000007ff0c6b0210 .text C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe[4836] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000007fe8c4e43e1 5 bytes JMP 000007ff0c6b0200 .text C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe[4836] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000007fe8c4e4451 5 bytes JMP 000007ff0c6b0420 .text C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe[4836] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000007fe8c4e4461 5 bytes JMP 000007ff0c6b0430 .text C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe[4836] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000007fe8c4e4471 5 bytes JMP 000007ff0c6b0220 .text C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe[4836] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000007fe8c4e4581 5 bytes JMP 000007ff0c6b0280 .text C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe[4836] C:\Windows\system32\KERNEL32.DLL!GetBinaryTypeW + 163 000007fe8c3af817 1 byte [62] .text C:\Program Files (x86)\Realtek\Realtek PCIE Card 
Reader\RIconMan.exe[4836] C:\Windows\SYSTEM32\MSIMG32.dll!GradientFill + 690 000007fe7ff61532 4 bytes [F6, 7F, FE, 07] .text C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe[4836] C:\Windows\SYSTEM32\MSIMG32.dll!GradientFill + 698 000007fe7ff6153a 4 bytes [F6, 7F, FE, 07] .text C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe[4836] C:\Windows\SYSTEM32\MSIMG32.dll!TransparentBlt + 246 000007fe7ff6165a 4 bytes [F6, 7F, FE, 07] .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4708] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000007fe8c4e2bc0 5 bytes JMP 000007ff0c6b0460 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4708] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000007fe8c4e2c10 5 bytes JMP 000007ff0c6b0450 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4708] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000007fe8c4e2d70 5 bytes JMP 000007ff0c6b0370 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4708] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000007fe8c4e2dc0 5 bytes JMP 000007ff0c6b0470 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4708] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000007fe8c4e2dd0 5 bytes JMP 000007ff0c6b03e0 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4708] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000007fe8c4e2e80 5 bytes JMP 000007ff0c6b0320 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4708] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000007fe8c4e2eb0 5 bytes JMP 000007ff0c6b03b0 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4708] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000007fe8c4e2ed0 5 bytes JMP 000007ff0c6b0390 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4708] 
C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000007fe8c4e2f10 5 bytes JMP 000007ff0c6b02e0 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4708] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000007fe8c4e2f90 5 bytes JMP 000007ff0c6b02d0 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4708] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000007fe8c4e2fb0 5 bytes JMP 000007ff0c6b0310 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4708] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000007fe8c4e2ff0 5 bytes JMP 000007ff0c6b03c0 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4708] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000007fe8c4e3040 5 bytes JMP 000007ff0c6b03f0 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4708] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000007fe8c4e31b1 5 bytes JMP 000007ff0c6b0230 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4708] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000007fe8c4e33a1 5 bytes JMP 000007ff0c6b0480 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4708] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000007fe8c4e33d1 5 bytes JMP 000007ff0c6b03a0 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4708] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000007fe8c4e34e1 5 bytes JMP 000007ff0c6b02f0 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4708] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000007fe8c4e3501 5 bytes JMP 000007ff0c6b0350 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4708] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000007fe8c4e3571 5 bytes JMP 000007ff0c6b0290 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4708] 
C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000007fe8c4e3601 5 bytes JMP 000007ff0c6b02b0 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4708] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000007fe8c4e3621 5 bytes JMP 000007ff0c6b03d0 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4708] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000007fe8c4e3631 5 bytes JMP 000007ff0c6b0330 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4708] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000007fe8c4e36d1 5 bytes JMP 000007ff0c6b0410 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4708] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000007fe8c4e3701 5 bytes JMP 000007ff0c6b0240 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4708] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000007fe8c4e3a11 5 bytes JMP 000007ff0c6b01e0 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4708] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000007fe8c4e3ad1 5 bytes JMP 000007ff0c6b0250 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4708] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000007fe8c4e3b01 5 bytes JMP 000007ff0c6b0490 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4708] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000007fe8c4e3b11 5 bytes JMP 000007ff0c6b04a0 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4708] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000007fe8c4e3b41 5 bytes JMP 000007ff0c6b0300 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4708] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000007fe8c4e3b51 5 bytes JMP 000007ff0c6b0360 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4708] 
C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000007fe8c4e3bb1 5 bytes JMP 000007ff0c6b02a0 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4708] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000007fe8c4e3c01 5 bytes JMP 000007ff0c6b02c0 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4708] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000007fe8c4e3c31 5 bytes JMP 000007ff0c6b0380 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4708] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000007fe8c4e3c41 5 bytes JMP 000007ff0c6b0340 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4708] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000007fe8c4e3f51 5 bytes JMP 000007ff0c6b0440 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4708] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000007fe8c4e4151 5 bytes JMP 000007ff0c6b0260 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4708] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000007fe8c4e4161 5 bytes JMP 000007ff0c6b0270 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4708] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000007fe8c4e4181 5 bytes JMP 000007ff0c6b0400 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4708] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000007fe8c4e4361 5 bytes JMP 000007ff0c6b01f0 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4708] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000007fe8c4e4371 5 bytes JMP 000007ff0c6b0210 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4708] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000007fe8c4e43e1 5 bytes JMP 000007ff0c6b0200 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4708] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 
000007fe8c4e4451 5 bytes JMP 000007ff0c6b0420 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4708] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000007fe8c4e4461 5 bytes JMP 000007ff0c6b0430 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4708] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000007fe8c4e4471 5 bytes JMP 000007ff0c6b0220 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4708] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000007fe8c4e4581 5 bytes JMP 000007ff0c6b0280 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4708] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 163 000007fe8c3af817 1 byte [62] .text C:\Windows\explorer.exe[3916] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000007fe8c4e2bc0 5 bytes JMP 000007ff0c6b0460 .text C:\Windows\explorer.exe[3916] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000007fe8c4e2c10 5 bytes JMP 000007ff0c6b0450 .text C:\Windows\explorer.exe[3916] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000007fe8c4e2d70 5 bytes JMP 000007ff0c6b0370 .text C:\Windows\explorer.exe[3916] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000007fe8c4e2dc0 5 bytes JMP 000007ff0c6b0470 .text C:\Windows\explorer.exe[3916] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000007fe8c4e2dd0 5 bytes JMP 000007ff0c6b03e0 .text C:\Windows\explorer.exe[3916] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000007fe8c4e2e80 5 bytes JMP 000007ff0c6b0320 .text C:\Windows\explorer.exe[3916] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000007fe8c4e2eb0 5 bytes JMP 000007ff0c6b03b0 .text C:\Windows\explorer.exe[3916] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000007fe8c4e2ed0 5 bytes JMP 000007ff0c6b0390 .text C:\Windows\explorer.exe[3916] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000007fe8c4e2f10 5 bytes JMP 000007ff0c6b02e0 .text C:\Windows\explorer.exe[3916] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 
000007fe8c4e2f90 5 bytes JMP 000007ff0c6b02d0 .text C:\Windows\explorer.exe[3916] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000007fe8c4e2fb0 5 bytes JMP 000007ff0c6b0310 .text C:\Windows\explorer.exe[3916] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000007fe8c4e2ff0 5 bytes JMP 000007ff0c6b03c0 .text C:\Windows\explorer.exe[3916] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000007fe8c4e3040 5 bytes JMP 000007ff0c6b03f0 .text C:\Windows\explorer.exe[3916] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000007fe8c4e31b1 5 bytes JMP 000007ff0c6b0230 .text C:\Windows\explorer.exe[3916] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000007fe8c4e33a1 5 bytes JMP 000007ff0c6b0480 .text C:\Windows\explorer.exe[3916] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000007fe8c4e33d1 5 bytes JMP 000007ff0c6b03a0 .text C:\Windows\explorer.exe[3916] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000007fe8c4e34e1 5 bytes JMP 000007ff0c6b02f0 .text C:\Windows\explorer.exe[3916] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000007fe8c4e3501 5 bytes JMP 000007ff0c6b0350 .text C:\Windows\explorer.exe[3916] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000007fe8c4e3571 5 bytes JMP 000007ff0c6b0290 .text C:\Windows\explorer.exe[3916] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000007fe8c4e3601 5 bytes JMP 000007ff0c6b02b0 .text C:\Windows\explorer.exe[3916] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000007fe8c4e3621 5 bytes JMP 000007ff0c6b03d0 .text C:\Windows\explorer.exe[3916] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000007fe8c4e3631 5 bytes JMP 000007ff0c6b0330 .text C:\Windows\explorer.exe[3916] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000007fe8c4e36d1 5 bytes JMP 000007ff0c6b0410 .text C:\Windows\explorer.exe[3916] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000007fe8c4e3701 5 bytes JMP 000007ff0c6b0240 .text C:\Windows\explorer.exe[3916] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000007fe8c4e3a11 5 bytes JMP 000007ff0c6b01e0 
.text C:\Windows\explorer.exe[3916] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000007fe8c4e3ad1 5 bytes JMP 000007ff0c6b0250 .text C:\Windows\explorer.exe[3916] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000007fe8c4e3b01 5 bytes JMP 000007ff0c6b0490 .text C:\Windows\explorer.exe[3916] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000007fe8c4e3b11 5 bytes JMP 000007ff0c6b04a0 .text C:\Windows\explorer.exe[3916] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000007fe8c4e3b41 5 bytes JMP 000007ff0c6b0300 .text C:\Windows\explorer.exe[3916] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000007fe8c4e3b51 5 bytes JMP 000007ff0c6b0360 .text C:\Windows\explorer.exe[3916] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000007fe8c4e3bb1 5 bytes JMP 000007ff0c6b02a0 .text C:\Windows\explorer.exe[3916] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000007fe8c4e3c01 5 bytes JMP 000007ff0c6b02c0 .text C:\Windows\explorer.exe[3916] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000007fe8c4e3c31 5 bytes JMP 000007ff0c6b0380 .text C:\Windows\explorer.exe[3916] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000007fe8c4e3c41 5 bytes JMP 000007ff0c6b0340 .text C:\Windows\explorer.exe[3916] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000007fe8c4e3f51 5 bytes JMP 000007ff0c6b0440 .text C:\Windows\explorer.exe[3916] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000007fe8c4e4151 5 bytes JMP 000007ff0c6b0260 .text C:\Windows\explorer.exe[3916] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000007fe8c4e4161 5 bytes JMP 000007ff0c6b0270 .text C:\Windows\explorer.exe[3916] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000007fe8c4e4181 5 bytes JMP 000007ff0c6b0400 .text C:\Windows\explorer.exe[3916] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000007fe8c4e4361 5 bytes JMP 000007ff0c6b01f0 .text C:\Windows\explorer.exe[3916] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000007fe8c4e4371 5 bytes JMP 000007ff0c6b0210 .text C:\Windows\explorer.exe[3916] 
C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000007fe8c4e43e1 5 bytes JMP 000007ff0c6b0200
.text C:\Windows\explorer.exe[3916] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000007fe8c4e4451 5 bytes JMP 000007ff0c6b0420
.text C:\Windows\explorer.exe[3916] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000007fe8c4e4461 5 bytes JMP 000007ff0c6b0430
.text C:\Windows\explorer.exe[3916] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000007fe8c4e4471 5 bytes JMP 000007ff0c6b0220
.text C:\Windows\explorer.exe[3916] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000007fe8c4e4581 5 bytes JMP 000007ff0c6b0280
.text C:\Windows\explorer.exe[3916] C:\Windows\system32\KERNEL32.DLL!GetBinaryTypeW + 163 000007fe8c3af817 1 byte [62]
.text C:\Windows\system32\AUDIODG.EXE[4460] C:\Windows\SYSTEM32\KERNEL32.DLL!GetBinaryTypeW + 163 000007fe8c3af817 1 byte [62]

---- Threads - GMER 2.1 ----

Thread C:\Windows\system32\csrss.exe [644:660] fffff9600083d5e8

---- Processes - GMER 2.1 ----

Process C:\ProgramData\IePluginServices\PluginService.exe (*** suspicious ***) @ C:\ProgramData\IePluginServices\PluginService.exe [1560] (IePlugin Service/Cherished Technololgy LIMITED)(2014-08-06 20:59:14) 0000000001370000
Library C:\Users\USER\AppData\Roaming\GG\ggdrive\ggdrive-menu.dll (*** suspicious ***) @ C:\Windows\explorer.exe [3916] (GG drive menu/GG Network S.A.)(2014- 000000005ff80000

---- Disk sectors - GMER 2.1 ----

Disk \Device\Harddisk0\DR0 unknown MBR code

---- EOF - GMER 2.1 ----