GMER 2.0.18454 - http://www.gmer.net Rootkit scan 2013-01-29 01:58:43 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 Hitachi_ rev.JE4O 698,64GB Running: 0ch9myds.exe; Driver: C:\Users\Mateusz\AppData\Local\Temp\pwriykow.sys ---- User code sections - GMER 2.0 ---- .text C:\Windows\system32\csrss.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076d613c0 5 bytes JMP 0000000149800440 .text C:\Windows\system32\csrss.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076d61410 5 bytes JMP 0000000149800430 .text C:\Windows\system32\csrss.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076d615c0 1 byte JMP 0000000149800450 .text C:\Windows\system32\csrss.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 0000000076d615c2 3 bytes {JMP 0xffffffffd2a9ee90} .text C:\Windows\system32\csrss.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076d615d0 5 bytes JMP 00000001498003b0 .text C:\Windows\system32\csrss.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076d61680 5 bytes JMP 0000000149800320 .text C:\Windows\system32\csrss.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076d616b0 5 bytes JMP 0000000149800380 .text C:\Windows\system32\csrss.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076d61710 5 bytes JMP 00000001498002e0 .text C:\Windows\system32\csrss.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076d61760 5 bytes JMP 0000000149800410 .text C:\Windows\system32\csrss.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076d61790 5 bytes JMP 00000001498002d0 .text C:\Windows\system32\csrss.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076d617b0 5 bytes JMP 0000000149800310 .text C:\Windows\system32\csrss.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076d617f0 5 bytes JMP 0000000149800390 .text C:\Windows\system32\csrss.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076d61840 5 bytes JMP 00000001498003c0 .text C:\Windows\system32\csrss.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076d619a0 1 byte JMP 0000000149800230 .text C:\Windows\system32\csrss.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076d619a2 3 bytes {JMP 0xffffffffd2a9e890} .text C:\Windows\system32\csrss.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076d61b60 5 bytes JMP 0000000149800460 .text C:\Windows\system32\csrss.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076d61b90 5 bytes JMP 0000000149800370 .text C:\Windows\system32\csrss.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076d61c70 5 bytes JMP 00000001498002f0 .text C:\Windows\system32\csrss.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076d61c80 5 bytes JMP 0000000149800350 .text C:\Windows\system32\csrss.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076d61ce0 5 bytes JMP 0000000149800290 .text C:\Windows\system32\csrss.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076d61d70 5 bytes JMP 00000001498002b0 .text C:\Windows\system32\csrss.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076d61d90 5 bytes JMP 00000001498003a0 .text C:\Windows\system32\csrss.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076d61da0 1 byte JMP 0000000149800330 .text C:\Windows\system32\csrss.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076d61da2 3 bytes {JMP 0xffffffffd2a9e590} .text C:\Windows\system32\csrss.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076d61e10 5 bytes JMP 00000001498003e0 .text C:\Windows\system32\csrss.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076d61e40 5 bytes JMP 0000000149800240 .text C:\Windows\system32\csrss.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076d62100 5 bytes JMP 00000001498001e0 .text C:\Windows\system32\csrss.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076d621c0 1 byte JMP 0000000149800250 .text C:\Windows\system32\csrss.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076d621c2 3 bytes {JMP 0xffffffffd2a9e090} .text C:\Windows\system32\csrss.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076d621f0 5 bytes JMP 0000000149800470 .text C:\Windows\system32\csrss.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076d62200 5 bytes JMP 0000000149800480 .text C:\Windows\system32\csrss.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076d62230 5 bytes JMP 0000000149800300 .text C:\Windows\system32\csrss.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076d62240 5 bytes JMP 0000000149800360 .text C:\Windows\system32\csrss.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076d622a0 5 bytes JMP 00000001498002a0 .text C:\Windows\system32\csrss.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076d622f0 5 bytes JMP 00000001498002c0 .text C:\Windows\system32\csrss.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076d62330 5 bytes JMP 0000000149800340 .text C:\Windows\system32\csrss.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076d62620 5 bytes JMP 0000000149800420 .text C:\Windows\system32\csrss.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076d62820 5 bytes JMP 0000000149800260 .text C:\Windows\system32\csrss.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076d62830 5 bytes JMP 0000000149800270 .text C:\Windows\system32\csrss.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076d62840 1 byte JMP 00000001498003d0 .text C:\Windows\system32\csrss.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000076d62842 3 bytes {JMP 0xffffffffd2a9db90} .text C:\Windows\system32\csrss.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076d62a00 5 bytes JMP 00000001498001f0 .text C:\Windows\system32\csrss.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076d62a10 5 bytes JMP 0000000149800210 .text C:\Windows\system32\csrss.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076d62a80 5 bytes JMP 0000000149800200 .text C:\Windows\system32\csrss.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076d62ae0 5 bytes JMP 00000001498003f0 .text C:\Windows\system32\csrss.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076d62af0 5 bytes JMP 0000000149800400 .text C:\Windows\system32\csrss.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076d62b00 5 bytes JMP 0000000149800220 .text C:\Windows\system32\csrss.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076d62be0 5 bytes JMP 0000000149800280 .text C:\Windows\system32\csrss.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076d613c0 5 bytes JMP 0000000149800440 .text C:\Windows\system32\csrss.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076d61410 5 bytes JMP 0000000149800430 .text C:\Windows\system32\csrss.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076d615c0 1 byte JMP 0000000149800450 .text C:\Windows\system32\csrss.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 0000000076d615c2 3 bytes {JMP 0xffffffffd2a9ee90} .text C:\Windows\system32\csrss.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076d615d0 5 bytes JMP 00000001498003b0 .text C:\Windows\system32\csrss.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076d61680 5 bytes JMP 0000000149800320 .text C:\Windows\system32\csrss.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076d616b0 5 bytes JMP 0000000149800380 .text C:\Windows\system32\csrss.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076d61710 5 bytes JMP 00000001498002e0 .text C:\Windows\system32\csrss.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076d61760 5 bytes JMP 0000000149800410 .text C:\Windows\system32\csrss.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076d61790 5 bytes JMP 00000001498002d0 .text C:\Windows\system32\csrss.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076d617b0 5 bytes JMP 0000000149800310 .text C:\Windows\system32\csrss.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076d617f0 5 bytes JMP 0000000149800390 .text C:\Windows\system32\csrss.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076d61840 5 bytes JMP 00000001498003c0 .text C:\Windows\system32\csrss.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076d619a0 1 byte JMP 0000000149800230 .text C:\Windows\system32\csrss.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076d619a2 3 bytes {JMP 0xffffffffd2a9e890} .text C:\Windows\system32\csrss.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076d61b60 5 bytes JMP 0000000149800460 .text C:\Windows\system32\csrss.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076d61b90 5 bytes JMP 0000000149800370 .text C:\Windows\system32\csrss.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076d61c70 5 bytes JMP 00000001498002f0 .text C:\Windows\system32\csrss.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076d61c80 5 bytes JMP 0000000149800350 .text C:\Windows\system32\csrss.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076d61ce0 5 bytes JMP 0000000149800290 .text C:\Windows\system32\csrss.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076d61d70 5 bytes JMP 00000001498002b0 .text C:\Windows\system32\csrss.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076d61d90 5 bytes JMP 00000001498003a0 .text C:\Windows\system32\csrss.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076d61da0 1 byte JMP 0000000149800330 .text C:\Windows\system32\csrss.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076d61da2 3 bytes {JMP 0xffffffffd2a9e590} .text C:\Windows\system32\csrss.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076d61e10 5 bytes JMP 00000001498003e0 .text C:\Windows\system32\csrss.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076d61e40 5 bytes JMP 0000000149800240 .text C:\Windows\system32\csrss.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076d62100 5 bytes JMP 00000001498001e0 .text C:\Windows\system32\csrss.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076d621c0 1 byte JMP 0000000149800250 .text C:\Windows\system32\csrss.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076d621c2 3 bytes {JMP 0xffffffffd2a9e090} .text C:\Windows\system32\csrss.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076d621f0 5 bytes JMP 0000000149800470 .text C:\Windows\system32\csrss.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076d62200 5 bytes JMP 0000000149800480 .text C:\Windows\system32\csrss.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076d62230 5 bytes JMP 0000000149800300 .text C:\Windows\system32\csrss.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076d62240 5 bytes JMP 0000000149800360 .text C:\Windows\system32\csrss.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076d622a0 5 bytes JMP 00000001498002a0 .text C:\Windows\system32\csrss.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076d622f0 5 bytes JMP 00000001498002c0 .text C:\Windows\system32\csrss.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076d62330 5 bytes JMP 0000000149800340 .text C:\Windows\system32\csrss.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076d62620 5 bytes JMP 0000000149800420 .text C:\Windows\system32\csrss.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076d62820 5 bytes JMP 0000000149800260 .text C:\Windows\system32\csrss.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076d62830 5 bytes JMP 0000000149800270 .text C:\Windows\system32\csrss.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076d62840 1 byte JMP 00000001498003d0 .text C:\Windows\system32\csrss.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000076d62842 3 bytes {JMP 0xffffffffd2a9db90} .text C:\Windows\system32\csrss.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076d62a00 5 bytes JMP 00000001498001f0 .text C:\Windows\system32\csrss.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076d62a10 5 bytes JMP 0000000149800210 .text C:\Windows\system32\csrss.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076d62a80 5 bytes JMP 0000000149800200 .text C:\Windows\system32\csrss.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076d62ae0 5 bytes JMP 00000001498003f0 .text C:\Windows\system32\csrss.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076d62af0 5 bytes JMP 0000000149800400 .text C:\Windows\system32\csrss.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076d62b00 5 bytes JMP 0000000149800220 .text C:\Windows\system32\csrss.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076d62be0 5 bytes JMP 0000000149800280 .text C:\Windows\system32\wininit.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076d613c0 5 bytes JMP 0000000076ec0440 .text C:\Windows\system32\wininit.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076d61410 5 bytes JMP 0000000076ec0430 .text C:\Windows\system32\wininit.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076d615c0 1 byte JMP 0000000076ec0450 .text C:\Windows\system32\wininit.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 0000000076d615c2 3 bytes {JMP 0x15ee90} .text C:\Windows\system32\wininit.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076d615d0 5 bytes JMP 0000000076ec03b0 .text C:\Windows\system32\wininit.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076d61680 5 bytes JMP 0000000076ec0320 .text C:\Windows\system32\wininit.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076d616b0 5 bytes JMP 0000000076ec0380 .text C:\Windows\system32\wininit.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076d61710 5 bytes JMP 0000000076ec02e0 .text C:\Windows\system32\wininit.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076d61760 5 bytes JMP 0000000076ec0410 .text C:\Windows\system32\wininit.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076d61790 5 bytes JMP 0000000076ec02d0 .text C:\Windows\system32\wininit.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076d617b0 5 bytes JMP 0000000076ec0310 .text C:\Windows\system32\wininit.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076d617f0 5 bytes JMP 0000000076ec0390 .text C:\Windows\system32\wininit.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076d61840 5 bytes JMP 0000000076ec03c0 .text C:\Windows\system32\wininit.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076d619a0 1 byte JMP 0000000076ec0230 .text C:\Windows\system32\wininit.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076d619a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\wininit.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076d61b60 5 bytes JMP 0000000076ec0460 .text C:\Windows\system32\wininit.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076d61b90 5 bytes JMP 0000000076ec0370 .text C:\Windows\system32\wininit.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076d61c70 5 bytes JMP 0000000076ec02f0 .text C:\Windows\system32\wininit.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076d61c80 5 bytes JMP 0000000076ec0350 .text C:\Windows\system32\wininit.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076d61ce0 5 bytes JMP 0000000076ec0290 .text C:\Windows\system32\wininit.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076d61d70 5 bytes JMP 0000000076ec02b0 .text C:\Windows\system32\wininit.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076d61d90 5 bytes JMP 0000000076ec03a0 .text C:\Windows\system32\wininit.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076d61da0 1 byte JMP 0000000076ec0330 .text C:\Windows\system32\wininit.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076d61da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\wininit.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076d61e10 5 bytes JMP 0000000076ec03e0 .text C:\Windows\system32\wininit.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076d61e40 5 bytes JMP 0000000076ec0240 .text C:\Windows\system32\wininit.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076d62100 5 bytes JMP 0000000076ec01e0 .text C:\Windows\system32\wininit.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076d621c0 1 byte JMP 0000000076ec0250 .text C:\Windows\system32\wininit.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076d621c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\wininit.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076d621f0 5 bytes JMP 0000000076ec0470 .text C:\Windows\system32\wininit.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076d62200 5 bytes JMP 0000000076ec0480 .text C:\Windows\system32\wininit.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076d62230 5 bytes JMP 0000000076ec0300 .text C:\Windows\system32\wininit.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076d62240 5 bytes JMP 0000000076ec0360 .text C:\Windows\system32\wininit.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076d622a0 5 bytes JMP 0000000076ec02a0 .text C:\Windows\system32\wininit.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076d622f0 5 bytes JMP 0000000076ec02c0 .text C:\Windows\system32\wininit.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076d62330 5 bytes JMP 0000000076ec0340 .text C:\Windows\system32\wininit.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076d62620 5 bytes JMP 0000000076ec0420 .text C:\Windows\system32\wininit.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076d62820 5 bytes JMP 0000000076ec0260 .text C:\Windows\system32\wininit.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076d62830 5 bytes JMP 0000000076ec0270 .text C:\Windows\system32\wininit.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076d62840 1 byte JMP 0000000076ec03d0 .text C:\Windows\system32\wininit.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000076d62842 3 bytes {JMP 0x15db90} .text C:\Windows\system32\wininit.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076d62a00 5 bytes JMP 0000000076ec01f0 .text C:\Windows\system32\wininit.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076d62a10 5 bytes JMP 0000000076ec0210 .text C:\Windows\system32\wininit.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076d62a80 5 bytes JMP 0000000076ec0200 .text C:\Windows\system32\wininit.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076d62ae0 5 bytes JMP 0000000076ec03f0 .text C:\Windows\system32\wininit.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076d62af0 5 bytes JMP 0000000076ec0400 .text C:\Windows\system32\wininit.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076d62b00 5 bytes JMP 0000000076ec0220 .text C:\Windows\system32\wininit.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076d62be0 5 bytes JMP 0000000076ec0280 .text C:\Windows\system32\wininit.exe[648] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076aeeecd 1 byte [62] .text C:\Windows\system32\winlogon.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076d613c0 5 bytes JMP 0000000100040440 .text C:\Windows\system32\winlogon.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076d61410 5 bytes JMP 0000000100040430 .text C:\Windows\system32\winlogon.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076d615c0 1 byte JMP 0000000100040450 .text C:\Windows\system32\winlogon.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 0000000076d615c2 3 bytes {JMP 0xffffffff892dee90} .text C:\Windows\system32\winlogon.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076d615d0 5 bytes JMP 00000001000403b0 .text C:\Windows\system32\winlogon.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076d61680 5 bytes JMP 0000000100040320 .text C:\Windows\system32\winlogon.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076d616b0 5 bytes JMP 0000000100040380 .text C:\Windows\system32\winlogon.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076d61710 5 bytes JMP 00000001000402e0 .text C:\Windows\system32\winlogon.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076d61760 5 bytes JMP 0000000100040410 .text C:\Windows\system32\winlogon.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076d61790 5 bytes JMP 00000001000402d0 .text C:\Windows\system32\winlogon.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076d617b0 5 bytes JMP 0000000100040310 .text C:\Windows\system32\winlogon.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076d617f0 5 bytes JMP 0000000100040390 .text C:\Windows\system32\winlogon.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076d61840 5 bytes JMP 00000001000403c0 .text C:\Windows\system32\winlogon.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076d619a0 1 byte JMP 0000000100040230 .text C:\Windows\system32\winlogon.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076d619a2 3 bytes {JMP 0xffffffff892de890} .text C:\Windows\system32\winlogon.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076d61b60 5 bytes JMP 0000000100040460 .text C:\Windows\system32\winlogon.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076d61b90 5 bytes JMP 0000000100040370 .text C:\Windows\system32\winlogon.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076d61c70 5 bytes JMP 00000001000402f0 .text C:\Windows\system32\winlogon.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076d61c80 5 bytes JMP 0000000100040350 .text C:\Windows\system32\winlogon.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076d61ce0 5 bytes JMP 0000000100040290 .text C:\Windows\system32\winlogon.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076d61d70 5 bytes JMP 00000001000402b0 .text C:\Windows\system32\winlogon.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076d61d90 5 bytes JMP 00000001000403a0 .text C:\Windows\system32\winlogon.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076d61da0 1 byte JMP 0000000100040330 .text C:\Windows\system32\winlogon.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076d61da2 3 bytes {JMP 0xffffffff892de590} .text C:\Windows\system32\winlogon.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076d61e10 5 bytes JMP 00000001000403e0 .text C:\Windows\system32\winlogon.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076d61e40 5 bytes JMP 0000000100040240 .text C:\Windows\system32\winlogon.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076d62100 5 bytes JMP 00000001000401e0 .text C:\Windows\system32\winlogon.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076d621c0 1 byte JMP 0000000100040250 .text C:\Windows\system32\winlogon.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076d621c2 3 bytes {JMP 0xffffffff892de090} .text C:\Windows\system32\winlogon.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076d621f0 5 bytes JMP 0000000100040470 .text C:\Windows\system32\winlogon.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076d62200 5 bytes JMP 0000000100040480 .text C:\Windows\system32\winlogon.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076d62230 5 bytes JMP 0000000100040300 .text C:\Windows\system32\winlogon.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076d62240 5 bytes JMP 0000000100040360 .text C:\Windows\system32\winlogon.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076d622a0 5 bytes JMP 00000001000402a0 .text C:\Windows\system32\winlogon.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076d622f0 5 bytes JMP 00000001000402c0 .text C:\Windows\system32\winlogon.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076d62330 5 bytes JMP 0000000100040340 .text C:\Windows\system32\winlogon.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076d62620 5 bytes JMP 0000000100040420 .text C:\Windows\system32\winlogon.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076d62820 5 bytes JMP 0000000100040260 .text C:\Windows\system32\winlogon.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076d62830 5 bytes JMP 0000000100040270 .text C:\Windows\system32\winlogon.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076d62840 1 byte JMP 00000001000403d0 .text C:\Windows\system32\winlogon.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000076d62842 3 bytes {JMP 0xffffffff892ddb90} .text C:\Windows\system32\winlogon.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076d62a00 5 bytes JMP 00000001000401f0 .text C:\Windows\system32\winlogon.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076d62a10 5 bytes JMP 0000000100040210 .text C:\Windows\system32\winlogon.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076d62a80 5 bytes JMP 0000000100040200 .text C:\Windows\system32\winlogon.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076d62ae0 5 bytes JMP 00000001000403f0 .text C:\Windows\system32\winlogon.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076d62af0 5 bytes JMP 0000000100040400 .text C:\Windows\system32\winlogon.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076d62b00 5 bytes JMP 0000000100040220 .text C:\Windows\system32\winlogon.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076d62be0 5 bytes JMP 0000000100040280 .text C:\Windows\system32\winlogon.exe[696] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076aeeecd 1 byte [62] .text C:\Windows\system32\services.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076d613c0 5 bytes JMP 0000000076ec0440 .text C:\Windows\system32\services.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076d61410 5 bytes JMP 0000000076ec0430 .text C:\Windows\system32\services.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076d615c0 1 byte JMP 0000000076ec0450 .text C:\Windows\system32\services.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 0000000076d615c2 3 bytes {JMP 0x15ee90} .text C:\Windows\system32\services.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076d615d0 5 bytes JMP 0000000076ec03b0 .text C:\Windows\system32\services.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076d61680 5 bytes JMP 0000000076ec0320 .text C:\Windows\system32\services.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076d616b0 5 bytes JMP 0000000076ec0380 .text C:\Windows\system32\services.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076d61710 5 bytes JMP 0000000076ec02e0 .text C:\Windows\system32\services.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076d61760 5 bytes JMP 0000000076ec0410 .text C:\Windows\system32\services.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076d61790 5 bytes JMP 0000000076ec02d0 .text C:\Windows\system32\services.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076d617b0 5 bytes JMP 0000000076ec0310 .text C:\Windows\system32\services.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076d617f0 5 bytes JMP 0000000076ec0390 .text C:\Windows\system32\services.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076d61840 5 bytes JMP 0000000076ec03c0 .text C:\Windows\system32\services.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076d619a0 1 byte JMP 0000000076ec0230 .text C:\Windows\system32\services.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076d619a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\services.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076d61b60 5 bytes JMP 0000000076ec0460 .text C:\Windows\system32\services.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076d61b90 5 bytes JMP 0000000076ec0370 .text C:\Windows\system32\services.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076d61c70 5 bytes JMP 0000000076ec02f0 .text C:\Windows\system32\services.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076d61c80 5 bytes JMP 0000000076ec0350 .text C:\Windows\system32\services.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076d61ce0 5 bytes JMP 0000000076ec0290 .text C:\Windows\system32\services.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076d61d70 5 bytes JMP 0000000076ec02b0 .text C:\Windows\system32\services.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076d61d90 5 bytes JMP 0000000076ec03a0 .text C:\Windows\system32\services.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076d61da0 1 byte JMP 0000000076ec0330 .text C:\Windows\system32\services.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076d61da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\services.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076d61e10 5 bytes JMP 0000000076ec03e0 .text C:\Windows\system32\services.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076d61e40 5 bytes JMP 0000000076ec0240 .text C:\Windows\system32\services.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076d62100 5 bytes JMP 0000000076ec01e0 .text C:\Windows\system32\services.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076d621c0 1 byte JMP 0000000076ec0250 .text C:\Windows\system32\services.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076d621c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\services.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076d621f0 5 bytes JMP 0000000076ec0470 .text C:\Windows\system32\services.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076d62200 5 bytes JMP 0000000076ec0480 .text C:\Windows\system32\services.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076d62230 5 bytes JMP 0000000076ec0300 .text C:\Windows\system32\services.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076d62240 5 bytes JMP 0000000076ec0360 .text C:\Windows\system32\services.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076d622a0 5 bytes JMP 0000000076ec02a0 .text C:\Windows\system32\services.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076d622f0 5 bytes JMP 0000000076ec02c0 .text C:\Windows\system32\services.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076d62330 5 bytes JMP 0000000076ec0340 .text C:\Windows\system32\services.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076d62620 5 bytes JMP 0000000076ec0420 .text C:\Windows\system32\services.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076d62820 5 bytes JMP 0000000076ec0260 .text C:\Windows\system32\services.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076d62830 5 bytes JMP 0000000076ec0270 .text C:\Windows\system32\services.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076d62840 1 byte JMP 0000000076ec03d0 .text C:\Windows\system32\services.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000076d62842 3 bytes {JMP 0x15db90} .text C:\Windows\system32\services.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076d62a00 5 bytes JMP 0000000076ec01f0 .text C:\Windows\system32\services.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076d62a10 5 bytes JMP 0000000076ec0210 .text C:\Windows\system32\services.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076d62a80 5 bytes JMP 0000000076ec0200 .text C:\Windows\system32\services.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076d62ae0 5 bytes JMP 0000000076ec03f0 .text C:\Windows\system32\services.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076d62af0 5 bytes JMP 0000000076ec0400 .text C:\Windows\system32\services.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076d62b00 5 bytes JMP 0000000076ec0220 .text C:\Windows\system32\services.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076d62be0 5 bytes JMP 0000000076ec0280 .text C:\Windows\system32\services.exe[744] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076aeeecd 1 byte [62] .text C:\Windows\system32\lsass.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076d613c0 5 bytes JMP 0000000076ec0440 .text C:\Windows\system32\lsass.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076d61410 5 bytes JMP 0000000076ec0430 .text C:\Windows\system32\lsass.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076d615c0 1 byte JMP 0000000076ec0450 .text C:\Windows\system32\lsass.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 0000000076d615c2 3 bytes {JMP 0x15ee90} .text C:\Windows\system32\lsass.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076d615d0 5 bytes JMP 0000000076ec03b0 .text C:\Windows\system32\lsass.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076d61680 5 bytes JMP 0000000076ec0320 .text C:\Windows\system32\lsass.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076d616b0 5 bytes JMP 0000000076ec0380 .text C:\Windows\system32\lsass.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076d61710 5 bytes JMP 0000000076ec02e0 .text C:\Windows\system32\lsass.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076d61760 5 bytes JMP 0000000076ec0410 .text C:\Windows\system32\lsass.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076d61790 5 bytes JMP 0000000076ec02d0 .text C:\Windows\system32\lsass.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076d617b0 5 bytes JMP 0000000076ec0310 .text C:\Windows\system32\lsass.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076d617f0 5 bytes JMP 0000000076ec0390 .text C:\Windows\system32\lsass.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076d61840 5 bytes JMP 0000000076ec03c0 .text C:\Windows\system32\lsass.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076d619a0 1 byte JMP 0000000076ec0230 .text C:\Windows\system32\lsass.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076d619a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\lsass.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076d61b60 5 bytes JMP 0000000076ec0460 .text C:\Windows\system32\lsass.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076d61b90 5 bytes JMP 0000000076ec0370 .text C:\Windows\system32\lsass.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076d61c70 5 bytes JMP 0000000076ec02f0 .text C:\Windows\system32\lsass.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076d61c80 5 bytes JMP 0000000076ec0350 .text C:\Windows\system32\lsass.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076d61ce0 5 bytes JMP 0000000076ec0290 .text C:\Windows\system32\lsass.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076d61d70 5 bytes JMP 0000000076ec02b0 .text C:\Windows\system32\lsass.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076d61d90 5 bytes JMP 0000000076ec03a0 .text C:\Windows\system32\lsass.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076d61da0 1 byte JMP 0000000076ec0330 .text C:\Windows\system32\lsass.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076d61da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\lsass.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076d61e10 5 bytes JMP 0000000076ec03e0 .text C:\Windows\system32\lsass.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076d61e40 5 bytes JMP 0000000076ec0240 .text C:\Windows\system32\lsass.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076d62100 5 bytes JMP 0000000076ec01e0 .text C:\Windows\system32\lsass.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076d621c0 1 byte JMP 0000000076ec0250 .text C:\Windows\system32\lsass.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076d621c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\lsass.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076d621f0 5 bytes JMP 0000000076ec0470 .text C:\Windows\system32\lsass.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076d62200 5 bytes JMP 0000000076ec0480 .text C:\Windows\system32\lsass.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076d62230 5 bytes JMP 0000000076ec0300 .text C:\Windows\system32\lsass.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076d62240 5 bytes JMP 0000000076ec0360 .text C:\Windows\system32\lsass.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076d622a0 5 bytes JMP 0000000076ec02a0 .text C:\Windows\system32\lsass.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076d622f0 5 bytes JMP 0000000076ec02c0 .text C:\Windows\system32\lsass.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076d62330 5 bytes JMP 0000000076ec0340 .text C:\Windows\system32\lsass.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076d62620 5 bytes JMP 0000000076ec0420 .text C:\Windows\system32\lsass.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076d62820 5 bytes JMP 0000000076ec0260 .text C:\Windows\system32\lsass.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076d62830 5 bytes JMP 0000000076ec0270 .text C:\Windows\system32\lsass.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076d62840 1 byte JMP 0000000076ec03d0 .text C:\Windows\system32\lsass.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000076d62842 3 bytes {JMP 0x15db90} .text C:\Windows\system32\lsass.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076d62a00 5 bytes JMP 0000000076ec01f0 .text C:\Windows\system32\lsass.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076d62a10 5 bytes JMP 0000000076ec0210 .text C:\Windows\system32\lsass.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076d62a80 5 bytes JMP 0000000076ec0200 .text C:\Windows\system32\lsass.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076d62ae0 5 bytes JMP 0000000076ec03f0 .text C:\Windows\system32\lsass.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076d62af0 5 bytes JMP 0000000076ec0400 .text C:\Windows\system32\lsass.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076d62b00 5 bytes JMP 0000000076ec0220 .text C:\Windows\system32\lsass.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076d62be0 5 bytes JMP 0000000076ec0280 .text C:\Windows\system32\lsm.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076d613c0 5 bytes JMP 0000000076ec0440 .text C:\Windows\system32\lsm.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076d61410 5 bytes JMP 0000000076ec0430 .text C:\Windows\system32\lsm.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076d615c0 1 byte JMP 0000000076ec0450 .text C:\Windows\system32\lsm.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 0000000076d615c2 3 bytes {JMP 0x15ee90} .text C:\Windows\system32\lsm.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076d615d0 5 bytes JMP 0000000076ec03b0 .text C:\Windows\system32\lsm.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076d61680 5 bytes JMP 0000000076ec0320 .text C:\Windows\system32\lsm.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076d616b0 5 bytes JMP 0000000076ec0380 .text C:\Windows\system32\lsm.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076d61710 5 bytes JMP 0000000076ec02e0 .text C:\Windows\system32\lsm.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076d61760 5 bytes JMP 0000000076ec0410 .text C:\Windows\system32\lsm.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076d61790 5 bytes JMP 0000000076ec02d0 .text C:\Windows\system32\lsm.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076d617b0 5 bytes JMP 0000000076ec0310 .text C:\Windows\system32\lsm.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076d617f0 5 bytes JMP 0000000076ec0390 .text C:\Windows\system32\lsm.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076d61840 5 bytes JMP 0000000076ec03c0 .text C:\Windows\system32\lsm.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076d619a0 1 byte JMP 0000000076ec0230 .text C:\Windows\system32\lsm.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076d619a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\lsm.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076d61b60 5 bytes JMP 0000000076ec0460 .text C:\Windows\system32\lsm.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076d61b90 5 bytes JMP 0000000076ec0370 .text C:\Windows\system32\lsm.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076d61c70 5 bytes JMP 0000000076ec02f0 .text C:\Windows\system32\lsm.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076d61c80 5 bytes JMP 0000000076ec0350 .text C:\Windows\system32\lsm.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076d61ce0 5 bytes JMP 0000000076ec0290 .text C:\Windows\system32\lsm.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076d61d70 5 bytes JMP 0000000076ec02b0 .text C:\Windows\system32\lsm.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076d61d90 5 bytes JMP 0000000076ec03a0 .text C:\Windows\system32\lsm.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076d61da0 1 byte JMP 0000000076ec0330 .text C:\Windows\system32\lsm.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076d61da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\lsm.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076d61e10 5 bytes JMP 0000000076ec03e0 .text C:\Windows\system32\lsm.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076d61e40 5 bytes JMP 0000000076ec0240 .text C:\Windows\system32\lsm.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076d62100 5 bytes JMP 0000000076ec01e0 .text C:\Windows\system32\lsm.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076d621c0 1 byte JMP 0000000076ec0250 .text C:\Windows\system32\lsm.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076d621c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\lsm.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076d621f0 5 bytes JMP 0000000076ec0470 .text C:\Windows\system32\lsm.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076d62200 5 bytes JMP 0000000076ec0480 .text C:\Windows\system32\lsm.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076d62230 5 bytes JMP 0000000076ec0300 .text C:\Windows\system32\lsm.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076d62240 5 bytes JMP 0000000076ec0360 .text C:\Windows\system32\lsm.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076d622a0 5 bytes JMP 0000000076ec02a0 .text C:\Windows\system32\lsm.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076d622f0 5 bytes JMP 0000000076ec02c0 .text C:\Windows\system32\lsm.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076d62330 5 bytes JMP 0000000076ec0340 .text C:\Windows\system32\lsm.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076d62620 5 bytes JMP 0000000076ec0420 .text C:\Windows\system32\lsm.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076d62820 5 bytes JMP 0000000076ec0260 .text C:\Windows\system32\lsm.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076d62830 5 bytes JMP 0000000076ec0270 .text C:\Windows\system32\lsm.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076d62840 1 byte JMP 0000000076ec03d0 .text C:\Windows\system32\lsm.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000076d62842 3 bytes {JMP 0x15db90} .text C:\Windows\system32\lsm.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076d62a00 5 bytes JMP 0000000076ec01f0 .text C:\Windows\system32\lsm.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076d62a10 5 bytes JMP 0000000076ec0210 .text C:\Windows\system32\lsm.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076d62a80 5 bytes JMP 0000000076ec0200 .text C:\Windows\system32\lsm.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076d62ae0 5 bytes JMP 0000000076ec03f0 .text C:\Windows\system32\lsm.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076d62af0 5 bytes JMP 0000000076ec0400 .text C:\Windows\system32\lsm.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076d62b00 5 bytes JMP 0000000076ec0220 .text C:\Windows\system32\lsm.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076d62be0 5 bytes JMP 0000000076ec0280 .text C:\Windows\system32\svchost.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076d613c0 5 bytes JMP 0000000100070440 .text C:\Windows\system32\svchost.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076d61410 5 bytes JMP 0000000100070430 .text C:\Windows\system32\svchost.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076d615c0 1 byte JMP 0000000100070450 .text C:\Windows\system32\svchost.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 0000000076d615c2 3 bytes {JMP 0xffffffff8930ee90} .text C:\Windows\system32\svchost.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076d615d0 5 bytes JMP 00000001000703b0 .text C:\Windows\system32\svchost.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076d61680 5 bytes JMP 0000000100070320 .text C:\Windows\system32\svchost.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076d616b0 5 bytes JMP 0000000100070380 .text C:\Windows\system32\svchost.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076d61710 5 bytes JMP 00000001000702e0 .text C:\Windows\system32\svchost.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076d61760 5 bytes JMP 0000000100070410 .text C:\Windows\system32\svchost.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076d61790 5 bytes JMP 00000001000702d0 .text C:\Windows\system32\svchost.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076d617b0 5 bytes JMP 0000000100070310 .text C:\Windows\system32\svchost.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076d617f0 5 bytes JMP 0000000100070390 .text C:\Windows\system32\svchost.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076d61840 5 bytes JMP 00000001000703c0 .text C:\Windows\system32\svchost.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076d619a0 1 byte JMP 0000000100070230 .text C:\Windows\system32\svchost.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076d619a2 3 bytes {JMP 0xffffffff8930e890} .text C:\Windows\system32\svchost.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076d61b60 5 bytes JMP 0000000100070460 .text C:\Windows\system32\svchost.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076d61b90 5 bytes JMP 0000000100070370 .text C:\Windows\system32\svchost.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076d61c70 5 bytes JMP 00000001000702f0 .text C:\Windows\system32\svchost.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076d61c80 5 bytes JMP 0000000100070350 .text C:\Windows\system32\svchost.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076d61ce0 5 bytes JMP 0000000100070290 .text C:\Windows\system32\svchost.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076d61d70 5 bytes JMP 00000001000702b0 .text C:\Windows\system32\svchost.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076d61d90 5 bytes JMP 00000001000703a0 .text C:\Windows\system32\svchost.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076d61da0 1 byte JMP 0000000100070330 .text C:\Windows\system32\svchost.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076d61da2 3 bytes {JMP 0xffffffff8930e590} .text C:\Windows\system32\svchost.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076d61e10 5 bytes JMP 00000001000703e0 .text C:\Windows\system32\svchost.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076d61e40 5 bytes JMP 0000000100070240 .text C:\Windows\system32\svchost.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076d62100 5 bytes JMP 00000001000701e0 .text C:\Windows\system32\svchost.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076d621c0 1 byte JMP 0000000100070250 .text C:\Windows\system32\svchost.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076d621c2 3 bytes {JMP 0xffffffff8930e090} .text C:\Windows\system32\svchost.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076d621f0 5 bytes JMP 0000000100070470 .text C:\Windows\system32\svchost.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076d62200 5 bytes JMP 0000000100070480 .text C:\Windows\system32\svchost.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076d62230 5 bytes JMP 0000000100070300 .text C:\Windows\system32\svchost.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076d62240 5 bytes JMP 0000000100070360 .text C:\Windows\system32\svchost.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076d622a0 5 bytes JMP 00000001000702a0 .text C:\Windows\system32\svchost.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076d622f0 5 bytes JMP 00000001000702c0 .text C:\Windows\system32\svchost.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076d62330 5 bytes JMP 0000000100070340 .text C:\Windows\system32\svchost.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076d62620 5 bytes JMP 0000000100070420 .text C:\Windows\system32\svchost.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076d62820 5 bytes JMP 0000000100070260 .text C:\Windows\system32\svchost.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076d62830 5 bytes JMP 0000000100070270 .text C:\Windows\system32\svchost.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076d62840 1 byte JMP 00000001000703d0 .text C:\Windows\system32\svchost.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000076d62842 3 bytes {JMP 0xffffffff8930db90} .text C:\Windows\system32\svchost.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076d62a00 5 bytes JMP 00000001000701f0 .text C:\Windows\system32\svchost.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076d62a10 5 bytes JMP 0000000100070210 .text C:\Windows\system32\svchost.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076d62a80 5 bytes JMP 0000000100070200 .text C:\Windows\system32\svchost.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076d62ae0 5 bytes JMP 00000001000703f0 .text C:\Windows\system32\svchost.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076d62af0 5 bytes JMP 0000000100070400 .text C:\Windows\system32\svchost.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076d62b00 5 bytes JMP 0000000100070220 .text C:\Windows\system32\svchost.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076d62be0 5 bytes JMP 0000000100070280 .text C:\Windows\system32\svchost.exe[856] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076aeeecd 1 byte [62] .text C:\Program Files (x86)\HP SimplePass 2011\TrueSuiteService.exe[940] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000762ea30a 1 byte [62] .text C:\Windows\system32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076d613c0 5 bytes JMP 0000000076ec0440 .text C:\Windows\system32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076d61410 5 bytes JMP 0000000076ec0430 .text C:\Windows\system32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076d615c0 1 byte JMP 0000000076ec0450 .text C:\Windows\system32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 0000000076d615c2 3 bytes {JMP 0x15ee90} .text C:\Windows\system32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076d615d0 5 bytes JMP 0000000076ec03b0 .text C:\Windows\system32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076d61680 5 bytes JMP 0000000076ec0320 .text C:\Windows\system32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076d616b0 5 bytes JMP 0000000076ec0380 .text C:\Windows\system32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076d61710 5 bytes JMP 0000000076ec02e0 .text C:\Windows\system32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076d61760 5 bytes JMP 0000000076ec0410 .text C:\Windows\system32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076d61790 5 bytes JMP 0000000076ec02d0 .text C:\Windows\system32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076d617b0 5 bytes JMP 0000000076ec0310 .text C:\Windows\system32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076d617f0 5 bytes JMP 0000000076ec0390 .text C:\Windows\system32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076d61840 5 bytes JMP 0000000076ec03c0 .text C:\Windows\system32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076d619a0 1 byte JMP 0000000076ec0230 .text C:\Windows\system32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076d619a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076d61b60 5 bytes JMP 0000000076ec0460 .text C:\Windows\system32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076d61b90 5 bytes JMP 0000000076ec0370 .text C:\Windows\system32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076d61c70 5 bytes JMP 0000000076ec02f0 .text C:\Windows\system32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076d61c80 5 bytes JMP 0000000076ec0350 .text C:\Windows\system32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076d61ce0 5 bytes JMP 0000000076ec0290 .text C:\Windows\system32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076d61d70 5 bytes JMP 0000000076ec02b0 .text C:\Windows\system32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076d61d90 5 bytes JMP 0000000076ec03a0 .text C:\Windows\system32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076d61da0 1 byte JMP 0000000076ec0330 .text C:\Windows\system32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076d61da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076d61e10 5 bytes JMP 0000000076ec03e0 .text C:\Windows\system32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076d61e40 5 bytes JMP 0000000076ec0240 .text C:\Windows\system32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076d62100 5 bytes JMP 0000000076ec01e0 .text C:\Windows\system32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076d621c0 1 byte JMP 0000000076ec0250 .text C:\Windows\system32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076d621c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076d621f0 5 bytes JMP 0000000076ec0470 .text C:\Windows\system32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076d62200 5 bytes JMP 0000000076ec0480 .text C:\Windows\system32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076d62230 5 bytes JMP 0000000076ec0300 .text C:\Windows\system32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076d62240 5 bytes JMP 0000000076ec0360 .text C:\Windows\system32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076d622a0 5 bytes JMP 0000000076ec02a0 .text C:\Windows\system32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076d622f0 5 bytes JMP 0000000076ec02c0 .text C:\Windows\system32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076d62330 5 bytes JMP 0000000076ec0340 .text C:\Windows\system32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076d62620 5 bytes JMP 0000000076ec0420 .text C:\Windows\system32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076d62820 5 bytes JMP 0000000076ec0260 .text C:\Windows\system32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076d62830 5 bytes JMP 0000000076ec0270 .text C:\Windows\system32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076d62840 1 byte JMP 0000000076ec03d0 .text C:\Windows\system32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000076d62842 3 bytes {JMP 0x15db90} .text C:\Windows\system32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076d62a00 5 bytes JMP 0000000076ec01f0 .text C:\Windows\system32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076d62a10 5 bytes JMP 0000000076ec0210 .text C:\Windows\system32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076d62a80 5 bytes JMP 0000000076ec0200 .text C:\Windows\system32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076d62ae0 5 bytes JMP 0000000076ec03f0 .text C:\Windows\system32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076d62af0 5 bytes JMP 0000000076ec0400 .text C:\Windows\system32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076d62b00 5 bytes JMP 0000000076ec0220 .text C:\Windows\system32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076d62be0 5 bytes JMP 0000000076ec0280 .text C:\Windows\system32\atiesrxx.exe[560] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076aeeecd 1 byte [62] .text C:\Windows\System32\svchost.exe[632] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076aeeecd 1 byte [62] .text C:\Windows\System32\svchost.exe[812] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076d613c0 5 bytes JMP 0000000076ec0440 .text C:\Windows\System32\svchost.exe[812] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076d61410 5 bytes JMP 0000000076ec0430 .text C:\Windows\System32\svchost.exe[812] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076d615c0 1 byte JMP 0000000076ec0450 .text C:\Windows\System32\svchost.exe[812] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 0000000076d615c2 3 bytes {JMP 0x15ee90} .text C:\Windows\System32\svchost.exe[812] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076d615d0 5 bytes JMP 0000000076ec03b0 .text C:\Windows\System32\svchost.exe[812] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076d61680 5 bytes JMP 0000000076ec0320 .text C:\Windows\System32\svchost.exe[812] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076d616b0 5 bytes JMP 0000000076ec0380 .text C:\Windows\System32\svchost.exe[812] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076d61710 5 bytes JMP 0000000076ec02e0 .text C:\Windows\System32\svchost.exe[812] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076d61760 5 bytes JMP 0000000076ec0410 .text C:\Windows\System32\svchost.exe[812] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076d61790 5 bytes JMP 0000000076ec02d0 .text C:\Windows\System32\svchost.exe[812] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076d617b0 5 bytes JMP 0000000076ec0310 .text C:\Windows\System32\svchost.exe[812] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076d617f0 5 bytes JMP 0000000076ec0390 .text C:\Windows\System32\svchost.exe[812] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076d61840 5 bytes JMP 0000000076ec03c0 .text C:\Windows\System32\svchost.exe[812] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076d619a0 1 byte JMP 0000000076ec0230 .text C:\Windows\System32\svchost.exe[812] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076d619a2 3 bytes {JMP 0x15e890} .text C:\Windows\System32\svchost.exe[812] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076d61b60 5 bytes JMP 0000000076ec0460 .text C:\Windows\System32\svchost.exe[812] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076d61b90 5 bytes JMP 0000000076ec0370 .text C:\Windows\System32\svchost.exe[812] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076d61c70 5 bytes JMP 0000000076ec02f0 .text C:\Windows\System32\svchost.exe[812] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076d61c80 5 bytes JMP 0000000076ec0350 .text C:\Windows\System32\svchost.exe[812] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076d61ce0 5 bytes JMP 0000000076ec0290 .text C:\Windows\System32\svchost.exe[812] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076d61d70 5 bytes JMP 0000000076ec02b0 .text C:\Windows\System32\svchost.exe[812] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076d61d90 5 bytes JMP 0000000076ec03a0 .text C:\Windows\System32\svchost.exe[812] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076d61da0 1 byte JMP 0000000076ec0330 .text C:\Windows\System32\svchost.exe[812] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076d61da2 3 bytes {JMP 0x15e590} .text C:\Windows\System32\svchost.exe[812] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076d61e10 5 bytes JMP 0000000076ec03e0 .text C:\Windows\System32\svchost.exe[812] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076d61e40 5 bytes JMP 0000000076ec0240 .text C:\Windows\System32\svchost.exe[812] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076d62100 5 bytes JMP 0000000076ec01e0 .text C:\Windows\System32\svchost.exe[812] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076d621c0 1 byte JMP 0000000076ec0250 .text C:\Windows\System32\svchost.exe[812] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076d621c2 3 bytes {JMP 0x15e090} .text C:\Windows\System32\svchost.exe[812] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076d621f0 5 bytes JMP 0000000076ec0470 .text C:\Windows\System32\svchost.exe[812] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076d62200 5 bytes JMP 0000000076ec0480 .text C:\Windows\System32\svchost.exe[812] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076d62230 5 bytes JMP 0000000076ec0300 .text C:\Windows\System32\svchost.exe[812] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076d62240 5 bytes JMP 0000000076ec0360 .text C:\Windows\System32\svchost.exe[812] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076d622a0 5 bytes JMP 0000000076ec02a0 .text C:\Windows\System32\svchost.exe[812] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076d622f0 5 bytes JMP 0000000076ec02c0 .text C:\Windows\System32\svchost.exe[812] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076d62330 5 bytes JMP 0000000076ec0340 .text C:\Windows\System32\svchost.exe[812] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076d62620 5 bytes JMP 0000000076ec0420 .text C:\Windows\System32\svchost.exe[812] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076d62820 5 bytes JMP 0000000076ec0260 .text C:\Windows\System32\svchost.exe[812] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076d62830 5 bytes JMP 0000000076ec0270 .text C:\Windows\System32\svchost.exe[812] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076d62840 1 byte JMP 0000000076ec03d0 .text C:\Windows\System32\svchost.exe[812] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000076d62842 3 bytes {JMP 0x15db90} .text C:\Windows\System32\svchost.exe[812] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076d62a00 5 bytes JMP 0000000076ec01f0 .text C:\Windows\System32\svchost.exe[812] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076d62a10 5 bytes JMP 0000000076ec0210 .text C:\Windows\System32\svchost.exe[812] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076d62a80 5 bytes JMP 0000000076ec0200 .text C:\Windows\System32\svchost.exe[812] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076d62ae0 5 bytes JMP 0000000076ec03f0 .text C:\Windows\System32\svchost.exe[812] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076d62af0 5 bytes JMP 0000000076ec0400 .text C:\Windows\System32\svchost.exe[812] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076d62b00 5 bytes JMP 0000000076ec0220 .text C:\Windows\System32\svchost.exe[812] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076d62be0 5 bytes JMP 0000000076ec0280 .text C:\Windows\System32\svchost.exe[812] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076aeeecd 1 byte [62] .text C:\Windows\system32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076d613c0 5 bytes JMP 0000000076ec0440 .text C:\Windows\system32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076d61410 5 bytes JMP 0000000076ec0430 .text C:\Windows\system32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076d615c0 1 byte JMP 0000000076ec0450 .text C:\Windows\system32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 0000000076d615c2 3 bytes {JMP 0x15ee90} .text C:\Windows\system32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076d615d0 5 bytes JMP 0000000076ec03b0 .text C:\Windows\system32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076d61680 5 bytes JMP 0000000076ec0320 .text C:\Windows\system32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076d616b0 5 bytes JMP 0000000076ec0380 .text C:\Windows\system32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076d61710 5 bytes JMP 0000000076ec02e0 .text C:\Windows\system32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076d61760 5 bytes JMP 0000000076ec0410 .text C:\Windows\system32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076d61790 5 bytes JMP 0000000076ec02d0 .text C:\Windows\system32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076d617b0 5 bytes JMP 0000000076ec0310 .text C:\Windows\system32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076d617f0 5 bytes JMP 0000000076ec0390 .text C:\Windows\system32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076d61840 5 bytes JMP 0000000076ec03c0 .text C:\Windows\system32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076d619a0 1 byte JMP 0000000076ec0230 .text C:\Windows\system32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076d619a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076d61b60 5 bytes JMP 0000000076ec0460 .text C:\Windows\system32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076d61b90 5 bytes JMP 0000000076ec0370 .text C:\Windows\system32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076d61c70 5 bytes JMP 0000000076ec02f0 .text C:\Windows\system32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076d61c80 5 bytes JMP 0000000076ec0350 .text C:\Windows\system32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076d61ce0 5 bytes JMP 0000000076ec0290 .text C:\Windows\system32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076d61d70 5 bytes JMP 0000000076ec02b0 .text C:\Windows\system32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076d61d90 5 bytes JMP 0000000076ec03a0 .text C:\Windows\system32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076d61da0 1 byte JMP 0000000076ec0330 .text C:\Windows\system32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076d61da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076d61e10 5 bytes JMP 0000000076ec03e0 .text C:\Windows\system32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076d61e40 5 bytes JMP 0000000076ec0240 .text C:\Windows\system32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076d62100 5 bytes JMP 0000000076ec01e0 .text C:\Windows\system32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076d621c0 1 byte JMP 0000000076ec0250 .text C:\Windows\system32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076d621c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076d621f0 5 bytes JMP 0000000076ec0470 .text C:\Windows\system32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076d62200 5 bytes JMP 0000000076ec0480 .text C:\Windows\system32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076d62230 5 bytes JMP 0000000076ec0300 .text C:\Windows\system32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076d62240 5 bytes JMP 0000000076ec0360 .text C:\Windows\system32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076d622a0 5 bytes JMP 0000000076ec02a0 .text C:\Windows\system32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076d622f0 5 bytes JMP 0000000076ec02c0 .text C:\Windows\system32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076d62330 5 bytes JMP 0000000076ec0340 .text C:\Windows\system32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076d62620 5 bytes JMP 0000000076ec0420 .text C:\Windows\system32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076d62820 5 bytes JMP 0000000076ec0260 .text C:\Windows\system32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076d62830 5 bytes JMP 0000000076ec0270 .text C:\Windows\system32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076d62840 1 byte JMP 0000000076ec03d0 .text C:\Windows\system32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000076d62842 3 bytes {JMP 0x15db90} .text C:\Windows\system32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076d62a00 5 bytes JMP 0000000076ec01f0 .text C:\Windows\system32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076d62a10 5 bytes JMP 0000000076ec0210 .text C:\Windows\system32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076d62a80 5 bytes JMP 0000000076ec0200 .text C:\Windows\system32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076d62ae0 5 bytes JMP 0000000076ec03f0 .text C:\Windows\system32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076d62af0 5 bytes JMP 0000000076ec0400 .text C:\Windows\system32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076d62b00 5 bytes JMP 0000000076ec0220 .text C:\Windows\system32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076d62be0 5 bytes JMP 0000000076ec0280 .text C:\Windows\system32\svchost.exe[1032] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076aeeecd 1 byte [62] .text C:\Program Files\IDT\WDM\STacSV64.exe[1068] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076aeeecd 1 byte [62] .text C:\Windows\system32\svchost.exe[1384] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076d613c0 5 bytes JMP 0000000100070440 .text C:\Windows\system32\svchost.exe[1384] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076d61410 5 bytes JMP 0000000100070430 .text C:\Windows\system32\svchost.exe[1384] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076d615c0 1 byte JMP 0000000100070450 .text C:\Windows\system32\svchost.exe[1384] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 0000000076d615c2 3 bytes {JMP 0xffffffff8930ee90} .text C:\Windows\system32\svchost.exe[1384] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076d615d0 5 bytes JMP 00000001000703b0 .text C:\Windows\system32\svchost.exe[1384] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076d61680 5 bytes JMP 0000000100070320 .text C:\Windows\system32\svchost.exe[1384] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076d616b0 5 bytes JMP 0000000100070380 .text C:\Windows\system32\svchost.exe[1384] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076d61710 5 bytes JMP 00000001000702e0 .text C:\Windows\system32\svchost.exe[1384] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076d61760 5 bytes JMP 0000000100070410 .text C:\Windows\system32\svchost.exe[1384] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076d61790 5 bytes JMP 00000001000702d0 .text C:\Windows\system32\svchost.exe[1384] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076d617b0 5 bytes JMP 0000000100070310 .text C:\Windows\system32\svchost.exe[1384] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076d617f0 5 bytes JMP 0000000100070390 .text C:\Windows\system32\svchost.exe[1384] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076d61840 5 bytes JMP 00000001000703c0 .text C:\Windows\system32\svchost.exe[1384] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076d619a0 1 byte JMP 0000000100070230 .text C:\Windows\system32\svchost.exe[1384] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076d619a2 3 bytes {JMP 0xffffffff8930e890} .text C:\Windows\system32\svchost.exe[1384] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076d61b60 5 bytes JMP 0000000100070460 .text C:\Windows\system32\svchost.exe[1384] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076d61b90 5 bytes JMP 0000000100070370 .text C:\Windows\system32\svchost.exe[1384] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076d61c70 5 bytes JMP 00000001000702f0 .text C:\Windows\system32\svchost.exe[1384] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076d61c80 5 bytes JMP 0000000100070350 .text C:\Windows\system32\svchost.exe[1384] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076d61ce0 5 bytes JMP 0000000100070290 .text C:\Windows\system32\svchost.exe[1384] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076d61d70 5 bytes JMP 00000001000702b0 .text C:\Windows\system32\svchost.exe[1384] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076d61d90 5 bytes JMP 00000001000703a0 .text C:\Windows\system32\svchost.exe[1384] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076d61da0 1 byte JMP 0000000100070330 .text C:\Windows\system32\svchost.exe[1384] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076d61da2 3 bytes {JMP 0xffffffff8930e590} .text C:\Windows\system32\svchost.exe[1384] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076d61e10 5 bytes JMP 00000001000703e0 .text C:\Windows\system32\svchost.exe[1384] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076d61e40 5 bytes JMP 0000000100070240 .text C:\Windows\system32\svchost.exe[1384] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076d62100 5 bytes JMP 00000001000701e0 .text C:\Windows\system32\svchost.exe[1384] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076d621c0 1 byte JMP 0000000100070250 .text C:\Windows\system32\svchost.exe[1384] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076d621c2 3 bytes {JMP 0xffffffff8930e090} .text C:\Windows\system32\svchost.exe[1384] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076d621f0 5 bytes JMP 0000000100070470 .text C:\Windows\system32\svchost.exe[1384] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076d62200 5 bytes JMP 0000000100070480 .text C:\Windows\system32\svchost.exe[1384] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076d62230 5 bytes JMP 0000000100070300 .text C:\Windows\system32\svchost.exe[1384] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076d62240 5 bytes JMP 0000000100070360 .text C:\Windows\system32\svchost.exe[1384] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076d622a0 5 bytes JMP 00000001000702a0 .text C:\Windows\system32\svchost.exe[1384] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076d622f0 5 bytes JMP 00000001000702c0 .text C:\Windows\system32\svchost.exe[1384] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076d62330 5 bytes JMP 0000000100070340 .text C:\Windows\system32\svchost.exe[1384] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076d62620 5 bytes JMP 0000000100070420 .text C:\Windows\system32\svchost.exe[1384] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076d62820 5 bytes JMP 0000000100070260 .text C:\Windows\system32\svchost.exe[1384] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076d62830 5 bytes JMP 0000000100070270 .text C:\Windows\system32\svchost.exe[1384] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076d62840 1 byte JMP 00000001000703d0 .text C:\Windows\system32\svchost.exe[1384] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000076d62842 3 bytes {JMP 0xffffffff8930db90} .text C:\Windows\system32\svchost.exe[1384] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076d62a00 5 bytes JMP 00000001000701f0 .text C:\Windows\system32\svchost.exe[1384] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076d62a10 5 bytes JMP 0000000100070210 .text C:\Windows\system32\svchost.exe[1384] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076d62a80 5 bytes JMP 0000000100070200 .text C:\Windows\system32\svchost.exe[1384] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076d62ae0 5 bytes JMP 00000001000703f0 .text C:\Windows\system32\svchost.exe[1384] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076d62af0 5 bytes JMP 0000000100070400 .text C:\Windows\system32\svchost.exe[1384] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076d62b00 5 bytes JMP 0000000100070220 .text C:\Windows\system32\svchost.exe[1384] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076d62be0 5 bytes JMP 0000000100070280 .text C:\Windows\system32\svchost.exe[1384] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076aeeecd 1 byte [62] .text C:\Windows\system32\atieclxx.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076d613c0 5 bytes JMP 0000000076ec0440 .text C:\Windows\system32\atieclxx.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076d61410 5 bytes JMP 0000000076ec0430 .text C:\Windows\system32\atieclxx.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076d615c0 1 byte JMP 0000000076ec0450 .text C:\Windows\system32\atieclxx.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 0000000076d615c2 3 bytes {JMP 0x15ee90} .text C:\Windows\system32\atieclxx.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076d615d0 5 bytes JMP 0000000076ec03b0 .text C:\Windows\system32\atieclxx.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076d61680 5 bytes JMP 0000000076ec0320 .text C:\Windows\system32\atieclxx.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076d616b0 5 bytes JMP 0000000076ec0380 .text C:\Windows\system32\atieclxx.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076d61710 5 bytes JMP 0000000076ec02e0 .text C:\Windows\system32\atieclxx.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076d61760 5 bytes JMP 0000000076ec0410 .text C:\Windows\system32\atieclxx.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076d61790 5 bytes JMP 0000000076ec02d0 .text C:\Windows\system32\atieclxx.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076d617b0 5 bytes JMP 0000000076ec0310 .text C:\Windows\system32\atieclxx.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076d617f0 5 bytes JMP 0000000076ec0390 .text C:\Windows\system32\atieclxx.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076d61840 5 bytes JMP 0000000076ec03c0 .text C:\Windows\system32\atieclxx.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076d619a0 1 byte JMP 0000000076ec0230 .text C:\Windows\system32\atieclxx.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076d619a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\atieclxx.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076d61b60 5 bytes JMP 0000000076ec0460 .text C:\Windows\system32\atieclxx.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076d61b90 5 bytes JMP 0000000076ec0370 .text C:\Windows\system32\atieclxx.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076d61c70 5 bytes JMP 0000000076ec02f0 .text C:\Windows\system32\atieclxx.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076d61c80 5 bytes JMP 0000000076ec0350 .text C:\Windows\system32\atieclxx.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076d61ce0 5 bytes JMP 0000000076ec0290 .text C:\Windows\system32\atieclxx.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076d61d70 5 bytes JMP 0000000076ec02b0 .text C:\Windows\system32\atieclxx.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076d61d90 5 bytes JMP 0000000076ec03a0 .text C:\Windows\system32\atieclxx.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076d61da0 1 byte JMP 0000000076ec0330 .text C:\Windows\system32\atieclxx.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076d61da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\atieclxx.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076d61e10 5 bytes JMP 0000000076ec03e0 .text C:\Windows\system32\atieclxx.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076d61e40 5 bytes JMP 0000000076ec0240 .text C:\Windows\system32\atieclxx.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076d62100 5 bytes JMP 0000000076ec01e0 .text C:\Windows\system32\atieclxx.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076d621c0 1 byte JMP 0000000076ec0250 .text C:\Windows\system32\atieclxx.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076d621c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\atieclxx.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076d621f0 5 bytes JMP 0000000076ec0470 .text C:\Windows\system32\atieclxx.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076d62200 5 bytes JMP 0000000076ec0480 .text C:\Windows\system32\atieclxx.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076d62230 5 bytes JMP 0000000076ec0300 .text C:\Windows\system32\atieclxx.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076d62240 5 bytes JMP 0000000076ec0360 .text C:\Windows\system32\atieclxx.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076d622a0 5 bytes JMP 0000000076ec02a0 .text C:\Windows\system32\atieclxx.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076d622f0 5 bytes JMP 0000000076ec02c0 .text C:\Windows\system32\atieclxx.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076d62330 5 bytes JMP 0000000076ec0340 .text C:\Windows\system32\atieclxx.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076d62620 5 bytes JMP 0000000076ec0420 .text C:\Windows\system32\atieclxx.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076d62820 5 bytes JMP 0000000076ec0260 .text C:\Windows\system32\atieclxx.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076d62830 5 bytes JMP 0000000076ec0270 .text C:\Windows\system32\atieclxx.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076d62840 1 byte JMP 0000000076ec03d0 .text C:\Windows\system32\atieclxx.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000076d62842 3 bytes {JMP 0x15db90} .text C:\Windows\system32\atieclxx.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076d62a00 5 bytes JMP 0000000076ec01f0 .text C:\Windows\system32\atieclxx.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076d62a10 5 bytes JMP 0000000076ec0210 .text C:\Windows\system32\atieclxx.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076d62a80 5 bytes JMP 0000000076ec0200 .text C:\Windows\system32\atieclxx.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076d62ae0 5 bytes JMP 0000000076ec03f0 .text C:\Windows\system32\atieclxx.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076d62af0 5 bytes JMP 0000000076ec0400 .text C:\Windows\system32\atieclxx.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076d62b00 5 bytes JMP 0000000076ec0220 .text C:\Windows\system32\atieclxx.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076d62be0 5 bytes JMP 0000000076ec0280 .text C:\Windows\system32\svchost.exe[1652] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076d613c0 5 bytes JMP 0000000076ec0440 .text C:\Windows\system32\svchost.exe[1652] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076d61410 5 bytes JMP 0000000076ec0430 .text C:\Windows\system32\svchost.exe[1652] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076d615c0 1 byte JMP 0000000076ec0450 .text C:\Windows\system32\svchost.exe[1652] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 0000000076d615c2 3 bytes {JMP 0x15ee90} .text C:\Windows\system32\svchost.exe[1652] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076d615d0 5 bytes JMP 0000000076ec03b0 .text C:\Windows\system32\svchost.exe[1652] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076d61680 5 bytes JMP 0000000076ec0320 .text C:\Windows\system32\svchost.exe[1652] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076d616b0 5 bytes JMP 0000000076ec0380 .text C:\Windows\system32\svchost.exe[1652] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076d61710 5 bytes JMP 0000000076ec02e0 .text C:\Windows\system32\svchost.exe[1652] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076d61760 5 bytes JMP 0000000076ec0410 .text C:\Windows\system32\svchost.exe[1652] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076d61790 5 bytes JMP 0000000076ec02d0 .text C:\Windows\system32\svchost.exe[1652] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076d617b0 5 bytes JMP 0000000076ec0310 .text C:\Windows\system32\svchost.exe[1652] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076d617f0 5 bytes JMP 0000000076ec0390 .text C:\Windows\system32\svchost.exe[1652] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076d61840 5 bytes JMP 0000000076ec03c0 .text C:\Windows\system32\svchost.exe[1652] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076d619a0 1 byte JMP 0000000076ec0230 .text C:\Windows\system32\svchost.exe[1652] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076d619a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\svchost.exe[1652] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076d61b60 5 bytes JMP 0000000076ec0460 .text C:\Windows\system32\svchost.exe[1652] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076d61b90 5 bytes JMP 0000000076ec0370 .text C:\Windows\system32\svchost.exe[1652] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076d61c70 5 bytes JMP 0000000076ec02f0 .text C:\Windows\system32\svchost.exe[1652] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076d61c80 5 bytes JMP 0000000076ec0350 .text C:\Windows\system32\svchost.exe[1652] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076d61ce0 5 bytes JMP 0000000076ec0290 .text C:\Windows\system32\svchost.exe[1652] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076d61d70 5 bytes JMP 0000000076ec02b0 .text C:\Windows\system32\svchost.exe[1652] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076d61d90 5 bytes JMP 0000000076ec03a0 .text C:\Windows\system32\svchost.exe[1652] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076d61da0 1 byte JMP 0000000076ec0330 .text C:\Windows\system32\svchost.exe[1652] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076d61da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\svchost.exe[1652] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076d61e10 5 bytes JMP 0000000076ec03e0 .text C:\Windows\system32\svchost.exe[1652] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076d61e40 5 bytes JMP 0000000076ec0240 .text C:\Windows\system32\svchost.exe[1652] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076d62100 5 bytes JMP 0000000076ec01e0 .text C:\Windows\system32\svchost.exe[1652] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076d621c0 1 byte JMP 0000000076ec0250 .text C:\Windows\system32\svchost.exe[1652] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076d621c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\svchost.exe[1652] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076d621f0 5 bytes JMP 0000000076ec0470 .text C:\Windows\system32\svchost.exe[1652] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076d62200 5 bytes JMP 0000000076ec0480 .text C:\Windows\system32\svchost.exe[1652] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076d62230 5 bytes JMP 0000000076ec0300 .text C:\Windows\system32\svchost.exe[1652] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076d62240 5 bytes JMP 0000000076ec0360 .text C:\Windows\system32\svchost.exe[1652] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076d622a0 5 bytes JMP 0000000076ec02a0 .text C:\Windows\system32\svchost.exe[1652] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076d622f0 5 bytes JMP 0000000076ec02c0 .text C:\Windows\system32\svchost.exe[1652] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076d62330 5 bytes JMP 0000000076ec0340 .text C:\Windows\system32\svchost.exe[1652] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076d62620 5 bytes JMP 0000000076ec0420 .text C:\Windows\system32\svchost.exe[1652] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076d62820 5 bytes JMP 0000000076ec0260 .text C:\Windows\system32\svchost.exe[1652] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076d62830 5 bytes JMP 0000000076ec0270 .text C:\Windows\system32\svchost.exe[1652] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076d62840 1 byte JMP 0000000076ec03d0 .text C:\Windows\system32\svchost.exe[1652] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000076d62842 3 bytes {JMP 0x15db90} .text C:\Windows\system32\svchost.exe[1652] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076d62a00 5 bytes JMP 0000000076ec01f0 .text C:\Windows\system32\svchost.exe[1652] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076d62a10 5 bytes JMP 0000000076ec0210 .text C:\Windows\system32\svchost.exe[1652] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076d62a80 5 bytes JMP 0000000076ec0200 .text C:\Windows\system32\svchost.exe[1652] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076d62ae0 5 bytes JMP 0000000076ec03f0 .text C:\Windows\system32\svchost.exe[1652] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076d62af0 5 bytes JMP 0000000076ec0400 .text C:\Windows\system32\svchost.exe[1652] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076d62b00 5 bytes JMP 0000000076ec0220 .text C:\Windows\system32\svchost.exe[1652] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076d62be0 5 bytes JMP 0000000076ec0280 .text C:\Windows\system32\svchost.exe[1652] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076aeeecd 1 byte [62] .text C:\Windows\System32\spoolsv.exe[1860] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076d613c0 5 bytes JMP 0000000076ec0440 .text C:\Windows\System32\spoolsv.exe[1860] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076d61410 5 bytes JMP 0000000076ec0430 .text C:\Windows\System32\spoolsv.exe[1860] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076d615c0 1 byte JMP 0000000076ec0450 .text C:\Windows\System32\spoolsv.exe[1860] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 0000000076d615c2 3 bytes {JMP 0x15ee90} .text C:\Windows\System32\spoolsv.exe[1860] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076d615d0 5 bytes JMP 0000000076ec03b0 .text C:\Windows\System32\spoolsv.exe[1860] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076d61680 5 bytes JMP 0000000076ec0320 .text C:\Windows\System32\spoolsv.exe[1860] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076d616b0 5 bytes JMP 0000000076ec0380 .text C:\Windows\System32\spoolsv.exe[1860] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076d61710 5 bytes JMP 0000000076ec02e0 .text C:\Windows\System32\spoolsv.exe[1860] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076d61760 5 bytes JMP 0000000076ec0410 .text C:\Windows\System32\spoolsv.exe[1860] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076d61790 5 bytes JMP 0000000076ec02d0 .text C:\Windows\System32\spoolsv.exe[1860] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076d617b0 5 bytes JMP 0000000076ec0310 .text C:\Windows\System32\spoolsv.exe[1860] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076d617f0 5 bytes JMP 0000000076ec0390 .text C:\Windows\System32\spoolsv.exe[1860] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076d61840 5 bytes JMP 0000000076ec03c0 .text C:\Windows\System32\spoolsv.exe[1860] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076d619a0 1 byte JMP 0000000076ec0230 .text C:\Windows\System32\spoolsv.exe[1860] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076d619a2 3 bytes {JMP 0x15e890} .text C:\Windows\System32\spoolsv.exe[1860] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076d61b60 5 bytes JMP 0000000076ec0460 .text C:\Windows\System32\spoolsv.exe[1860] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076d61b90 5 bytes JMP 0000000076ec0370 .text C:\Windows\System32\spoolsv.exe[1860] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076d61c70 5 bytes JMP 0000000076ec02f0 .text C:\Windows\System32\spoolsv.exe[1860] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076d61c80 5 bytes JMP 0000000076ec0350 .text C:\Windows\System32\spoolsv.exe[1860] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076d61ce0 5 bytes JMP 0000000076ec0290 .text C:\Windows\System32\spoolsv.exe[1860] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076d61d70 5 bytes JMP 0000000076ec02b0 .text C:\Windows\System32\spoolsv.exe[1860] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076d61d90 5 bytes JMP 0000000076ec03a0 .text C:\Windows\System32\spoolsv.exe[1860] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076d61da0 1 byte JMP 0000000076ec0330 .text C:\Windows\System32\spoolsv.exe[1860] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076d61da2 3 bytes {JMP 0x15e590} .text C:\Windows\System32\spoolsv.exe[1860] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076d61e10 5 bytes JMP 0000000076ec03e0 .text C:\Windows\System32\spoolsv.exe[1860] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076d61e40 5 bytes JMP 0000000076ec0240 .text C:\Windows\System32\spoolsv.exe[1860] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076d62100 5 bytes JMP 0000000076ec01e0 .text C:\Windows\System32\spoolsv.exe[1860] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076d621c0 1 byte JMP 0000000076ec0250 .text C:\Windows\System32\spoolsv.exe[1860] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076d621c2 3 bytes {JMP 0x15e090} .text C:\Windows\System32\spoolsv.exe[1860] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076d621f0 5 bytes JMP 0000000076ec0470 .text C:\Windows\System32\spoolsv.exe[1860] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076d62200 5 bytes JMP 0000000076ec0480 .text C:\Windows\System32\spoolsv.exe[1860] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076d62230 5 bytes JMP 0000000076ec0300 .text C:\Windows\System32\spoolsv.exe[1860] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076d62240 5 bytes JMP 0000000076ec0360 .text C:\Windows\System32\spoolsv.exe[1860] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076d622a0 5 bytes JMP 0000000076ec02a0 .text C:\Windows\System32\spoolsv.exe[1860] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076d622f0 5 bytes JMP 0000000076ec02c0 .text C:\Windows\System32\spoolsv.exe[1860] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076d62330 5 bytes JMP 0000000076ec0340 .text C:\Windows\System32\spoolsv.exe[1860] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076d62620 5 bytes JMP 0000000076ec0420 .text C:\Windows\System32\spoolsv.exe[1860] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076d62820 5 bytes JMP 0000000076ec0260 .text C:\Windows\System32\spoolsv.exe[1860] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076d62830 5 bytes JMP 0000000076ec0270 .text C:\Windows\System32\spoolsv.exe[1860] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076d62840 1 byte JMP 0000000076ec03d0 .text C:\Windows\System32\spoolsv.exe[1860] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000076d62842 3 bytes {JMP 0x15db90} .text C:\Windows\System32\spoolsv.exe[1860] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076d62a00 5 bytes JMP 0000000076ec01f0 .text C:\Windows\System32\spoolsv.exe[1860] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076d62a10 5 bytes JMP 0000000076ec0210 .text C:\Windows\System32\spoolsv.exe[1860] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076d62a80 5 bytes JMP 0000000076ec0200 .text C:\Windows\System32\spoolsv.exe[1860] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076d62ae0 5 bytes JMP 0000000076ec03f0 .text C:\Windows\System32\spoolsv.exe[1860] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076d62af0 5 bytes JMP 0000000076ec0400 .text C:\Windows\System32\spoolsv.exe[1860] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076d62b00 5 bytes JMP 0000000076ec0220 .text C:\Windows\System32\spoolsv.exe[1860] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076d62be0 5 bytes JMP 0000000076ec0280 .text C:\Windows\System32\spoolsv.exe[1860] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076aeeecd 1 byte [62] .text C:\Windows\system32\svchost.exe[1940] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076d613c0 5 bytes JMP 0000000076ec0440 .text C:\Windows\system32\svchost.exe[1940] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076d61410 5 bytes JMP 0000000076ec0430 .text C:\Windows\system32\svchost.exe[1940] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076d615c0 1 byte JMP 0000000076ec0450 .text C:\Windows\system32\svchost.exe[1940] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 0000000076d615c2 3 bytes {JMP 0x15ee90} .text C:\Windows\system32\svchost.exe[1940] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076d615d0 5 bytes JMP 0000000076ec03b0 .text C:\Windows\system32\svchost.exe[1940] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076d61680 5 bytes JMP 0000000076ec0320 .text C:\Windows\system32\svchost.exe[1940] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076d616b0 5 bytes JMP 0000000076ec0380 .text C:\Windows\system32\svchost.exe[1940] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076d61710 5 bytes JMP 0000000076ec02e0 .text C:\Windows\system32\svchost.exe[1940] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076d61760 5 bytes JMP 0000000076ec0410 .text C:\Windows\system32\svchost.exe[1940] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076d61790 5 bytes JMP 0000000076ec02d0 .text C:\Windows\system32\svchost.exe[1940] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076d617b0 5 bytes JMP 0000000076ec0310 .text C:\Windows\system32\svchost.exe[1940] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076d617f0 5 bytes JMP 0000000076ec0390 .text C:\Windows\system32\svchost.exe[1940] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076d61840 5 bytes JMP 0000000076ec03c0 .text C:\Windows\system32\svchost.exe[1940] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076d619a0 1 byte JMP 0000000076ec0230 .text C:\Windows\system32\svchost.exe[1940] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076d619a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\svchost.exe[1940] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076d61b60 5 bytes JMP 0000000076ec0460 .text C:\Windows\system32\svchost.exe[1940] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076d61b90 5 bytes JMP 0000000076ec0370 .text C:\Windows\system32\svchost.exe[1940] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076d61c70 5 bytes JMP 0000000076ec02f0 .text C:\Windows\system32\svchost.exe[1940] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076d61c80 5 bytes JMP 0000000076ec0350 .text C:\Windows\system32\svchost.exe[1940] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076d61ce0 5 bytes JMP 0000000076ec0290 .text C:\Windows\system32\svchost.exe[1940] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076d61d70 5 bytes JMP 0000000076ec02b0 .text C:\Windows\system32\svchost.exe[1940] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076d61d90 5 bytes JMP 0000000076ec03a0 .text C:\Windows\system32\svchost.exe[1940] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076d61da0 1 byte JMP 0000000076ec0330 .text C:\Windows\system32\svchost.exe[1940] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076d61da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\svchost.exe[1940] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076d61e10 5 bytes JMP 0000000076ec03e0 .text C:\Windows\system32\svchost.exe[1940] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076d61e40 5 bytes JMP 0000000076ec0240 .text C:\Windows\system32\svchost.exe[1940] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076d62100 5 bytes JMP 0000000076ec01e0 .text C:\Windows\system32\svchost.exe[1940] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076d621c0 1 byte JMP 0000000076ec0250 .text C:\Windows\system32\svchost.exe[1940] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076d621c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\svchost.exe[1940] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076d621f0 5 bytes JMP 0000000076ec0470 .text C:\Windows\system32\svchost.exe[1940] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076d62200 5 bytes JMP 0000000076ec0480 .text C:\Windows\system32\svchost.exe[1940] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076d62230 5 bytes JMP 0000000076ec0300 .text C:\Windows\system32\svchost.exe[1940] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076d62240 5 bytes JMP 0000000076ec0360 .text C:\Windows\system32\svchost.exe[1940] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076d622a0 5 bytes JMP 0000000076ec02a0 .text C:\Windows\system32\svchost.exe[1940] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076d622f0 5 bytes JMP 0000000076ec02c0 .text C:\Windows\system32\svchost.exe[1940] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076d62330 5 bytes JMP 0000000076ec0340 .text C:\Windows\system32\svchost.exe[1940] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076d62620 5 bytes JMP 0000000076ec0420 .text C:\Windows\system32\svchost.exe[1940] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076d62820 5 bytes JMP 0000000076ec0260 .text C:\Windows\system32\svchost.exe[1940] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076d62830 5 bytes JMP 0000000076ec0270 .text C:\Windows\system32\svchost.exe[1940] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076d62840 1 byte JMP 0000000076ec03d0 .text C:\Windows\system32\svchost.exe[1940] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000076d62842 3 bytes {JMP 0x15db90} .text C:\Windows\system32\svchost.exe[1940] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076d62a00 5 bytes JMP 0000000076ec01f0 .text C:\Windows\system32\svchost.exe[1940] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076d62a10 5 bytes JMP 0000000076ec0210 .text C:\Windows\system32\svchost.exe[1940] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076d62a80 5 bytes JMP 0000000076ec0200 .text C:\Windows\system32\svchost.exe[1940] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076d62ae0 5 bytes JMP 0000000076ec03f0 .text C:\Windows\system32\svchost.exe[1940] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076d62af0 5 bytes JMP 0000000076ec0400 .text C:\Windows\system32\svchost.exe[1940] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076d62b00 5 bytes JMP 0000000076ec0220 .text C:\Windows\system32\svchost.exe[1940] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076d62be0 5 bytes JMP 0000000076ec0280 .text C:\Windows\system32\svchost.exe[1940] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076aeeecd 1 byte [62] .text C:\Windows\system32\svchost.exe[1968] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076d613c0 5 bytes JMP 0000000076ec0440 .text C:\Windows\system32\svchost.exe[1968] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076d61410 5 bytes JMP 0000000076ec0430 .text C:\Windows\system32\svchost.exe[1968] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076d615c0 1 byte JMP 0000000076ec0450 .text C:\Windows\system32\svchost.exe[1968] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 0000000076d615c2 3 bytes {JMP 0x15ee90} .text C:\Windows\system32\svchost.exe[1968] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076d615d0 5 bytes JMP 0000000076ec03b0 .text C:\Windows\system32\svchost.exe[1968] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076d61680 5 bytes JMP 0000000076ec0320 .text C:\Windows\system32\svchost.exe[1968] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076d616b0 5 bytes JMP 0000000076ec0380 .text C:\Windows\system32\svchost.exe[1968] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076d61710 5 bytes JMP 0000000076ec02e0 .text C:\Windows\system32\svchost.exe[1968] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076d61760 5 bytes JMP 0000000076ec0410 .text C:\Windows\system32\svchost.exe[1968] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076d61790 5 bytes JMP 0000000076ec02d0 .text C:\Windows\system32\svchost.exe[1968] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076d617b0 5 bytes JMP 0000000076ec0310 .text C:\Windows\system32\svchost.exe[1968] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076d617f0 5 bytes JMP 0000000076ec0390 .text C:\Windows\system32\svchost.exe[1968] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076d61840 5 bytes JMP 0000000076ec03c0 .text C:\Windows\system32\svchost.exe[1968] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076d619a0 1 byte JMP 0000000076ec0230 .text C:\Windows\system32\svchost.exe[1968] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076d619a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\svchost.exe[1968] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076d61b60 5 bytes JMP 0000000076ec0460 .text C:\Windows\system32\svchost.exe[1968] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076d61b90 5 bytes JMP 0000000076ec0370 .text C:\Windows\system32\svchost.exe[1968] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076d61c70 5 bytes JMP 0000000076ec02f0 .text C:\Windows\system32\svchost.exe[1968] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076d61c80 5 bytes JMP 0000000076ec0350 .text C:\Windows\system32\svchost.exe[1968] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076d61ce0 5 bytes JMP 0000000076ec0290 .text C:\Windows\system32\svchost.exe[1968] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076d61d70 5 bytes JMP 0000000076ec02b0 .text C:\Windows\system32\svchost.exe[1968] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076d61d90 5 bytes JMP 0000000076ec03a0 .text C:\Windows\system32\svchost.exe[1968] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076d61da0 1 byte JMP 0000000076ec0330 .text C:\Windows\system32\svchost.exe[1968] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076d61da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\svchost.exe[1968] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076d61e10 5 bytes JMP 0000000076ec03e0 .text C:\Windows\system32\svchost.exe[1968] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076d61e40 5 bytes JMP 0000000076ec0240 .text C:\Windows\system32\svchost.exe[1968] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076d62100 5 bytes JMP 0000000076ec01e0 .text C:\Windows\system32\svchost.exe[1968] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076d621c0 1 byte JMP 0000000076ec0250 .text C:\Windows\system32\svchost.exe[1968] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076d621c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\svchost.exe[1968] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076d621f0 5 bytes JMP 0000000076ec0470 .text C:\Windows\system32\svchost.exe[1968] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076d62200 5 bytes JMP 0000000076ec0480 .text C:\Windows\system32\svchost.exe[1968] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076d62230 5 bytes JMP 0000000076ec0300 .text C:\Windows\system32\svchost.exe[1968] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076d62240 5 bytes JMP 0000000076ec0360 .text C:\Windows\system32\svchost.exe[1968] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076d622a0 5 bytes JMP 0000000076ec02a0 .text C:\Windows\system32\svchost.exe[1968] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076d622f0 5 bytes JMP 0000000076ec02c0 .text C:\Windows\system32\svchost.exe[1968] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076d62330 5 bytes JMP 0000000076ec0340 .text C:\Windows\system32\svchost.exe[1968] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076d62620 5 bytes JMP 0000000076ec0420 .text C:\Windows\system32\svchost.exe[1968] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076d62820 5 bytes JMP 0000000076ec0260 .text C:\Windows\system32\svchost.exe[1968] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076d62830 5 bytes JMP 0000000076ec0270 .text C:\Windows\system32\svchost.exe[1968] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076d62840 1 byte JMP 0000000076ec03d0 .text C:\Windows\system32\svchost.exe[1968] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000076d62842 3 bytes {JMP 0x15db90} .text C:\Windows\system32\svchost.exe[1968] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076d62a00 5 bytes JMP 0000000076ec01f0 .text C:\Windows\system32\svchost.exe[1968] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076d62a10 5 bytes JMP 0000000076ec0210 .text C:\Windows\system32\svchost.exe[1968] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076d62a80 5 bytes JMP 0000000076ec0200 .text C:\Windows\system32\svchost.exe[1968] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076d62ae0 5 bytes JMP 0000000076ec03f0 .text C:\Windows\system32\svchost.exe[1968] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076d62af0 5 bytes JMP 0000000076ec0400 .text C:\Windows\system32\svchost.exe[1968] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076d62b00 5 bytes JMP 0000000076ec0220 .text C:\Windows\system32\svchost.exe[1968] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076d62be0 5 bytes JMP 0000000076ec0280 .text C:\Windows\system32\svchost.exe[1968] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076aeeecd 1 byte [62] .text C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe[1324] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 00000000762ea30a 1 byte [62] .text C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe[1324] C:\Windows\syswow64\psapi.dll!GetModuleFileNameExW + 17 0000000075ae1401 2 bytes [AE, 75] .text C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe[1324] C:\Windows\syswow64\psapi.dll!EnumProcessModules + 17 0000000075ae1419 2 bytes [AE, 75] .text C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe[1324] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 17 0000000075ae1431 2 bytes [AE, 75] .text C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe[1324] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 42 0000000075ae144a 2 bytes [AE, 75] .text ... * 9 .text C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe[1324] C:\Windows\syswow64\psapi.dll!EnumDeviceDrivers + 17 0000000075ae14dd 2 bytes [AE, 75] .text C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe[1324] C:\Windows\syswow64\psapi.dll!GetDeviceDriverBaseNameA + 17 0000000075ae14f5 2 bytes [AE, 75] .text C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe[1324] C:\Windows\syswow64\psapi.dll!QueryWorkingSetEx + 17 0000000075ae150d 2 bytes [AE, 75] .text C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe[1324] C:\Windows\syswow64\psapi.dll!GetDeviceDriverBaseNameW + 17 0000000075ae1525 2 bytes [AE, 75] .text C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe[1324] C:\Windows\syswow64\psapi.dll!GetModuleBaseNameW + 17 0000000075ae153d 2 bytes [AE, 75] .text C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe[1324] C:\Windows\syswow64\psapi.dll!EnumProcesses + 17 0000000075ae1555 2 bytes [AE, 75] .text C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe[1324] C:\Windows\syswow64\psapi.dll!GetProcessMemoryInfo + 17 0000000075ae156d 2 bytes [AE, 75] .text C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe[1324] C:\Windows\syswow64\psapi.dll!GetPerformanceInfo + 17 0000000075ae1585 2 bytes [AE, 75] .text C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe[1324] C:\Windows\syswow64\psapi.dll!QueryWorkingSet + 17 0000000075ae159d 2 bytes [AE, 75] .text C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe[1324] C:\Windows\syswow64\psapi.dll!GetModuleBaseNameA + 17 0000000075ae15b5 2 bytes [AE, 75] .text C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe[1324] C:\Windows\syswow64\psapi.dll!GetModuleFileNameExA + 17 0000000075ae15cd 2 bytes [AE, 75] .text C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe[1324] C:\Windows\syswow64\psapi.dll!GetProcessImageFileNameW + 20 0000000075ae16b2 2 bytes [AE, 75] .text C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe[1324] C:\Windows\syswow64\psapi.dll!GetProcessImageFileNameW + 31 0000000075ae16bd 2 bytes [AE, 75] .text C:\Windows\system32\taskhost.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076d613c0 5 bytes JMP 0000000076ec0440 .text C:\Windows\system32\taskhost.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076d61410 5 bytes JMP 0000000076ec0430 .text C:\Windows\system32\taskhost.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076d615c0 1 byte JMP 0000000076ec0450 .text C:\Windows\system32\taskhost.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 0000000076d615c2 3 bytes {JMP 0x15ee90} .text C:\Windows\system32\taskhost.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076d615d0 5 bytes JMP 0000000076ec03b0 .text C:\Windows\system32\taskhost.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076d61680 5 bytes JMP 0000000076ec0320 .text C:\Windows\system32\taskhost.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076d616b0 5 bytes JMP 0000000076ec0380 .text C:\Windows\system32\taskhost.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076d61710 5 bytes JMP 0000000076ec02e0 .text C:\Windows\system32\taskhost.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076d61760 5 bytes JMP 0000000076ec0410 .text C:\Windows\system32\taskhost.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076d61790 5 bytes JMP 0000000076ec02d0 .text C:\Windows\system32\taskhost.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076d617b0 5 bytes JMP 0000000076ec0310 .text C:\Windows\system32\taskhost.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076d617f0 5 bytes JMP 0000000076ec0390 .text C:\Windows\system32\taskhost.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076d61840 5 bytes JMP 0000000076ec03c0 .text C:\Windows\system32\taskhost.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076d619a0 1 byte JMP 0000000076ec0230 .text C:\Windows\system32\taskhost.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076d619a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\taskhost.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076d61b60 5 bytes JMP 0000000076ec0460 .text C:\Windows\system32\taskhost.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076d61b90 5 bytes JMP 0000000076ec0370 .text C:\Windows\system32\taskhost.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076d61c70 5 bytes JMP 0000000076ec02f0 .text C:\Windows\system32\taskhost.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076d61c80 5 bytes JMP 0000000076ec0350 .text C:\Windows\system32\taskhost.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076d61ce0 5 bytes JMP 0000000076ec0290 .text C:\Windows\system32\taskhost.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076d61d70 5 bytes JMP 0000000076ec02b0 .text C:\Windows\system32\taskhost.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076d61d90 5 bytes JMP 0000000076ec03a0 .text C:\Windows\system32\taskhost.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076d61da0 1 byte JMP 0000000076ec0330 .text C:\Windows\system32\taskhost.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076d61da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\taskhost.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076d61e10 5 bytes JMP 0000000076ec03e0 .text C:\Windows\system32\taskhost.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076d61e40 5 bytes JMP 0000000076ec0240 .text C:\Windows\system32\taskhost.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076d62100 5 bytes JMP 0000000076ec01e0 .text C:\Windows\system32\taskhost.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076d621c0 1 byte JMP 0000000076ec0250 .text C:\Windows\system32\taskhost.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076d621c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\taskhost.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076d621f0 5 bytes JMP 0000000076ec0470 .text C:\Windows\system32\taskhost.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076d62200 5 bytes JMP 0000000076ec0480 .text C:\Windows\system32\taskhost.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076d62230 5 bytes JMP 0000000076ec0300 .text C:\Windows\system32\taskhost.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076d62240 5 bytes JMP 0000000076ec0360 .text C:\Windows\system32\taskhost.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076d622a0 5 bytes JMP 0000000076ec02a0 .text C:\Windows\system32\taskhost.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076d622f0 5 bytes JMP 0000000076ec02c0 .text C:\Windows\system32\taskhost.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076d62330 5 bytes JMP 0000000076ec0340 .text C:\Windows\system32\taskhost.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076d62620 5 bytes JMP 0000000076ec0420 .text C:\Windows\system32\taskhost.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076d62820 5 bytes JMP 0000000076ec0260 .text C:\Windows\system32\taskhost.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076d62830 5 bytes JMP 0000000076ec0270 .text C:\Windows\system32\taskhost.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076d62840 1 byte JMP 0000000076ec03d0 .text C:\Windows\system32\taskhost.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000076d62842 3 bytes {JMP 0x15db90} .text C:\Windows\system32\taskhost.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076d62a00 5 bytes JMP 0000000076ec01f0 .text C:\Windows\system32\taskhost.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076d62a10 5 bytes JMP 0000000076ec0210 .text C:\Windows\system32\taskhost.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076d62a80 5 bytes JMP 0000000076ec0200 .text C:\Windows\system32\taskhost.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076d62ae0 5 bytes JMP 0000000076ec03f0 .text C:\Windows\system32\taskhost.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076d62af0 5 bytes JMP 0000000076ec0400 .text C:\Windows\system32\taskhost.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076d62b00 5 bytes JMP 0000000076ec0220 .text C:\Windows\system32\taskhost.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076d62be0 5 bytes JMP 0000000076ec0280 .text C:\Windows\system32\taskhost.exe[1340] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076aeeecd 1 byte [62] .text C:\Program Files (x86)\HP SimplePass 2011\TouchControl.exe[2172] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000762ea30a 1 byte [62] .text C:\Program Files (x86)\HP SimplePass 2011\TouchControl.exe[2172] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000075ae1401 2 bytes [AE, 75] .text C:\Program Files (x86)\HP SimplePass 2011\TouchControl.exe[2172] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000075ae1419 2 bytes [AE, 75] .text C:\Program Files (x86)\HP SimplePass 2011\TouchControl.exe[2172] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000075ae1431 2 bytes [AE, 75] .text C:\Program Files (x86)\HP SimplePass 2011\TouchControl.exe[2172] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000075ae144a 2 bytes [AE, 75] .text ... * 9 .text C:\Program Files (x86)\HP SimplePass 2011\TouchControl.exe[2172] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000075ae14dd 2 bytes [AE, 75] .text C:\Program Files (x86)\HP SimplePass 2011\TouchControl.exe[2172] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000075ae14f5 2 bytes [AE, 75] .text C:\Program Files (x86)\HP SimplePass 2011\TouchControl.exe[2172] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000075ae150d 2 bytes [AE, 75] .text C:\Program Files (x86)\HP SimplePass 2011\TouchControl.exe[2172] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000075ae1525 2 bytes [AE, 75] .text C:\Program Files (x86)\HP SimplePass 2011\TouchControl.exe[2172] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000075ae153d 2 bytes [AE, 75] .text C:\Program Files (x86)\HP SimplePass 2011\TouchControl.exe[2172] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000075ae1555 2 bytes [AE, 75] .text C:\Program Files (x86)\HP SimplePass 2011\TouchControl.exe[2172] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000075ae156d 2 bytes [AE, 75] .text C:\Program Files (x86)\HP SimplePass 2011\TouchControl.exe[2172] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000075ae1585 2 bytes [AE, 75] .text C:\Program Files (x86)\HP SimplePass 2011\TouchControl.exe[2172] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000075ae159d 2 bytes [AE, 75] .text C:\Program Files (x86)\HP SimplePass 2011\TouchControl.exe[2172] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000075ae15b5 2 bytes [AE, 75] .text C:\Program Files (x86)\HP SimplePass 2011\TouchControl.exe[2172] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000075ae15cd 2 bytes [AE, 75] .text C:\Program Files (x86)\HP SimplePass 2011\TouchControl.exe[2172] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000075ae16b2 2 bytes [AE, 75] .text C:\Program Files (x86)\HP SimplePass 2011\TouchControl.exe[2172] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000075ae16bd 2 bytes [AE, 75] .text C:\Windows\Explorer.EXE[2224] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076d613c0 5 bytes JMP 0000000076ec0440 .text C:\Windows\Explorer.EXE[2224] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076d61410 5 bytes JMP 0000000076ec0430 .text C:\Windows\Explorer.EXE[2224] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076d615c0 1 byte JMP 0000000076ec0450 .text C:\Windows\Explorer.EXE[2224] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 0000000076d615c2 3 bytes {JMP 0x15ee90} .text C:\Windows\Explorer.EXE[2224] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076d615d0 5 bytes JMP 0000000076ec03b0 .text C:\Windows\Explorer.EXE[2224] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076d61680 5 bytes JMP 0000000076ec0320 .text C:\Windows\Explorer.EXE[2224] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076d616b0 5 bytes JMP 0000000076ec0380 .text C:\Windows\Explorer.EXE[2224] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076d61710 5 bytes JMP 0000000076ec02e0 .text C:\Windows\Explorer.EXE[2224] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076d61760 5 bytes JMP 0000000076ec0410 .text C:\Windows\Explorer.EXE[2224] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076d61790 5 bytes JMP 0000000076ec02d0 .text C:\Windows\Explorer.EXE[2224] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076d617b0 5 bytes JMP 0000000076ec0310 .text C:\Windows\Explorer.EXE[2224] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076d617f0 5 bytes JMP 0000000076ec0390 .text C:\Windows\Explorer.EXE[2224] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076d61840 5 bytes JMP 0000000076ec03c0 .text C:\Windows\Explorer.EXE[2224] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076d619a0 1 byte JMP 0000000076ec0230 .text C:\Windows\Explorer.EXE[2224] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076d619a2 3 bytes {JMP 0x15e890} .text C:\Windows\Explorer.EXE[2224] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076d61b60 5 bytes JMP 0000000076ec0460 .text C:\Windows\Explorer.EXE[2224] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076d61b90 5 bytes JMP 0000000076ec0370 .text C:\Windows\Explorer.EXE[2224] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076d61c70 5 bytes JMP 0000000076ec02f0 .text C:\Windows\Explorer.EXE[2224] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076d61c80 5 bytes JMP 0000000076ec0350 .text C:\Windows\Explorer.EXE[2224] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076d61ce0 5 bytes JMP 0000000076ec0290 .text C:\Windows\Explorer.EXE[2224] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076d61d70 5 bytes JMP 0000000076ec02b0 .text C:\Windows\Explorer.EXE[2224] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076d61d90 5 bytes JMP 0000000076ec03a0 .text C:\Windows\Explorer.EXE[2224] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076d61da0 1 byte JMP 0000000076ec0330 .text C:\Windows\Explorer.EXE[2224] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076d61da2 3 bytes {JMP 0x15e590} .text C:\Windows\Explorer.EXE[2224] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076d61e10 5 bytes JMP 0000000076ec03e0 .text C:\Windows\Explorer.EXE[2224] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076d61e40 5 bytes JMP 0000000076ec0240 .text C:\Windows\Explorer.EXE[2224] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076d62100 5 bytes JMP 0000000076ec01e0 .text C:\Windows\Explorer.EXE[2224] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076d621c0 1 byte JMP 0000000076ec0250 .text C:\Windows\Explorer.EXE[2224] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076d621c2 3 bytes {JMP 0x15e090} .text C:\Windows\Explorer.EXE[2224] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076d621f0 5 bytes JMP 0000000076ec0470 .text C:\Windows\Explorer.EXE[2224] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076d62200 5 bytes JMP 0000000076ec0480 .text C:\Windows\Explorer.EXE[2224] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076d62230 5 bytes JMP 0000000076ec0300 .text C:\Windows\Explorer.EXE[2224] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076d62240 5 bytes JMP 0000000076ec0360 .text C:\Windows\Explorer.EXE[2224] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076d622a0 5 bytes JMP 0000000076ec02a0 .text C:\Windows\Explorer.EXE[2224] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076d622f0 5 bytes JMP 0000000076ec02c0 .text C:\Windows\Explorer.EXE[2224] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076d62330 5 bytes JMP 0000000076ec0340 .text C:\Windows\Explorer.EXE[2224] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076d62620 5 bytes JMP 0000000076ec0420 .text C:\Windows\Explorer.EXE[2224] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076d62820 5 bytes JMP 0000000076ec0260 .text C:\Windows\Explorer.EXE[2224] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076d62830 5 bytes JMP 0000000076ec0270 .text C:\Windows\Explorer.EXE[2224] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076d62840 1 byte JMP 0000000076ec03d0 .text C:\Windows\Explorer.EXE[2224] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000076d62842 3 bytes {JMP 0x15db90} .text C:\Windows\Explorer.EXE[2224] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076d62a00 5 bytes JMP 0000000076ec01f0 .text C:\Windows\Explorer.EXE[2224] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076d62a10 5 bytes JMP 0000000076ec0210 .text C:\Windows\Explorer.EXE[2224] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076d62a80 5 bytes JMP 0000000076ec0200 .text C:\Windows\Explorer.EXE[2224] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076d62ae0 5 bytes JMP 0000000076ec03f0 .text C:\Windows\Explorer.EXE[2224] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076d62af0 5 bytes JMP 0000000076ec0400 .text C:\Windows\Explorer.EXE[2224] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076d62b00 5 bytes JMP 0000000076ec0220 .text C:\Windows\Explorer.EXE[2224] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076d62be0 5 bytes JMP 0000000076ec0280 .text C:\Windows\Explorer.EXE[2224] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076aeeecd 1 byte [62] .text C:\Program Files (x86)\HP SimplePass 2011\BioMonitor.exe[2356] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000762ea30a 1 byte [62] .text C:\Program Files\Topos\cFosSpeed\spd.exe[2496] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076aeeecd 1 byte [62] .text C:\Windows\system32\svchost.exe[2532] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076d613c0 5 bytes JMP 0000000076ec0440 .text C:\Windows\system32\svchost.exe[2532] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076d61410 5 bytes JMP 0000000076ec0430 .text C:\Windows\system32\svchost.exe[2532] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076d615c0 1 byte JMP 0000000076ec0450 .text C:\Windows\system32\svchost.exe[2532] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 0000000076d615c2 3 bytes {JMP 0x15ee90} .text C:\Windows\system32\svchost.exe[2532] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076d615d0 5 bytes JMP 0000000076ec03b0 .text C:\Windows\system32\svchost.exe[2532] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076d61680 5 bytes JMP 0000000076ec0320 .text C:\Windows\system32\svchost.exe[2532] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076d616b0 5 bytes JMP 0000000076ec0380 .text C:\Windows\system32\svchost.exe[2532] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076d61710 5 bytes JMP 0000000076ec02e0 .text C:\Windows\system32\svchost.exe[2532] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076d61760 5 bytes JMP 0000000076ec0410 .text C:\Windows\system32\svchost.exe[2532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076d61790 5 bytes JMP 0000000076ec02d0 .text C:\Windows\system32\svchost.exe[2532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076d617b0 5 bytes JMP 0000000076ec0310 .text C:\Windows\system32\svchost.exe[2532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076d617f0 5 bytes JMP 0000000076ec0390 .text C:\Windows\system32\svchost.exe[2532] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076d61840 5 bytes JMP 0000000076ec03c0 .text C:\Windows\system32\svchost.exe[2532] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076d619a0 1 byte JMP 0000000076ec0230 .text C:\Windows\system32\svchost.exe[2532] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076d619a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\svchost.exe[2532] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076d61b60 5 bytes JMP 0000000076ec0460 .text C:\Windows\system32\svchost.exe[2532] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076d61b90 5 bytes JMP 0000000076ec0370 .text C:\Windows\system32\svchost.exe[2532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076d61c70 5 bytes JMP 0000000076ec02f0 .text C:\Windows\system32\svchost.exe[2532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076d61c80 5 bytes JMP 0000000076ec0350 .text C:\Windows\system32\svchost.exe[2532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076d61ce0 5 bytes JMP 0000000076ec0290 .text C:\Windows\system32\svchost.exe[2532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076d61d70 5 bytes JMP 0000000076ec02b0 .text C:\Windows\system32\svchost.exe[2532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076d61d90 5 bytes JMP 0000000076ec03a0 .text C:\Windows\system32\svchost.exe[2532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076d61da0 1 byte JMP 0000000076ec0330 .text C:\Windows\system32\svchost.exe[2532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076d61da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\svchost.exe[2532] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076d61e10 5 bytes JMP 0000000076ec03e0 .text C:\Windows\system32\svchost.exe[2532] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076d61e40 5 bytes JMP 0000000076ec0240 .text C:\Windows\system32\svchost.exe[2532] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076d62100 5 bytes JMP 0000000076ec01e0 .text C:\Windows\system32\svchost.exe[2532] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076d621c0 1 byte JMP 0000000076ec0250 .text C:\Windows\system32\svchost.exe[2532] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076d621c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\svchost.exe[2532] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076d621f0 5 bytes JMP 0000000076ec0470 .text C:\Windows\system32\svchost.exe[2532] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076d62200 5 bytes JMP 0000000076ec0480 .text C:\Windows\system32\svchost.exe[2532] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076d62230 5 bytes JMP 0000000076ec0300 .text C:\Windows\system32\svchost.exe[2532] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076d62240 5 bytes JMP 0000000076ec0360 .text C:\Windows\system32\svchost.exe[2532] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076d622a0 5 bytes JMP 0000000076ec02a0 .text C:\Windows\system32\svchost.exe[2532] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076d622f0 5 bytes JMP 0000000076ec02c0 .text C:\Windows\system32\svchost.exe[2532] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076d62330 5 bytes JMP 0000000076ec0340 .text C:\Windows\system32\svchost.exe[2532] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076d62620 5 bytes JMP 0000000076ec0420 .text C:\Windows\system32\svchost.exe[2532] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076d62820 5 bytes JMP 0000000076ec0260 .text C:\Windows\system32\svchost.exe[2532] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076d62830 5 bytes JMP 0000000076ec0270 .text C:\Windows\system32\svchost.exe[2532] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076d62840 1 byte JMP 0000000076ec03d0 .text C:\Windows\system32\svchost.exe[2532] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000076d62842 3 bytes {JMP 0x15db90} .text C:\Windows\system32\svchost.exe[2532] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076d62a00 5 bytes JMP 0000000076ec01f0 .text C:\Windows\system32\svchost.exe[2532] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076d62a10 5 bytes JMP 0000000076ec0210 .text C:\Windows\system32\svchost.exe[2532] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076d62a80 5 bytes JMP 0000000076ec0200 .text C:\Windows\system32\svchost.exe[2532] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076d62ae0 5 bytes JMP 0000000076ec03f0 .text C:\Windows\system32\svchost.exe[2532] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076d62af0 5 bytes JMP 0000000076ec0400 .text C:\Windows\system32\svchost.exe[2532] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076d62b00 5 bytes JMP 0000000076ec0220 .text C:\Windows\system32\svchost.exe[2532] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076d62be0 5 bytes JMP 0000000076ec0280 .text C:\Windows\system32\svchost.exe[2532] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076aeeecd 1 byte [62] .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe[2580] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000762ea30a 1 byte [62] .text C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe[2648] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076d613c0 5 bytes JMP 0000000076ec0440 .text C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe[2648] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076d61410 5 bytes JMP 0000000076ec0430 .text C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe[2648] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076d615c0 1 byte JMP 0000000076ec0450 .text C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe[2648] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 0000000076d615c2 3 bytes {JMP 0x15ee90} .text C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe[2648] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076d615d0 5 bytes JMP 0000000076ec03b0 .text C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe[2648] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076d61680 5 bytes JMP 0000000076ec0320 .text C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe[2648] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076d616b0 5 bytes JMP 0000000076ec0380 .text C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe[2648] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076d61710 5 bytes JMP 0000000076ec02e0 .text C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe[2648] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076d61760 5 bytes JMP 0000000076ec0410 .text C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe[2648] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076d61790 5 bytes JMP 0000000076ec02d0 .text C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe[2648] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076d617b0 5 bytes JMP 0000000076ec0310 .text C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe[2648] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076d617f0 5 bytes JMP 0000000076ec0390 .text C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe[2648] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076d61840 5 bytes JMP 0000000076ec03c0 .text C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe[2648] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076d619a0 1 byte JMP 0000000076ec0230 .text C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe[2648] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076d619a2 3 bytes {JMP 0x15e890} .text C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe[2648] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076d61b60 5 bytes JMP 0000000076ec0460 .text C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe[2648] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076d61b90 5 bytes JMP 0000000076ec0370 .text C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe[2648] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076d61c70 5 bytes JMP 0000000076ec02f0 .text C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe[2648] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076d61c80 5 bytes JMP 0000000076ec0350 .text C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe[2648] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076d61ce0 5 bytes JMP 0000000076ec0290 .text C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe[2648] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076d61d70 5 bytes JMP 0000000076ec02b0 .text C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe[2648] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076d61d90 5 bytes JMP 0000000076ec03a0 .text C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe[2648] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076d61da0 1 byte JMP 0000000076ec0330 .text C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe[2648] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076d61da2 3 bytes {JMP 0x15e590} .text C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe[2648] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076d61e10 5 bytes JMP 0000000076ec03e0 .text C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe[2648] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076d61e40 5 bytes JMP 0000000076ec0240 .text C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe[2648] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076d62100 5 bytes JMP 0000000076ec01e0 .text C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe[2648] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076d621c0 1 byte JMP 0000000076ec0250 .text C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe[2648] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076d621c2 3 bytes {JMP 0x15e090} .text C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe[2648] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076d621f0 5 bytes JMP 0000000076ec0470 .text C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe[2648] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076d62200 5 bytes JMP 0000000076ec0480 .text C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe[2648] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076d62230 5 bytes JMP 0000000076ec0300 .text C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe[2648] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076d62240 5 bytes JMP 0000000076ec0360 .text C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe[2648] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076d622a0 5 bytes JMP 0000000076ec02a0 .text C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe[2648] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076d622f0 5 bytes JMP 0000000076ec02c0 .text C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe[2648] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076d62330 5 bytes JMP 0000000076ec0340 .text C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe[2648] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076d62620 5 bytes JMP 0000000076ec0420 .text C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe[2648] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076d62820 5 bytes JMP 0000000076ec0260 .text C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe[2648] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076d62830 5 bytes JMP 0000000076ec0270 .text C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe[2648] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076d62840 1 byte JMP 0000000076ec03d0 .text C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe[2648] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000076d62842 3 bytes {JMP 0x15db90} .text C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe[2648] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076d62a00 5 bytes JMP 0000000076ec01f0 .text C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe[2648] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076d62a10 5 bytes JMP 0000000076ec0210 .text C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe[2648] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076d62a80 5 bytes JMP 0000000076ec0200 .text C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe[2648] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076d62ae0 5 bytes JMP 0000000076ec03f0 .text C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe[2648] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076d62af0 5 bytes JMP 0000000076ec0400 .text C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe[2648] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076d62b00 5 bytes JMP 0000000076ec0220 .text C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe[2648] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076d62be0 5 bytes JMP 0000000076ec0280 .text C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe[2648] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076aeeecd 1 byte [62] .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[2684] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000762ea30a 1 byte [62] .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe[2740] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000762ea30a 1 byte [62] .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2800] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076d613c0 5 bytes JMP 0000000076ec0440 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2800] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076d61410 5 bytes JMP 0000000076ec0430 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2800] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076d615c0 1 byte JMP 0000000076ec0450 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2800] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 0000000076d615c2 3 bytes {JMP 0x15ee90} .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2800] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076d615d0 5 bytes JMP 0000000076ec03b0 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2800] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076d61680 5 bytes JMP 0000000076ec0320 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2800] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076d616b0 5 bytes JMP 0000000076ec0380 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2800] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076d61710 5 bytes JMP 0000000076ec02e0 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2800] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076d61760 5 bytes JMP 0000000076ec0410 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2800] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076d61790 5 bytes JMP 0000000076ec02d0 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2800] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076d617b0 5 bytes JMP 0000000076ec0310 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2800] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076d617f0 5 bytes JMP 0000000076ec0390 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2800] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076d61840 5 bytes JMP 0000000076ec03c0 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2800] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076d619a0 1 byte JMP 0000000076ec0230 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2800] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076d619a2 3 bytes {JMP 0x15e890} .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2800] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076d61b60 5 bytes JMP 0000000076ec0460 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2800] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076d61b90 5 bytes JMP 0000000076ec0370 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2800] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076d61c70 5 bytes JMP 0000000076ec02f0 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2800] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076d61c80 5 bytes JMP 0000000076ec0350 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2800] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076d61ce0 5 bytes JMP 0000000076ec0290 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2800] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076d61d70 5 bytes JMP 0000000076ec02b0 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2800] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076d61d90 5 bytes JMP 0000000076ec03a0 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2800] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076d61da0 1 byte JMP 0000000076ec0330 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2800] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076d61da2 3 bytes {JMP 0x15e590} .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2800] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076d61e10 5 bytes JMP 0000000076ec03e0 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2800] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076d61e40 5 bytes JMP 0000000076ec0240 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2800] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076d62100 5 bytes JMP 0000000076ec01e0 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2800] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076d621c0 1 byte JMP 0000000076ec0250 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2800] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076d621c2 3 bytes {JMP 0x15e090} .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2800] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076d621f0 5 bytes JMP 0000000076ec0470 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2800] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076d62200 5 bytes JMP 0000000076ec0480 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2800] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076d62230 5 bytes JMP 0000000076ec0300 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2800] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076d62240 5 bytes JMP 0000000076ec0360 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2800] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076d622a0 5 bytes JMP 0000000076ec02a0 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2800] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076d622f0 5 bytes JMP 0000000076ec02c0 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2800] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076d62330 5 bytes JMP 0000000076ec0340 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2800] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076d62620 5 bytes JMP 0000000076ec0420 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2800] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076d62820 5 bytes JMP 0000000076ec0260 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2800] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076d62830 5 bytes JMP 0000000076ec0270 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2800] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076d62840 1 byte JMP 0000000076ec03d0 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2800] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000076d62842 3 bytes {JMP 0x15db90} .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2800] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076d62a00 5 bytes JMP 0000000076ec01f0 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2800] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076d62a10 5 bytes JMP 0000000076ec0210 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2800] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076d62a80 5 bytes JMP 0000000076ec0200 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2800] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076d62ae0 5 bytes JMP 0000000076ec03f0 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2800] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076d62af0 5 bytes JMP 0000000076ec0400 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2800] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076d62b00 5 bytes JMP 0000000076ec0220 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2800] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076d62be0 5 bytes JMP 0000000076ec0280 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2800] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076aeeecd 1 byte [62] .text C:\Windows\system32\svchost.exe[2824] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076d613c0 5 bytes JMP 0000000076ec0440 .text C:\Windows\system32\svchost.exe[2824] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076d61410 5 bytes JMP 0000000076ec0430 .text C:\Windows\system32\svchost.exe[2824] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076d615c0 1 byte JMP 0000000076ec0450 .text C:\Windows\system32\svchost.exe[2824] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 0000000076d615c2 3 bytes {JMP 0x15ee90} .text C:\Windows\system32\svchost.exe[2824] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076d615d0 5 bytes JMP 0000000076ec03b0 .text C:\Windows\system32\svchost.exe[2824] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076d61680 5 bytes JMP 0000000076ec0320 .text C:\Windows\system32\svchost.exe[2824] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076d616b0 5 bytes JMP 0000000076ec0380 .text C:\Windows\system32\svchost.exe[2824] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076d61710 5 bytes JMP 0000000076ec02e0 .text C:\Windows\system32\svchost.exe[2824] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076d61760 5 bytes JMP 0000000076ec0410 .text C:\Windows\system32\svchost.exe[2824] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076d61790 5 bytes JMP 0000000076ec02d0 .text C:\Windows\system32\svchost.exe[2824] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076d617b0 5 bytes JMP 0000000076ec0310 .text C:\Windows\system32\svchost.exe[2824] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076d617f0 5 bytes JMP 0000000076ec0390 .text C:\Windows\system32\svchost.exe[2824] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076d61840 5 bytes JMP 0000000076ec03c0 .text C:\Windows\system32\svchost.exe[2824] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076d619a0 1 byte JMP 0000000076ec0230 .text C:\Windows\system32\svchost.exe[2824] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076d619a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\svchost.exe[2824] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076d61b60 5 bytes JMP 0000000076ec0460 .text C:\Windows\system32\svchost.exe[2824] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076d61b90 5 bytes JMP 0000000076ec0370 .text C:\Windows\system32\svchost.exe[2824] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076d61c70 5 bytes JMP 0000000076ec02f0 .text C:\Windows\system32\svchost.exe[2824] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076d61c80 5 bytes JMP 0000000076ec0350 .text C:\Windows\system32\svchost.exe[2824] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076d61ce0 5 bytes JMP 0000000076ec0290 .text C:\Windows\system32\svchost.exe[2824] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076d61d70 5 bytes JMP 0000000076ec02b0 .text C:\Windows\system32\svchost.exe[2824] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076d61d90 5 bytes JMP 0000000076ec03a0 .text C:\Windows\system32\svchost.exe[2824] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076d61da0 1 byte JMP 0000000076ec0330 .text C:\Windows\system32\svchost.exe[2824] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076d61da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\svchost.exe[2824] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076d61e10 5 bytes JMP 0000000076ec03e0 .text C:\Windows\system32\svchost.exe[2824] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076d61e40 5 bytes JMP 0000000076ec0240 .text C:\Windows\system32\svchost.exe[2824] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076d62100 5 bytes JMP 0000000076ec01e0 .text C:\Windows\system32\svchost.exe[2824] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076d621c0 1 byte JMP 0000000076ec0250 .text C:\Windows\system32\svchost.exe[2824] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076d621c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\svchost.exe[2824] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076d621f0 5 bytes JMP 0000000076ec0470 .text C:\Windows\system32\svchost.exe[2824] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076d62200 5 bytes JMP 0000000076ec0480 .text C:\Windows\system32\svchost.exe[2824] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076d62230 5 bytes JMP 0000000076ec0300 .text C:\Windows\system32\svchost.exe[2824] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076d62240 5 bytes JMP 0000000076ec0360 .text C:\Windows\system32\svchost.exe[2824] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076d622a0 5 bytes JMP 0000000076ec02a0 .text C:\Windows\system32\svchost.exe[2824] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076d622f0 5 bytes JMP 0000000076ec02c0 .text C:\Windows\system32\svchost.exe[2824] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076d62330 5 bytes JMP 0000000076ec0340 .text C:\Windows\system32\svchost.exe[2824] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076d62620 5 bytes JMP 0000000076ec0420 .text C:\Windows\system32\svchost.exe[2824] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076d62820 5 bytes JMP 0000000076ec0260 .text C:\Windows\system32\svchost.exe[2824] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076d62830 5 bytes JMP 0000000076ec0270 .text C:\Windows\system32\svchost.exe[2824] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076d62840 1 byte JMP 0000000076ec03d0 .text C:\Windows\system32\svchost.exe[2824] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000076d62842 3 bytes {JMP 0x15db90} .text C:\Windows\system32\svchost.exe[2824] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076d62a00 5 bytes JMP 0000000076ec01f0 .text C:\Windows\system32\svchost.exe[2824] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076d62a10 5 bytes JMP 0000000076ec0210 .text C:\Windows\system32\svchost.exe[2824] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076d62a80 5 bytes JMP 0000000076ec0200 .text C:\Windows\system32\svchost.exe[2824] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076d62ae0 5 bytes JMP 0000000076ec03f0 .text C:\Windows\system32\svchost.exe[2824] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076d62af0 5 bytes JMP 0000000076ec0400 .text C:\Windows\system32\svchost.exe[2824] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076d62b00 5 bytes JMP 0000000076ec0220 .text C:\Windows\system32\svchost.exe[2824] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076d62be0 5 bytes JMP 0000000076ec0280 .text C:\Windows\system32\svchost.exe[2824] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076aeeecd 1 byte [62] .text C:\Program Files (x86)\UGS\UGSLicensing\lmgrd.exe[2860] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000762ea30a 1 byte [62] .text C:\Program Files (x86)\UGS\UGSLicensing\lmgrd.exe[2948] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000762ea30a 1 byte [62] .text C:\Program Files (x86)\UGS\UGSLicensing\ugslmd.exe[1464] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000762ea30a 1 byte [62] .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[2904] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000762ea30a 1 byte [62] .text C:\Program Files\TortoiseSVN\bin\TSVNCache.exe[4088] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076d33ae0 5 bytes JMP 000000010015075c .text C:\Program Files\TortoiseSVN\bin\TSVNCache.exe[4088] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000076d37a90 5 bytes JMP 00000001001503a4 .text C:\Program Files\TortoiseSVN\bin\TSVNCache.exe[4088] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076d613c0 5 bytes JMP 0000000076ec0440 .text C:\Program Files\TortoiseSVN\bin\TSVNCache.exe[4088] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076d61410 5 bytes JMP 0000000076ec0430 .text C:\Program Files\TortoiseSVN\bin\TSVNCache.exe[4088] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000076d61490 5 bytes JMP 0000000100150b14 .text C:\Program Files\TortoiseSVN\bin\TSVNCache.exe[4088] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000076d614f0 5 bytes JMP 0000000100150ecc .text C:\Program Files\TortoiseSVN\bin\TSVNCache.exe[4088] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076d615c0 1 byte JMP 0000000076ec0450 .text C:\Program Files\TortoiseSVN\bin\TSVNCache.exe[4088] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 0000000076d615c2 3 bytes {JMP 0x15ee90} .text C:\Program Files\TortoiseSVN\bin\TSVNCache.exe[4088] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076d615d0 5 bytes JMP 000000010015163c .text C:\Program Files\TortoiseSVN\bin\TSVNCache.exe[4088] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076d61680 5 bytes JMP 0000000076ec0320 .text C:\Program Files\TortoiseSVN\bin\TSVNCache.exe[4088] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076d616b0 5 bytes JMP 0000000076ec0380 .text C:\Program Files\TortoiseSVN\bin\TSVNCache.exe[4088] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076d61710 5 bytes JMP 0000000076ec02e0 .text C:\Program Files\TortoiseSVN\bin\TSVNCache.exe[4088] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076d61760 5 bytes JMP 0000000076ec0410 .text C:\Program Files\TortoiseSVN\bin\TSVNCache.exe[4088] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076d61790 5 bytes JMP 0000000076ec02d0 .text C:\Program Files\TortoiseSVN\bin\TSVNCache.exe[4088] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076d617b0 5 bytes JMP 0000000076ec0310 .text C:\Program Files\TortoiseSVN\bin\TSVNCache.exe[4088] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076d617f0 5 bytes JMP 0000000076ec0390 .text C:\Program Files\TortoiseSVN\bin\TSVNCache.exe[4088] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000076d61810 5 bytes JMP 0000000100151284 .text C:\Program Files\TortoiseSVN\bin\TSVNCache.exe[4088] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076d61840 5 bytes JMP 0000000076ec03c0 .text C:\Program Files\TortoiseSVN\bin\TSVNCache.exe[4088] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076d619a0 1 byte JMP 0000000076ec0230 .text C:\Program Files\TortoiseSVN\bin\TSVNCache.exe[4088] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076d619a2 3 bytes {JMP 0x15e890} .text C:\Program Files\TortoiseSVN\bin\TSVNCache.exe[4088] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076d61b60 5 bytes JMP 0000000076ec0460 .text C:\Program Files\TortoiseSVN\bin\TSVNCache.exe[4088] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076d61b90 5 bytes JMP 0000000076ec0370 .text C:\Program Files\TortoiseSVN\bin\TSVNCache.exe[4088] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076d61c70 5 bytes JMP 0000000076ec02f0 .text C:\Program Files\TortoiseSVN\bin\TSVNCache.exe[4088] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076d61c80 5 bytes JMP 0000000076ec0350 .text C:\Program Files\TortoiseSVN\bin\TSVNCache.exe[4088] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076d61ce0 5 bytes JMP 0000000076ec0290 .text C:\Program Files\TortoiseSVN\bin\TSVNCache.exe[4088] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076d61d70 5 bytes JMP 0000000076ec02b0 .text C:\Program Files\TortoiseSVN\bin\TSVNCache.exe[4088] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076d61d90 5 bytes JMP 0000000076ec03a0 .text C:\Program Files\TortoiseSVN\bin\TSVNCache.exe[4088] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076d61da0 1 byte JMP 0000000076ec0330 .text C:\Program Files\TortoiseSVN\bin\TSVNCache.exe[4088] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076d61da2 3 bytes {JMP 0x15e590} .text C:\Program Files\TortoiseSVN\bin\TSVNCache.exe[4088] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076d61e10 5 bytes JMP 0000000076ec03e0 .text C:\Program Files\TortoiseSVN\bin\TSVNCache.exe[4088] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076d61e40 5 bytes JMP 0000000076ec0240 .text C:\Program Files\TortoiseSVN\bin\TSVNCache.exe[4088] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076d62100 5 bytes JMP 0000000076ec01e0 .text C:\Program Files\TortoiseSVN\bin\TSVNCache.exe[4088] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076d621c0 1 byte JMP 0000000076ec0250 .text C:\Program Files\TortoiseSVN\bin\TSVNCache.exe[4088] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076d621c2 3 bytes {JMP 0x15e090} .text C:\Program Files\TortoiseSVN\bin\TSVNCache.exe[4088] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076d621f0 5 bytes JMP 0000000076ec0470 .text C:\Program Files\TortoiseSVN\bin\TSVNCache.exe[4088] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076d62200 5 bytes JMP 0000000076ec0480 .text C:\Program Files\TortoiseSVN\bin\TSVNCache.exe[4088] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076d62230 5 bytes JMP 0000000076ec0300 .text C:\Program Files\TortoiseSVN\bin\TSVNCache.exe[4088] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076d62240 5 bytes JMP 0000000076ec0360 .text C:\Program Files\TortoiseSVN\bin\TSVNCache.exe[4088] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076d622a0 5 bytes JMP 0000000076ec02a0 .text C:\Program Files\TortoiseSVN\bin\TSVNCache.exe[4088] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076d622f0 5 bytes JMP 0000000076ec02c0 .text C:\Program Files\TortoiseSVN\bin\TSVNCache.exe[4088] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076d62330 5 bytes JMP 0000000076ec0340 .text C:\Program Files\TortoiseSVN\bin\TSVNCache.exe[4088] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076d62620 5 bytes JMP 0000000076ec0420 .text C:\Program Files\TortoiseSVN\bin\TSVNCache.exe[4088] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076d62820 5 bytes JMP 0000000076ec0260 .text C:\Program Files\TortoiseSVN\bin\TSVNCache.exe[4088] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076d62830 5 bytes JMP 0000000076ec0270 .text C:\Program Files\TortoiseSVN\bin\TSVNCache.exe[4088] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076d62840 1 byte JMP 0000000076ec03d0 .text C:\Program Files\TortoiseSVN\bin\TSVNCache.exe[4088] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000076d62842 3 bytes {JMP 0x15db90} .text C:\Program Files\TortoiseSVN\bin\TSVNCache.exe[4088] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076d62a00 5 bytes JMP 0000000076ec01f0 .text C:\Program Files\TortoiseSVN\bin\TSVNCache.exe[4088] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076d62a10 5 bytes JMP 0000000076ec0210 .text C:\Program Files\TortoiseSVN\bin\TSVNCache.exe[4088] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076d62a80 5 bytes JMP 0000000076ec0200 .text C:\Program Files\TortoiseSVN\bin\TSVNCache.exe[4088] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076d62ae0 5 bytes JMP 0000000076ec03f0 .text C:\Program Files\TortoiseSVN\bin\TSVNCache.exe[4088] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076d62af0 5 bytes JMP 0000000076ec0400 .text C:\Program Files\TortoiseSVN\bin\TSVNCache.exe[4088] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076d62b00 5 bytes JMP 0000000076ec0220 .text C:\Program Files\TortoiseSVN\bin\TSVNCache.exe[4088] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076d62be0 5 bytes JMP 0000000076ec0280 .text C:\Program Files\TortoiseSVN\bin\TSVNCache.exe[4088] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 0000000076aeeecd 1 byte [62] .text C:\Program Files\TortoiseSVN\bin\TSVNCache.exe[4088] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefd7f6e00 5 bytes JMP 000007ff7d811dac .text C:\Program Files\TortoiseSVN\bin\TSVNCache.exe[4088] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefd7f6f2c 5 bytes JMP 000007ff7d810ecc .text C:\Program Files\TortoiseSVN\bin\TSVNCache.exe[4088] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefd7f7220 5 bytes JMP 000007ff7d811284 .text C:\Program Files\TortoiseSVN\bin\TSVNCache.exe[4088] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefd7f739c 5 bytes JMP 000007ff7d81163c .text C:\Program Files\TortoiseSVN\bin\TSVNCache.exe[4088] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefd7f7538 5 bytes JMP 000007ff7d8119f4 .text C:\Program Files\TortoiseSVN\bin\TSVNCache.exe[4088] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefd7f75e8 5 bytes JMP 000007ff7d8103a4 .text C:\Program Files\TortoiseSVN\bin\TSVNCache.exe[4088] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefd7f790c 5 bytes JMP 000007ff7d81075c .text C:\Program Files\TortoiseSVN\bin\TSVNCache.exe[4088] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefd7f7ab4 5 bytes JMP 000007ff7d810b14 .text C:\Program Files\Topos\cFosSpeed\cfosspeed.exe[1620] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 0000000076aeeecd 1 byte [62] .text C:\Program Files\Topos\cFosSpeed\cfosspeed.exe[1620] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefd7f6e00 5 bytes JMP 000007ff7d811dac .text C:\Program Files\Topos\cFosSpeed\cfosspeed.exe[1620] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefd7f6f2c 5 bytes JMP 000007ff7d810ecc .text C:\Program Files\Topos\cFosSpeed\cfosspeed.exe[1620] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefd7f7220 5 bytes JMP 000007ff7d811284 .text C:\Program Files\Topos\cFosSpeed\cfosspeed.exe[1620] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefd7f739c 5 bytes JMP 000007ff7d81163c .text C:\Program Files\Topos\cFosSpeed\cfosspeed.exe[1620] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefd7f7538 5 bytes JMP 000007ff7d8119f4 .text C:\Program Files\Topos\cFosSpeed\cfosspeed.exe[1620] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefd7f75e8 5 bytes JMP 000007ff7d8103a4 .text C:\Program Files\Topos\cFosSpeed\cfosspeed.exe[1620] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefd7f790c 5 bytes JMP 000007ff7d81075c .text C:\Program Files\Topos\cFosSpeed\cfosspeed.exe[1620] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefd7f7ab4 5 bytes JMP 000007ff7d810b14 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3420] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076d33ae0 5 bytes JMP 000000007fff075c .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3420] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000076d37a90 5 bytes JMP 000000007fff03a4 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3420] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076d613c0 5 bytes JMP 0000000076ec0440 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3420] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076d61410 5 bytes JMP 0000000076ec0430 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3420] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000076d61490 5 bytes JMP 000000007fff0b14 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3420] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000076d614f0 5 bytes JMP 000000007fff0ecc .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3420] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076d615c0 1 byte JMP 0000000076ec0450 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3420] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 0000000076d615c2 3 bytes {JMP 0x15ee90} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3420] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076d615d0 5 bytes JMP 000000007fff163c .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3420] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076d61680 5 bytes JMP 0000000076ec0320 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3420] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076d616b0 5 bytes JMP 0000000076ec0380 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3420] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076d61710 5 bytes JMP 0000000076ec02e0 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3420] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076d61760 5 bytes JMP 0000000076ec0410 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3420] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076d61790 5 bytes JMP 0000000076ec02d0 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3420] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076d617b0 5 bytes JMP 0000000076ec0310 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3420] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076d617f0 5 bytes JMP 0000000076ec0390 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3420] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000076d61810 5 bytes JMP 000000007fff1284 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3420] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076d61840 5 bytes JMP 0000000076ec03c0 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3420] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076d619a0 1 byte JMP 0000000076ec0230 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3420] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076d619a2 3 bytes {JMP 0x15e890} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3420] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076d61b60 5 bytes JMP 0000000076ec0460 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3420] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076d61b90 5 bytes JMP 0000000076ec0370 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3420] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076d61c70 5 bytes JMP 0000000076ec02f0 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3420] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076d61c80 5 bytes JMP 0000000076ec0350 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3420] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076d61ce0 5 bytes JMP 0000000076ec0290 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3420] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076d61d70 5 bytes JMP 0000000076ec02b0 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3420] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076d61d90 5 bytes JMP 0000000076ec03a0 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3420] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076d61da0 1 byte JMP 0000000076ec0330 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3420] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076d61da2 3 bytes {JMP 0x15e590} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3420] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076d61e10 5 bytes JMP 0000000076ec03e0 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3420] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076d61e40 5 bytes JMP 0000000076ec0240 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3420] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076d62100 5 bytes JMP 0000000076ec01e0 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3420] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076d621c0 1 byte JMP 0000000076ec0250 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3420] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076d621c2 3 bytes {JMP 0x15e090} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3420] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076d621f0 5 bytes JMP 0000000076ec0470 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3420] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076d62200 5 bytes JMP 0000000076ec0480 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3420] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076d62230 5 bytes JMP 0000000076ec0300 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3420] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076d62240 5 bytes JMP 0000000076ec0360 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3420] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076d622a0 5 bytes JMP 0000000076ec02a0 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3420] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076d622f0 5 bytes JMP 0000000076ec02c0 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3420] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076d62330 5 bytes JMP 0000000076ec0340 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3420] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076d62620 5 bytes JMP 0000000076ec0420 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3420] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076d62820 5 bytes JMP 0000000076ec0260 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3420] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076d62830 5 bytes JMP 0000000076ec0270 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3420] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076d62840 1 byte JMP 0000000076ec03d0 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3420] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000076d62842 3 bytes {JMP 0x15db90} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3420] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076d62a00 5 bytes JMP 0000000076ec01f0 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3420] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076d62a10 5 bytes JMP 0000000076ec0210 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3420] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076d62a80 5 bytes JMP 0000000076ec0200 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3420] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076d62ae0 5 bytes JMP 0000000076ec03f0 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3420] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076d62af0 5 bytes JMP 0000000076ec0400 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3420] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076d62b00 5 bytes JMP 0000000076ec0220 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3420] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076d62be0 5 bytes JMP 0000000076ec0280 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3420] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 0000000076aeeecd 1 byte [62] .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3420] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefd7f6e00 5 bytes JMP 000007ff7d811dac .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3420] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefd7f6f2c 5 bytes JMP 000007ff7d810ecc .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3420] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefd7f7220 5 bytes JMP 000007ff7d811284 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3420] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefd7f739c 5 bytes JMP 000007ff7d81163c .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3420] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefd7f7538 5 bytes JMP 000007ff7d8119f4 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3420] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefd7f75e8 5 bytes JMP 000007ff7d8103a4 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3420] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefd7f790c 5 bytes JMP 000007ff7d81075c .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3420] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefd7f7ab4 5 bytes JMP 000007ff7d810b14 .text C:\Program Files\IDT\WDM\sttray64.exe[4032] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 0000000076aeeecd 1 byte [62] .text C:\Program Files\IDT\WDM\sttray64.exe[4032] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefd7f6e00 5 bytes JMP 000007ff7d811dac .text C:\Program Files\IDT\WDM\sttray64.exe[4032] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefd7f6f2c 5 bytes JMP 000007ff7d810ecc .text C:\Program Files\IDT\WDM\sttray64.exe[4032] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefd7f7220 5 bytes JMP 000007ff7d811284 .text C:\Program Files\IDT\WDM\sttray64.exe[4032] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefd7f739c 5 bytes JMP 000007ff7d81163c .text C:\Program Files\IDT\WDM\sttray64.exe[4032] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefd7f7538 5 bytes JMP 000007ff7d8119f4 .text C:\Program Files\IDT\WDM\sttray64.exe[4032] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefd7f75e8 5 bytes JMP 000007ff7d8103a4 .text C:\Program Files\IDT\WDM\sttray64.exe[4032] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefd7f790c 5 bytes JMP 000007ff7d81075c .text C:\Program Files\IDT\WDM\sttray64.exe[4032] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefd7f7ab4 5 bytes JMP 000007ff7d810b14 .text C:\Windows\system32\SearchIndexer.exe[3944] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076d33ae0 5 bytes JMP 000000010018075c .text C:\Windows\system32\SearchIndexer.exe[3944] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000076d37a90 5 bytes JMP 00000001001803a4 .text C:\Windows\system32\SearchIndexer.exe[3944] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076d613c0 5 bytes JMP 0000000076ec0440 .text C:\Windows\system32\SearchIndexer.exe[3944] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076d61410 5 bytes JMP 0000000076ec0430 .text C:\Windows\system32\SearchIndexer.exe[3944] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000076d61490 5 bytes JMP 0000000100180b14 .text C:\Windows\system32\SearchIndexer.exe[3944] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000076d614f0 5 bytes JMP 0000000100180ecc .text C:\Windows\system32\SearchIndexer.exe[3944] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076d615c0 1 byte JMP 0000000076ec0450 .text C:\Windows\system32\SearchIndexer.exe[3944] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 0000000076d615c2 3 bytes {JMP 0x15ee90} .text C:\Windows\system32\SearchIndexer.exe[3944] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076d615d0 5 bytes JMP 000000010018163c .text C:\Windows\system32\SearchIndexer.exe[3944] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076d61680 5 bytes JMP 0000000076ec0320 .text C:\Windows\system32\SearchIndexer.exe[3944] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076d616b0 5 bytes JMP 0000000076ec0380 .text C:\Windows\system32\SearchIndexer.exe[3944] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076d61710 5 bytes JMP 0000000076ec02e0 .text C:\Windows\system32\SearchIndexer.exe[3944] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076d61760 5 bytes JMP 0000000076ec0410 .text C:\Windows\system32\SearchIndexer.exe[3944] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076d61790 5 bytes JMP 0000000076ec02d0 .text C:\Windows\system32\SearchIndexer.exe[3944] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076d617b0 5 bytes JMP 0000000076ec0310 .text C:\Windows\system32\SearchIndexer.exe[3944] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076d617f0 5 bytes JMP 0000000076ec0390 .text C:\Windows\system32\SearchIndexer.exe[3944] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000076d61810 5 bytes JMP 0000000100181284 .text C:\Windows\system32\SearchIndexer.exe[3944] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076d61840 5 bytes JMP 0000000076ec03c0 .text C:\Windows\system32\SearchIndexer.exe[3944] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076d619a0 1 byte JMP 0000000076ec0230 .text C:\Windows\system32\SearchIndexer.exe[3944] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076d619a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\SearchIndexer.exe[3944] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076d61b60 5 bytes JMP 0000000076ec0460 .text C:\Windows\system32\SearchIndexer.exe[3944] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076d61b90 5 bytes JMP 0000000076ec0370 .text C:\Windows\system32\SearchIndexer.exe[3944] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076d61c70 5 bytes JMP 0000000076ec02f0 .text C:\Windows\system32\SearchIndexer.exe[3944] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076d61c80 5 bytes JMP 0000000076ec0350 .text C:\Windows\system32\SearchIndexer.exe[3944] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076d61ce0 5 bytes JMP 0000000076ec0290 .text C:\Windows\system32\SearchIndexer.exe[3944] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076d61d70 5 bytes JMP 0000000076ec02b0 .text C:\Windows\system32\SearchIndexer.exe[3944] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076d61d90 5 bytes JMP 0000000076ec03a0 .text C:\Windows\system32\SearchIndexer.exe[3944] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076d61da0 1 byte JMP 0000000076ec0330 .text C:\Windows\system32\SearchIndexer.exe[3944] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076d61da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\SearchIndexer.exe[3944] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076d61e10 5 bytes JMP 0000000076ec03e0 .text C:\Windows\system32\SearchIndexer.exe[3944] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076d61e40 5 bytes JMP 0000000076ec0240 .text C:\Windows\system32\SearchIndexer.exe[3944] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076d62100 5 bytes JMP 0000000076ec01e0 .text C:\Windows\system32\SearchIndexer.exe[3944] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076d621c0 1 byte JMP 0000000076ec0250 .text C:\Windows\system32\SearchIndexer.exe[3944] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076d621c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\SearchIndexer.exe[3944] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076d621f0 5 bytes JMP 0000000076ec0470 .text C:\Windows\system32\SearchIndexer.exe[3944] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076d62200 5 bytes JMP 0000000076ec0480 .text C:\Windows\system32\SearchIndexer.exe[3944] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076d62230 5 bytes JMP 0000000076ec0300 .text C:\Windows\system32\SearchIndexer.exe[3944] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076d62240 5 bytes JMP 0000000076ec0360 .text C:\Windows\system32\SearchIndexer.exe[3944] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076d622a0 5 bytes JMP 0000000076ec02a0 .text C:\Windows\system32\SearchIndexer.exe[3944] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076d622f0 5 bytes JMP 0000000076ec02c0 .text C:\Windows\system32\SearchIndexer.exe[3944] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076d62330 5 bytes JMP 0000000076ec0340 .text C:\Windows\system32\SearchIndexer.exe[3944] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076d62620 5 bytes JMP 0000000076ec0420 .text C:\Windows\system32\SearchIndexer.exe[3944] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076d62820 5 bytes JMP 0000000076ec0260 .text C:\Windows\system32\SearchIndexer.exe[3944] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076d62830 5 bytes JMP 0000000076ec0270 .text C:\Windows\system32\SearchIndexer.exe[3944] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076d62840 1 byte JMP 0000000076ec03d0 .text C:\Windows\system32\SearchIndexer.exe[3944] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000076d62842 3 bytes {JMP 0x15db90} .text C:\Windows\system32\SearchIndexer.exe[3944] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076d62a00 5 bytes JMP 0000000076ec01f0 .text C:\Windows\system32\SearchIndexer.exe[3944] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076d62a10 5 bytes JMP 0000000076ec0210 .text C:\Windows\system32\SearchIndexer.exe[3944] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076d62a80 5 bytes JMP 0000000076ec0200 .text C:\Windows\system32\SearchIndexer.exe[3944] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076d62ae0 5 bytes JMP 0000000076ec03f0 .text C:\Windows\system32\SearchIndexer.exe[3944] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076d62af0 5 bytes JMP 0000000076ec0400 .text C:\Windows\system32\SearchIndexer.exe[3944] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076d62b00 5 bytes JMP 0000000076ec0220 .text C:\Windows\system32\SearchIndexer.exe[3944] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076d62be0 5 bytes JMP 0000000076ec0280 .text C:\Windows\system32\SearchIndexer.exe[3944] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 0000000076aeeecd 1 byte [62] .text C:\Windows\system32\SearchIndexer.exe[3944] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefd7f6e00 5 bytes JMP 000007ff7d811dac .text C:\Windows\system32\SearchIndexer.exe[3944] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefd7f6f2c 5 bytes JMP 000007ff7d810ecc .text C:\Windows\system32\SearchIndexer.exe[3944] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefd7f7220 5 bytes JMP 000007ff7d811284 .text C:\Windows\system32\SearchIndexer.exe[3944] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefd7f739c 5 bytes JMP 000007ff7d81163c .text C:\Windows\system32\SearchIndexer.exe[3944] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefd7f7538 5 bytes JMP 000007ff7d8119f4 .text C:\Windows\system32\SearchIndexer.exe[3944] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefd7f75e8 5 bytes JMP 000007ff7d8103a4 .text C:\Windows\system32\SearchIndexer.exe[3944] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefd7f790c 5 bytes JMP 000007ff7d81075c .text C:\Windows\system32\SearchIndexer.exe[3944] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefd7f7ab4 5 bytes JMP 000007ff7d810b14 .text C:\Program Files\Logitech\SetPointP\SetPoint.exe[3476] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076d33ae0 5 bytes JMP 000000010044075c .text C:\Program Files\Logitech\SetPointP\SetPoint.exe[3476] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000076d37a90 5 bytes JMP 00000001004403a4 .text C:\Program Files\Logitech\SetPointP\SetPoint.exe[3476] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076d613c0 5 bytes JMP 0000000076ec0440 .text C:\Program Files\Logitech\SetPointP\SetPoint.exe[3476] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076d61410 5 bytes JMP 0000000076ec0430 .text C:\Program Files\Logitech\SetPointP\SetPoint.exe[3476] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000076d61490 5 bytes JMP 0000000100440b14 .text C:\Program Files\Logitech\SetPointP\SetPoint.exe[3476] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000076d614f0 5 bytes JMP 0000000100440ecc .text C:\Program Files\Logitech\SetPointP\SetPoint.exe[3476] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076d615c0 1 byte JMP 0000000076ec0450 .text C:\Program Files\Logitech\SetPointP\SetPoint.exe[3476] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 0000000076d615c2 3 bytes {JMP 0x15ee90} .text C:\Program Files\Logitech\SetPointP\SetPoint.exe[3476] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076d615d0 5 bytes JMP 000000010044163c .text C:\Program Files\Logitech\SetPointP\SetPoint.exe[3476] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076d61680 5 bytes JMP 0000000076ec0320 .text C:\Program Files\Logitech\SetPointP\SetPoint.exe[3476] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076d616b0 5 bytes JMP 0000000076ec0380 .text C:\Program Files\Logitech\SetPointP\SetPoint.exe[3476] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076d61710 5 bytes JMP 0000000076ec02e0 .text C:\Program Files\Logitech\SetPointP\SetPoint.exe[3476] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076d61760 5 bytes JMP 0000000076ec0410 .text C:\Program Files\Logitech\SetPointP\SetPoint.exe[3476] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076d61790 5 bytes JMP 0000000076ec02d0 .text C:\Program Files\Logitech\SetPointP\SetPoint.exe[3476] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076d617b0 5 bytes JMP 0000000076ec0310 .text C:\Program Files\Logitech\SetPointP\SetPoint.exe[3476] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076d617f0 5 bytes JMP 0000000076ec0390 .text C:\Program Files\Logitech\SetPointP\SetPoint.exe[3476] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000076d61810 5 bytes JMP 0000000100441284 .text C:\Program Files\Logitech\SetPointP\SetPoint.exe[3476] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076d61840 5 bytes JMP 0000000076ec03c0 .text C:\Program Files\Logitech\SetPointP\SetPoint.exe[3476] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076d619a0 1 byte JMP 0000000076ec0230 .text C:\Program Files\Logitech\SetPointP\SetPoint.exe[3476] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076d619a2 3 bytes {JMP 0x15e890} .text C:\Program Files\Logitech\SetPointP\SetPoint.exe[3476] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076d61b60 5 bytes JMP 0000000076ec0460 .text C:\Program Files\Logitech\SetPointP\SetPoint.exe[3476] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076d61b90 5 bytes JMP 0000000076ec0370 .text C:\Program Files\Logitech\SetPointP\SetPoint.exe[3476] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076d61c70 5 bytes JMP 0000000076ec02f0 .text C:\Program Files\Logitech\SetPointP\SetPoint.exe[3476] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076d61c80 5 bytes JMP 0000000076ec0350 .text C:\Program Files\Logitech\SetPointP\SetPoint.exe[3476] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076d61ce0 5 bytes JMP 0000000076ec0290 .text C:\Program Files\Logitech\SetPointP\SetPoint.exe[3476] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076d61d70 5 bytes JMP 0000000076ec02b0 .text C:\Program Files\Logitech\SetPointP\SetPoint.exe[3476] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076d61d90 5 bytes JMP 0000000076ec03a0 .text C:\Program Files\Logitech\SetPointP\SetPoint.exe[3476] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076d61da0 1 byte JMP 0000000076ec0330 .text C:\Program Files\Logitech\SetPointP\SetPoint.exe[3476] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076d61da2 3 bytes {JMP 0x15e590} .text C:\Program Files\Logitech\SetPointP\SetPoint.exe[3476] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076d61e10 5 bytes JMP 0000000076ec03e0 .text C:\Program Files\Logitech\SetPointP\SetPoint.exe[3476] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076d61e40 5 bytes JMP 0000000076ec0240 .text C:\Program Files\Logitech\SetPointP\SetPoint.exe[3476] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076d62100 5 bytes JMP 0000000076ec01e0 .text C:\Program Files\Logitech\SetPointP\SetPoint.exe[3476] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076d621c0 1 byte JMP 0000000076ec0250 .text C:\Program Files\Logitech\SetPointP\SetPoint.exe[3476] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076d621c2 3 bytes {JMP 0x15e090} .text C:\Program Files\Logitech\SetPointP\SetPoint.exe[3476] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076d621f0 5 bytes JMP 0000000076ec0470 .text C:\Program Files\Logitech\SetPointP\SetPoint.exe[3476] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076d62200 5 bytes JMP 0000000076ec0480 .text C:\Program Files\Logitech\SetPointP\SetPoint.exe[3476] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076d62230 5 bytes JMP 0000000076ec0300 .text C:\Program Files\Logitech\SetPointP\SetPoint.exe[3476] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076d62240 5 bytes JMP 0000000076ec0360 .text C:\Program Files\Logitech\SetPointP\SetPoint.exe[3476] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076d622a0 5 bytes JMP 0000000076ec02a0 .text C:\Program Files\Logitech\SetPointP\SetPoint.exe[3476] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076d622f0 5 bytes JMP 0000000076ec02c0 .text C:\Program Files\Logitech\SetPointP\SetPoint.exe[3476] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076d62330 5 bytes JMP 0000000076ec0340 .text C:\Program Files\Logitech\SetPointP\SetPoint.exe[3476] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076d62620 5 bytes JMP 0000000076ec0420 .text C:\Program Files\Logitech\SetPointP\SetPoint.exe[3476] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076d62820 5 bytes JMP 0000000076ec0260 .text C:\Program Files\Logitech\SetPointP\SetPoint.exe[3476] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076d62830 5 bytes JMP 0000000076ec0270 .text C:\Program Files\Logitech\SetPointP\SetPoint.exe[3476] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076d62840 1 byte JMP 0000000076ec03d0 .text C:\Program Files\Logitech\SetPointP\SetPoint.exe[3476] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000076d62842 3 bytes {JMP 0x15db90} .text C:\Program Files\Logitech\SetPointP\SetPoint.exe[3476] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076d62a00 5 bytes JMP 0000000076ec01f0 .text C:\Program Files\Logitech\SetPointP\SetPoint.exe[3476] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076d62a10 5 bytes JMP 0000000076ec0210 .text C:\Program Files\Logitech\SetPointP\SetPoint.exe[3476] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076d62a80 5 bytes JMP 0000000076ec0200 .text C:\Program Files\Logitech\SetPointP\SetPoint.exe[3476] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076d62ae0 5 bytes JMP 0000000076ec03f0 .text C:\Program Files\Logitech\SetPointP\SetPoint.exe[3476] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076d62af0 5 bytes JMP 0000000076ec0400 .text C:\Program Files\Logitech\SetPointP\SetPoint.exe[3476] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076d62b00 5 bytes JMP 0000000076ec0220 .text C:\Program Files\Logitech\SetPointP\SetPoint.exe[3476] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076d62be0 5 bytes JMP 0000000076ec0280 .text C:\Program Files\Logitech\SetPointP\SetPoint.exe[3476] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 0000000076aeeecd 1 byte [62] .text C:\Program Files\Logitech\SetPointP\SetPoint.exe[3476] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefd7f6e00 5 bytes JMP 000007ff7d811dac .text C:\Program Files\Logitech\SetPointP\SetPoint.exe[3476] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefd7f6f2c 5 bytes JMP 000007ff7d810ecc .text C:\Program Files\Logitech\SetPointP\SetPoint.exe[3476] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefd7f7220 5 bytes JMP 000007ff7d811284 .text C:\Program Files\Logitech\SetPointP\SetPoint.exe[3476] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefd7f739c 5 bytes JMP 000007ff7d81163c .text C:\Program Files\Logitech\SetPointP\SetPoint.exe[3476] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefd7f7538 5 bytes JMP 000007ff7d8119f4 .text C:\Program Files\Logitech\SetPointP\SetPoint.exe[3476] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefd7f75e8 5 bytes JMP 000007ff7d8103a4 .text C:\Program Files\Logitech\SetPointP\SetPoint.exe[3476] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefd7f790c 5 bytes JMP 000007ff7d81075c .text C:\Program Files\Logitech\SetPointP\SetPoint.exe[3476] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefd7f7ab4 5 bytes JMP 000007ff7d810b14 .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[1252] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefd7f6e00 5 bytes JMP 000007ff7d811dac .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[1252] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefd7f6f2c 5 bytes JMP 000007ff7d810ecc .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[1252] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefd7f7220 5 bytes JMP 000007ff7d811284 .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[1252] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefd7f739c 5 bytes JMP 000007ff7d81163c .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[1252] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefd7f7538 5 bytes JMP 000007ff7d8119f4 .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[1252] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefd7f75e8 5 bytes JMP 000007ff7d8103a4 .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[1252] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefd7f790c 5 bytes JMP 000007ff7d81075c .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[1252] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefd7f7ab4 5 bytes JMP 000007ff7d810b14 .text C:\Program Files (x86)\Power Soft\Freebie Notes\FreebieNotes.exe[2416] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 0000000076f0faa0 5 bytes JMP 0000000100030600 .text C:\Program Files (x86)\Power Soft\Freebie Notes\FreebieNotes.exe[2416] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 0000000076f0fb38 5 bytes JMP 0000000100030804 .text C:\Program Files (x86)\Power Soft\Freebie Notes\FreebieNotes.exe[2416] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000076f0fc90 5 bytes JMP 0000000100030c0c .text C:\Program Files (x86)\Power Soft\Freebie Notes\FreebieNotes.exe[2416] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000076f10018 5 bytes JMP 0000000100030a08 .text C:\Program Files (x86)\Power Soft\Freebie Notes\FreebieNotes.exe[2416] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000076f2c45a 5 bytes JMP 00000001000301f8 .text C:\Program Files (x86)\Power Soft\Freebie Notes\FreebieNotes.exe[2416] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000076f31217 5 bytes JMP 00000001000303fc .text C:\Program Files (x86)\Power Soft\Freebie Notes\FreebieNotes.exe[2416] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 00000000762ea30a 1 byte [62] .text C:\Program Files (x86)\Power Soft\Freebie Notes\FreebieNotes.exe[2416] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000075605181 5 bytes JMP 0000000100241014 .text C:\Program Files (x86)\Power Soft\Freebie Notes\FreebieNotes.exe[2416] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000075605254 5 bytes JMP 0000000100240804 .text C:\Program Files (x86)\Power Soft\Freebie Notes\FreebieNotes.exe[2416] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000756053d5 5 bytes JMP 0000000100240a08 .text C:\Program Files (x86)\Power Soft\Freebie Notes\FreebieNotes.exe[2416] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000756054c2 5 bytes JMP 0000000100240c0c .text C:\Program Files (x86)\Power Soft\Freebie Notes\FreebieNotes.exe[2416] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000756055e2 5 bytes JMP 0000000100240e10 .text C:\Program Files (x86)\Power Soft\Freebie Notes\FreebieNotes.exe[2416] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 000000007560567c 5 bytes JMP 00000001002401f8 .text C:\Program Files (x86)\Power Soft\Freebie Notes\FreebieNotes.exe[2416] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 000000007560589f 5 bytes JMP 00000001002403fc .text C:\Program Files (x86)\Power Soft\Freebie Notes\FreebieNotes.exe[2416] C:\Windows\SysWOW64\sechost.dll!DeleteService 0000000075605a22 5 bytes JMP 0000000100240600 .text C:\Program Files (x86)\Power Soft\Freebie Notes\FreebieNotes.exe[2416] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007613ee09 5 bytes JMP 00000001002501f8 .text C:\Program Files (x86)\Power Soft\Freebie Notes\FreebieNotes.exe[2416] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000076143982 5 bytes JMP 00000001002503fc .text C:\Program Files (x86)\Power Soft\Freebie Notes\FreebieNotes.exe[2416] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076147603 5 bytes JMP 0000000100250804 .text C:\Program Files (x86)\Power Soft\Freebie Notes\FreebieNotes.exe[2416] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007614835c 5 bytes JMP 0000000100250600 .text C:\Program Files (x86)\Power Soft\Freebie Notes\FreebieNotes.exe[2416] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 000000007615f52b 5 bytes JMP 0000000100250a08 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[3380] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000762ea30a 1 byte [62] .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[2980] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 0000000076f0faa0 5 bytes JMP 0000000100030600 .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[2980] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 0000000076f0fb38 5 bytes JMP 0000000100030804 .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[2980] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000076f0fc90 5 bytes JMP 0000000100030c0c .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[2980] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000076f10018 5 bytes JMP 0000000100030a08 .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[2980] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000076f2c45a 5 bytes JMP 00000001000301f8 .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[2980] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000076f31217 5 bytes JMP 00000001000303fc .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[2980] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 00000000762ea30a 1 byte [62] .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[2980] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007613ee09 5 bytes JMP 00000001002401f8 .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[2980] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000076143982 5 bytes JMP 00000001002403fc .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[2980] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076147603 5 bytes JMP 0000000100240804 .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[2980] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007614835c 5 bytes JMP 0000000100240600 .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[2980] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 000000007615f52b 5 bytes JMP 0000000100240a08 .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[2980] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000075605181 5 bytes JMP 0000000100251014 .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[2980] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000075605254 5 bytes JMP 0000000100250804 .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[2980] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000756053d5 5 bytes JMP 0000000100250a08 .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[2980] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000756054c2 5 bytes JMP 0000000100250c0c .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[2980] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000756055e2 5 bytes JMP 0000000100250e10 .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[2980] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 000000007560567c 5 bytes JMP 00000001002501f8 .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[2980] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 000000007560589f 5 bytes JMP 00000001002503fc .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[2980] C:\Windows\SysWOW64\sechost.dll!DeleteService 0000000075605a22 5 bytes JMP 0000000100250600 .text C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE[4020] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076d33ae0 5 bytes JMP 000000010041075c .text C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE[4020] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000076d37a90 5 bytes JMP 00000001004103a4 .text C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE[4020] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076d613c0 5 bytes JMP 0000000076ec0440 .text C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE[4020] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076d61410 5 bytes JMP 0000000076ec0430 .text C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE[4020] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000076d61490 5 bytes JMP 0000000100410b14 .text C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE[4020] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000076d614f0 5 bytes JMP 0000000100410ecc .text C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE[4020] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076d615c0 1 byte JMP 0000000076ec0450 .text C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE[4020] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 0000000076d615c2 3 bytes {JMP 0x15ee90} .text C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE[4020] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076d615d0 5 bytes JMP 000000010041163c .text C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE[4020] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076d61680 5 bytes JMP 0000000076ec0320 .text C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE[4020] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076d616b0 5 bytes JMP 0000000076ec0380 .text C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE[4020] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076d61710 5 bytes JMP 0000000076ec02e0 .text C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE[4020] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076d61760 5 bytes JMP 0000000076ec0410 .text C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE[4020] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076d61790 5 bytes JMP 0000000076ec02d0 .text C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE[4020] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076d617b0 5 bytes JMP 0000000076ec0310 .text C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE[4020] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076d617f0 5 bytes JMP 0000000076ec0390 .text C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE[4020] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000076d61810 5 bytes JMP 0000000100411284 .text C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE[4020] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076d61840 5 bytes JMP 0000000076ec03c0 .text C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE[4020] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076d619a0 1 byte JMP 0000000076ec0230 .text C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE[4020] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076d619a2 3 bytes {JMP 0x15e890} .text C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE[4020] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076d61b60 5 bytes JMP 0000000076ec0460 .text C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE[4020] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076d61b90 5 bytes JMP 0000000076ec0370 .text C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE[4020] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076d61c70 5 bytes JMP 0000000076ec02f0 .text C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE[4020] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076d61c80 5 bytes JMP 0000000076ec0350 .text C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE[4020] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076d61ce0 5 bytes JMP 0000000076ec0290 .text C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE[4020] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076d61d70 5 bytes JMP 0000000076ec02b0 .text C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE[4020] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076d61d90 5 bytes JMP 0000000076ec03a0 .text C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE[4020] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076d61da0 1 byte JMP 0000000076ec0330 .text C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE[4020] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076d61da2 3 bytes {JMP 0x15e590} .text C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE[4020] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076d61e10 5 bytes JMP 0000000076ec03e0 .text C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE[4020] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076d61e40 5 bytes JMP 0000000076ec0240 .text C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE[4020] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076d62100 5 bytes JMP 0000000076ec01e0 .text C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE[4020] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076d621c0 1 byte JMP 0000000076ec0250 .text C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE[4020] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076d621c2 3 bytes {JMP 0x15e090} .text C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE[4020] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076d621f0 5 bytes JMP 0000000076ec0470 .text C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE[4020] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076d62200 5 bytes JMP 0000000076ec0480 .text C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE[4020] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076d62230 5 bytes JMP 0000000076ec0300 .text C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE[4020] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076d62240 5 bytes JMP 0000000076ec0360 .text C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE[4020] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076d622a0 5 bytes JMP 0000000076ec02a0 .text C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE[4020] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076d622f0 5 bytes JMP 0000000076ec02c0 .text C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE[4020] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076d62330 5 bytes JMP 0000000076ec0340 .text C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE[4020] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076d62620 5 bytes JMP 0000000076ec0420 .text C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE[4020] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076d62820 5 bytes JMP 0000000076ec0260 .text C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE[4020] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076d62830 5 bytes JMP 0000000076ec0270 .text C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE[4020] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076d62840 1 byte JMP 0000000076ec03d0 .text C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE[4020] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000076d62842 3 bytes {JMP 0x15db90} .text C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE[4020] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076d62a00 5 bytes JMP 0000000076ec01f0 .text C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE[4020] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076d62a10 5 bytes JMP 0000000076ec0210 .text C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE[4020] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076d62a80 5 bytes JMP 0000000076ec0200 .text C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE[4020] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076d62ae0 5 bytes JMP 0000000076ec03f0 .text C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE[4020] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076d62af0 5 bytes JMP 0000000076ec0400 .text C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE[4020] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076d62b00 5 bytes JMP 0000000076ec0220 .text C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE[4020] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076d62be0 5 bytes JMP 0000000076ec0280 .text C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE[4020] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 0000000076aeeecd 1 byte [62] .text C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE[4020] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefd7f6e00 5 bytes JMP 000007ff7d811dac .text C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE[4020] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefd7f6f2c 5 bytes JMP 000007ff7d810ecc .text C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE[4020] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefd7f7220 5 bytes JMP 000007ff7d811284 .text C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE[4020] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefd7f739c 5 bytes JMP 000007ff7d81163c .text C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE[4020] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefd7f7538 5 bytes JMP 000007ff7d8119f4 .text C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE[4020] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefd7f75e8 5 bytes JMP 000007ff7d8103a4 .text C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE[4020] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefd7f790c 5 bytes JMP 000007ff7d81075c .text C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE[4020] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefd7f7ab4 5 bytes JMP 000007ff7d810b14 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3868] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 0000000076f0faa0 5 bytes JMP 0000000100030600 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3868] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 0000000076f0fb38 5 bytes JMP 0000000100030804 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3868] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000076f0fc90 5 bytes JMP 0000000100030c0c .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3868] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000076f10018 5 bytes JMP 0000000100030a08 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3868] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000076f2c45a 5 bytes JMP 00000001000301f8 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3868] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000076f31217 5 bytes JMP 00000001000303fc .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3868] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 00000000762ea30a 1 byte [62] .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3868] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000075605181 5 bytes JMP 00000001000d1014 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3868] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000075605254 5 bytes JMP 00000001000d0804 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3868] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000756053d5 5 bytes JMP 00000001000d0a08 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3868] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000756054c2 5 bytes JMP 00000001000d0c0c .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3868] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000756055e2 5 bytes JMP 00000001000d0e10 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3868] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 000000007560567c 5 bytes JMP 00000001000d01f8 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3868] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 000000007560589f 5 bytes JMP 00000001000d03fc .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3868] C:\Windows\SysWOW64\sechost.dll!DeleteService 0000000075605a22 5 bytes JMP 00000001000d0600 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3868] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007613ee09 5 bytes JMP 00000001000e01f8 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3868] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000076143982 5 bytes JMP 00000001000e03fc .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3868] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076147603 5 bytes JMP 00000001000e0804 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3868] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007614835c 5 bytes JMP 00000001000e0600 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3868] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 000000007615f52b 5 bytes JMP 00000001000e0a08 .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe[1796] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 0000000076f0faa0 5 bytes JMP 0000000100030600 .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe[1796] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 0000000076f0fb38 5 bytes JMP 0000000100030804 .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe[1796] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000076f0fc90 5 bytes JMP 0000000100030c0c .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe[1796] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000076f10018 5 bytes JMP 0000000100030a08 .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe[1796] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000076f2c45a 5 bytes JMP 00000001000301f8 .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe[1796] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000076f31217 5 bytes JMP 00000001000303fc .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe[1796] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 00000000762ea30a 1 byte [62] .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe[1796] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007613ee09 5 bytes JMP 00000001001401f8 .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe[1796] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000076143982 5 bytes JMP 00000001001403fc .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe[1796] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076147603 5 bytes JMP 0000000100140804 .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe[1796] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007614835c 5 bytes JMP 0000000100140600 .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe[1796] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 000000007615f52b 5 bytes JMP 0000000100140a08 .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe[1796] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000075605181 5 bytes JMP 0000000100151014 .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe[1796] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000075605254 5 bytes JMP 0000000100150804 .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe[1796] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000756053d5 5 bytes JMP 0000000100150a08 .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe[1796] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000756054c2 5 bytes JMP 0000000100150c0c .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe[1796] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000756055e2 5 bytes JMP 0000000100150e10 .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe[1796] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 000000007560567c 5 bytes JMP 00000001001501f8 .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe[1796] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 000000007560589f 5 bytes JMP 00000001001503fc .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe[1796] C:\Windows\SysWOW64\sechost.dll!DeleteService 0000000075605a22 5 bytes JMP 0000000100150600 .text C:\Program Files (x86)\Hewlett-Packard\HP On Screen Display\HPOSD.exe[4188] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 0000000076f0faa0 5 bytes JMP 0000000100030600 .text C:\Program Files (x86)\Hewlett-Packard\HP On Screen Display\HPOSD.exe[4188] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 0000000076f0fb38 5 bytes JMP 0000000100030804 .text C:\Program Files (x86)\Hewlett-Packard\HP On Screen Display\HPOSD.exe[4188] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000076f0fc90 5 bytes JMP 0000000100030c0c .text C:\Program Files (x86)\Hewlett-Packard\HP On Screen Display\HPOSD.exe[4188] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000076f10018 5 bytes JMP 0000000100030a08 .text C:\Program Files (x86)\Hewlett-Packard\HP On Screen Display\HPOSD.exe[4188] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000076f2c45a 5 bytes JMP 00000001000301f8 .text C:\Program Files (x86)\Hewlett-Packard\HP On Screen Display\HPOSD.exe[4188] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000076f31217 5 bytes JMP 00000001000303fc .text C:\Program Files (x86)\Hewlett-Packard\HP On Screen Display\HPOSD.exe[4188] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 00000000762ea30a 1 byte [62] .text C:\Program Files (x86)\Hewlett-Packard\HP On Screen Display\HPOSD.exe[4188] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007613ee09 5 bytes JMP 00000001000a01f8 .text C:\Program Files (x86)\Hewlett-Packard\HP On Screen Display\HPOSD.exe[4188] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000076143982 5 bytes JMP 00000001000a03fc .text C:\Program Files (x86)\Hewlett-Packard\HP On Screen Display\HPOSD.exe[4188] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076147603 5 bytes JMP 00000001000a0804 .text C:\Program Files (x86)\Hewlett-Packard\HP On Screen Display\HPOSD.exe[4188] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007614835c 5 bytes JMP 00000001000a0600 .text C:\Program Files (x86)\Hewlett-Packard\HP On Screen Display\HPOSD.exe[4188] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 000000007615f52b 5 bytes JMP 00000001000a0a08 .text C:\Program Files (x86)\Hewlett-Packard\HP On Screen Display\HPOSD.exe[4188] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000075605181 5 bytes JMP 00000001000b1014 .text C:\Program Files (x86)\Hewlett-Packard\HP On Screen Display\HPOSD.exe[4188] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000075605254 5 bytes JMP 00000001000b0804 .text C:\Program Files (x86)\Hewlett-Packard\HP On Screen Display\HPOSD.exe[4188] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000756053d5 5 bytes JMP 00000001000b0a08 .text C:\Program Files (x86)\Hewlett-Packard\HP On Screen Display\HPOSD.exe[4188] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000756054c2 5 bytes JMP 00000001000b0c0c .text C:\Program Files (x86)\Hewlett-Packard\HP On Screen Display\HPOSD.exe[4188] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000756055e2 5 bytes JMP 00000001000b0e10 .text C:\Program Files (x86)\Hewlett-Packard\HP On Screen Display\HPOSD.exe[4188] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 000000007560567c 5 bytes JMP 00000001000b01f8 .text C:\Program Files (x86)\Hewlett-Packard\HP On Screen Display\HPOSD.exe[4188] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 000000007560589f 5 bytes JMP 00000001000b03fc .text C:\Program Files (x86)\Hewlett-Packard\HP On Screen Display\HPOSD.exe[4188] C:\Windows\SysWOW64\sechost.dll!DeleteService 0000000075605a22 5 bytes JMP 00000001000b0600 .text C:\Program Files (x86)\Hewlett-Packard\HP On Screen Display\HPOSD.exe[4188] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000075ae1401 2 bytes [AE, 75] .text C:\Program Files (x86)\Hewlett-Packard\HP On Screen Display\HPOSD.exe[4188] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000075ae1419 2 bytes [AE, 75] .text C:\Program Files (x86)\Hewlett-Packard\HP On Screen Display\HPOSD.exe[4188] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000075ae1431 2 bytes [AE, 75] .text C:\Program Files (x86)\Hewlett-Packard\HP On Screen Display\HPOSD.exe[4188] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000075ae144a 2 bytes [AE, 75] .text ... * 9 .text C:\Program Files (x86)\Hewlett-Packard\HP On Screen Display\HPOSD.exe[4188] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000075ae14dd 2 bytes [AE, 75] .text C:\Program Files (x86)\Hewlett-Packard\HP On Screen Display\HPOSD.exe[4188] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000075ae14f5 2 bytes [AE, 75] .text C:\Program Files (x86)\Hewlett-Packard\HP On Screen Display\HPOSD.exe[4188] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000075ae150d 2 bytes [AE, 75] .text C:\Program Files (x86)\Hewlett-Packard\HP On Screen Display\HPOSD.exe[4188] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000075ae1525 2 bytes [AE, 75] .text C:\Program Files (x86)\Hewlett-Packard\HP On Screen Display\HPOSD.exe[4188] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000075ae153d 2 bytes [AE, 75] .text C:\Program Files (x86)\Hewlett-Packard\HP On Screen Display\HPOSD.exe[4188] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000075ae1555 2 bytes [AE, 75] .text C:\Program Files (x86)\Hewlett-Packard\HP On Screen Display\HPOSD.exe[4188] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000075ae156d 2 bytes [AE, 75] .text C:\Program Files (x86)\Hewlett-Packard\HP On Screen Display\HPOSD.exe[4188] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000075ae1585 2 bytes [AE, 75] .text C:\Program Files (x86)\Hewlett-Packard\HP On Screen Display\HPOSD.exe[4188] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000075ae159d 2 bytes [AE, 75] .text C:\Program Files (x86)\Hewlett-Packard\HP On Screen Display\HPOSD.exe[4188] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000075ae15b5 2 bytes [AE, 75] .text C:\Program Files (x86)\Hewlett-Packard\HP On Screen Display\HPOSD.exe[4188] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000075ae15cd 2 bytes [AE, 75] .text C:\Program Files (x86)\Hewlett-Packard\HP On Screen Display\HPOSD.exe[4188] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000075ae16b2 2 bytes [AE, 75] .text C:\Program Files (x86)\Hewlett-Packard\HP On Screen Display\HPOSD.exe[4188] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000075ae16bd 2 bytes [AE, 75] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4720] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 0000000076f0faa0 5 bytes JMP 0000000100030600 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4720] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 0000000076f0fb38 5 bytes JMP 0000000100030804 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4720] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000076f0fc90 5 bytes JMP 0000000100030c0c .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4720] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000076f10018 5 bytes JMP 0000000100030a08 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4720] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000076f2c45a 5 bytes JMP 00000001000301f8 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4720] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000076f31217 5 bytes JMP 00000001000303fc .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4720] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 00000000762ea30a 1 byte [62] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4720] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000075605181 5 bytes JMP 00000001003d1014 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4720] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000075605254 5 bytes JMP 00000001003d0804 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4720] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000756053d5 5 bytes JMP 00000001003d0a08 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4720] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000756054c2 5 bytes JMP 00000001003d0c0c .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4720] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000756055e2 5 bytes JMP 00000001003d0e10 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4720] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 000000007560567c 5 bytes JMP 00000001003d01f8 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4720] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 000000007560589f 5 bytes JMP 00000001003d03fc .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4720] C:\Windows\SysWOW64\sechost.dll!DeleteService 0000000075605a22 5 bytes JMP 00000001003d0600 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4720] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007613ee09 5 bytes JMP 00000001003e01f8 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4720] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000076143982 5 bytes JMP 00000001003e03fc .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4720] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076147603 5 bytes JMP 00000001003e0804 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4720] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007614835c 5 bytes JMP 00000001003e0600 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4720] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 000000007615f52b 5 bytes JMP 00000001003e0a08 .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe[4728] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 0000000076f0faa0 5 bytes JMP 0000000100030600 .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe[4728] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 0000000076f0fb38 5 bytes JMP 0000000100030804 .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe[4728] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000076f0fc90 5 bytes JMP 0000000100030c0c .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe[4728] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000076f10018 5 bytes JMP 0000000100030a08 .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe[4728] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000076f2c45a 5 bytes JMP 00000001000301f8 .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe[4728] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000076f31217 5 bytes JMP 00000001000303fc .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe[4728] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 00000000762ea30a 1 byte [62] .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe[4728] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000075605181 5 bytes JMP 0000000100241014 .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe[4728] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000075605254 5 bytes JMP 0000000100240804 .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe[4728] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000756053d5 5 bytes JMP 0000000100240a08 .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe[4728] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000756054c2 5 bytes JMP 0000000100240c0c .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe[4728] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000756055e2 5 bytes JMP 0000000100240e10 .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe[4728] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 000000007560567c 5 bytes JMP 00000001002401f8 .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe[4728] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 000000007560589f 5 bytes JMP 00000001002403fc .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe[4728] C:\Windows\SysWOW64\sechost.dll!DeleteService 0000000075605a22 5 bytes JMP 0000000100240600 .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe[4728] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007613ee09 5 bytes JMP 00000001002501f8 .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe[4728] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000076143982 5 bytes JMP 00000001002503fc .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe[4728] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076147603 5 bytes JMP 0000000100250804 .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe[4728] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007614835c 5 bytes JMP 0000000100250600 .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe[4728] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 000000007615f52b 5 bytes JMP 0000000100250a08 .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe[4728] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000075ae1401 2 bytes [AE, 75] .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe[4728] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000075ae1419 2 bytes [AE, 75] .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe[4728] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000075ae1431 2 bytes [AE, 75] .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe[4728] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000075ae144a 2 bytes [AE, 75] .text ... * 9 .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe[4728] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000075ae14dd 2 bytes [AE, 75] .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe[4728] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000075ae14f5 2 bytes [AE, 75] .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe[4728] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000075ae150d 2 bytes [AE, 75] .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe[4728] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000075ae1525 2 bytes [AE, 75] .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe[4728] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000075ae153d 2 bytes [AE, 75] .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe[4728] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000075ae1555 2 bytes [AE, 75] .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe[4728] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000075ae156d 2 bytes [AE, 75] .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe[4728] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000075ae1585 2 bytes [AE, 75] .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe[4728] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000075ae159d 2 bytes [AE, 75] .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe[4728] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000075ae15b5 2 bytes [AE, 75] .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe[4728] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000075ae15cd 2 bytes [AE, 75] .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe[4728] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000075ae16b2 2 bytes [AE, 75] .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe[4728] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000075ae16bd 2 bytes [AE, 75] .text C:\Program Files\Opera x64\opera.exe[4236] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076d33ae0 5 bytes JMP 00000001004b075c .text C:\Program Files\Opera x64\opera.exe[4236] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000076d37a90 5 bytes JMP 00000001004b03a4 .text C:\Program Files\Opera x64\opera.exe[4236] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076d613c0 5 bytes JMP 0000000076ec0440 .text C:\Program Files\Opera x64\opera.exe[4236] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076d61410 5 bytes JMP 0000000076ec0430 .text C:\Program Files\Opera x64\opera.exe[4236] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000076d61490 5 bytes JMP 00000001004b0b14 .text C:\Program Files\Opera x64\opera.exe[4236] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000076d614f0 5 bytes JMP 00000001004b0ecc .text C:\Program Files\Opera x64\opera.exe[4236] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076d615c0 1 byte JMP 0000000076ec0450 .text C:\Program Files\Opera x64\opera.exe[4236] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 0000000076d615c2 3 bytes {JMP 0x15ee90} .text C:\Program Files\Opera x64\opera.exe[4236] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076d615d0 5 bytes JMP 00000001004b163c .text C:\Program Files\Opera x64\opera.exe[4236] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076d61680 5 bytes JMP 0000000076ec0320 .text C:\Program Files\Opera x64\opera.exe[4236] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076d616b0 5 bytes JMP 0000000076ec0380 .text C:\Program Files\Opera x64\opera.exe[4236] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076d61710 5 bytes JMP 0000000076ec02e0 .text C:\Program Files\Opera x64\opera.exe[4236] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076d61760 5 bytes JMP 0000000076ec0410 .text C:\Program Files\Opera x64\opera.exe[4236] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076d61790 5 bytes JMP 0000000076ec02d0 .text C:\Program Files\Opera x64\opera.exe[4236] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076d617b0 5 bytes JMP 0000000076ec0310 .text C:\Program Files\Opera x64\opera.exe[4236] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076d617f0 5 bytes JMP 0000000076ec0390 .text C:\Program Files\Opera x64\opera.exe[4236] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000076d61810 5 bytes JMP 00000001004b1284 .text C:\Program Files\Opera x64\opera.exe[4236] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076d61840 5 bytes JMP 0000000076ec03c0 .text C:\Program Files\Opera x64\opera.exe[4236] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076d619a0 1 byte JMP 0000000076ec0230 .text C:\Program Files\Opera x64\opera.exe[4236] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076d619a2 3 bytes {JMP 0x15e890} .text C:\Program Files\Opera x64\opera.exe[4236] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076d61b60 5 bytes JMP 0000000076ec0460 .text C:\Program Files\Opera x64\opera.exe[4236] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076d61b90 5 bytes JMP 0000000076ec0370 .text C:\Program Files\Opera x64\opera.exe[4236] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076d61c70 5 bytes JMP 0000000076ec02f0 .text C:\Program Files\Opera x64\opera.exe[4236] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076d61c80 5 bytes JMP 0000000076ec0350 .text C:\Program Files\Opera x64\opera.exe[4236] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076d61ce0 5 bytes JMP 0000000076ec0290 .text C:\Program Files\Opera x64\opera.exe[4236] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076d61d70 5 bytes JMP 0000000076ec02b0 .text C:\Program Files\Opera x64\opera.exe[4236] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076d61d90 5 bytes JMP 0000000076ec03a0 .text C:\Program Files\Opera x64\opera.exe[4236] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076d61da0 1 byte JMP 0000000076ec0330 .text C:\Program Files\Opera x64\opera.exe[4236] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076d61da2 3 bytes {JMP 0x15e590} .text C:\Program Files\Opera x64\opera.exe[4236] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076d61e10 5 bytes JMP 0000000076ec03e0 .text C:\Program Files\Opera x64\opera.exe[4236] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076d61e40 5 bytes JMP 0000000076ec0240 .text C:\Program Files\Opera x64\opera.exe[4236] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076d62100 5 bytes JMP 0000000076ec01e0 .text C:\Program Files\Opera x64\opera.exe[4236] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076d621c0 1 byte JMP 0000000076ec0250 .text C:\Program Files\Opera x64\opera.exe[4236] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076d621c2 3 bytes {JMP 0x15e090} .text C:\Program Files\Opera x64\opera.exe[4236] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076d621f0 5 bytes JMP 0000000076ec0470 .text C:\Program Files\Opera x64\opera.exe[4236] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076d62200 5 bytes JMP 0000000076ec0480 .text C:\Program Files\Opera x64\opera.exe[4236] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076d62230 5 bytes JMP 0000000076ec0300 .text C:\Program Files\Opera x64\opera.exe[4236] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076d62240 5 bytes JMP 0000000076ec0360 .text C:\Program Files\Opera x64\opera.exe[4236] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076d622a0 5 bytes JMP 0000000076ec02a0 .text C:\Program Files\Opera x64\opera.exe[4236] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076d622f0 5 bytes JMP 0000000076ec02c0 .text C:\Program Files\Opera x64\opera.exe[4236] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076d62330 5 bytes JMP 0000000076ec0340 .text C:\Program Files\Opera x64\opera.exe[4236] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076d62620 5 bytes JMP 0000000076ec0420 .text C:\Program Files\Opera x64\opera.exe[4236] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076d62820 5 bytes JMP 0000000076ec0260 .text C:\Program Files\Opera x64\opera.exe[4236] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076d62830 5 bytes JMP 0000000076ec0270 .text C:\Program Files\Opera x64\opera.exe[4236] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076d62840 1 byte JMP 0000000076ec03d0 .text C:\Program Files\Opera x64\opera.exe[4236] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000076d62842 3 bytes {JMP 0x15db90} .text C:\Program Files\Opera x64\opera.exe[4236] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076d62a00 5 bytes JMP 0000000076ec01f0 .text C:\Program Files\Opera x64\opera.exe[4236] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076d62a10 5 bytes JMP 0000000076ec0210 .text C:\Program Files\Opera x64\opera.exe[4236] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076d62a80 5 bytes JMP 0000000076ec0200 .text C:\Program Files\Opera x64\opera.exe[4236] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076d62ae0 5 bytes JMP 0000000076ec03f0 .text C:\Program Files\Opera x64\opera.exe[4236] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076d62af0 5 bytes JMP 0000000076ec0400 .text C:\Program Files\Opera x64\opera.exe[4236] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076d62b00 5 bytes JMP 0000000076ec0220 .text C:\Program Files\Opera x64\opera.exe[4236] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076d62be0 5 bytes JMP 0000000076ec0280 .text C:\Program Files\Opera x64\opera.exe[4236] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 0000000076aeeecd 1 byte [62] .text C:\Program Files\Opera x64\opera.exe[4236] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefd7f6e00 5 bytes JMP 000007ff7d811dac .text C:\Program Files\Opera x64\opera.exe[4236] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefd7f6f2c 5 bytes JMP 000007ff7d810ecc .text C:\Program Files\Opera x64\opera.exe[4236] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefd7f7220 5 bytes JMP 000007ff7d811284 .text C:\Program Files\Opera x64\opera.exe[4236] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefd7f739c 5 bytes JMP 000007ff7d81163c .text C:\Program Files\Opera x64\opera.exe[4236] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefd7f7538 5 bytes JMP 000007ff7d8119f4 .text C:\Program Files\Opera x64\opera.exe[4236] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefd7f75e8 5 bytes JMP 000007ff7d8103a4 .text C:\Program Files\Opera x64\opera.exe[4236] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefd7f790c 5 bytes JMP 000007ff7d81075c .text C:\Program Files\Opera x64\opera.exe[4236] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefd7f7ab4 5 bytes JMP 000007ff7d810b14 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[4464] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076d33ae0 5 bytes JMP 000000010038075c .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[4464] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000076d37a90 5 bytes JMP 00000001003803a4 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[4464] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076d613c0 5 bytes JMP 0000000076ec0440 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[4464] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076d61410 5 bytes JMP 0000000076ec0430 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[4464] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000076d61490 5 bytes JMP 0000000100380b14 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[4464] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000076d614f0 5 bytes JMP 0000000100380ecc .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[4464] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076d615c0 1 byte JMP 0000000076ec0450 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[4464] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 0000000076d615c2 3 bytes {JMP 0x15ee90} .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[4464] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076d615d0 5 bytes JMP 000000010038163c .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[4464] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076d61680 5 bytes JMP 0000000076ec0320 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[4464] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076d616b0 5 bytes JMP 0000000076ec0380 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[4464] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076d61710 5 bytes JMP 0000000076ec02e0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[4464] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076d61760 5 bytes JMP 0000000076ec0410 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[4464] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076d61790 5 bytes JMP 0000000076ec02d0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[4464] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076d617b0 5 bytes JMP 0000000076ec0310 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[4464] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076d617f0 5 bytes JMP 0000000076ec0390 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[4464] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000076d61810 5 bytes JMP 0000000100381284 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[4464] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076d61840 5 bytes JMP 0000000076ec03c0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[4464] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076d619a0 1 byte JMP 0000000076ec0230 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[4464] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076d619a2 3 bytes {JMP 0x15e890} .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[4464] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076d61b60 5 bytes JMP 0000000076ec0460 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[4464] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076d61b90 5 bytes JMP 0000000076ec0370 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[4464] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076d61c70 5 bytes JMP 0000000076ec02f0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[4464] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076d61c80 5 bytes JMP 0000000076ec0350 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[4464] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076d61ce0 5 bytes JMP 0000000076ec0290 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[4464] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076d61d70 5 bytes JMP 0000000076ec02b0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[4464] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076d61d90 5 bytes JMP 0000000076ec03a0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[4464] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076d61da0 1 byte JMP 0000000076ec0330 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[4464] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076d61da2 3 bytes {JMP 0x15e590} .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[4464] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076d61e10 5 bytes JMP 0000000076ec03e0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[4464] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076d61e40 5 bytes JMP 0000000076ec0240 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[4464] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076d62100 5 bytes JMP 0000000076ec01e0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[4464] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076d621c0 1 byte JMP 0000000076ec0250 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[4464] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076d621c2 3 bytes {JMP 0x15e090} .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[4464] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076d621f0 5 bytes JMP 0000000076ec0470 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[4464] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076d62200 5 bytes JMP 0000000076ec0480 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[4464] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076d62230 5 bytes JMP 0000000076ec0300 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[4464] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076d62240 5 bytes JMP 0000000076ec0360 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[4464] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076d622a0 5 bytes JMP 0000000076ec02a0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[4464] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076d622f0 5 bytes JMP 0000000076ec02c0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[4464] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076d62330 5 bytes JMP 0000000076ec0340 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[4464] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076d62620 5 bytes JMP 0000000076ec0420 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[4464] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076d62820 5 bytes JMP 0000000076ec0260 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[4464] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076d62830 5 bytes JMP 0000000076ec0270 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[4464] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076d62840 1 byte JMP 0000000076ec03d0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[4464] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000076d62842 3 bytes {JMP 0x15db90} .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[4464] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076d62a00 5 bytes JMP 0000000076ec01f0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[4464] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076d62a10 5 bytes JMP 0000000076ec0210 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[4464] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076d62a80 5 bytes JMP 0000000076ec0200 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[4464] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076d62ae0 5 bytes JMP 0000000076ec03f0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[4464] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076d62af0 5 bytes JMP 0000000076ec0400 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[4464] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076d62b00 5 bytes JMP 0000000076ec0220 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[4464] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076d62be0 5 bytes JMP 0000000076ec0280 .text C:\Windows\system32\SearchProtocolHost.exe[5092] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076d33ae0 5 bytes JMP 00000001001a075c .text C:\Windows\system32\SearchProtocolHost.exe[5092] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000076d37a90 5 bytes JMP 00000001001a03a4 .text C:\Windows\system32\SearchProtocolHost.exe[5092] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076d613c0 5 bytes JMP 0000000076ec0440 .text C:\Windows\system32\SearchProtocolHost.exe[5092] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076d61410 5 bytes JMP 0000000076ec0430 .text C:\Windows\system32\SearchProtocolHost.exe[5092] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000076d61490 5 bytes JMP 00000001001a0b14 .text C:\Windows\system32\SearchProtocolHost.exe[5092] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000076d614f0 5 bytes JMP 00000001001a0ecc .text C:\Windows\system32\SearchProtocolHost.exe[5092] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076d615c0 1 byte JMP 0000000076ec0450 .text C:\Windows\system32\SearchProtocolHost.exe[5092] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 0000000076d615c2 3 bytes {JMP 0x15ee90} .text C:\Windows\system32\SearchProtocolHost.exe[5092] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076d615d0 5 bytes JMP 00000001001a163c .text C:\Windows\system32\SearchProtocolHost.exe[5092] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076d61680 5 bytes JMP 0000000076ec0320 .text C:\Windows\system32\SearchProtocolHost.exe[5092] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076d616b0 5 bytes JMP 0000000076ec0380 .text C:\Windows\system32\SearchProtocolHost.exe[5092] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076d61710 5 bytes JMP 0000000076ec02e0 .text C:\Windows\system32\SearchProtocolHost.exe[5092] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076d61760 5 bytes JMP 0000000076ec0410 .text C:\Windows\system32\SearchProtocolHost.exe[5092] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076d61790 5 bytes JMP 0000000076ec02d0 .text C:\Windows\system32\SearchProtocolHost.exe[5092] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076d617b0 5 bytes JMP 0000000076ec0310 .text C:\Windows\system32\SearchProtocolHost.exe[5092] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076d617f0 5 bytes JMP 0000000076ec0390 .text C:\Windows\system32\SearchProtocolHost.exe[5092] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000076d61810 5 bytes JMP 00000001001a1284 .text C:\Windows\system32\SearchProtocolHost.exe[5092] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076d61840 5 bytes JMP 0000000076ec03c0 .text C:\Windows\system32\SearchProtocolHost.exe[5092] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076d619a0 1 byte JMP 0000000076ec0230 .text C:\Windows\system32\SearchProtocolHost.exe[5092] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076d619a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\SearchProtocolHost.exe[5092] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076d61b60 5 bytes JMP 0000000076ec0460 .text C:\Windows\system32\SearchProtocolHost.exe[5092] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076d61b90 5 bytes JMP 0000000076ec0370 .text C:\Windows\system32\SearchProtocolHost.exe[5092] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076d61c70 5 bytes JMP 0000000076ec02f0 .text C:\Windows\system32\SearchProtocolHost.exe[5092] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076d61c80 5 bytes JMP 0000000076ec0350 .text C:\Windows\system32\SearchProtocolHost.exe[5092] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076d61ce0 5 bytes JMP 0000000076ec0290 .text C:\Windows\system32\SearchProtocolHost.exe[5092] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076d61d70 5 bytes JMP 0000000076ec02b0 .text C:\Windows\system32\SearchProtocolHost.exe[5092] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076d61d90 5 bytes JMP 0000000076ec03a0 .text C:\Windows\system32\SearchProtocolHost.exe[5092] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076d61da0 1 byte JMP 0000000076ec0330 .text C:\Windows\system32\SearchProtocolHost.exe[5092] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076d61da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\SearchProtocolHost.exe[5092] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076d61e10 5 bytes JMP 0000000076ec03e0 .text C:\Windows\system32\SearchProtocolHost.exe[5092] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076d61e40 5 bytes JMP 0000000076ec0240 .text C:\Windows\system32\SearchProtocolHost.exe[5092] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076d62100 5 bytes JMP 0000000076ec01e0 .text C:\Windows\system32\SearchProtocolHost.exe[5092] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076d621c0 1 byte JMP 0000000076ec0250 .text C:\Windows\system32\SearchProtocolHost.exe[5092] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076d621c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\SearchProtocolHost.exe[5092] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076d621f0 5 bytes JMP 0000000076ec0470 .text C:\Windows\system32\SearchProtocolHost.exe[5092] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076d62200 5 bytes JMP 0000000076ec0480 .text C:\Windows\system32\SearchProtocolHost.exe[5092] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076d62230 5 bytes JMP 0000000076ec0300 .text C:\Windows\system32\SearchProtocolHost.exe[5092] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076d62240 5 bytes JMP 0000000076ec0360 .text C:\Windows\system32\SearchProtocolHost.exe[5092] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076d622a0 5 bytes JMP 0000000076ec02a0 .text C:\Windows\system32\SearchProtocolHost.exe[5092] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076d622f0 5 bytes JMP 0000000076ec02c0 .text C:\Windows\system32\SearchProtocolHost.exe[5092] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076d62330 5 bytes JMP 0000000076ec0340 .text C:\Windows\system32\SearchProtocolHost.exe[5092] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076d62620 5 bytes JMP 0000000076ec0420 .text C:\Windows\system32\SearchProtocolHost.exe[5092] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076d62820 5 bytes JMP 0000000076ec0260 .text C:\Windows\system32\SearchProtocolHost.exe[5092] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076d62830 5 bytes JMP 0000000076ec0270 .text C:\Windows\system32\SearchProtocolHost.exe[5092] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076d62840 1 byte JMP 0000000076ec03d0 .text C:\Windows\system32\SearchProtocolHost.exe[5092] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000076d62842 3 bytes {JMP 0x15db90} .text C:\Windows\system32\SearchProtocolHost.exe[5092] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076d62a00 5 bytes JMP 0000000076ec01f0 .text C:\Windows\system32\SearchProtocolHost.exe[5092] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076d62a10 5 bytes JMP 0000000076ec0210 .text C:\Windows\system32\SearchProtocolHost.exe[5092] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076d62a80 5 bytes JMP 0000000076ec0200 .text C:\Windows\system32\SearchProtocolHost.exe[5092] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076d62ae0 5 bytes JMP 0000000076ec03f0 .text C:\Windows\system32\SearchProtocolHost.exe[5092] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076d62af0 5 bytes JMP 0000000076ec0400 .text C:\Windows\system32\SearchProtocolHost.exe[5092] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076d62b00 5 bytes JMP 0000000076ec0220 .text C:\Windows\system32\SearchProtocolHost.exe[5092] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076d62be0 5 bytes JMP 0000000076ec0280 .text C:\Windows\system32\SearchProtocolHost.exe[5092] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 0000000076aeeecd 1 byte [62] .text C:\Windows\system32\SearchProtocolHost.exe[5092] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefd7f6e00 5 bytes JMP 000007ff7d811dac .text C:\Windows\system32\SearchProtocolHost.exe[5092] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefd7f6f2c 5 bytes JMP 000007ff7d810ecc .text C:\Windows\system32\SearchProtocolHost.exe[5092] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefd7f7220 5 bytes JMP 000007ff7d811284 .text C:\Windows\system32\SearchProtocolHost.exe[5092] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefd7f739c 5 bytes JMP 000007ff7d81163c .text C:\Windows\system32\SearchProtocolHost.exe[5092] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefd7f7538 5 bytes JMP 000007ff7d8119f4 .text C:\Windows\system32\SearchProtocolHost.exe[5092] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefd7f75e8 5 bytes JMP 000007ff7d8103a4 .text C:\Windows\system32\SearchProtocolHost.exe[5092] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefd7f790c 5 bytes JMP 000007ff7d81075c .text C:\Windows\system32\SearchProtocolHost.exe[5092] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefd7f7ab4 5 bytes JMP 000007ff7d810b14 .text C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Main.exe[4780] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076d33ae0 5 bytes JMP 00000001002f075c .text C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Main.exe[4780] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000076d37a90 5 bytes JMP 00000001002f03a4 .text C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Main.exe[4780] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076d613c0 5 bytes JMP 0000000076ec0440 .text C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Main.exe[4780] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076d61410 5 bytes JMP 0000000076ec0430 .text C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Main.exe[4780] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000076d61490 5 bytes JMP 00000001002f0b14 .text C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Main.exe[4780] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000076d614f0 5 bytes JMP 00000001002f0ecc .text C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Main.exe[4780] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076d615c0 1 byte JMP 0000000076ec0450 .text C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Main.exe[4780] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 0000000076d615c2 3 bytes {JMP 0x15ee90} .text C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Main.exe[4780] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076d615d0 5 bytes JMP 00000001002f163c .text C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Main.exe[4780] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076d61680 5 bytes JMP 0000000076ec0320 .text C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Main.exe[4780] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076d616b0 5 bytes JMP 0000000076ec0380 .text C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Main.exe[4780] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076d61710 5 bytes JMP 0000000076ec02e0 .text C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Main.exe[4780] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076d61760 5 bytes JMP 0000000076ec0410 .text C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Main.exe[4780] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076d61790 5 bytes JMP 0000000076ec02d0 .text C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Main.exe[4780] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076d617b0 5 bytes JMP 0000000076ec0310 .text C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Main.exe[4780] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076d617f0 5 bytes JMP 0000000076ec0390 .text C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Main.exe[4780] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000076d61810 5 bytes JMP 00000001002f1284 .text C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Main.exe[4780] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076d61840 5 bytes JMP 0000000076ec03c0 .text C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Main.exe[4780] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076d619a0 1 byte JMP 0000000076ec0230 .text C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Main.exe[4780] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076d619a2 3 bytes {JMP 0x15e890} .text C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Main.exe[4780] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076d61b60 5 bytes JMP 0000000076ec0460 .text C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Main.exe[4780] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076d61b90 5 bytes JMP 0000000076ec0370 .text C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Main.exe[4780] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076d61c70 5 bytes JMP 0000000076ec02f0 .text C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Main.exe[4780] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076d61c80 5 bytes JMP 0000000076ec0350 .text C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Main.exe[4780] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076d61ce0 5 bytes JMP 0000000076ec0290 .text C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Main.exe[4780] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076d61d70 5 bytes JMP 0000000076ec02b0 .text C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Main.exe[4780] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076d61d90 5 bytes JMP 0000000076ec03a0 .text C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Main.exe[4780] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076d61da0 1 byte JMP 0000000076ec0330 .text C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Main.exe[4780] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076d61da2 3 bytes {JMP 0x15e590} .text C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Main.exe[4780] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076d61e10 5 bytes JMP 0000000076ec03e0 .text C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Main.exe[4780] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076d61e40 5 bytes JMP 0000000076ec0240 .text C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Main.exe[4780] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076d62100 5 bytes JMP 0000000076ec01e0 .text C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Main.exe[4780] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076d621c0 1 byte JMP 0000000076ec0250 .text C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Main.exe[4780] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076d621c2 3 bytes {JMP 0x15e090} .text C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Main.exe[4780] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076d621f0 5 bytes JMP 0000000076ec0470 .text C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Main.exe[4780] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076d62200 5 bytes JMP 0000000076ec0480 .text C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Main.exe[4780] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076d62230 5 bytes JMP 0000000076ec0300 .text C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Main.exe[4780] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076d62240 5 bytes JMP 0000000076ec0360 .text C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Main.exe[4780] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076d622a0 5 bytes JMP 0000000076ec02a0 .text C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Main.exe[4780] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076d622f0 5 bytes JMP 0000000076ec02c0 .text C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Main.exe[4780] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076d62330 5 bytes JMP 0000000076ec0340 .text C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Main.exe[4780] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076d62620 5 bytes JMP 0000000076ec0420 .text C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Main.exe[4780] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076d62820 5 bytes JMP 0000000076ec0260 .text C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Main.exe[4780] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076d62830 5 bytes JMP 0000000076ec0270 .text C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Main.exe[4780] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076d62840 1 byte JMP 0000000076ec03d0 .text C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Main.exe[4780] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000076d62842 3 bytes {JMP 0x15db90} .text C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Main.exe[4780] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076d62a00 5 bytes JMP 0000000076ec01f0 .text C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Main.exe[4780] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076d62a10 5 bytes JMP 0000000076ec0210 .text C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Main.exe[4780] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076d62a80 5 bytes JMP 0000000076ec0200 .text C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Main.exe[4780] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076d62ae0 5 bytes JMP 0000000076ec03f0 .text C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Main.exe[4780] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076d62af0 5 bytes JMP 0000000076ec0400 .text C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Main.exe[4780] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076d62b00 5 bytes JMP 0000000076ec0220 .text C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Main.exe[4780] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076d62be0 5 bytes JMP 0000000076ec0280 .text C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Main.exe[4780] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 0000000076aeeecd 1 byte [62] .text C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Main.exe[4780] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefd7f6e00 5 bytes JMP 000007ff7d811dac .text C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Main.exe[4780] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefd7f6f2c 5 bytes JMP 000007ff7d810ecc .text C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Main.exe[4780] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefd7f7220 5 bytes JMP 000007ff7d811284 .text C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Main.exe[4780] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefd7f739c 5 bytes JMP 000007ff7d81163c .text C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Main.exe[4780] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefd7f7538 5 bytes JMP 000007ff7d8119f4 .text C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Main.exe[4780] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefd7f75e8 5 bytes JMP 000007ff7d8103a4 .text C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Main.exe[4780] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefd7f790c 5 bytes JMP 000007ff7d81075c .text C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Main.exe[4780] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefd7f7ab4 5 bytes JMP 000007ff7d810b14 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4548] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076d33ae0 5 bytes JMP 00000001003f075c .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4548] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000076d37a90 5 bytes JMP 00000001003f03a4 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4548] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000076d61490 5 bytes JMP 00000001003f0b14 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4548] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000076d614f0 5 bytes JMP 00000001003f0ecc .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4548] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076d615d0 5 bytes JMP 00000001003f163c .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4548] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000076d61810 5 bytes JMP 00000001003f1284 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4548] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 0000000076aeeecd 1 byte [62] .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4548] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefd7f6e00 5 bytes JMP 000007ff7d811dac .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4548] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefd7f6f2c 5 bytes JMP 000007ff7d810ecc .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4548] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefd7f7220 5 bytes JMP 000007ff7d811284 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4548] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefd7f739c 5 bytes JMP 000007ff7d81163c .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4548] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefd7f7538 5 bytes JMP 000007ff7d8119f4 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4548] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefd7f75e8 5 bytes JMP 000007ff7d8103a4 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4548] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefd7f790c 5 bytes JMP 000007ff7d81075c .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4548] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefd7f7ab4 5 bytes JMP 000007ff7d810b14 .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[2076] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076d33ae0 5 bytes JMP 00000001002e075c .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[2076] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000076d37a90 5 bytes JMP 00000001002e03a4 .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[2076] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000076d61490 5 bytes JMP 00000001002e0b14 .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[2076] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000076d614f0 5 bytes JMP 00000001002e0ecc .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[2076] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076d615d0 5 bytes JMP 00000001002e163c .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[2076] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000076d61810 5 bytes JMP 00000001002e1284 .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[2076] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 0000000076aeeecd 1 byte [62] .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[2076] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefd7f6e00 5 bytes JMP 000007ff7d811dac .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[2076] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefd7f6f2c 5 bytes JMP 000007ff7d810ecc .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[2076] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefd7f7220 5 bytes JMP 000007ff7d811284 .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[2076] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefd7f739c 5 bytes JMP 000007ff7d81163c .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[2076] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefd7f7538 5 bytes JMP 000007ff7d8119f4 .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[2076] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefd7f75e8 5 bytes JMP 000007ff7d8103a4 .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[2076] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefd7f790c 5 bytes JMP 000007ff7d81075c .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[2076] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefd7f7ab4 5 bytes JMP 000007ff7d810b14 .text C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Service.exe[4180] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076d33ae0 5 bytes JMP 000000010032075c .text C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Service.exe[4180] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000076d37a90 5 bytes JMP 00000001003203a4 .text C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Service.exe[4180] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000076d61490 5 bytes JMP 0000000100320b14 .text C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Service.exe[4180] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000076d614f0 5 bytes JMP 0000000100320ecc .text C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Service.exe[4180] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076d615d0 5 bytes JMP 000000010032163c .text C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Service.exe[4180] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000076d61810 5 bytes JMP 0000000100321284 .text C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Service.exe[4180] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 0000000076aeeecd 1 byte [62] .text C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Service.exe[4180] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefd7f6e00 5 bytes JMP 000007ff7d811dac .text C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Service.exe[4180] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefd7f6f2c 5 bytes JMP 000007ff7d810ecc .text C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Service.exe[4180] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefd7f7220 5 bytes JMP 000007ff7d811284 .text C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Service.exe[4180] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefd7f739c 5 bytes JMP 000007ff7d81163c .text C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Service.exe[4180] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefd7f7538 5 bytes JMP 000007ff7d8119f4 .text C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Service.exe[4180] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefd7f75e8 5 bytes JMP 000007ff7d8103a4 .text C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Service.exe[4180] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefd7f790c 5 bytes JMP 000007ff7d81075c .text C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Service.exe[4180] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefd7f7ab4 5 bytes JMP 000007ff7d810b14 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4164] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 0000000076f0faa0 5 bytes JMP 0000000100030600 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4164] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 0000000076f0fb38 5 bytes JMP 0000000100030804 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4164] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000076f0fc90 5 bytes JMP 0000000100030c0c .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4164] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000076f10018 5 bytes JMP 0000000100030a08 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4164] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000076f2c45a 5 bytes JMP 00000001000301f8 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4164] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000076f31217 5 bytes JMP 00000001000303fc .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4164] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 00000000762ea30a 1 byte [62] .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4164] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000075605181 5 bytes JMP 0000000100091014 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4164] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000075605254 5 bytes JMP 0000000100090804 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4164] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000756053d5 5 bytes JMP 0000000100090a08 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4164] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000756054c2 5 bytes JMP 0000000100090c0c .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4164] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000756055e2 5 bytes JMP 0000000100090e10 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4164] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 000000007560567c 5 bytes JMP 00000001000901f8 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4164] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 000000007560589f 5 bytes JMP 00000001000903fc .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4164] C:\Windows\SysWOW64\sechost.dll!DeleteService 0000000075605a22 5 bytes JMP 0000000100090600 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4164] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007613ee09 5 bytes JMP 00000001000a01f8 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4164] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000076143982 5 bytes JMP 00000001000a03fc .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4164] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076147603 5 bytes JMP 00000001000a0804 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4164] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007614835c 5 bytes JMP 00000001000a0600 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4164] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 000000007615f52b 5 bytes JMP 00000001000a0a08 .text C:\Windows\system32\wbem\wmiprvse.exe[4908] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076d33ae0 5 bytes JMP 000000010041075c .text C:\Windows\system32\wbem\wmiprvse.exe[4908] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000076d37a90 5 bytes JMP 00000001004103a4 .text C:\Windows\system32\wbem\wmiprvse.exe[4908] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076d613c0 5 bytes JMP 0000000076ec0440 .text C:\Windows\system32\wbem\wmiprvse.exe[4908] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076d61410 5 bytes JMP 0000000076ec0430 .text C:\Windows\system32\wbem\wmiprvse.exe[4908] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000076d61490 5 bytes JMP 0000000100410b14 .text C:\Windows\system32\wbem\wmiprvse.exe[4908] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000076d614f0 5 bytes JMP 0000000100410ecc .text C:\Windows\system32\wbem\wmiprvse.exe[4908] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076d615c0 1 byte JMP 0000000076ec0450 .text C:\Windows\system32\wbem\wmiprvse.exe[4908] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 0000000076d615c2 3 bytes {JMP 0x15ee90} .text C:\Windows\system32\wbem\wmiprvse.exe[4908] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076d615d0 5 bytes JMP 000000010041163c .text C:\Windows\system32\wbem\wmiprvse.exe[4908] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076d61680 5 bytes JMP 0000000076ec0320 .text C:\Windows\system32\wbem\wmiprvse.exe[4908] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076d616b0 5 bytes JMP 0000000076ec0380 .text C:\Windows\system32\wbem\wmiprvse.exe[4908] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076d61710 5 bytes JMP 0000000076ec02e0 .text C:\Windows\system32\wbem\wmiprvse.exe[4908] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076d61760 5 bytes JMP 0000000076ec0410 .text C:\Windows\system32\wbem\wmiprvse.exe[4908] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076d61790 5 bytes JMP 0000000076ec02d0 .text C:\Windows\system32\wbem\wmiprvse.exe[4908] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076d617b0 5 bytes JMP 0000000076ec0310 .text C:\Windows\system32\wbem\wmiprvse.exe[4908] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076d617f0 5 bytes JMP 0000000076ec0390 .text C:\Windows\system32\wbem\wmiprvse.exe[4908] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000076d61810 5 bytes JMP 0000000100411284 .text C:\Windows\system32\wbem\wmiprvse.exe[4908] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076d61840 5 bytes JMP 0000000076ec03c0 .text C:\Windows\system32\wbem\wmiprvse.exe[4908] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076d619a0 1 byte JMP 0000000076ec0230 .text C:\Windows\system32\wbem\wmiprvse.exe[4908] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076d619a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\wbem\wmiprvse.exe[4908] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076d61b60 5 bytes JMP 0000000076ec0460 .text C:\Windows\system32\wbem\wmiprvse.exe[4908] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076d61b90 5 bytes JMP 0000000076ec0370 .text C:\Windows\system32\wbem\wmiprvse.exe[4908] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076d61c70 5 bytes JMP 0000000076ec02f0 .text C:\Windows\system32\wbem\wmiprvse.exe[4908] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076d61c80 5 bytes JMP 0000000076ec0350 .text C:\Windows\system32\wbem\wmiprvse.exe[4908] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076d61ce0 5 bytes JMP 0000000076ec0290 .text C:\Windows\system32\wbem\wmiprvse.exe[4908] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076d61d70 5 bytes JMP 0000000076ec02b0 .text C:\Windows\system32\wbem\wmiprvse.exe[4908] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076d61d90 5 bytes JMP 0000000076ec03a0 .text C:\Windows\system32\wbem\wmiprvse.exe[4908] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076d61da0 1 byte JMP 0000000076ec0330 .text C:\Windows\system32\wbem\wmiprvse.exe[4908] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076d61da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\wbem\wmiprvse.exe[4908] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076d61e10 5 bytes JMP 0000000076ec03e0 .text C:\Windows\system32\wbem\wmiprvse.exe[4908] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076d61e40 5 bytes JMP 0000000076ec0240 .text C:\Windows\system32\wbem\wmiprvse.exe[4908] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076d62100 5 bytes JMP 0000000076ec01e0 .text C:\Windows\system32\wbem\wmiprvse.exe[4908] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076d621c0 1 byte JMP 0000000076ec0250 .text C:\Windows\system32\wbem\wmiprvse.exe[4908] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076d621c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\wbem\wmiprvse.exe[4908] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076d621f0 5 bytes JMP 0000000076ec0470 .text C:\Windows\system32\wbem\wmiprvse.exe[4908] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076d62200 5 bytes JMP 0000000076ec0480 .text C:\Windows\system32\wbem\wmiprvse.exe[4908] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076d62230 5 bytes JMP 0000000076ec0300 .text C:\Windows\system32\wbem\wmiprvse.exe[4908] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076d62240 5 bytes JMP 0000000076ec0360 .text C:\Windows\system32\wbem\wmiprvse.exe[4908] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076d622a0 5 bytes JMP 0000000076ec02a0 .text C:\Windows\system32\wbem\wmiprvse.exe[4908] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076d622f0 5 bytes JMP 0000000076ec02c0 .text C:\Windows\system32\wbem\wmiprvse.exe[4908] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076d62330 5 bytes JMP 0000000076ec0340 .text C:\Windows\system32\wbem\wmiprvse.exe[4908] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076d62620 5 bytes JMP 0000000076ec0420 .text C:\Windows\system32\wbem\wmiprvse.exe[4908] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076d62820 5 bytes JMP 0000000076ec0260 .text C:\Windows\system32\wbem\wmiprvse.exe[4908] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076d62830 5 bytes JMP 0000000076ec0270 .text C:\Windows\system32\wbem\wmiprvse.exe[4908] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076d62840 1 byte JMP 0000000076ec03d0 .text C:\Windows\system32\wbem\wmiprvse.exe[4908] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000076d62842 3 bytes {JMP 0x15db90} .text C:\Windows\system32\wbem\wmiprvse.exe[4908] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076d62a00 5 bytes JMP 0000000076ec01f0 .text C:\Windows\system32\wbem\wmiprvse.exe[4908] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076d62a10 5 bytes JMP 0000000076ec0210 .text C:\Windows\system32\wbem\wmiprvse.exe[4908] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076d62a80 5 bytes JMP 0000000076ec0200 .text C:\Windows\system32\wbem\wmiprvse.exe[4908] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076d62ae0 5 bytes JMP 0000000076ec03f0 .text C:\Windows\system32\wbem\wmiprvse.exe[4908] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076d62af0 5 bytes JMP 0000000076ec0400 .text C:\Windows\system32\wbem\wmiprvse.exe[4908] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076d62b00 5 bytes JMP 0000000076ec0220 .text C:\Windows\system32\wbem\wmiprvse.exe[4908] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076d62be0 5 bytes JMP 0000000076ec0280 .text C:\Windows\system32\wbem\wmiprvse.exe[4908] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 0000000076aeeecd 1 byte [62] .text C:\Windows\system32\wbem\wmiprvse.exe[4908] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefd7f6e00 5 bytes JMP 000007ff7d811dac .text C:\Windows\system32\wbem\wmiprvse.exe[4908] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefd7f6f2c 5 bytes JMP 000007ff7d810ecc .text C:\Windows\system32\wbem\wmiprvse.exe[4908] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefd7f7220 5 bytes JMP 000007ff7d811284 .text C:\Windows\system32\wbem\wmiprvse.exe[4908] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefd7f739c 5 bytes JMP 000007ff7d81163c .text C:\Windows\system32\wbem\wmiprvse.exe[4908] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefd7f7538 5 bytes JMP 000007ff7d8119f4 .text C:\Windows\system32\wbem\wmiprvse.exe[4908] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefd7f75e8 5 bytes JMP 000007ff7d8103a4 .text C:\Windows\system32\wbem\wmiprvse.exe[4908] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefd7f790c 5 bytes JMP 000007ff7d81075c .text C:\Windows\system32\wbem\wmiprvse.exe[4908] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefd7f7ab4 5 bytes JMP 000007ff7d810b14 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4216] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 0000000076f0faa0 5 bytes JMP 0000000100030600 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4216] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 0000000076f0fb38 5 bytes JMP 0000000100030804 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4216] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000076f0fc90 5 bytes JMP 0000000100030c0c .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4216] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000076f10018 5 bytes JMP 0000000100030a08 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4216] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000076f2c45a 5 bytes JMP 00000001000301f8 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4216] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000076f31217 5 bytes JMP 00000001000303fc .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4216] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 00000000762ea30a 1 byte [62] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4216] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000075605181 5 bytes JMP 0000000100241014 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4216] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000075605254 5 bytes JMP 0000000100240804 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4216] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000756053d5 5 bytes JMP 0000000100240a08 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4216] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000756054c2 5 bytes JMP 0000000100240c0c .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4216] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000756055e2 5 bytes JMP 0000000100240e10 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4216] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 000000007560567c 5 bytes JMP 00000001002401f8 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4216] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 000000007560589f 5 bytes JMP 00000001002403fc .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4216] C:\Windows\SysWOW64\sechost.dll!DeleteService 0000000075605a22 5 bytes JMP 0000000100240600 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4216] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007613ee09 5 bytes JMP 00000001002d01f8 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4216] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000076143982 5 bytes JMP 00000001002d03fc .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4216] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076147603 5 bytes JMP 00000001002d0804 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4216] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007614835c 5 bytes JMP 00000001002d0600 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4216] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 000000007615f52b 5 bytes JMP 00000001002d0a08 .text C:\Windows\System32\svchost.exe[6076] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076d33ae0 5 bytes JMP 000000010019075c .text C:\Windows\System32\svchost.exe[6076] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000076d37a90 5 bytes JMP 00000001001903a4 .text C:\Windows\System32\svchost.exe[6076] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076d613c0 5 bytes JMP 0000000076ec0440 .text C:\Windows\System32\svchost.exe[6076] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076d61410 5 bytes JMP 0000000076ec0430 .text C:\Windows\System32\svchost.exe[6076] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000076d61490 5 bytes JMP 0000000100190b14 .text C:\Windows\System32\svchost.exe[6076] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000076d614f0 5 bytes JMP 0000000100190ecc .text C:\Windows\System32\svchost.exe[6076] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076d615c0 1 byte JMP 0000000076ec0450 .text C:\Windows\System32\svchost.exe[6076] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 0000000076d615c2 3 bytes {JMP 0x15ee90} .text C:\Windows\System32\svchost.exe[6076] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076d615d0 5 bytes JMP 000000010019163c .text C:\Windows\System32\svchost.exe[6076] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076d61680 5 bytes JMP 0000000076ec0320 .text C:\Windows\System32\svchost.exe[6076] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076d616b0 5 bytes JMP 0000000076ec0380 .text C:\Windows\System32\svchost.exe[6076] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076d61710 5 bytes JMP 0000000076ec02e0 .text C:\Windows\System32\svchost.exe[6076] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076d61760 5 bytes JMP 0000000076ec0410 .text C:\Windows\System32\svchost.exe[6076] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076d61790 5 bytes JMP 0000000076ec02d0 .text C:\Windows\System32\svchost.exe[6076] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076d617b0 5 bytes JMP 0000000076ec0310 .text C:\Windows\System32\svchost.exe[6076] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076d617f0 5 bytes JMP 0000000076ec0390 .text C:\Windows\System32\svchost.exe[6076] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000076d61810 5 bytes JMP 0000000100191284 .text C:\Windows\System32\svchost.exe[6076] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076d61840 5 bytes JMP 0000000076ec03c0 .text C:\Windows\System32\svchost.exe[6076] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076d619a0 1 byte JMP 0000000076ec0230 .text C:\Windows\System32\svchost.exe[6076] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076d619a2 3 bytes {JMP 0x15e890} .text C:\Windows\System32\svchost.exe[6076] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076d61b60 5 bytes JMP 0000000076ec0460 .text C:\Windows\System32\svchost.exe[6076] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076d61b90 5 bytes JMP 0000000076ec0370 .text C:\Windows\System32\svchost.exe[6076] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076d61c70 5 bytes JMP 0000000076ec02f0 .text C:\Windows\System32\svchost.exe[6076] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076d61c80 5 bytes JMP 0000000076ec0350 .text C:\Windows\System32\svchost.exe[6076] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076d61ce0 5 bytes JMP 0000000076ec0290 .text C:\Windows\System32\svchost.exe[6076] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076d61d70 5 bytes JMP 0000000076ec02b0 .text C:\Windows\System32\svchost.exe[6076] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076d61d90 5 bytes JMP 0000000076ec03a0 .text C:\Windows\System32\svchost.exe[6076] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076d61da0 1 byte JMP 0000000076ec0330 .text C:\Windows\System32\svchost.exe[6076] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076d61da2 3 bytes {JMP 0x15e590} .text C:\Windows\System32\svchost.exe[6076] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076d61e10 5 bytes JMP 0000000076ec03e0 .text C:\Windows\System32\svchost.exe[6076] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076d61e40 5 bytes JMP 0000000076ec0240 .text C:\Windows\System32\svchost.exe[6076] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076d62100 5 bytes JMP 0000000076ec01e0 .text C:\Windows\System32\svchost.exe[6076] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076d621c0 1 byte JMP 0000000076ec0250 .text C:\Windows\System32\svchost.exe[6076] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076d621c2 3 bytes {JMP 0x15e090} .text C:\Windows\System32\svchost.exe[6076] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076d621f0 5 bytes JMP 0000000076ec0470 .text C:\Windows\System32\svchost.exe[6076] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076d62200 5 bytes JMP 0000000076ec0480 .text C:\Windows\System32\svchost.exe[6076] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076d62230 5 bytes JMP 0000000076ec0300 .text C:\Windows\System32\svchost.exe[6076] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076d62240 5 bytes JMP 0000000076ec0360 .text C:\Windows\System32\svchost.exe[6076] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076d622a0 5 bytes JMP 0000000076ec02a0 .text C:\Windows\System32\svchost.exe[6076] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076d622f0 5 bytes JMP 0000000076ec02c0 .text C:\Windows\System32\svchost.exe[6076] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076d62330 5 bytes JMP 0000000076ec0340 .text C:\Windows\System32\svchost.exe[6076] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076d62620 5 bytes JMP 0000000076ec0420 .text C:\Windows\System32\svchost.exe[6076] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076d62820 5 bytes JMP 0000000076ec0260 .text C:\Windows\System32\svchost.exe[6076] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076d62830 5 bytes JMP 0000000076ec0270 .text C:\Windows\System32\svchost.exe[6076] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076d62840 1 byte JMP 0000000076ec03d0 .text C:\Windows\System32\svchost.exe[6076] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000076d62842 3 bytes {JMP 0x15db90} .text C:\Windows\System32\svchost.exe[6076] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076d62a00 5 bytes JMP 0000000076ec01f0 .text C:\Windows\System32\svchost.exe[6076] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076d62a10 5 bytes JMP 0000000076ec0210 .text C:\Windows\System32\svchost.exe[6076] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076d62a80 5 bytes JMP 0000000076ec0200 .text C:\Windows\System32\svchost.exe[6076] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076d62ae0 5 bytes JMP 0000000076ec03f0 .text C:\Windows\System32\svchost.exe[6076] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076d62af0 5 bytes JMP 0000000076ec0400 .text C:\Windows\System32\svchost.exe[6076] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076d62b00 5 bytes JMP 0000000076ec0220 .text C:\Windows\System32\svchost.exe[6076] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076d62be0 5 bytes JMP 0000000076ec0280 .text C:\Windows\System32\svchost.exe[6076] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefd7f6e00 5 bytes JMP 000007ff7d811dac .text C:\Windows\System32\svchost.exe[6076] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefd7f6f2c 5 bytes JMP 000007ff7d810ecc .text C:\Windows\System32\svchost.exe[6076] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefd7f7220 5 bytes JMP 000007ff7d811284 .text C:\Windows\System32\svchost.exe[6076] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefd7f739c 5 bytes JMP 000007ff7d81163c .text C:\Windows\System32\svchost.exe[6076] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefd7f7538 5 bytes JMP 000007ff7d8119f4 .text C:\Windows\System32\svchost.exe[6076] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefd7f75e8 5 bytes JMP 000007ff7d8103a4 .text C:\Windows\System32\svchost.exe[6076] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefd7f790c 5 bytes JMP 000007ff7d81075c .text C:\Windows\System32\svchost.exe[6076] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefd7f7ab4 5 bytes JMP 000007ff7d810b14 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[5972] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 0000000076f0faa0 5 bytes JMP 0000000100030600 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[5972] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 0000000076f0fb38 5 bytes JMP 0000000100030804 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[5972] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000076f0fc90 5 bytes JMP 0000000100030c0c .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[5972] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000076f10018 5 bytes JMP 0000000100030a08 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[5972] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000076f2c45a 5 bytes JMP 00000001000301f8 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[5972] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000076f31217 5 bytes JMP 00000001000303fc .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[5972] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 00000000762ea30a 1 byte [62] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[5972] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000075605181 5 bytes JMP 00000001001d1014 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[5972] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000075605254 5 bytes JMP 00000001001d0804 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[5972] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000756053d5 5 bytes JMP 00000001001d0a08 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[5972] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000756054c2 5 bytes JMP 00000001001d0c0c .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[5972] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000756055e2 5 bytes JMP 00000001001d0e10 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[5972] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 000000007560567c 5 bytes JMP 00000001001d01f8 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[5972] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 000000007560589f 5 bytes JMP 00000001001d03fc .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[5972] C:\Windows\SysWOW64\sechost.dll!DeleteService 0000000075605a22 5 bytes JMP 00000001001d0600 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[5972] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007613ee09 5 bytes JMP 00000001001e01f8 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[5972] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000076143982 5 bytes JMP 00000001001e03fc .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[5972] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076147603 5 bytes JMP 00000001001e0804 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[5972] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007614835c 5 bytes JMP 00000001001e0600 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[5972] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 000000007615f52b 5 bytes JMP 00000001001e0a08 .text C:\Program Files\Motorola\Bluetooth\devmgrsrv.exe[5204] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076d33ae0 5 bytes JMP 00000001003e075c .text C:\Program Files\Motorola\Bluetooth\devmgrsrv.exe[5204] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000076d37a90 5 bytes JMP 00000001003e03a4 .text C:\Program Files\Motorola\Bluetooth\devmgrsrv.exe[5204] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076d613c0 5 bytes JMP 0000000076ec0440 .text C:\Program Files\Motorola\Bluetooth\devmgrsrv.exe[5204] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076d61410 5 bytes JMP 0000000076ec0430 .text C:\Program Files\Motorola\Bluetooth\devmgrsrv.exe[5204] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000076d61490 5 bytes JMP 00000001003e0b14 .text C:\Program Files\Motorola\Bluetooth\devmgrsrv.exe[5204] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000076d614f0 5 bytes JMP 00000001003e0ecc .text C:\Program Files\Motorola\Bluetooth\devmgrsrv.exe[5204] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076d615c0 1 byte JMP 0000000076ec0450 .text C:\Program Files\Motorola\Bluetooth\devmgrsrv.exe[5204] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 0000000076d615c2 3 bytes {JMP 0x15ee90} .text C:\Program Files\Motorola\Bluetooth\devmgrsrv.exe[5204] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076d615d0 5 bytes JMP 00000001003e163c .text C:\Program Files\Motorola\Bluetooth\devmgrsrv.exe[5204] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076d61680 5 bytes JMP 0000000076ec0320 .text C:\Program Files\Motorola\Bluetooth\devmgrsrv.exe[5204] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076d616b0 5 bytes JMP 0000000076ec0380 .text C:\Program Files\Motorola\Bluetooth\devmgrsrv.exe[5204] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076d61710 5 bytes JMP 0000000076ec02e0 .text C:\Program Files\Motorola\Bluetooth\devmgrsrv.exe[5204] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076d61760 5 bytes JMP 0000000076ec0410 .text C:\Program Files\Motorola\Bluetooth\devmgrsrv.exe[5204] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076d61790 5 bytes JMP 0000000076ec02d0 .text C:\Program Files\Motorola\Bluetooth\devmgrsrv.exe[5204] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076d617b0 5 bytes JMP 0000000076ec0310 .text C:\Program Files\Motorola\Bluetooth\devmgrsrv.exe[5204] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076d617f0 5 bytes JMP 0000000076ec0390 .text C:\Program Files\Motorola\Bluetooth\devmgrsrv.exe[5204] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000076d61810 5 bytes JMP 00000001003e1284 .text C:\Program Files\Motorola\Bluetooth\devmgrsrv.exe[5204] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076d61840 5 bytes JMP 0000000076ec03c0 .text C:\Program Files\Motorola\Bluetooth\devmgrsrv.exe[5204] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076d619a0 1 byte JMP 0000000076ec0230 .text C:\Program Files\Motorola\Bluetooth\devmgrsrv.exe[5204] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076d619a2 3 bytes {JMP 0x15e890} .text C:\Program Files\Motorola\Bluetooth\devmgrsrv.exe[5204] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076d61b60 5 bytes JMP 0000000076ec0460 .text C:\Program Files\Motorola\Bluetooth\devmgrsrv.exe[5204] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076d61b90 5 bytes JMP 0000000076ec0370 .text C:\Program Files\Motorola\Bluetooth\devmgrsrv.exe[5204] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076d61c70 5 bytes JMP 0000000076ec02f0 .text C:\Program Files\Motorola\Bluetooth\devmgrsrv.exe[5204] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076d61c80 5 bytes JMP 0000000076ec0350 .text C:\Program Files\Motorola\Bluetooth\devmgrsrv.exe[5204] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076d61ce0 5 bytes JMP 0000000076ec0290 .text C:\Program Files\Motorola\Bluetooth\devmgrsrv.exe[5204] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076d61d70 5 bytes JMP 0000000076ec02b0 .text C:\Program Files\Motorola\Bluetooth\devmgrsrv.exe[5204] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076d61d90 5 bytes JMP 0000000076ec03a0 .text C:\Program Files\Motorola\Bluetooth\devmgrsrv.exe[5204] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076d61da0 1 byte JMP 0000000076ec0330 .text C:\Program Files\Motorola\Bluetooth\devmgrsrv.exe[5204] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076d61da2 3 bytes {JMP 0x15e590} .text C:\Program Files\Motorola\Bluetooth\devmgrsrv.exe[5204] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076d61e10 5 bytes JMP 0000000076ec03e0 .text C:\Program Files\Motorola\Bluetooth\devmgrsrv.exe[5204] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076d61e40 5 bytes JMP 0000000076ec0240 .text C:\Program Files\Motorola\Bluetooth\devmgrsrv.exe[5204] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076d62100 5 bytes JMP 0000000076ec01e0 .text C:\Program Files\Motorola\Bluetooth\devmgrsrv.exe[5204] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076d621c0 1 byte JMP 0000000076ec0250 .text C:\Program Files\Motorola\Bluetooth\devmgrsrv.exe[5204] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076d621c2 3 bytes {JMP 0x15e090} .text C:\Program Files\Motorola\Bluetooth\devmgrsrv.exe[5204] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076d621f0 5 bytes JMP 0000000076ec0470 .text C:\Program Files\Motorola\Bluetooth\devmgrsrv.exe[5204] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076d62200 5 bytes JMP 0000000076ec0480 .text C:\Program Files\Motorola\Bluetooth\devmgrsrv.exe[5204] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076d62230 5 bytes JMP 0000000076ec0300 .text C:\Program Files\Motorola\Bluetooth\devmgrsrv.exe[5204] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076d62240 5 bytes JMP 0000000076ec0360 .text C:\Program Files\Motorola\Bluetooth\devmgrsrv.exe[5204] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076d622a0 5 bytes JMP 0000000076ec02a0 .text C:\Program Files\Motorola\Bluetooth\devmgrsrv.exe[5204] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076d622f0 5 bytes JMP 0000000076ec02c0 .text C:\Program Files\Motorola\Bluetooth\devmgrsrv.exe[5204] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076d62330 5 bytes JMP 0000000076ec0340 .text C:\Program Files\Motorola\Bluetooth\devmgrsrv.exe[5204] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076d62620 5 bytes JMP 0000000076ec0420 .text C:\Program Files\Motorola\Bluetooth\devmgrsrv.exe[5204] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076d62820 5 bytes JMP 0000000076ec0260 .text C:\Program Files\Motorola\Bluetooth\devmgrsrv.exe[5204] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076d62830 5 bytes JMP 0000000076ec0270 .text C:\Program Files\Motorola\Bluetooth\devmgrsrv.exe[5204] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076d62840 1 byte JMP 0000000076ec03d0 .text C:\Program Files\Motorola\Bluetooth\devmgrsrv.exe[5204] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000076d62842 3 bytes {JMP 0x15db90} .text C:\Program Files\Motorola\Bluetooth\devmgrsrv.exe[5204] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076d62a00 5 bytes JMP 0000000076ec01f0 .text C:\Program Files\Motorola\Bluetooth\devmgrsrv.exe[5204] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076d62a10 5 bytes JMP 0000000076ec0210 .text C:\Program Files\Motorola\Bluetooth\devmgrsrv.exe[5204] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076d62a80 5 bytes JMP 0000000076ec0200 .text C:\Program Files\Motorola\Bluetooth\devmgrsrv.exe[5204] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076d62ae0 5 bytes JMP 0000000076ec03f0 .text C:\Program Files\Motorola\Bluetooth\devmgrsrv.exe[5204] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076d62af0 5 bytes JMP 0000000076ec0400 .text C:\Program Files\Motorola\Bluetooth\devmgrsrv.exe[5204] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076d62b00 5 bytes JMP 0000000076ec0220 .text C:\Program Files\Motorola\Bluetooth\devmgrsrv.exe[5204] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076d62be0 5 bytes JMP 0000000076ec0280 .text C:\Program Files\Motorola\Bluetooth\devmgrsrv.exe[5204] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 0000000076aeeecd 1 byte [62] .text C:\Program Files\Motorola\Bluetooth\devmgrsrv.exe[5204] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefd7f6e00 5 bytes JMP 000007ff7d811dac .text C:\Program Files\Motorola\Bluetooth\devmgrsrv.exe[5204] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefd7f6f2c 5 bytes JMP 000007ff7d810ecc .text C:\Program Files\Motorola\Bluetooth\devmgrsrv.exe[5204] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefd7f7220 5 bytes JMP 000007ff7d811284 .text C:\Program Files\Motorola\Bluetooth\devmgrsrv.exe[5204] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefd7f739c 5 bytes JMP 000007ff7d81163c .text C:\Program Files\Motorola\Bluetooth\devmgrsrv.exe[5204] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefd7f7538 5 bytes JMP 000007ff7d8119f4 .text C:\Program Files\Motorola\Bluetooth\devmgrsrv.exe[5204] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefd7f75e8 5 bytes JMP 000007ff7d8103a4 .text C:\Program Files\Motorola\Bluetooth\devmgrsrv.exe[5204] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefd7f790c 5 bytes JMP 000007ff7d81075c .text C:\Program Files\Motorola\Bluetooth\devmgrsrv.exe[5204] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefd7f7ab4 5 bytes JMP 000007ff7d810b14 .text C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService64.exe[1876] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076d33ae0 5 bytes JMP 000000010039075c .text C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService64.exe[1876] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000076d37a90 5 bytes JMP 00000001003903a4 .text C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService64.exe[1876] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000076d61490 5 bytes JMP 0000000100390b14 .text C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService64.exe[1876] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000076d614f0 5 bytes JMP 0000000100390ecc .text C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService64.exe[1876] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076d615d0 5 bytes JMP 000000010039163c .text C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService64.exe[1876] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000076d61810 5 bytes JMP 0000000100391284 .text C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService64.exe[1876] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 0000000076aeeecd 1 byte [62] .text C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService64.exe[1876] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefd7f6e00 5 bytes JMP 000007ff7d811dac .text C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService64.exe[1876] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefd7f6f2c 5 bytes JMP 000007ff7d810ecc .text C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService64.exe[1876] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefd7f7220 5 bytes JMP 000007ff7d811284 .text C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService64.exe[1876] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefd7f739c 5 bytes JMP 000007ff7d81163c .text C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService64.exe[1876] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefd7f7538 5 bytes JMP 000007ff7d8119f4 .text C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService64.exe[1876] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefd7f75e8 5 bytes JMP 000007ff7d8103a4 .text C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService64.exe[1876] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefd7f790c 5 bytes JMP 000007ff7d81075c .text C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService64.exe[1876] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefd7f7ab4 5 bytes JMP 000007ff7d810b14 .text C:\Users\Mateusz\Desktop\0ch9myds.exe[3224] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 0000000076f0faa0 5 bytes JMP 0000000100030600 .text C:\Users\Mateusz\Desktop\0ch9myds.exe[3224] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 0000000076f0fb38 5 bytes JMP 0000000100030804 .text C:\Users\Mateusz\Desktop\0ch9myds.exe[3224] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000076f0fc90 5 bytes JMP 0000000100030c0c .text C:\Users\Mateusz\Desktop\0ch9myds.exe[3224] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000076f10018 5 bytes JMP 0000000100030a08 .text C:\Users\Mateusz\Desktop\0ch9myds.exe[3224] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000076f2c45a 5 bytes JMP 00000001000301f8 .text C:\Users\Mateusz\Desktop\0ch9myds.exe[3224] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000076f31217 5 bytes JMP 00000001000303fc .text C:\Users\Mateusz\Desktop\0ch9myds.exe[3224] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 00000000762ea30a 1 byte [62] .text C:\Users\Mateusz\Desktop\0ch9myds.exe[3224] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000075605181 5 bytes JMP 0000000100241014 .text C:\Users\Mateusz\Desktop\0ch9myds.exe[3224] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000075605254 5 bytes JMP 0000000100240804 .text C:\Users\Mateusz\Desktop\0ch9myds.exe[3224] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000756053d5 5 bytes JMP 0000000100240a08 .text C:\Users\Mateusz\Desktop\0ch9myds.exe[3224] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000756054c2 5 bytes JMP 0000000100240c0c .text C:\Users\Mateusz\Desktop\0ch9myds.exe[3224] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000756055e2 5 bytes JMP 0000000100240e10 .text C:\Users\Mateusz\Desktop\0ch9myds.exe[3224] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 000000007560567c 5 bytes JMP 00000001002401f8 .text C:\Users\Mateusz\Desktop\0ch9myds.exe[3224] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 000000007560589f 5 bytes JMP 00000001002403fc .text C:\Users\Mateusz\Desktop\0ch9myds.exe[3224] C:\Windows\SysWOW64\sechost.dll!DeleteService 0000000075605a22 5 bytes JMP 0000000100240600 .text C:\Users\Mateusz\Desktop\0ch9myds.exe[3224] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007613ee09 5 bytes JMP 00000001002501f8 .text C:\Users\Mateusz\Desktop\0ch9myds.exe[3224] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000076143982 5 bytes JMP 00000001002503fc .text C:\Users\Mateusz\Desktop\0ch9myds.exe[3224] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076147603 5 bytes JMP 0000000100250804 .text C:\Users\Mateusz\Desktop\0ch9myds.exe[3224] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007614835c 5 bytes JMP 0000000100250600 .text C:\Users\Mateusz\Desktop\0ch9myds.exe[3224] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 000000007615f52b 5 bytes JMP 0000000100250a08 ---- Threads - GMER 2.0 ---- Thread C:\Windows\System32\svchost.exe [6076:2468] 000007fee7e89688 Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [5772:1196] 000007fefee20168 Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [5772:4444] 000007fefb642a7c Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [5772:5736] 000007fee822d618 Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [5772:6000] 000007fef7955124 Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [5772:4980] 000007fee81c9730 Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [5772:4328] 000007fee822d618 ---- Registry - GMER 2.0 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\00158311608a Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\ec55f9d1d1ff Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\ec55f9d1d1ff@00126f238bb7 0xC9 0xBE 0x03 0x99 ... Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\00158311608a (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\ec55f9d1d1ff (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\ec55f9d1d1ff@00126f238bb7 0xC9 0xBE 0x03 0x99 ... Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{6ECEC903-994D-C131-E080-EC1929C6D6C7} Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{6ECEC903-994D-C131-E080-EC1929C6D6C7}@ialhmgaehniipibffe 0x6A 0x61 0x70 0x6F ... Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{6ECEC903-994D-C131-E080-EC1929C6D6C7}@habikcajglejgejb 0x6A 0x61 0x70 0x6F ... Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{D19200B7-0221-898C-F7D0-F205018DAC4E} Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{D19200B7-0221-898C-F7D0-F205018DAC4E}@iaadlflamcdaokgaak 0x6A 0x61 0x65 0x61 ... Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{D19200B7-0221-898C-F7D0-F205018DAC4E}@hagdfdpfhhkfndmh 0x6B 0x61 0x64 0x61 ... ---- Files - GMER 2.0 ---- File C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS00378.log 1048576 bytes File C:\Users\Mateusz\Desktop\PR1-02.00.bak 461505 bytes ---- EOF - GMER 2.0 ----