Pages open very slowly, several firefox processes

System security, virus removal, choosing antivirus programs. Mandatory logs in this section: three from FRST + Gmer.

Post by tenzin, 17 May 2022, 10:06

Hi,

I open one window, one firefox tab, and about 5 firefox processes show up in the task manager.
Pages open very slowly.

I downloaded First, the 64-bit version, but it doesn't work. I am pasting the information that appears after launching this program.

I am pasting an excerpt concerning system performance, as well as system data and the log from GMER.
I could not attach the log as a file (first it did not accept the .log extension, and when I changed it to .txt it said the file was too large).

GMER 2.2.19882 - http://www.gmer.net
Rootkit scan 2022-05-17 09:30:11
Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 IRP_SSDPR_S25B_240 rev.SAFM02.3 223,57GB
Running: gmer.exe; Driver: C:\Users\pawelg\AppData\Local\Temp\pwdiapow.sys


.text C:\Windows\System32\svchost.exe[1716] C:\Windows\system32\kernel32.dll!K32GetModuleFileNameExW 00000000778d9870 5 bytes JMP 0000000077c30a29
.text C:\Windows\System32\svchost.exe[1716] C:\Windows\system32\kernel32.dll!GetApplicationRestartSettings + 1 00000000778df641 4 bytes {JMP 0x3514b5}
.text C:\Windows\System32\svchost.exe[1716] C:\Windows\system32\kernel32.dll!GetApplicationRecoveryCallback 00000000778df650 7 bytes JMP 0000000077c309c3
.text C:\Windows\System32\svchost.exe[1716] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 00000000778ef6d0 8 bytes JMP 0000000077c307c5
.text C:\Windows\System32\svchost.exe[1716] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 00000000778ef8d0 8 bytes JMP 0000000077c30792
.text C:\Windows\System32\svchost.exe[1716] C:\Windows\system32\kernel32.dll!MoveFileExA 00000000778ef900 10 bytes JMP 0000000077c3072c
.text C:\Windows\System32\svchost.exe[1716] C:\Windows\system32\kernel32.dll!CreateProcessInternalA 00000000778fa2e0 7 bytes JMP 0000000077c30495
.text C:\Windows\System32\svchost.exe[1716] C:\Windows\system32\kernel32.dll!CreateProcessA 00000000778fafb0 7 bytes JMP 0000000077c3082b
.text C:\Windows\System32\svchost.exe[1716] C:\Windows\system32\kernel32.dll!WinExec 00000000778fb4f0 7 bytes JMP 0000000077c310ef
.text C:\Windows\System32\svchost.exe[1716] C:\Windows\system32\KERNELBASE.dll!CloseHandle 000007fefda41860 12 bytes {JMP QWORD [RIP+0x0]}
.text C:\Windows\System32\svchost.exe[1716] C:\Windows\system32\KERNELBASE.dll!CloseHandle + 13 000007fefda4186d 6 bytes [00, CC, CC, CC, CC, CC]
.text C:\Windows\System32\svchost.exe[1716] C:\Windows\system32\KERNELBASE.dll!GetProcAddress 000007fefda43370 15 bytes {JMP QWORD [RIP+0x0]}
.text C:\Windows\System32\svchost.exe[1716] C:\Windows\system32\KERNELBASE.dll!QueueUserAPC 000007fefda43d90 16 bytes {JMP QWORD [RIP+0x0]}
.text C:\Windows\System32\svchost.exe[1716] C:\Windows\system32\KERNELBASE.dll!CreateFileW 000007fefda45fe0 20 bytes {JMP QWORD [RIP+0x0]}
.text C:\Windows\System32\svchost.exe[1716] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThreadEx + 1 000007fefda4acb1 18 bytes {JMP QWORD [RIP+0x0]}
.text C:\Windows\System32\svchost.exe[1716] C:\Windows\system32\KERNELBASE.dll!SetEnvironmentVariableW + 1 000007fefda4ee41 17 bytes {JMP QWORD [RIP+0x0]}
.text C:\Windows\System32\svchost.exe[1716] C:\Windows\system32\KERNELBASE.dll!OpenThread 000007fefda4ef50 12 bytes {JMP QWORD [RIP+0x0]}
.text C:\Windows\System32\svchost.exe[1716] C:\Windows\system32\KERNELBASE.dll!OpenThread + 14 000007fefda4ef5e 1 byte INT3
.text C:\Windows\System32\svchost.exe[1716] C:\Windows\system32\KERNELBASE.dll!DeleteFileW 000007fefda53290 4 bytes [FF, 25, 00, 00]
.text C:\Windows\System32\svchost.exe[1716] C:\Windows\system32\KERNELBASE.dll!DeleteFileW + 6 000007fefda53296 11 bytes [F8, 07, C3, 77, 00, 00, 00, ...]
.text C:\Windows\System32\svchost.exe[1716] C:\Windows\system32\KERNELBASE.dll!GetVolumeInformationW 000007fefda53640 18 bytes {JMP QWORD [RIP+0x0]}
.text C:\Windows\System32\svchost.exe[1716] C:\Windows\system32\KERNELBASE.dll!GetLogicalProcessorInformationEx 000007fefda55770 17 bytes {JMP QWORD [RIP+0x0]}
.text C:\Windows\System32\svchost.exe[1716] C:\Windows\system32\KERNELBASE.dll!CreateNamedPipeW 000007fefda57310 10 bytes {JMP QWORD [RIP+0x0]}
.text C:\Windows\System32\svchost.exe[1716] C:\Windows\system32\KERNELBASE.dll!CreateNamedPipeW + 12 000007fefda5731c 3 bytes [00, 00, CC]
.text C:\Windows\System32\svchost.exe[1716] C:\Windows\system32\KERNELBASE.dll!GetSystemInfo + 1 000007fefda5a661 16 bytes {JMP QWORD [RIP+0x0]}
.text C:\Windows\System32\svchost.exe[1716] C:\Windows\system32\KERNELBASE.dll!SetEnvironmentVariableA + 1 000007fefda73231 16 bytes {JMP QWORD [RIP+0x0]}
.text C:\Windows\System32\svchost.exe[1716] C:\Windows\system32\KERNELBASE.dll!TerminateProcess 000007fefda73550 15 bytes {JMP QWORD [RIP+0x0]}
.text C:\Windows\System32\svchost.exe[1716] C:\Windows\system32\KERNELBASE.dll!GetLogicalProcessorInformation 000007fefda73670 16 bytes {JMP QWORD [RIP+0x0]}
.text C:\Windows\System32\svchost.exe[1716] C:\Windows\system32\KERNELBASE.dll!CreateFileA 000007fefda7afe0 15 bytes {JMP QWORD [RIP+0x0]}
.text C:\Windows\System32\svchost.exe[1716] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW 000007fefda7ff00 19 bytes {JMP QWORD [RIP+0x0]}
.text C:\Windows\System32\svchost.exe[1716] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread 000007fefda822c0 10 bytes {JMP QWORD [RIP+0x0]}
.text C:\Windows\System32\svchost.exe[1716] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 12 000007fefda822cc 5 bytes [00, 00, CC, CC, CC]
.text C:\Windows\System32\svchost.exe[1716] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW 000007fefebd6488 15 bytes {JMP QWORD [RIP+0x0]}
.text C:\Windows\System32\svchost.exe[1716] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle 000007fefebd651c 15 bytes {JMP QWORD [RIP+0x0]}
.text C:\Windows\System32\svchost.exe[1716] C:\Windows\SYSTEM32\sechost.dll!StartServiceW 000007fefebd6828 15 bytes {JMP QWORD [RIP+0x0]}
.text C:\Windows\System32\svchost.exe[1716] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA 000007fefebd6c38 14 bytes {JMP QWORD [RIP+0x0]}
.text C:\Windows\System32\svchost.exe[1716] C:\Windows\SYSTEM32\sechost.dll!StartServiceA 000007fefebd6d04 15 bytes {JMP QWORD [RIP+0x0]}
.text C:\Windows\System32\svchost.exe[1716] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefebd75ec 15 bytes {JMP QWORD [RIP+0x0]}
.text C:\Windows\System32\svchost.exe[1716] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefebd7910 15 bytes {JMP QWORD [RIP+0x0]}
.text C:\Windows\System32\svchost.exe[1716] C:\Windows\system32\RPCRT4.dll!RpcBindingSetObject 000007fefe13e4b0 17 bytes {JMP QWORD [RIP+0x0]}
.text C:\Windows\System32\svchost.exe[1716] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefe756d10 11 bytes JMP 000007fefec2075f
.text C:\Windows\System32\svchost.exe[1716] C:\Windows\system32\ole32.dll!CoGetClassObject 000007fefe7624f8 5 bytes JMP 000007fefec20792
.text C:\Windows\System32\svchost.exe[1716] C:\Windows\system32\ole32.dll!CoGetObject 000007fefe893900 5 bytes JMP 000007fefec207c5
.text C:\Windows\System32\svchost.exe[1716] C:\Windows\system32\GDI32.dll!CreateCompatibleDC 000007fefedb1c64 5 bytes JMP 000007fefec206c6
.text C:\Windows\System32\svchost.exe[1716] C:\Windows\system32\GDI32.dll!CreateBitmap 000007fefedb1f30 6 bytes JMP 000007fefec20660
.text C:\Windows\System32\svchost.exe[1716] C:\Windows\system32\GDI32.dll!BitBlt 000007fefedb24c0 5 bytes JMP 000007fefec2062d
.text C:\Windows\System32\svchost.exe[1716] C:\Windows\system32\GDI32.dll!CreateCompatibleBitmap 000007fefedb2d20 5 bytes JMP 000007fefec20693
.text C:\Windows\System32\svchost.exe[1716] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefedb8328 9 bytes JMP 000007fefec2072c
.text C:\Windows\System32\svchost.exe[1716] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefedb8960 9 bytes JMP 000007fefec206f9
.text C:\Windows\System32\svchost.exe[1716] C:\Windows\system32\ADVAPI32.dll!CryptGenKey 000007fefeaf1980 5 bytes JMP 000007fefec20363
.text C:\Windows\System32\svchost.exe[1716] C:\Windows\system32\ADVAPI32.dll!CryptExportKey 000007fefeafac20 9 bytes JMP 000007fefec20330
.text C:\Windows\System32\svchost.exe[1716] C:\Windows\system32\ADVAPI32.dll!CryptAcquireContextA 000007fefeafac7c 8 bytes JMP 000007fefec20231
.text C:\Windows\System32\svchost.exe[1716] C:\Windows\system32\ADVAPI32.dll!CryptImportKey 000007fefeafe414 9 bytes JMP 000007fefec203fc
.text C:\Windows\System32\svchost.exe[1716] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserW 000007fefeafe47c 7 bytes JMP 000007fefec200cc
.text C:\Windows\System32\svchost.exe[1716] C:\Windows\system32\ADVAPI32.dll!OpenServiceW 000007fefeafe514 5 bytes JMP 000007fefec205c7
.text C:\Windows\System32\svchost.exe[1716] C:\Windows\system32\ADVAPI32.dll!CryptAcquireContextW 000007fefeb001bc 8 bytes JMP 000007fefec20264
.text C:\Windows\System32\svchost.exe[1716] C:\Windows\system32\ADVAPI32.dll!CryptHashData 000007fefeb0025c 5 bytes JMP 000007fefec203c9
.text C:\Windows\System32\svchost.exe[1716] C:\Windows\system32\ADVAPI32.dll!CryptCreateHash 000007fefeb00290 9 bytes JMP 000007fefec20297
.text C:\Windows\System32\svchost.exe[1716] C:\Windows\system32\ADVAPI32.dll!CryptGetHashParam 000007fefeb002bc 8 bytes JMP 000007fefec20396
.text C:\Windows\System32\svchost.exe[1716] C:\Windows\system32\ADVAPI32.dll!OpenServiceA 000007fefeb09d6c 5 bytes JMP 000007fefec20594
.text C:\Windows\System32\svchost.exe[1716] C:\Windows\system32\ADVAPI32.dll!CloseServiceHandle 000007fefeb0a830 14 bytes {JMP QWORD [RIP+0x0]}
.text C:\Windows\System32\svchost.exe[1716] C:\Windows\system32\ADVAPI32.dll!CreateServiceW 000007fefeb149b0 7 bytes JMP 000007fefec20198
.text C:\Windows\System32\svchost.exe[1716] C:\Windows\system32\ADVAPI32.dll!ControlService 000007fefeb14a50 5 bytes JMP 000007fefec20000
.text C:\Windows\System32\svchost.exe[1716] C:\Windows\system32\ADVAPI32.dll!CryptEncrypt 000007fefeb2a408 11 bytes JMP 000007fefec202fd
.text C:\Windows\System32\svchost.exe[1716] C:\Windows\system32\ADVAPI32.dll!CryptDeriveKey 000007fefeb2a454 9 bytes JMP 000007fefec202ca
.text C:\Windows\System32\svchost.exe[1716] C:\Windows\system32\ADVAPI32.dll!CreateServiceA 000007fefeb2a490 7 bytes JMP 000007fefec20165
.text C:\Windows\System32\svchost.exe[1716] C:\Windows\system32\ADVAPI32.dll!ControlServiceExW + 1 000007fefeb2a5e9 4 bytes {JMP 0xf5a7e}
.text C:\Windows\System32\svchost.exe[1716] C:\Windows\system32\ADVAPI32.dll!ControlServiceExA + 1 000007fefeb2a5f5 4 bytes {JMP 0xf5a3f}
.text C:\Windows\System32\svchost.exe[1716] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigW 000007fefeb2a600 12 bytes {JMP QWORD [RIP+0x0]}
.text C:\Windows\System32\svchost.exe[1716] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigW + 14 000007fefeb2a60e 1 byte INT3
.text C:\Windows\System32\svchost.exe[1716] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigA 000007fefeb2a66c 12 bytes {JMP QWORD [RIP+0x0]}
.text C:\Windows\System32\svchost.exe[1716] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigA + 14 000007fefeb2a67a 1 byte INT3
.text C:\Windows\System32\svchost.exe[1716] C:\Windows\system32\ADVAPI32.dll!LsaQueryTrustedDomainInfoByName 000007fefeb39490 7 bytes JMP 000007fefec20561
.text C:\Windows\System32\svchost.exe[1716] C:\Windows\system32\ADVAPI32.dll!LsaQueryTrustedDomainInfo 000007fefeb39640 5 bytes JMP 000007fefec2052e
.text C:\Windows\System32\svchost.exe[1716] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007fefeb3a8d0 7 bytes JMP 000007fefec20099
.text C:\Windows\System32\svchost.exe[1716] C:\Windows\system32\ADVAPI32.dll!FlushEfsCache 000007fefeb51380 6 bytes JMP 000007fefec20462
.text C:\Windows\System32\svchost.exe[1716] C:\Windows\system32\ADVAPI32.dll!SetUserFileEncryptionKey 000007fefeb51650 6 bytes JMP 000007fefec205fa
.text C:\Windows\System32\svchost.exe[1716] C:\Windows\system32\ADVAPI32.dll!EncryptFileW 000007fefeb51c00 6 bytes JMP 000007fefec2042f
.text C:\Windows\System32\svchost.exe[1716] C:\Windows\system32\ADVAPI32.dll!InitiateShutdownW 000007fefeb53690 7 bytes JMP 000007fefec20495
.text C:\Windows\System32\svchost.exe[1716] C:\Windows\system32\ADVAPI32.dll!InitiateSystemShutdownExW 000007fefeb53800 7 bytes JMP 000007fefec204c8
.text C:\Windows\System32\svchost.exe[1716] C:\Windows\system32\ADVAPI32.dll!InitiateSystemShutdownW 000007fefeb53920 7 bytes JMP 000007fefec204fb
.text C:\Windows\System32\svchost.exe[1716] C:\Windows\system32\ADVAPI32.dll!CredEnumerateW 000007fefeb5def0 7 bytes JMP 000007fefec201fe
.text C:\Windows\System32\svchost.exe[1716] C:\Windows\system32\ADVAPI32.dll!CredEnumerateA 000007fefeb5e020 7 bytes JMP 000007fefec201cb
.text C:\Windows\System32\svchost.exe[1716] C:\Windows\system32\ADVAPI32.dll!CreateProcessWithTokenW 000007fefeb60f10 7 bytes JMP 000007fefec20132
.text C:\Windows\System32\svchost.exe[1716] C:\Windows\system32\ADVAPI32.dll!CreateProcessWithLogonW 000007fefeb60f80 7 bytes JMP 000007fefec200ff
.text C:\Windows\System32\svchost.exe[1716] C:\Windows\System32\SSPICLI.DLL!GetUserNameExW 000007fefd591118 7 bytes JMP 000007fefec208f7
.text C:\Windows\System32\svchost.exe[1716] C:\Windows\System32\SSPICLI.DLL!GetUserNameExA 000007fefd591640 7 bytes JMP 000007fefec208c4
.text C:\Windows\System32\svchost.exe[1716] C:\Windows\System32\SSPICLI.DLL!LsaCallAuthenticationPackage 000007fefd5955b8 5 bytes JMP 000007fefec2092a
.text C:\Windows\System32\svchost.exe[1716] C:\Windows\System32\SSPICLI.DLL!EnumerateSecurityPackagesW 000007fefd597358 5 bytes JMP 000007fefec20891
.text C:\Windows\System32\svchost.exe[1716] C:\Windows\System32\SSPICLI.DLL!EnumerateSecurityPackagesA 000007fefd5a57c0 5 bytes JMP 000007fefec2085e
.text C:\Windows\System32\svchost.exe[1716] C:\Windows\system32\WS2_32.dll!WSASend 000007fefe9e13b0 5 bytes JMP 000007fefec20bf4
.text C:\Windows\System32\svchost.exe[1716] C:\Windows\system32\WS2_32.dll!closesocket 000007fefe9e18e0 5 bytes JMP 000007fefec20c8d
.text C:\Windows\System32\svchost.exe[1716] C:\Windows\system32\WS2_32.dll!WSASocketW 000007fefe9e1bd0 5 bytes JMP 000007fefec20c5a
.text C:\Windows\System32\svchost.exe[1716] C:\Windows\system32\WS2_32.dll!WSASocketA 000007fefe9e2010 11 bytes JMP 000007fefec20c27
.text C:\Windows\System32\svchost.exe[1716] C:\Windows\system32\WS2_32.dll!GetAddrInfoW 000007fefe9e23c0 5 bytes JMP 000007fefec20b5b
.text C:\Windows\System32\svchost.exe[1716] C:\Windows\system32\WS2_32.dll!connect 000007fefe9e45c0 5 bytes JMP 000007fefec20cc0
.text C:\Windows\System32\svchost.exe[1716] C:\Windows\system32\WS2_32.dll!send 000007fefe9e8000 5 bytes JMP 000007fefec20d26
.text C:\Windows\System32\svchost.exe[1716] C:\Windows\system32\WS2_32.dll!gethostbyname 000007fefe9e8df0 9 bytes JMP 000007fefec20cf3
.text C:\Windows\System32\svchost.exe[1716] C:\Windows\system32\WS2_32.dll!GetAddrInfoExW 000007fefe9ec090 5 bytes JMP 000007fefec20b28
.text C:\Windows\System32\svchost.exe[1716] C:\Windows\system32\WS2_32.dll!WSAIoctl 000007fefe9ed620 5 bytes JMP 000007fefec20bc1
.text C:\Windows\System32\svchost.exe[1716] C:\Windows\system32\WS2_32.dll!sendto 000007fefe9ed7f0 7 bytes JMP 000007fefec20d59
.text C:\Windows\System32\svchost.exe[1716] C:\Windows\system32\WS2_32.dll!socket 000007fefe9ede90 5 bytes JMP 000007fefec20d8c
.text C:\Windows\System32\svchost.exe[1716] C:\Windows\system32\WS2_32.dll!WSAConnect 000007fefea0e0f0 7 bytes JMP 000007fefec20b8e
.text C:\Windows\System32\svchost.exe[1716] C:\Windows\System32\CRYPTSP.dll!CryptAcquireContextW 000007fefccc3b98 7 bytes JMP 000007fefec20e8b
.text C:\Windows\System32\svchost.exe[1716] C:\Windows\System32\CRYPTSP.dll!CryptAcquireContextA 000007fefccc3ca8 5 bytes JMP 000007fefec20e58
.text C:\Windows\System32\svchost.exe[1716] C:\Windows\System32\CRYPTSP.dll!CryptExportKey 000007fefccc55ac 7 bytes JMP 000007fefec20ef1
.text C:\Windows\System32\svchost.exe[1716] C:\Windows\System32\CRYPTSP.dll!CryptImportKey 000007fefccc56fc 7 bytes JMP 000007fefec20f8a
.text C:\Windows\System32\svchost.exe[1716] C:\Windows\System32\CRYPTSP.dll!CryptCreateHash 000007fefccc5be4 7 bytes JMP 000007fefec20ebe
.text C:\Windows\System32\svchost.exe[1716] C:\Windows\System32\CRYPTSP.dll!CryptHashData 000007fefccc5f80 7 bytes JMP 000007fefec20f57
.text C:\Windows\System32\svchost.exe[1716] C:\Windows\System32\CRYPTSP.dll!CryptGetHashParam 000007fefccc698c 7 bytes JMP 000007fefec20f24
.text C:\Windows\System32\svchost.exe[1716] c:\windows\system32\IPHLPAPI.DLL!GetAdaptersAddresses 000007fefa2b2aa4 5 bytes JMP 000007fefec20ff0
.text C:\Windows\System32\svchost.exe[1716] c:\windows\system32\IPHLPAPI.DLL!GetAdaptersInfo 000007fefa2b792c 5 bytes JMP 000007fefec21023
.text C:\Windows\System32\svchost.exe[1716] c:\windows\system32\IPHLPAPI.DLL!ResolveIpNetEntry2 000007fefa2b8d44 7 bytes JMP 000007fefec210bc
.text C:\Windows\System32\svchost.exe[1716] c:\windows\system32\IPHLPAPI.DLL!GetIpNetTable 000007fefa2be51c 7 bytes JMP 000007fefec21056
.text C:\Windows\System32\svchost.exe[1716] c:\windows\system32\IPHLPAPI.DLL!SendARP 000007fefa2bf354 5 bytes JMP 000007fefec210ef
.text C:\Windows\System32\svchost.exe[1716] c:\windows\system32\IPHLPAPI.DLL!GetIpNetTable2 000007fefa2c8520 6 bytes JMP 000007fefec21089
.text C:\Windows\System32\svchost.exe[1716] c:\windows\system32\DNSAPI.dll!DnsQuery_UTF8 000007fefcae5738 7 bytes JMP 000007fefec21188
.text C:\Windows\System32\svchost.exe[1716] c:\windows\system32\DNSAPI.dll!DnsQuery_W 000007fefcaf01b0 7 bytes JMP 000007fefec211bb
.text C:\Windows\System32\svchost.exe[1716] c:\windows\system32\DNSAPI.dll!DnsQuery_A 000007fefcb0db10 7 bytes JMP 000007fefec21155
.text C:\Windows\System32\svchost.exe[1716] C:\Windows\system32\CRYPT32.dll!CertAddEncodedCertificateToStore 000007fefd828f08 7 bytes JMP 000007fefec21386
.text C:\Windows\System32\svchost.exe[1716] C:\Windows\system32\CRYPT32.dll!CertAddCRLContextToStore 000007fefd84cd00 5 bytes JMP 000007fefec21353
.text C:\Windows\System32\svchost.exe[1716] C:\Windows\system32\CRYPT32.dll!CertCreateSelfSignCertificate 000007fefd8764fc 5 bytes JMP 000007fefec213b9
.text C:\Windows\System32\svchost.exe[1716] C:\Windows\system32\USERENV.dll!GetUserProfileDirectoryW 000007fefdba1c00 10 bytes JMP 000007fefec214b8
.text C:\Windows\System32\svchost.exe[1716] C:\Windows\system32\USERENV.dll!GetProfilesDirectoryW 000007fefdbae610 5 bytes JMP 000007fefec21452
.text C:\Windows\System32\svchost.exe[1716] C:\Windows\system32\USERENV.dll!GetProfilesDirectoryA 000007fefdbae9d0 7 bytes JMP 000007fefec2141f
.text C:\Windows\System32\svchost.exe[1716] C:\Windows\system32\USERENV.dll!GetUserProfileDirectoryA 000007fefdbafc50 7 bytes JMP 000007fefec21485
.text C:\Windows\System32\svchost.exe[1928] C:\Windows\SYSTEM32\ntdll.dll!NtWriteFile 0000000077acbbb0 8 bytes JMP 0000000077c30ef1
.text C:\Windows\System32\svchost.exe[1928] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 0000000077acbc00 8 bytes JMP 0000000077c30b28
.text C:\Windows\System32\svchost.exe[1928] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077acbc20 8 bytes JMP 0000000077c302ca
.text C:\Windows\System32\svchost.exe[1928] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 0000000077acbcc0 8 bytes JMP 0000000077c30e58
.text C:\Windows\System32\svchost.exe[1928] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077acbd90 8 bytes JMP 0000000077c304fb
.text C:\Windows\System32\svchost.exe[1928] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000077acbdb0 8 bytes JMP 0000000077c30660
.text C:\Windows\System32\svchost.exe[1928] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 0000000077acbdd0 8 bytes JMP 0000000077c30c5a
.text C:\Windows\System32\svchost.exe[1928] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077acbdf0 8 bytes JMP 0000000077c30000
.text C:\Windows\System32\svchost.exe[1928] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077acbed0 8 bytes JMP 0000000077c30462
.text C:\Windows\System32\svchost.exe[1928] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077acbef0 8 bytes JMP 0000000077c30561
.text C:\Windows\System32\svchost.exe[1928] C:\Windows\SYSTEM32\ntdll.dll!NtReadVirtualMemory 0000000077acbf20 8 bytes JMP 0000000077c30990
.text C:\Windows\System32\svchost.exe[1928] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077acbf40 8 bytes JMP 0000000077c30066
.text C:\Windows\System32\svchost.exe[1928] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077acbf80 8 bytes JMP 0000000077c305c7
.text C:\Windows\System32\svchost.exe[1928] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077acbfd0 8 bytes JMP 0000000077c30f24
.text C:\Windows\System32\svchost.exe[1928] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 0000000077acc000 8 bytes JMP 0000000077c30330
.text C:\Windows\System32\svchost.exe[1928] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077acc010 8 bytes JMP 0000000077c303fc
.text C:\Windows\System32\svchost.exe[1928] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000077acc050 8 bytes JMP 0000000077c30cc0
.text C:\Windows\System32\svchost.exe[1928] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077acc270 8 bytes JMP 0000000077c30b5b
.text C:\Windows\System32\svchost.exe[1928] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000077acc280 8 bytes JMP 0000000077c30b8e
.text C:\Windows\System32\svchost.exe[1928] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077acc380 8 bytes JMP 0000000077c30bc1
.text C:\Windows\System32\svchost.exe[1928] C:\Windows\SYSTEM32\ntdll.dll!NtCommitTransaction 0000000077acc400 8 bytes JMP 0000000077c30f8a
.text C:\Windows\System32\svchost.exe[1928] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077acc500 8 bytes JMP 0000000077c30ff0
.text C:\Windows\System32\svchost.exe[1928] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 0000000077acc550 8 bytes JMP 0000000077c302fd
.text C:\Windows\System32\svchost.exe[1928] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077acc5a0 8 bytes JMP 0000000077c31056
.text C:\Windows\System32\svchost.exe[1928] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077acc5b0 8 bytes JMP 0000000077c3042f
.text C:\Windows\System32\svchost.exe[1928] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTransaction 0000000077acc5e0 8 bytes JMP 0000000077c30e8b
.text C:\Windows\System32\svchost.exe[1928] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 0000000077acc600 8 bytes JMP 0000000077c30363
.text C:\Windows\System32\svchost.exe[1928] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077acc920 8 bytes JMP 0000000077c31023
.text C:\Windows\System32\svchost.exe[1928] C:\Windows\SYSTEM32\ntdll.dll!NtQuerySystemEnvironmentValueEx 0000000077acce10 8 bytes JMP 0000000077c30c27
.text C:\Windows\System32\svchost.exe[1928] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError 0000000077acce60 8 bytes JMP 0000000077c301cb
.text C:\Windows\System32\svchost.exe[1928] C:\Windows\SYSTEM32\ntdll.dll!NtRollbackTransaction 0000000077accfd0 8 bytes JMP 0000000077c30f57
.text C:\Windows\System32\svchost.exe[1928] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077acd060 8 bytes JMP 0000000077c305fa
.text C:\Windows\System32\svchost.exe[1928] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationTransaction 0000000077acd150 8 bytes JMP 0000000077c30fbd
.text C:\Windows\System32\svchost.exe[1928] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemEnvironmentValueEx 0000000077acd210 8 bytes JMP 0000000077c30bf4
.text C:\Windows\System32\svchost.exe[1928] C:\Windows\SYSTEM32\ntdll.dll!RtlImageNtHeaderEx 0000000077ad1fd0 5 bytes JMP 0000000077c30033
.text C:\Windows\System32\svchost.exe[1928] C:\Windows\SYSTEM32\ntdll.dll!RtlWow64SetThreadContext 0000000077b26b30 5 bytes JMP 0000000077c30c8d
.text C:\Windows\System32\svchost.exe[1928] C:\Windows\SYSTEM32\ntdll.dll!RtlWow64SetThreadContext + 6 0000000077b26b36 3 bytes [CC, CC, CC]
.text C:\Windows\System32\svchost.exe[1928] C:\Windows\SYSTEM32\ntdll.dll!RtlReportException 0000000077b3e210 5 bytes JMP 0000000077c301fe
.text C:\Windows\System32\svchost.exe[1928] C:\Windows\system32\kernel32.dll!Process32NextW 0000000077861b20 7 bytes JMP 0000000077c30297
.text C:\Windows\System32\svchost.exe[1928] C:\Windows\system32\kernel32.dll!CreateToolhelp32Snapshot 0000000077861c10 7 bytes JMP 0000000077c3062d
.text C:\Windows\System32\svchost.exe[1928] C:\Windows\system32\kernel32.dll!MoveFileExW 0000000077862b60 13 bytes JMP 0000000077c3075f
.text C:\Windows\System32\svchost.exe[1928] C:\Windows\system32\kernel32.dll!K32EnumDeviceDrivers 0000000077869a60 5 bytes JMP 0000000077c30dbf
.text C:\Windows\System32\svchost.exe[1928] C:\Windows\system32\kernel32.dll!GetNativeSystemInfo 000000007786ac80 6 bytes JMP 0000000077c30cf3
.text C:\Windows\System32\svchost.exe[1928] C:\Windows\system32\kernel32.dll!PeekConsoleInputW 000000007786c400 9 bytes JMP 0000000077c30198
.text C:\Windows\System32\svchost.exe[1928] C:\Windows\system32\kernel32.dll!LoadLibraryW 0000000077876410 5 bytes JMP 0000000077c308f7
.text C:\Windows\System32\svchost.exe[1928] C:\Windows\system32\kernel32.dll!LoadLibraryA 0000000077876500 5 bytes JMP 0000000077c308c4
.text C:\Windows\System32\svchost.exe[1928] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007787dbf0 5 bytes JMP 0000000077c304c8
.text C:\Windows\System32\svchost.exe[1928] C:\Windows\system32\kernel32.dll!CreateProcessW 00000000778805e0 12 bytes JMP 0000000077c3085e
.text C:\Windows\System32\svchost.exe[1928] C:\Windows\system32\kernel32.dll!GenerateConsoleCtrlEvent 00000000778a0e70 4 bytes JMP 0000000077c3095d
.text C:\Windows\System32\svchost.exe[1928] C:\Windows\system32\kernel32.dll!GenerateConsoleCtrlEvent + 5 00000000778a0e75 2 bytes [CC, CC]
.text C:\Windows\System32\svchost.exe[1928] C:\Windows\system32\kernel32.dll!K32EnumProcessModules 00000000778b4410 12 bytes JMP 0000000077c30a8f
.text C:\Windows\System32\svchost.exe[1928] C:\Windows\system32\kernel32.dll!ReadConsoleInputW 00000000778b5460 6 bytes JMP 0000000077c30132
.text C:\Windows\System32\svchost.exe[1928] C:\Windows\system32\kernel32.dll!ReadConsoleInputA 00000000778b5480 6 bytes JMP 0000000077c300ff
.text C:\Windows\System32\svchost.exe[1928] C:\Windows\system32\kernel32.dll!PeekConsoleInputA 00000000778b54a0 9 bytes JMP 0000000077c30165
.text C:\Windows\System32\svchost.exe[1928] C:\Windows\system32\kernel32.dll!GetVolumeInformationA 00000000778c1df0 7 bytes JMP 0000000077c30df2
.text C:\Windows\System32\svchost.exe[1928] C:\Windows\system32\kernel32.dll!CreateNamedPipeA 00000000778c2dd0 5 bytes JMP 0000000077c31089
.text C:\Windows\System32\svchost.exe[1928] C:\Windows\system32\kernel32.dll!DefineDosDeviceA 00000000778c5ae0 5 bytes JMP 0000000077c306c6
.text C:\Windows\System32\svchost.exe[1928] C:\Windows\system32\kernel32.dll!K32EnumProcessModulesEx 00000000778c9c70 7 bytes JMP 0000000077c30ac2
.text C:\Windows\System32\svchost.exe[1928] C:\Windows\system32\kernel32.dll!ReadConsoleW 00000000778ca820 5 bytes JMP 0000000077c300cc
.text C:\Windows\System32\svchost.exe[1928] C:\Windows\system32\kernel32.dll!ReadConsoleA 00000000778ca930 5 bytes JMP 0000000077c30099
.text C:\Windows\System32\svchost.exe[1928] C:\Windows\system32\kernel32.dll!CreateFileTransactedW 00000000778d5a60 7 bytes JMP 0000000077c30ebe
.text C:\Windows\System32\svchost.exe[1928] C:\Windows\system32\kernel32.dll!K32GetModuleInformation 00000000778d9700 5 bytes JMP 0000000077c30a5c
.text C:\Windows\System32\svchost.exe[1928] C:\Windows\system32\kernel32.dll!K32GetModuleBaseNameW 00000000778d97a0 5 bytes JMP 0000000077c309f6
.text C:\Windows\System32\svchost.exe[1928] C:\Windows\system32\kernel32.dll!K32GetModuleFileNameExW 00000000778d9870 5 bytes JMP 0000000077c30a29
.text C:\Windows\System32\svchost.exe[1928] C:\Windows\system32\kernel32.dll!GetApplicationRestartSettings + 1 00000000778df641 4 bytes {JMP 0x3514b5}
.text C:\Windows\System32\svchost.exe[1928] C:\Windows\system32\kernel32.dll!GetApplicationRecoveryCallback 00000000778df650 7 bytes JMP 0000000077c309c3
.text C:\Windows\System32\svchost.exe[1928] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 00000000778ef6d0 8 bytes JMP 0000000077c307c5
.text C:\Windows\System32\svchost.exe[1928] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 00000000778ef8d0 8 bytes JMP 0000000077c30792
.text C:\Windows\System32\svchost.exe[1928] C:\Windows\system32\kernel32.dll!MoveFileExA 00000000778ef900 10 bytes JMP 0000000077c3072c
.text C:\Windows\System32\svchost.exe[1928] C:\Windows\system32\kernel32.dll!CreateProcessInternalA 00000000778fa2e0 7 bytes JMP 0000000077c30495
.text C:\Windows\System32\svchost.exe[1928] C:\Windows\system32\kernel32.dll!CreateProcessA 00000000778fafb0 7 bytes JMP 0000000077c3082b
.text C:\Windows\System32\svchost.exe[1928] C:\Windows\system32\kernel32.dll!WinExec 00000000778fb4f0 7 bytes JMP 0000000077c310ef
.text C:\Windows\System32\svchost.exe[1928] C:\Windows\system32\KERNELBASE.dll!CloseHandle 000007fefda41860 12 bytes {JMP QWORD [RIP+0x0]}
.text C:\Windows\System32\svchost.exe[1928] C:\Windows\system32\KERNELBASE.dll!CloseHandle + 13 000007fefda4186d 6 bytes [00, CC, CC, CC, CC, CC]
.text C:\Windows\System32\svchost.exe[1928] C:\Windows\system32\KERNELBASE.dll!GetProcAddress 000007fefda43370 15 bytes {JMP QWORD [RIP+0x0]}
.text C:\Windows\System32\svchost.exe[1928] C:\Windows\system32\KERNELBASE.dll!QueueUserAPC 000007fefda43d90 16 bytes {JMP QWORD [RIP+0x0]}
.text C:\Windows\System32\svchost.exe[1928] C:\Windows\system32\KERNELBASE.dll!CreateFileW 000007fefda45fe0 20 bytes {JMP QWORD [RIP+0x0]}
.text C:\Windows\System32\svchost.exe[1928] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThreadEx + 1 000007fefda4acb1 18 bytes {JMP QWORD [RIP+0x0]}
.text C:\Windows\System32\svchost.exe[1928] C:\Windows\system32\KERNELBASE.dll!SetEnvironmentVariableW + 1 000007fefda4ee41 17 bytes {JMP QWORD [RIP+0x0]}
.text C:\Windows\System32\svchost.exe[1928] C:\Windows\system32\KERNELBASE.dll!OpenThread 000007fefda4ef50 12 bytes {JMP QWORD [RIP+0x0]}
.text C:\Windows\System32\svchost.exe[1928] C:\Windows\system32\KERNELBASE.dll!OpenThread + 14 000007fefda4ef5e 1 byte INT3
.text C:\Windows\System32\svchost.exe[1928] C:\Windows\system32\KERNELBASE.dll!DeleteFileW 000007fefda53290 4 bytes [FF, 25, 00, 00]
.text C:\Windows\System32\svchost.exe[1928] C:\Windows\system32\KERNELBASE.dll!DeleteFileW + 6 000007fefda53296 11 bytes [F8, 07, C3, 77, 00, 00, 00, ...]
.text C:\Windows\System32\svchost.exe[1928] C:\Windows\system32\KERNELBASE.dll!GetVolumeInformationW 000007fefda53640 18 bytes {JMP QWORD [RIP+0x0]}
.text C:\Windows\System32\svchost.exe[1928] C:\Windows\system32\KERNELBASE.dll!GetLogicalProcessorInformationEx 000007fefda55770 17 bytes {JMP QWORD [RIP+0x0]}
.text C:\Windows\System32\svchost.exe[1928] C:\Windows\system32\KERNELBASE.dll!CreateNamedPipeW 000007fefda57310 10 bytes {JMP QWORD [RIP+0x0]}
.text C:\Windows\System32\svchost.exe[1928] C:\Windows\system32\KERNELBASE.dll!CreateNamedPipeW + 12 000007fefda5731c 3 bytes [00, 00, CC]
.text C:\Windows\System32\svchost.exe[1928] C:\Windows\system32\KERNELBASE.dll!GetSystemInfo + 1 000007fefda5a661 16 bytes {JMP QWORD [RIP+0x0]}
.text C:\Windows\System32\svchost.exe[1928] C:\Windows\system32\KERNELBASE.dll!SetEnvironmentVariableA + 1 000007fefda73231 16 bytes {JMP QWORD [RIP+0x0]}
.text C:\Windows\System32\svchost.exe[1928] C:\Windows\system32\KERNELBASE.dll!TerminateProcess 000007fefda73550 15 bytes {JMP QWORD [RIP+0x0]}
.text C:\Windows\System32\svchost.exe[1928] C:\Windows\system32\KERNELBASE.dll!GetLogicalProcessorInformation 000007fefda73670 16 bytes {JMP QWORD [RIP+0x0]}
.text C:\Windows\System32\svchost.exe[1928] C:\Windows\system32\KERNELBASE.dll!CreateFileA 000007fefda7afe0 15 bytes {JMP QWORD [RIP+0x0]}
.text C:\Windows\System32\svchost.exe[1928] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW 000007fefda7ff00 19 bytes {JMP QWORD [RIP+0x0]}
.text C:\Windows\System32\svchost.exe[1928] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread 000007fefda822c0 10 bytes {JMP QWORD [RIP+0x0]}
.text C:\Windows\System32\svchost.exe[1928] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 12 000007fefda822cc 5 bytes [00, 00, CC, CC, CC]
.text C:\Windows\System32\svchost.exe[1928] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW 000007fefebd6488 15 bytes {JMP QWORD [RIP+0x0]}
.text C:\Windows\System32\svchost.exe[1928] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle 000007fefebd651c 15 bytes {JMP QWORD [RIP+0x0]}
.text C:\Windows\System32\svchost.exe[1928] C:\Windows\SYSTEM32\sechost.dll!StartServiceW 000007fefebd6828 15 bytes {JMP QWORD [RIP+0x0]}
.text C:\Windows\System32\svchost.exe[1928] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA 000007fefebd6c38 14 bytes {JMP QWORD [RIP+0x0]}
.text C:\Windows\System32\svchost.exe[1928] C:\Windows\SYSTEM32\sechost.dll!StartServiceA 000007fefebd6d04 15 bytes {JMP QWORD [RIP+0x0]}
.text C:\Windows\System32\svchost.exe[1928] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefebd75ec 15 bytes {JMP QWORD [RIP+0x0]}
.text C:\Windows\System32\svchost.exe[1928] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefebd7910 15 bytes {JMP QWORD [RIP+0x0]}
.text C:\Windows\System32\svchost.exe[1928] C:\Windows\system32\RPCRT4.dll!RpcBindingSetObject 000007fefe13e4b0 17 bytes {JMP QWORD [RIP+0x0]}
.text C:\Windows\System32\svchost.exe[1928] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefe756d10 11 bytes JMP 000007fefec2075f
.text C:\Windows\System32\svchost.exe[1928] C:\Windows\system32\ole32.dll!CoGetClassObject 000007fefe7624f8 5 bytes JMP 000007fefec20792
.text C:\Windows\System32\svchost.exe[1928] C:\Windows\system32\ole32.dll!CoGetObject 000007fefe893900 5 bytes JMP 000007fefec207c5
.text C:\Windows\System32\svchost.exe[1928] C:\Windows\system32\GDI32.dll!CreateCompatibleDC 000007fefedb1c64 5 bytes JMP 000007fefec206c6
.text C:\Windows\System32\svchost.exe[1928] C:\Windows\system32\GDI32.dll!CreateBitmap 000007fefedb1f30 6 bytes JMP 000007fefec20660
.text C:\Windows\System32\svchost.exe[1928] C:\Windows\system32\GDI32.dll!BitBlt 000007fefedb24c0 5 bytes JMP 000007fefec2062d
.text C:\Windows\System32\svchost.exe[1928] C:\Windows\system32\GDI32.dll!CreateCompatibleBitmap 000007fefedb2d20 5 bytes JMP 000007fefec20693
.text C:\Windows\System32\svchost.exe[1928] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefedb8328 9 bytes JMP 000007fefec2072c
.text C:\Windows\System32\svchost.exe[1928] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefedb8960 9 bytes JMP 000007fefec206f9
.text C:\Windows\System32\svchost.exe[1928] C:\Windows\system32\ADVAPI32.dll!CryptGenKey 000007fefeaf1980 5 bytes JMP 000007fefec20363
.text C:\Windows\System32\svchost.exe[1928] C:\Windows\system32\ADVAPI32.dll!CryptExportKey 000007fefeafac20 9 bytes JMP 000007fefec20330
.text C:\Windows\System32\svchost.exe[1928] C:\Windows\system32\ADVAPI32.dll!CryptAcquireContextA 000007fefeafac7c 8 bytes JMP 000007fefec20231
.text C:\Windows\System32\svchost.exe[1928] C:\Windows\system32\ADVAPI32.dll!CryptImportKey 000007fefeafe414 9 bytes JMP 000007fefec203fc
.text C:\Windows\System32\svchost.exe[1928] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserW 000007fefeafe47c 7 bytes JMP 000007fefec200cc
.text C:\Windows\System32\svchost.exe[1928] C:\Windows\system32\ADVAPI32.dll!OpenServiceW 000007fefeafe514 5 bytes JMP 000007fefec205c7
.text C:\Windows\System32\svchost.exe[1928] C:\Windows\system32\ADVAPI32.dll!CryptAcquireContextW 000007fefeb001bc 8 bytes JMP 000007fefec20264
.text C:\Windows\System32\svchost.exe[1928] C:\Windows\system32\ADVAPI32.dll!CryptHashData 000007fefeb0025c 5 bytes JMP 000007fefec203c9
.text C:\Windows\System32\svchost.exe[1928] C:\Windows\system32\ADVAPI32.dll!CryptCreateHash 000007fefeb00290 9 bytes JMP 000007fefec20297
.text C:\Windows\System32\svchost.exe[1928] C:\Windows\system32\ADVAPI32.dll!CryptGetHashParam 000007fefeb002bc 8 bytes JMP 000007fefec20396
.text C:\Windows\System32\svchost.exe[1928] C:\Windows\system32\ADVAPI32.dll!OpenServiceA 000007fefeb09d6c 5 bytes JMP 000007fefec20594
.text C:\Windows\System32\svchost.exe[1928] C:\Windows\system32\ADVAPI32.dll!CloseServiceHandle 000007fefeb0a830 14 bytes {JMP QWORD [RIP+0x0]}
.text C:\Windows\System32\svchost.exe[1928] C:\Windows\system32\ADVAPI32.dll!CreateServiceW 000007fefeb149b0 7 bytes JMP 000007fefec20198
.text C:\Windows\System32\svchost.exe[1928] C:\Windows\system32\ADVAPI32.dll!ControlService 000007fefeb14a50 5 bytes JMP 000007fefec20000
.text C:\Windows\System32\svchost.exe[1928] C:\Windows\system32\ADVAPI32.dll!CryptEncrypt 000007fefeb2a408 11 bytes JMP 000007fefec202fd
.text C:\Windows\System32\svchost.exe[1928] C:\Windows\system32\ADVAPI32.dll!CryptDeriveKey 000007fefeb2a454 9 bytes JMP 000007fefec202ca
.text C:\Windows\System32\svchost.exe[1928] C:\Windows\system32\ADVAPI32.dll!CreateServiceA 000007fefeb2a490 7 bytes JMP 000007fefec20165
.text C:\Windows\System32\svchost.exe[1928] C:\Windows\system32\ADVAPI32.dll!ControlServiceExW + 1 000007fefeb2a5e9 4 bytes {JMP 0xf5a7e}
.text C:\Windows\System32\svchost.exe[1928] C:\Windows\system32\ADVAPI32.dll!ControlServiceExA + 1 000007fefeb2a5f5 4 bytes {JMP 0xf5a3f}
.text C:\Windows\System32\svchost.exe[1928] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigW 000007fefeb2a600 12 bytes {JMP QWORD [RIP+0x0]}
.text C:\Windows\System32\svchost.exe[1928] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigW + 14 000007fefeb2a60e 1 byte INT3
.text C:\Windows\System32\svchost.exe[1928] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigA 000007fefeb2a66c 12 bytes {JMP QWORD [RIP+0x0]}
.text C:\Windows\System32\svchost.exe[1928] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigA + 14 000007fefeb2a67a 1 byte INT3
.text C:\Windows\System32\svchost.exe[1928] C:\Windows\system32\ADVAPI32.dll!LsaQueryTrustedDomainInfoByName 000007fefeb39490 7 bytes JMP 000007fefec20561
.text C:\Windows\System32\svchost.exe[1928] C:\Windows\system32\ADVAPI32.dll!LsaQueryTrustedDomainInfo 000007fefeb39640 5 bytes JMP 000007fefec2052e
.text C:\Windows\System32\svchost.exe[1928] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007fefeb3a8d0 7 bytes JMP 000007fefec20099
.text C:\Windows\System32\svchost.exe[1928] C:\Windows\system32\ADVAPI32.dll!FlushEfsCache 000007fefeb51380 6 bytes JMP 000007fefec20462
.text C:\Windows\System32\svchost.exe[1928] C:\Windows\system32\ADVAPI32.dll!SetUserFileEncryptionKey 000007fefeb51650 6 bytes JMP 000007fefec205fa
.text C:\Windows\System32\svchost.exe[1928] C:\Windows\system32\ADVAPI32.dll!EncryptFileW 000007fefeb51c00 6 bytes JMP 000007fefec2042f
.text C:\Windows\System32\svchost.exe[1928] C:\Windows\system32\ADVAPI32.dll!InitiateShutdownW 000007fefeb53690 7 bytes JMP 000007fefec20495
.text C:\Windows\System32\svchost.exe[1928] C:\Windows\system32\ADVAPI32.dll!InitiateSystemShutdownExW 000007fefeb53800 7 bytes JMP 000007fefec204c8
.text C:\Windows\System32\svchost.exe[1928] C:\Windows\system32\ADVAPI32.dll!InitiateSystemShutdownW 000007fefeb53920 7 bytes JMP 000007fefec204fb
.text C:\Windows\System32\svchost.exe[1928] C:\Windows\system32\ADVAPI32.dll!CredEnumerateW 000007fefeb5def0 7 bytes JMP 000007fefec201fe
.text C:\Windows\System32\svchost.exe[1928] C:\Windows\system32\ADVAPI32.dll!CredEnumerateA 000007fefeb5e020 7 bytes JMP 000007fefec201cb
.text C:\Windows\System32\svchost.exe[1928] C:\Windows\system32\ADVAPI32.dll!CreateProcessWithTokenW 000007fefeb60f10 7 bytes JMP 000007fefec20132
.text C:\Windows\System32\svchost.exe[1928] C:\Windows\system32\ADVAPI32.dll!CreateProcessWithLogonW 000007fefeb60f80 7 bytes JMP 000007fefec200ff
.text C:\Windows\System32\svchost.exe[1928] c:\windows\system32\SspiCli.dll!GetUserNameExW 000007fefd591118 7 bytes JMP 000007fefec208f7
.text C:\Windows\System32\svchost.exe[1928] c:\windows\system32\SspiCli.dll!GetUserNameExA 000007fefd591640 7 bytes JMP 000007fefec208c4
.text C:\Windows\System32\svchost.exe[1928] c:\windows\system32\SspiCli.dll!LsaCallAuthenticationPackage 000007fefd5955b8 5 bytes JMP 000007fefec2092a
.text C:\Windows\System32\svchost.exe[1928] c:\windows\system32\SspiCli.dll!EnumerateSecurityPackagesW 000007fefd597358 5 bytes JMP 000007fefec20891
.text C:\Windows\System32\svchost.exe[1928] c:\windows\system32\SspiCli.dll!EnumerateSecurityPackagesA 000007fefd5a57c0 5 bytes JMP 000007fefec2085e
.text C:\Windows\System32\svchost.exe[1928] C:\Windows\system32\USERENV.dll!GetUserProfileDirectoryW 000007fefdba1c00 10 bytes JMP 000007fefec209f6
.text C:\Windows\System32\svchost.exe[1928] C:\Windows\system32\USERENV.dll!GetProfilesDirectoryW 000007fefdbae610 5 bytes JMP 000007fefec20990
.text C:\Windows\System32\svchost.exe[1928] C:\Windows\system32\USERENV.dll!GetProfilesDirectoryA 000007fefdbae9d0 7 bytes JMP 000007fefec2095d
.text C:\Windows\System32\svchost.exe[1928] C:\Windows\system32\USERENV.dll!GetUserProfileDirectoryA 000007fefdbafc50 7 bytes JMP 000007fefec209c3
.text C:\Windows\System32\svchost.exe[1928] C:\Windows\System32\CRYPTSP.dll!CryptAcquireContextW 000007fefccc3b98 7 bytes JMP 000007fefec20ac2
.text C:\Windows\System32\svchost.exe[1928] C:\Windows\System32\CRYPTSP.dll!CryptAcquireContextA 000007fefccc3ca8 5 bytes JMP 000007fefec20a8f
.text C:\Windows\System32\svchost.exe[1928] C:\Windows\System32\CRYPTSP.dll!CryptExportKey 000007fefccc55ac 7 bytes JMP 000007fefec20b28
.text C:\Windows\System32\svchost.exe[1928] C:\Windows\System32\CRYPTSP.dll!CryptImportKey 000007fefccc56fc 7 bytes JMP 000007fefec20bc1
.text C:\Windows\System32\svchost.exe[1928] C:\Windows\System32\CRYPTSP.dll!CryptCreateHash 000007fefccc5be4 7 bytes JMP 000007fefec20af5
.text C:\Windows\System32\svchost.exe[1928] C:\Windows\System32\CRYPTSP.dll!CryptHashData 000007fefccc5f80 7 bytes JMP 000007fefec20b8e
.text C:\Windows\System32\svchost.exe[1928] C:\Windows\System32\CRYPTSP.dll!CryptGetHashParam 000007fefccc698c 7 bytes JMP 000007fefec20b5b
.text C:\Windows\System32\svchost.exe[1928] C:\Windows\system32\CRYPT32.dll!CertAddEncodedCertificateToStore 000007fefd828f08 7 bytes JMP 000007fefec20cf3
.text C:\Windows\System32\svchost.exe[1928] C:\Windows\system32\CRYPT32.dll!CertAddCRLContextToStore 000007fefd84cd00 5 bytes JMP 000007fefec20cc0
.text C:\Windows\System32\svchost.exe[1928] C:\Windows\system32\CRYPT32.dll!CertCreateSelfSignCertificate 000007fefd8764fc 5 bytes JMP 000007fefec20d26
.text C:\Windows\System32\svchost.exe[1928] C:\Windows\system32\WS2_32.dll!WSASend 000007fefe9e13b0 5 bytes JMP 000007fefec20f24
.text C:\Windows\System32\svchost.exe[1928] C:\Windows\system32\WS2_32.dll!closesocket 000007fefe9e18e0 5 bytes JMP 000007fefec20fbd
.text C:\Windows\System32\svchost.exe[1928] C:\Windows\system32\WS2_32.dll!WSASocketW 000007fefe9e1bd0 5 bytes JMP 000007fefec20f8a
.text C:\Windows\System32\svchost.exe[1928] C:\Windows\system32\WS2_32.dll!WSASocketA 000007fefe9e2010 11 bytes JMP 000007fefec20f57
.text C:\Windows\System32\svchost.exe[1928] C:\Windows\system32\WS2_32.dll!GetAddrInfoW 000007fefe9e23c0 5 bytes JMP 000007fefec20e8b
.text C:\Windows\System32\svchost.exe[1928] C:\Windows\system32\WS2_32.dll!connect 000007fefe9e45c0 5 bytes JMP 000007fefec20ff0
.text C:\Windows\System32\svchost.exe[1928] C:\Windows\system32\WS2_32.dll!send 000007fefe9e8000 5 bytes JMP 000007fefec21056
.text C:\Windows\System32\svchost.exe[1928] C:\Windows\system32\WS2_32.dll!gethostbyname 000007fefe9e8df0 9 bytes JMP 000007fefec21023
.text C:\Windows\System32\svchost.exe[1928] C:\Windows\system32\WS2_32.dll!GetAddrInfoExW 000007fefe9ec090 5 bytes JMP 000007fefec20e58
.text C:\Windows\System32\svchost.exe[1928] C:\Windows\system32\WS2_32.dll!WSAIoctl 000007fefe9ed620 5 bytes JMP 000007fefec20ef1
.text C:\Windows\System32\svchost.exe[1928] C:\Windows\system32\WS2_32.dll!sendto 000007fefe9ed7f0 7 bytes JMP 000007fefec21089
.text C:\Windows\System32\svchost.exe[1928] C:\Windows\system32\WS2_32.dll!socket 000007fefe9ede90 5 bytes JMP 000007fefec210bc
.text C:\Windows\System32\svchost.exe[1928] C:\Windows\system32\WS2_32.dll!WSAConnect 000007fefea0e0f0 7 bytes JMP 000007fefec20ebe
.text C:\Windows\System32\svchost.exe[1928] c:\windows\system32\IPHLPAPI.DLL!GetAdaptersAddresses 000007fefa2b2aa4 5 bytes JMP 000007fefec210ef
.text C:\Windows\System32\svchost.exe[1928] c:\windows\system32\IPHLPAPI.DLL!GetAdaptersInfo 000007fefa2b792c 5 bytes JMP 000007fefec21122
.text C:\Windows\System32\svchost.exe[1928] c:\windows\system32\IPHLPAPI.DLL!ResolveIpNetEntry2 000007fefa2b8d44 7 bytes JMP 000007fefec211bb
.text C:\Windows\System32\svchost.exe[1928] c:\windows\system32\IPHLPAPI.DLL!GetIpNetTable 000007fefa2be51c 7 bytes JMP 000007fefec21155
.text C:\Windows\System32\svchost.exe[1928] c:\windows\system32\IPHLPAPI.DLL!SendARP 000007fefa2bf354 5 bytes JMP 000007fefec211ee
.text C:\Windows\System32\svchost.exe[1928] c:\windows\system32\IPHLPAPI.DLL!GetIpNetTable2 000007fefa2c8520 6 bytes JMP 000007fefec21188
.text C:\Windows\System32\svchost.exe[1928] C:\Windows\System32\NETAPI32.dll!NetWkstaGetInfo 000007fefbf61430 5 bytes JMP 000007fefec217b5
.text C:\Windows\System32\svchost.exe[1928] C:\Windows\System32\srvcli.dll!NetShareEnum 000007fefd4b1ad4 7 bytes JMP 000007fefec2171c
.text C:\Windows\System32\svchost.exe[1928] C:\Windows\System32\srvcli.dll!NetSessionEnum 000007fefd4b38f8 7 bytes JMP 000007fefec216e9
.text C:\Windows\System32\svchost.exe[1928] C:\Windows\System32\wkscli.dll!NetWkstaUserEnum 000007fefbf32efc 5 bytes JMP 000007fefec217e8
.text C:\Windows\System32\svchost.exe[1928] C:\Windows\System32\SAMCLI.DLL!NetUserGetInfo 000007fefbf11354 7 bytes JMP 000007fefec21782
.text C:\Windows\System32\svchost.exe[1928] C:\Windows\System32\SAMCLI.DLL!NetLocalGroupGetMembers 000007fefbf12210 7 bytes JMP 000007fefec21683
.text C:\Windows\System32\svchost.exe[1928] C:\Windows\System32\SAMCLI.DLL!NetUserEnum 000007fefbf163a0 7 bytes JMP 000007fefec2174f
.text C:\Windows\System32\svchost.exe[1928] C:\Windows\System32\SAMCLI.DLL!NetGroupGetUsers 000007fefbf1951c 7 bytes JMP 000007fefec2161d
.text C:\Windows\System32\svchost.exe[1928] C:\Windows\System32\SAMCLI.DLL!NetLocalGroupEnum 000007fefbf1a860 7 bytes JMP 000007fefec21650
.text C:\Windows\System32\svchost.exe[1928] C:\Windows\System32\LOGONCLI.DLL!DsGetDcNameW 000007fefcab14c0 9 bytes JMP 000007fefec21584
.text C:\Windows\System32\svchost.exe[1928] C:\Windows\System32\LOGONCLI.DLL!DsEnumerateDomainTrustsW 000007fefcab7a7c 7 bytes JMP 000007fefec2151e
.text C:\Windows\System32\svchost.exe[1928] C:\Windows\System32\LOGONCLI.DLL!NetGetDCName 000007fefcab7b24 7 bytes JMP 000007fefec215ea
.text C:\Windows\System32\svchost.exe[1928] C:\Windows\System32\LOGONCLI.DLL!DsGetDcNameA 000007fefcabc860 9 bytes JMP 000007fefec21551
.text C:\Windows\System32\svchost.exe[1928] C:\Windows\System32\LOGONCLI.DLL!NetGetAnyDCName 000007fefcabcd5c 8 bytes JMP 000007fefec215b7
.text C:\Windows\System32\svchost.exe[1928] C:\Windows\System32\LOGONCLI.DLL!DsEnumerateDomainTrustsA 000007fefcabeb90 7 bytes JMP 000007fefec214eb
.text C:\Windows\System32\svchost.exe[1928] C:\Windows\System32\BROWCLI.DLL!NetServerEnum 000007fef1c62cd0 7 bytes JMP 000007fefec216b6
.text C:\Windows\System32\svchost.exe[1928] C:\Windows\system32\WINSPOOL.DRV!AddMonitorA 000007fef1b579d4 7 bytes JMP 000007fefec2184e
.text C:\Windows\System32\svchost.exe[1928] C:\Windows\system32\WINSPOOL.DRV!DeleteMonitorA 000007fef1b57a98 5 bytes JMP 000007fefec218b4
.text C:\Windows\System32\svchost.exe[1928] C:\Windows\system32\WINSPOOL.DRV!AddMonitorW 000007fef1b6582c 5 bytes JMP 000007fefec21881
.text C:\Windows\System32\svchost.exe[1928] C:\Windows\system32\WINSPOOL.DRV!DeleteMonitorW 000007fef1b65904 5 bytes JMP 000007fefec218e7
.text C:\Windows\System32\svchost.exe[1928] C:\Windows\System32\SAMLIB.dll!SamSetInformationUser 000007fef5825a34 6 bytes JMP 000007fefec2194d
.text C:\Windows\System32\svchost.exe[1928] C:\Windows\System32\SAMLIB.dll!SamiChangePasswordUser 000007fef582639c 6 bytes JMP 000007fefec21980
.text C:\Windows\system32\svchost.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtWriteFile 0000000077acbbb0 8 bytes JMP 0000000077c30ef1
.text C:\Windows\system32\svchost.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 0000000077acbc00 8 bytes JMP 0000000077c30b28
.text C:\Windows\system32\svchost.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077acbc20 8 bytes JMP 0000000077c302ca
.text C:\Windows\system32\svchost.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 0000000077acbcc0 8 bytes JMP 0000000077c30e58
.text C:\Windows\system32\svchost.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077acbd90 8 bytes JMP 0000000077c304fb
.text C:\Windows\system32\svchost.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000077acbdb0 8 bytes JMP 0000000077c30660
.text C:\Windows\system32\svchost.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 0000000077acbdd0 8 bytes JMP 0000000077c30c5a
.text C:\Windows\system32\svchost.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077acbdf0 8 bytes JMP 0000000077c30000
.text C:\Windows\system32\svchost.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077acbed0 8 bytes JMP 0000000077c30462
.text C:\Windows\system32\svchost.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077acbef0 8 bytes JMP 0000000077c30561
.text C:\Windows\system32\svchost.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtReadVirtualMemory 0000000077acbf20 8 bytes JMP 0000000077c30990
.text C:\Windows\system32\svchost.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077acbf40 8 bytes JMP 0000000077c30066
.text C:\Windows\system32\svchost.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077acbf80 8 bytes JMP 0000000077c305c7
.text C:\Windows\system32\svchost.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077acbfd0 8 bytes JMP 0000000077c30f24
.text C:\Windows\system32\svchost.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 0000000077acc000 8 bytes JMP 0000000077c30330
.text C:\Windows\system32\svchost.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077acc010 8 bytes JMP 0000000077c303fc
.text C:\Windows\system32\svchost.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000077acc050 8 bytes JMP 0000000077c30cc0
.text C:\Windows\system32\svchost.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077acc270 8 bytes JMP 0000000077c30b5b
.text C:\Windows\system32\svchost.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000077acc280 8 bytes JMP 0000000077c30b8e
.text C:\Windows\system32\svchost.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077acc380 8 bytes JMP 0000000077c30bc1
.text C:\Windows\system32\svchost.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtCommitTransaction 0000000077acc400 8 bytes JMP 0000000077c30f8a
.text C:\Windows\system32\svchost.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077acc500 8 bytes JMP 0000000077c30ff0
.text C:\Windows\system32\svchost.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 0000000077acc550 8 bytes JMP 0000000077c302fd
.text C:\Windows\system32\svchost.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077acc5a0 8 bytes JMP 0000000077c31056
.text C:\Windows\system32\svchost.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077acc5b0 8 bytes JMP 0000000077c3042f
.text C:\Windows\system32\svchost.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTransaction 0000000077acc5e0 8 bytes JMP 0000000077c30e8b
.text C:\Windows\system32\svchost.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 0000000077acc600 8 bytes JMP 0000000077c30363
.text C:\Windows\system32\svchost.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077acc920 8 bytes JMP 0000000077c31023
.text C:\Windows\system32\svchost.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtQuerySystemEnvironmentValueEx 0000000077acce10 8 bytes JMP 0000000077c30c27
.text C:\Windows\system32\svchost.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError 0000000077acce60 8 bytes JMP 0000000077c301cb
.text C:\Windows\system32\svchost.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtRollbackTransaction 0000000077accfd0 8 bytes JMP 0000000077c30f57
.text C:\Windows\system32\svchost.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077acd060 8 bytes JMP 0000000077c305fa
.text C:\Windows\system32\svchost.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationTransaction 0000000077acd150 8 bytes JMP 0000000077c30fbd
.text C:\Windows\system32\svchost.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemEnvironmentValueEx 0000000077acd210 8 bytes JMP 0000000077c30bf4
.text C:\Windows\system32\svchost.exe[556] C:\Windows\SYSTEM32\ntdll.dll!RtlImageNtHeaderEx 0000000077ad1fd0 5 bytes JMP 0000000077c30033
.text C:\Windows\system32\svchost.exe[556] C:\Windows\SYSTEM32\ntdll.dll!RtlWow64SetThreadContext 0000000077b26b30 5 bytes JMP 0000000077c30c8d
.text C:\Windows\system32\svchost.exe[556] C:\Windows\SYSTEM32\ntdll.dll!RtlWow64SetThreadContext + 6 0000000077b26b36 3 bytes [CC, CC, CC]
.text C:\Windows\system32\svchost.exe[556] C:\Windows\SYSTEM32\ntdll.dll!RtlReportException 0000000077b3e210 5 bytes JMP 0000000077c301fe
.text C:\Windows\system32\svchost.exe[556] C:\Windows\system32\kernel32.dll!Process32NextW 0000000077861b20 7 bytes JMP 0000000077c30297
.text C:\Windows\system32\svchost.exe[556] C:\Windows\system32\kernel32.dll!CreateToolhelp32Snapshot 0000000077861c10 7 bytes JMP 0000000077c3062d
.text C:\Windows\system32\svchost.exe[556] C:\Windows\system32\kernel32.dll!MoveFileExW 0000000077862b60 13 bytes JMP 0000000077c3075f
.text C:\Windows\system32\svchost.exe[556] C:\Windows\system32\kernel32.dll!K32EnumDeviceDrivers 0000000077869a60 5 bytes JMP 0000000077c30dbf
.text C:\Windows\system32\svchost.exe[556] C:\Windows\system32\kernel32.dll!GetNativeSystemInfo 000000007786ac80 6 bytes JMP 0000000077c30cf3
.text C:\Windows\system32\svchost.exe[556] C:\Windows\system32\kernel32.dll!PeekConsoleInputW 000000007786c400 9 bytes JMP 0000000077c30198
.text C:\Windows\system32\svchost.exe[556] C:\Windows\system32\kernel32.dll!LoadLibraryW 0000000077876410 5 bytes JMP 0000000077c308f7
.text C:\Windows\system32\svchost.exe[556] C:\Windows\system32\kernel32.dll!LoadLibraryA 0000000077876500 5 bytes JMP 0000000077c308c4
.text C:\Windows\system32\svchost.exe[556] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007787dbf0 5 bytes JMP 0000000077c304c8
.text C:\Windows\system32\svchost.exe[556] C:\Windows\system32\kernel32.dll!CreateProcessW 00000000778805e0 12 bytes JMP 0000000077c3085e
.text C:\Windows\system32\svchost.exe[556] C:\Windows\system32\kernel32.dll!GenerateConsoleCtrlEvent 00000000778a0e70 4 bytes JMP 0000000077c3095d
.text C:\Windows\system32\svchost.exe[556] C:\Windows\system32\kernel32.dll!GenerateConsoleCtrlEvent + 5 00000000778a0e75 2 bytes [CC, CC]
.text C:\Windows\system32\svchost.exe[556] C:\Windows\system32\kernel32.dll!K32EnumProcessModules 00000000778b4410 12 bytes JMP 0000000077c30a8f
.text C:\Windows\system32\svchost.exe[556] C:\Windows\system32\kernel32.dll!ReadConsoleInputW 00000000778b5460 6 bytes JMP 0000000077c30132
.text C:\Windows\system32\svchost.exe[556] C:\Windows\system32\kernel32.dll!ReadConsoleInputA 00000000778b5480 6 bytes JMP 0000000077c300ff
.text C:\Windows\system32\svchost.exe[556] C:\Windows\system32\kernel32.dll!PeekConsoleInputA 00000000778b54a0 9 bytes JMP 0000000077c30165
.text C:\Windows\system32\svchost.exe[556] C:\Windows\system32\kernel32.dll!GetVolumeInformationA 00000000778c1df0 7 bytes JMP 0000000077c30df2
.text C:\Windows\system32\svchost.exe[556] C:\Windows\system32\kernel32.dll!CreateNamedPipeA 00000000778c2dd0 5 bytes JMP 0000000077c31089
.text C:\Windows\system32\svchost.exe[556] C:\Windows\system32\kernel32.dll!DefineDosDeviceA 00000000778c5ae0 5 bytes JMP 0000000077c306c6
.text C:\Windows\system32\svchost.exe[556] C:\Windows\system32\kernel32.dll!K32EnumProcessModulesEx 00000000778c9c70 7 bytes JMP 0000000077c30ac2
.text C:\Windows\system32\svchost.exe[556] C:\Windows\system32\kernel32.dll!ReadConsoleW 00000000778ca820 5 bytes JMP 0000000077c300cc
.text C:\Windows\system32\svchost.exe[556] C:\Windows\system32\kernel32.dll!ReadConsoleA 00000000778ca930 5 bytes JMP 0000000077c30099
.text C:\Windows\system32\svchost.exe[556] C:\Windows\system32\kernel32.dll!CreateFileTransactedW 00000000778d5a60 7 bytes JMP 0000000077c30ebe
.text C:\Windows\system32\svchost.exe[556] C:\Windows\system32\kernel32.dll!K32GetModuleInformation 00000000778d9700 5 bytes JMP 0000000077c30a5c
.text C:\Windows\system32\svchost.exe[556] C:\Windows\system32\kernel32.dll!K32GetModuleBaseNameW 00000000778d97a0 5 bytes JMP 0000000077c309f6
.text C:\Windows\system32\svchost.exe[556] C:\Windows\system32\kernel32.dll!K32GetModuleFileNameExW 00000000778d9870 5 bytes JMP 0000000077c30a29
.text C:\Windows\system32\svchost.exe[556] C:\Windows\system32\kernel32.dll!GetApplicationRestartSettings + 1 00000000778df641 4 bytes {JMP 0x3514b5}
.text C:\Windows\system32\svchost.exe[556] C:\Windows\system32\kernel32.dll!GetApplicationRecoveryCallback 00000000778df650 7 bytes JMP 0000000077c309c3
.text C:\Windows\system32\svchost.exe[556] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 00000000778ef6d0 8 bytes JMP 0000000077c307c5
.text C:\Windows\system32\svchost.exe[556] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 00000000778ef8d0 8 bytes JMP 0000000077c30792
.text C:\Windows\system32\svchost.exe[556] C:\Windows\system32\kernel32.dll!MoveFileExA 00000000778ef900 10 bytes JMP 0000000077c3072c
.text C:\Windows\system32\svchost.exe[556] C:\Windows\system32\kernel32.dll!CreateProcessInternalA 00000000778fa2e0 7 bytes JMP 0000000077c30495
.text C:\Windows\system32\svchost.exe[556] C:\Windows\system32\kernel32.dll!CreateProcessA 00000000778fafb0 7 bytes JMP 0000000077c3082b
.text C:\Windows\system32\svchost.exe[556] C:\Windows\system32\kernel32.dll!WinExec 00000000778fb4f0 7 bytes JMP 0000000077c310ef
.text C:\Windows\system32\svchost.exe[556] C:\Windows\system32\KERNELBASE.dll!CloseHandle 000007fefda41860 12 bytes {JMP QWORD [RIP+0x0]}
.text C:\Windows\system32\svchost.exe[556] C:\Windows\system32\KERNELBASE.dll!CloseHandle + 13 000007fefda4186d 6 bytes [00, CC, CC, CC, CC, CC]
.text C:\Windows\system32\svchost.exe[556] C:\Windows\system32\KERNELBASE.dll!GetProcAddress 000007fefda43370 15 bytes {JMP QWORD [RIP+0x0]}
.text C:\Windows\system32\svchost.exe[556] C:\Windows\system32\KERNELBASE.dll!QueueUserAPC 000007fefda43d90 16 bytes {JMP QWORD [RIP+0x0]}
.text C:\Windows\system32\svchost.exe[556] C:\Windows\system32\KERNELBASE.dll!CreateFileW 000007fefda45fe0 20 bytes {JMP QWORD [RIP+0x0]}
.text C:\Windows\system32\svchost.exe[556] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThreadEx + 1 000007fefda4acb1 18 bytes {JMP QWORD [RIP+0x0]}
.text C:\Windows\system32\svchost.exe[556] C:\Windows\system32\KERNELBASE.dll!SetEnvironmentVariableW + 1 000007fefda4ee41 17 bytes {JMP QWORD [RIP+0x0]}
.text C:\Windows\system32\svchost.exe[556] C:\Windows\system32\KERNELBASE.dll!OpenThread 000007fefda4ef50 12 bytes {JMP QWORD [RIP+0x0]}
.text C:\Windows\system32\svchost.exe[556] C:\Windows\system32\KERNELBASE.dll!OpenThread + 14 000007fefda4ef5e 1 byte INT3
.text C:\Windows\system32\svchost.exe[556] C:\Windows\system32\KERNELBASE.dll!DeleteFileW 000007fefda53290 4 bytes [FF, 25, 00, 00]
.text C:\Windows\system32\svchost.exe[556] C:\Windows\system32\KERNELBASE.dll!DeleteFileW + 6 000007fefda53296 11 bytes [F8, 07, C3, 77, 00, 00, 00, ...]
.text C:\Windows\system32\svchost.exe[556] C:\Windows\system32\KERNELBASE.dll!GetVolumeInformationW 000007fefda53640 18 bytes {JMP QWORD [RIP+0x0]}
.text C:\Windows\system32\svchost.exe[556] C:\Windows\system32\KERNELBASE.dll!GetLogicalProcessorInformationEx 000007fefda55770 17 bytes {JMP QWORD [RIP+0x0]}
.text C:\Windows\system32\svchost.exe[556] C:\Windows\system32\KERNELBASE.dll!CreateNamedPipeW 000007fefda57310 10 bytes {JMP QWORD [RIP+0x0]}
.text C:\Windows\system32\svchost.exe[556] C:\Windows\system32\KERNELBASE.dll!CreateNamedPipeW + 12 000007fefda5731c 3 bytes [00, 00, CC]
.text C:\Windows\system32\svchost.exe[556] C:\Windows\system32\KERNELBASE.dll!GetSystemInfo + 1 000007fefda5a661 16 bytes {JMP QWORD [RIP+0x0]}
.text C:\Windows\system32\svchost.exe[556] C:\Windows\system32\KERNELBASE.dll!SetEnvironmentVariableA + 1 000007fefda73231 16 bytes {JMP QWORD [RIP+0x0]}
.text C:\Windows\system32\svchost.exe[556] C:\Windows\system32\KERNELBASE.dll!TerminateProcess 000007fefda73550 15 bytes {JMP QWORD [RIP+0x0]}
.text C:\Windows\system32\svchost.exe[556] C:\Windows\system32\KERNELBASE.dll!GetLogicalProcessorInformation 000007fefda73670 16 bytes {JMP QWORD [RIP+0x0]}
.text C:\Windows\system32\svchost.exe[556] C:\Windows\system32\KERNELBASE.dll!CreateFileA 000007fefda7afe0 15 bytes {JMP QWORD [RIP+0x0]}
.text C:\Windows\system32\svchost.exe[556] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW 000007fefda7ff00 19 bytes {JMP QWORD [RIP+0x0]}
.text C:\Windows\system32\svchost.exe[2072] C:\Windows\system32\WS2_32.dll!WSASocketA 000007fefe9e2010 11 bytes JMP 000007fefec20bc1
.text C:\Windows\system32\svchost.exe[2072] C:\Windows\system32\WS2_32.dll!GetAddrInfoW 000007fefe9e23c0 5 bytes JMP 000007fefec20af5
.text C:\Windows\system32\svchost.exe[2072] C:\Windows\system32\WS2_32.dll!connect 000007fefe9e45c0 5 bytes JMP 000007fefec20c5a
.text C:\Windows\system32\svchost.exe[2072] C:\Windows\system32\WS2_32.dll!send 000007fefe9e8000 5 bytes JMP 000007fefec20cc0
.text C:\Windows\system32\svchost.exe[2072] C:\Windows\system32\WS2_32.dll!gethostbyname 000007fefe9e8df0 9 bytes JMP 000007fefec20c8d
.text C:\Windows\system32\svchost.exe[2072] C:\Windows\system32\WS2_32.dll!GetAddrInfoExW 000007fefe9ec090 5 bytes JMP 000007fefec20ac2
.text C:\Windows\system32\svchost.exe[2072] C:\Windows\system32\WS2_32.dll!WSAIoctl 000007fefe9ed620 5 bytes JMP 000007fefec20b5b
.text C:\Windows\system32\svchost.exe[2072] C:\Windows\system32\WS2_32.dll!sendto 000007fefe9ed7f0 7 bytes JMP 000007fefec20cf3
.text C:\Windows\system32\svchost.exe[2072] C:\Windows\system32\WS2_32.dll!socket 000007fefe9ede90 5 bytes JMP 000007fefec20d26
.text C:\Windows\system32\svchost.exe[2072] C:\Windows\system32\WS2_32.dll!WSAConnect 000007fefea0e0f0 7 bytes JMP 000007fefec20b28
.text C:\Windows\system32\svchost.exe[2072] C:\Windows\system32\CRYPT32.dll!CertAddEncodedCertificateToStore 000007fefd828f08 7 bytes JMP 000007fefec20dbf
.text C:\Windows\system32\svchost.exe[2072] C:\Windows\system32\CRYPT32.dll!CertAddCRLContextToStore 000007fefd84cd00 5 bytes JMP 000007fefec20d8c
.text C:\Windows\system32\svchost.exe[2072] C:\Windows\system32\CRYPT32.dll!CertCreateSelfSignCertificate 000007fefd8764fc 5 bytes JMP 000007fefec20df2
.text C:\Windows\system32\svchost.exe[2072] C:\Windows\system32\SHELL32.dll!ShellExecuteW 000007feff019844 11 bytes JMP 000007fefec20f57
.text C:\Windows\system32\svchost.exe[2072] C:\Windows\system32\SHELL32.dll!Shell_NotifyIconW 000007feff01dc78 5 bytes JMP 000007fefec20f8a
.text C:\Windows\system32\svchost.exe[2072] C:\Windows\system32\SHELL32.dll!ShellExecuteExW 000007feff024f6c 5 bytes JMP 000007fefec20f24
.text C:\Windows\system32\svchost.exe[2072] C:\Windows\system32\SHELL32.dll!ShellExecuteEx 000007feff260430 5 bytes JMP 000007fefec20ef1
.text C:\Windows\system32\svchost.exe[2072] C:\Windows\system32\SHELL32.dll!ShellExecuteA 000007feff260530 11 bytes JMP 000007fefec20ebe
.text C:\Windows\system32\svchost.exe[2072] c:\windows\system32\NETAPI32.dll!NetWkstaGetInfo 000007fefbf61430 5 bytes JMP 000007fefec21287
.text C:\Windows\system32\svchost.exe[2072] c:\windows\system32\srvcli.dll!NetShareEnum 000007fefd4b1ad4 7 bytes JMP 000007fefec211ee
.text C:\Windows\system32\svchost.exe[2072] c:\windows\system32\srvcli.dll!NetSessionEnum 000007fefd4b38f8 7 bytes JMP 000007fefec211bb
.text C:\Windows\system32\svchost.exe[2072] c:\windows\system32\wkscli.dll!NetWkstaUserEnum 000007fefbf32efc 5 bytes JMP 000007fefec212ba
.text C:\Windows\system32\svchost.exe[2072] c:\windows\system32\SspiCli.dll!GetUserNameExW 000007fefd591118 7 bytes JMP 000007fefec21386
.text C:\Windows\system32\svchost.exe[2072] c:\windows\system32\SspiCli.dll!GetUserNameExA 000007fefd591640 7 bytes JMP 000007fefec21353
.text C:\Windows\system32\svchost.exe[2072] c:\windows\system32\SspiCli.dll!LsaCallAuthenticationPackage 000007fefd5955b8 5 bytes JMP 000007fefec213b9
.text C:\Windows\system32\svchost.exe[2072] c:\windows\system32\SspiCli.dll!EnumerateSecurityPackagesW 000007fefd597358 5 bytes JMP 000007fefec21320
.text C:\Windows\system32\svchost.exe[2072] c:\windows\system32\SspiCli.dll!EnumerateSecurityPackagesA 000007fefd5a57c0 5 bytes JMP 000007fefec212ed
.text C:\Windows\system32\svchost.exe[2072] C:\Windows\system32\LOGONCLI.DLL!DsGetDcNameW 000007fefcab14c0 9 bytes JMP 000007fefec21056
.text C:\Windows\system32\svchost.exe[2072] C:\Windows\system32\LOGONCLI.DLL!DsEnumerateDomainTrustsW 000007fefcab7a7c 7 bytes JMP 000007fefec20ff0
.text C:\Windows\system32\svchost.exe[2072] C:\Windows\system32\LOGONCLI.DLL!NetGetDCName 000007fefcab7b24 7 bytes JMP 000007fefec210bc
.text C:\Windows\system32\svchost.exe[2072] C:\Windows\system32\LOGONCLI.DLL!DsGetDcNameA 000007fefcabc860 9 bytes JMP 000007fefec21023
.text C:\Windows\system32\svchost.exe[2072] C:\Windows\system32\LOGONCLI.DLL!NetGetAnyDCName 000007fefcabcd5c 8 bytes JMP 000007fefec21089
.text C:\Windows\system32\svchost.exe[2072] C:\Windows\system32\LOGONCLI.DLL!DsEnumerateDomainTrustsA 000007fefcabeb90 7 bytes JMP 000007fefec20fbd
.text C:\Windows\system32\svchost.exe[2072] C:\Windows\system32\SAMCLI.DLL!NetUserGetInfo 000007fefbf11354 7 bytes JMP 000007fefec21254
.text C:\Windows\system32\svchost.exe[2072] C:\Windows\system32\SAMCLI.DLL!NetLocalGroupGetMembers 000007fefbf12210 7 bytes JMP 000007fefec21155
.text C:\Windows\system32\svchost.exe[2072] C:\Windows\system32\SAMCLI.DLL!NetUserEnum 000007fefbf163a0 7 bytes JMP 000007fefec21221
.text C:\Windows\system32\svchost.exe[2072] C:\Windows\system32\SAMCLI.DLL!NetGroupGetUsers 000007fefbf1951c 7 bytes JMP 000007fefec210ef
.text C:\Windows\system32\svchost.exe[2072] C:\Windows\system32\SAMCLI.DLL!NetLocalGroupEnum 000007fefbf1a860 7 bytes JMP 000007fefec21122
.text C:\Windows\system32\svchost.exe[2072] C:\Windows\system32\BROWCLI.DLL!NetServerEnum 000007fef1c62cd0 7 bytes JMP 000007fefec21188
.text C:\Windows\system32\svchost.exe[2072] C:\Windows\system32\IPHLPAPI.DLL!GetAdaptersAddresses 000007fefa2b2aa4 5 bytes JMP 000007fefec214b8
.text C:\Windows\system32\svchost.exe[2072] C:\Windows\system32\IPHLPAPI.DLL!GetAdaptersInfo 000007fefa2b792c 5 bytes JMP 000007fefec214eb
.text C:\Windows\system32\svchost.exe[2072] C:\Windows\system32\IPHLPAPI.DLL!ResolveIpNetEntry2 000007fefa2b8d44 7 bytes JMP 000007fefec21584
.text C:\Windows\system32\svchost.exe[2072] C:\Windows\system32\IPHLPAPI.DLL!GetIpNetTable 000007fefa2be51c 7 bytes JMP 000007fefec2151e
.text C:\Windows\system32\svchost.exe[2072] C:\Windows\system32\IPHLPAPI.DLL!SendARP 000007fefa2bf354 5 bytes JMP 000007fefec215b7
.text C:\Windows\system32\svchost.exe[2072] C:\Windows\system32\IPHLPAPI.DLL!GetIpNetTable2 000007fefa2c8520 6 bytes JMP 000007fefec21551
.text C:\Windows\system32\svchost.exe[2072] C:\Windows\system32\SAMLIB.dll!SamSetInformationUser 000007fef5825a34 6 bytes JMP 000007fefec2161d
.text C:\Windows\system32\svchost.exe[2072] C:\Windows\system32\SAMLIB.dll!SamiChangePasswordUser 000007fef582639c 6 bytes JMP 000007fefec21650
.text C:\Windows\system32\svchost.exe[2072] C:\Windows\system32\DNSAPI.dll!DnsQuery_UTF8 000007fefcae5738 7 bytes JMP 000007fefec216e9
.text C:\Windows\system32\svchost.exe[2072] C:\Windows\system32\DNSAPI.dll!DnsQuery_W 000007fefcaf01b0 7 bytes JMP 000007fefec2171c
.text C:\Windows\system32\svchost.exe[2072] C:\Windows\system32\DNSAPI.dll!DnsQuery_A 000007fefcb0db10 7 bytes JMP 000007fefec216b6
.text C:\Windows\system32\svchost.exe[2072] C:\Windows\system32\WINHTTP.dll!WinHttpOpen 000007fef0d93428 5 bytes JMP 000007fefec218b4
.text C:\Windows\system32\svchost.exe[2072] c:\windows\system32\WINSPOOL.DRV!AddMonitorA 000007fef1b579d4 7 bytes JMP 000007fefec21ab2
.text C:\Windows\system32\svchost.exe[2072] c:\windows\system32\WINSPOOL.DRV!DeleteMonitorA 000007fef1b57a98 5 bytes JMP 000007fefec21b18
.text C:\Windows\system32\svchost.exe[2072] c:\windows\system32\WINSPOOL.DRV!AddMonitorW 000007fef1b6582c 5 bytes JMP 000007fefec21ae5
.text C:\Windows\system32\svchost.exe[2072] c:\windows\system32\WINSPOOL.DRV!DeleteMonitorW 000007fef1b65904 5 bytes JMP 000007fefec21b4b
.text C:\Windows\system32\svchost.exe[2072] C:\Windows\system32\psapi.dll!EnumDeviceDrivers 0000000000371134 5 bytes JMP 0000000077c31daf
.text C:\Program Files\Bitdefender\Bitdefender Security\bdntwrk.exe[2228] C:\Windows\system32\kernel32.dll!LoadLibraryExA + 1 000000007786d851 4 bytes {JMP 0xffffffffbfff29e8}
.text C:\Program Files\Bitdefender\Bitdefender Security\bdntwrk.exe[2228] C:\Windows\system32\kernel32.dll!LoadLibraryW 0000000077876410 5 bytes JMP 0000000037860178
.text C:\Program Files\Bitdefender\Bitdefender Security\bdntwrk.exe[2228] C:\Windows\system32\kernel32.dll!LoadLibraryA 0000000077876500 5 bytes JMP 00000000378601d8
.text C:\Program Files\Bitdefender\Bitdefender Security\bdntwrk.exe[2228] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefda59ac0 5 bytes JMP 000007febda40178
.text C:\Program Files\Bitdefender\Bitdefender Security\bdntwrk.exe[2228] C:\Windows\system32\WINTRUST.dll!WinVerifyTrust 000007fefdb41010 5 bytes JMP 000007febda401d8
.text C:\Windows\system32\svchost.exe[2808] C:\Windows\SYSTEM32\ntdll.dll!NtWriteFile 0000000077acbbb0 8 bytes JMP 0000000077c30ef1
.text C:\Windows\system32\svchost.exe[2808] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 0000000077acbc00 8 bytes JMP 0000000077c30b28
.text C:\Windows\system32\svchost.exe[2808] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077acbc20 8 bytes JMP 0000000077c302ca
.text C:\Windows\system32\svchost.exe[2808] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 0000000077acbcc0 8 bytes JMP 0000000077c30e58
.text C:\Windows\system32\svchost.exe[2808] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077acbd90 8 bytes JMP 0000000077c304fb
.text C:\Windows\system32\svchost.exe[2808] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000077acbdb0 8 bytes JMP 0000000077c30660
.text C:\Windows\system32\svchost.exe[2808] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 0000000077acbdd0 8 bytes JMP 0000000077c30c5a
.text C:\Windows\system32\svchost.exe[2808] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077acbdf0 8 bytes JMP 0000000077c30000
.text C:\Windows\system32\svchost.exe[2808] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077acbed0 8 bytes JMP 0000000077c30462
.text C:\Windows\system32\svchost.exe[2808] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077acbef0 8 bytes JMP 0000000077c30561
.text C:\Windows\system32\svchost.exe[2808] C:\Windows\SYSTEM32\ntdll.dll!NtReadVirtualMemory 0000000077acbf20 8 bytes JMP 0000000077c30990
.text C:\Windows\system32\svchost.exe[2808] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077acbf40 8 bytes JMP 0000000077c30066
.text C:\Windows\system32\svchost.exe[2808] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077acbf80 8 bytes JMP 0000000077c305c7
.text C:\Windows\system32\svchost.exe[2808] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077acbfd0 8 bytes JMP 0000000077c30f24
.text C:\Windows\system32\svchost.exe[2808] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 0000000077acc000 8 bytes JMP 0000000077c30330
.text C:\Windows\system32\svchost.exe[2808] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077acc010 8 bytes JMP 0000000077c303fc
.text C:\Windows\system32\svchost.exe[2808] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000077acc050 8 bytes JMP 0000000077c30cc0
.text C:\Windows\system32\svchost.exe[2808] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077acc270 8 bytes JMP 0000000077c30b5b
.text C:\Windows\system32\svchost.exe[2808] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000077acc280 8 bytes JMP 0000000077c30b8e
.text C:\Windows\system32\svchost.exe[2808] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077acc380 8 bytes JMP 0000000077c30bc1
.text C:\Windows\system32\svchost.exe[2808] C:\Windows\SYSTEM32\ntdll.dll!NtCommitTransaction 0000000077acc400 8 bytes JMP 0000000077c30f8a
.text C:\Windows\system32\svchost.exe[2808] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077acc500 8 bytes JMP 0000000077c30ff0
.text C:\Windows\system32\svchost.exe[2808] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 0000000077acc550 8 bytes JMP 0000000077c302fd
.text C:\Windows\system32\svchost.exe[2808] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077acc5a0 8 bytes JMP 0000000077c31056
.text C:\Windows\system32\svchost.exe[2808] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077acc5b0 8 bytes JMP 0000000077c3042f
.text C:\Windows\system32\svchost.exe[2808] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTransaction 0000000077acc5e0 8 bytes JMP 0000000077c30e8b
.text C:\Windows\system32\svchost.exe[2808] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 0000000077acc600 8 bytes JMP 0000000077c30363
.text C:\Windows\system32\svchost.exe[2808] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077acc920 8 bytes JMP 0000000077c31023
.text C:\Windows\system32\svchost.exe[2808] C:\Windows\SYSTEM32\ntdll.dll!NtQuerySystemEnvironmentValueEx 0000000077acce10 8 bytes JMP 0000000077c30c27
.text C:\Windows\system32\svchost.exe[2808] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError 0000000077acce60 8 bytes JMP 0000000077c301cb
.text C:\Windows\system32\svchost.exe[2808] C:\Windows\SYSTEM32\ntdll.dll!NtRollbackTransaction 0000000077accfd0 8 bytes JMP 0000000077c30f57
.text C:\Windows\system32\svchost.exe[2808] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077acd060 8 bytes JMP 0000000077c305fa
.text C:\Windows\system32\svchost.exe[2808] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationTransaction 0000000077acd150 8 bytes JMP 0000000077c30fbd
.text C:\Windows\system32\svchost.exe[2808] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemEnvironmentValueEx 0000000077acd210 8 bytes JMP 0000000077c30bf4
.text C:\Windows\system32\svchost.exe[2808] C:\Windows\SYSTEM32\ntdll.dll!RtlImageNtHeaderEx 0000000077ad1fd0 5 bytes JMP 0000000077c30033
.text C:\Windows\system32\svchost.exe[2808] C:\Windows\SYSTEM32\ntdll.dll!RtlWow64SetThreadContext 0000000077b26b30 5 bytes JMP 0000000077c30c8d
.text C:\Windows\system32\svchost.exe[2808] C:\Windows\SYSTEM32\ntdll.dll!RtlWow64SetThreadContext + 6 0000000077b26b36 3 bytes [CC, CC, CC]
.text C:\Windows\system32\svchost.exe[2808] C:\Windows\SYSTEM32\ntdll.dll!RtlReportException 0000000077b3e210 5 bytes JMP 0000000077c301fe
.text C:\Windows\system32\svchost.exe[2808] C:\Windows\system32\kernel32.dll!Process32NextW 0000000077861b20 7 bytes JMP 0000000077c30297
.text C:\Windows\system32\svchost.exe[2808] C:\Windows\system32\kernel32.dll!CreateToolhelp32Snapshot 0000000077861c10 7 bytes JMP 0000000077c3062d
.text C:\Windows\system32\svchost.exe[2808] C:\Windows\system32\kernel32.dll!MoveFileExW 0000000077862b60 13 bytes JMP 0000000077c3075f
.text C:\Windows\system32\svchost.exe[2808] C:\Windows\system32\kernel32.dll!K32EnumDeviceDrivers 0000000077869a60 5 bytes JMP 0000000077c30dbf
.text C:\Windows\system32\svchost.exe[2808] C:\Windows\system32\kernel32.dll!GetNativeSystemInfo 000000007786ac80 6 bytes JMP 0000000077c30cf3
.text C:\Windows\system32\svchost.exe[2808] C:\Windows\system32\kernel32.dll!PeekConsoleInputW 000000007786c400 9 bytes JMP 0000000077c30198
.text C:\Windows\system32\svchost.exe[2808] C:\Windows\system32\kernel32.dll!LoadLibraryW 0000000077876410 5 bytes JMP 0000000077c308f7
.text C:\Windows\system32\svchost.exe[2808] C:\Windows\system32\kernel32.dll!LoadLibraryA 0000000077876500 5 bytes JMP 0000000077c308c4
.text C:\Windows\system32\svchost.exe[2808] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007787dbf0 5 bytes JMP 0000000077c304c8
.text C:\Windows\system32\svchost.exe[2808] C:\Windows\system32\kernel32.dll!CreateProcessW 00000000778805e0 12 bytes JMP 0000000077c3085e
.text C:\Windows\system32\svchost.exe[2808] C:\Windows\system32\kernel32.dll!GenerateConsoleCtrlEvent 00000000778a0e70 4 bytes JMP 0000000077c3095d
.text C:\Windows\system32\svchost.exe[2808] C:\Windows\system32\kernel32.dll!GenerateConsoleCtrlEvent + 5 00000000778a0e75 2 bytes [CC, CC]
.text C:\Windows\system32\svchost.exe[2808] C:\Windows\system32\kernel32.dll!K32EnumProcessModules 00000000778b4410 12 bytes JMP 0000000077c30a8f
.text C:\Windows\system32\svchost.exe[2808] C:\Windows\system32\kernel32.dll!ReadConsoleInputW 00000000778b5460 6 bytes JMP 0000000077c30132
.text C:\Windows\system32\svchost.exe[2808] C:\Windows\system32\kernel32.dll!ReadConsoleInputA 00000000778b5480 6 bytes JMP 0000000077c300ff
.text C:\Windows\system32\svchost.exe[2808] C:\Windows\system32\kernel32.dll!PeekConsoleInputA 00000000778b54a0 9 bytes JMP 0000000077c30165
.text C:\Windows\system32\svchost.exe[2808] C:\Windows\system32\kernel32.dll!GetVolumeInformationA 00000000778c1df0 7 bytes JMP 0000000077c30df2
.text C:\Windows\system32\svchost.exe[2808] C:\Windows\system32\kernel32.dll!CreateNamedPipeA 00000000778c2dd0 5 bytes JMP 0000000077c31089
.text C:\Windows\system32\svchost.exe[2808] C:\Windows\system32\kernel32.dll!DefineDosDeviceA 00000000778c5ae0 5 bytes JMP 0000000077c306c6
.text C:\Windows\system32\svchost.exe[2808] C:\Windows\system32\kernel32.dll!K32EnumProcessModulesEx 00000000778c9c70 7 bytes JMP 0000000077c30ac2
.text C:\Windows\system32\svchost.exe[2808] C:\Windows\system32\kernel32.dll!ReadConsoleW 00000000778ca820 5 bytes JMP 0000000077c300cc
.text C:\Windows\system32\svchost.exe[2808] C:\Windows\system32\kernel32.dll!ReadConsoleA 00000000778ca930 5 bytes JMP 0000000077c30099
.text C:\Windows\system32\svchost.exe[2808] C:\Windows\system32\kernel32.dll!CreateFileTransactedW 00000000778d5a60 7 bytes JMP 0000000077c30ebe
.text C:\Windows\system32\svchost.exe[2808] C:\Windows\system32\kernel32.dll!K32GetModuleInformation 00000000778d9700 5 bytes JMP 0000000077c30a5c
.text C:\Windows\system32\svchost.exe[2808] C:\Windows\system32\kernel32.dll!K32GetModuleBaseNameW 00000000778d97a0 5 bytes JMP 0000000077c309f6
.text C:\Windows\system32\svchost.exe[2808] C:\Windows\system32\kernel32.dll!K32GetModuleFileNameExW 00000000778d9870 5 bytes JMP 0000000077c30a29
.text C:\Windows\system32\svchost.exe[2808] C:\Windows\system32\kernel32.dll!GetApplicationRestartSettings + 1 00000000778df641 4 bytes {JMP 0x3514b5}
.text C:\Windows\system32\svchost.exe[2808] C:\Windows\system32\kernel32.dll!GetApplicationRecoveryCallback 00000000778df650 7 bytes JMP 0000000077c309c3
.text C:\Windows\system32\svchost.exe[2808] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 00000000778ef6d0 8 bytes JMP 0000000077c307c5
.text C:\Windows\system32\svchost.exe[2808] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 00000000778ef8d0 8 bytes JMP 0000000077c30792
.text C:\Windows\system32\svchost.exe[2808] C:\Windows\system32\kernel32.dll!MoveFileExA 00000000778ef900 10 bytes JMP 0000000077c3072c
.text C:\Windows\system32\svchost.exe[2808] C:\Windows\system32\kernel32.dll!CreateProcessInternalA 00000000778fa2e0 7 bytes JMP 0000000077c30495
.text C:\Windows\system32\svchost.exe[2808] C:\Windows\system32\kernel32.dll!CreateProcessA 00000000778fafb0 7 bytes JMP 0000000077c3082b
.text C:\Windows\system32\svchost.exe[2808] C:\Windows\system32\kernel32.dll!WinExec 00000000778fb4f0 7 bytes JMP 0000000077c310ef
.text C:\Windows\system32\svchost.exe[2808] C:\Windows\system32\KERNELBASE.dll!CloseHandle 000007fefda41860 12 bytes {JMP QWORD [RIP+0x0]}
.text C:\Windows\system32\svchost.exe[2808] C:\Windows\system32\KERNELBASE.dll!CloseHandle + 13 000007fefda4186d 6 bytes [00, CC, CC, CC, CC, CC]
.text C:\Windows\system32\svchost.exe[2808] C:\Windows\system32\KERNELBASE.dll!GetProcAddress 000007fefda43370 15 bytes {JMP QWORD [RIP+0x0]}
.text C:\Windows\system32\svchost.exe[2808] C:\Windows\system32\KERNELBASE.dll!QueueUserAPC 000007fefda43d90 16 bytes {JMP QWORD [RIP+0x0]}
.text C:\Windows\system32\svchost.exe[2808] C:\Windows\system32\KERNELBASE.dll!CreateFileW 000007fefda45fe0 20 bytes {JMP QWORD [RIP+0x0]}
.text C:\Windows\system32\svchost.exe[2808] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThreadEx + 1 000007fefda4acb1 18 bytes {JMP QWORD [RIP+0x0]}
.text C:\Windows\system32\svchost.exe[2808] C:\Windows\system32\KERNELBASE.dll!SetEnvironmentVariableW + 1 000007fefda4ee41 17 bytes {JMP QWORD [RIP+0x0]}
.text C:\Windows\system32\svchost.exe[2808] C:\Windows\system32\KERNELBASE.dll!OpenThread 000007fefda4ef50 12 bytes {JMP QWORD [RIP+0x0]}
.text C:\Windows\system32\svchost.exe[2808] C:\Windows\system32\KERNELBASE.dll!OpenThread + 14 000007fefda4ef5e 1 byte INT3
.text C:\Windows\system32\svchost.exe[2808] C:\Windows\system32\KERNELBASE.dll!DeleteFileW 000007fefda53290 4 bytes [FF, 25, 00, 00]
.text C:\Windows\system32\svchost.exe[2808] C:\Windows\system32\KERNELBASE.dll!DeleteFileW + 6 000007fefda53296 11 bytes [F8, 07, C3, 77, 00, 00, 00, ...]
.text C:\Windows\system32\svchost.exe[2808] C:\Windows\system32\KERNELBASE.dll!GetVolumeInformationW 000007fefda53640 18 bytes {JMP QWORD [RIP+0x0]}
.text C:\Windows\system32\svchost.exe[2808] C:\Windows\system32\KERNELBASE.dll!GetLogicalProcessorInformationEx 000007fefda55770 17 bytes {JMP QWORD [RIP+0x0]}
.text C:\Windows\system32\svchost.exe[2808] C:\Windows\system32\KERNELBASE.dll!CreateNamedPipeW 000007fefda57310 10 bytes {JMP QWORD [RIP+0x0]}
.text C:\Windows\system32\svchost.exe[2808] C:\Windows\system32\KERNELBASE.dll!CreateNamedPipeW + 12 000007fefda5731c 3 bytes [00, 00, CC]
.text C:\Windows\system32\svchost.exe[2808] C:\Windows\system32\KERNELBASE.dll!GetSystemInfo + 1 000007fefda5a661 16 bytes {JMP QWORD [RIP+0x0]}
.text C:\Windows\system32\svchost.exe[2808] C:\Windows\system32\KERNELBASE.dll!SetEnvironmentVariableA + 1 000007fefda73231 16 bytes {JMP QWORD [RIP+0x0]}
.text C:\Windows\system32\svchost.exe[2808] C:\Windows\system32\KERNELBASE.dll!TerminateProcess 000007fefda73550 15 bytes {JMP QWORD [RIP+0x0]}
.text C:\Windows\system32\svchost.exe[2808] C:\Windows\system32\KERNELBASE.dll!GetLogicalProcessorInformation 000007fefda73670 16 bytes {JMP QWORD [RIP+0x0]}
.text C:\Windows\system32\svchost.exe[2808] C:\Windows\system32\KERNELBASE.dll!CreateFileA 000007fefda7afe0 15 bytes {JMP QWORD [RIP+0x0]}
.text C:\Windows\system32\svchost.exe[2808] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW 000007fefda7ff00 19 bytes {JMP QWORD [RIP+0x0]}
.text C:\Windows\system32\svchost.exe[2808] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread 000007fefda822c0 10 bytes {JMP QWORD [RIP+0x0]}
.text C:\Windows\system32\svchost.exe[2808] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 12 000007fefda822cc 5 bytes [00, 00, CC, CC, CC]
.text C:\Windows\system32\svchost.exe[2808] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW 000007fefebd6488 15 bytes {JMP QWORD [RIP+0x0]}
.text C:\Windows\system32\svchost.exe[2808] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle 000007fefebd651c 15 bytes {JMP QWORD [RIP+0x0]}
.text C:\Windows\system32\svchost.exe[2808] C:\Windows\SYSTEM32\sechost.dll!StartServiceW 000007fefebd6828 15 bytes {JMP QWORD [RIP+0x0]}
.text C:\Windows\system32\svchost.exe[2808] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA 000007fefebd6c38 14 bytes {JMP QWORD [RIP+0x0]}
.text C:\Windows\system32\svchost.exe[2808] C:\Windows\SYSTEM32\sechost.dll!StartServiceA 000007fefebd6d04 15 bytes {JMP QWORD [RIP+0x0]}
.text C:\Windows\system32\svchost.exe[2808] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefebd75ec 15 bytes {JMP QWORD [RIP+0x0]}
.text C:\Windows\system32\svchost.exe[2808] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefebd7910 15 bytes {JMP QWORD [RIP+0x0]}
.text C:\Windows\system32\svchost.exe[2808] C:\Windows\system32\RPCRT4.dll!RpcBindingSetObject 000007fefe13e4b0 17 bytes {JMP QWORD [RIP+0x0]}
.text C:\Windows\system32\svchost.exe[2808] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefe756d10 11 bytes JMP 000007fefec2075f
.text C:\Windows\system32\svchost.exe[2808] C:\Windows\system32\ole32.dll!CoGetClassObject 000007fefe7624f8 5 bytes JMP 000007fefec20792
.text C:\Windows\system32\svchost.exe[2808] C:\Windows\system32\ole32.dll!CoGetObject 000007fefe893900 5 bytes JMP 000007fefec207c5
.text C:\Windows\system32\svchost.exe[2808] C:\Windows\system32\GDI32.dll!CreateCompatibleDC 000007fefedb1c64 5 bytes JMP 000007fefec206c6
.text C:\Windows\system32\svchost.exe[2808] C:\Windows\system32\GDI32.dll!CreateBitmap 000007fefedb1f30 6 bytes JMP 000007fefec20660
.text C:\Windows\system32\svchost.exe[2808] C:\Windows\system32\GDI32.dll!BitBlt 000007fefedb24c0 5 bytes JMP 000007fefec2062d
.text C:\Windows\system32\svchost.exe[2808] C:\Windows\system32\GDI32.dll!CreateCompatibleBitmap 000007fefedb2d20 5 bytes JMP 000007fefec20693
.text C:\Windows\system32\svchost.exe[2808] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefedb8328 9 bytes JMP 000007fefec2072c
.text C:\Windows\system32\svchost.exe[2808] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefedb8960 9 bytes JMP 000007fefec206f9
.text C:\Windows\system32\svchost.exe[2808] C:\Windows\system32\ADVAPI32.dll!CryptGenKey 000007fefeaf1980 5 bytes JMP 000007fefec20363
.text C:\Windows\system32\svchost.exe[2808] C:\Windows\system32\ADVAPI32.dll!CryptExportKey 000007fefeafac20 9 bytes JMP 000007fefec20330
.text C:\Windows\system32\svchost.exe[2808] C:\Windows\system32\ADVAPI32.dll!CryptAcquireContextA 000007fefeafac7c 8 bytes JMP 000007fefec20231
.text C:\Windows\system32\svchost.exe[2808] C:\Windows\system32\ADVAPI32.dll!CryptImportKey 000007fefeafe414 9 bytes JMP 000007fefec203fc
.text C:\Windows\system32\svchost.exe[2808] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserW 000007fefeafe47c 7 bytes JMP 000007fefec200cc
.text C:\Windows\system32\svchost.exe[2808] C:\Windows\system32\ADVAPI32.dll!OpenServiceW 000007fefeafe514 5 bytes JMP 000007fefec205c7
.text C:\Windows\system32\svchost.exe[2808] C:\Windows\system32\ADVAPI32.dll!CryptAcquireContextW 000007fefeb001bc 8 bytes JMP 000007fefec20264
.text C:\Windows\system32\svchost.exe[2808] C:\Windows\system32\ADVAPI32.dll!CryptHashData 000007fefeb0025c 5 bytes JMP 000007fefec203c9
.text C:\Windows\system32\svchost.exe[2808] C:\Windows\system32\ADVAPI32.dll!CryptCreateHash 000007fefeb00290 9 bytes JMP 000007fefec20297
.text C:\Windows\system32\svchost.exe[2808] C:\Windows\system32\ADVAPI32.dll!CryptGetHashParam 000007fefeb002bc 8 bytes JMP 000007fefec20396
.text C:\Windows\system32\svchost.exe[2808] C:\Windows\system32\ADVAPI32.dll!OpenServiceA 000007fefeb09d6c 5 bytes JMP 000007fefec20594
.text C:\Windows\system32\svchost.exe[2808] C:\Windows\system32\ADVAPI32.dll!CloseServiceHandle 000007fefeb0a830 14 bytes {JMP QWORD [RIP+0x0]}
.text C:\Windows\system32\svchost.exe[2808] C:\Windows\system32\ADVAPI32.dll!CreateServiceW 000007fefeb149b0 7 bytes JMP 000007fefec20198
.text C:\Windows\system32\svchost.exe[2808] C:\Windows\system32\ADVAPI32.dll!ControlService 000007fefeb14a50 5 bytes JMP 000007fefec20000
.text C:\Windows\system32\svchost.exe[2808] C:\Windows\system32\ADVAPI32.dll!CryptEncrypt 000007fefeb2a408 11 bytes JMP 000007fefec202fd
.text C:\Windows\system32\svchost.exe[2808] C:\Windows\system32\ADVAPI32.dll!CryptDeriveKey 000007fefeb2a454 9 bytes JMP 000007fefec202ca
.text C:\Windows\system32\svchost.exe[2808] C:\Windows\system32\ADVAPI32.dll!CreateServiceA 000007fefeb2a490 7 bytes JMP 000007fefec20165
.text C:\Windows\system32\svchost.exe[2808] C:\Windows\system32\ADVAPI32.dll!ControlServiceExW + 1 000007fefeb2a5e9 4 bytes {JMP 0xf5a7e}
.text C:\Windows\system32\svchost.exe[2808] C:\Windows\system32\ADVAPI32.dll!ControlServiceExA + 1 000007fefeb2a5f5 4 bytes {JMP 0xf5a3f}
.text C:\Windows\system32\svchost.exe[2808] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigW 000007fefeb2a600 12 bytes {JMP QWORD [RIP+0x0]}
.text C:\Windows\system32\svchost.exe[2808] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigW + 14 000007fefeb2a60e 1 byte INT3
.text C:\Windows\system32\svchost.exe[2808] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigA 000007fefeb2a66c 12 bytes {JMP QWORD [RIP+0x0]}
.text C:\Windows\system32\svchost.exe[2808] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigA + 14 000007fefeb2a67a 1 byte INT3
.text C:\Windows\system32\svchost.exe[2808] C:\Windows\system32\ADVAPI32.dll!LsaQueryTrustedDomainInfoByName 000007fefeb39490 7 bytes JMP 000007fefec20561
.text C:\Windows\system32\svchost.exe[2808] C:\Windows\system32\ADVAPI32.dll!LsaQueryTrustedDomainInfo 000007fefeb39640 5 bytes JMP 000007fefec2052e
.text C:\Windows\system32\svchost.exe[2808] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007fefeb3a8d0 7 bytes JMP 000007fefec20099
.text C:\Windows\system32\svchost.exe[2808] C:\Windows\system32\ADVAPI32.dll!FlushEfsCache 000007fefeb51380 6 bytes JMP 000007fefec20462
.text C:\Windows\system32\svchost.exe[2808] C:\Windows\system32\ADVAPI32.dll!SetUserFileEncryptionKey 000007fefeb51650 6 bytes JMP 000007fefec205fa
.text C:\Windows\system32\svchost.exe[2808] C:\Windows\system32\ADVAPI32.dll!EncryptFileW 000007fefeb51c00 6 bytes JMP 000007fefec2042f
.text C:\Windows\system32\svchost.exe[2808] C:\Windows\system32\ADVAPI32.dll!InitiateShutdownW 000007fefeb53690 7 bytes JMP 000007fefec20495
.text C:\Windows\system32\svchost.exe[2808] C:\Windows\system32\ADVAPI32.dll!InitiateSystemShutdownExW 000007fefeb53800 7 bytes JMP 000007fefec204c8
.text C:\Windows\system32\svchost.exe[2808] C:\Windows\system32\ADVAPI32.dll!InitiateSystemShutdownW 000007fefeb53920 7 bytes JMP 000007fefec204fb
.text C:\Windows\system32\svchost.exe[2808] C:\Windows\system32\ADVAPI32.dll!CredEnumerateW 000007fefeb5def0 7 bytes JMP 000007fefec201fe
.text C:\Windows\system32\svchost.exe[2808] C:\Windows\system32\ADVAPI32.dll!CredEnumerateA 000007fefeb5e020 7 bytes JMP 000007fefec201cb
.text C:\Windows\system32\svchost.exe[2808] C:\Windows\system32\ADVAPI32.dll!CreateProcessWithTokenW 000007fefeb60f10 7 bytes JMP 000007fefec20132
.text C:\Windows\system32\svchost.exe[2808] C:\Windows\system32\ADVAPI32.dll!CreateProcessWithLogonW 000007fefeb60f80 7 bytes JMP 000007fefec200ff
.text C:\Windows\system32\svchost.exe[2808] C:\Windows\system32\WS2_32.dll!WSASend 000007fefe9e13b0 5 bytes JMP 000007fefec2092a
.text C:\Windows\system32\svchost.exe[2808] C:\Windows\system32\WS2_32.dll!closesocket 000007fefe9e18e0 5 bytes JMP 000007fefec209c3
.text C:\Windows\system32\svchost.exe[2808] C:\Windows\system32\WS2_32.dll!WSASocketW 000007fefe9e1bd0 5 bytes JMP 000007fefec20990
.text C:\Windows\system32\svchost.exe[2808] C:\Windows\system32\WS2_32.dll!WSASocketA 000007fefe9e2010 11 bytes JMP 000007fefec2095d
.text C:\Windows\system32\svchost.exe[2808] C:\Windows\system32\WS2_32.dll!GetAddrInfoW 000007fefe9e23c0 5 bytes JMP 000007fefec20891
.text C:\Windows\system32\svchost.exe[2808] C:\Windows\system32\WS2_32.dll!connect 000007fefe9e45c0 5 bytes JMP 000007fefec209f6
.text C:\Windows\system32\svchost.exe[2808] C:\Windows\system32\WS2_32.dll!send 000007fefe9e8000 5 bytes JMP 000007fefec20a5c
.text C:\Windows\system32\svchost.exe[2808] C:\Windows\system32\WS2_32.dll!gethostbyname 000007fefe9e8df0 9 bytes JMP 000007fefec20a29
.text C:\Windows\system32\svchost.exe[2808] C:\Windows\system32\WS2_32.dll!GetAddrInfoExW 000007fefe9ec090 5 bytes JMP 000007fefec2085e
.text C:\Windows\system32\svchost.exe[2808] C:\Windows\system32\WS2_32.dll!WSAIoctl 000007fefe9ed620 5 bytes JMP 000007fefec208f7
.text C:\Windows\system32\svchost.exe[2808] C:\Windows\system32\WS2_32.dll!sendto 000007fefe9ed7f0 7 bytes JMP 000007fefec20a8f
.text C:\Windows\system32\svchost.exe[2808] C:\Windows\system32\WS2_32.dll!socket 000007fefe9ede90 5 bytes JMP 000007fefec20ac2
.text C:\Windows\system32\svchost.exe[2808] C:\Windows\system32\WS2_32.dll!WSAConnect 000007fefea0e0f0 7 bytes JMP 000007fefec208c4
.text C:\Windows\system32\svchost.exe[2808] c:\windows\system32\DNSAPI.dll!DnsQuery_UTF8 000007fefcae5738 7 bytes JMP 000007fefec20b28
.text C:\Windows\system32\svchost.exe[2808] c:\windows\system32\DNSAPI.dll!DnsQuery_W 000007fefcaf01b0 7 bytes JMP 000007fefec20b5b
.text C:\Windows\system32\svchost.exe[2808] c:\windows\system32\DNSAPI.dll!DnsQuery_A 000007fefcb0db10 7 bytes JMP 000007fefec20af5
.text C:\Windows\system32\svchost.exe[2808] C:\Windows\system32\USERENV.dll!GetUserProfileDirectoryW 000007fefdba1c00 10 bytes JMP 000007fefec20c5a
.text C:\Windows\system32\svchost.exe[2808] C:\Windows\system32\USERENV.dll!GetProfilesDirectoryW 000007fefdbae610 5 bytes JMP 000007fefec20bf4
.text C:\Windows\system32\svchost.exe[2808] C:\Windows\system32\USERENV.dll!GetProfilesDirectoryA 000007fefdbae9d0 7 bytes JMP 000007fefec20bc1
.text C:\Windows\system32\svchost.exe[2808] C:\Windows\system32\USERENV.dll!GetUserProfileDirectoryA 000007fefdbafc50 7 bytes JMP 000007fefec20c27
.text C:\Windows\system32\svchost.exe[2808] C:\Windows\system32\iphlpapi.dll!GetAdaptersAddresses 000007fefa2b2aa4 5 bytes JMP 000007fefec20d26
.text C:\Windows\system32\svchost.exe[2808] C:\Windows\system32\iphlpapi.dll!GetAdaptersInfo 000007fefa2b792c 5 bytes JMP 000007fefec20d59
.text C:\Windows\system32\svchost.exe[2808] C:\Windows\system32\iphlpapi.dll!ResolveIpNetEntry2 000007fefa2b8d44 7 bytes JMP 000007fefec20df2
.text C:\Windows\system32\svchost.exe[2808] C:\Windows\system32\iphlpapi.dll!GetIpNetTable 000007fefa2be51c 7 bytes JMP 000007fefec20d8c
.text C:\Windows\system32\svchost.exe[2808] C:\Windows\system32\iphlpapi.dll!SendARP 000007fefa2bf354 5 bytes JMP 000007fefec20e25
.text C:\Windows\system32\svchost.exe[2808] C:\Windows\system32\iphlpapi.dll!GetIpNetTable2 000007fefa2c8520 6 bytes JMP 000007fefec20dbf
.text C:\Windows\system32\svchost.exe[2808] C:\Windows\system32\SspiCli.dll!GetUserNameExW 000007fefd591118 7 bytes JMP 000007fefec20f24
.text C:\Windows\system32\svchost.exe[2808] C:\Windows\system32\SspiCli.dll!GetUserNameExA 000007fefd591640 7 bytes JMP 000007fefec20ef1
.text C:\Windows\system32\svchost.exe[2808] C:\Windows\system32\SspiCli.dll!LsaCallAuthenticationPackage 000007fefd5955b8 5 bytes JMP 000007fefec20f57
.text C:\Windows\system32\svchost.exe[2808] C:\Windows\system32\SspiCli.dll!EnumerateSecurityPackagesW 000007fefd597358 5 bytes JMP 000007fefec20ebe
.text C:\Windows\system32\svchost.exe[2808] C:\Windows\system32\SspiCli.dll!EnumerateSecurityPackagesA 000007fefd5a57c0 5 bytes JMP 000007fefec20e8b
.text C:\Windows\system32\svchost.exe[2808] C:\Windows\system32\CRYPT32.dll!CertAddEncodedCertificateToStore 000007fefd828f08 7 bytes JMP 000007fefec20ff0
.text C:\Windows\system32\svchost.exe[2808] C:\Windows\system32\CRYPT32.dll!CertAddCRLContextToStore 000007fefd84cd00 5 bytes JMP 000007fefec20fbd
.text C:\Windows\system32\svchost.exe[2808] C:\Windows\system32\CRYPT32.dll!CertCreateSelfSignCertificate 000007fefd8764fc 5 bytes JMP 000007fefec21023
.text C:\Windows\system32\svchost.exe[2808] C:\Windows\system32\SAMLIB.dll!SamSetInformationUser 000007fef5825a34 6 bytes JMP 000007fefec21089
.text C:\Windows\system32\svchost.exe[2808] C:\Windows\system32\SAMLIB.dll!SamiChangePasswordUser 000007fef582639c 6 bytes JMP 000007fefec210bc
.text C:\Windows\system32\svchost.exe[2808] C:\Windows\system32\CRYPTSP.dll!CryptAcquireContextW 000007fefccc3b98 7 bytes JMP 000007fefec21155
.text C:\Windows\system32\svchost.exe[2808] C:\Windows\system32\CRYPTSP.dll!CryptAcquireContextA 000007fefccc3ca8 5 bytes JMP 000007fefec21122
.text C:\Windows\system32\svchost.exe[2808] C:\Windows\system32\CRYPTSP.dll!CryptExportKey 000007fefccc55ac 7 bytes JMP 000007fefec211bb
.text C:\Windows\system32\svchost.exe[2808] C:\Windows\system32\CRYPTSP.dll!CryptImportKey 000007fefccc56fc 7 bytes JMP 000007fefec21254
.text C:\Windows\system32\svchost.exe[2808] C:\Windows\system32\CRYPTSP.dll!CryptCreateHash 000007fefccc5be4 7 bytes JMP 000007fefec21188
.text C:\Windows\system32\svchost.exe[2808] C:\Windows\system32\CRYPTSP.dll!CryptHashData 000007fefccc5f80 7 bytes JMP 000007fefec21221
.text C:\Windows\system32\svchost.exe[2808] C:\Windows\system32\CRYPTSP.dll!CryptGetHashParam 000007fefccc698c 7 bytes JMP 000007fefec211ee
.text C:\Windows\system32\svchost.exe[2808] c:\windows\system32\WINHTTP.dll!WinHttpOpen 000007fef0d93428 5 bytes JMP 000007fefec212ba
.text C:\Windows\system32\svchost.exe[2808] C:\Windows\system32\psapi.dll!EnumDeviceDrivers 00000000006c1134 5 bytes JMP 0000000077c31daf
.text C:\Program Files\NVIDIA Corporation\Display.NvContainer\NVDisplay.Container.exe[2888] C:\Windows\system32\kernel32.dll!RegSetValueExW 000000007786a3e0 7 bytes JMP 000000006fff0228
.text C:\Program Files\NVIDIA Corporation\Display.NvContainer\NVDisplay.Container.exe[2888] C:\Windows\system32\kernel32.dll!RegQueryValueExW 0000000077873ef0 5 bytes JMP 000000006fff0180
.text C:\Program Files\NVIDIA Corporation\Display.NvContainer\NVDisplay.Container.exe[2888] C:\Windows\system32\kernel32.dll!RegDeleteValueW 000000007788fff0 5 bytes JMP 000000006fff01b8
.text C:\Program Files\NVIDIA Corporation\Display.NvContainer\NVDisplay.Container.exe[2888] C:\Windows\system32\kernel32.dll!K32GetMappedFileNameW 000000007789f3e0 5 bytes JMP 000000006fff0110
.text C:\Program Files\NVIDIA Corporation\Display.NvContainer\NVDisplay.Container.exe[2888] C:\Windows\system32\kernel32.dll!K32EnumProcessModulesEx 00000000778c9c70 7 bytes JMP 000000006fff00d8
.text C:\Program Files\NVIDIA Corporation\Display.NvContainer\NVDisplay.Container.exe[2888] C:\Windows\system32\kernel32.dll!K32GetModuleInformation 00000000778d9700 5 bytes JMP 000000006fff0148
.text C:\Program Files\NVIDIA Corporation\Display.NvContainer\NVDisplay.Container.exe[2888] C:\Windows\system32\kernel32.dll!RegSetValueExA 00000000778f8aa0 7 bytes JMP 000000006fff01f0
.text C:\Program Files\NVIDIA Corporation\Display.NvContainer\NVDisplay.Container.exe[2888] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleW 000007fefda432f0 7 bytes JMP 000007fefda300d8
.text C:\Program Files\NVIDIA Corporation\Display.NvContainer\NVDisplay.Container.exe[2888] C:\Windows\system32\KERNELBASE.dll!FreeLibrary 000007fefda4aa60 5 bytes JMP 000007fefda30180
.text C:\Program Files\NVIDIA Corporation\Display.NvContainer\NVDisplay.Container.exe[2888] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleExW 000007fefda4ac00 5 bytes JMP 000007fefda30110
.text C:\Program Files\NVIDIA Corporation\Display.NvContainer\NVDisplay.Container.exe[2888] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefda59ac0 5 bytes JMP 000007fefda30148
.text C:\Program Files\NVIDIA Corporation\Display.NvContainer\NVDisplay.Container.exe[2888] C:\Windows\system32\GDI32.dll!D3DKMTQueryAdapterInfo 000007fefedb8980 8 bytes JMP 000007fefda301f0
.text C:\Program Files\NVIDIA Corporation\Display.NvContainer\NVDisplay.Container.exe[2888] C:\Windows\system32\GDI32.dll!D3DKMTGetDisplayModeList 000007fefedbbdf0 8 bytes JMP 000007fefda301b8
.text C:\Program Files\NVIDIA Corporation\Display.NvContainer\NVDisplay.Container.exe[2888] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefe756d10 11 bytes JMP 000007fefda30228
.text C:\Program Files\NVIDIA Corporation\Display.NvContainer\NVDisplay.Container.exe[2888] C:\Windows\system32\ole32.dll!CoSetProxyBlanket 000007fefe76b4f0 7 bytes JMP 000007fefda30260
.text C:\Windows\System32\spoolsv.exe[3048] C:\Windows\SYSTEM32\ntdll.dll!NtWriteFile 0000000077acbbb0 8 bytes JMP 0000000077c30ef1
.text C:\Windows\System32\spoolsv.exe[3048] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 0000000077acbc00 8 bytes JMP 0000000077c30b28
.text C:\Windows\System32\spoolsv.exe[3048] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077acbc20 8 bytes JMP 0000000077c302ca
.text C:\Windows\System32\spoolsv.exe[3048] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 0000000077acbcc0 8 bytes JMP 0000000077c30e58
.text C:\Windows\System32\spoolsv.exe[3048] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077acbd90 8 bytes JMP 0000000077c304fb
.text C:\Windows\System32\spoolsv.exe[3048] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000077acbdb0 8 bytes JMP 0000000077c30660
.text C:\Windows\System32\spoolsv.exe[3048] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 0000000077acbdd0 8 bytes JMP 0000000077c30c5a
.text C:\Windows\System32\spoolsv.exe[3048] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077acbdf0 8 bytes JMP 0000000077c30000
.text C:\Windows\System32\spoolsv.exe[3048] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077acbed0 8 bytes JMP 0000000077c30462
.text C:\Windows\System32\spoolsv.exe[3048] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077acbef0 8 bytes JMP 0000000077c30561
.text C:\Windows\System32\spoolsv.exe[3048] C:\Windows\SYSTEM32\ntdll.dll!NtReadVirtualMemory 0000000077acbf20 8 bytes JMP 0000000077c30990
.text C:\Windows\System32\spoolsv.exe[3048] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077acbf40 8 bytes JMP 0000000077c30066
.text C:\Windows\System32\spoolsv.exe[3048] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077acbf80 8 bytes JMP 0000000077c305c7
.text C:\Windows\System32\spoolsv.exe[3048] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077acbfd0 8 bytes JMP 0000000077c30f24
.text C:\Windows\System32\spoolsv.exe[3048] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 0000000077acc000 8 bytes JMP 0000000077c30330
.text C:\Windows\System32\spoolsv.exe[3048] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077acc010 8 bytes JMP 0000000077c303fc
.text C:\Windows\System32\spoolsv.exe[3048] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000077acc050 8 bytes JMP 0000000077c30cc0
.text C:\Windows\System32\spoolsv.exe[3048] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077acc270 8 bytes JMP 0000000077c30b5b
.text C:\Windows\System32\spoolsv.exe[3048] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000077acc280 8 bytes JMP 0000000077c30b8e
.text C:\Windows\System32\spoolsv.exe[3048] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077acc380 8 bytes JMP 0000000077c30bc1
.text C:\Windows\System32\spoolsv.exe[3048] C:\Windows\SYSTEM32\ntdll.dll!NtCommitTransaction 0000000077acc400 8 bytes JMP 0000000077c30f8a
.text C:\Windows\System32\spoolsv.exe[3048] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077acc500 8 bytes JMP 0000000077c30ff0
.text C:\Windows\System32\spoolsv.exe[3048] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 0000000077acc550 8 bytes JMP 0000000077c302fd
.text C:\Windows\System32\spoolsv.exe[3048] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077acc5a0 8 bytes JMP 0000000077c31056
.text C:\Windows\System32\spoolsv.exe[3048] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077acc5b0 8 bytes JMP 0000000077c3042f
.text C:\Windows\System32\spoolsv.exe[3048] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTransaction 0000000077acc5e0 8 bytes JMP 0000000077c30e8b
.text C:\Windows\System32\spoolsv.exe[3048] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 0000000077acc600 8 bytes JMP 0000000077c30363
.text C:\Windows\System32\spoolsv.exe[3048] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077acc920 8 bytes JMP 0000000077c31023
.text C:\Windows\System32\spoolsv.exe[3048] C:\Windows\SYSTEM32\ntdll.dll!NtQuerySystemEnvironmentValueEx 0000000077acce10 8 bytes JMP 0000000077c30c27
.text C:\Windows\System32\spoolsv.exe[3048] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError 0000000077acce60 8 bytes JMP 0000000077c301cb
.text C:\Windows\System32\spoolsv.exe[3048] C:\Windows\SYSTEM32\ntdll.dll!NtRollbackTransaction 0000000077accfd0 8 bytes JMP 0000000077c30f57
.text C:\Windows\System32\spoolsv.exe[3048] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077acd060 8 bytes JMP 0000000077c305fa
.text C:\Windows\System32\spoolsv.exe[3048] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationTransaction 0000000077acd150 8 bytes JMP 0000000077c30fbd
.text C:\Windows\System32\spoolsv.exe[3048] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemEnvironmentValueEx 0000000077acd210 8 bytes JMP 0000000077c30bf4
.text C:\Windows\System32\spoolsv.exe[3048] C:\Windows\SYSTEM32\ntdll.dll!RtlImageNtHeaderEx 0000000077ad1fd0 5 bytes JMP 0000000077c30033
.text C:\Windows\System32\spoolsv.exe[3048] C:\Windows\SYSTEM32\ntdll.dll!RtlWow64SetThreadContext 0000000077b26b30 5 bytes JMP 0000000077c30c8d
.text C:\Windows\System32\spoolsv.exe[3048] C:\Windows\SYSTEM32\ntdll.dll!RtlWow64SetThreadContext + 6 0000000077b26b36 3 bytes [CC, CC, CC]
.text C:\Windows\System32\spoolsv.exe[3048] C:\Windows\SYSTEM32\ntdll.dll!RtlReportException 0000000077b3e210 5 bytes JMP 0000000077c301fe
.text C:\Windows\System32\spoolsv.exe[3048] C:\Windows\system32\kernel32.dll!Process32NextW 0000000077861b20 7 bytes JMP 0000000077c30297
.text C:\Windows\System32\spoolsv.exe[3048] C:\Windows\system32\kernel32.dll!CreateToolhelp32Snapshot 0000000077861c10 7 bytes JMP 0000000077c3062d
.text C:\Windows\System32\spoolsv.exe[3048] C:\Windows\system32\kernel32.dll!MoveFileExW 0000000077862b60 13 bytes JMP 0000000077c3075f
.text C:\Windows\System32\spoolsv.exe[3048] C:\Windows\system32\kernel32.dll!K32EnumDeviceDrivers 0000000077869a60 5 bytes JMP 0000000077c30dbf
.text C:\Windows\System32\spoolsv.exe[3048] C:\Windows\system32\kernel32.dll!GetNativeSystemInfo 000000007786ac80 6 bytes JMP 0000000077c30cf3
.text C:\Windows\System32\spoolsv.exe[3048] C:\Windows\system32\kernel32.dll!PeekConsoleInputW 000000007786c400 9 bytes JMP 0000000077c30198
.text C:\Windows\System32\spoolsv.exe[3048] C:\Windows\system32\kernel32.dll!LoadLibraryW 0000000077876410 5 bytes JMP 0000000077c308f7
.text C:\Windows\System32\spoolsv.exe[3048] C:\Windows\system32\kernel32.dll!LoadLibraryA 0000000077876500 5 bytes JMP 0000000077c308c4
.text C:\Windows\System32\spoolsv.exe[3048] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007787dbf0 5 bytes JMP 0000000077c304c8
.text C:\Windows\System32\spoolsv.exe[3048] C:\Windows\system32\kernel32.dll!CreateProcessW 00000000778805e0 12 bytes JMP 0000000077c3085e
.text C:\Windows\System32\spoolsv.exe[3048] C:\Windows\system32\kernel32.dll!GenerateConsoleCtrlEvent 00000000778a0e70 4 bytes JMP 0000000077c3095d
.text C:\Windows\System32\spoolsv.exe[3048] C:\Windows\system32\kernel32.dll!GenerateConsoleCtrlEvent + 5 00000000778a0e75 2 bytes [CC, CC]
.text C:\Windows\System32\spoolsv.exe[3048] C:\Windows\system32\kernel32.dll!K32EnumProcessModules 00000000778b4410 12 bytes JMP 0000000077c30a8f
.text C:\Windows\System32\spoolsv.exe[3048] C:\Windows\system32\kernel32.dll!ReadConsoleInputW 00000000778b5460 6 bytes JMP 0000000077c30132
.text C:\Windows\System32\spoolsv.exe[3048] C:\Windows\system32\kernel32.dll!ReadConsoleInputA 00000000778b5480 6 bytes JMP 0000000077c300ff
.text C:\Windows\System32\spoolsv.exe[3048] C:\Windows\system32\kernel32.dll!PeekConsoleInputA 00000000778b54a0 9 bytes JMP 0000000077c30165
.text C:\Windows\System32\spoolsv.exe[3048] C:\Windows\system32\kernel32.dll!GetVolumeInformationA 00000000778c1df0 7 bytes JMP 0000000077c30df2
.text C:\Windows\System32\spoolsv.exe[3048] C:\Windows\system32\kernel32.dll!CreateNamedPipeA 00000000778c2dd0 5 bytes JMP 0000000077c31089
.text C:\Windows\System32\spoolsv.exe[3048] C:\Windows\system32\kernel32.dll!DefineDosDeviceA 00000000778c5ae0 5 bytes JMP 0000000077c306c6
.text C:\Windows\System32\spoolsv.exe[3048] C:\Windows\system32\kernel32.dll!K32EnumProcessModulesEx 00000000778c9c70 7 bytes JMP 0000000077c30ac2
.text C:\Windows\System32\spoolsv.exe[3048] C:\Windows\system32\kernel32.dll!ReadConsoleW 00000000778ca820 5 bytes JMP 0000000077c300cc
.text C:\Windows\System32\spoolsv.exe[3048] C:\Windows\system32\kernel32.dll!ReadConsoleA 00000000778ca930 5 bytes JMP 0000000077c30099
.text C:\Windows\System32\spoolsv.exe[3048] C:\Windows\system32\kernel32.dll!CreateFileTransactedW 00000000778d5a60 7 bytes JMP 0000000077c30ebe
.text C:\Windows\System32\spoolsv.exe[3048] C:\Windows\system32\kernel32.dll!K32GetModuleInformation 00000000778d9700 5 bytes JMP 0000000077c30a5c
.text C:\Windows\System32\spoolsv.exe[3048] C:\Windows\system32\kernel32.dll!K32GetModuleBaseNameW 00000000778d97a0 5 bytes JMP 0000000077c309f6
.text C:\Windows\System32\spoolsv.exe[3048] C:\Windows\system32\kernel32.dll!K32GetModuleFileNameExW 00000000778d9870 5 bytes JMP 0000000077c30a29
.text C:\Windows\System32\spoolsv.exe[3048] C:\Windows\system32\kernel32.dll!GetApplicationRestartSettings + 1 00000000778df641 4 bytes {JMP 0x3514b5}
.text C:\Windows\System32\spoolsv.exe[3048] C:\Windows\system32\kernel32.dll!GetApplicationRecoveryCallback 00000000778df650 7 bytes JMP 0000000077c309c3
.text C:\Windows\System32\spoolsv.exe[3048] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 00000000778ef6d0 8 bytes JMP 0000000077c307c5
.text C:\Windows\System32\spoolsv.exe[3048] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 00000000778ef8d0 8 bytes JMP 0000000077c30792
.text C:\Windows\System32\spoolsv.exe[3048] C:\Windows\system32\kernel32.dll!MoveFileExA 00000000778ef900 10 bytes JMP 0000000077c3072c
.text C:\Windows\System32\spoolsv.exe[3048] C:\Windows\system32\kernel32.dll!CreateProcessInternalA 00000000778fa2e0 7 bytes JMP 0000000077c30495
.text C:\Windows\System32\spoolsv.exe[3048] C:\Windows\system32\kernel32.dll!CreateProcessA 00000000778fafb0 7 bytes JMP 0000000077c3082b
.text C:\Windows\System32\spoolsv.exe[3048] C:\Windows\system32\kernel32.dll!WinExec 00000000778fb4f0 7 bytes JMP 0000000077c310ef
.text C:\Windows\System32\spoolsv.exe[3048] C:\Windows\system32\KERNELBASE.dll!CloseHandle 000007fefda41860 12 bytes {JMP QWORD [RIP+0x0]}
.text C:\Windows\System32\spoolsv.exe[3048] C:\Windows\system32\KERNELBASE.dll!CloseHandle + 13 000007fefda4186d 6 bytes [00, CC, CC, CC, CC, CC]
.text C:\Windows\System32\spoolsv.exe[3048] C:\Windows\system32\KERNELBASE.dll!GetProcAddress 000007fefda43370 15 bytes {JMP QWORD [RIP+0x0]}
.text C:\Windows\System32\spoolsv.exe[3048] C:\Windows\system32\KERNELBASE.dll!QueueUserAPC 000007fefda43d90 16 bytes {JMP QWORD [RIP+0x0]}
.text C:\Windows\System32\spoolsv.exe[3048] C:\Windows\system32\KERNELBASE.dll!CreateFileW 000007fefda45fe0 20 bytes {JMP QWORD [RIP+0x0]}
.text C:\Windows\System32\spoolsv.exe[3048] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThreadEx + 1 000007fefda4acb1 18 bytes {JMP QWORD [RIP+0x0]}
.text C:\Windows\System32\spoolsv.exe[3048] C:\Windows\system32\KERNELBASE.dll!SetEnvironmentVariableW + 1 000007fefda4ee41 17 bytes {JMP QWORD [RIP+0x0]}
.text C:\Windows\System32\spoolsv.exe[3048] C:\Windows\system32\KERNELBASE.dll!OpenThread 000007fefda4ef50 12 bytes {JMP QWORD [RIP+0x0]}
.text C:\Windows\System32\spoolsv.exe[3048] C:\Windows\system32\KERNELBASE.dll!OpenThread + 14 000007fefda4ef5e 1 byte INT3
.text C:\Windows\System32\spoolsv.exe[3048] C:\Windows\system32\KERNELBASE.dll!DeleteFileW 000007fefda53290 4 bytes [FF, 25, 00, 00]
.text C:\Windows\System32\spoolsv.exe[3048] C:\Windows\system32\KERNELBASE.dll!DeleteFileW + 6 000007fefda53296 11 bytes [F8, 07, C3, 77, 00, 00, 00, ...]
.text C:\Windows\System32\spoolsv.exe[3048] C:\Windows\system32\KERNELBASE.dll!GetVolumeInformationW 000007fefda53640 18 bytes {JMP QWORD [RIP+0x0]}
.text C:\Windows\System32\spoolsv.exe[3048] C:\Windows\system32\KERNELBASE.dll!GetLogicalProcessorInformationEx 000007fefda55770 17 bytes {JMP QWORD [RIP+0x0]}
.text C:\Windows\System32\spoolsv.exe[3048] C:\Windows\system32\KERNELBASE.dll!CreateNamedPipeW 000007fefda57310 10 bytes {JMP QWORD [RIP+0x0]}
.text C:\Windows\System32\spoolsv.exe[3048] C:\Windows\system32\KERNELBASE.dll!CreateNamedPipeW + 12 000007fefda5731c 3 bytes [00, 00, CC]
.text C:\Windows\System32\spoolsv.exe[3048] C:\Windows\system32\KERNELBASE.dll!GetSystemInfo + 1 000007fefda5a661 16 bytes {JMP QWORD [RIP+0x0]}
.text C:\Windows\System32\spoolsv.exe[3048] C:\Windows\system32\KERNELBASE.dll!SetEnvironmentVariableA + 1 000007fefda73231 16 bytes {JMP QWORD [RIP+0x0]}
.text C:\Windows\System32\spoolsv.exe[3048] C:\Windows\system32\KERNELBASE.dll!TerminateProcess 000007fefda73550 15 bytes {JMP QWORD [RIP+0x0]}
.text C:\Windows\System32\spoolsv.exe[3048] C:\Windows\system32\KERNELBASE.dll!GetLogicalProcessorInformation 000007fefda73670 16 bytes {JMP QWORD [RIP+0x0]}
.text C:\Windows\System32\spoolsv.exe[3048] C:\Windows\system32\KERNELBASE.dll!CreateFileA 000007fefda7afe0 15 bytes {JMP QWORD [RIP+0x0]}
.text C:\Windows\System32\spoolsv.exe[3048] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW 000007fefda7ff00 19 bytes {JMP QWORD [RIP+0x0]}
.text C:\Windows\System32\spoolsv.exe[3048] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread 000007fefda822c0 10 bytes {JMP QWORD [RIP+0x0]}
.text C:\Windows\System32\spoolsv.exe[3048] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 12 000007fefda822cc 5 bytes [00, 00, CC, CC, CC]
.text C:\Windows\System32\spoolsv.exe[3048] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW 000007fefebd6488 15 bytes {JMP QWORD [RIP+0x0]}
.text C:\Windows\System32\spoolsv.exe[3048] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle 000007fefebd651c 15 bytes {JMP QWORD [RIP+0x0]}
.text C:\Windows\System32\spoolsv.exe[3048] C:\Windows\SYSTEM32\sechost.dll!StartServiceW 000007fefebd6828 15 bytes {JMP QWORD [RIP+0x0]}
.text C:\Windows\System32\spoolsv.exe[3048] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA 000007fefebd6c38 14 bytes {JMP QWORD [RIP+0x0]}
.text C:\Windows\System32\spoolsv.exe[3048] C:\Windows\SYSTEM32\sechost.dll!StartServiceA 000007fefebd6d04 15 bytes {JMP QWORD [RIP+0x0]}
.text C:\Windows\System32\spoolsv.exe[3048] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefebd75ec 15 bytes {JMP QWORD [RIP+0x0]}
.text C:\Windows\System32\spoolsv.exe[3048] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefebd7910 15 bytes {JMP QWORD [RIP+0x0]}
.text C:\Windows\System32\spoolsv.exe[3048] C:\Windows\system32\RPCRT4.dll!RpcBindingSetObject 000007fefe13e4b0 17 bytes {JMP QWORD [RIP+0x0]}
.text C:\Windows\System32\spoolsv.exe[3048] C:\Windows\system32\ADVAPI32.dll!CryptGenKey 000007fefeaf1980 5 bytes JMP 000007fefebf0363
.text C:\Windows\System32\spoolsv.exe[3048] C:\Windows\system32\ADVAPI32.dll!CryptExportKey 000007fefeafac20 9 bytes JMP 000007fefebf0330
.text C:\Windows\System32\spoolsv.exe[3048] C:\Windows\system32\ADVAPI32.dll!CryptAcquireContextA 000007fefeafac7c 8 bytes JMP 000007fefebf0231
.text C:\Windows\System32\spoolsv.exe[3048] C:\Windows\system32\ADVAPI32.dll!CryptImportKey 000007fefeafe414 9 bytes JMP 000007fefebf03fc
.text C:\Windows\System32\spoolsv.exe[3048] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserW 000007fefeafe47c 7 bytes JMP 000007fefebf00cc
.text C:\Windows\System32\spoolsv.exe[3048] C:\Windows\system32\ADVAPI32.dll!OpenServiceW 000007fefeafe514 5 bytes JMP 000007fefebf05c7
.text C:\Windows\System32\spoolsv.exe[3048] C:\Windows\system32\ADVAPI32.dll!CryptAcquireContextW 000007fefeb001bc 8 bytes JMP 000007fefebf0264
.text C:\Windows\System32\spoolsv.exe[3048] C:\Windows\system32\ADVAPI32.dll!CryptHashData 000007fefeb0025c 5 bytes JMP 000007fefebf03c9
.text C:\Windows\System32\spoolsv.exe[3048] C:\Windows\system32\ADVAPI32.dll!CryptCreateHash 000007fefeb00290 9 bytes JMP 000007fefebf0297
.text C:\Windows\System32\spoolsv.exe[3048] C:\Windows\system32\ADVAPI32.dll!CryptGetHashParam 000007fefeb002bc 8 bytes JMP 000007fefebf0396
.text C:\Windows\System32\spoolsv.exe[3048] C:\Windows\system32\ADVAPI32.dll!OpenServiceA 000007fefeb09d6c 5 bytes JMP 000007fefebf0594
.text C:\Windows\System32\spoolsv.exe[3048] C:\Windows\system32\ADVAPI32.dll!CloseServiceHandle 000007fefeb0a830 14 bytes {JMP QWORD [RIP+0x0]}
.text C:\Windows\System32\spoolsv.exe[3048] C:\Windows\system32\ADVAPI32.dll!CreateServiceW 000007fefeb149b0 7 bytes JMP 000007fefebf0198
.text C:\Windows\System32\spoolsv.exe[3048] C:\Windows\system32\ADVAPI32.dll!ControlService 000007fefeb14a50 5 bytes JMP 000007fefebf0000
.text C:\Windows\System32\spoolsv.exe[3048] C:\Windows\system32\ADVAPI32.dll!CryptEncrypt 000007fefeb2a408 11 bytes JMP 000007fefebf02fd
.text C:\Windows\System32\spoolsv.exe[3048] C:\Windows\system32\ADVAPI32.dll!CryptDeriveKey 000007fefeb2a454 9 bytes JMP 000007fefebf02ca
.text C:\Windows\System32\spoolsv.exe[3048] C:\Windows\system32\ADVAPI32.dll!CreateServiceA 000007fefeb2a490 7 bytes JMP 000007fefebf0165
.text C:\Windows\System32\spoolsv.exe[3048] C:\Windows\system32\ADVAPI32.dll!ControlServiceExW + 1 000007fefeb2a5e9 4 bytes {JMP 0xc5a7e}
.text C:\Windows\System32\spoolsv.exe[3048] C:\Windows\system32\ADVAPI32.dll!ControlServiceExA + 1 000007fefeb2a5f5 4 bytes {JMP 0xc5a3f}
.text C:\Windows\System32\spoolsv.exe[3048] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigW 000007fefeb2a600 12 bytes {JMP QWORD [RIP+0x0]}
.text C:\Windows\System32\spoolsv.exe[3048] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigW + 14 000007fefeb2a60e 1 byte INT3
.text C:\Windows\System32\spoolsv.exe[3048] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigA 000007fefeb2a66c 12 bytes {JMP QWORD [RIP+0x0]}
.text C:\Windows\System32\spoolsv.exe[3048] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigA + 14 000007fefeb2a67a 1 byte INT3
.text C:\Windows\System32\spoolsv.exe[3048] C:\Windows\system32\ADVAPI32.dll!LsaQueryTrustedDomainInfoByName 000007fefeb39490 7 bytes JMP 000007fefebf0561
.text C:\Windows\System32\spoolsv.exe[3048] C:\Windows\system32\ADVAPI32.dll!LsaQueryTrustedDomainInfo 000007fefeb39640 5 bytes JMP 000007fefebf052e
.text C:\Windows\System32\spoolsv.exe[3048] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007fefeb3a8d0 7 bytes JMP 000007fefebf0099
.text C:\Windows\System32\spoolsv.exe[3048] C:\Windows\system32\ADVAPI32.dll!FlushEfsCache 000007fefeb51380 6 bytes JMP 000007fefebf0462
.text C:\Windows\System32\spoolsv.exe[3048] C:\Windows\system32\ADVAPI32.dll!SetUserFileEncryptionKey 000007fefeb51650 6 bytes JMP 000007fefebf05fa
.text C:\Windows\System32\spoolsv.exe[3048] C:\Windows\system32\ADVAPI32.dll!EncryptFileW 000007fefeb51c00 6 bytes JMP 000007fefebf042f
.text C:\Windows\System32\spoolsv.exe[3048] C:\Windows\system32\ADVAPI32.dll!InitiateShutdownW 000007fefeb53690 7 bytes JMP 000007fefebf0495
.text C:\Windows\System32\spoolsv.exe[3048] C:\Windows\system32\ADVAPI32.dll!InitiateSystemShutdownExW 000007fefeb53800 7 bytes JMP 000007fefebf04c8
.text C:\Windows\System32\spoolsv.exe[3048] C:\Windows\system32\ADVAPI32.dll!InitiateSystemShutdownW 000007fefeb53920 7 bytes JMP 000007fefebf04fb
.text C:\Windows\System32\spoolsv.exe[3048] C:\Windows\system32\ADVAPI32.dll!CredEnumerateW 000007fefeb5def0 7 bytes JMP 000007fefebf01fe
.text C:\Windows\System32\spoolsv.exe[3048] C:\Windows\system32\ADVAPI32.dll!CredEnumerateA 000007fefeb5e020 7 bytes JMP 000007fefebf01cb
.text C:\Windows\System32\spoolsv.exe[3048] C:\Windows\system32\ADVAPI32.dll!CreateProcessWithTokenW 000007fefeb60f10 7 bytes JMP 000007fefebf0132
.text C:\Windows\System32\spoolsv.exe[3048] C:\Windows\system32\ADVAPI32.dll!CreateProcessWithLogonW 000007fefeb60f80 7 bytes JMP 000007fefebf00ff
.text C:\Windows\System32\spoolsv.exe[3048] C:\Windows\system32\GDI32.dll!CreateCompatibleDC 000007fefedb1c64 5 bytes JMP 000007fefebf06c6
.text C:\Windows\System32\spoolsv.exe[3048] C:\Windows\system32\GDI32.dll!CreateBitmap 000007fefedb1f30 6 bytes JMP 000007fefebf0660
.text C:\Windows\System32\spoolsv.exe[3048] C:\Windows\system32\GDI32.dll!BitBlt 000007fefedb24c0 5 bytes JMP 000007fefebf062d
.text C:\Windows\System32\spoolsv.exe[3048] C:\Windows\system32\GDI32.dll!CreateCompatibleBitmap 000007fefedb2d20 5 bytes JMP 000007fefebf0693
.text C:\Windows\System32\spoolsv.exe[3048] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefedb8328 9 bytes JMP 000007fefebf072c
.text C:\Windows\System32\spoolsv.exe[3048] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefedb8960 9 bytes JMP 000007fefebf06f9
.text C:\Windows\System32\spoolsv.exe[3048] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefe756d10 11 bytes JMP 000007fefebf075f
.text C:\Windows\System32\spoolsv.exe[3048] C:\Windows\system32\ole32.dll!CoGetClassObject 000007fefe7624f8 5 bytes JMP 000007fefebf0792
.text C:\Windows\System32\spoolsv.exe[3048] C:\Windows\system32\ole32.dll!CoGetObject 000007fefe893900 5 bytes JMP 000007fefebf07c5
.text C:\Windows\System32\spoolsv.exe[3048] C:\Windows\System32\DNSAPI.dll!DnsQuery_UTF8 000007fefcae5738 7 bytes JMP 000007fefebf0ac2
.text C:\Windows\System32\spoolsv.exe[3048] C:\Windows\System32\DNSAPI.dll!DnsQuery_W 000007fefcaf01b0 7 bytes JMP 000007fefebf0af5
.text C:\Windows\System32\spoolsv.exe[3048] C:\Windows\System32\DNSAPI.dll!DnsQuery_A 000007fefcb0db10 7 bytes JMP 000007fefebf0a8f
.text C:\Windows\System32\spoolsv.exe[3048] C:\Windows\system32\WS2_32.dll!WSASend 000007fefe9e13b0 5 bytes JMP 000007fefebf08c4
.text C:\Windows\System32\spoolsv.exe[3048] C:\Windows\system32\WS2_32.dll!closesocket 000007fefe9e18e0 5 bytes JMP 000007fefebf095d
.text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2792] C:\Windows\SysWOW64\ntdll.dll!NtRollbackTransaction 0000000077c81854 5 bytes JMP 000000007ef8092a
.text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2792] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077c81930 5 bytes JMP 000000007ef8041e
.text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2792] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationTransaction 0000000077c81ab0 5 bytes JMP 000000007ef8096e
.text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2792] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemEnvironmentValueEx 0000000077c81bdc 5 bytes JMP 000000007ef8070a
.text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2792] C:\Windows\SysWOW64\ntdll.dll!NtWow64WriteVirtualMemory64 0000000077c8212c 5 bytes JMP 000000007ef8030e
.text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2792] C:\Windows\SysWOW64\ntdll.dll!RtlImageNtHeaderEx 0000000077c8f535 7 bytes JMP 000000007ef80022
.text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2792] C:\Windows\SysWOW64\ntdll.dll!RtlReportException 0000000077d0869b 5 bytes JMP 000000007ef80154
.text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2792] C:\Windows\syswow64\kernel32.dll!CreateProcessW 0000000075b7103d 5 bytes JMP 000000007ef805b6
.text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2792] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000075b71072 5 bytes JMP 000000007ef80594
.text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2792] C:\Windows\syswow64\kernel32.dll!LoadLibraryW 0000000075b748f3 5 bytes JMP 000000007ef8061c
.text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2792] C:\Windows\syswow64\kernel32.dll!LoadLibraryA 0000000075b7499f 5 bytes JMP 000000007ef805fa
.text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2792] C:\Windows\syswow64\kernel32.dll!GetNativeSystemInfo 0000000075b810a5 5 bytes JMP 000000007ef80792
.text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2792] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000075b83be3 5 bytes JMP 000000007ef80352
.text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2792] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 0000000075b89ae4 5 bytes JMP 000000007ef80550
.text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2792] C:\Windows\syswow64\kernel32.dll!MoveFileExW 0000000075b89b45 5 bytes JMP 000000007ef8050c
.text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2792] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalA 0000000075b8a4cf 5 bytes JMP 000000007ef80330
.text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2792] C:\Windows\syswow64\kernel32.dll!GetVolumeInformationA 0000000075b96de3 7 bytes JMP 000000007ef8083c
.text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2792] C:\Windows\syswow64\kernel32.dll!CreateToolhelp32Snapshot 0000000075b9736f 7 bytes JMP 000000007ef80440
.text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2792] C:\Windows\syswow64\kernel32.dll!Process32NextW 0000000075b98922 5 bytes JMP 000000007ef801ba
.text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2792] C:\Windows\syswow64\kernel32.dll!MoveFileExA 0000000075b9ccf1 5 bytes JMP 000000007ef804ea
.text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2792] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 0000000075b9cd11 5 bytes JMP 000000007ef8052e
.text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2792] C:\Windows\syswow64\kernel32.dll!DefineDosDeviceA 0000000075beade4 5 bytes JMP 000000007ef804a6
.text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2792] C:\Windows\syswow64\kernel32.dll!CreateFileTransactedW 0000000075bee3c5 7 bytes JMP 000000007ef808c4
.text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2792] C:\Windows\syswow64\kernel32.dll!CreateNamedPipeA 0000000075bf1ddf 5 bytes JMP 000000007ef809f6
.text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2792] C:\Windows\syswow64\kernel32.dll!WinExec 0000000075bf31f9 5 bytes JMP 000000007ef80a3a
.text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2792] C:\Windows\syswow64\kernel32.dll!PeekConsoleInputA 0000000075c1769d 5 bytes JMP 000000007ef800ee
.text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2792] C:\Windows\syswow64\kernel32.dll!PeekConsoleInputW 0000000075c176c0 5 bytes JMP 000000007ef80110
.text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2792] C:\Windows\syswow64\kernel32.dll!ReadConsoleInputA 0000000075c176e3 5 bytes JMP 000000007ef800aa
.text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2792] C:\Windows\syswow64\kernel32.dll!ReadConsoleInputW 0000000075c17706 5 bytes JMP 000000007ef800cc
.text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2792] C:\Windows\syswow64\kernel32.dll!ReadConsoleA 0000000075c17ab1 5 bytes JMP 000000007ef80066
.text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2792] C:\Windows\syswow64\kernel32.dll!ReadConsoleW 0000000075c17b2a 5 bytes JMP 000000007ef80088
.text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2792] C:\Windows\syswow64\kernel32.dll!GenerateConsoleCtrlEvent 0000000075c181df 5 bytes JMP 000000007ef80660
.text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2792] C:\Windows\syswow64\kernel32.dll!K32EnumDeviceDrivers 0000000075c189ea 7 bytes JMP 000000007ef8081a
.text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2792] C:\Windows\syswow64\KERNELBASE.dll!CreateNamedPipeW 0000000076327e9d 5 bytes JMP 000000007ef80a18
.text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2792] C:\Windows\syswow64\KERNELBASE.dll!CloseHandle 000000007632c558 5 bytes JMP 000000007ef80484
.text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2792] C:\Windows\syswow64\KERNELBASE.dll!GetLogicalProcessorInformation 000000007632f146 5 bytes JMP 000000007ef807d6
.text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2792] C:\Windows\syswow64\KERNELBASE.dll!GetLogicalProcessorInformationEx 000000007632f1a0 5 bytes JMP 000000007ef807f8
.text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2792] C:\Windows\syswow64\KERNELBASE.dll!TerminateProcess 000000007632f341 5 bytes JMP 000000007ef8063e
.text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2792] C:\Windows\syswow64\KERNELBASE.dll!GetSystemInfo 000000007632f472 5 bytes JMP 000000007ef807b4
.text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2792] C:\Windows\syswow64\KERNELBASE.dll!DefineDosDeviceW 000000007632fcda 5 bytes JMP 000000007ef804c8
.text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2792] C:\Windows\syswow64\KERNELBASE.dll!SetEnvironmentVariableA 00000000763306bc 5 bytes JMP 000000007ef80176
.text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2792] C:\Windows\syswow64\KERNELBASE.dll!SetEnvironmentVariableW 00000000763307ff 5 bytes JMP 000000007ef80198
.text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2792] C:\Windows\syswow64\KERNELBASE.dll!GetProcAddress 0000000076331f38 5 bytes JMP 000000007ef805d8
.text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2792] C:\Windows\syswow64\KERNELBASE.dll!OpenThread 000000007633396a 5 bytes JMP 000000007ef80396
.text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2792] C:\Windows\syswow64\KERNELBASE.dll!QueueUserAPC 0000000076333e5b 5 bytes JMP 000000007ef803da
.text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2792] C:\Windows\syswow64\KERNELBASE.dll!CreateRemoteThreadEx 0000000076333fdf 5 bytes JMP 000000007ef80286
.text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2792] C:\Windows\syswow64\KERNELBASE.dll!CreateRemoteThread 0000000076334798 5 bytes JMP 000000007ef80264
.text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2792] C:\Windows\syswow64\KERNELBASE.dll!GetVolumeInformationW 00000000763370b5 5 bytes JMP 000000007ef8085e
.text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2792] C:\Windows\syswow64\KERNELBASE.dll!DeleteFileW 0000000076339dcf 5 bytes JMP 000000007ef80572
.text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2792] C:\Windows\syswow64\KERNELBASE.dll!CreateFileW 000000007633c40d 5 bytes JMP 000000007ef80a7e
.text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2792] C:\Windows\syswow64\KERNELBASE.dll!CreateFileA 000000007633c8a8 5 bytes JMP 000000007ef80a5c
.text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2792] C:\Windows\syswow64\USER32.dll!GetDC 0000000076af72cc 5 bytes JMP 000000007ef812fe
.text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2792] C:\Windows\syswow64\USER32.dll!GetMessageW 0000000076af78f2 5 bytes JMP 000000007ef813ca
.text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2792] C:\Windows\syswow64\USER32.dll!GetMessageA 0000000076af7be3 5 bytes JMP 000000007ef813a8
.text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2792] C:\Windows\syswow64\USER32.dll!SetPropW 0000000076af7fde 5 bytes JMP 000000007ef81584
.text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2792] C:\Windows\syswow64\USER32.dll!GetWindowDC 0000000076af8058 5 bytes JMP 000000007ef8140e
.text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2792] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000076af8342 5 bytes JMP 000000007ef815ea
.text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2792] C:\Windows\syswow64\USER32.dll!CreateWindowExW 0000000076af8a39 5 bytes JMP 000000007ef811ee
.text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2792] C:\Windows\syswow64\USER32.dll!SetWindowPos 0000000076af8e5e 5 bytes JMP 000000007ef8160c
.text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2792] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 0000000076af90e3 7 bytes JMP 000000007ef816b6
.text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2792] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000076af9689 5 bytes JMP 000000007ef814fc
.text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2792] C:\Windows\syswow64\USER32.dll!FindWindowW 0000000076af990d 5 bytes JMP 000000007ef812ba
.text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2792] C:\Windows\syswow64\USER32.dll!EnumWindows 0000000076afd1ef 5 bytes JMP 000000007ef81232
.text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2792] C:\Windows\syswow64\USER32.dll!CreateWindowExA 0000000076afd24e 5 bytes JMP 000000007ef811cc
.text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2792] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000076afee31 5 bytes JMP 000000007ef815a6
.text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2792] C:\Windows\syswow64\USER32.dll!FindWindowA 0000000076b0000e 5 bytes JMP 000000007ef81254
.text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2792] C:\Windows\syswow64\USER32.dll!FindWindowExA 0000000076b00101 5 bytes JMP 000000007ef81276
.text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2792] C:\Windows\syswow64\USER32.dll!PeekMessageW 0000000076b005e2 5 bytes JMP 000000007ef81452
.text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2792] C:\Windows\syswow64\USER32.dll!GetDesktopWindow 0000000076b00a41 9 bytes JMP 000000007ef81342
.text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2792] C:\Windows\syswow64\USER32.dll!ShowWindow 0000000076b00e23 5 bytes JMP 000000007ef81672
.text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2792] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000076b012cd 5 bytes JMP 000000007ef81496
.text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2792] C:\Windows\syswow64\USER32.dll!GetKeyState 0000000076b027a7 5 bytes JMP 000000007ef81364
.text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2792] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 0000000076b0393d 5 bytes JMP 000000007ef816d8
.text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2792] C:\Windows\syswow64\USER32.dll!FindWindowExW 0000000076b0399a 5 bytes JMP 000000007ef81298
.text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2792] C:\Windows\syswow64\USER32.dll!GetDCEx 0000000076b03bf9 5 bytes JMP 000000007ef81320
.text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2792] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 0000000076b0471b 5 bytes JMP 000000007ef812dc
.text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2792] C:\Windows\syswow64\USER32.dll!GetKeyboardState 0000000076b047ed 5 bytes JMP 000000007ef81386
.text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2792] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076b04bc4 5 bytes JMP 000000007ef81474
.text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2792] C:\Windows\syswow64\USER32.dll!EnumDesktopWindows 0000000076b0702b 5 bytes JMP 000000007ef81210
.text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2792] C:\Windows\syswow64\USER32.dll!PeekMessageA 0000000076b0704c 5 bytes JMP 000000007ef81430
.text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2792] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000076b071e8 5 bytes JMP 000000007ef815c8
.text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2792] C:\Windows\syswow64\USER32.dll!SendMessageA 0000000076b07206 5 bytes JMP 000000007ef814da
.text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2792] C:\Windows\syswow64\USER32.dll!CallNextHookEx 0000000076b0735d 5 bytes JMP 000000007ef811aa
.text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2792] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000076b07d61 7 bytes JMP 000000007ef81694
.text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2792] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076b081fd 5 bytes JMP 000000007ef81650
.text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2792] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000076b08262 5 bytes JMP 000000007ef81540
.text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2792] C:\Windows\syswow64\USER32.dll!SetPropA 0000000076b08e24 5 bytes JMP 000000007ef81562
.text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2792] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000076b08f54 5 bytes JMP 000000007ef8162e
.text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2792] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076b56e35 5 bytes JMP 000000007ef8151e
.text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2792] C:\Windows\syswow64\USER32.dll!GetRawInputData 0000000076b58447 5 bytes JMP 000000007ef813ec
.text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2792] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 0000000076b589c3 5 bytes JMP 000000007ef814b8
.text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2792] C:\Windows\syswow64\GDI32.dll!CreateCompatibleDC 00000000765554f4 5 bytes JMP 000000007ef80c16
.text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2792] C:\Windows\syswow64\GDI32.dll!CreateBitmap 0000000076555d52 5 bytes JMP 000000007ef80bd2
.text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2792] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000076555ea5 5 bytes JMP 000000007ef80bb0
.text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2792] C:\Windows\syswow64\GDI32.dll!CreateCompatibleBitmap 0000000076555f48 5 bytes JMP 000000007ef80bf4
.text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2792] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000076557ba4 5 bytes JMP 000000007ef80c38
.text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2792] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007655ea03 5 bytes JMP 000000007ef80c5a
.text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2792] C:\Windows\syswow64\ADVAPI32.dll!CryptGenKey 0000000076438e69 5 bytes JMP 000000007ef81012
.text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2792] C:\Windows\syswow64\ADVAPI32.dll!CryptAcquireContextA 0000000076439159 5 bytes JMP 000000007ef80f46
.text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2792] C:\Windows\syswow64\ADVAPI32.dll!CryptExportKey 0000000076439166 5 bytes JMP 000000007ef80ff0
.text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2792] C:\Windows\syswow64\ADVAPI32.dll!CryptImportKey 000000007643c4b2 5 bytes JMP 000000007ef81078
.text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2792] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserW 000000007643c512 5 bytes JMP 000000007ef80e58
.text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2792] C:\Windows\syswow64\ADVAPI32.dll!CryptAcquireContextW 000000007643de94 5 bytes JMP 000000007ef80f68
.text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2792] C:\Windows\syswow64\ADVAPI32.dll!CryptHashData 000000007643deb6 5 bytes JMP 000000007ef81056
.text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2792] C:\Windows\syswow64\ADVAPI32.dll!CryptCreateHash 000000007643dece 5 bytes JMP 000000007ef80f8a
.text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2792] C:\Windows\syswow64\ADVAPI32.dll!CryptGetHashParam 000000007643defe 5 bytes JMP 000000007ef81034
.text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2792] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceW 00000000764570a4 5 bytes JMP 000000007ef80ee0
.text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2792] C:\Windows\syswow64\ADVAPI32.dll!CryptEncrypt 000000007645771b 5 bytes JMP 000000007ef80fce
.text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2792] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 00000000764727ea 5 bytes JMP 000000007ef80e36
.text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2792] C:\Windows\syswow64\ADVAPI32.dll!EncryptFileW 0000000076472aa8 5 bytes JMP 000000007ef8109a
.text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2792] C:\Windows\syswow64\ADVAPI32.dll!SetUserFileEncryptionKey 0000000076473213 5 bytes JMP 000000007ef81188
.text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2792] C:\Windows\syswow64\ADVAPI32.dll!FlushEfsCache 000000007647324d 5 bytes JMP 000000007ef810bc
.text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2792] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceA 0000000076473414 5 bytes JMP 000000007ef80ebe
.text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2792] C:\Windows\syswow64\ADVAPI32.dll!CryptDeriveKey 0000000076473444 5 bytes JMP 000000007ef80fac
.text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2792] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessWithLogonW 00000000764755e1 5 bytes JMP 000000007ef80e7a
.text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2792] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessWithTokenW 0000000076475617 5 bytes JMP 000000007ef80e9c
.text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2792] C:\Windows\syswow64\ADVAPI32.dll!CredEnumerateA 0000000076477671 7 bytes JMP 000000007ef80f02
.text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2792] C:\Windows\syswow64\ADVAPI32.dll!CredEnumerateW 0000000076477771 7 bytes JMP 000000007ef80f24
.text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2792] C:\Windows\syswow64\ADVAPI32.dll!LsaQueryTrustedDomainInfo 0000000076478c39 7 bytes JMP 000000007ef81144
.text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2792] C:\Windows\syswow64\ADVAPI32.dll!LsaQueryTrustedDomainInfoByName 000000007647923d 7 bytes JMP 000000007ef81166
.text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2792] C:\Windows\syswow64\ADVAPI32.dll!InitiateSystemShutdownW 000000007648defd 5 bytes JMP 000000007ef81122
.text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2792] C:\Windows\syswow64\ADVAPI32.dll!InitiateSystemShutdownExW 000000007648dfca 5 bytes JMP 000000007ef81100
.text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2792] C:\Windows\syswow64\ADVAPI32.dll!InitiateShutdownW 000000007648e2a4 5 bytes JMP 000000007ef810de
.text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2792] C:\Windows\SysWOW64\sechost.dll!CloseServiceHandle 0000000075d94dc9 7 bytes JMP 000000007ef80d48
.text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2792] C:\Windows\SysWOW64\sechost.dll!StartServiceW 0000000075d94f3b 7 bytes JMP 000000007ef80e14
.text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2792] C:\Windows\SysWOW64\sechost.dll!StartServiceA 0000000075d95093 7 bytes JMP 000000007ef80df2
.text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2792] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 0000000075d95682 7 bytes JMP 000000007ef80d6a
.text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2792] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 0000000075d958a5 7 bytes JMP 000000007ef80d8c
.text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2792] C:\Windows\SysWOW64\sechost.dll!OpenServiceW 0000000075d97151 7 bytes JMP 000000007ef80dd0
.text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2792] C:\Windows\SysWOW64\sechost.dll!OpenServiceA 0000000075d9724b 7 bytes JMP 000000007ef80dae
.text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2792] C:\Windows\syswow64\RPCRT4.dll!RpcBindingSetObject 00000000766cb413 3 bytes JMP 000000007ef80d26
.text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2792] C:\Windows\syswow64\RPCRT4.dll!RpcBindingSetObject + 4 00000000766cb417 1 byte [08]
.text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2792] C:\Windows\syswow64\SspiCli.dll!LsaCallAuthenticationPackage 00000000755c2aab 5 bytes JMP 000000007ef80d04
.text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2792] C:\Windows\syswow64\SspiCli.dll!GetUserNameExW 00000000755ca40f 5 bytes JMP 000000007ef80ce2
.text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2792] C:\Windows\syswow64\SspiCli.dll!GetUserNameExA 00000000755ca4e1 5 bytes JMP 000000007ef80cc0
.text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2792] C:\Windows\syswow64\SspiCli.dll!EnumerateSecurityPackagesW 00000000755d0c71 5 bytes JMP 000000007ef80c9e
.text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2792] C:\Windows\syswow64\SspiCli.dll!EnumerateSecurityPackagesA 00000000755d0cec 5 bytes JMP 000000007ef80c7c
.text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2792] C:\Windows\syswow64\SHELL32.dll!ShellExecuteW 0000000076bf3c29 5 bytes JMP 000000007ef81760
.text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2792] C:\Windows\syswow64\SHELL32.dll!Shell_NotifyIconW 0000000076c00191 5 bytes JMP 000000007ef81782
.text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2792] C:\Windows\syswow64\SHELL32.dll!ShellExecuteExW 0000000076c01e65 5 bytes JMP 000000007ef8173e
.text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2792] C:\Windows\syswow64\SHELL32.dll!ShellExecuteEx 0000000076e288fd 5 bytes JMP 000000007ef8171c
.text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2792] C:\Windows\syswow64\SHELL32.dll!ShellExecuteA 0000000076e28998 5 bytes JMP 000000007ef816fa
.text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2792] C:\Windows\syswow64\ole32.dll!CoGetClassObject 000000007599546d 5 bytes JMP 000000007ef817c6
.text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2792] C:\Windows\syswow64\ole32.dll!CoCreateInstance 00000000759a9cbb 5 bytes JMP 000000007ef817a4
.text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2792] C:\Windows\syswow64\ole32.dll!CoGetObject 00000000759bb624 5 bytes JMP 000000007ef817e8
.text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[2068] C:\Windows\SYSTEM32\ntdll.dll!NtWriteFile 0000000077acbbb0 8 bytes JMP 0000000077c30ef1
.text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[2068] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 0000000077acbc00 8 bytes JMP 0000000077c30b28
.text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[2068] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077acbc20 8 bytes JMP 0000000077c302ca
.text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[2068] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 0000000077acbcc0 8 bytes JMP 0000000077c30e58
.text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[2068] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077acbd90 8 bytes JMP 0000000077c304fb
.text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[2068] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000077acbdb0 8 bytes JMP 0000000077c30660
.text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[2068] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 0000000077acbdd0 8 bytes JMP 0000000077c30c5a
.text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[2068] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077acbdf0 8 bytes JMP 0000000077c30000
.text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[2068] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077acbed0 8 bytes JMP 0000000077c30462
.text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[2068] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077acbef0 8 bytes JMP 0000000077c30561
.text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[2068] C:\Windows\SYSTEM32\ntdll.dll!NtReadVirtualMemory 0000000077acbf20 8 bytes JMP 0000000077c30990
.text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[2068] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077acbf40 8 bytes JMP 0000000077c30066
.text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[2068] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077acbf80 8 bytes JMP 0000000077c305c7
.text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[2068] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077acbfd0 8 bytes JMP 0000000077c30f24
.text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[2068] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 0000000077acc000 8 bytes JMP 0000000077c30330
.text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[2068] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077acc010 8 bytes JMP 0000000077c303fc
.text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[2068] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000077acc050 8 bytes JMP 0000000077c30cc0
.text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[2068] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077acc270 8 bytes JMP 0000000077c30b5b
.text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[2068] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000077acc280 8 bytes JMP 0000000077c30b8e
.text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[2068] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077acc380 8 bytes JMP 0000000077c30bc1
.text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[2068] C:\Windows\SYSTEM32\ntdll.dll!NtCommitTransaction 0000000077acc400 8 bytes JMP 0000000077c30f8a
.text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[2068] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077acc500 8 bytes JMP 0000000077c30ff0
.text C:\Program Files (x86)\Blizzard\Bonjour Service\mDNSResponder.exe[3096] C:\Windows\syswow64\KERNELBASE.dll!CreateFileA 000000007633c8a8 5 bytes JMP 000000007ef80b6c
.text C:\Program Files (x86)\Blizzard\Bonjour Service\mDNSResponder.exe[3096] C:\Windows\syswow64\WS2_32.dll!WSAIoctl 0000000076372fe7 5 bytes JMP 000000007ef80f24
.text C:\Program Files (x86)\Blizzard\Bonjour Service\mDNSResponder.exe[3096] C:\Windows\syswow64\WS2_32.dll!sendto 00000000763734b5 5 bytes JMP 000000007ef81034
.text C:\Program Files (x86)\Blizzard\Bonjour Service\mDNSResponder.exe[3096] C:\Windows\syswow64\WS2_32.dll!closesocket 0000000076373918 5 bytes JMP 000000007ef80fac
.text C:\Program Files (x86)\Blizzard\Bonjour Service\mDNSResponder.exe[3096] C:\Windows\syswow64\WS2_32.dll!WSASocketW 0000000076373cd3 7 bytes JMP 000000007ef80f8a
.text C:\Program Files (x86)\Blizzard\Bonjour Service\mDNSResponder.exe[3096] C:\Windows\syswow64\WS2_32.dll!socket 0000000076373eb8 5 bytes JMP 000000007ef81056
.text C:\Program Files (x86)\Blizzard\Bonjour Service\mDNSResponder.exe[3096] C:\Windows\syswow64\WS2_32.dll!WSASend 0000000076374406 5 bytes JMP 000000007ef80f46
.text C:\Program Files (x86)\Blizzard\Bonjour Service\mDNSResponder.exe[3096] C:\Windows\syswow64\WS2_32.dll!GetAddrInfoW 0000000076374889 5 bytes JMP 000000007ef80ee0
.text C:\Program Files (x86)\Blizzard\Bonjour Service\mDNSResponder.exe[3096] C:\Windows\syswow64\WS2_32.dll!connect 0000000076376bdd 5 bytes JMP 000000007ef80fce
.text C:\Program Files (x86)\Blizzard\Bonjour Service\mDNSResponder.exe[3096] C:\Windows\syswow64\WS2_32.dll!send 0000000076376f01 5 bytes JMP 000000007ef81012
.text C:\Program Files (x86)\Blizzard\Bonjour Service\mDNSResponder.exe[3096] C:\Windows\syswow64\WS2_32.dll!WSASocketA 000000007637c82a 5 bytes JMP 000000007ef80f68
.text C:\Program Files (x86)\Blizzard\Bonjour Service\mDNSResponder.exe[3096] C:\Windows\syswow64\WS2_32.dll!WSAConnect 000000007637cc3f 5 bytes JMP 000000007ef80f02
.text C:\Program Files (x86)\Blizzard\Bonjour Service\mDNSResponder.exe[3096] C:\Windows\syswow64\WS2_32.dll!GetAddrInfoExW 000000007637d1ea 5 bytes JMP 000000007ef80ebe
.text C:\Program Files (x86)\Blizzard\Bonjour Service\mDNSResponder.exe[3096] C:\Windows\syswow64\WS2_32.dll!gethostbyname 0000000076387673 5 bytes JMP 000000007ef80ff0
.text C:\Program Files (x86)\Blizzard\Bonjour Service\mDNSResponder.exe[3096] C:\Windows\syswow64\RPCRT4.dll!RpcBindingSetObject 00000000766cb413 3 bytes JMP 000000007ef80e9c
.text C:\Program Files (x86)\Blizzard\Bonjour Service\mDNSResponder.exe[3096] C:\Windows\syswow64\RPCRT4.dll!RpcBindingSetObject + 4 00000000766cb417 1 byte [08]
.text C:\Program Files (x86)\Blizzard\Bonjour Service\mDNSResponder.exe[3096] C:\Windows\syswow64\SspiCli.dll!LsaCallAuthenticationPackage 00000000755c2aab 5 bytes JMP 000000007ef80e7a
.text C:\Program Files (x86)\Blizzard\Bonjour Service\mDNSResponder.exe[3096] C:\Windows\syswow64\SspiCli.dll!GetUserNameExW 00000000755ca40f 5 bytes JMP 000000007ef80e58
.text C:\Program Files (x86)\Blizzard\Bonjour Service\mDNSResponder.exe[3096] C:\Windows\syswow64\SspiCli.dll!GetUserNameExA 00000000755ca4e1 5 bytes JMP 000000007ef80e36
.text C:\Program Files (x86)\Blizzard\Bonjour Service\mDNSResponder.exe[3096] C:\Windows\syswow64\SspiCli.dll!EnumerateSecurityPackagesW 00000000755d0c71 5 bytes JMP 000000007ef80e14
.text C:\Program Files (x86)\Blizzard\Bonjour Service\mDNSResponder.exe[3096] C:\Windows\syswow64\SspiCli.dll!EnumerateSecurityPackagesA 00000000755d0cec 5 bytes JMP 000000007ef80df2
.text C:\Program Files (x86)\Blizzard\Bonjour Service\mDNSResponder.exe[3096] C:\Windows\SysWOW64\sechost.dll!CloseServiceHandle 0000000075d94dc9 7 bytes JMP 000000007ef80d04
.text C:\Program Files (x86)\Blizzard\Bonjour Service\mDNSResponder.exe[3096] C:\Windows\SysWOW64\sechost.dll!StartServiceW 0000000075d94f3b 7 bytes JMP 000000007ef80dd0
.text C:\Program Files (x86)\Blizzard\Bonjour Service\mDNSResponder.exe[3096] C:\Windows\SysWOW64\sechost.dll!StartServiceA 0000000075d95093 7 bytes JMP 000000007ef80dae
.text C:\Program Files (x86)\Blizzard\Bonjour Service\mDNSResponder.exe[3096] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 0000000075d95682 7 bytes JMP 000000007ef80d26
.text C:\Program Files (x86)\Blizzard\Bonjour Service\mDNSResponder.exe[3096] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 0000000075d958a5 7 bytes JMP 000000007ef80d48
.text C:\Program Files (x86)\Blizzard\Bonjour Service\mDNSResponder.exe[3096] C:\Windows\SysWOW64\sechost.dll!OpenServiceW 0000000075d97151 7 bytes JMP 000000007ef80d8c
.text C:\Program Files (x86)\Blizzard\Bonjour Service\mDNSResponder.exe[3096] C:\Windows\SysWOW64\sechost.dll!OpenServiceA 0000000075d9724b 7 bytes JMP 000000007ef80d6a
.text C:\Program Files (x86)\Blizzard\Bonjour Service\mDNSResponder.exe[3096] C:\Windows\syswow64\ADVAPI32.dll!CryptGenKey 0000000076438e69 5 bytes JMP 000000007ef8160c
.text C:\Program Files (x86)\Blizzard\Bonjour Service\mDNSResponder.exe[3096] C:\Windows\syswow64\ADVAPI32.dll!CryptAcquireContextA 0000000076439159 5 bytes JMP 000000007ef81540
.text C:\Program Files (x86)\Blizzard\Bonjour Service\mDNSResponder.exe[3096] C:\Windows\syswow64\ADVAPI32.dll!CryptExportKey 0000000076439166 5 bytes JMP 000000007ef815ea
.text C:\Program Files (x86)\Blizzard\Bonjour Service\mDNSResponder.exe[3096] C:\Windows\syswow64\ADVAPI32.dll!CryptImportKey 000000007643c4b2 5 bytes JMP 000000007ef81672
.text C:\Program Files (x86)\Blizzard\Bonjour Service\mDNSResponder.exe[3096] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserW 000000007643c512 5 bytes JMP 000000007ef81452
.text C:\Program Files (x86)\Blizzard\Bonjour Service\mDNSResponder.exe[3096] C:\Windows\syswow64\ADVAPI32.dll!OpenServiceW 000000007643c9cc 5 bytes JMP 000000007ef817a4
.text C:\Program Files (x86)\Blizzard\Bonjour Service\mDNSResponder.exe[3096] C:\Windows\syswow64\ADVAPI32.dll!CryptAcquireContextW 000000007643de94 5 bytes JMP 000000007ef81562
.text C:\Program Files (x86)\Blizzard\Bonjour Service\mDNSResponder.exe[3096] C:\Windows\syswow64\ADVAPI32.dll!CryptHashData 000000007643deb6 5 bytes JMP 000000007ef81650
.text C:\Program Files (x86)\Blizzard\Bonjour Service\mDNSResponder.exe[3096] C:\Windows\syswow64\ADVAPI32.dll!CryptCreateHash 000000007643dece 5 bytes JMP 000000007ef81584
.text C:\Program Files (x86)\Blizzard\Bonjour Service\mDNSResponder.exe[3096] C:\Windows\syswow64\ADVAPI32.dll!CryptGetHashParam 000000007643defe 5 bytes JMP 000000007ef8162e
.text C:\Program Files (x86)\Blizzard\Bonjour Service\mDNSResponder.exe[3096] C:\Windows\syswow64\ADVAPI32.dll!OpenServiceA 0000000076442b38 5 bytes JMP 000000007ef81782
.text C:\Program Files (x86)\Blizzard\Bonjour Service\mDNSResponder.exe[3096] C:\Windows\syswow64\ADVAPI32.dll!CloseServiceHandle 00000000764435e4 5 bytes JMP 000000007ef813a8
.text C:\Program Files (x86)\Blizzard\Bonjour Service\mDNSResponder.exe[3096] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceW 00000000764570a4 5 bytes JMP 000000007ef814da
.text C:\Program Files (x86)\Blizzard\Bonjour Service\mDNSResponder.exe[3096] C:\Windows\syswow64\ADVAPI32.dll!ControlService 00000000764570bc 5 bytes JMP 000000007ef813ca
.text C:\Program Files (x86)\Blizzard\Bonjour Service\mDNSResponder.exe[3096] C:\Windows\syswow64\ADVAPI32.dll!CryptEncrypt 000000007645771b 5 bytes JMP 000000007ef815c8
.text C:\Program Files (x86)\Blizzard\Bonjour Service\mDNSResponder.exe[3096] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 00000000764727ea 5 bytes JMP 000000007ef81430
.text C:\Program Files (x86)\Blizzard\Bonjour Service\mDNSResponder.exe[3096] C:\Windows\syswow64\ADVAPI32.dll!EncryptFileW 0000000076472aa8 5 bytes JMP 000000007ef81694
.text C:\Program Files (x86)\Blizzard\Bonjour Service\mDNSResponder.exe[3096] C:\Windows\syswow64\ADVAPI32.dll!SetUserFileEncryptionKey 0000000076473213 5 bytes JMP 000000007ef817c6
.text C:\Program Files (x86)\Blizzard\Bonjour Service\mDNSResponder.exe[3096] C:\Windows\syswow64\ADVAPI32.dll!FlushEfsCache 000000007647324d 5 bytes JMP 000000007ef816b6
.text C:\Program Files (x86)\Blizzard\Bonjour Service\mDNSResponder.exe[3096] C:\Windows\syswow64\ADVAPI32.dll!ChangeServiceConfigA 00000000764733a4 5 bytes JMP 000000007ef81364
.text C:\Program Files (x86)\Blizzard\Bonjour Service\mDNSResponder.exe[3096] C:\Windows\syswow64\ADVAPI32.dll!ChangeServiceConfigW 00000000764733b4 5 bytes JMP 000000007ef81386
.text C:\Program Files (x86)\Blizzard\Bonjour Service\mDNSResponder.exe[3096] C:\Windows\syswow64\ADVAPI32.dll!ControlServiceExA 00000000764733c4 5 bytes JMP 000000007ef813ec
.text C:\Program Files (x86)\Blizzard\Bonjour Service\mDNSResponder.exe[3096] C:\Windows\syswow64\ADVAPI32.dll!ControlServiceExW 00000000764733d4 5 bytes JMP 000000007ef8140e
.text C:\Program Files (x86)\Blizzard\Bonjour Service\mDNSResponder.exe[3096] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceA 0000000076473414 5 bytes JMP 000000007ef814b8
.text C:\Program Files (x86)\Blizzard\Bonjour Service\mDNSResponder.exe[3096] C:\Windows\syswow64\ADVAPI32.dll!CryptDeriveKey 0000000076473444 5 bytes JMP 000000007ef815a6
.text C:\Program Files (x86)\Blizzard\Bonjour Service\mDNSResponder.exe[3096] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessWithLogonW 00000000764755e1 5 bytes JMP 000000007ef81474
.text C:\Program Files (x86)\Blizzard\Bonjour Service\mDNSResponder.exe[3096] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessWithTokenW 0000000076475617 5 bytes JMP 000000007ef81496
.text C:\Program Files (x86)\Blizzard\Bonjour Service\mDNSResponder.exe[3096] C:\Windows\syswow64\ADVAPI32.dll!CredEnumerateA 0000000076477671 7 bytes JMP 000000007ef814fc
.text C:\Program Files (x86)\Blizzard\Bonjour Service\mDNSResponder.exe[3096] C:\Windows\syswow64\ADVAPI32.dll!CredEnumerateW 0000000076477771 7 bytes JMP 000000007ef8151e
.text C:\Program Files (x86)\Blizzard\Bonjour Service\mDNSResponder.exe[3096] C:\Windows\syswow64\ADVAPI32.dll!LsaQueryTrustedDomainInfo 0000000076478c39 7 bytes JMP 000000007ef8173e
.text C:\Program Files (x86)\Blizzard\Bonjour Service\mDNSResponder.exe[3096] C:\Windows\syswow64\ADVAPI32.dll!LsaQueryTrustedDomainInfoByName 000000007647923d 7 bytes JMP 000000007ef81760
.text C:\Program Files (x86)\Blizzard\Bonjour Service\mDNSResponder.exe[3096] C:\Windows\syswow64\ADVAPI32.dll!InitiateSystemShutdownW 000000007648defd 5 bytes JMP 000000007ef8171c
.text C:\Program Files (x86)\Blizzard\Bonjour Service\mDNSResponder.exe[3096] C:\Windows\syswow64\ADVAPI32.dll!InitiateSystemShutdownExW 000000007648dfca 5 bytes JMP 000000007ef816fa
.text C:\Program Files (x86)\Blizzard\Bonjour Service\mDNSResponder.exe[3096] C:\Windows\syswow64\ADVAPI32.dll!InitiateShutdownW 000000007648e2a4 5 bytes JMP 000000007ef816d8
.text C:\Program Files (x86)\Blizzard\Bonjour Service\mDNSResponder.exe[3096] C:\Windows\syswow64\GDI32.dll!CreateCompatibleDC 00000000765554f4 5 bytes JMP 000000007ef81de2
.text C:\Program Files (x86)\Blizzard\Bonjour Service\mDNSResponder.exe[3096] C:\Windows\syswow64\GDI32.dll!CreateBitmap 0000000076555d52 5 bytes JMP 000000007ef81d9e
.text C:\Program Files (x86)\Blizzard\Bonjour Service\mDNSResponder.exe[3096] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000076555ea5 5 bytes JMP 000000007ef81d7c
.text C:\Program Files (x86)\Blizzard\Bonjour Service\mDNSResponder.exe[3096] C:\Windows\syswow64\GDI32.dll!CreateCompatibleBitmap 0000000076555f48 5 bytes JMP 000000007ef81dc0
.text C:\Program Files (x86)\Blizzard\Bonjour Service\mDNSResponder.exe[3096] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000076557ba4 5 bytes JMP 000000007ef81e04
.text C:\Program Files (x86)\Blizzard\Bonjour Service\mDNSResponder.exe[3096] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007655ea03 5 bytes JMP 000000007ef81e26
.text C:\Program Files (x86)\Blizzard\Bonjour Service\mDNSResponder.exe[3096] C:\Windows\syswow64\USER32.dll!GetDC 0000000076af72cc 5 bytes JMP 000000007ef8195e
.text C:\Program Files (x86)\Blizzard\Bonjour Service\mDNSResponder.exe[3096] C:\Windows\syswow64\USER32.dll!GetMessageW 0000000076af78f2 5 bytes JMP 000000007ef81a2a
.text C:\Program Files (x86)\Blizzard\Bonjour Service\mDNSResponder.exe[3096] C:\Windows\syswow64\USER32.dll!GetMessageA 0000000076af7be3 5 bytes JMP 000000007ef81a08
.text C:\Program Files (x86)\Blizzard\Bonjour Service\mDNSResponder.exe[3096] C:\Windows\syswow64\USER32.dll!SetPropW 0000000076af7fde 5 bytes JMP 000000007ef81c06
.text C:\Program Files (x86)\Blizzard\Bonjour Service\mDNSResponder.exe[3096] C:\Windows\syswow64\USER32.dll!GetWindowDC 0000000076af8058 5 bytes JMP 000000007ef81a6e
.text C:\Program Files (x86)\Blizzard\Bonjour Service\mDNSResponder.exe[3096] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000076af8342 5 bytes JMP 000000007ef81c6c
.text C:\Program Files (x86)\Blizzard\Bonjour Service\mDNSResponder.exe[3096] C:\Windows\syswow64\USER32.dll!CreateWindowExW 0000000076af8a39 5 bytes JMP 000000007ef8182c
.text C:\Program Files (x86)\Blizzard\Bonjour Service\mDNSResponder.exe[3096] C:\Windows\syswow64\USER32.dll!SetWindowPos 0000000076af8e5e 5 bytes JMP 000000007ef81c8e
.text C:\Program Files (x86)\Blizzard\Bonjour Service\mDNSResponder.exe[3096] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 0000000076af90e3 7 bytes JMP 000000007ef81d38
.text C:\Program Files (x86)\Blizzard\Bonjour Service\mDNSResponder.exe[3096] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000076af9689 5 bytes JMP 000000007ef81b5c
.text C:\Program Files (x86)\Blizzard\Bonjour Service\mDNSResponder.exe[3096] C:\Windows\syswow64\USER32.dll!FindWindowW 0000000076af990d 5 bytes JMP 000000007ef818f8
.text C:\Program Files (x86)\Blizzard\Bonjour Service\mDNSResponder.exe[3096] C:\Windows\syswow64\USER32.dll!EnumWindows 0000000076afd1ef 5 bytes JMP 000000007ef81870
.text C:\Program Files (x86)\Blizzard\Bonjour Service\mDNSResponder.exe[3096] C:\Windows\syswow64\USER32.dll!CreateWindowExA 0000000076afd24e 5 bytes JMP 000000007ef8180a
.text C:\Program Files (x86)\Blizzard\Bonjour Service\mDNSResponder.exe[3096] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000076afee31 5 bytes JMP 000000007ef81c28
.text C:\Program Files (x86)\Blizzard\Bonjour Service\mDNSResponder.exe[3096] C:\Windows\syswow64\USER32.dll!FindWindowA 0000000076b0000e 5 bytes JMP 000000007ef81892
.text C:\Program Files (x86)\Blizzard\Bonjour Service\mDNSResponder.exe[3096] C:\Windows\syswow64\USER32.dll!FindWindowExA 0000000076b00101 5 bytes JMP 000000007ef818b4
.text C:\Program Files (x86)\Blizzard\Bonjour Service\mDNSResponder.exe[3096] C:\Windows\syswow64\USER32.dll!PeekMessageW 0000000076b005e2 5 bytes JMP 000000007ef81ab2
.text C:\Program Files (x86)\Blizzard\Bonjour Service\mDNSResponder.exe[3096] C:\Windows\syswow64\USER32.dll!GetDesktopWindow 0000000076b00a41 9 bytes JMP 000000007ef819a2
.text C:\Program Files (x86)\Blizzard\Bonjour Service\mDNSResponder.exe[3096] C:\Windows\syswow64\USER32.dll!ShowWindow 0000000076b00e23 5 bytes JMP 000000007ef81cf4
.text C:\Program Files (x86)\Blizzard\Bonjour Service\mDNSResponder.exe[3096] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000076b012cd 5 bytes JMP 000000007ef81af6
.text C:\Program Files (x86)\Blizzard\Bonjour Service\mDNSResponder.exe[3096] C:\Windows\syswow64\USER32.dll!GetKeyState 0000000076b027a7 5 bytes JMP 000000007ef819c4
.text C:\Program Files (x86)\Blizzard\Bonjour Service\mDNSResponder.exe[3096] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 0000000076b0393d 5 bytes JMP 000000007ef81d5a
.text C:\Program Files (x86)\Blizzard\Bonjour Service\mDNSResponder.exe[3096] C:\Windows\syswow64\USER32.dll!FindWindowExW 0000000076b0399a 5 bytes JMP 000000007ef818d6
.text C:\Program Files (x86)\Blizzard\Bonjour Service\mDNSResponder.exe[3096] C:\Windows\syswow64\USER32.dll!GetDCEx 0000000076b03bf9 5 bytes JMP 000000007ef81980
.text C:\Program Files (x86)\Blizzard\Bonjour Service\mDNSResponder.exe[3096] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 0000000076b0471b 5 bytes JMP 000000007ef8191a
.text C:\Program Files (x86)\Blizzard\Bonjour Service\mDNSResponder.exe[3096] C:\Windows\syswow64\USER32.dll!GetKeyboardState 0000000076b047ed 5 bytes JMP 000000007ef819e6
.text C:\Program Files (x86)\Blizzard\Bonjour Service\mDNSResponder.exe[3096] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076b04bc4 5 bytes JMP 000000007ef81ad4
.text C:\Program Files (x86)\Blizzard\Bonjour Service\mDNSResponder.exe[3096] C:\Windows\syswow64\USER32.dll!EnumDesktopWindows 0000000076b0702b 5 bytes JMP 000000007ef8184e
.text C:\Program Files (x86)\Blizzard\Bonjour Service\mDNSResponder.exe[3096] C:\Windows\syswow64\USER32.dll!PeekMessageA 0000000076b0704c 5 bytes JMP 000000007ef81a90
.text C:\Program Files (x86)\Blizzard\Bonjour Service\mDNSResponder.exe[3096] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000076b071e8 5 bytes JMP 000000007ef81c4a
.text C:\Program Files (x86)\Blizzard\Bonjour Service\mDNSResponder.exe[3096] C:\Windows\syswow64\USER32.dll!SendMessageA 0000000076b07206 5 bytes JMP 000000007ef81b3a
.text C:\Program Files (x86)\Blizzard\Bonjour Service\mDNSResponder.exe[3096] C:\Windows\syswow64\USER32.dll!CallNextHookEx 0000000076b0735d 5 bytes JMP 000000007ef817e8
.text C:\Program Files (x86)\Blizzard\Bonjour Service\mDNSResponder.exe[3096] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000076b07d61 7 bytes JMP 000000007ef81d16
.text C:\Program Files (x86)\Blizzard\Bonjour Service\mDNSResponder.exe[3096] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076b081fd 5 bytes JMP 000000007ef81cd2
.text C:\Program Files (x86)\Blizzard\Bonjour Service\mDNSResponder.exe[3096] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000076b08262 5 bytes JMP 000000007ef81ba0
.text C:\Program Files (x86)\Blizzard\Bonjour Service\mDNSResponder.exe[3096] C:\Windows\syswow64\USER32.dll!SetPropA 0000000076b08e24 5 bytes JMP 000000007ef81be4
.text C:\Program Files (x86)\Blizzard\Bonjour Service\mDNSResponder.exe[3096] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000076b08f54 5 bytes JMP 000000007ef81cb0
.text C:\Program Files (x86)\Blizzard\Bonjour Service\mDNSResponder.exe[3096] C:\Windows\syswow64\USER32.dll!SetClipboardData 0000000076b38e97 5 bytes JMP 000000007ef81bc2
.text C:\Program Files (x86)\Blizzard\Bonjour Service\mDNSResponder.exe[3096] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076b39feb 5 bytes JMP 000000007ef8193c
.text C:\Program Files (x86)\Blizzard\Bonjour Service\mDNSResponder.exe[3096] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076b56e35 5 bytes JMP 000000007ef81b7e
.text C:\Program Files (x86)\Blizzard\Bonjour Service\mDNSResponder.exe[3096] C:\Windows\syswow64\USER32.dll!GetRawInputData 0000000076b58447 5 bytes JMP 000000007ef81a4c
.text C:\Program Files (x86)\Blizzard\Bonjour Service\mDNSResponder.exe[3096] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 0000000076b589c3 5 bytes JMP 000000007ef81b18
.text C:\Program Files (x86)\Blizzard\Bonjour Service\mDNSResponder.exe[3096] C:\Windows\syswow64\ole32.dll!CoGetClassObject 000000007599546d 5 bytes JMP 000000007ef81e6a
.text C:\Program Files (x86)\Blizzard\Bonjour Service\mDNSResponder.exe[3096] C:\Windows\syswow64\ole32.dll!CoCreateInstance 00000000759a9cbb 5 bytes JMP 000000007ef81e48
.text C:\Program Files (x86)\Blizzard\Bonjour Service\mDNSResponder.exe[3096] C:\Windows\syswow64\ole32.dll!CoGetObject 00000000759bb624 5 bytes JMP 000000007ef81e8c
.text C:\Windows\System32\svchost.exe[3140] C:\Windows\SYSTEM32\ntdll.dll!NtWriteFile 0000000077acbbb0 8 bytes JMP 0000000077c30ef1
.text C:\Windows\System32\svchost.exe[3140] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 0000000077acbc00 8 bytes JMP 0000000077c30b28
.text C:\Windows\System32\svchost.exe[3140] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077acbc20 8 bytes JMP 0000000077c302ca
.text C:\Windows\System32\svchost.exe[3140] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 0000000077acbcc0 8 bytes JMP 0000000077c30e58
.text C:\Windows\System32\svchost.exe[3140] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077acbd90 8 bytes JMP 0000000077c304fb
.text C:\Windows\System32\svchost.exe[3140] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000077acbdb0 8 bytes JMP 0000000077c30660
.text C:\Windows\System32\svchost.exe[3140] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 0000000077acbdd0 8 bytes JMP 0000000077c30c5a
.text C:\Windows\System32\svchost.exe[3140] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077acbdf0 8 bytes JMP 0000000077c30000
.text C:\Windows\System32\svchost.exe[3140] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077acbed0 8 bytes JMP 0000000077c30462
.text C:\Windows\System32\svchost.exe[3140] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077acbef0 8 bytes JMP 0000000077c30561
.text C:\Windows\System32\svchost.exe[3140] C:\Windows\SYSTEM32\ntdll.dll!NtReadVirtualMemory 0000000077acbf20 8 bytes JMP 0000000077c30990
.text C:\Windows\System32\svchost.exe[3140] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077acbf40 8 bytes JMP 0000000077c30066
.text C:\Windows\System32\svchost.exe[3140] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077acbf80 8 bytes JMP 0000000077c305c7
.text C:\Windows\System32\svchost.exe[3140] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077acbfd0 8 bytes JMP 0000000077c30f24
.text C:\Windows\System32\svchost.exe[3140] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 0000000077acc000 8 bytes JMP 0000000077c30330
.text C:\Windows\System32\svchost.exe[3140] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077acc010 8 bytes JMP 0000000077c303fc
.text C:\Windows\System32\svchost.exe[3140] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000077acc050 8 bytes JMP 0000000077c30cc0
.text C:\Windows\System32\svchost.exe[3140] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077acc270 8 bytes JMP 0000000077c30b5b
.text C:\Windows\System32\svchost.exe[3140] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000077acc280 8 bytes JMP 0000000077c30b8e
.text C:\Windows\System32\svchost.exe[3140] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077acc380 8 bytes JMP 0000000077c30bc1
.text C:\Windows\System32\svchost.exe[3140] C:\Windows\SYSTEM32\ntdll.dll!NtCommitTransaction 0000000077acc400 8 bytes JMP 0000000077c30f8a
.text C:\Windows\System32\svchost.exe[3140] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077acc500 8 bytes JMP 0000000077c30ff0
.text C:\Windows\System32\svchost.exe[3140] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 0000000077acc550 8 bytes JMP 0000000077c302fd
.text C:\Windows\System32\svchost.exe[3140] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077acc5a0 8 bytes JMP 0000000077c31056
.text C:\Windows\System32\svchost.exe[3140] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077acc5b0 8 bytes JMP 0000000077c3042f
.text C:\Windows\System32\svchost.exe[3140] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTransaction 0000000077acc5e0 8 bytes JMP 0000000077c30e8b
.text C:\Windows\System32\svchost.exe[3140] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 0000000077acc600 8 bytes JMP 0000000077c30363
.text C:\Windows\System32\svchost.exe[3140] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077acc920 8 bytes JMP 0000000077c31023
.text C:\Windows\System32\svchost.exe[3140] C:\Windows\SYSTEM32\ntdll.dll!NtQuerySystemEnvironmentValueEx 0000000077acce10 8 bytes JMP 0000000077c30c27
.text C:\Windows\System32\svchost.exe[3140] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError 0000000077acce60 8 bytes JMP 0000000077c301cb
.text C:\Windows\System32\svchost.exe[3140] C:\Windows\SYSTEM32\ntdll.dll!NtRollbackTransaction 0000000077accfd0 8 bytes JMP 0000000077c30f57
.text C:\Windows\System32\svchost.exe[3140] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077acd060 8 bytes JMP 0000000077c305fa
.text C:\Windows\System32\svchost.exe[3140] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationTransaction 0000000077acd150 8 bytes JMP 0000000077c30fbd
.text C:\Windows\System32\svchost.exe[3140] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemEnvironmentValueEx 0000000077acd210 8 bytes JMP 0000000077c30bf4
.text C:\Windows\System32\svchost.exe[3140] C:\Windows\SYSTEM32\ntdll.dll!RtlImageNtHeaderEx 0000000077ad1fd0 5 bytes JMP 0000000077c30033
.text C:\Windows\System32\svchost.exe[3140] C:\Windows\SYSTEM32\ntdll.dll!RtlWow64SetThreadContext 0000000077b26b30 5 bytes JMP 0000000077c30c8d
.text C:\Windows\System32\svchost.exe[3140] C:\Windows\SYSTEM32\ntdll.dll!RtlWow64SetThreadContext + 6 0000000077b26b36 3 bytes [CC, CC, CC]
.text C:\Windows\System32\svchost.exe[3140] C:\Windows\SYSTEM32\ntdll.dll!RtlReportException 0000000077b3e210 5 bytes JMP 0000000077c301fe
.text C:\Windows\System32\svchost.exe[3140] C:\Windows\system32\kernel32.dll!Process32NextW 0000000077861b20 7 bytes JMP 0000000077c30297
.text C:\Windows\System32\svchost.exe[3140] C:\Windows\system32\kernel32.dll!CreateToolhelp32Snapshot 0000000077861c10 7 bytes JMP 0000000077c3062d
.text C:\Windows\System32\svchost.exe[3140] C:\Windows\system32\kernel32.dll!MoveFileExW 0000000077862b60 13 bytes JMP 0000000077c3075f
.text C:\Windows\System32\svchost.exe[3140] C:\Windows\system32\kernel32.dll!K32EnumDeviceDrivers 0000000077869a60 5 bytes JMP 0000000077c30dbf
.text C:\Windows\System32\svchost.exe[3140] C:\Windows\system32\kernel32.dll!GetNativeSystemInfo 000000007786ac80 6 bytes JMP 0000000077c30cf3
.text C:\Windows\System32\svchost.exe[3140] C:\Windows\system32\kernel32.dll!PeekConsoleInputW 000000007786c400 9 bytes JMP 0000000077c30198
.text C:\Windows\System32\svchost.exe[3140] C:\Windows\system32\kernel32.dll!LoadLibraryW 0000000077876410 5 bytes JMP 0000000077c308f7
.text C:\Windows\System32\svchost.exe[3140] C:\Windows\system32\kernel32.dll!LoadLibraryA 0000000077876500 5 bytes JMP 0000000077c308c4
.text C:\Windows\System32\svchost.exe[3140] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007787dbf0 5 bytes JMP 0000000077c304c8
.text C:\Windows\System32\svchost.exe[3140] C:\Windows\system32\kernel32.dll!CreateProcessW 00000000778805e0 12 bytes JMP 0000000077c3085e
.text C:\Windows\System32\svchost.exe[3140] C:\Windows\system32\kernel32.dll!GenerateConsoleCtrlEvent 00000000778a0e70 4 bytes JMP 0000000077c3095d
.text C:\Windows\System32\svchost.exe[3140] C:\Windows\system32\kernel32.dll!GenerateConsoleCtrlEvent + 5 00000000778a0e75 2 bytes [CC, CC]
.text C:\Windows\System32\svchost.exe[3140] C:\Windows\system32\kernel32.dll!K32EnumProcessModules 00000000778b4410 12 bytes JMP 0000000077c30a8f
.text C:\Windows\System32\svchost.exe[3140] C:\Windows\system32\kernel32.dll!ReadConsoleInputW 00000000778b5460 6 bytes JMP 0000000077c30132
.text C:\Windows\System32\svchost.exe[3140] C:\Windows\system32\kernel32.dll!ReadConsoleInputA 00000000778b5480 6 bytes JMP 0000000077c300ff
.text C:\Windows\System32\svchost.exe[3140] C:\Windows\system32\kernel32.dll!PeekConsoleInputA 00000000778b54a0 9 bytes JMP 0000000077c30165
.text C:\Windows\System32\svchost.exe[3140] C:\Windows\system32\kernel32.dll!GetVolumeInformationA 00000000778c1df0 7 bytes JMP 0000000077c30df2
.text C:\Windows\System32\svchost.exe[3140] C:\Windows\system32\kernel32.dll!CreateNamedPipeA 00000000778c2dd0 5 bytes JMP 0000000077c31089
.text C:\Windows\System32\svchost.exe[3140] C:\Windows\system32\kernel32.dll!DefineDosDeviceA 00000000778c5ae0 5 bytes JMP 0000000077c306c6
.text C:\Windows\System32\svchost.exe[3140] C:\Windows\system32\kernel32.dll!K32EnumProcessModulesEx 00000000778c9c70 7 bytes JMP 0000000077c30ac2
.text C:\Windows\System32\svchost.exe[3140] C:\Windows\system32\kernel32.dll!ReadConsoleW 00000000778ca820 5 bytes JMP 0000000077c300cc
.text C:\Windows\System32\svchost.exe[3140] C:\Windows\system32\kernel32.dll!ReadConsoleA 00000000778ca930 5 bytes JMP 0000000077c30099
.text C:\Windows\System32\svchost.exe[3140] C:\Windows\system32\kernel32.dll!CreateFileTransactedW 00000000778d5a60 7 bytes JMP 0000000077c30ebe
.text C:\Windows\System32\svchost.exe[3140] C:\Windows\system32\kernel32.dll!K32GetModuleInformation 00000000778d9700 5 bytes JMP 0000000077c30a5c
.text C:\Windows\System32\svchost.exe[3140] C:\Windows\system32\kernel32.dll!K32GetModuleBaseNameW 00000000778d97a0 5 bytes JMP 0000000077c309f6
.text C:\Windows\System32\svchost.exe[3140] C:\Windows\system32\kernel32.dll!K32GetModuleFileNameExW 00000000778d9870 5 bytes JMP 0000000077c30a29
.text C:\Windows\System32\svchost.exe[3140] C:\Windows\system32\kernel32.dll!GetApplicationRestartSettings + 1 00000000778df641 4 bytes {JMP 0x3514b5}
.text C:\Windows\System32\svchost.exe[3140] C:\Windows\system32\kernel32.dll!GetApplicationRecoveryCallback 00000000778df650 7 bytes JMP 0000000077c309c3
.text C:\Windows\System32\svchost.exe[3140] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 00000000778ef6d0 8 bytes JMP 0000000077c307c5
.text C:\Windows\System32\svchost.exe[3140] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 00000000778ef8d0 8 bytes JMP 0000000077c30792
.text C:\Windows\System32\svchost.exe[3140] C:\Windows\system32\kernel32.dll!MoveFileExA 00000000778ef900 10 bytes JMP 0000000077c3072c
.text C:\Windows\System32\svchost.exe[3140] C:\Windows\system32\kernel32.dll!CreateProcessInternalA 00000000778fa2e0 7 bytes JMP 0000000077c30495
.text C:\Windows\System32\svchost.exe[3140] C:\Windows\system32\kernel32.dll!CreateProcessA 00000000778fafb0 7 bytes JMP 0000000077c3082b
.text C:\Windows\System32\svchost.exe[3140] C:\Windows\system32\kernel32.dll!WinExec 00000000778fb4f0 7 bytes JMP 0000000077c310ef
.text C:\Windows\System32\svchost.exe[3140] C:\Windows\system32\KERNELBASE.dll!CloseHandle 000007fefda41860 12 bytes {JMP QWORD [RIP+0x0]}
.text C:\Windows\System32\svchost.exe[3140] C:\Windows\system32\KERNELBASE.dll!CloseHandle + 13 000007fefda4186d 6 bytes [00, CC, CC, CC, CC, CC]
.text C:\Windows\System32\svchost.exe[3140] C:\Windows\system32\KERNELBASE.dll!GetProcAddress 000007fefda43370 15 bytes {JMP QWORD [RIP+0x0]}
.text C:\Windows\System32\svchost.exe[3140] C:\Windows\system32\KERNELBASE.dll!QueueUserAPC 000007fefda43d90 16 bytes {JMP QWORD [RIP+0x0]}
.text C:\Windows\System32\svchost.exe[3140] C:\Windows\system32\KERNELBASE.dll!CreateFileW 000007fefda45fe0 20 bytes {JMP QWORD [RIP+0x0]}
.text C:\Windows\System32\svchost.exe[3140] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThreadEx + 1 000007fefda4acb1 18 bytes {JMP QWORD [RIP+0x0]}
.text C:\Windows\System32\svchost.exe[3140] C:\Windows\system32\KERNELBASE.dll!SetEnvironmentVariableW + 1 000007fefda4ee41 17 bytes {JMP QWORD [RIP+0x0]}
.text C:\Windows\System32\svchost.exe[3140] C:\Windows\system32\KERNELBASE.dll!OpenThread 000007fefda4ef50 12 bytes {JMP QWORD [RIP+0x0]}
.text C:\Windows\System32\svchost.exe[3140] C:\Windows\system32\KERNELBASE.dll!OpenThread + 14 000007fefda4ef5e 1 byte INT3
.text C:\Windows\System32\svchost.exe[3140] C:\Windows\system32\KERNELBASE.dll!DeleteFileW 000007fefda53290 4 bytes [FF, 25, 00, 00]
.text C:\Windows\System32\svchost.exe[3140] C:\Windows\system32\KERNELBASE.dll!DeleteFileW + 6 000007fefda53296 11 bytes [F8, 07, C3, 77, 00, 00, 00, ...]
.text C:\Windows\System32\svchost.exe[3140] C:\Windows\system32\KERNELBASE.dll!GetVolumeInformationW 000007fefda53640 18 bytes {JMP QWORD [RIP+0x0]}
.text C:\Windows\System32\svchost.exe[3140] C:\Windows\system32\KERNELBASE.dll!GetLogicalProcessorInformationEx 000007fefda55770 17 bytes {JMP QWORD [RIP+0x0]}
.text C:\Windows\System32\svchost.exe[3140] C:\Windows\system32\KERNELBASE.dll!CreateNamedPipeW 000007fefda57310 10 bytes {JMP QWORD [RIP+0x0]}
.text C:\Windows\System32\svchost.exe[3140] C:\Windows\system32\KERNELBASE.dll!CreateNamedPipeW + 12 000007fefda5731c 3 bytes [00, 00, CC]
.text C:\Windows\System32\svchost.exe[3140] C:\Windows\system32\KERNELBASE.dll!GetSystemInfo + 1 000007fefda5a661 16 bytes {JMP QWORD [RIP+0x0]}
.text C:\Windows\System32\svchost.exe[3140] C:\Windows\system32\KERNELBASE.dll!SetEnvironmentVariableA + 1 000007fefda73231 16 bytes {JMP QWORD [RIP+0x0]}
.text C:\Windows\System32\svchost.exe[3140] C:\Windows\system32\KERNELBASE.dll!TerminateProcess 000007fefda73550 15 bytes {JMP QWORD [RIP+0x0]}
.text C:\Windows\System32\svchost.exe[3140] C:\Windows\system32\KERNELBASE.dll!GetLogicalProcessorInformation 000007fefda73670 16 bytes {JMP QWORD [RIP+0x0]}
.text C:\Windows\System32\svchost.exe[3140] C:\Windows\system32\KERNELBASE.dll!CreateFileA 000007fefda7afe0 15 bytes {JMP QWORD [RIP+0x0]}
.text C:\Windows\System32\svchost.exe[3140] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW 000007fefda7ff00 19 bytes {JMP QWORD [RIP+0x0]}
.text C:\Windows\System32\svchost.exe[3140] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread 000007fefda822c0 10 bytes {JMP QWORD [RIP+0x0]}
.text C:\Windows\System32\svchost.exe[3140] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 12 000007fefda822cc 5 bytes [00, 00, CC, CC, CC]
.text C:\Windows\System32\svchost.exe[3140] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW 000007fefebd6488 15 bytes {JMP QWORD [RIP+0x0]}
.text C:\Windows\System32\svchost.exe[3140] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle 000007fefebd651c 15 bytes {JMP QWORD [RIP+0x0]}
.text C:\Windows\System32\svchost.exe[3140] C:\Windows\SYSTEM32\sechost.dll!StartServiceW 000007fefebd6828 15 bytes {JMP QWORD [RIP+0x0]}
.text C:\Windows\System32\svchost.exe[3140] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA 000007fefebd6c38 14 bytes {JMP QWORD [RIP+0x0]}
.text C:\Windows\System32\svchost.exe[3140] C:\Windows\SYSTEM32\sechost.dll!StartServiceA 000007fefebd6d04 15 bytes {JMP QWORD [RIP+0x0]}
.text C:\Windows\System32\svchost.exe[3140] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefebd75ec 15 bytes {JMP QWORD [RIP+0x0]}
.text C:\Windows\System32\svchost.exe[3140] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefebd7910 15 bytes {JMP QWORD [RIP+0x0]}
.text C:\Windows\System32\svchost.exe[3140] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefe756d10 11 bytes JMP 000007fefec2075f
.text C:\Windows\System32\svchost.exe[3140] C:\Windows\system32\ole32.dll!CoGetClassObject 000007fefe7624f8 5 bytes JMP 000007fefec20792
.text C:\Windows\System32\svchost.exe[3140] C:\Windows\system32\ole32.dll!CoGetObject 000007fefe893900 5 bytes JMP 000007fefec207c5
.text C:\Windows\System32\svchost.exe[3140] C:\Windows\system32\GDI32.dll!CreateCompatibleDC 000007fefedb1c64 5 bytes JMP 000007fefec206c6
.text C:\Windows\System32\svchost.exe[3140] C:\Windows\system32\GDI32.dll!CreateBitmap 000007fefedb1f30 6 bytes JMP 000007fefec20660
.text C:\Windows\System32\svchost.exe[3140] C:\Windows\system32\GDI32.dll!BitBlt 000007fefedb24c0 5 bytes JMP 000007fefec2062d
.text C:\Windows\System32\svchost.exe[3140] C:\Windows\system32\GDI32.dll!CreateCompatibleBitmap 000007fefedb2d20 5 bytes JMP 000007fefec20693
.text C:\Windows\System32\svchost.exe[3140] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefedb8328 9 bytes JMP 000007fefec2072c
.text C:\Windows\System32\svchost.exe[3140] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefedb8960 9 bytes JMP 000007fefec206f9
.text C:\Windows\System32\svchost.exe[3140] C:\Windows\system32\ADVAPI32.dll!CryptGenKey 000007fefeaf1980 5 bytes JMP 000007fefec20363
.text C:\Windows\System32\svchost.exe[3140] C:\Windows\system32\ADVAPI32.dll!CryptExportKey 000007fefeafac20 9 bytes JMP 000007fefec20330
.text C:\Windows\System32\svchost.exe[3140] C:\Windows\system32\ADVAPI32.dll!CryptAcquireContextA 000007fefeafac7c 8 bytes JMP 000007fefec20231
.text C:\Windows\System32\svchost.exe[3140] C:\Windows\system32\ADVAPI32.dll!CryptImportKey 000007fefeafe414 9 bytes JMP 000007fefec203fc
.text C:\Windows\System32\svchost.exe[3140] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserW 000007fefeafe47c 7 bytes JMP 000007fefec200cc
.text C:\Windows\System32\svchost.exe[3140] C:\Windows\system32\ADVAPI32.dll!OpenServiceW 000007fefeafe514 5 bytes JMP 000007fefec205c7
.text C:\Windows\System32\svchost.exe[3140] C:\Windows\system32\ADVAPI32.dll!CryptAcquireContextW 000007fefeb001bc 8 bytes JMP 000007fefec20264
.text C:\Windows\System32\svchost.exe[3140] C:\Windows\system32\ADVAPI32.dll!CryptHashData 000007fefeb0025c 5 bytes JMP 000007fefec203c9
.text C:\Windows\System32\svchost.exe[3140] C:\Windows\system32\ADVAPI32.dll!CryptCreateHash 000007fefeb00290 9 bytes JMP 000007fefec20297
.text C:\Windows\System32\svchost.exe[3140] C:\Windows\system32\ADVAPI32.dll!CryptGetHashParam 000007fefeb002bc 8 bytes JMP 000007fefec20396
.text C:\Windows\System32\svchost.exe[3140] C:\Windows\system32\ADVAPI32.dll!OpenServiceA 000007fefeb09d6c 5 bytes JMP 000007fefec20594
.text C:\Windows\System32\svchost.exe[3140] C:\Windows\system32\ADVAPI32.dll!CloseServiceHandle 000007fefeb0a830 14 bytes {JMP QWORD [RIP+0x0]}
.text C:\Windows\System32\svchost.exe[3140] C:\Windows\system32\ADVAPI32.dll!CreateServiceW 000007fefeb149b0 7 bytes JMP 000007fefec20198
.text C:\Windows\System32\svchost.exe[3140] C:\Windows\system32\ADVAPI32.dll!ControlService 000007fefeb14a50 5 bytes JMP 000007fefec20000
.text C:\Windows\System32\svchost.exe[3140] C:\Windows\system32\ADVAPI32.dll!CryptEncrypt 000007fefeb2a408 11 bytes JMP 000007fefec202fd
.text C:\Windows\System32\svchost.exe[3140] C:\Windows\system32\ADVAPI32.dll!CryptDeriveKey 000007fefeb2a454 9 bytes JMP 000007fefec202ca
.text C:\Windows\System32\svchost.exe[3140] C:\Windows\system32\ADVAPI32.dll!CreateServiceA 000007fefeb2a490 7 bytes JMP 000007fefec20165
.text C:\Windows\System32\svchost.exe[3140] C:\Windows\system32\ADVAPI32.dll!ControlServiceExW + 1 000007fefeb2a5e9 4 bytes {JMP 0xf5a7e}
.text C:\Windows\System32\svchost.exe[3140] C:\Windows\system32\ADVAPI32.dll!ControlServiceExA + 1 000007fefeb2a5f5 4 bytes {JMP 0xf5a3f}
.text C:\Windows\System32\svchost.exe[3140] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigW 000007fefeb2a600 12 bytes {JMP QWORD [RIP+0x0]}
.text C:\Windows\System32\svchost.exe[3140] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigW + 14 000007fefeb2a60e 1 byte INT3
.text C:\Windows\System32\svchost.exe[3140] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigA 000007fefeb2a66c 12 bytes {JMP QWORD [RIP+0x0]}
.text C:\Windows\System32\svchost.exe[3140] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigA + 14 000007fefeb2a67a 1 byte INT3
.text C:\Windows\System32\svchost.exe[3140] C:\Windows\system32\ADVAPI32.dll!LsaQueryTrustedDomainInfoByName 000007fefeb39490 7 bytes JMP 000007fefec20561
.text C:\Windows\System32\svchost.exe[3140] C:\Windows\system32\ADVAPI32.dll!LsaQueryTrustedDomainInfo 000007fefeb39640 5 bytes JMP 000007fefec2052e
.text C:\Windows\System32\svchost.exe[3140] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007fefeb3a8d0 7 bytes JMP 000007fefec20099
.text C:\Windows\System32\svchost.exe[3140] C:\Windows\system32\ADVAPI32.dll!FlushEfsCache 000007fefeb51380 6 bytes JMP 000007fefec20462
.text C:\Windows\System32\svchost.exe[3140] C:\Windows\system32\ADVAPI32.dll!SetUserFileEncryptionKey 000007fefeb51650 6 bytes JMP 000007fefec205fa
.text C:\Windows\System32\svchost.exe[3140] C:\Windows\system32\ADVAPI32.dll!EncryptFileW 000007fefeb51c00 6 bytes JMP 000007fefec2042f
.text C:\Windows\System32\svchost.exe[3140] C:\Windows\system32\ADVAPI32.dll!InitiateShutdownW 000007fefeb53690 7 bytes JMP 000007fefec20495
.text C:\Windows\System32\svchost.exe[3140] C:\Windows\system32\ADVAPI32.dll!InitiateSystemShutdownExW 000007fefeb53800 7 bytes JMP 000007fefec204c8
.text C:\Windows\System32\svchost.exe[3140] C:\Windows\system32\ADVAPI32.dll!InitiateSystemShutdownW 000007fefeb53920 7 bytes JMP 000007fefec204fb
.text C:\Windows\System32\svchost.exe[3140] C:\Windows\system32\ADVAPI32.dll!CredEnumerateW 000007fefeb5def0 7 bytes JMP 000007fefec201fe
.text C:\Windows\System32\svchost.exe[3140] C:\Windows\system32\ADVAPI32.dll!CredEnumerateA 000007fefeb5e020 7 bytes JMP 000007fefec201cb
.text C:\Windows\System32\svchost.exe[3140] C:\Windows\system32\ADVAPI32.dll!CreateProcessWithTokenW 000007fefeb60f10 7 bytes JMP 000007fefec20132
.text C:\Windows\System32\svchost.exe[3140] C:\Windows\system32\ADVAPI32.dll!CreateProcessWithLogonW 000007fefeb60f80 7 bytes JMP 000007fefec200ff
.text C:\Windows\System32\svchost.exe[3140] C:\Windows\system32\WS2_32.dll!WSASend 000007fefe9e13b0 5 bytes JMP 000007fefec20990
.text C:\Windows\System32\svchost.exe[3140] C:\Windows\system32\WS2_32.dll!closesocket 000007fefe9e18e0 5 bytes JMP 000007fefec20a29
.text C:\Windows\System32\svchost.exe[3140] C:\Windows\system32\WS2_32.dll!WSASocketW 000007fefe9e1bd0 5 bytes JMP 000007fefec209f6
.text C:\Windows\System32\svchost.exe[3140] C:\Windows\system32\WS2_32.dll!WSASocketA 000007fefe9e2010 11 bytes JMP 000007fefec209c3
.text C:\Windows\System32\svchost.exe[3140] C:\Windows\system32\WS2_32.dll!GetAddrInfoW 000007fefe9e23c0 5 bytes JMP 000007fefec208f7
.text C:\Windows\System32\svchost.exe[3140] C:\Windows\system32\WS2_32.dll!connect 000007fefe9e45c0 5 bytes JMP 000007fefec20a5c
.text C:\Windows\System32\svchost.exe[3140] C:\Windows\system32\WS2_32.dll!send 000007fefe9e8000 5 bytes JMP 000007fefec20ac2
.text C:\Windows\System32\svchost.exe[3140] C:\Windows\system32\WS2_32.dll!gethostbyname 000007fefe9e8df0 9 bytes JMP 000007fefec20a8f
.text C:\Windows\System32\svchost.exe[3140] C:\Windows\system32\WS2_32.dll!GetAddrInfoExW 000007fefe9ec090 5 bytes JMP 000007fefec208c4
.text C:\Windows\System32\svchost.exe[3140] C:\Windows\system32\WS2_32.dll!WSAIoctl 000007fefe9ed620 5 bytes JMP 000007fefec2095d
.text C:\Windows\System32\svchost.exe[3140] C:\Windows\system32\WS2_32.dll!sendto 000007fefe9ed7f0 7 bytes JMP 000007fefec20af5
.text C:\Windows\System32\svchost.exe[3140] C:\Windows\system32\WS2_32.dll!socket 000007fefe9ede90 5 bytes JMP 000007fefec20b28
.text C:\Windows\System32\svchost.exe[3140] C:\Windows\system32\WS2_32.dll!WSAConnect 000007fefea0e0f0 7 bytes JMP 000007fefec2092a
.text C:\Windows\System32\svchost.exe[3140] c:\windows\system32\WINHTTP.dll!WinHttpOpen 000007fef0d93428 5 bytes JMP 000007fefec20b5b
.text C:\Windows\System32\svchost.exe[3140] C:\Windows\system32\CRYPT32.dll!CertAddEncodedCertificateToStore 000007fefd828f08 7 bytes JMP 000007fefec20bc1
.text C:\Windows\System32\svchost.exe[3140] C:\Windows\system32\CRYPT32.dll!CertAddCRLContextToStore 000007fefd84cd00 1 byte JMP 000007fefec20b8e
.text C:\Windows\System32\svchost.exe[3140] C:\Windows\system32\CRYPT32.dll!CertAddCRLContextToStore + 2 000007fefd84cd02 3 bytes {JMP 0x13d3e8e}
.text C:\Windows\System32\svchost.exe[3140] C:\Windows\system32\CRYPT32.dll!CertCreateSelfSignCertificate 000007fefd8764fc 5 bytes JMP 000007fefec20bf4
.text C:\Windows\System32\svchost.exe[3140] C:\Windows\system32\USERENV.dll!GetUserProfileDirectoryW 000007fefdba1c00 10 bytes JMP 000007fefec20cc0
.text C:\Windows\System32\svchost.exe[3140] C:\Windows\system32\USERENV.dll!GetProfilesDirectoryW 000007fefdbae610 5 bytes JMP 000007fefec20c5a
.text C:\Windows\System32\svchost.exe[3140] C:\Windows\system32\USERENV.dll!GetProfilesDirectoryA 000007fefdbae9d0 7 bytes JMP 000007fefec20c27
.text C:\Windows\System32\svchost.exe[3140] C:\Windows\system32\USERENV.dll!GetUserProfileDirectoryA 000007fefdbafc50 7 bytes JMP 000007fefec20c8d
.text C:\Windows\System32\svchost.exe[3140] C:\Windows\System32\SspiCli.dll!GetUserNameExW 000007fefd591118 7 bytes JMP 000007fefec20dbf
.text C:\Windows\System32\svchost.exe[3140] C:\Windows\System32\SspiCli.dll!GetUserNameExA 000007fefd591640 7 bytes JMP 000007fefec20d8c
.text C:\Windows\System32\svchost.exe[3140] C:\Windows\System32\SspiCli.dll!LsaCallAuthenticationPackage 000007fefd5955b8 5 bytes JMP 000007fefec20df2
.text C:\Windows\System32\svchost.exe[3140] C:\Windows\System32\SspiCli.dll!EnumerateSecurityPackagesW 000007fefd597358 5 bytes JMP 000007fefec20d59
.text C:\Windows\System32\svchost.exe[3140] C:\Windows\System32\SspiCli.dll!EnumerateSecurityPackagesA 000007fefd5a57c0 5 bytes JMP 000007fefec20d26
.text C:\Windows\System32\svchost.exe[3140] C:\Windows\System32\IPHLPAPI.DLL!GetAdaptersAddresses 000007fefa2b2aa4 5 bytes JMP 000007fefec21056
.text C:\Windows\System32\svchost.exe[3140] C:\Windows\System32\IPHLPAPI.DLL!GetAdaptersInfo 000007fefa2b792c 5 bytes JMP 000007fefec21089
.text C:\Windows\System32\svchost.exe[3140] C:\Windows\System32\IPHLPAPI.DLL!ResolveIpNetEntry2 000007fefa2b8d44 7 bytes JMP 000007fefec21122
.text C:\Windows\System32\svchost.exe[3140] C:\Windows\System32\IPHLPAPI.DLL!GetIpNetTable 000007fefa2be51c 7 bytes JMP 000007fefec210bc
.text C:\Windows\System32\svchost.exe[3140] C:\Windows\System32\IPHLPAPI.DLL!SendARP 000007fefa2bf354 5 bytes JMP 000007fefec21155
.text C:\Windows\System32\svchost.exe[3140] C:\Windows\System32\IPHLPAPI.DLL!GetIpNetTable2 000007fefa2c8520 6 bytes JMP 000007fefec210ef
.text C:\Windows\System32\svchost.exe[3140] C:\Windows\System32\DNSAPI.dll!DnsQuery_UTF8 000007fefcae5738 7 bytes JMP 000007fefec211ee
.text C:\Windows\System32\svchost.exe[3140] C:\Windows\System32\DNSAPI.dll!DnsQuery_W 000007fefcaf01b0 7 bytes JMP 000007fefec21221
.text C:\Windows\System32\svchost.exe[3140] C:\Windows\System32\DNSAPI.dll!DnsQuery_A 000007fefcb0db10 7 bytes JMP 000007fefec211bb
.text C:\Program Files (x86)\NVIDIA Corporation\NvTelemetry\NvTelemetryContainer.exe[3276] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000075b41401 2 bytes JMP 75b9b263 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\NVIDIA Corporation\NvTelemetry\NvTelemetryContainer.exe[3276] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000075b41419 2 bytes JMP 75b9b38e C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\NVIDIA Corporation\NvTelemetry\NvTelemetryContainer.exe[3276] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000075b41431 2 bytes JMP 75c190f1 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\NVIDIA Corporation\NvTelemetry\NvTelemetryContainer.exe[3276] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000075b4144a 2 bytes CALL 75b748ad C:\Windows\syswow64\kernel32.dll
.text ... * 9
.text C:\Program Files (x86)\NVIDIA Corporation\NvTelemetry\NvTelemetryContainer.exe[3276] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000075b414dd 2 bytes JMP 75c189ea C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\NVIDIA Corporation\NvTelemetry\NvTelemetryContainer.exe[3276] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000075b414f5 2 bytes JMP 75c18bc0 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\NVIDIA Corporation\NvTelemetry\NvTelemetryContainer.exe[3276] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000075b4150d 2 bytes JMP 75c188e0 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\NVIDIA Corporation\NvTelemetry\NvTelemetryContainer.exe[3276] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000075b41525 2 bytes JMP 75c18caa C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\NVIDIA Corporation\NvTelemetry\NvTelemetryContainer.exe[3276] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000075b4153d 2 bytes JMP 75b8fce8 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\NVIDIA Corporation\NvTelemetry\NvTelemetryContainer.exe[3276] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000075b41555 2 bytes JMP 75b96937 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\NVIDIA Corporation\NvTelemetry\NvTelemetryContainer.exe[3276] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000075b4156d 2 bytes JMP 75c191a9 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\NVIDIA Corporation\NvTelemetry\NvTelemetryContainer.exe[3276] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000075b41585 2 bytes JMP 75c18d0a C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\NVIDIA Corporation\NvTelemetry\NvTelemetryContainer.exe[3276] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000075b4159d 2 bytes JMP 75c188a4 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\NVIDIA Corporation\NvTelemetry\NvTelemetryContainer.exe[3276] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000075b415b5 2 bytes JMP 75b8fd81 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\NVIDIA Corporation\NvTelemetry\NvTelemetryContainer.exe[3276] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000075b415cd 2 bytes JMP 75b9b324 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\NVIDIA Corporation\NvTelemetry\NvTelemetryContainer.exe[3276] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000075b416b2 2 bytes JMP 75c1906c C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\NVIDIA Corporation\NvTelemetry\NvTelemetryContainer.exe[3276] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000075b416bd 2 bytes JMP 75c18839 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files\Bitdefender Agent\ProductAgentService.exe[3372] C:\Windows\syswow64\kernel32.dll!UnhandledExceptionFilter 0000000075b9773f 5 bytes JMP 00000000018c07d0
.text C:\Program Files\Bitdefender Agent\ProductAgentService.exe[3372] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000075b41401 2 bytes JMP 75b9b263 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files\Bitdefender Agent\ProductAgentService.exe[3372] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000075b41419 2 bytes JMP 75b9b38e C:\Windows\syswow64\kernel32.dll
.text C:\Program Files\Bitdefender Agent\ProductAgentService.exe[3372] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000075b41431 2 bytes JMP 75c190f1 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files\Bitdefender Agent\ProductAgentService.exe[3372] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000075b4144a 2 bytes CALL 75b748ad C:\Windows\syswow64\kernel32.dll
.text ... * 9
.text C:\Program Files\Bitdefender Agent\ProductAgentService.exe[3372] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000075b414dd 2 bytes JMP 75c189ea C:\Windows\syswow64\kernel32.dll
.text C:\Program Files\Bitdefender Agent\ProductAgentService.exe[3372] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000075b414f5 2 bytes JMP 75c18bc0 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files\Bitdefender Agent\ProductAgentService.exe[3372] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000075b4150d 2 bytes JMP 75c188e0 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files\Bitdefender Agent\ProductAgentService.exe[3372] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000075b41525 2 bytes JMP 75c18caa C:\Windows\syswow64\kernel32.dll
.text C:\Program Files\Bitdefender Agent\ProductAgentService.exe[3372] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000075b4153d 2 bytes JMP 75b8fce8 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files\Bitdefender Agent\ProductAgentService.exe[3372] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000075b41555 2 bytes JMP 75b96937 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files\Bitdefender Agent\ProductAgentService.exe[3372] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000075b4156d 2 bytes JMP 75c191a9 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files\Bitdefender Agent\ProductAgentService.exe[3372] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000075b41585 2 bytes JMP 75c18d0a C:\Windows\syswow64\kernel32.dll
.text C:\Program Files\Bitdefender Agent\ProductAgentService.exe[3372] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000075b4159d 2 bytes JMP 75c188a4 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files\Bitdefender Agent\ProductAgentService.exe[3372] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000075b415b5 2 bytes JMP 75b8fd81 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files\Bitdefender Agent\ProductAgentService.exe[3372] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000075b415cd 2 bytes JMP 75b9b324 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files\Bitdefender Agent\ProductAgentService.exe[3372] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000075b416b2 2 bytes JMP 75c1906c C:\Windows\syswow64\kernel32.dll
.text C:\Program Files\Bitdefender Agent\ProductAgentService.exe[3372] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000075b416bd 2 bytes JMP 75c18839 C:\Windows\syswow64\kernel32.dll
.text C:\Windows\system32\svchost.exe[3404] C:\Windows\SYSTEM32\ntdll.dll!NtWriteFile 0000000077acbbb0 8 bytes JMP 0000000077c30ef1
.text C:\Windows\system32\svchost.exe[3404] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 0000000077acbc00 8 bytes JMP 0000000077c30b28
.text C:\Windows\system32\svchost.exe[3404] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077acbc20 8 bytes JMP 0000000077c302ca
.text C:\Windows\system32\svchost.exe[3404] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 0000000077acbcc0 8 bytes JMP 0000000077c30e58
.text C:\Windows\system32\svchost.exe[3404] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077acbd90 8 bytes JMP 0000000077c304fb
.text C:\Windows\system32\svchost.exe[3404] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000077acbdb0 8 bytes JMP 0000000077c30660
.text C:\Windows\system32\svchost.exe[3404] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 0000000077acbdd0 8 bytes JMP 0000000077c30c5a
.text C:\Windows\system32\svchost.exe[3404] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077acbdf0 8 bytes JMP 0000000077c30000
.text C:\Windows\system32\svchost.exe[3404] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077acbed0 8 bytes JMP 0000000077c30462
.text C:\Windows\system32\svchost.exe[3404] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077acbef0 8 bytes JMP 0000000077c30561
.text C:\Windows\system32\svchost.exe[3404] C:\Windows\SYSTEM32\ntdll.dll!NtReadVirtualMemory 0000000077acbf20 8 bytes JMP 0000000077c30990
.text C:\Windows\system32\svchost.exe[3404] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077acbf40 8 bytes JMP 0000000077c30066
.text C:\Windows\system32\svchost.exe[3404] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077acbf80 8 bytes JMP 0000000077c305c7
.text C:\Windows\system32\svchost.exe[3404] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077acbfd0 8 bytes JMP 0000000077c30f24
.text C:\Windows\system32\svchost.exe[3404] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 0000000077acc000 8 bytes JMP 0000000077c30330
.text C:\Windows\system32\svchost.exe[3404] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077acc010 8 bytes JMP 0000000077c303fc
.text C:\Windows\system32\svchost.exe[3404] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000077acc050 8 bytes JMP 0000000077c30cc0
.text C:\Windows\system32\svchost.exe[3404] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077acc270 8 bytes JMP 0000000077c30b5b
.text C:\Windows\system32\svchost.exe[3404] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000077acc280 8 bytes JMP 0000000077c30b8e
.text C:\Windows\system32\svchost.exe[3404] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077acc380 8 bytes JMP 0000000077c30bc1
.text C:\Windows\system32\svchost.exe[3404] C:\Windows\SYSTEM32\ntdll.dll!NtCommitTransaction 0000000077acc400 8 bytes JMP 0000000077c30f8a
.text C:\Windows\system32\svchost.exe[3404] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077acc500 8 bytes JMP 0000000077c30ff0
.text C:\Windows\system32\svchost.exe[3404] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 0000000077acc550 8 bytes JMP 0000000077c302fd
.text C:\Windows\system32\svchost.exe[3404] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077acc5a0 8 bytes JMP 0000000077c31056
.text C:\Windows\system32\svchost.exe[3404] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077acc5b0 8 bytes JMP 0000000077c3042f
.text C:\Windows\system32\svchost.exe[3404] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTransaction 0000000077acc5e0 8 bytes JMP 0000000077c30e8b
.text C:\Windows\system32\svchost.exe[3404] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 0000000077acc600 8 bytes JMP 0000000077c30363
.text C:\Windows\system32\svchost.exe[3404] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077acc920 8 bytes JMP 0000000077c31023
.text C:\Windows\system32\svchost.exe[3404] C:\Windows\SYSTEM32\ntdll.dll!NtQuerySystemEnvironmentValueEx 0000000077acce10 8 bytes JMP 0000000077c30c27
.text C:\Windows\system32\svchost.exe[3404] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError 0000000077acce60 8 bytes JMP 0000000077c301cb
.text C:\Windows\system32\svchost.exe[3404] C:\Windows\SYSTEM32\ntdll.dll!NtRollbackTransaction 0000000077accfd0 8 bytes JMP 0000000077c30f57
.text C:\Windows\system32\svchost.exe[3404] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077acd060 8 bytes JMP 0000000077c305fa
.text C:\Windows\system32\svchost.exe[3404] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationTransaction 0000000077acd150 8 bytes JMP 0000000077c30fbd
.text C:\Windows\system32\svchost.exe[3404] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemEnvironmentValueEx 0000000077acd210 8 bytes JMP 0000000077c30bf4
.text C:\Windows\system32\svchost.exe[3404] C:\Windows\SYSTEM32\ntdll.dll!RtlImageNtHeaderEx 0000000077ad1fd0 5 bytes JMP 0000000077c30033
.text C:\Windows\system32\svchost.exe[3404] C:\Windows\SYSTEM32\ntdll.dll!RtlWow64SetThreadContext 0000000077b26b30 5 bytes JMP 0000000077c30c8d
.text C:\Windows\system32\svchost.exe[3404] C:\Windows\SYSTEM32\ntdll.dll!RtlWow64SetThreadContext + 6 0000000077b26b36 3 bytes [CC, CC, CC]
.text C:\Windows\system32\svchost.exe[3404] C:\Windows\SYSTEM32\ntdll.dll!RtlReportException 0000000077b3e210 5 bytes JMP 0000000077c301fe
.text C:\Windows\system32\svchost.exe[3404] C:\Windows\system32\kernel32.dll!Process32NextW 0000000077861b20 7 bytes JMP 0000000077c30297
.text C:\Windows\system32\svchost.exe[3404] C:\Windows\system32\kernel32.dll!CreateToolhelp32Snapshot 0000000077861c10 7 bytes JMP 0000000077c3062d
.text C:\Windows\system32\svchost.exe[3404] C:\Windows\system32\kernel32.dll!MoveFileExW 0000000077862b60 13 bytes JMP 0000000077c3075f
.text C:\Windows\system32\svchost.exe[3404] C:\Windows\system32\kernel32.dll!K32EnumDeviceDrivers 0000000077869a60 5 bytes JMP 0000000077c30dbf
.text C:\Windows\system32\svchost.exe[3404] C:\Windows\system32\kernel32.dll!GetNativeSystemInfo 000000007786ac80 6 bytes JMP 0000000077c30cf3
.text C:\Windows\system32\svchost.exe[3404] C:\Windows\system32\kernel32.dll!PeekConsoleInputW 000000007786c400 9 bytes JMP 0000000077c30198
.text C:\Windows\system32\svchost.exe[3404] C:\Windows\system32\kernel32.dll!LoadLibraryW 0000000077876410 5 bytes JMP 0000000077c308f7
.text C:\Windows\system32\svchost.exe[3404] C:\Windows\system32\kernel32.dll!LoadLibraryA 0000000077876500 5 bytes JMP 0000000077c308c4
.text C:\Windows\system32\svchost.exe[3404] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007787dbf0 5 bytes JMP 0000000077c304c8
.text C:\Windows\system32\svchost.exe[3404] C:\Windows\system32\kernel32.dll!CreateProcessW 00000000778805e0 12 bytes JMP 0000000077c3085e
.text C:\Windows\system32\svchost.exe[3404] C:\Windows\system32\kernel32.dll!GenerateConsoleCtrlEvent 00000000778a0e70 4 bytes JMP 0000000077c3095d
.text C:\Windows\system32\svchost.exe[3404] C:\Windows\system32\kernel32.dll!GenerateConsoleCtrlEvent + 5 00000000778a0e75 2 bytes [CC, CC]
.text C:\Windows\system32\svchost.exe[3404] C:\Windows\system32\kernel32.dll!K32EnumProcessModules 00000000778b4410 12 bytes JMP 0000000077c30a8f
.text C:\Windows\system32\svchost.exe[3404] C:\Windows\system32\kernel32.dll!ReadConsoleInputW 00000000778b5460 6 bytes JMP 0000000077c30132
.text C:\Windows\system32\svchost.exe[3404] C:\Windows\system32\kernel32.dll!ReadConsoleInputA 00000000778b5480 6 bytes JMP 0000000077c300ff
.text C:\Windows\system32\svchost.exe[3404] C:\Windows\system32\kernel32.dll!PeekConsoleInputA 00000000778b54a0 9 bytes JMP 0000000077c30165
.text C:\Windows\system32\svchost.exe[3404] C:\Windows\system32\kernel32.dll!GetVolumeInformationA 00000000778c1df0 7 bytes JMP 0000000077c30df2
.text C:\Windows\system32\svchost.exe[3404] C:\Windows\system32\kernel32.dll!CreateNamedPipeA 00000000778c2dd0 5 bytes JMP 0000000077c31089
.text C:\Windows\system32\svchost.exe[3404] C:\Windows\system32\kernel32.dll!DefineDosDeviceA 00000000778c5ae0 5 bytes JMP 0000000077c306c6
.text C:\Windows\system32\svchost.exe[3404] C:\Windows\system32\kernel32.dll!K32EnumProcessModulesEx 00000000778c9c70 7 bytes JMP 0000000077c30ac2
.text C:\Windows\system32\svchost.exe[3404] C:\Windows\system32\kernel32.dll!ReadConsoleW 00000000778ca820 5 bytes JMP 0000000077c300cc
.text C:\Windows\system32\svchost.exe[3404] C:\Windows\system32\kernel32.dll!ReadConsoleA 00000000778ca930 5 bytes JMP 0000000077c30099
.text C:\Windows\system32\svchost.exe[3404] C:\Windows\system32\kernel32.dll!CreateFileTransactedW 00000000778d5a60 7 bytes JMP 0000000077c30ebe
.text C:\Windows\system32\svchost.exe[3404] C:\Windows\system32\kernel32.dll!K32GetModuleInformation 00000000778d9700 5 bytes JMP 0000000077c30a5c
.text C:\Windows\system32\svchost.exe[3404] C:\Windows\system32\kernel32.dll!K32GetModuleBaseNameW 00000000778d97a0 5 bytes JMP 0000000077c309f6
.text C:\Windows\system32\svchost.exe[3404] C:\Windows\system32\kernel32.dll!K32GetModuleFileNameExW 00000000778d9870 5 bytes JMP 0000000077c30a29
.text C:\Windows\system32\svchost.exe[3404] C:\Windows\system32\kernel32.dll!GetApplicationRestartSettings + 1 00000000778df641 4 bytes {JMP 0x3514b5}
.text C:\Windows\system32\svchost.exe[3404] C:\Windows\system32\kernel32.dll!GetApplicationRecoveryCallback 00000000778df650 7 bytes JMP 0000000077c309c3
.text C:\Windows\system32\svchost.exe[3404] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 00000000778ef6d0 8 bytes JMP 0000000077c307c5
.text C:\Windows\system32\svchost.exe[3404] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 00000000778ef8d0 8 bytes JMP 0000000077c30792
.text C:\Windows\system32\svchost.exe[3404] C:\Windows\system32\kernel32.dll!MoveFileExA 00000000778ef900 10 bytes JMP 0000000077c3072c
.text C:\Windows\system32\svchost.exe[3404] C:\Windows\system32\kernel32.dll!CreateProcessInternalA 00000000778fa2e0 7 bytes JMP 0000000077c30495
.text C:\Windows\system32\svchost.exe[3404] C:\Windows\system32\kernel32.dll!CreateProcessA 00000000778fafb0 7 bytes JMP 0000000077c3082b
.text C:\Windows\system32\svchost.exe[3404] C:\Windows\system32\kernel32.dll!WinExec 00000000778fb4f0 7 bytes JMP 0000000077c310ef
.text C:\Windows\system32\svchost.exe[3404] C:\Windows\system32\KERNELBASE.dll!CloseHandle 000007fefda41860 12 bytes {JMP QWORD [RIP+0x0]}
.text C:\Windows\system32\svchost.exe[3404] C:\Windows\system32\KERNELBASE.dll!CloseHandle + 13 000007fefda4186d 6 bytes [00, CC, CC, CC, CC, CC]
.text C:\Windows\system32\svchost.exe[3404] C:\Windows\system32\KERNELBASE.dll!GetProcAddress 000007fefda43370 15 bytes {JMP QWORD [RIP+0x0]}
.text C:\Windows\system32\svchost.exe[3404] C:\Windows\system32\KERNELBASE.dll!QueueUserAPC 000007fefda43d90 16 bytes {JMP QWORD [RIP+0x0]}
.text C:\Windows\system32\svchost.exe[3404] C:\Windows\system32\KERNELBASE.dll!CreateFileW 000007fefda45fe0 20 bytes {JMP QWORD [RIP+0x0]}
.text C:\Windows\system32\svchost.exe[3404] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThreadEx + 1 000007fefda4acb1 18 bytes {JMP QWORD [RIP+0x0]}
.text C:\Windows\system32\svchost.exe[3404] C:\Windows\system32\KERNELBASE.dll!SetEnvironmentVariableW + 1 000007fefda4ee41 17 bytes {JMP QWORD [RIP+0x0]}
.text C:\Windows\system32\svchost.exe[3404] C:\Windows\system32\KERNELBASE.dll!OpenThread 000007fefda4ef50 12 bytes {JMP QWORD [RIP+0x0]}
.text C:\Windows\system32\svchost.exe[3404] C:\Windows\system32\KERNELBASE.dll!OpenThread + 14 000007fefda4ef5e 1 byte INT3
.text C:\Windows\system32\svchost.exe[3404] C:\Windows\system32\KERNELBASE.dll!DeleteFileW 000007fefda53290 4 bytes [FF, 25, 00, 00]
.text C:\Windows\system32\svchost.exe[3404] C:\Windows\system32\KERNELBASE.dll!DeleteFileW + 6 000007fefda53296 11 bytes [F8, 07, C3, 77, 00, 00, 00, ...]
.text C:\Windows\system32\svchost.exe[3404] C:\Windows\system32\KERNELBASE.dll!GetVolumeInformationW 000007fefda53640 18 bytes {JMP QWORD [RIP+0x0]}
.text C:\Windows\system32\svchost.exe[3404] C:\Windows\system32\KERNELBASE.dll!GetLogicalProcessorInformationEx 000007fefda55770 17 bytes {JMP QWORD [RIP+0x0]}
.text C:\Windows\system32\svchost.exe[3404] C:\Windows\system32\KERNELBASE.dll!CreateNamedPipeW 000007fefda57310 10 bytes {JMP QWORD [RIP+0x0]}
.text C:\Windows\system32\svchost.exe[3404] C:\Windows\system32\KERNELBASE.dll!CreateNamedPipeW + 12 000007fefda5731c 3 bytes [00, 00, CC]
.text C:\Windows\system32\svchost.exe[3404] C:\Windows\system32\KERNELBASE.dll!GetSystemInfo + 1 000007fefda5a661 16 bytes {JMP QWORD [RIP+0x0]}
.text C:\Windows\system32\svchost.exe[3404] C:\Windows\system32\KERNELBASE.dll!SetEnvironmentVariableA + 1 000007fefda73231 16 bytes {JMP QWORD [RIP+0x0]}
.text C:\Windows\system32\svchost.exe[3404] C:\Windows\system32\KERNELBASE.dll!TerminateProcess 000007fefda73550 15 bytes {JMP QWORD [RIP+0x0]}
.text C:\Windows\system32\svchost.exe[3404] C:\Windows\system32\KERNELBASE.dll!GetLogicalProcessorInformation 000007fefda73670 16 bytes {JMP QWORD [RIP+0x0]}
.text C:\Windows\system32\svchost.exe[3404] C:\Windows\system32\KERNELBASE.dll!CreateFileA 000007fefda7afe0 15 bytes {JMP QWORD [RIP+0x0]}
.text C:\Windows\system32\svchost.exe[3404] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW 000007fefda7ff00 19 bytes {JMP QWORD [RIP+0x0]}
.text C:\Windows\system32\svchost.exe[3404] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread 000007fefda822c0 10 bytes {JMP QWORD [RIP+0x0]}
.text C:\Windows\system32\svchost.exe[3404] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 12 000007fefda822cc 5 bytes [00, 00, CC, CC, CC]
.text C:\Windows\system32\svchost.exe[3404] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW 000007fefebd6488 15 bytes {JMP QWORD [RIP+0x0]}
.text C:\Windows\system32\svchost.exe[3404] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle 000007fefebd651c 15 bytes {JMP QWORD [RIP+0x0]}
.text C:\Windows\system32\svchost.exe[3404] C:\Windows\SYSTEM32\sechost.dll!StartServiceW 000007fefebd6828 15 bytes {JMP QWORD [RIP+0x0]}
.text C:\Windows\system32\svchost.exe[3404] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA 000007fefebd6c38 14 bytes {JMP QWORD [RIP+0x0]}
.text C:\Windows\system32\svchost.exe[3404] C:\Windows\SYSTEM32\sechost.dll!StartServiceA 000007fefebd6d04 15 bytes {JMP QWORD [RIP+0x0]}
.text C:\Windows\system32\svchost.exe[3404] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefebd75ec 15 bytes {JMP QWORD [RIP+0x0]}
.text C:\Windows\system32\svchost.exe[3404] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefebd7910 15 bytes {JMP QWORD [RIP+0x0]}
.text C:\Windows\system32\svchost.exe[3404] C:\Windows\system32\RPCRT4.dll!RpcBindingSetObject 000007fefe13e4b0 17 bytes {JMP QWORD [RIP+0x0]}
.text C:\Windows\system32\svchost.exe[3404] C:\Windows\system32\ADVAPI32.dll!CryptGenKey 000007fefeaf1980 5 bytes JMP 000007fefebf0363
.text C:\Windows\system32\svchost.exe[3404] C:\Windows\system32\ADVAPI32.dll!CryptExportKey 000007fefeafac20 9 bytes JMP 000007fefebf0330
.text C:\Windows\system32\svchost.exe[3404] C:\Windows\system32\ADVAPI32.dll!CryptAcquireContextA 000007fefeafac7c 8 bytes JMP 000007fefebf0231
.text C:\Windows\system32\svchost.exe[3404] C:\Windows\system32\ADVAPI32.dll!CryptImportKey 000007fefeafe414 9 bytes JMP 000007fefebf03fc
.text C:\Windows\system32\svchost.exe[3404] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserW 000007fefeafe47c 7 bytes JMP 000007fefebf00cc
.text C:\Windows\system32\svchost.exe[3404] C:\Windows\system32\ADVAPI32.dll!OpenServiceW 000007fefeafe514 5 bytes JMP 000007fefebf05c7
.text C:\Windows\system32\svchost.exe[3404] C:\Windows\system32\ADVAPI32.dll!CryptAcquireContextW 000007fefeb001bc 8 bytes JMP 000007fefebf0264
.text C:\Windows\system32\svchost.exe[3404] C:\Windows\system32\ADVAPI32.dll!CryptHashData 000007fefeb0025c 5 bytes JMP 000007fefebf03c9
.text C:\Windows\system32\svchost.exe[3404] C:\Windows\system32\ADVAPI32.dll!CryptCreateHash 000007fefeb00290 9 bytes JMP 000007fefebf0297
.text C:\Windows\system32\svchost.exe[3404] C:\Windows\system32\ADVAPI32.dll!CryptGetHashParam 000007fefeb002bc 8 bytes JMP 000007fefebf0396
.text C:\Windows\system32\svchost.exe[3404] C:\Windows\system32\ADVAPI32.dll!OpenServiceA 000007fefeb09d6c 5 bytes JMP 000007fefebf0594
.text C:\Windows\system32\svchost.exe[3404] C:\Windows\system32\ADVAPI32.dll!CloseServiceHandle 000007fefeb0a830 14 bytes {JMP QWORD [RIP+0x0]}
.text C:\Windows\system32\svchost.exe[3404] C:\Windows\system32\ADVAPI32.dll!CreateServiceW 000007fefeb149b0 7 bytes JMP 000007fefebf0198
.text C:\Windows\system32\svchost.exe[3404] C:\Windows\system32\ADVAPI32.dll!ControlService 000007fefeb14a50 5 bytes JMP 000007fefebf0000
.text C:\Windows\system32\svchost.exe[3404] C:\Windows\system32\ADVAPI32.dll!CryptEncrypt 000007fefeb2a408 11 bytes JMP 000007fefebf02fd
.text C:\Windows\system32\svchost.exe[3404] C:\Windows\system32\ADVAPI32.dll!CryptDeriveKey 000007fefeb2a454 9 bytes JMP 000007fefebf02ca
.text C:\Windows\system32\svchost.exe[3404] C:\Windows\system32\ADVAPI32.dll!CreateServiceA 000007fefeb2a490 7 bytes JMP 000007fefebf0165
.text C:\Windows\system32\svchost.exe[3404] C:\Windows\system32\ADVAPI32.dll!ControlServiceExW + 1 000007fefeb2a5e9 4 bytes {JMP 0xc5a7e}
.text C:\Windows\system32\svchost.exe[3404] C:\Windows\system32\ADVAPI32.dll!ControlServiceExA + 1 000007fefeb2a5f5 4 bytes {JMP 0xc5a3f}
.text C:\Windows\system32\svchost.exe[3404] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigW 000007fefeb2a600 12 bytes {JMP QWORD [RIP+0x0]}
.text C:\Windows\system32\svchost.exe[3404] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigW + 14 000007fefeb2a60e 1 byte INT3
.text C:\Windows\system32\svchost.exe[3404] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigA 000007fefeb2a66c 12 bytes {JMP QWORD [RIP+0x0]}
.text C:\Windows\system32\svchost.exe[3404] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigA + 14 000007fefeb2a67a 1 byte INT3
.text C:\Windows\system32\svchost.exe[3404] C:\Windows\system32\ADVAPI32.dll!LsaQueryTrustedDomainInfoByName 000007fefeb39490 7 bytes JMP 000007fefebf0561
.text C:\Windows\system32\svchost.exe[3404] C:\Windows\system32\ADVAPI32.dll!LsaQueryTrustedDomainInfo 000007fefeb39640 5 bytes JMP 000007fefebf052e
.text C:\Windows\system32\svchost.exe[3404] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007fefeb3a8d0 7 bytes JMP 000007fefebf0099
.text C:\Windows\system32\svchost.exe[3404] C:\Windows\system32\ADVAPI32.dll!FlushEfsCache 000007fefeb51380 6 bytes JMP 000007fefebf0462
.text C:\Windows\system32\svchost.exe[3404] C:\Windows\system32\ADVAPI32.dll!SetUserFileEncryptionKey 000007fefeb51650 6 bytes JMP 000007fefebf05fa
.text C:\Windows\system32\svchost.exe[3404] C:\Windows\system32\ADVAPI32.dll!EncryptFileW 000007fefeb51c00 6 bytes JMP 000007fefebf042f
.text C:\Windows\system32\svchost.exe[3404] C:\Windows\system32\ADVAPI32.dll!InitiateShutdownW 000007fefeb53690 7 bytes JMP 000007fefebf0495
.text C:\Windows\system32\svchost.exe[3404] C:\Windows\system32\ADVAPI32.dll!InitiateSystemShutdownExW 000007fefeb53800 7 bytes JMP 000007fefebf04c8
.text C:\Windows\system32\svchost.exe[3404] C:\Windows\system32\ADVAPI32.dll!InitiateSystemShutdownW 000007fefeb53920 7 bytes JMP 000007fefebf04fb
.text C:\Windows\system32\svchost.exe[3404] C:\Windows\system32\ADVAPI32.dll!CredEnumerateW 000007fefeb5def0 7 bytes JMP 000007fefebf01fe
.text C:\Windows\system32\svchost.exe[3404] C:\Windows\system32\ADVAPI32.dll!CredEnumerateA 000007fefeb5e020 7 bytes JMP 000007fefebf01cb
.text C:\Windows\system32\svchost.exe[3404] C:\Windows\system32\ADVAPI32.dll!CreateProcessWithTokenW 000007fefeb60f10 7 bytes JMP 000007fefebf0132
.text C:\Windows\system32\svchost.exe[3404] C:\Windows\system32\ADVAPI32.dll!CreateProcessWithLogonW 000007fefeb60f80 7 bytes JMP 000007fefebf00ff
.text C:\Windows\system32\svchost.exe[3404] C:\Windows\system32\GDI32.dll!CreateCompatibleDC 000007fefedb1c64 5 bytes JMP 000007fefebf06c6
.text C:\Windows\system32\svchost.exe[3404] C:\Windows\system32\GDI32.dll!CreateBitmap 000007fefedb1f30 6 bytes JMP 000007fefebf0660
.text C:\Windows\system32\svchost.exe[3404] C:\Windows\system32\GDI32.dll!BitBlt 000007fefedb24c0 5 bytes JMP 000007fefebf062d
.text C:\Windows\system32\svchost.exe[3404] C:\Windows\system32\GDI32.dll!CreateCompatibleBitmap 000007fefedb2d20 5 bytes JMP 000007fefebf0693
.text C:\Windows\system32\svchost.exe[3404] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefedb8328 9 bytes JMP 000007fefebf072c
.text C:\Windows\system32\svchost.exe[3404] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefedb8960 9 bytes JMP 000007fefebf06f9
.text C:\Windows\system32\svchost.exe[3404] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefe756d10 11 bytes JMP 000007fefebf075f
.text C:\Windows\system32\svchost.exe[3404] C:\Windows\system32\ole32.dll!CoGetClassObject 000007fefe7624f8 5 bytes JMP 000007fefebf0792
.text C:\Windows\system32\svchost.exe[3404] C:\Windows\system32\ole32.dll!CoGetObject 000007fefe893900 5 bytes JMP 000007fefebf07c5
.text C:\Windows\system32\svchost.exe[3404] C:\Windows\system32\SSPICLI.DLL!GetUserNameExW 000007fefd591118 7 bytes JMP 000007fefebf08f7
.text C:\Windows\system32\svchost.exe[3404] C:\Windows\system32\SSPICLI.DLL!GetUserNameExA 000007fefd591640 7 bytes JMP 000007fefebf08c4
.text C:\Windows\system32\svchost.exe[3404] C:\Windows\system32\SSPICLI.DLL!LsaCallAuthenticationPackage 000007fefd5955b8 5 bytes JMP 000007fefebf092a
.text C:\Windows\system32\svchost.exe[3404] C:\Windows\system32\SSPICLI.DLL!EnumerateSecurityPackagesW 000007fefd597358 5 bytes JMP 000007fefebf0891
.text C:\Windows\system32\svchost.exe[3404] C:\Windows\system32\SSPICLI.DLL!EnumerateSecurityPackagesA 000007fefd5a57c0 5 bytes JMP 000007fefebf085e
.text C:\Windows\system32\svchost.exe[3404] C:\Windows\system32\CRYPTSP.dll!CryptAcquireContextW 000007fefccc3b98 7 bytes JMP 000007fefebf0b5b
.text C:\Windows\system32\svchost.exe[3404] C:\Windows\system32\CRYPTSP.dll!CryptAcquireContextA 000007fefccc3ca8 5 bytes JMP 000007fefebf0b28
.text C:\Windows\system32\svchost.exe[3404] C:\Windows\system32\CRYPTSP.dll!CryptExportKey 000007fefccc55ac 7 bytes JMP 000007fefebf0bc1
.text C:\Windows\system32\svchost.exe[3404] C:\Windows\system32\CRYPTSP.dll!CryptImportKey 000007fefccc56fc 7 bytes JMP 000007fefebf0c5a
.text C:\Windows\system32\svchost.exe[3404] C:\Windows\system32\CRYPTSP.dll!CryptCreateHash 000007fefccc5be4 7 bytes JMP 000007fefebf0b8e
.text C:\Windows\system32\svchost.exe[3404] C:\Windows\system32\CRYPTSP.dll!CryptHashData 000007fefccc5f80 7 bytes JMP 000007fefebf0c27
.text C:\Windows\system32\svchost.exe[3404] C:\Windows\system32\CRYPTSP.dll!CryptGetHashParam 000007fefccc698c 7 bytes JMP 000007fefebf0bf4
.text C:\Windows\system32\svchost.exe[3404] C:\Windows\system32\CRYPT32.dll!CertAddEncodedCertificateToStore 000007fefd828f08 7 bytes JMP 000007fefebf0cf3
.text C:\Windows\system32\svchost.exe[3404] C:\Windows\system32\CRYPT32.dll!CertAddCRLContextToStore 000007fefd84cd00 5 bytes JMP 000007fefebf0cc0
.text C:\Windows\system32\svchost.exe[3404] C:\Windows\system32\CRYPT32.dll!CertCreateSelfSignCertificate 000007fefd8764fc 5 bytes JMP 000007fefebf0d26
.text C:\Program Files\Bitdefender\Bitdefender Security\updatesrv.exe[3432] C:\Windows\system32\kernel32.dll!UnhandledExceptionFilter + 1 00000000778fbaa1 11 bytes [B8, F0, 12, 2D, 04, 00, 00, ...]
.text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[3484] C:\Windows\SysWOW64\ntdll.dll!NtWriteFile 0000000077c7f938 5 bytes JMP 000000007ef809f6
.text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[3484] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationThread 0000000077c7f9bc 5 bytes JMP 000000007ef80792
.text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[3484] C:\Windows\SysWOW64\ntdll.dll!NtClose 0000000077c7f9f0 5 bytes JMP 000000007ef801dc
.text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[3484] C:\Windows\SysWOW64\ntdll.dll!NtQueryInformationProcess 0000000077c7fae8 5 bytes JMP 000000007ef80990
.text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[3484] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess 0000000077c7fc30 5 bytes JMP 000000007ef80374
.text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[3484] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 0000000077c7fc60 5 bytes JMP 000000007ef80462
.text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[3484] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection 0000000077c7fc90 5 bytes JMP 000000007ef8085e
.text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[3484] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077c7fcc0 5 bytes JMP 000000007ef80000
.text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[3484] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 0000000077c7fe24 5 bytes JMP 000000007ef802ec
.text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[3484] C:\Windows\SysWOW64\ntdll.dll!NtDuplicateObject 0000000077c7fe54 5 bytes JMP 000000007ef803b8
.text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[3484] C:\Windows\SysWOW64\ntdll.dll!NtReadVirtualMemory 0000000077c7fea0 5 bytes JMP 000000007ef80682
.text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[3484] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 0000000077c7fed0 5 bytes JMP 000000007ef80044
.text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[3484] C:\Windows\SysWOW64\ntdll.dll!NtQueueApcThread 0000000077c7ff34 5 bytes JMP 000000007ef803fc
.text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[3484] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 0000000077c7ffb4 5 bytes JMP 000000007ef80a18
.text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[3484] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcessEx 0000000077c7fffc 5 bytes JMP 000000007ef80220
.text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[3484] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077c80014 5 bytes JMP 000000007ef802a8
.text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[3484] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 0000000077c80078 5 bytes JMP 000000007ef80880
.text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[3484] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077c803c8 5 bytes JMP 000000007ef807b4
.text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[3484] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort 0000000077c803e0 5 bytes JMP 000000007ef807d6
.text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[3484] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077c80560 5 bytes JMP 000000007ef807f8
.text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[3484] C:\Windows\SysWOW64\ntdll.dll!NtCommitTransaction 0000000077c80628 5 bytes JMP 000000007ef80a5c
.text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[3484] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 0000000077c807ac 5 bytes JMP 000000007ef80aa0
.text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[3484] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcess 0000000077c80824 5 bytes JMP 000000007ef801fe
.text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[3484] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000077c8089c 5 bytes JMP 000000007ef80ae4
.text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[3484] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077c808b4 5 bytes JMP 000000007ef802ca
.text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[3484] C:\Windows\SysWOW64\ntdll.dll!NtCreateTransaction 0000000077c808fc 2 bytes JMP 000000007ef809b2
.text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[3484] C:\Windows\SysWOW64\ntdll.dll!NtCreateTransaction + 3 0000000077c808ff 2 bytes [30, 07]
.text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[3484] C:\Windows\SysWOW64\ntdll.dll!NtCreateUserProcess 0000000077c8092c 5 bytes JMP 000000007ef80242
.text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[3484] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077c80e04 5 bytes JMP 000000007ef80ac2
.text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[3484] C:\Windows\SysWOW64\ntdll.dll!NtQuerySystemEnvironmentValueEx 0000000077c81598 5 bytes JMP 000000007ef8083c
.text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[3484] C:\Windows\SysWOW64\ntdll.dll!NtRaiseHardError 0000000077c81614 5 bytes JMP 000000007ef80132
.text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[3484] C:\Windows\SysWOW64\ntdll.dll!NtRollbackTransaction 0000000077c81854 5 bytes JMP 000000007ef80a3a
.text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[3484] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077c81930 5 bytes JMP 000000007ef8041e
.text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[3484] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationTransaction 0000000077c81ab0 5 bytes JMP 000000007ef80a7e
.text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[3484] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemEnvironmentValueEx 0000000077c81bdc 5 bytes JMP 000000007ef8081a
.text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[3484] C:\Windows\SysWOW64\ntdll.dll!NtWow64WriteVirtualMemory64 0000000077c8212c 5 bytes JMP 000000007ef8030e
.text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[3484] C:\Windows\SysWOW64\ntdll.dll!RtlImageNtHeaderEx 0000000077c8f535 7 bytes JMP 000000007ef80022
.text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[3484] C:\Windows\SysWOW64\ntdll.dll!RtlReportException 0000000077d0869b 5 bytes JMP 000000007ef80154
.text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[3484] C:\Windows\syswow64\kernel32.dll!CreateProcessW 0000000075b7103d 5 bytes JMP 000000007ef805b6
.text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[3484] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000075b71072 5 bytes JMP 000000007ef80594
.text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[3484] C:\Windows\syswow64\kernel32.dll!LoadLibraryW 0000000075b748f3 5 bytes JMP 000000007ef8061c
.text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[3484] C:\Windows\syswow64\kernel32.dll!LoadLibraryA 0000000075b7499f 5 bytes JMP 000000007ef805fa
.text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[3484] C:\Windows\syswow64\kernel32.dll!GetNativeSystemInfo 0000000075b810a5 5 bytes JMP 000000007ef808a2
.text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[3484] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000075b83be3 5 bytes JMP 000000007ef80352
.text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[3484] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 0000000075b89ae4 5 bytes JMP 000000007ef80550
.text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[3484] C:\Windows\syswow64\kernel32.dll!MoveFileExW 0000000075b89b45 5 bytes JMP 000000007ef8050c
.text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[3484] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalA 0000000075b8a4cf 5 bytes JMP 000000007ef80330
.text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[3484] C:\Windows\syswow64\kernel32.dll!K32GetModuleBaseNameW 0000000075b8fce8 5 bytes JMP 000000007ef806c6
.text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[3484] C:\Windows\syswow64\kernel32.dll!GetVolumeInformationA 0000000075b96de3 7 bytes JMP 000000007ef8094c
.text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[3484] C:\Windows\syswow64\kernel32.dll!CreateToolhelp32Snapshot 0000000075b9736f 7 bytes JMP 000000007ef80440
.text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[3484] C:\Windows\syswow64\kernel32.dll!GetApplicationRecoveryCallback 0000000075b97e45 5 bytes JMP 000000007ef806a4
.text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[3484] C:\Windows\syswow64\kernel32.dll!Process32NextW 0000000075b98922 5 bytes JMP 000000007ef801ba
.text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[3484] C:\Windows\syswow64\kernel32.dll!K32GetModuleFileNameExW 0000000075b9b263 5 bytes JMP 000000007ef806e8
.text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[3484] C:\Windows\syswow64\kernel32.dll!K32EnumProcessModules 0000000075b9b38e 5 bytes JMP 000000007ef8072c
.text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[3484] C:\Windows\syswow64\kernel32.dll!MoveFileExA 0000000075b9ccf1 5 bytes JMP 000000007ef804ea
.text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[3484] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 0000000075b9cd11 5 bytes JMP 000000007ef8052e
.text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[3484] C:\Windows\syswow64\kernel32.dll!DefineDosDeviceA 0000000075beade4 5 bytes JMP 000000007ef804a6
.text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[3484] C:\Windows\syswow64\kernel32.dll!CreateFileTransactedW 0000000075bee3c5 7 bytes JMP 000000007ef809d4
.text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[3484] C:\Windows\syswow64\kernel32.dll!CreateNamedPipeA 0000000075bf1ddf 5 bytes JMP 000000007ef80b06
.text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[3484] C:\Windows\syswow64\kernel32.dll!WinExec 0000000075bf31f9 5 bytes JMP 000000007ef80b4a
.text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[3484] C:\Windows\syswow64\kernel32.dll!GetApplicationRestartSettings 0000000075bfe766 5 bytes JMP 000000007ef80770
.text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[3484] C:\Windows\syswow64\kernel32.dll!PeekConsoleInputA 0000000075c1769d 5 bytes JMP 000000007ef800ee
.text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[3484] C:\Windows\syswow64\kernel32.dll!PeekConsoleInputW 0000000075c176c0 5 bytes JMP 000000007ef80110
.text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[3484] C:\Windows\syswow64\kernel32.dll!ReadConsoleInputA 0000000075c176e3 5 bytes JMP 000000007ef800aa
.text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[3484] C:\Windows\syswow64\kernel32.dll!ReadConsoleInputW 0000000075c17706 5 bytes JMP 000000007ef800cc
.text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[3484] C:\Windows\syswow64\kernel32.dll!ReadConsoleA 0000000075c17ab1 5 bytes JMP 000000007ef80066
.text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[3484] C:\Windows\syswow64\kernel32.dll!ReadConsoleW 0000000075c17b2a 5 bytes JMP 000000007ef80088
.text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[3484] C:\Windows\syswow64\kernel32.dll!GenerateConsoleCtrlEvent 0000000075c181df 5 bytes JMP 000000007ef80660
.text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[3484] C:\Windows\syswow64\kernel32.dll!K32EnumDeviceDrivers 0000000075c189ea 7 bytes JMP 000000007ef8092a
.text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[3484] C:\Windows\syswow64\kernel32.dll!K32EnumProcessModulesEx 0000000075c1906c 7 bytes JMP 000000007ef8074e
.text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[3484] C:\Windows\syswow64\kernel32.dll!K32GetModuleInformation 0000000075c190f1 5 bytes JMP 000000007ef8070a
.text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[3484] C:\Windows\syswow64\KERNELBASE.dll!CreateNamedPipeW 0000000076327e9d 5 bytes JMP 000000007ef80b28
.text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[3484] C:\Windows\syswow64\KERNELBASE.dll!CloseHandle 000000007632c558 5 bytes JMP 000000007ef80484
.text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[3484] C:\Windows\syswow64\KERNELBASE.dll!GetLogicalProcessorInformation 000000007632f146 5 bytes JMP 000000007ef808e6
.text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[3484] C:\Windows\syswow64\KERNELBASE.dll!GetLogicalProcessorInformationEx 000000007632f1a0 5 bytes JMP 000000007ef80908
.text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[3484] C:\Windows\syswow64\KERNELBASE.dll!TerminateProcess 000000007632f341 5 bytes JMP 000000007ef8063e
.text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[3484] C:\Windows\syswow64\KERNELBASE.dll!GetSystemInfo 000000007632f472 5 bytes JMP 000000007ef808c4
.text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[3484] C:\Windows\syswow64\KERNELBASE.dll!DefineDosDeviceW 000000007632fcda 5 bytes JMP 000000007ef804c8
.text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[3484] C:\Windows\syswow64\KERNELBASE.dll!SetEnvironmentVariableA 00000000763306bc 5 bytes JMP 000000007ef80176
.text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[3484] C:\Windows\syswow64\KERNELBASE.dll!SetEnvironmentVariableW 00000000763307ff 5 bytes JMP 000000007ef80198
.text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[3484] C:\Windows\syswow64\KERNELBASE.dll!GetProcAddress 0000000076331f38 5 bytes JMP 000000007ef805d8
.text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[3484] C:\Windows\syswow64\KERNELBASE.dll!OpenThread 000000007633396a 5 bytes JMP 000000007ef80396
.text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[3484] C:\Windows\syswow64\KERNELBASE.dll!QueueUserAPC 0000000076333e5b 5 bytes JMP 000000007ef803da
.text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[3484] C:\Windows\syswow64\KERNELBASE.dll!CreateRemoteThreadEx 0000000076333fdf 5 bytes JMP 000000007ef80286
.text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[3484] C:\Windows\syswow64\KERNELBASE.dll!CreateRemoteThread 0000000076334798 5 bytes JMP 000000007ef80264
.text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[3484] C:\Windows\syswow64\KERNELBASE.dll!GetVolumeInformationW 00000000763370b5 5 bytes JMP 000000007ef8096e
.text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[3484] C:\Windows\syswow64\KERNELBASE.dll!DeleteFileW 0000000076339dcf 5 bytes JMP 000000007ef80572
.text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[3484] C:\Windows\syswow64\KERNELBASE.dll!CreateFileW 000000007633c40d 5 bytes JMP 000000007ef80b8e
.text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[3484] C:\Windows\syswow64\KERNELBASE.dll!CreateFileA 000000007633c8a8 5 bytes JMP 000000007ef80b6c
.text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[3484] C:\Windows\syswow64\USER32.dll!GetDC 0000000076af72cc 5 bytes JMP 000000007ef814fc
.text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[3484] C:\Windows\syswow64\USER32.dll!GetMessageW 0000000076af78f2 5 bytes JMP 000000007ef815c8
.text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[3484] C:\Windows\syswow64\USER32.dll!GetMessageA 0000000076af7be3 5 bytes JMP 000000007ef815a6
.text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[3484] C:\Windows\syswow64\USER32.dll!SetPropW 0000000076af7fde 5 bytes JMP 000000007ef817a4
.text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[3484] C:\Windows\syswow64\USER32.dll!GetWindowDC 0000000076af8058 5 bytes JMP 000000007ef8160c
.text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[3484] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000076af8342 5 bytes JMP 000000007ef8180a
.text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[3484] C:\Windows\syswow64\USER32.dll!CreateWindowExW 0000000076af8a39 5 bytes JMP 000000007ef813ca
.text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[3484] C:\Windows\syswow64\USER32.dll!SetWindowPos 0000000076af8e5e 5 bytes JMP 000000007ef8182c
.text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[3484] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 0000000076af90e3 7 bytes JMP 000000007ef818d6
.text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[3484] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000076af9689 5 bytes JMP 000000007ef816fa
.text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[3484] C:\Windows\syswow64\USER32.dll!FindWindowW 0000000076af990d 5 bytes JMP 000000007ef81496
.text C:\Windows\system32\svchost.exe[4168] C:\Windows\system32\GDI32.dll!CreateCompatibleBitmap 000007fefedb2d20 5 bytes JMP 000007fefebf06f9
.text C:\Windows\system32\svchost.exe[4168] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefedb8328 9 bytes JMP 000007fefebf0792
.text C:\Windows\system32\svchost.exe[4168] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefedb8960 9 bytes JMP 000007fefebf075f
.text C:\Windows\system32\svchost.exe[4168] C:\Windows\system32\SSPICLI.DLL!GetUserNameExW 000007fefd591118 7 bytes JMP 000007fefebf0a8f
.text C:\Windows\system32\svchost.exe[4168] C:\Windows\system32\SSPICLI.DLL!GetUserNameExA 000007fefd591640 7 bytes JMP 000007fefebf0a5c
.text C:\Windows\system32\svchost.exe[4168] C:\Windows\system32\SSPICLI.DLL!LsaCallAuthenticationPackage 000007fefd5955b8 5 bytes JMP 000007fefebf0ac2
.text C:\Windows\system32\svchost.exe[4168] C:\Windows\system32\SSPICLI.DLL!EnumerateSecurityPackagesW 000007fefd597358 5 bytes JMP 000007fefebf0a29
.text C:\Windows\system32\svchost.exe[4168] C:\Windows\system32\SSPICLI.DLL!EnumerateSecurityPackagesA 000007fefd5a57c0 5 bytes JMP 000007fefebf09f6
.text C:\Windows\system32\svchost.exe[4168] C:\Windows\system32\WS2_32.dll!WSASend 000007fefe9e13b0 5 bytes JMP 000007fefebf0d8c
.text C:\Windows\system32\svchost.exe[4168] C:\Windows\system32\WS2_32.dll!closesocket 000007fefe9e18e0 5 bytes JMP 000007fefebf0e25
.text C:\Windows\system32\svchost.exe[4168] C:\Windows\system32\WS2_32.dll!WSASocketW 000007fefe9e1bd0 5 bytes JMP 000007fefebf0df2
.text C:\Windows\system32\svchost.exe[4168] C:\Windows\system32\WS2_32.dll!WSASocketA 000007fefe9e2010 11 bytes JMP 000007fefebf0dbf
.text C:\Windows\system32\svchost.exe[4168] C:\Windows\system32\WS2_32.dll!GetAddrInfoW 000007fefe9e23c0 5 bytes JMP 000007fefebf0cf3
.text C:\Windows\system32\svchost.exe[4168] C:\Windows\system32\WS2_32.dll!connect 000007fefe9e45c0 5 bytes JMP 000007fefebf0e58
.text C:\Windows\system32\svchost.exe[4168] C:\Windows\system32\WS2_32.dll!send 000007fefe9e8000 5 bytes JMP 000007fefebf0ebe
.text C:\Windows\system32\svchost.exe[4168] C:\Windows\system32\WS2_32.dll!gethostbyname 000007fefe9e8df0 9 bytes JMP 000007fefebf0e8b
.text C:\Windows\system32\svchost.exe[4168] C:\Windows\system32\WS2_32.dll!GetAddrInfoExW 000007fefe9ec090 5 bytes JMP 000007fefebf0cc0
.text C:\Windows\system32\svchost.exe[4168] C:\Windows\system32\WS2_32.dll!WSAIoctl 000007fefe9ed620 5 bytes JMP 000007fefebf0d59
.text C:\Windows\system32\svchost.exe[4168] C:\Windows\system32\WS2_32.dll!sendto 000007fefe9ed7f0 7 bytes JMP 000007fefebf0ef1
.text C:\Windows\system32\svchost.exe[4168] C:\Windows\system32\WS2_32.dll!socket 000007fefe9ede90 5 bytes JMP 000007fefebf0f24
.text C:\Windows\system32\svchost.exe[4168] C:\Windows\system32\WS2_32.dll!WSAConnect 000007fefea0e0f0 7 bytes JMP 000007fefebf0d26
.text C:\Windows\system32\svchost.exe[4168] C:\Windows\system32\IPHLPAPI.DLL!GetAdaptersAddresses 000007fefa2b2aa4 5 bytes JMP 000007fefebf0ff0
.text C:\Windows\system32\svchost.exe[4168] C:\Windows\system32\IPHLPAPI.DLL!GetAdaptersInfo 000007fefa2b792c 5 bytes JMP 000007fefebf1023
.text C:\Windows\system32\svchost.exe[4168] C:\Windows\system32\IPHLPAPI.DLL!ResolveIpNetEntry2 000007fefa2b8d44 7 bytes JMP 000007fefebf10bc
.text C:\Windows\system32\svchost.exe[4168] C:\Windows\system32\IPHLPAPI.DLL!GetIpNetTable 000007fefa2be51c 7 bytes JMP 000007fefebf1056
.text C:\Windows\system32\svchost.exe[4168] C:\Windows\system32\IPHLPAPI.DLL!SendARP 000007fefa2bf354 5 bytes JMP 000007fefebf10ef
.text C:\Windows\system32\svchost.exe[4168] C:\Windows\system32\IPHLPAPI.DLL!GetIpNetTable2 000007fefa2c8520 6 bytes JMP 000007fefebf1089
.text C:\Windows\system32\taskhost.exe[4532] C:\Windows\SYSTEM32\ntdll.dll!NtWriteFile 0000000077acbbb0 8 bytes JMP 0000000077c30ef1
.text C:\Windows\system32\taskhost.exe[4532] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 0000000077acbc00 8 bytes JMP 0000000077c30b28
.text C:\Windows\system32\taskhost.exe[4532] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077acbc20 8 bytes JMP 0000000077c302ca
.text C:\Windows\system32\taskhost.exe[4532] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 0000000077acbcc0 8 bytes JMP 0000000077c30e58
.text C:\Windows\system32\taskhost.exe[4532] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077acbd90 8 bytes JMP 0000000077c304fb
.text C:\Windows\system32\taskhost.exe[4532] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000077acbdb0 8 bytes JMP 0000000077c30660
.text C:\Windows\system32\taskhost.exe[4532] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 0000000077acbdd0 8 bytes JMP 0000000077c30c5a
.text C:\Windows\system32\taskhost.exe[4532] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077acbdf0 8 bytes JMP 0000000077c30000
.text C:\Windows\system32\taskhost.exe[4532] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077acbed0 8 bytes JMP 0000000077c30462
.text C:\Windows\system32\taskhost.exe[4532] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077acbef0 8 bytes JMP 0000000077c30561
.text C:\Windows\system32\taskhost.exe[4532] C:\Windows\SYSTEM32\ntdll.dll!NtReadVirtualMemory 0000000077acbf20 8 bytes JMP 0000000077c30990
.text C:\Windows\system32\taskhost.exe[4532] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077acbf40 8 bytes JMP 0000000077c30066
.text C:\Windows\system32\taskhost.exe[4532] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077acbf80 8 bytes JMP 0000000077c305c7
.text C:\Windows\system32\taskhost.exe[4532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077acbfd0 8 bytes JMP 0000000077c30f24
.text C:\Windows\system32\taskhost.exe[4532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 0000000077acc000 8 bytes JMP 0000000077c30330
.text C:\Windows\system32\taskhost.exe[4532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077acc010 8 bytes JMP 0000000077c303fc
.text C:\Windows\system32\taskhost.exe[4532] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000077acc050 8 bytes JMP 0000000077c30cc0
.text C:\Windows\system32\taskhost.exe[4532] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077acc270 8 bytes JMP 0000000077c30b5b
.text C:\Windows\system32\taskhost.exe[4532] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000077acc280 8 bytes JMP 0000000077c30b8e
.text C:\Windows\system32\taskhost.exe[4532] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077acc380 8 bytes JMP 0000000077c30bc1
.text C:\Windows\system32\taskhost.exe[4532] C:\Windows\SYSTEM32\ntdll.dll!NtCommitTransaction 0000000077acc400 8 bytes JMP 0000000077c30f8a
.text C:\Windows\system32\taskhost.exe[4532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077acc500 8 bytes JMP 0000000077c30ff0
.text C:\Windows\system32\taskhost.exe[4532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 0000000077acc550 8 bytes JMP 0000000077c302fd
.text C:\Windows\system32\taskhost.exe[4532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077acc5a0 8 bytes JMP 0000000077c31056
.text C:\Windows\system32\taskhost.exe[4532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077acc5b0 8 bytes JMP 0000000077c3042f
.text C:\Windows\system32\taskhost.exe[4532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTransaction 0000000077acc5e0 8 bytes JMP 0000000077c30e8b
.text C:\Windows\system32\taskhost.exe[4532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 0000000077acc600 8 bytes JMP 0000000077c30363
.text C:\Windows\system32\taskhost.exe[4532] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077acc920 8 bytes JMP 0000000077c31023
.text C:\Windows\system32\taskhost.exe[4532] C:\Windows\SYSTEM32\ntdll.dll!NtQuerySystemEnvironmentValueEx 0000000077acce10 8 bytes JMP 0000000077c30c27
.text C:\Windows\system32\taskhost.exe[4532] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError 0000000077acce60 8 bytes JMP 0000000077c301cb
.text C:\Windows\system32\taskhost.exe[4532] C:\Windows\SYSTEM32\ntdll.dll!NtRollbackTransaction 0000000077accfd0 8 bytes JMP 0000000077c30f57
.text C:\Windows\system32\taskhost.exe[4532] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077acd060 8 bytes JMP 0000000077c305fa
.text C:\Windows\system32\taskhost.exe[4532] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationTransaction 0000000077acd150 8 bytes JMP 0000000077c30fbd
.text C:\Windows\system32\taskhost.exe[4532] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemEnvironmentValueEx 0000000077acd210 8 bytes JMP 0000000077c30bf4
.text C:\Windows\system32\taskhost.exe[4532] C:\Windows\SYSTEM32\ntdll.dll!RtlImageNtHeaderEx 0000000077ad1fd0 5 bytes JMP 0000000077c30033
.text C:\Windows\system32\taskhost.exe[4532] C:\Windows\SYSTEM32\ntdll.dll!RtlWow64SetThreadContext 0000000077b26b30 5 bytes JMP 0000000077c30c8d
.text C:\Windows\system32\taskhost.exe[4532] C:\Windows\SYSTEM32\ntdll.dll!RtlWow64SetThreadContext + 6 0000000077b26b36 3 bytes [CC, CC, CC]
.text C:\Windows\system32\taskhost.exe[4532] C:\Windows\SYSTEM32\ntdll.dll!RtlReportException 0000000077b3e210 5 bytes JMP 0000000077c301fe
.text C:\Windows\system32\taskhost.exe[4532] C:\Windows\system32\kernel32.dll!Process32NextW 0000000077861b20 7 bytes JMP 0000000077c30297
.text C:\Windows\system32\taskhost.exe[4532] C:\Windows\system32\kernel32.dll!CreateToolhelp32Snapshot 0000000077861c10 7 bytes JMP 0000000077c3062d
.text C:\Windows\system32\taskhost.exe[4532] C:\Windows\system32\kernel32.dll!MoveFileExW 0000000077862b60 13 bytes JMP 0000000077c3075f
.text C:\Windows\system32\taskhost.exe[4532] C:\Windows\system32\kernel32.dll!K32EnumDeviceDrivers 0000000077869a60 5 bytes JMP 0000000077c30dbf
.text C:\Windows\system32\taskhost.exe[4532] C:\Windows\system32\kernel32.dll!GetNativeSystemInfo 000000007786ac80 6 bytes JMP 0000000077c30cf3
.text C:\Windows\system32\taskhost.exe[4532] C:\Windows\system32\kernel32.dll!PeekConsoleInputW 000000007786c400 9 bytes JMP 0000000077c30198
.text C:\Windows\system32\taskhost.exe[4532] C:\Windows\system32\kernel32.dll!LoadLibraryW 0000000077876410 5 bytes JMP 0000000077c308f7
.text C:\Windows\system32\taskhost.exe[4532] C:\Windows\system32\kernel32.dll!LoadLibraryA 0000000077876500 5 bytes JMP 0000000077c308c4
.text C:\Windows\system32\taskhost.exe[4532] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007787dbf0 5 bytes JMP 0000000077c304c8
.text C:\Windows\system32\taskhost.exe[4532] C:\Windows\system32\kernel32.dll!CreateProcessW 00000000778805e0 12 bytes JMP 0000000077c3085e
.text C:\Windows\system32\taskhost.exe[4532] C:\Windows\system32\kernel32.dll!GenerateConsoleCtrlEvent 00000000778a0e70 4 bytes JMP 0000000077c3095d
.text C:\Windows\system32\taskhost.exe[4532] C:\Windows\system32\kernel32.dll!GenerateConsoleCtrlEvent + 5 00000000778a0e75 2 bytes [CC, CC]
.text C:\Windows\system32\taskhost.exe[4532] C:\Windows\system32\kernel32.dll!K32EnumProcessModules 00000000778b4410 12 bytes JMP 0000000077c30a8f
.text C:\Windows\system32\taskhost.exe[4532] C:\Windows\system32\kernel32.dll!ReadConsoleInputW 00000000778b5460 6 bytes JMP 0000000077c30132
.text C:\Windows\system32\taskhost.exe[4532] C:\Windows\system32\kernel32.dll!ReadConsoleInputA 00000000778b5480 6 bytes JMP 0000000077c300ff
.text C:\Windows\system32\taskhost.exe[4532] C:\Windows\system32\kernel32.dll!PeekConsoleInputA 00000000778b54a0 9 bytes JMP 0000000077c30165
.text C:\Windows\system32\taskhost.exe[4532] C:\Windows\system32\kernel32.dll!GetVolumeInformationA 00000000778c1df0 7 bytes JMP 0000000077c30df2
.text C:\Windows\system32\taskhost.exe[4532] C:\Windows\system32\kernel32.dll!CreateNamedPipeA 00000000778c2dd0 5 bytes JMP 0000000077c31089
.text C:\Windows\system32\taskhost.exe[4532] C:\Windows\system32\kernel32.dll!DefineDosDeviceA 00000000778c5ae0 5 bytes JMP 0000000077c306c6
.text C:\Windows\system32\taskhost.exe[4532] C:\Windows\system32\kernel32.dll!K32EnumProcessModulesEx 00000000778c9c70 7 bytes JMP 0000000077c30ac2
.text C:\Windows\system32\taskhost.exe[4532] C:\Windows\system32\kernel32.dll!ReadConsoleW 00000000778ca820 5 bytes JMP 0000000077c300cc
.text C:\Windows\system32\taskhost.exe[4532] C:\Windows\system32\kernel32.dll!ReadConsoleA 00000000778ca930 5 bytes JMP 0000000077c30099
.text C:\Windows\system32\taskhost.exe[4532] C:\Windows\system32\kernel32.dll!CreateFileTransactedW 00000000778d5a60 7 bytes JMP 0000000077c30ebe
.text C:\Windows\system32\taskhost.exe[4532] C:\Windows\system32\kernel32.dll!K32GetModuleInformation 00000000778d9700 5 bytes JMP 0000000077c30a5c
.text C:\Windows\system32\taskhost.exe[4532] C:\Windows\system32\kernel32.dll!K32GetModuleBaseNameW 00000000778d97a0 5 bytes JMP 0000000077c309f6
.text C:\Windows\system32\taskhost.exe[4532] C:\Windows\system32\kernel32.dll!K32GetModuleFileNameExW 00000000778d9870 5 bytes JMP 0000000077c30a29
.text C:\Windows\system32\taskhost.exe[4532] C:\Windows\system32\kernel32.dll!GetApplicationRestartSettings + 1 00000000778df641 4 bytes {JMP 0x3514b5}
.text C:\Windows\system32\taskhost.exe[4532] C:\Windows\system32\kernel32.dll!GetApplicationRecoveryCallback 00000000778df650 7 bytes JMP 0000000077c309c3
.text C:\Windows\system32\taskhost.exe[4532] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 00000000778ef6d0 8 bytes JMP 0000000077c307c5
.text C:\Windows\system32\taskhost.exe[4532] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 00000000778ef8d0 8 bytes JMP 0000000077c30792
.text C:\Windows\system32\taskhost.exe[4532] C:\Windows\system32\kernel32.dll!MoveFileExA 00000000778ef900 10 bytes JMP 0000000077c3072c
.text C:\Windows\system32\taskhost.exe[4532] C:\Windows\system32\kernel32.dll!CreateProcessInternalA 00000000778fa2e0 7 bytes JMP 0000000077c30495
.text C:\Windows\system32\taskhost.exe[4532] C:\Windows\system32\kernel32.dll!CreateProcessA 00000000778fafb0 7 bytes JMP 0000000077c3082b
.text C:\Windows\system32\taskhost.exe[4532] C:\Windows\system32\kernel32.dll!WinExec 00000000778fb4f0 7 bytes JMP 0000000077c310ef
.text C:\Windows\system32\taskhost.exe[4532] C:\Windows\system32\KERNELBASE.dll!CloseHandle 000007fefda41860 12 bytes {JMP QWORD [RIP+0x0]}
.text C:\Windows\system32\taskhost.exe[4532] C:\Windows\system32\KERNELBASE.dll!CloseHandle + 13 000007fefda4186d 6 bytes [00, CC, CC, CC, CC, CC]
.text C:\Windows\system32\taskhost.exe[4532] C:\Windows\system32\KERNELBASE.dll!GetProcAddress 000007fefda43370 15 bytes {JMP QWORD [RIP+0x0]}
.text C:\Windows\system32\taskhost.exe[4532] C:\Windows\system32\KERNELBASE.dll!QueueUserAPC 000007fefda43d90 16 bytes {JMP QWORD [RIP+0x0]}
.text C:\Windows\system32\taskhost.exe[4532] C:\Windows\system32\KERNELBASE.dll!CreateFileW 000007fefda45fe0 20 bytes {JMP QWORD [RIP+0x0]}
.text C:\Windows\system32\taskhost.exe[4532] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThreadEx + 1 000007fefda4acb1 18 bytes {JMP QWORD [RIP+0x0]}
.text C:\Windows\system32\taskhost.exe[4532] C:\Windows\system32\KERNELBASE.dll!SetEnvironmentVariableW + 1 000007fefda4ee41 17 bytes {JMP QWORD [RIP+0x0]}
.text C:\Windows\system32\taskhost.exe[4532] C:\Windows\system32\KERNELBASE.dll!OpenThread 000007fefda4ef50 12 bytes {JMP QWORD [RIP+0x0]}
.text C:\Windows\system32\taskhost.exe[4532] C:\Windows\system32\KERNELBASE.dll!OpenThread + 14 000007fefda4ef5e 1 byte INT3
.text C:\Windows\system32\taskhost.exe[4532] C:\Windows\system32\KERNELBASE.dll!DeleteFileW 000007fefda53290 4 bytes [FF, 25, 00, 00]
.text C:\Windows\system32\taskhost.exe[4532] C:\Windows\system32\KERNELBASE.dll!DeleteFileW + 6 000007fefda53296 11 bytes [F8, 07, C3, 77, 00, 00, 00, ...]
.text C:\Windows\system32\taskhost.exe[4532] C:\Windows\system32\KERNELBASE.dll!GetVolumeInformationW 000007fefda53640 18 bytes {JMP QWORD [RIP+0x0]}
.text C:\Windows\system32\taskhost.exe[4532] C:\Windows\system32\KERNELBASE.dll!GetLogicalProcessorInformationEx 000007fefda55770 17 bytes {JMP QWORD [RIP+0x0]}
.text C:\Windows\system32\taskhost.exe[4532] C:\Windows\system32\KERNELBASE.dll!CreateNamedPipeW 000007fefda57310 10 bytes {JMP QWORD [RIP+0x0]}
.text C:\Windows\system32\taskhost.exe[4532] C:\Windows\system32\KERNELBASE.dll!CreateNamedPipeW + 12 000007fefda5731c 3 bytes [00, 00, CC]
.text C:\Windows\system32\taskhost.exe[4532] C:\Windows\system32\KERNELBASE.dll!GetSystemInfo + 1 000007fefda5a661 16 bytes {JMP QWORD [RIP+0x0]}
.text C:\Windows\system32\taskhost.exe[4532] C:\Windows\system32\KERNELBASE.dll!SetEnvironmentVariableA + 1 000007fefda73231 16 bytes {JMP QWORD [RIP+0x0]}
.text C:\Windows\system32\taskhost.exe[4532] C:\Windows\system32\KERNELBASE.dll!TerminateProcess 000007fefda73550 15 bytes {JMP QWORD [RIP+0x0]}
.text C:\Windows\system32\taskhost.exe[4532] C:\Windows\system32\KERNELBASE.dll!GetLogicalProcessorInformation 000007fefda73670 16 bytes {JMP QWORD [RIP+0x0]}
.text C:\Windows\system32\taskhost.exe[4532] C:\Windows\system32\KERNELBASE.dll!CreateFileA 000007fefda7afe0 15 bytes {JMP QWORD [RIP+0x0]}
.text C:\Windows\system32\taskhost.exe[4532] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW 000007fefda7ff00 19 bytes {JMP QWORD [RIP+0x0]}
.text C:\Windows\system32\taskhost.exe[4532] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread 000007fefda822c0 10 bytes {JMP QWORD [RIP+0x0]}
.text C:\Windows\system32\taskhost.exe[4532] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 12 000007fefda822cc 5 bytes [00, 00, CC, CC, CC]
.text C:\Windows\system32\taskhost.exe[4532] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefe756d10 11 bytes JMP 000007fefee207c5
.text C:\Windows\system32\taskhost.exe[4532] C:\Windows\system32\ole32.dll!CoGetClassObject 000007fefe7624f8 5 bytes JMP 000007fefee207f8
.text C:\Windows\system32\taskhost.exe[4532] C:\Windows\system32\ole32.dll!CoGetObject 000007fefe893900 5 bytes JMP 000007fefee2082b
.text C:\Windows\system32\taskhost.exe[4532] C:\Windows\system32\GDI32.dll!CreateCompatibleDC 000007fefedb1c64 5 bytes JMP 000007fefee206c6
.text C:\Windows\system32\taskhost.exe[4532] C:\Windows\system32\GDI32.dll!CreateBitmap 000007fefedb1f30 6 bytes JMP 000007fefee20660
.text C:\Windows\system32\taskhost.exe[4532] C:\Windows\system32\GDI32.dll!BitBlt 000007fefedb24c0 5 bytes JMP 000007fefee2062d
.text C:\Windows\system32\taskhost.exe[4532] C:\Windows\system32\GDI32.dll!CreateCompatibleBitmap 000007fefedb2d20 5 bytes JMP 000007fefee20693
.text C:\Windows\system32\taskhost.exe[4532] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefedb8328 9 bytes JMP 000007fefee2072c
.text C:\Windows\system32\taskhost.exe[4532] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefedb8960 9 bytes JMP 000007fefee206f9
.text C:\Windows\system32\taskhost.exe[4532] C:\Windows\system32\RPCRT4.dll!RpcBindingSetObject 000007fefe13e4b0 5 bytes JMP 000007fefee20792
.text C:\Windows\system32\taskhost.exe[4532] C:\Windows\system32\ADVAPI32.dll!CryptGenKey 000007fefeaf1980 5 bytes JMP 000007fefee20363
.text C:\Windows\system32\taskhost.exe[4532] C:\Windows\system32\ADVAPI32.dll!CryptExportKey 000007fefeafac20 9 bytes JMP 000007fefee20330
.text C:\Windows\system32\taskhost.exe[4532] C:\Windows\system32\ADVAPI32.dll!CryptAcquireContextA 000007fefeafac7c 8 bytes JMP 000007fefee20231
.text C:\Windows\system32\taskhost.exe[4532] C:\Windows\system32\ADVAPI32.dll!CryptImportKey 000007fefeafe414 9 bytes JMP 000007fefee203fc
.text C:\Windows\system32\taskhost.exe[4532] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserW 000007fefeafe47c 7 bytes JMP 000007fefee200cc
.text C:\Windows\system32\taskhost.exe[4532] C:\Windows\system32\ADVAPI32.dll!OpenServiceW 000007fefeafe514 5 bytes JMP 000007fefee205c7
.text C:\Windows\system32\taskhost.exe[4532] C:\Windows\system32\ADVAPI32.dll!CryptAcquireContextW 000007fefeb001bc 8 bytes JMP 000007fefee20264
.text C:\Windows\system32\taskhost.exe[4532] C:\Windows\system32\ADVAPI32.dll!CryptHashData 000007fefeb0025c 5 bytes JMP 000007fefee203c9
.text C:\Windows\system32\taskhost.exe[4532] C:\Windows\system32\ADVAPI32.dll!CryptCreateHash 000007fefeb00290 9 bytes JMP 000007fefee20297
.text C:\Windows\system32\taskhost.exe[4532] C:\Windows\system32\ADVAPI32.dll!CryptGetHashParam 000007fefeb002bc 8 bytes JMP 000007fefee20396
.text C:\Windows\system32\taskhost.exe[4532] C:\Windows\system32\ADVAPI32.dll!OpenServiceA 000007fefeb09d6c 5 bytes JMP 000007fefee20594
.text C:\Windows\system32\taskhost.exe[4532] C:\Windows\system32\ADVAPI32.dll!CloseServiceHandle 000007fefeb0a830 14 bytes {JMP QWORD [RIP+0x0]}
.text C:\Windows\system32\taskhost.exe[4532] C:\Windows\system32\ADVAPI32.dll!CreateServiceW 000007fefeb149b0 7 bytes JMP 000007fefee20198
.text C:\Windows\system32\taskhost.exe[4532] C:\Windows\system32\ADVAPI32.dll!ControlService 000007fefeb14a50 5 bytes JMP 000007fefee20000
.text C:\Windows\system32\taskhost.exe[4532] C:\Windows\system32\ADVAPI32.dll!CryptEncrypt 000007fefeb2a408 11 bytes JMP 000007fefee202fd
.text C:\Windows\system32\taskhost.exe[4532] C:\Windows\system32\ADVAPI32.dll!CryptDeriveKey 000007fefeb2a454 9 bytes JMP 000007fefee202ca
.text C:\Windows\system32\taskhost.exe[4532] C:\Windows\system32\ADVAPI32.dll!CreateServiceA 000007fefeb2a490 7 bytes JMP 000007fefee20165
.text C:\Windows\system32\taskhost.exe[4532] C:\Windows\system32\ADVAPI32.dll!ControlServiceExW + 1 000007fefeb2a5e9 4 bytes {JMP 0x2f5a7e}
.text C:\Windows\system32\taskhost.exe[4532] C:\Windows\system32\ADVAPI32.dll!ControlServiceExA + 1 000007fefeb2a5f5 4 bytes {JMP 0x2f5a3f}
.text C:\Windows\system32\taskhost.exe[4532] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigW 000007fefeb2a600 12 bytes {JMP QWORD [RIP+0x0]}
.text C:\Windows\system32\taskhost.exe[4532] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigW + 14 000007fefeb2a60e 1 byte INT3
.text C:\Windows\system32\taskhost.exe[4532] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigA 000007fefeb2a66c 12 bytes {JMP QWORD [RIP+0x0]}
.text C:\Windows\system32\taskhost.exe[4532] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigA + 14 000007fefeb2a67a 1 byte INT3
.text C:\Windows\system32\taskhost.exe[4532] C:\Windows\system32\ADVAPI32.dll!LsaQueryTrustedDomainInfoByName 000007fefeb39490 7 bytes JMP 000007fefee20561
.text C:\Windows\system32\taskhost.exe[4532] C:\Windows\system32\ADVAPI32.dll!LsaQueryTrustedDomainInfo 000007fefeb39640 5 bytes JMP 000007fefee2052e
.text C:\Windows\system32\taskhost.exe[4532] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007fefeb3a8d0 7 bytes JMP 000007fefee20099
.text C:\Windows\system32\taskhost.exe[4532] C:\Windows\system32\ADVAPI32.dll!FlushEfsCache 000007fefeb51380 6 bytes JMP 000007fefee20462
.text C:\Windows\system32\taskhost.exe[4532] C:\Windows\system32\ADVAPI32.dll!SetUserFileEncryptionKey 000007fefeb51650 6 bytes JMP 000007fefee205fa
.text C:\Windows\system32\taskhost.exe[4532] C:\Windows\system32\ADVAPI32.dll!EncryptFileW 000007fefeb51c00 6 bytes JMP 000007fefee2042f
.text C:\Windows\system32\taskhost.exe[4532] C:\Windows\system32\ADVAPI32.dll!InitiateShutdownW 000007fefeb53690 7 bytes JMP 000007fefee20495
.text C:\Windows\system32\taskhost.exe[4532] C:\Windows\system32\ADVAPI32.dll!InitiateSystemShutdownExW 000007fefeb53800 7 bytes JMP 000007fefee204c8
.text C:\Windows\system32\taskhost.exe[4532] C:\Windows\system32\ADVAPI32.dll!InitiateSystemShutdownW 000007fefeb53920 7 bytes JMP 000007fefee204fb
.text C:\Windows\system32\taskhost.exe[4532] C:\Windows\system32\ADVAPI32.dll!CredEnumerateW 000007fefeb5def0 7 bytes JMP 000007fefee201fe
.text C:\Windows\system32\taskhost.exe[4532] C:\Windows\system32\ADVAPI32.dll!CredEnumerateA 000007fefeb5e020 7 bytes JMP 000007fefee201cb
.text C:\Windows\system32\taskhost.exe[4532] C:\Windows\system32\ADVAPI32.dll!CreateProcessWithTokenW 000007fefeb60f10 7 bytes JMP 000007fefee20132
.text C:\Windows\system32\taskhost.exe[4532] C:\Windows\system32\ADVAPI32.dll!CreateProcessWithLogonW 000007fefeb60f80 7 bytes JMP 000007fefee200ff
.text C:\Windows\system32\taskhost.exe[4532] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW 000007fefebd6488 15 bytes {JMP QWORD [RIP+0x0]}
.text C:\Windows\system32\taskhost.exe[4532] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle 000007fefebd651c 15 bytes {JMP QWORD [RIP+0x0]}
.text C:\Windows\system32\taskhost.exe[4532] C:\Windows\SYSTEM32\sechost.dll!StartServiceW 000007fefebd6828 15 bytes {JMP QWORD [RIP+0x0]}
.text C:\Windows\system32\taskhost.exe[4532] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA 000007fefebd6c38 14 bytes {JMP QWORD [RIP+0x0]}
.text C:\Windows\system32\taskhost.exe[4532] C:\Windows\SYSTEM32\sechost.dll!StartServiceA 000007fefebd6d04 15 bytes {JMP QWORD [RIP+0x0]}
.text C:\Windows\system32\taskhost.exe[4532] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefebd75ec 15 bytes {JMP QWORD [RIP+0x0]}
.text C:\Windows\system32\taskhost.exe[4532] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefebd7910 15 bytes {JMP QWORD [RIP+0x0]}
.text C:\Windows\system32\taskhost.exe[4532] C:\Windows\system32\wininet.dll!InternetConnectW 000007fefde34a60 7 bytes JMP 000007fefee209c3
.text C:\Windows\system32\taskhost.exe[4532] C:\Windows\system32\wininet.dll!InternetOpenW 000007fefde3bc70 5 bytes JMP 000007fefee20a8f
.text C:\Windows\system32\taskhost.exe[4532] C:\Windows\system32\wininet.dll!InternetOpenA 000007fefde3be10 5 bytes JMP 000007fefee209f6
.text C:\Windows\system32\taskhost.exe[4532] C:\Windows\system32\wininet.dll!InternetConnectA 000007fefdeeea30 5 bytes JMP 000007fefee20990
.text C:\Windows\system32\taskhost.exe[4532] C:\Windows\system32\wininet.dll!InternetOpenUrlA 000007fefdeeee20 7 bytes JMP 000007fefee20a29
.text C:\Windows\system32\taskhost.exe[4532] C:\Windows\system32\wininet.dll!InternetOpenUrlW 000007fefdeefb40 5 bytes JMP 000007fefee20a5c
.text C:\Windows\system32\taskhost.exe[4532] C:\Windows\system32\USERENV.dll!GetUserProfileDirectoryW 000007fefdba1c00 10 bytes JMP 000007fefee2095d
.text C:\Windows\system32\taskhost.exe[4532] C:\Windows\system32\USERENV.dll!GetProfilesDirectoryW 000007fefdbae610 5 bytes JMP 000007fefee208f7
.text C:\Windows\system32\taskhost.exe[4532] C:\Windows\system32\USERENV.dll!GetProfilesDirectoryA 000007fefdbae9d0 7 bytes JMP 000007fefee208c4
.text C:\Windows\system32\taskhost.exe[4532] C:\Windows\system32\USERENV.dll!GetUserProfileDirectoryA 000007fefdbafc50 7 bytes JMP 000007fefee2092a
.text C:\Windows\system32\taskhost.exe[4532] C:\Windows\system32\CRYPTSP.dll!CryptAcquireContextW 000007fefccc3b98 1 byte JMP 000007fefee20b28
.text C:\Windows\system32\taskhost.exe[4532] C:\Windows\system32\CRYPTSP.dll!CryptAcquireContextW + 2 000007fefccc3b9a 5 bytes {JMP 0x215cf90}
.text C:\Windows\system32\taskhost.exe[4532] C:\Windows\system32\CRYPTSP.dll!CryptAcquireContextA 000007fefccc3ca8 5 bytes JMP 000007fefee20af5
.text C:\Windows\system32\taskhost.exe[4532] C:\Windows\system32\CRYPTSP.dll!CryptExportKey 000007fefccc55ac 7 bytes JMP 000007fefee20b8e
.text C:\Windows\system32\taskhost.exe[4532] C:\Windows\system32\CRYPTSP.dll!CryptImportKey 000007fefccc56fc 7 bytes JMP 000007fefee20c27
.text C:\Windows\system32\taskhost.exe[4532] C:\Windows\system32\CRYPTSP.dll!CryptCreateHash 000007fefccc5be4 7 bytes JMP 000007fefee20b5b
.text C:\Windows\system32\taskhost.exe[4532] C:\Windows\system32\CRYPTSP.dll!CryptHashData 000007fefccc5f80 7 bytes JMP 000007fefee20bf4
.text C:\Windows\system32\taskhost.exe[4532] C:\Windows\system32\CRYPTSP.dll!CryptGetHashParam 000007fefccc698c 7 bytes JMP 000007fefee20bc1
.text C:\Windows\system32\taskhost.exe[4532] C:\Windows\system32\psapi.dll!EnumDeviceDrivers 0000000000631134 5 bytes JMP 0000000077c31d49
.text C:\Windows\system32\taskeng.exe[4564] C:\Windows\SYSTEM32\ntdll.dll!NtWriteFile 0000000077acbbb0 8 bytes JMP 0000000077c30ef1
.text C:\Windows\system32\taskeng.exe[4564] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 0000000077acbc00 8 bytes JMP 0000000077c30b28
.text C:\Windows\system32\taskeng.exe[4564] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077acbc20 8 bytes JMP 0000000077c302ca
.text C:\Windows\system32\taskeng.exe[4564] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 0000000077acbcc0 8 bytes JMP 0000000077c30e58
.text C:\Windows\system32\Dwm.exe[4736] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefda59ac0 5 bytes JMP 000007fefda30148
.text C:\Windows\system32\Dwm.exe[4736] C:\Windows\system32\KERNELBASE.dll!GetSystemInfo + 1 000007fefda5a661 16 bytes {JMP QWORD [RIP+0x0]}
.text C:\Windows\system32\Dwm.exe[4736] C:\Windows\system32\KERNELBASE.dll!SetEnvironmentVariableA + 1 000007fefda73231 16 bytes {JMP QWORD [RIP+0x0]}
.text C:\Windows\system32\Dwm.exe[4736] C:\Windows\system32\KERNELBASE.dll!TerminateProcess 000007fefda73550 15 bytes {JMP QWORD [RIP+0x0]}
.text C:\Windows\system32\Dwm.exe[4736] C:\Windows\system32\KERNELBASE.dll!GetLogicalProcessorInformation 000007fefda73670 16 bytes {JMP QWORD [RIP+0x0]}
.text C:\Windows\system32\Dwm.exe[4736] C:\Windows\system32\KERNELBASE.dll!CreateFileA 000007fefda7afe0 15 bytes {JMP QWORD [RIP+0x0]}
.text C:\Windows\system32\Dwm.exe[4736] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW 000007fefda7ff00 19 bytes {JMP QWORD [RIP+0x0]}
.text C:\Windows\system32\Dwm.exe[4736] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread 000007fefda822c0 10 bytes {JMP QWORD [RIP+0x0]}
.text C:\Windows\system32\Dwm.exe[4736] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 12 000007fefda822cc 5 bytes [00, 00, CC, CC, CC]
.text C:\Windows\system32\Dwm.exe[4736] C:\Windows\system32\GDI32.dll!CreateCompatibleDC 000007fefedb1c64 18 bytes {JMP QWORD [RIP+0x0]}
.text C:\Windows\system32\Dwm.exe[4736] C:\Windows\system32\GDI32.dll!CreateBitmap 000007fefedb1f30 11 bytes {JMP QWORD [RIP+0x0]}
.text C:\Windows\system32\Dwm.exe[4736] C:\Windows\system32\GDI32.dll!CreateBitmap + 12 000007fefedb1f3c 2 bytes [00, 00]
.text C:\Windows\system32\Dwm.exe[4736] C:\Windows\system32\GDI32.dll!BitBlt 000007fefedb24c0 15 bytes {JMP QWORD [RIP+0x0]}
.text C:\Windows\system32\Dwm.exe[4736] C:\Windows\system32\GDI32.dll!CreateCompatibleBitmap 000007fefedb2d20 18 bytes {JMP QWORD [RIP+0x0]}
.text C:\Windows\system32\Dwm.exe[4736] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefedb8328 14 bytes {JMP QWORD [RIP+0x0]}
.text C:\Windows\system32\Dwm.exe[4736] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefedb8960 14 bytes {JMP QWORD [RIP+0x0]}
.text C:\Windows\system32\Dwm.exe[4736] C:\Windows\system32\GDI32.dll!D3DKMTQueryAdapterInfo 000007fefedb8980 8 bytes JMP 000007fefda301f0
.text C:\Windows\system32\Dwm.exe[4736] C:\Windows\system32\GDI32.dll!D3DKMTGetDisplayModeList 000007fefedbbdf0 8 bytes JMP 000007fefda301b8
.text C:\Windows\system32\Dwm.exe[4736] C:\Windows\system32\ADVAPI32.dll!CryptGenKey 000007fefeaf1980 5 bytes JMP 000007feff000000
.text C:\Windows\system32\Dwm.exe[4736] C:\Windows\system32\ADVAPI32.dll!CryptExportKey 000007fefeafac20 14 bytes {JMP QWORD [RIP+0x0]}
.text C:\Windows\system32\Dwm.exe[4736] C:\Windows\system32\ADVAPI32.dll!CryptAcquireContextA 000007fefeafac7c 17 bytes {JMP QWORD [RIP+0x0]}
.text C:\Windows\system32\Dwm.exe[4736] C:\Windows\system32\ADVAPI32.dll!CryptImportKey 000007fefeafe414 9 bytes JMP 000007feff000099
.text C:\Windows\system32\Dwm.exe[4736] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserW 000007fefeafe47c 12 bytes {JMP QWORD [RIP+0x0]}
.text C:\Windows\system32\Dwm.exe[4736] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserW + 14 000007fefeafe48a 1 byte INT3
.text C:\Windows\system32\Dwm.exe[4736] C:\Windows\system32\ADVAPI32.dll!CryptAcquireContextW 000007fefeb001bc 17 bytes {JMP QWORD [RIP+0x0]}
.text C:\Windows\system32\Dwm.exe[4736] C:\Windows\system32\ADVAPI32.dll!CryptHashData 000007fefeb0025c 5 bytes JMP 000007feff000066
.text C:\Windows\system32\Dwm.exe[4736] C:\Windows\system32\ADVAPI32.dll!CryptCreateHash 000007fefeb00290 14 bytes {JMP QWORD [RIP+0x0]}
.text C:\Windows\system32\Dwm.exe[4736] C:\Windows\system32\ADVAPI32.dll!CryptGetHashParam 000007fefeb002bc 8 bytes JMP 000007feff000033
.text C:\Windows\system32\Dwm.exe[4736] C:\Windows\system32\ADVAPI32.dll!CreateServiceW 000007fefeb149b0 12 bytes {JMP QWORD [RIP+0x0]}
.text C:\Windows\system32\Dwm.exe[4736] C:\Windows\system32\ADVAPI32.dll!CreateServiceW + 14 000007fefeb149be 1 byte INT3
.text C:\Windows\system32\Dwm.exe[4736] C:\Windows\system32\ADVAPI32.dll!CryptEncrypt 000007fefeb2a408 10 bytes {JMP QWORD [RIP+0x0]}
.text C:\Windows\system32\Dwm.exe[4736] C:\Windows\system32\ADVAPI32.dll!CryptEncrypt + 11 000007fefeb2a413 4 bytes [00, 00, 00, CC]
.text C:\Windows\system32\Dwm.exe[4736] C:\Windows\system32\ADVAPI32.dll!CryptDeriveKey 000007fefeb2a454 14 bytes {JMP QWORD [RIP+0x0]}
.text C:\Windows\system32\Dwm.exe[4736] C:\Windows\system32\ADVAPI32.dll!CreateServiceA 000007fefeb2a490 12 bytes {JMP QWORD [RIP+0x0]}
.text C:\Windows\system32\Dwm.exe[4736] C:\Windows\system32\ADVAPI32.dll!CreateServiceA + 14 000007fefeb2a49e 1 byte INT3
.text C:\Windows\system32\Dwm.exe[4736] C:\Windows\system32\ADVAPI32.dll!LsaQueryTrustedDomainInfoByName 000007fefeb39490 7 bytes JMP 000007feff0001fe
.text C:\Windows\system32\Dwm.exe[4736] C:\Windows\system32\ADVAPI32.dll!LsaQueryTrustedDomainInfo 000007fefeb39640 5 bytes JMP 000007feff0001cb
.text C:\Windows\system32\Dwm.exe[4736] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007fefeb3a8d0 11 bytes {JMP QWORD [RIP+0x0]}
.text C:\Windows\system32\Dwm.exe[4736] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA + 12 000007fefeb3a8dc 8 bytes [00, 00, CC, CC, CC, CC, CC, ...]
.text C:\Windows\system32\Dwm.exe[4736] C:\Windows\system32\ADVAPI32.dll!FlushEfsCache 000007fefeb51380 6 bytes JMP 000007feff0000ff
.text C:\Windows\system32\Dwm.exe[4736] C:\Windows\system32\ADVAPI32.dll!SetUserFileEncryptionKey 000007fefeb51650 6 bytes JMP 000007feff000231
.text C:\Windows\system32\Dwm.exe[4736] C:\Windows\system32\ADVAPI32.dll!EncryptFileW 000007fefeb51c00 6 bytes JMP 000007feff0000cc
.text C:\Windows\system32\Dwm.exe[4736] C:\Windows\system32\ADVAPI32.dll!InitiateShutdownW 000007fefeb53690 7 bytes JMP 000007feff000132
.text C:\Windows\system32\Dwm.exe[4736] C:\Windows\system32\ADVAPI32.dll!InitiateSystemShutdownExW 000007fefeb53800 7 bytes JMP 000007feff000165
.text C:\Windows\system32\Dwm.exe[4736] C:\Windows\system32\ADVAPI32.dll!InitiateSystemShutdownW 000007fefeb53920 7 bytes JMP 000007feff000198
.text C:\Windows\system32\Dwm.exe[4736] C:\Windows\system32\ADVAPI32.dll!CredEnumerateW 000007fefeb5def0 15 bytes {JMP QWORD [RIP+0x0]}
.text C:\Windows\system32\Dwm.exe[4736] C:\Windows\system32\ADVAPI32.dll!CredEnumerateA 000007fefeb5e020 15 bytes {JMP QWORD [RIP+0x0]}
.text C:\Windows\system32\Dwm.exe[4736] C:\Windows\system32\ADVAPI32.dll!CreateProcessWithTokenW 000007fefeb60f10 12 bytes {JMP QWORD [RIP+0x0]}
.text C:\Windows\system32\Dwm.exe[4736] C:\Windows\system32\ADVAPI32.dll!CreateProcessWithTokenW + 14 000007fefeb60f1e 1 byte INT3
.text C:\Windows\system32\Dwm.exe[4736] C:\Windows\system32\ADVAPI32.dll!CreateProcessWithLogonW 000007fefeb60f80 12 bytes {JMP QWORD [RIP+0x0]}
.text C:\Windows\system32\Dwm.exe[4736] C:\Windows\system32\ADVAPI32.dll!CreateProcessWithLogonW + 14 000007fefeb60f8e 1 byte INT3
.text C:\Windows\system32\Dwm.exe[4736] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW 000007fefebd6488 15 bytes {JMP QWORD [RIP+0x0]}
.text C:\Windows\system32\Dwm.exe[4736] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle 000007fefebd651c 15 bytes {JMP QWORD [RIP+0x0]}
.text C:\Windows\system32\Dwm.exe[4736] C:\Windows\SYSTEM32\sechost.dll!StartServiceW 000007fefebd6828 15 bytes {JMP QWORD [RIP+0x0]}
.text C:\Windows\system32\Dwm.exe[4736] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA 000007fefebd6c38 14 bytes {JMP QWORD [RIP+0x0]}
.text C:\Windows\system32\Dwm.exe[4736] C:\Windows\SYSTEM32\sechost.dll!StartServiceA 000007fefebd6d04 15 bytes {JMP QWORD [RIP+0x0]}
.text C:\Windows\system32\Dwm.exe[4736] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefebd75ec 15 bytes {JMP QWORD [RIP+0x0]}
.text C:\Windows\system32\Dwm.exe[4736] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefebd7910 15 bytes {JMP QWORD [RIP+0x0]}
.text C:\Windows\system32\Dwm.exe[4736] C:\Windows\system32\d3d10_1.dll!D3D10CreateDevice1 000007feeee984b8 12 bytes JMP 000007feff0003c9
.text C:\Windows\system32\Dwm.exe[4736] C:\Windows\system32\d3d10_1.dll!D3D10CreateDeviceAndSwapChain1 000007feeee988c8 5 bytes JMP 000007feff0003fc
.text C:\Windows\system32\Dwm.exe[4736] C:\Windows\system32\dxgi.dll!CreateDXGIFactory 000007feeededc88 5 bytes JMP 000007feff0002fd
.text C:\Windows\system32\Dwm.exe[4736] C:\Windows\system32\dxgi.dll!CreateDXGIFactory1 000007feeedede10 5 bytes JMP 000007feff000330
.text C:\Windows\system32\Dwm.exe[4736] C:\Windows\system32\d3d11.dll!D3D11CreateDevice 000007feeec10090 7 bytes JMP 000007feff000363
.text C:\Windows\system32\Dwm.exe[4736] C:\Windows\system32\d3d11.dll!D3D11CreateDeviceAndSwapChain 000007feeec100f8 5 bytes JMP 000007feff000396
.text C:\Windows\system32\Dwm.exe[4736] C:\Windows\system32\CRYPT32.dll!CertAddEncodedCertificateToStore 000007fefd828f08 7 bytes JMP 000007feff000495
.text C:\Windows\system32\Dwm.exe[4736] C:\Windows\system32\CRYPT32.dll!CertAddCRLContextToStore 000007fefd84cd00 5 bytes JMP 000007feff000462
.text C:\Windows\system32\Dwm.exe[4736] C:\Windows\system32\CRYPT32.dll!CertCreateSelfSignCertificate 000007fefd8764fc 5 bytes JMP 000007feff0004c8
.text C:\Windows\Explorer.EXE[4844] C:\Windows\SYSTEM32\ntdll.dll!NtWriteFile 0000000077acbbb0 8 bytes JMP 0000000077c30bc1
.text C:\Windows\Explorer.EXE[4844] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 0000000077acbc00 8 bytes JMP 0000000077c307f8
.text C:\Windows\Explorer.EXE[4844] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077acbc20 8 bytes JMP 0000000077c30132
.text C:\Windows\Explorer.EXE[4844] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 0000000077acbcc0 8 bytes JMP 0000000077c30b28
.text C:\Windows\Explorer.EXE[4844] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077acbd90 8 bytes JMP 0000000077c30363
.text C:\Windows\Explorer.EXE[4844] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000077acbdb0 8 bytes JMP 0000000077c304c8
.text C:\Windows\Explorer.EXE[4844] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 0000000077acbdd0 8 bytes JMP 0000000077c3092a
.text C:\Windows\Explorer.EXE[4844] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077acbdf0 8 bytes JMP 0000000077c30000
.text C:\Windows\Explorer.EXE[4844] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077acbed0 8 bytes JMP 0000000077c302ca
.text C:\Windows\Explorer.EXE[4844] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077acbef0 8 bytes JMP 0000000077c303c9
.text C:\Windows\Explorer.EXE[4844] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077acbf40 8 bytes JMP 0000000077c30066
.text C:\Windows\Explorer.EXE[4844] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077acbf80 8 bytes JMP 0000000077c3042f
.text C:\Windows\Explorer.EXE[4844] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077acbfd0 8 bytes JMP 0000000077c30bf4
.text C:\Windows\Explorer.EXE[4844] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 0000000077acc000 8 bytes JMP 0000000077c30198
.text C:\Windows\Explorer.EXE[4844] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077acc010 8 bytes JMP 0000000077c30264
.text C:\Windows\Explorer.EXE[4844] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000077acc050 8 bytes JMP 0000000077c30990
.text C:\Windows\Explorer.EXE[4844] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077acc270 8 bytes JMP 0000000077c3082b
.text C:\Windows\Explorer.EXE[4844] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort 0000000077acc280 8 bytes JMP 0000000077c3085e
.text C:\Windows\Explorer.EXE[4844] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077acc380 8 bytes JMP 0000000077c30891
.text C:\Windows\Explorer.EXE[4844] C:\Windows\SYSTEM32\ntdll.dll!NtCommitTransaction 0000000077acc400 8 bytes JMP 0000000077c30c5a
.text C:\Windows\Explorer.EXE[4844] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077acc500 8 bytes JMP 0000000077c30cf3
.text C:\Windows\Explorer.EXE[4844] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 0000000077acc550 8 bytes JMP 0000000077c30165
.text C:\Windows\Explorer.EXE[4844] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077acc5a0 8 bytes JMP 0000000077c30d59
.text C:\Windows\Explorer.EXE[4844] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077acc5b0 8 bytes JMP 0000000077c30297
.text C:\Windows\Explorer.EXE[4844] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTransaction 0000000077acc5e0 8 bytes JMP 0000000077c30b5b
.text C:\Windows\Explorer.EXE[4844] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 0000000077acc600 8 bytes JMP 0000000077c301cb
.text C:\Windows\Explorer.EXE[4844] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077acc920 8 bytes JMP 0000000077c30d26
.text C:\Windows\Explorer.EXE[4844] C:\Windows\SYSTEM32\ntdll.dll!NtQuerySystemEnvironmentValueEx 0000000077acce10 8 bytes JMP 0000000077c308f7
.text C:\Windows\Explorer.EXE[4844] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError 0000000077acce60 8 bytes JMP 0000000077c30cc0
.text C:\Windows\Explorer.EXE[4844] C:\Windows\SYSTEM32\ntdll.dll!NtRollbackTransaction 0000000077accfd0 8 bytes JMP 0000000077c30c27
.text C:\Windows\Explorer.EXE[4844] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077acd060 8 bytes JMP 0000000077c30462
.text C:\Windows\Explorer.EXE[4844] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationTransaction 0000000077acd150 8 bytes JMP 0000000077c30c8d
.text C:\Windows\Explorer.EXE[4844] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemEnvironmentValueEx 0000000077acd210 8 bytes JMP 0000000077c308c4
.text C:\Windows\Explorer.EXE[4844] C:\Windows\SYSTEM32\ntdll.dll!RtlImageNtHeaderEx 0000000077ad1fd0 5 bytes JMP 0000000077c30033
.text C:\Windows\Explorer.EXE[4844] C:\Windows\SYSTEM32\ntdll.dll!RtlWow64SetThreadContext 0000000077b26b30 5 bytes JMP 0000000077c3095d
.text C:\Windows\Explorer.EXE[4844] C:\Windows\SYSTEM32\ntdll.dll!RtlWow64SetThreadContext + 6 0000000077b26b36 3 bytes [CC, CC, CC]
.text C:\Windows\Explorer.EXE[4844] C:\Windows\system32\kernel32.dll!Process32NextW 0000000077861b20 7 bytes JMP 0000000077c300ff
.text C:\Windows\Explorer.EXE[4844] C:\Windows\system32\kernel32.dll!CreateToolhelp32Snapshot 0000000077861c10 7 bytes JMP 0000000077c30495
.text C:\Windows\Explorer.EXE[4844] C:\Windows\system32\kernel32.dll!MoveFileExW 0000000077862b60 13 bytes JMP 0000000077c305c7
.text C:\Windows\Explorer.EXE[4844] C:\Windows\system32\kernel32.dll!K32EnumDeviceDrivers 0000000077869a60 5 bytes JMP 0000000077c30a8f
.text C:\Windows\Explorer.EXE[4844] C:\Windows\system32\kernel32.dll!GetNativeSystemInfo 000000007786ac80 6 bytes JMP 0000000077c309c3
.text C:\Windows\Explorer.EXE[4844] C:\Windows\system32\kernel32.dll!LoadLibraryW 0000000077876410 5 bytes JMP 0000000077c3075f
.text C:\Windows\Explorer.EXE[4844] C:\Windows\system32\kernel32.dll!LoadLibraryA 0000000077876500 5 bytes JMP 0000000077c3072c
.text C:\Windows\Explorer.EXE[4844] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007787dbf0 5 bytes JMP 0000000077c30330
.text C:\Windows\Explorer.EXE[4844] C:\Windows\system32\kernel32.dll!CreateProcessW 00000000778805e0 12 bytes JMP 0000000077c306c6
.text C:\Windows\Explorer.EXE[4844] C:\Windows\system32\kernel32.dll!GenerateConsoleCtrlEvent 00000000778a0e70 4 bytes JMP 0000000077c307c5
.text C:\Windows\Explorer.EXE[4844] C:\Windows\system32\kernel32.dll!GenerateConsoleCtrlEvent + 5 00000000778a0e75 2 bytes [CC, CC]
.text C:\Windows\Explorer.EXE[4844] C:\Windows\system32\kernel32.dll!GetVolumeInformationA 00000000778c1df0 7 bytes JMP 0000000077c30ac2
.text C:\Windows\Explorer.EXE[4844] C:\Windows\system32\kernel32.dll!CreateNamedPipeA 00000000778c2dd0 5 bytes JMP 0000000077c30d8c
.text C:\Windows\Explorer.EXE[4844] C:\Windows\system32\kernel32.dll!DefineDosDeviceA 00000000778c5ae0 5 bytes JMP 0000000077c3052e
.text C:\Windows\Explorer.EXE[4844] C:\Windows\system32\kernel32.dll!CreateFileTransactedW 00000000778d5a60 7 bytes JMP 0000000077c30b8e
.text C:\Windows\Explorer.EXE[4844] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 00000000778ef6d0 8 bytes JMP 0000000077c3062d
.text C:\Windows\Explorer.EXE[4844] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 00000000778ef8d0 8 bytes JMP 0000000077c305fa
.text C:\Windows\Explorer.EXE[4844] C:\Windows\system32\kernel32.dll!MoveFileExA 00000000778ef900 10 bytes JMP 0000000077c30594
.text C:\Windows\Explorer.EXE[4844] C:\Windows\system32\kernel32.dll!CreateProcessInternalA 00000000778fa2e0 7 bytes JMP 0000000077c302fd
.text C:\Windows\Explorer.EXE[4844] C:\Windows\system32\kernel32.dll!CreateProcessA 00000000778fafb0 7 bytes JMP 0000000077c30693
.text C:\Windows\Explorer.EXE[4844] C:\Windows\system32\kernel32.dll!WinExec 00000000778fb4f0 7 bytes JMP 0000000077c30df2
.text C:\Windows\Explorer.EXE[4844] C:\Windows\system32\KERNELBASE.dll!CloseHandle 000007fefda41860 12 bytes {JMP QWORD [RIP+0x0]}
.text C:\Windows\Explorer.EXE[4844] C:\Windows\system32\KERNELBASE.dll!CloseHandle + 13 000007fefda4186d 6 bytes [00, CC, CC, CC, CC, CC]
.text C:\Windows\Explorer.EXE[4844] C:\Windows\system32\KERNELBASE.dll!GetProcAddress 000007fefda43370 15 bytes {JMP QWORD [RIP+0x0]}
.text C:\Windows\Explorer.EXE[4844] C:\Windows\system32\KERNELBASE.dll!QueueUserAPC 000007fefda43d90 16 bytes {JMP QWORD [RIP+0x0]}
.text C:\Windows\Explorer.EXE[4844] C:\Windows\system32\KERNELBASE.dll!CreateFileW 000007fefda45fe0 20 bytes {JMP QWORD [RIP+0x0]}
.text C:\Windows\Explorer.EXE[4844] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThreadEx + 1 000007fefda4acb1 18 bytes {JMP QWORD [RIP+0x0]}
.text C:\Windows\Explorer.EXE[4844] C:\Windows\system32\KERNELBASE.dll!SetEnvironmentVariableW + 1 000007fefda4ee41 17 bytes {JMP QWORD [RIP+0x0]}
.text C:\Windows\Explorer.EXE[4844] C:\Windows\system32\KERNELBASE.dll!OpenThread 000007fefda4ef50 12 bytes {JMP QWORD [RIP+0x0]}
.text C:\Windows\Explorer.EXE[4844] C:\Windows\system32\KERNELBASE.dll!OpenThread + 14 000007fefda4ef5e 1 byte INT3
.text C:\Windows\Explorer.EXE[4844] C:\Windows\system32\KERNELBASE.dll!DeleteFileW 000007fefda53290 4 bytes [FF, 25, 00, 00]
.text C:\Windows\Explorer.EXE[4844] C:\Windows\system32\KERNELBASE.dll!DeleteFileW + 6 000007fefda53296 11 bytes [60, 06, C3, 77, 00, 00, 00, ...]
.text C:\Windows\Explorer.EXE[4844] C:\Windows\system32\KERNELBASE.dll!GetVolumeInformationW 000007fefda53640 18 bytes {JMP QWORD [RIP+0x0]}
.text C:\Windows\Explorer.EXE[4844] C:\Windows\system32\KERNELBASE.dll!GetLogicalProcessorInformationEx 000007fefda55770 17 bytes {JMP QWORD [RIP+0x0]}
.text C:\Windows\Explorer.EXE[4844] C:\Windows\system32\KERNELBASE.dll!CreateNamedPipeW 000007fefda57310 10 bytes {JMP QWORD [RIP+0x0]}
.text C:\Windows\Explorer.EXE[4844] C:\Windows\system32\KERNELBASE.dll!CreateNamedPipeW + 12 000007fefda5731c 3 bytes [00, 00, CC]
.text C:\Windows\Explorer.EXE[4844] C:\Windows\system32\KERNELBASE.dll!GetSystemInfo + 1 000007fefda5a661 16 bytes {JMP QWORD [RIP+0x0]}
.text C:\Windows\Explorer.EXE[4844] C:\Windows\system32\KERNELBASE.dll!SetEnvironmentVariableA + 1 000007fefda73231 16 bytes {JMP QWORD [RIP+0x0]}
.text C:\Windows\Explorer.EXE[4844] C:\Windows\system32\KERNELBASE.dll!TerminateProcess 000007fefda73550 15 bytes {JMP QWORD [RIP+0x0]}
.text C:\Windows\Explorer.EXE[4844] C:\Windows\system32\KERNELBASE.dll!GetLogicalProcessorInformation 000007fefda73670 16 bytes {JMP QWORD [RIP+0x0]}
.text C:\Windows\Explorer.EXE[4844] C:\Windows\system32\KERNELBASE.dll!CreateFileA 000007fefda7afe0 15 bytes {JMP QWORD [RIP+0x0]}
.text C:\Windows\Explorer.EXE[4844] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW 000007fefda7ff00 19 bytes {JMP QWORD [RIP+0x0]}
.text C:\Windows\Explorer.EXE[4844] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread 000007fefda822c0 10 bytes {JMP QWORD [RIP+0x0]}
.text C:\Windows\Explorer.EXE[4844] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 12 000007fefda822cc 5 bytes [00, 00, CC, CC, CC]
.text C:\Windows\Explorer.EXE[4844] C:\Windows\system32\ADVAPI32.dll!CryptGenKey 000007fefeaf1980 5 bytes JMP 000007feffd90000
.text C:\Windows\Explorer.EXE[4844] C:\Windows\system32\ADVAPI32.dll!CryptExportKey 000007fefeafac20 14 bytes {JMP QWORD [RIP+0x0]}
.text C:\Windows\Explorer.EXE[4844] C:\Windows\system32\ADVAPI32.dll!CryptAcquireContextA 000007fefeafac7c 17 bytes {JMP QWORD [RIP+0x0]}
.text C:\Windows\Explorer.EXE[4844] C:\Windows\system32\ADVAPI32.dll!CryptImportKey 000007fefeafe414 9 bytes JMP 000007feffd90099
.text C:\Windows\Explorer.EXE[4844] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserW 000007fefeafe47c 12 bytes {JMP QWORD [RIP+0x0]}
.text C:\Windows\Explorer.EXE[4844] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserW + 14 000007fefeafe48a 1 byte INT3
.text C:\Windows\Explorer.EXE[4844] C:\Windows\system32\ADVAPI32.dll!CryptAcquireContextW 000007fefeb001bc 17 bytes {JMP QWORD [RIP+0x0]}
.text C:\Windows\Explorer.EXE[4844] C:\Windows\system32\ADVAPI32.dll!CryptHashData 000007fefeb0025c 5 bytes JMP 000007feffd90066
.text C:\Windows\Explorer.EXE[4844] C:\Windows\system32\ADVAPI32.dll!CryptCreateHash 000007fefeb00290 14 bytes {JMP QWORD [RIP+0x0]}
.text C:\Windows\Explorer.EXE[4844] C:\Windows\system32\ADVAPI32.dll!CryptGetHashParam 000007fefeb002bc 8 bytes JMP 000007feffd90033
.text C:\Windows\Explorer.EXE[4844] C:\Windows\system32\ADVAPI32.dll!CreateServiceW 000007fefeb149b0 12 bytes {JMP QWORD [RIP+0x0]}
.text C:\Windows\Explorer.EXE[4844] C:\Windows\system32\ADVAPI32.dll!CreateServiceW + 14 000007fefeb149be 1 byte INT3
.text C:\Windows\Explorer.EXE[4844] C:\Windows\system32\ADVAPI32.dll!CryptEncrypt 000007fefeb2a408 10 bytes {JMP QWORD [RIP+0x0]}
.text C:\Windows\Explorer.EXE[4844] C:\Windows\system32\ADVAPI32.dll!CryptEncrypt + 11 000007fefeb2a413 4 bytes [00, 00, 00, CC]
.text C:\Windows\Explorer.EXE[4844] C:\Windows\system32\ADVAPI32.dll!CryptDeriveKey 000007fefeb2a454 14 bytes {JMP QWORD [RIP+0x0]}
.text C:\Windows\Explorer.EXE[4844] C:\Windows\system32\ADVAPI32.dll!CreateServiceA 000007fefeb2a490 12 bytes {JMP QWORD [RIP+0x0]}
.text C:\Windows\Explorer.EXE[4844] C:\Windows\system32\ADVAPI32.dll!CreateServiceA + 14 000007fefeb2a49e 1 byte INT3
.text C:\Windows\Explorer.EXE[4844] C:\Windows\system32\ADVAPI32.dll!LsaQueryTrustedDomainInfoByName 000007fefeb39490 7 bytes JMP 000007feffd901fe
.text C:\Windows\Explorer.EXE[4844] C:\Windows\system32\ADVAPI32.dll!LsaQueryTrustedDomainInfo 000007fefeb39640 5 bytes JMP 000007feffd901cb
.text C:\Windows\Explorer.EXE[4844] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007fefeb3a8d0 11 bytes {JMP QWORD [RIP+0x0]}
.text C:\Windows\Explorer.EXE[4844] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA + 12 000007fefeb3a8dc 8 bytes [00, 00, CC, CC, CC, CC, CC, ...]
.text C:\Windows\Explorer.EXE[4844] C:\Windows\system32\ADVAPI32.dll!FlushEfsCache 000007fefeb51380 6 bytes JMP 000007feffd900ff
.text C:\Windows\Explorer.EXE[4844] C:\Windows\system32\ADVAPI32.dll!SetUserFileEncryptionKey 000007fefeb51650 6 bytes JMP 000007feffd90231
.text C:\Windows\Explorer.EXE[4844] C:\Windows\system32\ADVAPI32.dll!EncryptFileW 000007fefeb51c00 6 bytes JMP 000007feffd900cc
.text C:\Windows\Explorer.EXE[4844] C:\Windows\system32\ADVAPI32.dll!InitiateShutdownW 000007fefeb53690 7 bytes JMP 000007feffd90132
.text C:\Windows\Explorer.EXE[4844] C:\Windows\system32\ADVAPI32.dll!InitiateSystemShutdownExW 000007fefeb53800 7 bytes JMP 000007feffd90165
.text C:\Windows\Explorer.EXE[4844] C:\Windows\system32\ADVAPI32.dll!InitiateSystemShutdownW 000007fefeb53920 7 bytes JMP 000007feffd90198
.text C:\Windows\Explorer.EXE[4844] C:\Windows\system32\ADVAPI32.dll!CredEnumerateW 000007fefeb5def0 15 bytes {JMP QWORD [RIP+0x0]}
.text C:\Windows\Explorer.EXE[4844] C:\Windows\system32\ADVAPI32.dll!CredEnumerateA 000007fefeb5e020 15 bytes {JMP QWORD [RIP+0x0]}
.text C:\Windows\Explorer.EXE[4844] C:\Windows\system32\ADVAPI32.dll!CreateProcessWithTokenW 000007fefeb60f10 12 bytes {JMP QWORD [RIP+0x0]}
.text C:\Windows\Explorer.EXE[4844] C:\Windows\system32\ADVAPI32.dll!CreateProcessWithTokenW + 14 000007fefeb60f1e 1 byte INT3
.text C:\Windows\Explorer.EXE[4844] C:\Windows\system32\ADVAPI32.dll!CreateProcessWithLogonW 000007fefeb60f80 12 bytes {JMP QWORD [RIP+0x0]}
.text C:\Windows\Explorer.EXE[4844] C:\Windows\system32\ADVAPI32.dll!CreateProcessWithLogonW + 14 000007fefeb60f8e 1 byte INT3
.text C:\Windows\Explorer.EXE[4844] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW 000007fefebd6488 15 bytes {JMP QWORD [RIP+0x0]}
.text C:\Windows\Explorer.EXE[4844] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle 000007fefebd651c 15 bytes {JMP QWORD [RIP+0x0]}
.text C:\Windows\Explorer.EXE[4844] C:\Windows\SYSTEM32\sechost.dll!StartServiceW 000007fefebd6828 15 bytes {JMP QWORD [RIP+0x0]}
.text C:\Windows\Explorer.EXE[4844] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA 000007fefebd6c38 14 bytes {JMP QWORD [RIP+0x0]}
.text C:\Windows\Explorer.EXE[4844] C:\Windows\SYSTEM32\sechost.dll!StartServiceA 000007fefebd6d04 15 bytes {JMP QWORD [RIP+0x0]}
.text C:\Windows\Explorer.EXE[4844] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefebd75ec 15 bytes {JMP QWORD [RIP+0x0]}
.text C:\Windows\Explorer.EXE[4844] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefebd7910 15 bytes {JMP QWORD [RIP+0x0]}
.text C:\Windows\Explorer.EXE[4844] C:\Windows\system32\RPCRT4.dll!RpcBindingSetObject 000007fefe13e4b0 17 bytes {JMP QWORD [RIP+0x0]}
.text C:\Windows\Explorer.EXE[4844] C:\Windows\system32\GDI32.dll!CreateCompatibleDC 000007fefedb1c64 5 bytes JMP 000007feffd902fd
.text C:\Windows\Explorer.EXE[4844] C:\Windows\system32\GDI32.dll!CreateBitmap 000007fefedb1f30 6 bytes JMP 000007feffd90297
.text C:\Windows\Explorer.EXE[4844] C:\Windows\system32\GDI32.dll!BitBlt 000007fefedb24c0 5 bytes JMP 000007feffd90264
.text C:\Windows\Explorer.EXE[4844] C:\Windows\system32\GDI32.dll!CreateCompatibleBitmap 000007fefedb2d20 5 bytes JMP 000007feffd902ca
.text C:\Windows\Explorer.EXE[4844] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefedb8328 9 bytes JMP 000007feffd90363
.text C:\Windows\Explorer.EXE[4844] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefedb8960 9 bytes JMP 000007feffd90330
.text C:\Windows\Explorer.EXE[4844] C:\Windows\system32\SHELL32.dll!ShellExecuteW 000007feff019844 11 bytes JMP 000007feffd9042f
.text C:\Windows\Explorer.EXE[4844] C:\Windows\system32\SHELL32.dll!ShellExecuteExW 000007feff024f6c 5 bytes JMP 000007feffd903fc
.text C:\Windows\Explorer.EXE[4844] C:\Windows\system32\SHELL32.dll!ShellExecuteEx 000007feff260430 5 bytes JMP 000007feffd903c9
.text C:\Windows\Explorer.EXE[4844] C:\Windows\system32\SHELL32.dll!ShellExecuteA 000007feff260530 11 bytes JMP 000007feffd90396
.text C:\Windows\Explorer.EXE[4844] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefe756d10 11 bytes JMP 000007feffd90462
.text C:\Windows\Explorer.EXE[4844] C:\Windows\system32\ole32.dll!CoGetClassObject 000007fefe7624f8 5 bytes JMP 000007feffd90495
.text C:\Windows\Explorer.EXE[4844] C:\Windows\system32\ole32.dll!CoGetObject 000007fefe893900 5 bytes JMP 000007feffd904c8
.text C:\Windows\Explorer.EXE[4844] C:\Windows\system32\SSPICLI.DLL!GetUserNameExW 000007fefd591118 7 bytes JMP 000007feffd90594
.text C:\Windows\Explorer.EXE[4844] C:\Windows\system32\SSPICLI.DLL!GetUserNameExA 000007fefd591640 7 bytes JMP 000007feffd90561
.text C:\Windows\Explorer.EXE[4844] C:\Windows\system32\SSPICLI.DLL!LsaCallAuthenticationPackage 000007fefd5955b8 5 bytes JMP 000007feffd905c7
.text C:\Windows\Explorer.EXE[4844] C:\Windows\system32\SSPICLI.DLL!EnumerateSecurityPackagesW 000007fefd597358 5 bytes JMP 000007feffd9052e
.text C:\Windows\Explorer.EXE[4844] C:\Windows\system32\SSPICLI.DLL!EnumerateSecurityPackagesA 000007fefd5a57c0 5 bytes JMP 000007feffd904fb
.text C:\Windows\Explorer.EXE[4844] C:\Windows\system32\srvcli.dll!NetShareEnum 000007fefd4b1ad4 7 bytes JMP 000007feffd917b5
.text C:\Windows\Explorer.EXE[4844] C:\Windows\system32\srvcli.dll!NetSessionEnum 000007fefd4b38f8 7 bytes JMP 000007feffd91782