GMER 2.1.19163 - http://www.gmer.net Rootkit scan 2013-05-01 13:33:45 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 ST9500325AS rev.0005HPM1 465,76GB Running: i2h0ge6b.exe; Driver: C:\Users\Marcin\AppData\Local\Temp\pxldrpow.sys ---- User code sections - GMER 2.1 ---- .text C:\Windows\system32\csrss.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076de13c0 5 bytes JMP 0000000100040440 .text C:\Windows\system32\csrss.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076de1410 5 bytes JMP 0000000100040430 .text C:\Windows\system32\csrss.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076de15c0 1 byte JMP 0000000100040450 .text C:\Windows\system32\csrss.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 0000000076de15c2 3 bytes {JMP 0xffffffff8925ee90} .text C:\Windows\system32\csrss.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076de15d0 5 bytes JMP 00000001000403b0 .text C:\Windows\system32\csrss.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076de1680 5 bytes JMP 0000000100040320 .text C:\Windows\system32\csrss.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076de16b0 5 bytes JMP 0000000100040380 .text C:\Windows\system32\csrss.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076de1710 5 bytes JMP 00000001000402e0 .text C:\Windows\system32\csrss.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076de1760 5 bytes JMP 0000000100040410 .text C:\Windows\system32\csrss.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076de1790 5 bytes JMP 00000001000402d0 .text C:\Windows\system32\csrss.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076de17b0 5 bytes JMP 0000000100040310 .text C:\Windows\system32\csrss.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076de17f0 5 bytes JMP 0000000100040390 .text C:\Windows\system32\csrss.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076de1840 5 bytes JMP 00000001000403c0 .text C:\Windows\system32\csrss.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076de19a0 1 byte JMP 0000000100040230 .text C:\Windows\system32\csrss.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076de19a2 3 bytes {JMP 0xffffffff8925e890} .text C:\Windows\system32\csrss.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076de1b60 5 bytes JMP 0000000100040460 .text C:\Windows\system32\csrss.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076de1b90 5 bytes JMP 0000000100040370 .text C:\Windows\system32\csrss.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076de1c70 5 bytes JMP 00000001000402f0 .text C:\Windows\system32\csrss.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076de1c80 5 bytes JMP 0000000100040350 .text C:\Windows\system32\csrss.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076de1ce0 5 bytes JMP 0000000100040290 .text C:\Windows\system32\csrss.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076de1d70 5 bytes JMP 00000001000402b0 .text C:\Windows\system32\csrss.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076de1d90 5 bytes JMP 00000001000403a0 .text C:\Windows\system32\csrss.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076de1da0 1 byte JMP 0000000100040330 .text C:\Windows\system32\csrss.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076de1da2 3 bytes {JMP 0xffffffff8925e590} .text C:\Windows\system32\csrss.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076de1e10 5 bytes JMP 00000001000403e0 .text C:\Windows\system32\csrss.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076de1e40 5 bytes JMP 0000000100040240 .text C:\Windows\system32\csrss.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076de2100 5 bytes JMP 00000001000401e0 .text C:\Windows\system32\csrss.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076de21c0 1 byte JMP 0000000100040250 .text C:\Windows\system32\csrss.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076de21c2 3 bytes {JMP 0xffffffff8925e090} .text C:\Windows\system32\csrss.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076de21f0 5 bytes JMP 0000000100040470 .text C:\Windows\system32\csrss.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076de2200 5 bytes JMP 0000000100040480 .text C:\Windows\system32\csrss.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076de2230 5 bytes JMP 0000000100040300 .text C:\Windows\system32\csrss.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076de2240 5 bytes JMP 0000000100040360 .text C:\Windows\system32\csrss.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076de22a0 5 bytes JMP 00000001000402a0 .text C:\Windows\system32\csrss.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076de22f0 5 bytes JMP 00000001000402c0 .text C:\Windows\system32\csrss.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076de2330 5 bytes JMP 0000000100040340 .text C:\Windows\system32\csrss.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076de2620 5 bytes JMP 0000000100040420 .text C:\Windows\system32\csrss.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076de2820 5 bytes JMP 0000000100040260 .text C:\Windows\system32\csrss.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076de2830 5 bytes JMP 0000000100040270 .text C:\Windows\system32\csrss.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076de2840 1 byte JMP 00000001000403d0 .text C:\Windows\system32\csrss.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000076de2842 3 bytes {JMP 0xffffffff8925db90} .text C:\Windows\system32\csrss.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076de2a00 5 bytes JMP 00000001000401f0 .text C:\Windows\system32\csrss.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076de2a10 5 bytes JMP 0000000100040210 .text C:\Windows\system32\csrss.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076de2a80 5 bytes JMP 0000000100040200 .text C:\Windows\system32\csrss.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076de2ae0 5 bytes JMP 00000001000403f0 .text C:\Windows\system32\csrss.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076de2af0 5 bytes JMP 0000000100040400 .text C:\Windows\system32\csrss.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076de2b00 5 bytes JMP 0000000100040220 .text C:\Windows\system32\csrss.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076de2be0 5 bytes JMP 0000000100040280 .text C:\Windows\system32\wininit.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076de13c0 5 bytes JMP 0000000076f40440 .text C:\Windows\system32\wininit.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076de1410 5 bytes JMP 0000000076f40430 .text C:\Windows\system32\wininit.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076de15c0 1 byte JMP 0000000076f40450 .text C:\Windows\system32\wininit.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 0000000076de15c2 3 bytes {JMP 0x15ee90} .text C:\Windows\system32\wininit.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076de15d0 5 bytes JMP 0000000076f403b0 .text C:\Windows\system32\wininit.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076de1680 5 bytes JMP 0000000076f40320 .text C:\Windows\system32\wininit.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076de16b0 5 bytes JMP 0000000076f40380 .text C:\Windows\system32\wininit.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076de1710 5 bytes JMP 0000000076f402e0 .text C:\Windows\system32\wininit.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076de1760 5 bytes JMP 0000000076f40410 .text C:\Windows\system32\wininit.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076de1790 5 bytes JMP 0000000076f402d0 .text C:\Windows\system32\wininit.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076de17b0 5 bytes JMP 0000000076f40310 .text C:\Windows\system32\wininit.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076de17f0 5 bytes JMP 0000000076f40390 .text C:\Windows\system32\wininit.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076de1840 5 bytes JMP 0000000076f403c0 .text C:\Windows\system32\wininit.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076de19a0 1 byte JMP 0000000076f40230 .text C:\Windows\system32\wininit.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076de19a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\wininit.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076de1b60 5 bytes JMP 0000000076f40460 .text C:\Windows\system32\wininit.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076de1b90 5 bytes JMP 0000000076f40370 .text C:\Windows\system32\wininit.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076de1c70 5 bytes JMP 0000000076f402f0 .text C:\Windows\system32\wininit.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076de1c80 5 bytes JMP 0000000076f40350 .text C:\Windows\system32\wininit.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076de1ce0 5 bytes JMP 0000000076f40290 .text C:\Windows\system32\wininit.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076de1d70 5 bytes JMP 0000000076f402b0 .text C:\Windows\system32\wininit.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076de1d90 5 bytes JMP 0000000076f403a0 .text C:\Windows\system32\wininit.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076de1da0 1 byte JMP 0000000076f40330 .text C:\Windows\system32\wininit.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076de1da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\wininit.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076de1e10 5 bytes JMP 0000000076f403e0 .text C:\Windows\system32\wininit.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076de1e40 5 bytes JMP 0000000076f40240 .text C:\Windows\system32\wininit.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076de2100 5 bytes JMP 0000000076f401e0 .text C:\Windows\system32\wininit.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076de21c0 1 byte JMP 0000000076f40250 .text C:\Windows\system32\wininit.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076de21c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\wininit.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076de21f0 5 bytes JMP 0000000076f40470 .text C:\Windows\system32\wininit.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076de2200 5 bytes JMP 0000000076f40480 .text C:\Windows\system32\wininit.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076de2230 5 bytes JMP 0000000076f40300 .text C:\Windows\system32\wininit.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076de2240 5 bytes JMP 0000000076f40360 .text C:\Windows\system32\wininit.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076de22a0 5 bytes JMP 0000000076f402a0 .text C:\Windows\system32\wininit.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076de22f0 5 bytes JMP 0000000076f402c0 .text C:\Windows\system32\wininit.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076de2330 5 bytes JMP 0000000076f40340 .text C:\Windows\system32\wininit.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076de2620 5 bytes JMP 0000000076f40420 .text C:\Windows\system32\wininit.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076de2820 5 bytes JMP 0000000076f40260 .text C:\Windows\system32\wininit.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076de2830 5 bytes JMP 0000000076f40270 .text C:\Windows\system32\wininit.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076de2840 1 byte JMP 0000000076f403d0 .text C:\Windows\system32\wininit.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000076de2842 3 bytes {JMP 0x15db90} .text C:\Windows\system32\wininit.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076de2a00 5 bytes JMP 0000000076f401f0 .text C:\Windows\system32\wininit.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076de2a10 5 bytes JMP 0000000076f40210 .text C:\Windows\system32\wininit.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076de2a80 5 bytes JMP 0000000076f40200 .text C:\Windows\system32\wininit.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076de2ae0 5 bytes JMP 0000000076f403f0 .text C:\Windows\system32\wininit.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076de2af0 5 bytes JMP 0000000076f40400 .text C:\Windows\system32\wininit.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076de2b00 5 bytes JMP 0000000076f40220 .text C:\Windows\system32\wininit.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076de2be0 5 bytes JMP 0000000076f40280 .text C:\Windows\system32\wininit.exe[508] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007680eecd 1 byte [62] .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076de13c0 5 bytes JMP 000000014a3a0440 .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076de1410 5 bytes JMP 000000014a3a0430 .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076de15c0 1 byte JMP 000000014a3a0450 .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 0000000076de15c2 3 bytes {JMP 0xffffffffd35bee90} .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076de15d0 5 bytes JMP 000000014a3a03b0 .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076de1680 5 bytes JMP 000000014a3a0320 .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076de16b0 5 bytes JMP 000000014a3a0380 .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076de1710 5 bytes JMP 000000014a3a02e0 .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076de1760 5 bytes JMP 000000014a3a0410 .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076de1790 5 bytes JMP 000000014a3a02d0 .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076de17b0 5 bytes JMP 000000014a3a0310 .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076de17f0 5 bytes JMP 000000014a3a0390 .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076de1840 5 bytes JMP 000000014a3a03c0 .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076de19a0 1 byte JMP 000000014a3a0230 .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076de19a2 3 bytes {JMP 0xffffffffd35be890} .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076de1b60 5 bytes JMP 000000014a3a0460 .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076de1b90 5 bytes JMP 000000014a3a0370 .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076de1c70 5 bytes JMP 000000014a3a02f0 .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076de1c80 5 bytes JMP 000000014a3a0350 .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076de1ce0 5 bytes JMP 000000014a3a0290 .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076de1d70 5 bytes JMP 000000014a3a02b0 .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076de1d90 5 bytes JMP 000000014a3a03a0 .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076de1da0 1 byte JMP 000000014a3a0330 .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076de1da2 3 bytes {JMP 0xffffffffd35be590} .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076de1e10 5 bytes JMP 000000014a3a03e0 .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076de1e40 5 bytes JMP 000000014a3a0240 .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076de2100 5 bytes JMP 000000014a3a01e0 .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076de21c0 1 byte JMP 000000014a3a0250 .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076de21c2 3 bytes {JMP 0xffffffffd35be090} .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076de21f0 5 bytes JMP 000000014a3a0470 .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076de2200 5 bytes JMP 000000014a3a0480 .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076de2230 5 bytes JMP 000000014a3a0300 .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076de2240 5 bytes JMP 000000014a3a0360 .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076de22a0 5 bytes JMP 000000014a3a02a0 .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076de22f0 5 bytes JMP 000000014a3a02c0 .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076de2330 5 bytes JMP 000000014a3a0340 .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076de2620 5 bytes JMP 000000014a3a0420 .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076de2820 5 bytes JMP 000000014a3a0260 .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076de2830 5 bytes JMP 000000014a3a0270 .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076de2840 1 byte JMP 000000014a3a03d0 .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000076de2842 3 bytes {JMP 0xffffffffd35bdb90} .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076de2a00 5 bytes JMP 000000014a3a01f0 .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076de2a10 5 bytes JMP 000000014a3a0210 .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076de2a80 5 bytes JMP 000000014a3a0200 .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076de2ae0 5 bytes JMP 000000014a3a03f0 .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076de2af0 5 bytes JMP 000000014a3a0400 .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076de2b00 5 bytes JMP 000000014a3a0220 .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076de2be0 5 bytes JMP 000000014a3a0280 .text C:\Windows\system32\services.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076de13c0 5 bytes JMP 0000000076f40440 .text C:\Windows\system32\services.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076de1410 5 bytes JMP 0000000076f40430 .text C:\Windows\system32\services.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076de15c0 1 byte JMP 0000000076f40450 .text C:\Windows\system32\services.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 0000000076de15c2 3 bytes {JMP 0x15ee90} .text C:\Windows\system32\services.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076de15d0 5 bytes JMP 0000000076f403b0 .text C:\Windows\system32\services.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076de1680 5 bytes JMP 0000000076f40320 .text C:\Windows\system32\services.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076de16b0 5 bytes JMP 0000000076f40380 .text C:\Windows\system32\services.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076de1710 5 bytes JMP 0000000076f402e0 .text C:\Windows\system32\services.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076de1760 5 bytes JMP 0000000076f40410 .text C:\Windows\system32\services.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076de1790 5 bytes JMP 0000000076f402d0 .text C:\Windows\system32\services.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076de17b0 5 bytes JMP 0000000076f40310 .text C:\Windows\system32\services.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076de17f0 5 bytes JMP 0000000076f40390 .text C:\Windows\system32\services.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076de1840 5 bytes JMP 0000000076f403c0 .text C:\Windows\system32\services.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076de19a0 1 byte JMP 0000000076f40230 .text C:\Windows\system32\services.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076de19a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\services.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076de1b60 5 bytes JMP 0000000076f40460 .text C:\Windows\system32\services.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076de1b90 5 bytes JMP 0000000076f40370 .text C:\Windows\system32\services.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076de1c70 5 bytes JMP 0000000076f402f0 .text C:\Windows\system32\services.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076de1c80 5 bytes JMP 0000000076f40350 .text C:\Windows\system32\services.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076de1ce0 5 bytes JMP 0000000076f40290 .text C:\Windows\system32\services.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076de1d70 5 bytes JMP 0000000076f402b0 .text C:\Windows\system32\services.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076de1d90 5 bytes JMP 0000000076f403a0 .text C:\Windows\system32\services.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076de1da0 1 byte JMP 0000000076f40330 .text C:\Windows\system32\services.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076de1da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\services.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076de1e10 5 bytes JMP 0000000076f403e0 .text C:\Windows\system32\services.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076de1e40 5 bytes JMP 0000000076f40240 .text C:\Windows\system32\services.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076de2100 5 bytes JMP 0000000076f401e0 .text C:\Windows\system32\services.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076de21c0 1 byte JMP 0000000076f40250 .text C:\Windows\system32\services.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076de21c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\services.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076de21f0 5 bytes JMP 0000000076f40470 .text C:\Windows\system32\services.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076de2200 5 bytes JMP 0000000076f40480 .text C:\Windows\system32\services.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076de2230 5 bytes JMP 0000000076f40300 .text C:\Windows\system32\services.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076de2240 5 bytes JMP 0000000076f40360 .text C:\Windows\system32\services.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076de22a0 5 bytes JMP 0000000076f402a0 .text C:\Windows\system32\services.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076de22f0 5 bytes JMP 0000000076f402c0 .text C:\Windows\system32\services.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076de2330 5 bytes JMP 0000000076f40340 .text C:\Windows\system32\services.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076de2620 5 bytes JMP 0000000076f40420 .text C:\Windows\system32\services.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076de2820 5 bytes JMP 0000000076f40260 .text C:\Windows\system32\services.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076de2830 5 bytes JMP 0000000076f40270 .text C:\Windows\system32\services.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076de2840 1 byte JMP 0000000076f403d0 .text C:\Windows\system32\services.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000076de2842 3 bytes {JMP 0x15db90} .text C:\Windows\system32\services.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076de2a00 5 bytes JMP 0000000076f401f0 .text C:\Windows\system32\services.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076de2a10 5 bytes JMP 0000000076f40210 .text C:\Windows\system32\services.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076de2a80 5 bytes JMP 0000000076f40200 .text C:\Windows\system32\services.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076de2ae0 5 bytes JMP 0000000076f403f0 .text C:\Windows\system32\services.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076de2af0 5 bytes JMP 0000000076f40400 .text C:\Windows\system32\services.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076de2b00 5 bytes JMP 0000000076f40220 .text C:\Windows\system32\services.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076de2be0 5 bytes JMP 0000000076f40280 .text C:\Windows\system32\services.exe[564] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007680eecd 1 byte [62] .text C:\Windows\system32\winlogon.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076de13c0 5 bytes JMP 0000000076f40440 .text C:\Windows\system32\winlogon.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076de1410 5 bytes JMP 0000000076f40430 .text C:\Windows\system32\winlogon.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076de15c0 1 byte JMP 0000000076f40450 .text C:\Windows\system32\winlogon.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 0000000076de15c2 3 bytes {JMP 0x15ee90} .text C:\Windows\system32\winlogon.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076de15d0 5 bytes JMP 0000000076f403b0 .text C:\Windows\system32\winlogon.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076de1680 5 bytes JMP 0000000076f40320 .text C:\Windows\system32\winlogon.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076de16b0 5 bytes JMP 0000000076f40380 .text C:\Windows\system32\winlogon.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076de1710 5 bytes JMP 0000000076f402e0 .text C:\Windows\system32\winlogon.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076de1760 5 bytes JMP 0000000076f40410 .text C:\Windows\system32\winlogon.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076de1790 5 bytes JMP 0000000076f402d0 .text C:\Windows\system32\winlogon.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076de17b0 5 bytes JMP 0000000076f40310 .text C:\Windows\system32\winlogon.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076de17f0 5 bytes JMP 0000000076f40390 .text C:\Windows\system32\winlogon.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076de1840 5 bytes JMP 0000000076f403c0 .text C:\Windows\system32\winlogon.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076de19a0 1 byte JMP 0000000076f40230 .text C:\Windows\system32\winlogon.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076de19a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\winlogon.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076de1b60 5 bytes JMP 0000000076f40460 .text C:\Windows\system32\winlogon.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076de1b90 5 bytes JMP 0000000076f40370 .text C:\Windows\system32\winlogon.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076de1c70 5 bytes JMP 0000000076f402f0 .text C:\Windows\system32\winlogon.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076de1c80 5 bytes JMP 0000000076f40350 .text C:\Windows\system32\winlogon.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076de1ce0 5 bytes JMP 0000000076f40290 .text C:\Windows\system32\winlogon.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076de1d70 5 bytes JMP 0000000076f402b0 .text C:\Windows\system32\winlogon.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076de1d90 5 bytes JMP 0000000076f403a0 .text C:\Windows\system32\winlogon.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076de1da0 1 byte JMP 0000000076f40330 .text C:\Windows\system32\winlogon.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076de1da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\winlogon.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076de1e10 5 bytes JMP 0000000076f403e0 .text C:\Windows\system32\winlogon.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076de1e40 5 bytes JMP 0000000076f40240 .text C:\Windows\system32\winlogon.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076de2100 5 bytes JMP 0000000076f401e0 .text C:\Windows\system32\winlogon.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076de21c0 1 byte JMP 0000000076f40250 .text C:\Windows\system32\winlogon.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076de21c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\winlogon.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076de21f0 5 bytes JMP 0000000076f40470 .text C:\Windows\system32\winlogon.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076de2200 5 bytes JMP 0000000076f40480 .text C:\Windows\system32\winlogon.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076de2230 5 bytes JMP 0000000076f40300 .text C:\Windows\system32\winlogon.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076de2240 5 bytes JMP 0000000076f40360 .text C:\Windows\system32\winlogon.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076de22a0 5 bytes JMP 0000000076f402a0 .text C:\Windows\system32\winlogon.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076de22f0 5 bytes JMP 0000000076f402c0 .text C:\Windows\system32\winlogon.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076de2330 5 bytes JMP 0000000076f40340 .text C:\Windows\system32\winlogon.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076de2620 5 bytes JMP 0000000076f40420 .text C:\Windows\system32\winlogon.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076de2820 5 bytes JMP 0000000076f40260 .text C:\Windows\system32\winlogon.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076de2830 5 bytes JMP 0000000076f40270 .text C:\Windows\system32\winlogon.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076de2840 1 byte JMP 0000000076f403d0 .text C:\Windows\system32\winlogon.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000076de2842 3 bytes {JMP 0x15db90} .text C:\Windows\system32\winlogon.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076de2a00 5 bytes JMP 0000000076f401f0 .text C:\Windows\system32\winlogon.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076de2a10 5 bytes JMP 0000000076f40210 .text C:\Windows\system32\winlogon.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076de2a80 5 bytes JMP 0000000076f40200 .text C:\Windows\system32\winlogon.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076de2ae0 5 bytes JMP 0000000076f403f0 .text C:\Windows\system32\winlogon.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076de2af0 5 bytes JMP 0000000076f40400 .text C:\Windows\system32\winlogon.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076de2b00 5 bytes JMP 0000000076f40220 .text C:\Windows\system32\winlogon.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076de2be0 5 bytes JMP 0000000076f40280 .text C:\Windows\system32\winlogon.exe[620] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007680eecd 1 byte [62] .text C:\Windows\system32\lsass.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076de13c0 5 bytes JMP 0000000076f40440 .text C:\Windows\system32\lsass.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076de1410 5 bytes JMP 0000000076f40430 .text C:\Windows\system32\lsass.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076de15c0 1 byte JMP 0000000076f40450 .text C:\Windows\system32\lsass.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 0000000076de15c2 3 bytes {JMP 0x15ee90} .text C:\Windows\system32\lsass.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076de15d0 5 bytes JMP 0000000076f403b0 .text C:\Windows\system32\lsass.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076de1680 5 bytes JMP 0000000076f40320 .text C:\Windows\system32\lsass.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076de16b0 5 bytes JMP 0000000076f40380 .text C:\Windows\system32\lsass.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076de1710 5 bytes JMP 0000000076f402e0 .text C:\Windows\system32\lsass.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076de1760 5 bytes JMP 0000000076f40410 .text C:\Windows\system32\lsass.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076de1790 5 bytes JMP 0000000076f402d0 .text C:\Windows\system32\lsass.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076de17b0 5 bytes JMP 0000000076f40310 .text C:\Windows\system32\lsass.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076de17f0 5 bytes JMP 0000000076f40390 .text C:\Windows\system32\lsass.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076de1840 5 bytes JMP 0000000076f403c0 .text C:\Windows\system32\lsass.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076de19a0 1 byte JMP 0000000076f40230 .text C:\Windows\system32\lsass.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076de19a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\lsass.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076de1b60 5 bytes JMP 0000000076f40460 .text C:\Windows\system32\lsass.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076de1b90 5 bytes JMP 0000000076f40370 .text C:\Windows\system32\lsass.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076de1c70 5 bytes JMP 0000000076f402f0 .text C:\Windows\system32\lsass.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076de1c80 5 bytes JMP 0000000076f40350 .text C:\Windows\system32\lsass.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076de1ce0 5 bytes JMP 0000000076f40290 .text C:\Windows\system32\lsass.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076de1d70 5 bytes JMP 0000000076f402b0 .text C:\Windows\system32\lsass.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076de1d90 5 bytes JMP 0000000076f403a0 .text C:\Windows\system32\lsass.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076de1da0 1 byte JMP 0000000076f40330 .text C:\Windows\system32\lsass.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076de1da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\lsass.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076de1e10 5 bytes JMP 0000000076f403e0 .text C:\Windows\system32\lsass.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076de1e40 5 bytes JMP 0000000076f40240 .text C:\Windows\system32\lsass.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076de2100 5 bytes JMP 0000000076f401e0 .text C:\Windows\system32\lsass.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076de21c0 1 byte JMP 0000000076f40250 .text C:\Windows\system32\lsass.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076de21c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\lsass.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076de21f0 5 bytes JMP 0000000076f40470 .text C:\Windows\system32\lsass.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076de2200 5 bytes JMP 0000000076f40480 .text C:\Windows\system32\lsass.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076de2230 5 bytes JMP 0000000076f40300 .text C:\Windows\system32\lsass.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076de2240 5 bytes JMP 0000000076f40360 .text C:\Windows\system32\lsass.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076de22a0 5 bytes JMP 0000000076f402a0 .text C:\Windows\system32\lsass.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076de22f0 5 bytes JMP 0000000076f402c0 .text C:\Windows\system32\lsass.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076de2330 5 bytes JMP 0000000076f40340 .text C:\Windows\system32\lsass.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076de2620 5 bytes JMP 0000000076f40420 .text C:\Windows\system32\lsass.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076de2820 5 bytes JMP 0000000076f40260 .text C:\Windows\system32\lsass.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076de2830 5 bytes JMP 0000000076f40270 .text C:\Windows\system32\lsass.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076de2840 1 byte JMP 0000000076f403d0 .text C:\Windows\system32\lsass.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000076de2842 3 bytes {JMP 0x15db90} .text C:\Windows\system32\lsass.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076de2a00 5 bytes JMP 0000000076f401f0 .text C:\Windows\system32\lsass.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076de2a10 5 bytes JMP 0000000076f40210 .text C:\Windows\system32\lsass.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076de2a80 5 bytes JMP 0000000076f40200 .text C:\Windows\system32\lsass.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076de2ae0 5 bytes JMP 0000000076f403f0 .text C:\Windows\system32\lsass.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076de2af0 5 bytes JMP 0000000076f40400 .text C:\Windows\system32\lsass.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076de2b00 5 bytes JMP 0000000076f40220 .text C:\Windows\system32\lsass.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076de2be0 5 bytes JMP 0000000076f40280 .text C:\Windows\system32\lsass.exe[640] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007680eecd 1 byte [62] .text C:\Windows\system32\lsm.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076de13c0 5 bytes JMP 0000000076f40440 .text C:\Windows\system32\lsm.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076de1410 5 bytes JMP 0000000076f40430 .text C:\Windows\system32\lsm.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076de15c0 1 byte JMP 0000000076f40450 .text C:\Windows\system32\lsm.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 0000000076de15c2 3 bytes {JMP 0x15ee90} .text C:\Windows\system32\lsm.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076de15d0 5 bytes JMP 0000000076f403b0 .text C:\Windows\system32\lsm.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076de1680 5 bytes JMP 0000000076f40320 .text C:\Windows\system32\lsm.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076de16b0 5 bytes JMP 0000000076f40380 .text C:\Windows\system32\lsm.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076de1710 5 bytes JMP 0000000076f402e0 .text C:\Windows\system32\lsm.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076de1760 5 bytes JMP 0000000076f40410 .text C:\Windows\system32\lsm.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076de1790 5 bytes JMP 0000000076f402d0 .text C:\Windows\system32\lsm.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076de17b0 5 bytes JMP 0000000076f40310 .text C:\Windows\system32\lsm.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076de17f0 5 bytes JMP 0000000076f40390 .text C:\Windows\system32\lsm.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076de1840 5 bytes JMP 0000000076f403c0 .text C:\Windows\system32\lsm.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076de19a0 1 byte JMP 0000000076f40230 .text C:\Windows\system32\lsm.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076de19a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\lsm.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076de1b60 5 bytes JMP 0000000076f40460 .text C:\Windows\system32\lsm.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076de1b90 5 bytes JMP 0000000076f40370 .text C:\Windows\system32\lsm.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076de1c70 5 bytes JMP 0000000076f402f0 .text C:\Windows\system32\lsm.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076de1c80 5 bytes JMP 0000000076f40350 .text C:\Windows\system32\lsm.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076de1ce0 5 bytes JMP 0000000076f40290 .text C:\Windows\system32\lsm.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076de1d70 5 bytes JMP 0000000076f402b0 .text C:\Windows\system32\lsm.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076de1d90 5 bytes JMP 0000000076f403a0 .text C:\Windows\system32\lsm.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076de1da0 1 byte JMP 0000000076f40330 .text C:\Windows\system32\lsm.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076de1da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\lsm.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076de1e10 5 bytes JMP 0000000076f403e0 .text C:\Windows\system32\lsm.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076de1e40 5 bytes JMP 0000000076f40240 .text C:\Windows\system32\lsm.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076de2100 5 bytes JMP 0000000076f401e0 .text C:\Windows\system32\lsm.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076de21c0 1 byte JMP 0000000076f40250 .text C:\Windows\system32\lsm.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076de21c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\lsm.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076de21f0 5 bytes JMP 0000000076f40470 .text C:\Windows\system32\lsm.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076de2200 5 bytes JMP 0000000076f40480 .text C:\Windows\system32\lsm.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076de2230 5 bytes JMP 0000000076f40300 .text C:\Windows\system32\lsm.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076de2240 5 bytes JMP 0000000076f40360 .text C:\Windows\system32\lsm.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076de22a0 5 bytes JMP 0000000076f402a0 .text C:\Windows\system32\lsm.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076de22f0 5 bytes JMP 0000000076f402c0 .text C:\Windows\system32\lsm.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076de2330 5 bytes JMP 0000000076f40340 .text C:\Windows\system32\lsm.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076de2620 5 bytes JMP 0000000076f40420 .text C:\Windows\system32\lsm.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076de2820 5 bytes JMP 0000000076f40260 .text C:\Windows\system32\lsm.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076de2830 5 bytes JMP 0000000076f40270 .text C:\Windows\system32\lsm.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076de2840 1 byte JMP 0000000076f403d0 .text C:\Windows\system32\lsm.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000076de2842 3 bytes {JMP 0x15db90} .text C:\Windows\system32\lsm.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076de2a00 5 bytes JMP 0000000076f401f0 .text C:\Windows\system32\lsm.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076de2a10 5 bytes JMP 0000000076f40210 .text C:\Windows\system32\lsm.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076de2a80 5 bytes JMP 0000000076f40200 .text C:\Windows\system32\lsm.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076de2ae0 5 bytes JMP 0000000076f403f0 .text C:\Windows\system32\lsm.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076de2af0 5 bytes JMP 0000000076f40400 .text C:\Windows\system32\lsm.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076de2b00 5 bytes JMP 0000000076f40220 .text C:\Windows\system32\lsm.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076de2be0 5 bytes JMP 0000000076f40280 .text C:\Windows\system32\svchost.exe[788] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076de13c0 5 bytes JMP 0000000100070440 .text C:\Windows\system32\svchost.exe[788] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076de1410 5 bytes JMP 0000000100070430 .text C:\Windows\system32\svchost.exe[788] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076de15c0 1 byte JMP 0000000100070450 .text C:\Windows\system32\svchost.exe[788] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 0000000076de15c2 3 bytes {JMP 0xffffffff8928ee90} .text C:\Windows\system32\svchost.exe[788] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076de15d0 5 bytes JMP 00000001000703b0 .text C:\Windows\system32\svchost.exe[788] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076de1680 5 bytes JMP 0000000100070320 .text C:\Windows\system32\svchost.exe[788] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076de16b0 5 bytes JMP 0000000100070380 .text C:\Windows\system32\svchost.exe[788] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076de1710 5 bytes JMP 00000001000702e0 .text C:\Windows\system32\svchost.exe[788] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076de1760 5 bytes JMP 0000000100070410 .text C:\Windows\system32\svchost.exe[788] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076de1790 5 bytes JMP 00000001000702d0 .text C:\Windows\system32\svchost.exe[788] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076de17b0 5 bytes JMP 0000000100070310 .text C:\Windows\system32\svchost.exe[788] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076de17f0 5 bytes JMP 0000000100070390 .text C:\Windows\system32\svchost.exe[788] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076de1840 5 bytes JMP 00000001000703c0 .text C:\Windows\system32\svchost.exe[788] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076de19a0 1 byte JMP 0000000100070230 .text C:\Windows\system32\svchost.exe[788] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076de19a2 3 bytes {JMP 0xffffffff8928e890} .text C:\Windows\system32\svchost.exe[788] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076de1b60 5 bytes JMP 0000000100070460 .text C:\Windows\system32\svchost.exe[788] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076de1b90 5 bytes JMP 0000000100070370 .text C:\Windows\system32\svchost.exe[788] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076de1c70 5 bytes JMP 00000001000702f0 .text C:\Windows\system32\svchost.exe[788] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076de1c80 5 bytes JMP 0000000100070350 .text C:\Windows\system32\svchost.exe[788] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076de1ce0 5 bytes JMP 0000000100070290 .text C:\Windows\system32\svchost.exe[788] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076de1d70 5 bytes JMP 00000001000702b0 .text C:\Windows\system32\svchost.exe[788] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076de1d90 5 bytes JMP 00000001000703a0 .text C:\Windows\system32\svchost.exe[788] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076de1da0 1 byte JMP 0000000100070330 .text C:\Windows\system32\svchost.exe[788] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076de1da2 3 bytes {JMP 0xffffffff8928e590} .text C:\Windows\system32\svchost.exe[788] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076de1e10 5 bytes JMP 00000001000703e0 .text C:\Windows\system32\svchost.exe[788] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076de1e40 5 bytes JMP 0000000100070240 .text C:\Windows\system32\svchost.exe[788] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076de2100 5 bytes JMP 00000001000701e0 .text C:\Windows\system32\svchost.exe[788] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076de21c0 1 byte JMP 0000000100070250 .text C:\Windows\system32\svchost.exe[788] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076de21c2 3 bytes {JMP 0xffffffff8928e090} .text C:\Windows\system32\svchost.exe[788] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076de21f0 5 bytes JMP 0000000100070470 .text C:\Windows\system32\svchost.exe[788] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076de2200 5 bytes JMP 0000000100070480 .text C:\Windows\system32\svchost.exe[788] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076de2230 5 bytes JMP 0000000100070300 .text C:\Windows\system32\svchost.exe[788] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076de2240 5 bytes JMP 0000000100070360 .text C:\Windows\system32\svchost.exe[788] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076de22a0 5 bytes JMP 00000001000702a0 .text C:\Windows\system32\svchost.exe[788] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076de22f0 5 bytes JMP 00000001000702c0 .text C:\Windows\system32\svchost.exe[788] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076de2330 5 bytes JMP 0000000100070340 .text C:\Windows\system32\svchost.exe[788] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076de2620 5 bytes JMP 0000000100070420 .text C:\Windows\system32\svchost.exe[788] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076de2820 5 bytes JMP 0000000100070260 .text C:\Windows\system32\svchost.exe[788] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076de2830 5 bytes JMP 0000000100070270 .text C:\Windows\system32\svchost.exe[788] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076de2840 1 byte JMP 00000001000703d0 .text C:\Windows\system32\svchost.exe[788] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000076de2842 3 bytes {JMP 0xffffffff8928db90} .text C:\Windows\system32\svchost.exe[788] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076de2a00 5 bytes JMP 00000001000701f0 .text C:\Windows\system32\svchost.exe[788] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076de2a10 5 bytes JMP 0000000100070210 .text C:\Windows\system32\svchost.exe[788] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076de2a80 5 bytes JMP 0000000100070200 .text C:\Windows\system32\svchost.exe[788] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076de2ae0 5 bytes JMP 00000001000703f0 .text C:\Windows\system32\svchost.exe[788] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076de2af0 5 bytes JMP 0000000100070400 .text C:\Windows\system32\svchost.exe[788] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076de2b00 5 bytes JMP 0000000100070220 .text C:\Windows\system32\svchost.exe[788] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076de2be0 5 bytes JMP 0000000100070280 .text C:\Windows\system32\svchost.exe[788] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007680eecd 1 byte [62] .text C:\Windows\system32\svchost.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076de13c0 5 bytes JMP 0000000076f40440 .text C:\Windows\system32\svchost.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076de1410 5 bytes JMP 0000000076f40430 .text C:\Windows\system32\svchost.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076de15c0 1 byte JMP 0000000076f40450 .text C:\Windows\system32\svchost.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 0000000076de15c2 3 bytes {JMP 0x15ee90} .text C:\Windows\system32\svchost.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076de15d0 5 bytes JMP 0000000076f403b0 .text C:\Windows\system32\svchost.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076de1680 5 bytes JMP 0000000076f40320 .text C:\Windows\system32\svchost.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076de16b0 5 bytes JMP 0000000076f40380 .text C:\Windows\system32\svchost.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076de1710 5 bytes JMP 0000000076f402e0 .text C:\Windows\system32\svchost.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076de1760 5 bytes JMP 0000000076f40410 .text C:\Windows\system32\svchost.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076de1790 5 bytes JMP 0000000076f402d0 .text C:\Windows\system32\svchost.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076de17b0 5 bytes JMP 0000000076f40310 .text C:\Windows\system32\svchost.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076de17f0 5 bytes JMP 0000000076f40390 .text C:\Windows\system32\svchost.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076de1840 5 bytes JMP 0000000076f403c0 .text C:\Windows\system32\svchost.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076de19a0 1 byte JMP 0000000076f40230 .text C:\Windows\system32\svchost.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076de19a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\svchost.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076de1b60 5 bytes JMP 0000000076f40460 .text C:\Windows\system32\svchost.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076de1b90 5 bytes JMP 0000000076f40370 .text C:\Windows\system32\svchost.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076de1c70 5 bytes JMP 0000000076f402f0 .text C:\Windows\system32\svchost.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076de1c80 5 bytes JMP 0000000076f40350 .text C:\Windows\system32\svchost.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076de1ce0 5 bytes JMP 0000000076f40290 .text C:\Windows\system32\svchost.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076de1d70 5 bytes JMP 0000000076f402b0 .text C:\Windows\system32\svchost.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076de1d90 5 bytes JMP 0000000076f403a0 .text C:\Windows\system32\svchost.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076de1da0 1 byte JMP 0000000076f40330 .text C:\Windows\system32\svchost.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076de1da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\svchost.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076de1e10 5 bytes JMP 0000000076f403e0 .text C:\Windows\system32\svchost.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076de1e40 5 bytes JMP 0000000076f40240 .text C:\Windows\system32\svchost.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076de2100 5 bytes JMP 0000000076f401e0 .text C:\Windows\system32\svchost.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076de21c0 1 byte JMP 0000000076f40250 .text C:\Windows\system32\svchost.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076de21c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\svchost.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076de21f0 5 bytes JMP 0000000076f40470 .text C:\Windows\system32\svchost.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076de2200 5 bytes JMP 0000000076f40480 .text C:\Windows\system32\svchost.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076de2230 5 bytes JMP 0000000076f40300 .text C:\Windows\system32\svchost.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076de2240 5 bytes JMP 0000000076f40360 .text C:\Windows\system32\svchost.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076de22a0 5 bytes JMP 0000000076f402a0 .text C:\Windows\system32\svchost.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076de22f0 5 bytes JMP 0000000076f402c0 .text C:\Windows\system32\svchost.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076de2330 5 bytes JMP 0000000076f40340 .text C:\Windows\system32\svchost.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076de2620 5 bytes JMP 0000000076f40420 .text C:\Windows\system32\svchost.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076de2820 5 bytes JMP 0000000076f40260 .text C:\Windows\system32\svchost.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076de2830 5 bytes JMP 0000000076f40270 .text C:\Windows\system32\svchost.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076de2840 1 byte JMP 0000000076f403d0 .text C:\Windows\system32\svchost.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000076de2842 3 bytes {JMP 0x15db90} .text C:\Windows\system32\svchost.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076de2a00 5 bytes JMP 0000000076f401f0 .text C:\Windows\system32\svchost.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076de2a10 5 bytes JMP 0000000076f40210 .text C:\Windows\system32\svchost.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076de2a80 5 bytes JMP 0000000076f40200 .text C:\Windows\system32\svchost.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076de2ae0 5 bytes JMP 0000000076f403f0 .text C:\Windows\system32\svchost.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076de2af0 5 bytes JMP 0000000076f40400 .text C:\Windows\system32\svchost.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076de2b00 5 bytes JMP 0000000076f40220 .text C:\Windows\system32\svchost.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076de2be0 5 bytes JMP 0000000076f40280 .text C:\Windows\system32\atiesrxx.exe[940] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007680eecd 1 byte [62] .text C:\Windows\System32\svchost.exe[112] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076de13c0 5 bytes JMP 0000000076f40440 .text C:\Windows\System32\svchost.exe[112] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076de1410 5 bytes JMP 0000000076f40430 .text C:\Windows\System32\svchost.exe[112] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076de15c0 1 byte JMP 0000000076f40450 .text C:\Windows\System32\svchost.exe[112] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 0000000076de15c2 3 bytes {JMP 0x15ee90} .text C:\Windows\System32\svchost.exe[112] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076de15d0 5 bytes JMP 0000000076f403b0 .text C:\Windows\System32\svchost.exe[112] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076de1680 5 bytes JMP 0000000076f40320 .text C:\Windows\System32\svchost.exe[112] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076de16b0 5 bytes JMP 0000000076f40380 .text C:\Windows\System32\svchost.exe[112] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076de1710 5 bytes JMP 0000000076f402e0 .text C:\Windows\System32\svchost.exe[112] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076de1760 5 bytes JMP 0000000076f40410 .text C:\Windows\System32\svchost.exe[112] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076de1790 5 bytes JMP 0000000076f402d0 .text C:\Windows\System32\svchost.exe[112] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076de17b0 5 bytes JMP 0000000076f40310 .text C:\Windows\System32\svchost.exe[112] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076de17f0 5 bytes JMP 0000000076f40390 .text C:\Windows\System32\svchost.exe[112] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076de1840 5 bytes JMP 0000000076f403c0 .text C:\Windows\System32\svchost.exe[112] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076de19a0 1 byte JMP 0000000076f40230 .text C:\Windows\System32\svchost.exe[112] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076de19a2 3 bytes {JMP 0x15e890} .text C:\Windows\System32\svchost.exe[112] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076de1b60 5 bytes JMP 0000000076f40460 .text C:\Windows\System32\svchost.exe[112] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076de1b90 5 bytes JMP 0000000076f40370 .text C:\Windows\System32\svchost.exe[112] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076de1c70 5 bytes JMP 0000000076f402f0 .text C:\Windows\System32\svchost.exe[112] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076de1c80 5 bytes JMP 0000000076f40350 .text C:\Windows\System32\svchost.exe[112] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076de1ce0 5 bytes JMP 0000000076f40290 .text C:\Windows\System32\svchost.exe[112] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076de1d70 5 bytes JMP 0000000076f402b0 .text C:\Windows\System32\svchost.exe[112] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076de1d90 5 bytes JMP 0000000076f403a0 .text C:\Windows\System32\svchost.exe[112] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076de1da0 1 byte JMP 0000000076f40330 .text C:\Windows\System32\svchost.exe[112] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076de1da2 3 bytes {JMP 0x15e590} .text C:\Windows\System32\svchost.exe[112] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076de1e10 5 bytes JMP 0000000076f403e0 .text C:\Windows\System32\svchost.exe[112] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076de1e40 5 bytes JMP 0000000076f40240 .text C:\Windows\System32\svchost.exe[112] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076de2100 5 bytes JMP 0000000076f401e0 .text C:\Windows\System32\svchost.exe[112] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076de21c0 1 byte JMP 0000000076f40250 .text C:\Windows\System32\svchost.exe[112] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076de21c2 3 bytes {JMP 0x15e090} .text C:\Windows\System32\svchost.exe[112] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076de21f0 5 bytes JMP 0000000076f40470 .text C:\Windows\System32\svchost.exe[112] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076de2200 5 bytes JMP 0000000076f40480 .text C:\Windows\System32\svchost.exe[112] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076de2230 5 bytes JMP 0000000076f40300 .text C:\Windows\System32\svchost.exe[112] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076de2240 5 bytes JMP 0000000076f40360 .text C:\Windows\System32\svchost.exe[112] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076de22a0 5 bytes JMP 0000000076f402a0 .text C:\Windows\System32\svchost.exe[112] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076de22f0 5 bytes JMP 0000000076f402c0 .text C:\Windows\System32\svchost.exe[112] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076de2330 5 bytes JMP 0000000076f40340 .text C:\Windows\System32\svchost.exe[112] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076de2620 5 bytes JMP 0000000076f40420 .text C:\Windows\System32\svchost.exe[112] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076de2820 5 bytes JMP 0000000076f40260 .text C:\Windows\System32\svchost.exe[112] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076de2830 5 bytes JMP 0000000076f40270 .text C:\Windows\System32\svchost.exe[112] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076de2840 1 byte JMP 0000000076f403d0 .text C:\Windows\System32\svchost.exe[112] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000076de2842 3 bytes {JMP 0x15db90} .text C:\Windows\System32\svchost.exe[112] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076de2a00 5 bytes JMP 0000000076f401f0 .text C:\Windows\System32\svchost.exe[112] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076de2a10 5 bytes JMP 0000000076f40210 .text C:\Windows\System32\svchost.exe[112] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076de2a80 5 bytes JMP 0000000076f40200 .text C:\Windows\System32\svchost.exe[112] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076de2ae0 5 bytes JMP 0000000076f403f0 .text C:\Windows\System32\svchost.exe[112] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076de2af0 5 bytes JMP 0000000076f40400 .text C:\Windows\System32\svchost.exe[112] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076de2b00 5 bytes JMP 0000000076f40220 .text C:\Windows\System32\svchost.exe[112] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076de2be0 5 bytes JMP 0000000076f40280 .text C:\Windows\System32\svchost.exe[112] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007680eecd 1 byte [62] .text C:\Windows\System32\svchost.exe[360] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076de13c0 5 bytes JMP 0000000076f40440 .text C:\Windows\System32\svchost.exe[360] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076de1410 5 bytes JMP 0000000076f40430 .text C:\Windows\System32\svchost.exe[360] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076de15c0 1 byte JMP 0000000076f40450 .text C:\Windows\System32\svchost.exe[360] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 0000000076de15c2 3 bytes {JMP 0x15ee90} .text C:\Windows\System32\svchost.exe[360] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076de15d0 5 bytes JMP 0000000076f403b0 .text C:\Windows\System32\svchost.exe[360] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076de1680 5 bytes JMP 0000000076f40320 .text C:\Windows\System32\svchost.exe[360] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076de16b0 5 bytes JMP 0000000076f40380 .text C:\Windows\System32\svchost.exe[360] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076de1710 5 bytes JMP 0000000076f402e0 .text C:\Windows\System32\svchost.exe[360] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076de1760 5 bytes JMP 0000000076f40410 .text C:\Windows\System32\svchost.exe[360] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076de1790 5 bytes JMP 0000000076f402d0 .text C:\Windows\System32\svchost.exe[360] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076de17b0 5 bytes JMP 0000000076f40310 .text C:\Windows\System32\svchost.exe[360] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076de17f0 5 bytes JMP 0000000076f40390 .text C:\Windows\System32\svchost.exe[360] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076de1840 5 bytes JMP 0000000076f403c0 .text C:\Windows\System32\svchost.exe[360] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076de19a0 1 byte JMP 0000000076f40230 .text C:\Windows\System32\svchost.exe[360] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076de19a2 3 bytes {JMP 0x15e890} .text C:\Windows\System32\svchost.exe[360] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076de1b60 5 bytes JMP 0000000076f40460 .text C:\Windows\System32\svchost.exe[360] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076de1b90 5 bytes JMP 0000000076f40370 .text C:\Windows\System32\svchost.exe[360] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076de1c70 5 bytes JMP 0000000076f402f0 .text C:\Windows\System32\svchost.exe[360] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076de1c80 5 bytes JMP 0000000076f40350 .text C:\Windows\System32\svchost.exe[360] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076de1ce0 5 bytes JMP 0000000076f40290 .text C:\Windows\System32\svchost.exe[360] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076de1d70 5 bytes JMP 0000000076f402b0 .text C:\Windows\System32\svchost.exe[360] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076de1d90 5 bytes JMP 0000000076f403a0 .text C:\Windows\System32\svchost.exe[360] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076de1da0 1 byte JMP 0000000076f40330 .text C:\Windows\System32\svchost.exe[360] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076de1da2 3 bytes {JMP 0x15e590} .text C:\Windows\System32\svchost.exe[360] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076de1e10 5 bytes JMP 0000000076f403e0 .text C:\Windows\System32\svchost.exe[360] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076de1e40 5 bytes JMP 0000000076f40240 .text C:\Windows\System32\svchost.exe[360] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076de2100 5 bytes JMP 0000000076f401e0 .text C:\Windows\System32\svchost.exe[360] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076de21c0 1 byte JMP 0000000076f40250 .text C:\Windows\System32\svchost.exe[360] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076de21c2 3 bytes {JMP 0x15e090} .text C:\Windows\System32\svchost.exe[360] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076de21f0 5 bytes JMP 0000000076f40470 .text C:\Windows\System32\svchost.exe[360] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076de2200 5 bytes JMP 0000000076f40480 .text C:\Windows\System32\svchost.exe[360] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076de2230 5 bytes JMP 0000000076f40300 .text C:\Windows\System32\svchost.exe[360] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076de2240 5 bytes JMP 0000000076f40360 .text C:\Windows\System32\svchost.exe[360] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076de22a0 5 bytes JMP 0000000076f402a0 .text C:\Windows\System32\svchost.exe[360] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076de22f0 5 bytes JMP 0000000076f402c0 .text C:\Windows\System32\svchost.exe[360] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076de2330 5 bytes JMP 0000000076f40340 .text C:\Windows\System32\svchost.exe[360] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076de2620 5 bytes JMP 0000000076f40420 .text C:\Windows\System32\svchost.exe[360] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076de2820 5 bytes JMP 0000000076f40260 .text C:\Windows\System32\svchost.exe[360] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076de2830 5 bytes JMP 0000000076f40270 .text C:\Windows\System32\svchost.exe[360] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076de2840 1 byte JMP 0000000076f403d0 .text C:\Windows\System32\svchost.exe[360] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000076de2842 3 bytes {JMP 0x15db90} .text C:\Windows\System32\svchost.exe[360] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076de2a00 5 bytes JMP 0000000076f401f0 .text C:\Windows\System32\svchost.exe[360] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076de2a10 5 bytes JMP 0000000076f40210 .text C:\Windows\System32\svchost.exe[360] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076de2a80 5 bytes JMP 0000000076f40200 .text C:\Windows\System32\svchost.exe[360] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076de2ae0 5 bytes JMP 0000000076f403f0 .text C:\Windows\System32\svchost.exe[360] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076de2af0 5 bytes JMP 0000000076f40400 .text C:\Windows\System32\svchost.exe[360] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076de2b00 5 bytes JMP 0000000076f40220 .text C:\Windows\System32\svchost.exe[360] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076de2be0 5 bytes JMP 0000000076f40280 .text C:\Windows\System32\svchost.exe[360] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007680eecd 1 byte [62] .text C:\Windows\system32\svchost.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076de13c0 5 bytes JMP 0000000076f40440 .text C:\Windows\system32\svchost.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076de1410 5 bytes JMP 0000000076f40430 .text C:\Windows\system32\svchost.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076de15c0 1 byte JMP 0000000076f40450 .text C:\Windows\system32\svchost.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 0000000076de15c2 3 bytes {JMP 0x15ee90} .text C:\Windows\system32\svchost.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076de15d0 5 bytes JMP 0000000076f403b0 .text C:\Windows\system32\svchost.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076de1680 5 bytes JMP 0000000076f40320 .text C:\Windows\system32\svchost.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076de16b0 5 bytes JMP 0000000076f40380 .text C:\Windows\system32\svchost.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076de1710 5 bytes JMP 0000000076f402e0 .text C:\Windows\system32\svchost.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076de1760 5 bytes JMP 0000000076f40410 .text C:\Windows\system32\svchost.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076de1790 5 bytes JMP 0000000076f402d0 .text C:\Windows\system32\svchost.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076de17b0 5 bytes JMP 0000000076f40310 .text C:\Windows\system32\svchost.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076de17f0 5 bytes JMP 0000000076f40390 .text C:\Windows\system32\svchost.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076de1840 5 bytes JMP 0000000076f403c0 .text C:\Windows\system32\svchost.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076de19a0 1 byte JMP 0000000076f40230 .text C:\Windows\system32\svchost.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076de19a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\svchost.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076de1b60 5 bytes JMP 0000000076f40460 .text C:\Windows\system32\svchost.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076de1b90 5 bytes JMP 0000000076f40370 .text C:\Windows\system32\svchost.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076de1c70 5 bytes JMP 0000000076f402f0 .text C:\Windows\system32\svchost.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076de1c80 5 bytes JMP 0000000076f40350 .text C:\Windows\system32\svchost.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076de1ce0 5 bytes JMP 0000000076f40290 .text C:\Windows\system32\svchost.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076de1d70 5 bytes JMP 0000000076f402b0 .text C:\Windows\system32\svchost.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076de1d90 5 bytes JMP 0000000076f403a0 .text C:\Windows\system32\svchost.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076de1da0 1 byte JMP 0000000076f40330 .text C:\Windows\system32\svchost.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076de1da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\svchost.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076de1e10 5 bytes JMP 0000000076f403e0 .text C:\Windows\system32\svchost.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076de1e40 5 bytes JMP 0000000076f40240 .text C:\Windows\system32\svchost.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076de2100 5 bytes JMP 0000000076f401e0 .text C:\Windows\system32\svchost.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076de21c0 1 byte JMP 0000000076f40250 .text C:\Windows\system32\svchost.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076de21c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\svchost.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076de21f0 5 bytes JMP 0000000076f40470 .text C:\Windows\system32\svchost.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076de2200 5 bytes JMP 0000000076f40480 .text C:\Windows\system32\svchost.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076de2230 5 bytes JMP 0000000076f40300 .text C:\Windows\system32\svchost.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076de2240 5 bytes JMP 0000000076f40360 .text C:\Windows\system32\svchost.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076de22a0 5 bytes JMP 0000000076f402a0 .text C:\Windows\system32\svchost.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076de22f0 5 bytes JMP 0000000076f402c0 .text C:\Windows\system32\svchost.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076de2330 5 bytes JMP 0000000076f40340 .text C:\Windows\system32\svchost.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076de2620 5 bytes JMP 0000000076f40420 .text C:\Windows\system32\svchost.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076de2820 5 bytes JMP 0000000076f40260 .text C:\Windows\system32\svchost.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076de2830 5 bytes JMP 0000000076f40270 .text C:\Windows\system32\svchost.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076de2840 1 byte JMP 0000000076f403d0 .text C:\Windows\system32\svchost.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000076de2842 3 bytes {JMP 0x15db90} .text C:\Windows\system32\svchost.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076de2a00 5 bytes JMP 0000000076f401f0 .text C:\Windows\system32\svchost.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076de2a10 5 bytes JMP 0000000076f40210 .text C:\Windows\system32\svchost.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076de2a80 5 bytes JMP 0000000076f40200 .text C:\Windows\system32\svchost.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076de2ae0 5 bytes JMP 0000000076f403f0 .text C:\Windows\system32\svchost.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076de2af0 5 bytes JMP 0000000076f40400 .text C:\Windows\system32\svchost.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076de2b00 5 bytes JMP 0000000076f40220 .text C:\Windows\system32\svchost.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076de2be0 5 bytes JMP 0000000076f40280 .text C:\Windows\system32\svchost.exe[444] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007680eecd 1 byte [62] .text C:\Windows\system32\svchost.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076de13c0 5 bytes JMP 0000000076f40440 .text C:\Windows\system32\svchost.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076de1410 5 bytes JMP 0000000076f40430 .text C:\Windows\system32\svchost.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076de15c0 1 byte JMP 0000000076f40450 .text C:\Windows\system32\svchost.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 0000000076de15c2 3 bytes {JMP 0x15ee90} .text C:\Windows\system32\svchost.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076de15d0 5 bytes JMP 0000000076f403b0 .text C:\Windows\system32\svchost.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076de1680 5 bytes JMP 0000000076f40320 .text C:\Windows\system32\svchost.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076de16b0 5 bytes JMP 0000000076f40380 .text C:\Windows\system32\svchost.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076de1710 5 bytes JMP 0000000076f402e0 .text C:\Windows\system32\svchost.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076de1760 5 bytes JMP 0000000076f40410 .text C:\Windows\system32\svchost.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076de1790 5 bytes JMP 0000000076f402d0 .text C:\Windows\system32\svchost.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076de17b0 5 bytes JMP 0000000076f40310 .text C:\Windows\system32\svchost.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076de17f0 5 bytes JMP 0000000076f40390 .text C:\Windows\system32\svchost.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076de1840 5 bytes JMP 0000000076f403c0 .text C:\Windows\system32\svchost.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076de19a0 1 byte JMP 0000000076f40230 .text C:\Windows\system32\svchost.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076de19a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\svchost.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076de1b60 5 bytes JMP 0000000076f40460 .text C:\Windows\system32\svchost.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076de1b90 5 bytes JMP 0000000076f40370 .text C:\Windows\system32\svchost.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076de1c70 5 bytes JMP 0000000076f402f0 .text C:\Windows\system32\svchost.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076de1c80 5 bytes JMP 0000000076f40350 .text C:\Windows\system32\svchost.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076de1ce0 5 bytes JMP 0000000076f40290 .text C:\Windows\system32\svchost.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076de1d70 5 bytes JMP 0000000076f402b0 .text C:\Windows\system32\svchost.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076de1d90 5 bytes JMP 0000000076f403a0 .text C:\Windows\system32\svchost.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076de1da0 1 byte JMP 0000000076f40330 .text C:\Windows\system32\svchost.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076de1da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\svchost.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076de1e10 5 bytes JMP 0000000076f403e0 .text C:\Windows\system32\svchost.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076de1e40 5 bytes JMP 0000000076f40240 .text C:\Windows\system32\svchost.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076de2100 5 bytes JMP 0000000076f401e0 .text C:\Windows\system32\svchost.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076de21c0 1 byte JMP 0000000076f40250 .text C:\Windows\system32\svchost.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076de21c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\svchost.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076de21f0 5 bytes JMP 0000000076f40470 .text C:\Windows\system32\svchost.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076de2200 5 bytes JMP 0000000076f40480 .text C:\Windows\system32\svchost.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076de2230 5 bytes JMP 0000000076f40300 .text C:\Windows\system32\svchost.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076de2240 5 bytes JMP 0000000076f40360 .text C:\Windows\system32\svchost.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076de22a0 5 bytes JMP 0000000076f402a0 .text C:\Windows\system32\svchost.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076de22f0 5 bytes JMP 0000000076f402c0 .text C:\Windows\system32\svchost.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076de2330 5 bytes JMP 0000000076f40340 .text C:\Windows\system32\svchost.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076de2620 5 bytes JMP 0000000076f40420 .text C:\Windows\system32\svchost.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076de2820 5 bytes JMP 0000000076f40260 .text C:\Windows\system32\svchost.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076de2830 5 bytes JMP 0000000076f40270 .text C:\Windows\system32\svchost.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076de2840 1 byte JMP 0000000076f403d0 .text C:\Windows\system32\svchost.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000076de2842 3 bytes {JMP 0x15db90} .text C:\Windows\system32\svchost.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076de2a00 5 bytes JMP 0000000076f401f0 .text C:\Windows\system32\svchost.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076de2a10 5 bytes JMP 0000000076f40210 .text C:\Windows\system32\svchost.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076de2a80 5 bytes JMP 0000000076f40200 .text C:\Windows\system32\svchost.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076de2ae0 5 bytes JMP 0000000076f403f0 .text C:\Windows\system32\svchost.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076de2af0 5 bytes JMP 0000000076f40400 .text C:\Windows\system32\svchost.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076de2b00 5 bytes JMP 0000000076f40220 .text C:\Windows\system32\svchost.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076de2be0 5 bytes JMP 0000000076f40280 .text C:\Windows\system32\svchost.exe[520] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007680eecd 1 byte [62] .text C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_amd64_neutral_960c1f056a541068\STacSV64.exe[712] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007680eecd 1 byte [62] .text C:\Windows\system32\AUDIODG.EXE[1084] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076de13c0 5 bytes JMP 0000000076f40440 .text C:\Windows\system32\AUDIODG.EXE[1084] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076de1410 5 bytes JMP 0000000076f40430 .text C:\Windows\system32\AUDIODG.EXE[1084] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076de15c0 1 byte JMP 0000000076f40450 .text C:\Windows\system32\AUDIODG.EXE[1084] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 0000000076de15c2 3 bytes {JMP 0x15ee90} .text C:\Windows\system32\AUDIODG.EXE[1084] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076de15d0 5 bytes JMP 0000000076f403b0 .text C:\Windows\system32\AUDIODG.EXE[1084] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076de1680 5 bytes JMP 0000000076f40320 .text C:\Windows\system32\AUDIODG.EXE[1084] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076de16b0 5 bytes JMP 0000000076f40380 .text C:\Windows\system32\AUDIODG.EXE[1084] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076de1710 5 bytes JMP 0000000076f402e0 .text C:\Windows\system32\AUDIODG.EXE[1084] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076de1760 5 bytes JMP 0000000076f40410 .text C:\Windows\system32\AUDIODG.EXE[1084] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076de1790 5 bytes JMP 0000000076f402d0 .text C:\Windows\system32\AUDIODG.EXE[1084] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076de17b0 5 bytes JMP 0000000076f40310 .text C:\Windows\system32\AUDIODG.EXE[1084] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076de17f0 5 bytes JMP 0000000076f40390 .text C:\Windows\system32\AUDIODG.EXE[1084] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076de1840 5 bytes JMP 0000000076f403c0 .text C:\Windows\system32\AUDIODG.EXE[1084] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076de19a0 1 byte JMP 0000000076f40230 .text C:\Windows\system32\AUDIODG.EXE[1084] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076de19a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\AUDIODG.EXE[1084] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076de1b60 5 bytes JMP 0000000076f40460 .text C:\Windows\system32\AUDIODG.EXE[1084] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076de1b90 5 bytes JMP 0000000076f40370 .text C:\Windows\system32\AUDIODG.EXE[1084] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076de1c70 5 bytes JMP 0000000076f402f0 .text C:\Windows\system32\AUDIODG.EXE[1084] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076de1c80 5 bytes JMP 0000000076f40350 .text C:\Windows\system32\AUDIODG.EXE[1084] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076de1ce0 5 bytes JMP 0000000076f40290 .text C:\Windows\system32\AUDIODG.EXE[1084] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076de1d70 5 bytes JMP 0000000076f402b0 .text C:\Windows\system32\AUDIODG.EXE[1084] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076de1d90 5 bytes JMP 0000000076f403a0 .text C:\Windows\system32\AUDIODG.EXE[1084] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076de1da0 1 byte JMP 0000000076f40330 .text C:\Windows\system32\AUDIODG.EXE[1084] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076de1da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\AUDIODG.EXE[1084] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076de1e10 5 bytes JMP 0000000076f403e0 .text C:\Windows\system32\AUDIODG.EXE[1084] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076de1e40 5 bytes JMP 0000000076f40240 .text C:\Windows\system32\AUDIODG.EXE[1084] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076de2100 5 bytes JMP 0000000076f401e0 .text C:\Windows\system32\AUDIODG.EXE[1084] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076de21c0 1 byte JMP 0000000076f40250 .text C:\Windows\system32\AUDIODG.EXE[1084] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076de21c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\AUDIODG.EXE[1084] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076de21f0 5 bytes JMP 0000000076f40470 .text C:\Windows\system32\AUDIODG.EXE[1084] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076de2200 5 bytes JMP 0000000076f40480 .text C:\Windows\system32\AUDIODG.EXE[1084] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076de2230 5 bytes JMP 0000000076f40300 .text C:\Windows\system32\AUDIODG.EXE[1084] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076de2240 5 bytes JMP 0000000076f40360 .text C:\Windows\system32\AUDIODG.EXE[1084] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076de22a0 5 bytes JMP 0000000076f402a0 .text C:\Windows\system32\AUDIODG.EXE[1084] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076de22f0 5 bytes JMP 0000000076f402c0 .text C:\Windows\system32\AUDIODG.EXE[1084] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076de2330 5 bytes JMP 0000000076f40340 .text C:\Windows\system32\AUDIODG.EXE[1084] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076de2620 5 bytes JMP 0000000076f40420 .text C:\Windows\system32\AUDIODG.EXE[1084] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076de2820 5 bytes JMP 0000000076f40260 .text C:\Windows\system32\AUDIODG.EXE[1084] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076de2830 5 bytes JMP 0000000076f40270 .text C:\Windows\system32\AUDIODG.EXE[1084] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076de2840 1 byte JMP 0000000076f403d0 .text C:\Windows\system32\AUDIODG.EXE[1084] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000076de2842 3 bytes {JMP 0x15db90} .text C:\Windows\system32\AUDIODG.EXE[1084] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076de2a00 5 bytes JMP 0000000076f401f0 .text C:\Windows\system32\AUDIODG.EXE[1084] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076de2a10 5 bytes JMP 0000000076f40210 .text C:\Windows\system32\AUDIODG.EXE[1084] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076de2a80 5 bytes JMP 0000000076f40200 .text C:\Windows\system32\AUDIODG.EXE[1084] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076de2ae0 5 bytes JMP 0000000076f403f0 .text C:\Windows\system32\AUDIODG.EXE[1084] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076de2af0 5 bytes JMP 0000000076f40400 .text C:\Windows\system32\AUDIODG.EXE[1084] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076de2b00 5 bytes JMP 0000000076f40220 .text C:\Windows\system32\AUDIODG.EXE[1084] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076de2be0 5 bytes JMP 0000000076f40280 .text C:\Windows\system32\AUDIODG.EXE[1084] C:\Windows\System32\kernel32.dll!GetBinaryTypeW + 189 000000007680eecd 1 byte [62] .text C:\Windows\system32\atieclxx.exe[1316] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076de13c0 5 bytes JMP 0000000076f40440 .text C:\Windows\system32\atieclxx.exe[1316] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076de1410 5 bytes JMP 0000000076f40430 .text C:\Windows\system32\atieclxx.exe[1316] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076de15c0 1 byte JMP 0000000076f40450 .text C:\Windows\system32\atieclxx.exe[1316] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 0000000076de15c2 3 bytes {JMP 0x15ee90} .text C:\Windows\system32\atieclxx.exe[1316] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076de15d0 5 bytes JMP 0000000076f403b0 .text C:\Windows\system32\atieclxx.exe[1316] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076de1680 5 bytes JMP 0000000076f40320 .text C:\Windows\system32\atieclxx.exe[1316] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076de16b0 5 bytes JMP 0000000076f40380 .text C:\Windows\system32\atieclxx.exe[1316] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076de1710 5 bytes JMP 0000000076f402e0 .text C:\Windows\system32\atieclxx.exe[1316] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076de1760 5 bytes JMP 0000000076f40410 .text C:\Windows\system32\atieclxx.exe[1316] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076de1790 5 bytes JMP 0000000076f402d0 .text C:\Windows\system32\atieclxx.exe[1316] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076de17b0 5 bytes JMP 0000000076f40310 .text C:\Windows\system32\atieclxx.exe[1316] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076de17f0 5 bytes JMP 0000000076f40390 .text C:\Windows\system32\atieclxx.exe[1316] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076de1840 5 bytes JMP 0000000076f403c0 .text C:\Windows\system32\atieclxx.exe[1316] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076de19a0 1 byte JMP 0000000076f40230 .text C:\Windows\system32\atieclxx.exe[1316] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076de19a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\atieclxx.exe[1316] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076de1b60 5 bytes JMP 0000000076f40460 .text C:\Windows\system32\atieclxx.exe[1316] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076de1b90 5 bytes JMP 0000000076f40370 .text C:\Windows\system32\atieclxx.exe[1316] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076de1c70 5 bytes JMP 0000000076f402f0 .text C:\Windows\system32\atieclxx.exe[1316] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076de1c80 5 bytes JMP 0000000076f40350 .text C:\Windows\system32\atieclxx.exe[1316] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076de1ce0 5 bytes JMP 0000000076f40290 .text C:\Windows\system32\atieclxx.exe[1316] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076de1d70 5 bytes JMP 0000000076f402b0 .text C:\Windows\system32\atieclxx.exe[1316] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076de1d90 5 bytes JMP 0000000076f403a0 .text C:\Windows\system32\atieclxx.exe[1316] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076de1da0 1 byte JMP 0000000076f40330 .text C:\Windows\system32\atieclxx.exe[1316] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076de1da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\atieclxx.exe[1316] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076de1e10 5 bytes JMP 0000000076f403e0 .text C:\Windows\system32\atieclxx.exe[1316] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076de1e40 5 bytes JMP 0000000076f40240 .text C:\Windows\system32\atieclxx.exe[1316] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076de2100 5 bytes JMP 0000000076f401e0 .text C:\Windows\system32\atieclxx.exe[1316] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076de21c0 1 byte JMP 0000000076f40250 .text C:\Windows\system32\atieclxx.exe[1316] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076de21c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\atieclxx.exe[1316] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076de21f0 5 bytes JMP 0000000076f40470 .text C:\Windows\system32\atieclxx.exe[1316] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076de2200 5 bytes JMP 0000000076f40480 .text C:\Windows\system32\atieclxx.exe[1316] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076de2230 5 bytes JMP 0000000076f40300 .text C:\Windows\system32\atieclxx.exe[1316] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076de2240 5 bytes JMP 0000000076f40360 .text C:\Windows\system32\atieclxx.exe[1316] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076de22a0 5 bytes JMP 0000000076f402a0 .text C:\Windows\system32\atieclxx.exe[1316] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076de22f0 5 bytes JMP 0000000076f402c0 .text C:\Windows\system32\atieclxx.exe[1316] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076de2330 5 bytes JMP 0000000076f40340 .text C:\Windows\system32\atieclxx.exe[1316] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076de2620 5 bytes JMP 0000000076f40420 .text C:\Windows\system32\atieclxx.exe[1316] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076de2820 5 bytes JMP 0000000076f40260 .text C:\Windows\system32\atieclxx.exe[1316] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076de2830 5 bytes JMP 0000000076f40270 .text C:\Windows\system32\atieclxx.exe[1316] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076de2840 1 byte JMP 0000000076f403d0 .text C:\Windows\system32\atieclxx.exe[1316] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000076de2842 3 bytes {JMP 0x15db90} .text C:\Windows\system32\atieclxx.exe[1316] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076de2a00 5 bytes JMP 0000000076f401f0 .text C:\Windows\system32\atieclxx.exe[1316] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076de2a10 5 bytes JMP 0000000076f40210 .text C:\Windows\system32\atieclxx.exe[1316] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076de2a80 5 bytes JMP 0000000076f40200 .text C:\Windows\system32\atieclxx.exe[1316] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076de2ae0 5 bytes JMP 0000000076f403f0 .text C:\Windows\system32\atieclxx.exe[1316] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076de2af0 5 bytes JMP 0000000076f40400 .text C:\Windows\system32\atieclxx.exe[1316] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076de2b00 5 bytes JMP 0000000076f40220 .text C:\Windows\system32\atieclxx.exe[1316] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076de2be0 5 bytes JMP 0000000076f40280 .text C:\Windows\system32\svchost.exe[1512] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076de13c0 5 bytes JMP 0000000076f40440 .text C:\Windows\system32\svchost.exe[1512] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076de1410 5 bytes JMP 0000000076f40430 .text C:\Windows\system32\svchost.exe[1512] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076de15c0 1 byte JMP 0000000076f40450 .text C:\Windows\system32\svchost.exe[1512] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 0000000076de15c2 3 bytes {JMP 0x15ee90} .text C:\Windows\system32\svchost.exe[1512] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076de15d0 5 bytes JMP 0000000076f403b0 .text C:\Windows\system32\svchost.exe[1512] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076de1680 5 bytes JMP 0000000076f40320 .text C:\Windows\system32\svchost.exe[1512] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076de16b0 5 bytes JMP 0000000076f40380 .text C:\Windows\system32\svchost.exe[1512] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076de1710 5 bytes JMP 0000000076f402e0 .text C:\Windows\system32\svchost.exe[1512] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076de1760 5 bytes JMP 0000000076f40410 .text C:\Windows\system32\svchost.exe[1512] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076de1790 5 bytes JMP 0000000076f402d0 .text C:\Windows\system32\svchost.exe[1512] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076de17b0 5 bytes JMP 0000000076f40310 .text C:\Windows\system32\svchost.exe[1512] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076de17f0 5 bytes JMP 0000000076f40390 .text C:\Windows\system32\svchost.exe[1512] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076de1840 5 bytes JMP 0000000076f403c0 .text C:\Windows\system32\svchost.exe[1512] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076de19a0 1 byte JMP 0000000076f40230 .text C:\Windows\system32\svchost.exe[1512] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076de19a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\svchost.exe[1512] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076de1b60 5 bytes JMP 0000000076f40460 .text C:\Windows\system32\svchost.exe[1512] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076de1b90 5 bytes JMP 0000000076f40370 .text C:\Windows\system32\svchost.exe[1512] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076de1c70 5 bytes JMP 0000000076f402f0 .text C:\Windows\system32\svchost.exe[1512] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076de1c80 5 bytes JMP 0000000076f40350 .text C:\Windows\system32\svchost.exe[1512] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076de1ce0 5 bytes JMP 0000000076f40290 .text C:\Windows\system32\svchost.exe[1512] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076de1d70 5 bytes JMP 0000000076f402b0 .text C:\Windows\system32\svchost.exe[1512] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076de1d90 5 bytes JMP 0000000076f403a0 .text C:\Windows\system32\svchost.exe[1512] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076de1da0 1 byte JMP 0000000076f40330 .text C:\Windows\system32\svchost.exe[1512] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076de1da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\svchost.exe[1512] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076de1e10 5 bytes JMP 0000000076f403e0 .text C:\Windows\system32\svchost.exe[1512] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076de1e40 5 bytes JMP 0000000076f40240 .text C:\Windows\system32\svchost.exe[1512] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076de2100 5 bytes JMP 0000000076f401e0 .text C:\Windows\system32\svchost.exe[1512] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076de21c0 1 byte JMP 0000000076f40250 .text C:\Windows\system32\svchost.exe[1512] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076de21c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\svchost.exe[1512] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076de21f0 5 bytes JMP 0000000076f40470 .text C:\Windows\system32\svchost.exe[1512] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076de2200 5 bytes JMP 0000000076f40480 .text C:\Windows\system32\svchost.exe[1512] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076de2230 5 bytes JMP 0000000076f40300 .text C:\Windows\system32\svchost.exe[1512] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076de2240 5 bytes JMP 0000000076f40360 .text C:\Windows\system32\svchost.exe[1512] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076de22a0 5 bytes JMP 0000000076f402a0 .text C:\Windows\system32\svchost.exe[1512] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076de22f0 5 bytes JMP 0000000076f402c0 .text C:\Windows\system32\svchost.exe[1512] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076de2330 5 bytes JMP 0000000076f40340 .text C:\Windows\system32\svchost.exe[1512] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076de2620 5 bytes JMP 0000000076f40420 .text C:\Windows\system32\svchost.exe[1512] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076de2820 5 bytes JMP 0000000076f40260 .text C:\Windows\system32\svchost.exe[1512] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076de2830 5 bytes JMP 0000000076f40270 .text C:\Windows\system32\svchost.exe[1512] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076de2840 1 byte JMP 0000000076f403d0 .text C:\Windows\system32\svchost.exe[1512] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000076de2842 3 bytes {JMP 0x15db90} .text C:\Windows\system32\svchost.exe[1512] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076de2a00 5 bytes JMP 0000000076f401f0 .text C:\Windows\system32\svchost.exe[1512] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076de2a10 5 bytes JMP 0000000076f40210 .text C:\Windows\system32\svchost.exe[1512] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076de2a80 5 bytes JMP 0000000076f40200 .text C:\Windows\system32\svchost.exe[1512] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076de2ae0 5 bytes JMP 0000000076f403f0 .text C:\Windows\system32\svchost.exe[1512] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076de2af0 5 bytes JMP 0000000076f40400 .text C:\Windows\system32\svchost.exe[1512] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076de2b00 5 bytes JMP 0000000076f40220 .text C:\Windows\system32\svchost.exe[1512] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076de2be0 5 bytes JMP 0000000076f40280 .text C:\Windows\system32\svchost.exe[1512] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007680eecd 1 byte [62] .text C:\Windows\system32\svchost.exe[1660] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076de13c0 5 bytes JMP 0000000076f40440 .text C:\Windows\system32\svchost.exe[1660] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076de1410 5 bytes JMP 0000000076f40430 .text C:\Windows\system32\svchost.exe[1660] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076de15c0 1 byte JMP 0000000076f40450 .text C:\Windows\system32\svchost.exe[1660] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 0000000076de15c2 3 bytes {JMP 0x15ee90} .text C:\Windows\system32\svchost.exe[1660] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076de15d0 5 bytes JMP 0000000076f403b0 .text C:\Windows\system32\svchost.exe[1660] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076de1680 5 bytes JMP 0000000076f40320 .text C:\Windows\system32\svchost.exe[1660] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076de16b0 5 bytes JMP 0000000076f40380 .text C:\Windows\system32\svchost.exe[1660] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076de1710 5 bytes JMP 0000000076f402e0 .text C:\Windows\system32\svchost.exe[1660] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076de1760 5 bytes JMP 0000000076f40410 .text C:\Windows\system32\svchost.exe[1660] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076de1790 5 bytes JMP 0000000076f402d0 .text C:\Windows\system32\svchost.exe[1660] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076de17b0 5 bytes JMP 0000000076f40310 .text C:\Windows\system32\svchost.exe[1660] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076de17f0 5 bytes JMP 0000000076f40390 .text C:\Windows\system32\svchost.exe[1660] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076de1840 5 bytes JMP 0000000076f403c0 .text C:\Windows\system32\svchost.exe[1660] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076de19a0 1 byte JMP 0000000076f40230 .text C:\Windows\system32\svchost.exe[1660] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076de19a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\svchost.exe[1660] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076de1b60 5 bytes JMP 0000000076f40460 .text C:\Windows\system32\svchost.exe[1660] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076de1b90 5 bytes JMP 0000000076f40370 .text C:\Windows\system32\svchost.exe[1660] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076de1c70 5 bytes JMP 0000000076f402f0 .text C:\Windows\system32\svchost.exe[1660] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076de1c80 5 bytes JMP 0000000076f40350 .text C:\Windows\system32\svchost.exe[1660] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076de1ce0 5 bytes JMP 0000000076f40290 .text C:\Windows\system32\svchost.exe[1660] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076de1d70 5 bytes JMP 0000000076f402b0 .text C:\Windows\system32\svchost.exe[1660] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076de1d90 5 bytes JMP 0000000076f403a0 .text C:\Windows\system32\svchost.exe[1660] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076de1da0 1 byte JMP 0000000076f40330 .text C:\Windows\system32\svchost.exe[1660] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076de1da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\svchost.exe[1660] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076de1e10 5 bytes JMP 0000000076f403e0 .text C:\Windows\system32\svchost.exe[1660] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076de1e40 5 bytes JMP 0000000076f40240 .text C:\Windows\system32\svchost.exe[1660] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076de2100 5 bytes JMP 0000000076f401e0 .text C:\Windows\system32\svchost.exe[1660] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076de21c0 1 byte JMP 0000000076f40250 .text C:\Windows\system32\svchost.exe[1660] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076de21c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\svchost.exe[1660] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076de21f0 5 bytes JMP 0000000076f40470 .text C:\Windows\system32\svchost.exe[1660] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076de2200 5 bytes JMP 0000000076f40480 .text C:\Windows\system32\svchost.exe[1660] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076de2230 5 bytes JMP 0000000076f40300 .text C:\Windows\system32\svchost.exe[1660] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076de2240 5 bytes JMP 0000000076f40360 .text C:\Windows\system32\svchost.exe[1660] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076de22a0 5 bytes JMP 0000000076f402a0 .text C:\Windows\system32\svchost.exe[1660] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076de22f0 5 bytes JMP 0000000076f402c0 .text C:\Windows\system32\svchost.exe[1660] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076de2330 5 bytes JMP 0000000076f40340 .text C:\Windows\system32\svchost.exe[1660] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076de2620 5 bytes JMP 0000000076f40420 .text C:\Windows\system32\svchost.exe[1660] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076de2820 5 bytes JMP 0000000076f40260 .text C:\Windows\system32\svchost.exe[1660] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076de2830 5 bytes JMP 0000000076f40270 .text C:\Windows\system32\svchost.exe[1660] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076de2840 1 byte JMP 0000000076f403d0 .text C:\Windows\system32\svchost.exe[1660] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000076de2842 3 bytes {JMP 0x15db90} .text C:\Windows\system32\svchost.exe[1660] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076de2a00 5 bytes JMP 0000000076f401f0 .text C:\Windows\system32\svchost.exe[1660] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076de2a10 5 bytes JMP 0000000076f40210 .text C:\Windows\system32\svchost.exe[1660] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076de2a80 5 bytes JMP 0000000076f40200 .text C:\Windows\system32\svchost.exe[1660] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076de2ae0 5 bytes JMP 0000000076f403f0 .text C:\Windows\system32\svchost.exe[1660] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076de2af0 5 bytes JMP 0000000076f40400 .text C:\Windows\system32\svchost.exe[1660] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076de2b00 5 bytes JMP 0000000076f40220 .text C:\Windows\system32\svchost.exe[1660] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076de2be0 5 bytes JMP 0000000076f40280 .text C:\Windows\system32\svchost.exe[1660] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007680eecd 1 byte [62] .text C:\Windows\System32\spoolsv.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076de13c0 5 bytes JMP 0000000076f40440 .text C:\Windows\System32\spoolsv.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076de1410 5 bytes JMP 0000000076f40430 .text C:\Windows\System32\spoolsv.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076de15c0 1 byte JMP 0000000076f40450 .text C:\Windows\System32\spoolsv.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 0000000076de15c2 3 bytes {JMP 0x15ee90} .text C:\Windows\System32\spoolsv.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076de15d0 5 bytes JMP 0000000076f403b0 .text C:\Windows\System32\spoolsv.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076de1680 5 bytes JMP 0000000076f40320 .text C:\Windows\System32\spoolsv.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076de16b0 5 bytes JMP 0000000076f40380 .text C:\Windows\System32\spoolsv.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076de1710 5 bytes JMP 0000000076f402e0 .text C:\Windows\System32\spoolsv.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076de1760 5 bytes JMP 0000000076f40410 .text C:\Windows\System32\spoolsv.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076de1790 5 bytes JMP 0000000076f402d0 .text C:\Windows\System32\spoolsv.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076de17b0 5 bytes JMP 0000000076f40310 .text C:\Windows\System32\spoolsv.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076de17f0 5 bytes JMP 0000000076f40390 .text C:\Windows\System32\spoolsv.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076de1840 5 bytes JMP 0000000076f403c0 .text C:\Windows\System32\spoolsv.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076de19a0 1 byte JMP 0000000076f40230 .text C:\Windows\System32\spoolsv.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076de19a2 3 bytes {JMP 0x15e890} .text C:\Windows\System32\spoolsv.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076de1b60 5 bytes JMP 0000000076f40460 .text C:\Windows\System32\spoolsv.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076de1b90 5 bytes JMP 0000000076f40370 .text C:\Windows\System32\spoolsv.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076de1c70 5 bytes JMP 0000000076f402f0 .text C:\Windows\System32\spoolsv.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076de1c80 5 bytes JMP 0000000076f40350 .text C:\Windows\System32\spoolsv.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076de1ce0 5 bytes JMP 0000000076f40290 .text C:\Windows\System32\spoolsv.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076de1d70 5 bytes JMP 0000000076f402b0 .text C:\Windows\System32\spoolsv.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076de1d90 5 bytes JMP 0000000076f403a0 .text C:\Windows\System32\spoolsv.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076de1da0 1 byte JMP 0000000076f40330 .text C:\Windows\System32\spoolsv.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076de1da2 3 bytes {JMP 0x15e590} .text C:\Windows\System32\spoolsv.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076de1e10 5 bytes JMP 0000000076f403e0 .text C:\Windows\System32\spoolsv.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076de1e40 5 bytes JMP 0000000076f40240 .text C:\Windows\System32\spoolsv.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076de2100 5 bytes JMP 0000000076f401e0 .text C:\Windows\System32\spoolsv.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076de21c0 1 byte JMP 0000000076f40250 .text C:\Windows\System32\spoolsv.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076de21c2 3 bytes {JMP 0x15e090} .text C:\Windows\System32\spoolsv.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076de21f0 5 bytes JMP 0000000076f40470 .text C:\Windows\System32\spoolsv.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076de2200 5 bytes JMP 0000000076f40480 .text C:\Windows\System32\spoolsv.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076de2230 5 bytes JMP 0000000076f40300 .text C:\Windows\System32\spoolsv.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076de2240 5 bytes JMP 0000000076f40360 .text C:\Windows\System32\spoolsv.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076de22a0 5 bytes JMP 0000000076f402a0 .text C:\Windows\System32\spoolsv.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076de22f0 5 bytes JMP 0000000076f402c0 .text C:\Windows\System32\spoolsv.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076de2330 5 bytes JMP 0000000076f40340 .text C:\Windows\System32\spoolsv.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076de2620 5 bytes JMP 0000000076f40420 .text C:\Windows\System32\spoolsv.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076de2820 5 bytes JMP 0000000076f40260 .text C:\Windows\System32\spoolsv.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076de2830 5 bytes JMP 0000000076f40270 .text C:\Windows\System32\spoolsv.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076de2840 1 byte JMP 0000000076f403d0 .text C:\Windows\System32\spoolsv.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000076de2842 3 bytes {JMP 0x15db90} .text C:\Windows\System32\spoolsv.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076de2a00 5 bytes JMP 0000000076f401f0 .text C:\Windows\System32\spoolsv.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076de2a10 5 bytes JMP 0000000076f40210 .text C:\Windows\System32\spoolsv.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076de2a80 5 bytes JMP 0000000076f40200 .text C:\Windows\System32\spoolsv.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076de2ae0 5 bytes JMP 0000000076f403f0 .text C:\Windows\System32\spoolsv.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076de2af0 5 bytes JMP 0000000076f40400 .text C:\Windows\System32\spoolsv.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076de2b00 5 bytes JMP 0000000076f40220 .text C:\Windows\System32\spoolsv.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076de2be0 5 bytes JMP 0000000076f40280 .text C:\Windows\System32\spoolsv.exe[1800] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007680eecd 1 byte [62] .text C:\Program Files (x86)\DigitalPersona\Bin\DpHostW.exe[1868] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000746ea30a 1 byte [62] .text C:\Program Files (x86)\DigitalPersona\Bin\DpHostW.exe[1868] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076281465 2 bytes [28, 76] .text C:\Program Files (x86)\DigitalPersona\Bin\DpHostW.exe[1868] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000762814bb 2 bytes [28, 76] .text ... * 2 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1396] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000746ea30a 1 byte [62] .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2052] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076de13c0 5 bytes JMP 0000000076f40440 .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2052] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076de1410 5 bytes JMP 0000000076f40430 .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2052] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076de15c0 1 byte JMP 0000000076f40450 .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2052] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 0000000076de15c2 3 bytes {JMP 0x15ee90} .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2052] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076de15d0 5 bytes JMP 0000000076f403b0 .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2052] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076de1680 5 bytes JMP 0000000076f40320 .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2052] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076de16b0 5 bytes JMP 0000000076f40380 .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2052] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076de1710 5 bytes JMP 0000000076f402e0 .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2052] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076de1760 5 bytes JMP 0000000076f40410 .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2052] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076de1790 5 bytes JMP 0000000076f402d0 .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2052] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076de17b0 5 bytes JMP 0000000076f40310 .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2052] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076de17f0 5 bytes JMP 0000000076f40390 .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2052] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076de1840 5 bytes JMP 0000000076f403c0 .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2052] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076de19a0 1 byte JMP 0000000076f40230 .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2052] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076de19a2 3 bytes {JMP 0x15e890} .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2052] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076de1b60 5 bytes JMP 0000000076f40460 .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2052] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076de1b90 5 bytes JMP 0000000076f40370 .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2052] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076de1c70 5 bytes JMP 0000000076f402f0 .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2052] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076de1c80 5 bytes JMP 0000000076f40350 .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2052] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076de1ce0 5 bytes JMP 0000000076f40290 .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2052] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076de1d70 5 bytes JMP 0000000076f402b0 .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2052] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076de1d90 5 bytes JMP 0000000076f403a0 .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2052] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076de1da0 1 byte JMP 0000000076f40330 .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2052] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076de1da2 3 bytes {JMP 0x15e590} .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2052] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076de1e10 5 bytes JMP 0000000076f403e0 .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2052] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076de1e40 5 bytes JMP 0000000076f40240 .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2052] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076de2100 5 bytes JMP 0000000076f401e0 .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2052] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076de21c0 1 byte JMP 0000000076f40250 .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2052] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076de21c2 3 bytes {JMP 0x15e090} .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2052] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076de21f0 5 bytes JMP 0000000076f40470 .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2052] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076de2200 5 bytes JMP 0000000076f40480 .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2052] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076de2230 5 bytes JMP 0000000076f40300 .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2052] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076de2240 5 bytes JMP 0000000076f40360 .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2052] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076de22a0 5 bytes JMP 0000000076f402a0 .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2052] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076de22f0 5 bytes JMP 0000000076f402c0 .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2052] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076de2330 5 bytes JMP 0000000076f40340 .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2052] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076de2620 5 bytes JMP 0000000076f40420 .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2052] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076de2820 5 bytes JMP 0000000076f40260 .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2052] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076de2830 5 bytes JMP 0000000076f40270 .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2052] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076de2840 1 byte JMP 0000000076f403d0 .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2052] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000076de2842 3 bytes {JMP 0x15db90} .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2052] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076de2a00 5 bytes JMP 0000000076f401f0 .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2052] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076de2a10 5 bytes JMP 0000000076f40210 .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2052] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076de2a80 5 bytes JMP 0000000076f40200 .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2052] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076de2ae0 5 bytes JMP 0000000076f403f0 .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2052] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076de2af0 5 bytes JMP 0000000076f40400 .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2052] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076de2b00 5 bytes JMP 0000000076f40220 .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2052] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076de2be0 5 bytes JMP 0000000076f40280 .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2052] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007680eecd 1 byte [62] .text C:\ProgramData\DatacardService\DCService.exe[2088] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000746ea30a 1 byte [62] .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[2172] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000746ea30a 1 byte [62] .text C:\Program Files (x86)\RealNetworks\RealDownloader\rndlresolversvc.exe[2436] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 0000000076f8faa0 5 bytes JMP 0000000100030600 .text C:\Program Files (x86)\RealNetworks\RealDownloader\rndlresolversvc.exe[2436] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 0000000076f8fb38 5 bytes JMP 0000000100030804 .text C:\Program Files (x86)\RealNetworks\RealDownloader\rndlresolversvc.exe[2436] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000076f8fc90 5 bytes JMP 0000000100030c0c .text C:\Program Files (x86)\RealNetworks\RealDownloader\rndlresolversvc.exe[2436] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000076f90018 5 bytes JMP 0000000100030a08 .text C:\Program Files (x86)\RealNetworks\RealDownloader\rndlresolversvc.exe[2436] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000076fac45a 5 bytes JMP 00000001000301f8 .text C:\Program Files (x86)\RealNetworks\RealDownloader\rndlresolversvc.exe[2436] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000076fb1217 5 bytes JMP 00000001000303fc .text C:\Program Files (x86)\RealNetworks\RealDownloader\rndlresolversvc.exe[2436] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 00000000746ea30a 1 byte [62] .text C:\Program Files (x86)\RealNetworks\RealDownloader\rndlresolversvc.exe[2436] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000075b4ee09 5 bytes JMP 00000001000f01f8 .text C:\Program Files (x86)\RealNetworks\RealDownloader\rndlresolversvc.exe[2436] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000075b53982 5 bytes JMP 00000001000f03fc .text C:\Program Files (x86)\RealNetworks\RealDownloader\rndlresolversvc.exe[2436] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000075b57603 5 bytes JMP 00000001000f0804 .text C:\Program Files (x86)\RealNetworks\RealDownloader\rndlresolversvc.exe[2436] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000075b5835c 5 bytes JMP 00000001000f0600 .text C:\Program Files (x86)\RealNetworks\RealDownloader\rndlresolversvc.exe[2436] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 0000000075b6f52b 5 bytes JMP 00000001000f0a08 .text C:\Program Files (x86)\RealNetworks\RealDownloader\rndlresolversvc.exe[2436] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000076295181 5 bytes JMP 0000000100101014 .text C:\Program Files (x86)\RealNetworks\RealDownloader\rndlresolversvc.exe[2436] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000076295254 5 bytes JMP 0000000100100804 .text C:\Program Files (x86)\RealNetworks\RealDownloader\rndlresolversvc.exe[2436] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000762953d5 5 bytes JMP 0000000100100a08 .text C:\Program Files (x86)\RealNetworks\RealDownloader\rndlresolversvc.exe[2436] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000762954c2 5 bytes JMP 0000000100100c0c .text C:\Program Files (x86)\RealNetworks\RealDownloader\rndlresolversvc.exe[2436] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000762955e2 5 bytes JMP 0000000100100e10 .text C:\Program Files (x86)\RealNetworks\RealDownloader\rndlresolversvc.exe[2436] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 000000007629567c 5 bytes JMP 00000001001001f8 .text C:\Program Files (x86)\RealNetworks\RealDownloader\rndlresolversvc.exe[2436] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 000000007629589f 5 bytes JMP 00000001001003fc .text C:\Program Files (x86)\RealNetworks\RealDownloader\rndlresolversvc.exe[2436] C:\Windows\SysWOW64\sechost.dll!DeleteService 0000000076295a22 5 bytes JMP 0000000100100600 .text C:\Windows\system32\svchost.exe[2468] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 000000007680eecd 1 byte [62] .text C:\Windows\system32\svchost.exe[2468] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefe986e00 5 bytes JMP 000007ff7e9a1dac .text C:\Windows\system32\svchost.exe[2468] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefe986f2c 5 bytes JMP 000007ff7e9a0ecc .text C:\Windows\system32\svchost.exe[2468] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefe987220 5 bytes JMP 000007ff7e9a1284 .text C:\Windows\system32\svchost.exe[2468] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefe98739c 5 bytes JMP 000007ff7e9a163c .text C:\Windows\system32\svchost.exe[2468] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefe987538 5 bytes JMP 000007ff7e9a19f4 .text C:\Windows\system32\svchost.exe[2468] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefe9875e8 5 bytes JMP 000007ff7e9a03a4 .text C:\Windows\system32\svchost.exe[2468] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefe98790c 5 bytes JMP 000007ff7e9a075c .text C:\Windows\system32\svchost.exe[2468] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefe987ab4 5 bytes JMP 000007ff7e9a0b14 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2544] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076db3ae0 5 bytes JMP 000000010015075c .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2544] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000076db7a90 5 bytes JMP 00000001001503a4 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2544] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076de13c0 5 bytes JMP 0000000076f40440 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2544] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076de1410 5 bytes JMP 0000000076f40430 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2544] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000076de1490 5 bytes JMP 0000000100150b14 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2544] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000076de14f0 5 bytes JMP 0000000100150ecc .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2544] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076de15c0 1 byte JMP 0000000076f40450 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2544] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 0000000076de15c2 3 bytes {JMP 0x15ee90} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2544] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076de15d0 5 bytes JMP 000000010015163c .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2544] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076de1680 5 bytes JMP 0000000076f40320 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2544] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076de16b0 5 bytes JMP 0000000076f40380 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2544] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076de1710 5 bytes JMP 0000000076f402e0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2544] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076de1760 5 bytes JMP 0000000076f40410 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2544] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076de1790 5 bytes JMP 0000000076f402d0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2544] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076de17b0 5 bytes JMP 0000000076f40310 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2544] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076de17f0 5 bytes JMP 0000000076f40390 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2544] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000076de1810 5 bytes JMP 0000000100151284 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2544] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076de1840 5 bytes JMP 0000000076f403c0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2544] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076de19a0 1 byte JMP 0000000076f40230 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2544] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076de19a2 3 bytes {JMP 0x15e890} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2544] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076de1b60 5 bytes JMP 0000000076f40460 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2544] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076de1b90 5 bytes JMP 0000000076f40370 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2544] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076de1c70 5 bytes JMP 0000000076f402f0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2544] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076de1c80 5 bytes JMP 0000000076f40350 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2544] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076de1ce0 5 bytes JMP 0000000076f40290 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2544] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076de1d70 5 bytes JMP 0000000076f402b0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2544] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076de1d90 5 bytes JMP 0000000076f403a0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2544] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076de1da0 1 byte JMP 0000000076f40330 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2544] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076de1da2 3 bytes {JMP 0x15e590} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2544] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076de1e10 5 bytes JMP 0000000076f403e0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2544] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076de1e40 5 bytes JMP 0000000076f40240 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2544] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076de2100 5 bytes JMP 0000000076f401e0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2544] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076de21c0 1 byte JMP 0000000076f40250 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2544] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076de21c2 3 bytes {JMP 0x15e090} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2544] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076de21f0 5 bytes JMP 0000000076f40470 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2544] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076de2200 5 bytes JMP 0000000076f40480 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2544] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076de2230 5 bytes JMP 0000000076f40300 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2544] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076de2240 5 bytes JMP 0000000076f40360 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2544] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076de22a0 5 bytes JMP 0000000076f402a0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2544] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076de22f0 5 bytes JMP 0000000076f402c0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2544] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076de2330 5 bytes JMP 0000000076f40340 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2544] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076de2620 5 bytes JMP 0000000076f40420 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2544] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076de2820 5 bytes JMP 0000000076f40260 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2544] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076de2830 5 bytes JMP 0000000076f40270 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2544] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076de2840 1 byte JMP 0000000076f403d0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2544] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000076de2842 3 bytes {JMP 0x15db90} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2544] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076de2a00 5 bytes JMP 0000000076f401f0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2544] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076de2a10 5 bytes JMP 0000000076f40210 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2544] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076de2a80 5 bytes JMP 0000000076f40200 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2544] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076de2ae0 5 bytes JMP 0000000076f403f0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2544] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076de2af0 5 bytes JMP 0000000076f40400 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2544] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076de2b00 5 bytes JMP 0000000076f40220 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2544] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076de2be0 5 bytes JMP 0000000076f40280 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2544] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 000000007680eecd 1 byte [62] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2544] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefe986e00 5 bytes JMP 000007ff7e9a1dac .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2544] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefe986f2c 5 bytes JMP 000007ff7e9a0ecc .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2544] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefe987220 5 bytes JMP 000007ff7e9a1284 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2544] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefe98739c 5 bytes JMP 000007ff7e9a163c .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2544] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefe987538 5 bytes JMP 000007ff7e9a19f4 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2544] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefe9875e8 5 bytes JMP 000007ff7e9a03a4 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2544] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefe98790c 5 bytes JMP 000007ff7e9a075c .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2544] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefe987ab4 5 bytes JMP 000007ff7e9a0b14 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2688] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefe986e00 5 bytes JMP 000007ff7e9a1dac .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2688] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefe986f2c 5 bytes JMP 000007ff7e9a0ecc .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2688] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefe987220 5 bytes JMP 000007ff7e9a1284 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2688] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefe98739c 5 bytes JMP 000007ff7e9a163c .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2688] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefe987538 5 bytes JMP 000007ff7e9a19f4 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2688] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefe9875e8 5 bytes JMP 000007ff7e9a03a4 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2688] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefe98790c 5 bytes JMP 000007ff7e9a075c .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2688] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefe987ab4 5 bytes JMP 000007ff7e9a0b14 .text C:\Windows\system32\svchost.exe[2976] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefe986e00 5 bytes JMP 000007ff7e9a1dac .text C:\Windows\system32\svchost.exe[2976] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefe986f2c 5 bytes JMP 000007ff7e9a0ecc .text C:\Windows\system32\svchost.exe[2976] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefe987220 5 bytes JMP 000007ff7e9a1284 .text C:\Windows\system32\svchost.exe[2976] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefe98739c 5 bytes JMP 000007ff7e9a163c .text C:\Windows\system32\svchost.exe[2976] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefe987538 5 bytes JMP 000007ff7e9a19f4 .text C:\Windows\system32\svchost.exe[2976] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefe9875e8 5 bytes JMP 000007ff7e9a03a4 .text C:\Windows\system32\svchost.exe[2976] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefe98790c 5 bytes JMP 000007ff7e9a075c .text C:\Windows\system32\svchost.exe[2976] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefe987ab4 5 bytes JMP 000007ff7e9a0b14 .text C:\Windows\System32\WUDFHost.exe[2420] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefe986e00 5 bytes JMP 000007ff7e9a1dac .text C:\Windows\System32\WUDFHost.exe[2420] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefe986f2c 5 bytes JMP 000007ff7e9a0ecc .text C:\Windows\System32\WUDFHost.exe[2420] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefe987220 5 bytes JMP 000007ff7e9a1284 .text C:\Windows\System32\WUDFHost.exe[2420] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefe98739c 5 bytes JMP 000007ff7e9a163c .text C:\Windows\System32\WUDFHost.exe[2420] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefe987538 5 bytes JMP 000007ff7e9a19f4 .text C:\Windows\System32\WUDFHost.exe[2420] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefe9875e8 5 bytes JMP 000007ff7e9a03a4 .text C:\Windows\System32\WUDFHost.exe[2420] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefe98790c 5 bytes JMP 000007ff7e9a075c .text C:\Windows\System32\WUDFHost.exe[2420] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefe987ab4 5 bytes JMP 000007ff7e9a0b14 .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076db3ae0 5 bytes JMP 00000001002e075c .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000076db7a90 5 bytes JMP 00000001002e03a4 .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076de13c0 5 bytes JMP 0000000076f40440 .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076de1410 5 bytes JMP 0000000076f40430 .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000076de1490 5 bytes JMP 00000001002e0b14 .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000076de14f0 5 bytes JMP 00000001002e0ecc .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076de15c0 1 byte JMP 0000000076f40450 .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 0000000076de15c2 3 bytes {JMP 0x15ee90} .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076de15d0 5 bytes JMP 00000001002e163c .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076de1680 5 bytes JMP 0000000076f40320 .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076de16b0 5 bytes JMP 0000000076f40380 .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076de1710 5 bytes JMP 0000000076f402e0 .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076de1760 5 bytes JMP 0000000076f40410 .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076de1790 5 bytes JMP 0000000076f402d0 .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076de17b0 5 bytes JMP 0000000076f40310 .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076de17f0 5 bytes JMP 0000000076f40390 .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000076de1810 5 bytes JMP 00000001002e1284 .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076de1840 5 bytes JMP 0000000076f403c0 .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076de19a0 1 byte JMP 0000000076f40230 .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076de19a2 3 bytes {JMP 0x15e890} .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076de1b60 5 bytes JMP 0000000076f40460 .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076de1b90 5 bytes JMP 0000000076f40370 .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076de1c70 5 bytes JMP 0000000076f402f0 .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076de1c80 5 bytes JMP 0000000076f40350 .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076de1ce0 5 bytes JMP 0000000076f40290 .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076de1d70 5 bytes JMP 0000000076f402b0 .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076de1d90 5 bytes JMP 0000000076f403a0 .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076de1da0 1 byte JMP 0000000076f40330 .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076de1da2 3 bytes {JMP 0x15e590} .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076de1e10 5 bytes JMP 0000000076f403e0 .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076de1e40 5 bytes JMP 0000000076f40240 .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076de2100 5 bytes JMP 0000000076f401e0 .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076de21c0 1 byte JMP 0000000076f40250 .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076de21c2 3 bytes {JMP 0x15e090} .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076de21f0 5 bytes JMP 0000000076f40470 .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076de2200 5 bytes JMP 0000000076f40480 .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076de2230 5 bytes JMP 0000000076f40300 .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076de2240 5 bytes JMP 0000000076f40360 .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076de22a0 5 bytes JMP 0000000076f402a0 .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076de22f0 5 bytes JMP 0000000076f402c0 .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076de2330 5 bytes JMP 0000000076f40340 .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076de2620 5 bytes JMP 0000000076f40420 .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076de2820 5 bytes JMP 0000000076f40260 .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076de2830 5 bytes JMP 0000000076f40270 .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076de2840 1 byte JMP 0000000076f403d0 .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000076de2842 3 bytes {JMP 0x15db90} .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076de2a00 5 bytes JMP 0000000076f401f0 .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076de2a10 5 bytes JMP 0000000076f40210 .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076de2a80 5 bytes JMP 0000000076f40200 .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076de2ae0 5 bytes JMP 0000000076f403f0 .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076de2af0 5 bytes JMP 0000000076f40400 .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076de2b00 5 bytes JMP 0000000076f40220 .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076de2be0 5 bytes JMP 0000000076f40280 .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[1780] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 000000007680eecd 1 byte [62] .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[1780] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefe986e00 5 bytes JMP 000007ff7e9a1dac .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[1780] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefe986f2c 5 bytes JMP 000007ff7e9a0ecc .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[1780] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefe987220 5 bytes JMP 000007ff7e9a1284 .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[1780] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefe98739c 5 bytes JMP 000007ff7e9a163c .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[1780] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefe987538 5 bytes JMP 000007ff7e9a19f4 .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[1780] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefe9875e8 5 bytes JMP 000007ff7e9a03a4 .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[1780] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefe98790c 5 bytes JMP 000007ff7e9a075c .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[1780] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefe987ab4 5 bytes JMP 000007ff7e9a0b14 .text C:\Windows\system32\svchost.exe[1956] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 000000007680eecd 1 byte [62] .text C:\Windows\system32\svchost.exe[1956] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefe986e00 5 bytes JMP 000007ff7e9a1dac .text C:\Windows\system32\svchost.exe[1956] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefe986f2c 5 bytes JMP 000007ff7e9a0ecc .text C:\Windows\system32\svchost.exe[1956] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefe987220 5 bytes JMP 000007ff7e9a1284 .text C:\Windows\system32\svchost.exe[1956] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefe98739c 5 bytes JMP 000007ff7e9a163c .text C:\Windows\system32\svchost.exe[1956] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefe987538 5 bytes JMP 000007ff7e9a19f4 .text C:\Windows\system32\svchost.exe[1956] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefe9875e8 5 bytes JMP 000007ff7e9a03a4 .text C:\Windows\system32\svchost.exe[1956] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefe98790c 5 bytes JMP 000007ff7e9a075c .text C:\Windows\system32\svchost.exe[1956] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefe987ab4 5 bytes JMP 000007ff7e9a0b14 .text C:\Windows\System32\svchost.exe[2884] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076db3ae0 5 bytes JMP 000000010014075c .text C:\Windows\System32\svchost.exe[2884] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000076db7a90 5 bytes JMP 00000001001403a4 .text C:\Windows\System32\svchost.exe[2884] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076de13c0 5 bytes JMP 0000000076f40440 .text C:\Windows\System32\svchost.exe[2884] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076de1410 5 bytes JMP 0000000076f40430 .text C:\Windows\System32\svchost.exe[2884] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000076de1490 5 bytes JMP 0000000100140b14 .text C:\Windows\System32\svchost.exe[2884] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000076de14f0 5 bytes JMP 0000000100140ecc .text C:\Windows\System32\svchost.exe[2884] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076de15c0 1 byte JMP 0000000076f40450 .text C:\Windows\System32\svchost.exe[2884] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 0000000076de15c2 3 bytes {JMP 0x15ee90} .text C:\Windows\System32\svchost.exe[2884] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076de15d0 5 bytes JMP 000000010014163c .text C:\Windows\System32\svchost.exe[2884] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076de1680 5 bytes JMP 0000000076f40320 .text C:\Windows\System32\svchost.exe[2884] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076de16b0 5 bytes JMP 0000000076f40380 .text C:\Windows\System32\svchost.exe[2884] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076de1710 5 bytes JMP 0000000076f402e0 .text C:\Windows\System32\svchost.exe[2884] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076de1760 5 bytes JMP 0000000076f40410 .text C:\Windows\System32\svchost.exe[2884] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076de1790 5 bytes JMP 0000000076f402d0 .text C:\Windows\System32\svchost.exe[2884] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076de17b0 5 bytes JMP 0000000076f40310 .text C:\Windows\System32\svchost.exe[2884] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076de17f0 5 bytes JMP 0000000076f40390 .text C:\Windows\System32\svchost.exe[2884] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000076de1810 5 bytes JMP 0000000100141284 .text C:\Windows\System32\svchost.exe[2884] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076de1840 5 bytes JMP 0000000076f403c0 .text C:\Windows\System32\svchost.exe[2884] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076de19a0 1 byte JMP 0000000076f40230 .text C:\Windows\System32\svchost.exe[2884] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076de19a2 3 bytes {JMP 0x15e890} .text C:\Windows\System32\svchost.exe[2884] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076de1b60 5 bytes JMP 0000000076f40460 .text C:\Windows\System32\svchost.exe[2884] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076de1b90 5 bytes JMP 0000000076f40370 .text C:\Windows\System32\svchost.exe[2884] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076de1c70 5 bytes JMP 0000000076f402f0 .text C:\Windows\System32\svchost.exe[2884] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076de1c80 5 bytes JMP 0000000076f40350 .text C:\Windows\System32\svchost.exe[2884] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076de1ce0 5 bytes JMP 0000000076f40290 .text C:\Windows\System32\svchost.exe[2884] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076de1d70 5 bytes JMP 0000000076f402b0 .text C:\Windows\System32\svchost.exe[2884] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076de1d90 5 bytes JMP 0000000076f403a0 .text C:\Windows\System32\svchost.exe[2884] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076de1da0 1 byte JMP 0000000076f40330 .text C:\Windows\System32\svchost.exe[2884] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076de1da2 3 bytes {JMP 0x15e590} .text C:\Windows\System32\svchost.exe[2884] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076de1e10 5 bytes JMP 0000000076f403e0 .text C:\Windows\System32\svchost.exe[2884] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076de1e40 5 bytes JMP 0000000076f40240 .text C:\Windows\System32\svchost.exe[2884] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076de2100 5 bytes JMP 0000000076f401e0 .text C:\Windows\System32\svchost.exe[2884] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076de21c0 1 byte JMP 0000000076f40250 .text C:\Windows\System32\svchost.exe[2884] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076de21c2 3 bytes {JMP 0x15e090} .text C:\Windows\System32\svchost.exe[2884] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076de21f0 5 bytes JMP 0000000076f40470 .text C:\Windows\System32\svchost.exe[2884] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076de2200 5 bytes JMP 0000000076f40480 .text C:\Windows\System32\svchost.exe[2884] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076de2230 5 bytes JMP 0000000076f40300 .text C:\Windows\System32\svchost.exe[2884] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076de2240 5 bytes JMP 0000000076f40360 .text C:\Windows\System32\svchost.exe[2884] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076de22a0 5 bytes JMP 0000000076f402a0 .text C:\Windows\System32\svchost.exe[2884] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076de22f0 5 bytes JMP 0000000076f402c0 .text C:\Windows\System32\svchost.exe[2884] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076de2330 5 bytes JMP 0000000076f40340 .text C:\Windows\System32\svchost.exe[2884] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076de2620 5 bytes JMP 0000000076f40420 .text C:\Windows\System32\svchost.exe[2884] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076de2820 5 bytes JMP 0000000076f40260 .text C:\Windows\System32\svchost.exe[2884] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076de2830 5 bytes JMP 0000000076f40270 .text C:\Windows\System32\svchost.exe[2884] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076de2840 1 byte JMP 0000000076f403d0 .text C:\Windows\System32\svchost.exe[2884] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000076de2842 3 bytes {JMP 0x15db90} .text C:\Windows\System32\svchost.exe[2884] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076de2a00 5 bytes JMP 0000000076f401f0 .text C:\Windows\System32\svchost.exe[2884] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076de2a10 5 bytes JMP 0000000076f40210 .text C:\Windows\System32\svchost.exe[2884] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076de2a80 5 bytes JMP 0000000076f40200 .text C:\Windows\System32\svchost.exe[2884] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076de2ae0 5 bytes JMP 0000000076f403f0 .text C:\Windows\System32\svchost.exe[2884] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076de2af0 5 bytes JMP 0000000076f40400 .text C:\Windows\System32\svchost.exe[2884] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076de2b00 5 bytes JMP 0000000076f40220 .text C:\Windows\System32\svchost.exe[2884] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076de2be0 5 bytes JMP 0000000076f40280 .text C:\Windows\System32\svchost.exe[2884] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 000000007680eecd 1 byte [62] .text C:\Windows\System32\svchost.exe[2884] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefe986e00 5 bytes JMP 000007ff7e9a1dac .text C:\Windows\System32\svchost.exe[2884] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefe986f2c 5 bytes JMP 000007ff7e9a0ecc .text C:\Windows\System32\svchost.exe[2884] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefe987220 5 bytes JMP 000007ff7e9a1284 .text C:\Windows\System32\svchost.exe[2884] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefe98739c 5 bytes JMP 000007ff7e9a163c .text C:\Windows\System32\svchost.exe[2884] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefe987538 5 bytes JMP 000007ff7e9a19f4 .text C:\Windows\System32\svchost.exe[2884] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefe9875e8 5 bytes JMP 000007ff7e9a03a4 .text C:\Windows\System32\svchost.exe[2884] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefe98790c 5 bytes JMP 000007ff7e9a075c .text C:\Windows\System32\svchost.exe[2884] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefe987ab4 5 bytes JMP 000007ff7e9a0b14 .text C:\Windows\system32\SearchIndexer.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076db3ae0 5 bytes JMP 000000010045075c .text C:\Windows\system32\SearchIndexer.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000076db7a90 5 bytes JMP 00000001004503a4 .text C:\Windows\system32\SearchIndexer.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076de13c0 5 bytes JMP 0000000076f40440 .text C:\Windows\system32\SearchIndexer.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076de1410 5 bytes JMP 0000000076f40430 .text C:\Windows\system32\SearchIndexer.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000076de1490 5 bytes JMP 0000000100450b14 .text C:\Windows\system32\SearchIndexer.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000076de14f0 5 bytes JMP 0000000100450ecc .text C:\Windows\system32\SearchIndexer.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076de15c0 1 byte JMP 0000000076f40450 .text C:\Windows\system32\SearchIndexer.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 0000000076de15c2 3 bytes {JMP 0x15ee90} .text C:\Windows\system32\SearchIndexer.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076de15d0 5 bytes JMP 000000010045163c .text C:\Windows\system32\SearchIndexer.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076de1680 5 bytes JMP 0000000076f40320 .text C:\Windows\system32\SearchIndexer.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076de16b0 5 bytes JMP 0000000076f40380 .text C:\Windows\system32\SearchIndexer.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076de1710 5 bytes JMP 0000000076f402e0 .text C:\Windows\system32\SearchIndexer.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076de1760 5 bytes JMP 0000000076f40410 .text C:\Windows\system32\SearchIndexer.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076de1790 5 bytes JMP 0000000076f402d0 .text C:\Windows\system32\SearchIndexer.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076de17b0 5 bytes JMP 0000000076f40310 .text C:\Windows\system32\SearchIndexer.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076de17f0 5 bytes JMP 0000000076f40390 .text C:\Windows\system32\SearchIndexer.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000076de1810 5 bytes JMP 0000000100451284 .text C:\Windows\system32\SearchIndexer.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076de1840 5 bytes JMP 0000000076f403c0 .text C:\Windows\system32\SearchIndexer.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076de19a0 1 byte JMP 0000000076f40230 .text C:\Windows\system32\SearchIndexer.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076de19a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\SearchIndexer.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076de1b60 5 bytes JMP 0000000076f40460 .text C:\Windows\system32\SearchIndexer.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076de1b90 5 bytes JMP 0000000076f40370 .text C:\Windows\system32\SearchIndexer.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076de1c70 5 bytes JMP 0000000076f402f0 .text C:\Windows\system32\SearchIndexer.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076de1c80 5 bytes JMP 0000000076f40350 .text C:\Windows\system32\SearchIndexer.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076de1ce0 5 bytes JMP 0000000076f40290 .text C:\Windows\system32\SearchIndexer.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076de1d70 5 bytes JMP 0000000076f402b0 .text C:\Windows\system32\SearchIndexer.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076de1d90 5 bytes JMP 0000000076f403a0 .text C:\Windows\system32\SearchIndexer.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076de1da0 1 byte JMP 0000000076f40330 .text C:\Windows\system32\SearchIndexer.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076de1da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\SearchIndexer.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076de1e10 5 bytes JMP 0000000076f403e0 .text C:\Windows\system32\SearchIndexer.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076de1e40 5 bytes JMP 0000000076f40240 .text C:\Windows\system32\SearchIndexer.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076de2100 5 bytes JMP 0000000076f401e0 .text C:\Windows\system32\SearchIndexer.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076de21c0 1 byte JMP 0000000076f40250 .text C:\Windows\system32\SearchIndexer.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076de21c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\SearchIndexer.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076de21f0 5 bytes JMP 0000000076f40470 .text C:\Windows\system32\SearchIndexer.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076de2200 5 bytes JMP 0000000076f40480 .text C:\Windows\system32\SearchIndexer.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076de2230 5 bytes JMP 0000000076f40300 .text C:\Windows\system32\SearchIndexer.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076de2240 5 bytes JMP 0000000076f40360 .text C:\Windows\system32\SearchIndexer.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076de22a0 5 bytes JMP 0000000076f402a0 .text C:\Windows\system32\SearchIndexer.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076de22f0 5 bytes JMP 0000000076f402c0 .text C:\Windows\system32\SearchIndexer.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076de2330 5 bytes JMP 0000000076f40340 .text C:\Windows\system32\SearchIndexer.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076de2620 5 bytes JMP 0000000076f40420 .text C:\Windows\system32\SearchIndexer.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076de2820 5 bytes JMP 0000000076f40260 .text C:\Windows\system32\SearchIndexer.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076de2830 5 bytes JMP 0000000076f40270 .text C:\Windows\system32\SearchIndexer.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076de2840 1 byte JMP 0000000076f403d0 .text C:\Windows\system32\SearchIndexer.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000076de2842 3 bytes {JMP 0x15db90} .text C:\Windows\system32\SearchIndexer.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076de2a00 5 bytes JMP 0000000076f401f0 .text C:\Windows\system32\SearchIndexer.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076de2a10 5 bytes JMP 0000000076f40210 .text C:\Windows\system32\SearchIndexer.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076de2a80 5 bytes JMP 0000000076f40200 .text C:\Windows\system32\SearchIndexer.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076de2ae0 5 bytes JMP 0000000076f403f0 .text C:\Windows\system32\SearchIndexer.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076de2af0 5 bytes JMP 0000000076f40400 .text C:\Windows\system32\SearchIndexer.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076de2b00 5 bytes JMP 0000000076f40220 .text C:\Windows\system32\SearchIndexer.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076de2be0 5 bytes JMP 0000000076f40280 .text C:\Windows\system32\SearchIndexer.exe[1324] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 000000007680eecd 1 byte [62] .text C:\Windows\system32\SearchIndexer.exe[1324] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefe986e00 5 bytes JMP 000007ff7e9a1dac .text C:\Windows\system32\SearchIndexer.exe[1324] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefe986f2c 5 bytes JMP 000007ff7e9a0ecc .text C:\Windows\system32\SearchIndexer.exe[1324] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefe987220 5 bytes JMP 000007ff7e9a1284 .text C:\Windows\system32\SearchIndexer.exe[1324] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefe98739c 5 bytes JMP 000007ff7e9a163c .text C:\Windows\system32\SearchIndexer.exe[1324] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefe987538 5 bytes JMP 000007ff7e9a19f4 .text C:\Windows\system32\SearchIndexer.exe[1324] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefe9875e8 5 bytes JMP 000007ff7e9a03a4 .text C:\Windows\system32\SearchIndexer.exe[1324] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefe98790c 5 bytes JMP 000007ff7e9a075c .text C:\Windows\system32\SearchIndexer.exe[1324] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefe987ab4 5 bytes JMP 000007ff7e9a0b14 .text C:\Windows\system32\svchost.exe[2860] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076db3ae0 5 bytes JMP 00000001002b075c .text C:\Windows\system32\svchost.exe[2860] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000076db7a90 5 bytes JMP 00000001002b03a4 .text C:\Windows\system32\svchost.exe[2860] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076de13c0 5 bytes JMP 0000000100070440 .text C:\Windows\system32\svchost.exe[2860] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076de1410 5 bytes JMP 0000000100070430 .text C:\Windows\system32\svchost.exe[2860] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000076de1490 5 bytes JMP 00000001002b0b14 .text C:\Windows\system32\svchost.exe[2860] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000076de14f0 5 bytes JMP 00000001002b0ecc .text C:\Windows\system32\svchost.exe[2860] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076de15c0 1 byte JMP 0000000100070450 .text C:\Windows\system32\svchost.exe[2860] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 0000000076de15c2 3 bytes {JMP 0xffffffff8928ee90} .text C:\Windows\system32\svchost.exe[2860] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076de15d0 5 bytes JMP 00000001002b163c .text C:\Windows\system32\svchost.exe[2860] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076de1680 5 bytes JMP 0000000100070320 .text C:\Windows\system32\svchost.exe[2860] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076de16b0 5 bytes JMP 0000000100070380 .text C:\Windows\system32\svchost.exe[2860] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076de1710 5 bytes JMP 00000001000702e0 .text C:\Windows\system32\svchost.exe[2860] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076de1760 5 bytes JMP 0000000100070410 .text C:\Windows\system32\svchost.exe[2860] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076de1790 5 bytes JMP 00000001000702d0 .text C:\Windows\system32\svchost.exe[2860] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076de17b0 5 bytes JMP 0000000100070310 .text C:\Windows\system32\svchost.exe[2860] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076de17f0 5 bytes JMP 0000000100070390 .text C:\Windows\system32\svchost.exe[2860] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000076de1810 5 bytes JMP 00000001002b1284 .text C:\Windows\system32\svchost.exe[2860] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076de1840 5 bytes JMP 00000001000703c0 .text C:\Windows\system32\svchost.exe[2860] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076de19a0 1 byte JMP 0000000100070230 .text C:\Windows\system32\svchost.exe[2860] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076de19a2 3 bytes {JMP 0xffffffff8928e890} .text C:\Windows\system32\svchost.exe[2860] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076de1b60 5 bytes JMP 0000000100070460 .text C:\Windows\system32\svchost.exe[2860] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076de1b90 5 bytes JMP 0000000100070370 .text C:\Windows\system32\svchost.exe[2860] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076de1c70 5 bytes JMP 00000001000702f0 .text C:\Windows\system32\svchost.exe[2860] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076de1c80 5 bytes JMP 0000000100070350 .text C:\Windows\system32\svchost.exe[2860] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076de1ce0 5 bytes JMP 0000000100070290 .text C:\Windows\system32\svchost.exe[2860] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076de1d70 5 bytes JMP 00000001000702b0 .text C:\Windows\system32\svchost.exe[2860] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076de1d90 5 bytes JMP 00000001000703a0 .text C:\Windows\system32\svchost.exe[2860] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076de1da0 1 byte JMP 0000000100070330 .text C:\Windows\system32\svchost.exe[2860] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076de1da2 3 bytes {JMP 0xffffffff8928e590} .text C:\Windows\system32\svchost.exe[2860] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076de1e10 5 bytes JMP 00000001000703e0 .text C:\Windows\system32\svchost.exe[2860] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076de1e40 5 bytes JMP 0000000100070240 .text C:\Windows\system32\svchost.exe[2860] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076de2100 5 bytes JMP 00000001000701e0 .text C:\Windows\system32\svchost.exe[2860] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076de21c0 1 byte JMP 0000000100070250 .text C:\Windows\system32\svchost.exe[2860] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076de21c2 3 bytes {JMP 0xffffffff8928e090} .text C:\Windows\system32\svchost.exe[2860] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076de21f0 5 bytes JMP 0000000100070470 .text C:\Windows\system32\svchost.exe[2860] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076de2200 5 bytes JMP 0000000100070480 .text C:\Windows\system32\svchost.exe[2860] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076de2230 5 bytes JMP 0000000100070300 .text C:\Windows\system32\svchost.exe[2860] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076de2240 5 bytes JMP 0000000100070360 .text C:\Windows\system32\svchost.exe[2860] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076de22a0 5 bytes JMP 00000001000702a0 .text C:\Windows\system32\svchost.exe[2860] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076de22f0 5 bytes JMP 00000001000702c0 .text C:\Windows\system32\svchost.exe[2860] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076de2330 5 bytes JMP 0000000100070340 .text C:\Windows\system32\svchost.exe[2860] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076de2620 5 bytes JMP 0000000100070420 .text C:\Windows\system32\svchost.exe[2860] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076de2820 5 bytes JMP 0000000100070260 .text C:\Windows\system32\svchost.exe[2860] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076de2830 5 bytes JMP 0000000100070270 .text C:\Windows\system32\svchost.exe[2860] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076de2840 1 byte JMP 00000001000703d0 .text C:\Windows\system32\svchost.exe[2860] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000076de2842 3 bytes {JMP 0xffffffff8928db90} .text C:\Windows\system32\svchost.exe[2860] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076de2a00 5 bytes JMP 00000001000701f0 .text C:\Windows\system32\svchost.exe[2860] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076de2a10 5 bytes JMP 0000000100070210 .text C:\Windows\system32\svchost.exe[2860] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076de2a80 5 bytes JMP 0000000100070200 .text C:\Windows\system32\svchost.exe[2860] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076de2ae0 5 bytes JMP 00000001000703f0 .text C:\Windows\system32\svchost.exe[2860] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076de2af0 5 bytes JMP 0000000100070400 .text C:\Windows\system32\svchost.exe[2860] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076de2b00 5 bytes JMP 0000000100070220 .text C:\Windows\system32\svchost.exe[2860] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076de2be0 5 bytes JMP 0000000100070280 .text C:\Windows\system32\svchost.exe[2860] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 000000007680eecd 1 byte [62] .text C:\Windows\system32\svchost.exe[2860] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefe986e00 5 bytes JMP 000007ff7e9a1dac .text C:\Windows\system32\svchost.exe[2860] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefe986f2c 5 bytes JMP 000007ff7e9a0ecc .text C:\Windows\system32\svchost.exe[2860] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefe987220 5 bytes JMP 000007ff7e9a1284 .text C:\Windows\system32\svchost.exe[2860] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefe98739c 5 bytes JMP 000007ff7e9a163c .text C:\Windows\system32\svchost.exe[2860] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefe987538 5 bytes JMP 000007ff7e9a19f4 .text C:\Windows\system32\svchost.exe[2860] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefe9875e8 5 bytes JMP 000007ff7e9a03a4 .text C:\Windows\system32\svchost.exe[2860] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefe98790c 5 bytes JMP 000007ff7e9a075c .text C:\Windows\system32\svchost.exe[2860] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefe987ab4 5 bytes JMP 000007ff7e9a0b14 .text C:\Windows\system32\wbem\wmiprvse.exe[2556] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefe986e00 5 bytes JMP 000007ff7e9a1dac .text C:\Windows\system32\wbem\wmiprvse.exe[2556] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefe986f2c 5 bytes JMP 000007ff7e9a0ecc .text C:\Windows\system32\wbem\wmiprvse.exe[2556] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefe987220 5 bytes JMP 000007ff7e9a1284 .text C:\Windows\system32\wbem\wmiprvse.exe[2556] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefe98739c 5 bytes JMP 000007ff7e9a163c .text C:\Windows\system32\wbem\wmiprvse.exe[2556] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefe987538 5 bytes JMP 000007ff7e9a19f4 .text C:\Windows\system32\wbem\wmiprvse.exe[2556] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefe9875e8 5 bytes JMP 000007ff7e9a03a4 .text C:\Windows\system32\wbem\wmiprvse.exe[2556] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefe98790c 5 bytes JMP 000007ff7e9a075c .text C:\Windows\system32\wbem\wmiprvse.exe[2556] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefe987ab4 5 bytes JMP 000007ff7e9a0b14 .text C:\Windows\system32\taskhost.exe[3248] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076db3ae0 5 bytes JMP 00000001001c075c .text C:\Windows\system32\taskhost.exe[3248] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000076db7a90 5 bytes JMP 00000001001c03a4 .text C:\Windows\system32\taskhost.exe[3248] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076de13c0 5 bytes JMP 0000000076f40440 .text C:\Windows\system32\taskhost.exe[3248] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076de1410 5 bytes JMP 0000000076f40430 .text C:\Windows\system32\taskhost.exe[3248] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000076de1490 5 bytes JMP 00000001001c0b14 .text C:\Windows\system32\taskhost.exe[3248] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000076de14f0 5 bytes JMP 00000001001c0ecc .text C:\Windows\system32\taskhost.exe[3248] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076de15c0 1 byte JMP 0000000076f40450 .text C:\Windows\system32\taskhost.exe[3248] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 0000000076de15c2 3 bytes {JMP 0x15ee90} .text C:\Windows\system32\taskhost.exe[3248] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076de15d0 5 bytes JMP 00000001001c163c .text C:\Windows\system32\taskhost.exe[3248] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076de1680 5 bytes JMP 0000000076f40320 .text C:\Windows\system32\taskhost.exe[3248] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076de16b0 5 bytes JMP 0000000076f40380 .text C:\Windows\system32\taskhost.exe[3248] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076de1710 5 bytes JMP 0000000076f402e0 .text C:\Windows\system32\taskhost.exe[3248] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076de1760 5 bytes JMP 0000000076f40410 .text C:\Windows\system32\taskhost.exe[3248] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076de1790 5 bytes JMP 0000000076f402d0 .text C:\Windows\system32\taskhost.exe[3248] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076de17b0 5 bytes JMP 0000000076f40310 .text C:\Windows\system32\taskhost.exe[3248] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076de17f0 5 bytes JMP 0000000076f40390 .text C:\Windows\system32\taskhost.exe[3248] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000076de1810 5 bytes JMP 00000001001c1284 .text C:\Windows\system32\taskhost.exe[3248] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076de1840 5 bytes JMP 0000000076f403c0 .text C:\Windows\system32\taskhost.exe[3248] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076de19a0 1 byte JMP 0000000076f40230 .text C:\Windows\system32\taskhost.exe[3248] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076de19a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\taskhost.exe[3248] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076de1b60 5 bytes JMP 0000000076f40460 .text C:\Windows\system32\taskhost.exe[3248] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076de1b90 5 bytes JMP 0000000076f40370 .text C:\Windows\system32\taskhost.exe[3248] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076de1c70 5 bytes JMP 0000000076f402f0 .text C:\Windows\system32\taskhost.exe[3248] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076de1c80 5 bytes JMP 0000000076f40350 .text C:\Windows\system32\taskhost.exe[3248] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076de1ce0 5 bytes JMP 0000000076f40290 .text C:\Windows\system32\taskhost.exe[3248] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076de1d70 5 bytes JMP 0000000076f402b0 .text C:\Windows\system32\taskhost.exe[3248] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076de1d90 5 bytes JMP 0000000076f403a0 .text C:\Windows\system32\taskhost.exe[3248] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076de1da0 1 byte JMP 0000000076f40330 .text C:\Windows\system32\taskhost.exe[3248] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076de1da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\taskhost.exe[3248] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076de1e10 5 bytes JMP 0000000076f403e0 .text C:\Windows\system32\taskhost.exe[3248] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076de1e40 5 bytes JMP 0000000076f40240 .text C:\Windows\system32\taskhost.exe[3248] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076de2100 5 bytes JMP 0000000076f401e0 .text C:\Windows\system32\taskhost.exe[3248] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076de21c0 1 byte JMP 0000000076f40250 .text C:\Windows\system32\taskhost.exe[3248] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076de21c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\taskhost.exe[3248] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076de21f0 5 bytes JMP 0000000076f40470 .text C:\Windows\system32\taskhost.exe[3248] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076de2200 5 bytes JMP 0000000076f40480 .text C:\Windows\system32\taskhost.exe[3248] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076de2230 5 bytes JMP 0000000076f40300 .text C:\Windows\system32\taskhost.exe[3248] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076de2240 5 bytes JMP 0000000076f40360 .text C:\Windows\system32\taskhost.exe[3248] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076de22a0 5 bytes JMP 0000000076f402a0 .text C:\Windows\system32\taskhost.exe[3248] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076de22f0 5 bytes JMP 0000000076f402c0 .text C:\Windows\system32\taskhost.exe[3248] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076de2330 5 bytes JMP 0000000076f40340 .text C:\Windows\system32\taskhost.exe[3248] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076de2620 5 bytes JMP 0000000076f40420 .text C:\Windows\system32\taskhost.exe[3248] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076de2820 5 bytes JMP 0000000076f40260 .text C:\Windows\system32\taskhost.exe[3248] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076de2830 5 bytes JMP 0000000076f40270 .text C:\Windows\system32\taskhost.exe[3248] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076de2840 1 byte JMP 0000000076f403d0 .text C:\Windows\system32\taskhost.exe[3248] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000076de2842 3 bytes {JMP 0x15db90} .text C:\Windows\system32\taskhost.exe[3248] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076de2a00 5 bytes JMP 0000000076f401f0 .text C:\Windows\system32\taskhost.exe[3248] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076de2a10 5 bytes JMP 0000000076f40210 .text C:\Windows\system32\taskhost.exe[3248] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076de2a80 5 bytes JMP 0000000076f40200 .text C:\Windows\system32\taskhost.exe[3248] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076de2ae0 5 bytes JMP 0000000076f403f0 .text C:\Windows\system32\taskhost.exe[3248] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076de2af0 5 bytes JMP 0000000076f40400 .text C:\Windows\system32\taskhost.exe[3248] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076de2b00 5 bytes JMP 0000000076f40220 .text C:\Windows\system32\taskhost.exe[3248] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076de2be0 5 bytes JMP 0000000076f40280 .text C:\Windows\system32\taskhost.exe[3248] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 000000007680eecd 1 byte [62] .text C:\Windows\system32\taskhost.exe[3248] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefe986e00 5 bytes JMP 000007ff7e9a1dac .text C:\Windows\system32\taskhost.exe[3248] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefe986f2c 5 bytes JMP 000007ff7e9a0ecc .text C:\Windows\system32\taskhost.exe[3248] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefe987220 5 bytes JMP 000007ff7e9a1284 .text C:\Windows\system32\taskhost.exe[3248] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefe98739c 5 bytes JMP 000007ff7e9a163c .text C:\Windows\system32\taskhost.exe[3248] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefe987538 5 bytes JMP 000007ff7e9a19f4 .text C:\Windows\system32\taskhost.exe[3248] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefe9875e8 5 bytes JMP 000007ff7e9a03a4 .text C:\Windows\system32\taskhost.exe[3248] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefe98790c 5 bytes JMP 000007ff7e9a075c .text C:\Windows\system32\taskhost.exe[3248] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefe987ab4 5 bytes JMP 000007ff7e9a0b14 .text C:\Windows\system32\taskeng.exe[3320] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076db3ae0 5 bytes JMP 000000010036075c .text C:\Windows\system32\taskeng.exe[3320] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000076db7a90 5 bytes JMP 00000001003603a4 .text C:\Windows\system32\taskeng.exe[3320] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076de13c0 5 bytes JMP 0000000076f40440 .text C:\Windows\system32\taskeng.exe[3320] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076de1410 5 bytes JMP 0000000076f40430 .text C:\Windows\system32\taskeng.exe[3320] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000076de1490 5 bytes JMP 0000000100360b14 .text C:\Windows\system32\taskeng.exe[3320] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000076de14f0 5 bytes JMP 0000000100360ecc .text C:\Windows\system32\taskeng.exe[3320] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076de15c0 1 byte JMP 0000000076f40450 .text C:\Windows\system32\taskeng.exe[3320] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 0000000076de15c2 3 bytes {JMP 0x15ee90} .text C:\Windows\system32\taskeng.exe[3320] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076de15d0 5 bytes JMP 000000010036163c .text C:\Windows\system32\taskeng.exe[3320] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076de1680 5 bytes JMP 0000000076f40320 .text C:\Windows\system32\taskeng.exe[3320] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076de16b0 5 bytes JMP 0000000076f40380 .text C:\Windows\system32\taskeng.exe[3320] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076de1710 5 bytes JMP 0000000076f402e0 .text C:\Windows\system32\taskeng.exe[3320] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076de1760 5 bytes JMP 0000000076f40410 .text C:\Windows\system32\taskeng.exe[3320] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076de1790 5 bytes JMP 0000000076f402d0 .text C:\Windows\system32\taskeng.exe[3320] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076de17b0 5 bytes JMP 0000000076f40310 .text C:\Windows\system32\taskeng.exe[3320] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076de17f0 5 bytes JMP 0000000076f40390 .text C:\Windows\system32\taskeng.exe[3320] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000076de1810 5 bytes JMP 0000000100361284 .text C:\Windows\system32\taskeng.exe[3320] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076de1840 5 bytes JMP 0000000076f403c0 .text C:\Windows\system32\taskeng.exe[3320] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076de19a0 1 byte JMP 0000000076f40230 .text C:\Windows\system32\taskeng.exe[3320] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076de19a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\taskeng.exe[3320] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076de1b60 5 bytes JMP 0000000076f40460 .text C:\Windows\system32\taskeng.exe[3320] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076de1b90 5 bytes JMP 0000000076f40370 .text C:\Windows\system32\taskeng.exe[3320] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076de1c70 5 bytes JMP 0000000076f402f0 .text C:\Windows\system32\taskeng.exe[3320] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076de1c80 5 bytes JMP 0000000076f40350 .text C:\Windows\system32\taskeng.exe[3320] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076de1ce0 5 bytes JMP 0000000076f40290 .text C:\Windows\system32\taskeng.exe[3320] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076de1d70 5 bytes JMP 0000000076f402b0 .text C:\Windows\system32\taskeng.exe[3320] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076de1d90 5 bytes JMP 0000000076f403a0 .text C:\Windows\system32\taskeng.exe[3320] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076de1da0 1 byte JMP 0000000076f40330 .text C:\Windows\system32\taskeng.exe[3320] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076de1da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\taskeng.exe[3320] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076de1e10 5 bytes JMP 0000000076f403e0 .text C:\Windows\system32\taskeng.exe[3320] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076de1e40 5 bytes JMP 0000000076f40240 .text C:\Windows\system32\taskeng.exe[3320] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076de2100 5 bytes JMP 0000000076f401e0 .text C:\Windows\system32\taskeng.exe[3320] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076de21c0 1 byte JMP 0000000076f40250 .text C:\Windows\system32\taskeng.exe[3320] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076de21c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\taskeng.exe[3320] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076de21f0 5 bytes JMP 0000000076f40470 .text C:\Windows\system32\taskeng.exe[3320] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076de2200 5 bytes JMP 0000000076f40480 .text C:\Windows\system32\taskeng.exe[3320] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076de2230 5 bytes JMP 0000000076f40300 .text C:\Windows\system32\taskeng.exe[3320] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076de2240 5 bytes JMP 0000000076f40360 .text C:\Windows\system32\taskeng.exe[3320] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076de22a0 5 bytes JMP 0000000076f402a0 .text C:\Windows\system32\taskeng.exe[3320] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076de22f0 5 bytes JMP 0000000076f402c0 .text C:\Windows\system32\taskeng.exe[3320] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076de2330 5 bytes JMP 0000000076f40340 .text C:\Windows\system32\taskeng.exe[3320] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076de2620 5 bytes JMP 0000000076f40420 .text C:\Windows\system32\taskeng.exe[3320] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076de2820 5 bytes JMP 0000000076f40260 .text C:\Windows\system32\taskeng.exe[3320] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076de2830 5 bytes JMP 0000000076f40270 .text C:\Windows\system32\taskeng.exe[3320] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076de2840 1 byte JMP 0000000076f403d0 .text C:\Windows\system32\taskeng.exe[3320] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000076de2842 3 bytes {JMP 0x15db90} .text C:\Windows\system32\taskeng.exe[3320] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076de2a00 5 bytes JMP 0000000076f401f0 .text C:\Windows\system32\taskeng.exe[3320] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076de2a10 5 bytes JMP 0000000076f40210 .text C:\Windows\system32\taskeng.exe[3320] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076de2a80 5 bytes JMP 0000000076f40200 .text C:\Windows\system32\taskeng.exe[3320] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076de2ae0 5 bytes JMP 0000000076f403f0 .text C:\Windows\system32\taskeng.exe[3320] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076de2af0 5 bytes JMP 0000000076f40400 .text C:\Windows\system32\taskeng.exe[3320] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076de2b00 5 bytes JMP 0000000076f40220 .text C:\Windows\system32\taskeng.exe[3320] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076de2be0 5 bytes JMP 0000000076f40280 .text C:\Windows\system32\taskeng.exe[3320] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 000000007680eecd 1 byte [62] .text C:\Windows\system32\taskeng.exe[3320] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefe986e00 5 bytes JMP 000007ff7e9a1dac .text C:\Windows\system32\taskeng.exe[3320] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefe986f2c 5 bytes JMP 000007ff7e9a0ecc .text C:\Windows\system32\taskeng.exe[3320] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefe987220 5 bytes JMP 000007ff7e9a1284 .text C:\Windows\system32\taskeng.exe[3320] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefe98739c 5 bytes JMP 000007ff7e9a163c .text C:\Windows\system32\taskeng.exe[3320] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefe987538 5 bytes JMP 000007ff7e9a19f4 .text C:\Windows\system32\taskeng.exe[3320] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefe9875e8 5 bytes JMP 000007ff7e9a03a4 .text C:\Windows\system32\taskeng.exe[3320] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefe98790c 5 bytes JMP 000007ff7e9a075c .text C:\Windows\system32\taskeng.exe[3320] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefe987ab4 5 bytes JMP 000007ff7e9a0b14 .text C:\Windows\system32\Dwm.exe[3420] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076db3ae0 5 bytes JMP 000000010029075c .text C:\Windows\system32\Dwm.exe[3420] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000076db7a90 5 bytes JMP 00000001002903a4 .text C:\Windows\system32\Dwm.exe[3420] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076de13c0 5 bytes JMP 0000000076f40440 .text C:\Windows\system32\Dwm.exe[3420] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076de1410 5 bytes JMP 0000000076f40430 .text C:\Windows\system32\Dwm.exe[3420] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000076de1490 5 bytes JMP 0000000100290b14 .text C:\Windows\system32\Dwm.exe[3420] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000076de14f0 5 bytes JMP 0000000100290ecc .text C:\Windows\system32\Dwm.exe[3420] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076de15c0 1 byte JMP 0000000076f40450 .text C:\Windows\system32\Dwm.exe[3420] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 0000000076de15c2 3 bytes {JMP 0x15ee90} .text C:\Windows\system32\Dwm.exe[3420] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076de15d0 5 bytes JMP 000000010029163c .text C:\Windows\system32\Dwm.exe[3420] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076de1680 5 bytes JMP 0000000076f40320 .text C:\Windows\system32\Dwm.exe[3420] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076de16b0 5 bytes JMP 0000000076f40380 .text C:\Windows\system32\Dwm.exe[3420] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076de1710 5 bytes JMP 0000000076f402e0 .text C:\Windows\system32\Dwm.exe[3420] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076de1760 5 bytes JMP 0000000076f40410 .text C:\Windows\system32\Dwm.exe[3420] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076de1790 5 bytes JMP 0000000076f402d0 .text C:\Windows\system32\Dwm.exe[3420] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076de17b0 5 bytes JMP 0000000076f40310 .text C:\Windows\system32\Dwm.exe[3420] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076de17f0 5 bytes JMP 0000000076f40390 .text C:\Windows\system32\Dwm.exe[3420] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000076de1810 5 bytes JMP 0000000100291284 .text C:\Windows\system32\Dwm.exe[3420] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076de1840 5 bytes JMP 0000000076f403c0 .text C:\Windows\system32\Dwm.exe[3420] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076de19a0 1 byte JMP 0000000076f40230 .text C:\Windows\system32\Dwm.exe[3420] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076de19a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\Dwm.exe[3420] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076de1b60 5 bytes JMP 0000000076f40460 .text C:\Windows\system32\Dwm.exe[3420] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076de1b90 5 bytes JMP 0000000076f40370 .text C:\Windows\system32\Dwm.exe[3420] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076de1c70 5 bytes JMP 0000000076f402f0 .text C:\Windows\system32\Dwm.exe[3420] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076de1c80 5 bytes JMP 0000000076f40350 .text C:\Windows\system32\Dwm.exe[3420] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076de1ce0 5 bytes JMP 0000000076f40290 .text C:\Windows\system32\Dwm.exe[3420] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076de1d70 5 bytes JMP 0000000076f402b0 .text C:\Windows\system32\Dwm.exe[3420] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076de1d90 5 bytes JMP 0000000076f403a0 .text C:\Windows\system32\Dwm.exe[3420] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076de1da0 1 byte JMP 0000000076f40330 .text C:\Windows\system32\Dwm.exe[3420] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076de1da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\Dwm.exe[3420] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076de1e10 5 bytes JMP 0000000076f403e0 .text C:\Windows\system32\Dwm.exe[3420] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076de1e40 5 bytes JMP 0000000076f40240 .text C:\Windows\system32\Dwm.exe[3420] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076de2100 5 bytes JMP 0000000076f401e0 .text C:\Windows\system32\Dwm.exe[3420] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076de21c0 1 byte JMP 0000000076f40250 .text C:\Windows\system32\Dwm.exe[3420] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076de21c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\Dwm.exe[3420] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076de21f0 5 bytes JMP 0000000076f40470 .text C:\Windows\system32\Dwm.exe[3420] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076de2200 5 bytes JMP 0000000076f40480 .text C:\Windows\system32\Dwm.exe[3420] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076de2230 5 bytes JMP 0000000076f40300 .text C:\Windows\system32\Dwm.exe[3420] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076de2240 5 bytes JMP 0000000076f40360 .text C:\Windows\system32\Dwm.exe[3420] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076de22a0 5 bytes JMP 0000000076f402a0 .text C:\Windows\system32\Dwm.exe[3420] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076de22f0 5 bytes JMP 0000000076f402c0 .text C:\Windows\system32\Dwm.exe[3420] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076de2330 5 bytes JMP 0000000076f40340 .text C:\Windows\system32\Dwm.exe[3420] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076de2620 5 bytes JMP 0000000076f40420 .text C:\Windows\system32\Dwm.exe[3420] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076de2820 5 bytes JMP 0000000076f40260 .text C:\Windows\system32\Dwm.exe[3420] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076de2830 5 bytes JMP 0000000076f40270 .text C:\Windows\system32\Dwm.exe[3420] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076de2840 1 byte JMP 0000000076f403d0 .text C:\Windows\system32\Dwm.exe[3420] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000076de2842 3 bytes {JMP 0x15db90} .text C:\Windows\system32\Dwm.exe[3420] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076de2a00 5 bytes JMP 0000000076f401f0 .text C:\Windows\system32\Dwm.exe[3420] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076de2a10 5 bytes JMP 0000000076f40210 .text C:\Windows\system32\Dwm.exe[3420] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076de2a80 5 bytes JMP 0000000076f40200 .text C:\Windows\system32\Dwm.exe[3420] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076de2ae0 5 bytes JMP 0000000076f403f0 .text C:\Windows\system32\Dwm.exe[3420] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076de2af0 5 bytes JMP 0000000076f40400 .text C:\Windows\system32\Dwm.exe[3420] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076de2b00 5 bytes JMP 0000000076f40220 .text C:\Windows\system32\Dwm.exe[3420] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076de2be0 5 bytes JMP 0000000076f40280 .text C:\Windows\system32\Dwm.exe[3420] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 000000007680eecd 1 byte [62] .text C:\Windows\system32\Dwm.exe[3420] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefe986e00 5 bytes JMP 000007ff7e9a1dac .text C:\Windows\system32\Dwm.exe[3420] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefe986f2c 5 bytes JMP 000007ff7e9a0ecc .text C:\Windows\system32\Dwm.exe[3420] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefe987220 5 bytes JMP 000007ff7e9a1284 .text C:\Windows\system32\Dwm.exe[3420] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefe98739c 5 bytes JMP 000007ff7e9a163c .text C:\Windows\system32\Dwm.exe[3420] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefe987538 5 bytes JMP 000007ff7e9a19f4 .text C:\Windows\system32\Dwm.exe[3420] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefe9875e8 5 bytes JMP 000007ff7e9a03a4 .text C:\Windows\system32\Dwm.exe[3420] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefe98790c 5 bytes JMP 000007ff7e9a075c .text C:\Windows\system32\Dwm.exe[3420] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefe987ab4 5 bytes JMP 000007ff7e9a0b14 .text C:\Windows\Explorer.EXE[3516] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076db3ae0 5 bytes JMP 00000001001d075c .text C:\Windows\Explorer.EXE[3516] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000076db7a90 5 bytes JMP 00000001001d03a4 .text C:\Windows\Explorer.EXE[3516] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076de13c0 5 bytes JMP 0000000076f40440 .text C:\Windows\Explorer.EXE[3516] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076de1410 5 bytes JMP 0000000076f40430 .text C:\Windows\Explorer.EXE[3516] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000076de1490 5 bytes JMP 00000001001d0b14 .text C:\Windows\Explorer.EXE[3516] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000076de14f0 5 bytes JMP 00000001001d0ecc .text C:\Windows\Explorer.EXE[3516] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076de15c0 1 byte JMP 0000000076f40450 .text C:\Windows\Explorer.EXE[3516] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 0000000076de15c2 3 bytes {JMP 0x15ee90} .text C:\Windows\Explorer.EXE[3516] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076de15d0 5 bytes JMP 00000001001d163c .text C:\Windows\Explorer.EXE[3516] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076de1680 5 bytes JMP 0000000076f40320 .text C:\Windows\Explorer.EXE[3516] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076de16b0 5 bytes JMP 0000000076f40380 .text C:\Windows\Explorer.EXE[3516] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076de1710 5 bytes JMP 0000000076f402e0 .text C:\Windows\Explorer.EXE[3516] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076de1760 5 bytes JMP 0000000076f40410 .text C:\Windows\Explorer.EXE[3516] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076de1790 5 bytes JMP 0000000076f402d0 .text C:\Windows\Explorer.EXE[3516] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076de17b0 5 bytes JMP 0000000076f40310 .text C:\Windows\Explorer.EXE[3516] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076de17f0 5 bytes JMP 0000000076f40390 .text C:\Windows\Explorer.EXE[3516] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000076de1810 5 bytes JMP 00000001001d1284 .text C:\Windows\Explorer.EXE[3516] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076de1840 5 bytes JMP 0000000076f403c0 .text C:\Windows\Explorer.EXE[3516] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076de19a0 1 byte JMP 0000000076f40230 .text C:\Windows\Explorer.EXE[3516] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076de19a2 3 bytes {JMP 0x15e890} .text C:\Windows\Explorer.EXE[3516] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076de1b60 5 bytes JMP 0000000076f40460 .text C:\Windows\Explorer.EXE[3516] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076de1b90 5 bytes JMP 0000000076f40370 .text C:\Windows\Explorer.EXE[3516] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076de1c70 5 bytes JMP 0000000076f402f0 .text C:\Windows\Explorer.EXE[3516] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076de1c80 5 bytes JMP 0000000076f40350 .text C:\Windows\Explorer.EXE[3516] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076de1ce0 5 bytes JMP 0000000076f40290 .text C:\Windows\Explorer.EXE[3516] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076de1d70 5 bytes JMP 0000000076f402b0 .text C:\Windows\Explorer.EXE[3516] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076de1d90 5 bytes JMP 0000000076f403a0 .text C:\Windows\Explorer.EXE[3516] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076de1da0 1 byte JMP 0000000076f40330 .text C:\Windows\Explorer.EXE[3516] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076de1da2 3 bytes {JMP 0x15e590} .text C:\Windows\Explorer.EXE[3516] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076de1e10 5 bytes JMP 0000000076f403e0 .text C:\Windows\Explorer.EXE[3516] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076de1e40 5 bytes JMP 0000000076f40240 .text C:\Windows\Explorer.EXE[3516] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076de2100 5 bytes JMP 0000000076f401e0 .text C:\Windows\Explorer.EXE[3516] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076de21c0 1 byte JMP 0000000076f40250 .text C:\Windows\Explorer.EXE[3516] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076de21c2 3 bytes {JMP 0x15e090} .text C:\Windows\Explorer.EXE[3516] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076de21f0 5 bytes JMP 0000000076f40470 .text C:\Windows\Explorer.EXE[3516] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076de2200 5 bytes JMP 0000000076f40480 .text C:\Windows\Explorer.EXE[3516] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076de2230 5 bytes JMP 0000000076f40300 .text C:\Windows\Explorer.EXE[3516] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076de2240 5 bytes JMP 0000000076f40360 .text C:\Windows\Explorer.EXE[3516] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076de22a0 5 bytes JMP 0000000076f402a0 .text C:\Windows\Explorer.EXE[3516] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076de22f0 5 bytes JMP 0000000076f402c0 .text C:\Windows\Explorer.EXE[3516] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076de2330 5 bytes JMP 0000000076f40340 .text C:\Windows\Explorer.EXE[3516] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076de2620 5 bytes JMP 0000000076f40420 .text C:\Windows\Explorer.EXE[3516] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076de2820 5 bytes JMP 0000000076f40260 .text C:\Windows\Explorer.EXE[3516] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076de2830 5 bytes JMP 0000000076f40270 .text C:\Windows\Explorer.EXE[3516] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076de2840 1 byte JMP 0000000076f403d0 .text C:\Windows\Explorer.EXE[3516] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000076de2842 3 bytes {JMP 0x15db90} .text C:\Windows\Explorer.EXE[3516] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076de2a00 5 bytes JMP 0000000076f401f0 .text C:\Windows\Explorer.EXE[3516] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076de2a10 5 bytes JMP 0000000076f40210 .text C:\Windows\Explorer.EXE[3516] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076de2a80 5 bytes JMP 0000000076f40200 .text C:\Windows\Explorer.EXE[3516] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076de2ae0 5 bytes JMP 0000000076f403f0 .text C:\Windows\Explorer.EXE[3516] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076de2af0 5 bytes JMP 0000000076f40400 .text C:\Windows\Explorer.EXE[3516] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076de2b00 5 bytes JMP 0000000076f40220 .text C:\Windows\Explorer.EXE[3516] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076de2be0 5 bytes JMP 0000000076f40280 .text C:\Windows\Explorer.EXE[3516] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 000000007680eecd 1 byte [62] .text C:\Windows\Explorer.EXE[3516] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefe986e00 5 bytes JMP 000007ff7e9a1dac .text C:\Windows\Explorer.EXE[3516] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefe986f2c 5 bytes JMP 000007ff7e9a0ecc .text C:\Windows\Explorer.EXE[3516] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefe987220 5 bytes JMP 000007ff7e9a1284 .text C:\Windows\Explorer.EXE[3516] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefe98739c 5 bytes JMP 000007ff7e9a163c .text C:\Windows\Explorer.EXE[3516] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefe987538 5 bytes JMP 000007ff7e9a19f4 .text C:\Windows\Explorer.EXE[3516] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefe9875e8 5 bytes JMP 000007ff7e9a03a4 .text C:\Windows\Explorer.EXE[3516] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefe98790c 5 bytes JMP 000007ff7e9a075c .text C:\Windows\Explorer.EXE[3516] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefe987ab4 5 bytes JMP 000007ff7e9a0b14 .text C:\ProgramData\DatacardService\DCSHelper.exe[3688] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 0000000076f8faa0 5 bytes JMP 0000000100030600 .text C:\ProgramData\DatacardService\DCSHelper.exe[3688] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 0000000076f8fb38 5 bytes JMP 0000000100030804 .text C:\ProgramData\DatacardService\DCSHelper.exe[3688] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000076f8fc90 5 bytes JMP 0000000100030c0c .text C:\ProgramData\DatacardService\DCSHelper.exe[3688] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000076f90018 5 bytes JMP 0000000100030a08 .text C:\ProgramData\DatacardService\DCSHelper.exe[3688] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000076fac45a 5 bytes JMP 00000001000301f8 .text C:\ProgramData\DatacardService\DCSHelper.exe[3688] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000076fb1217 5 bytes JMP 00000001000303fc .text C:\ProgramData\DatacardService\DCSHelper.exe[3688] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 00000000746ea30a 1 byte [62] .text C:\ProgramData\DatacardService\DCSHelper.exe[3688] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000075b4ee09 5 bytes JMP 00000001002401f8 .text C:\ProgramData\DatacardService\DCSHelper.exe[3688] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000075b53982 5 bytes JMP 00000001002403fc .text C:\ProgramData\DatacardService\DCSHelper.exe[3688] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000075b57603 5 bytes JMP 0000000100240804 .text C:\ProgramData\DatacardService\DCSHelper.exe[3688] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000075b5835c 5 bytes JMP 0000000100240600 .text C:\ProgramData\DatacardService\DCSHelper.exe[3688] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 0000000075b6f52b 5 bytes JMP 0000000100240a08 .text C:\ProgramData\DatacardService\DCSHelper.exe[3688] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000076295181 5 bytes JMP 0000000100251014 .text C:\ProgramData\DatacardService\DCSHelper.exe[3688] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000076295254 5 bytes JMP 0000000100250804 .text C:\ProgramData\DatacardService\DCSHelper.exe[3688] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000762953d5 5 bytes JMP 0000000100250a08 .text C:\ProgramData\DatacardService\DCSHelper.exe[3688] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000762954c2 5 bytes JMP 0000000100250c0c .text C:\ProgramData\DatacardService\DCSHelper.exe[3688] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000762955e2 5 bytes JMP 0000000100250e10 .text C:\ProgramData\DatacardService\DCSHelper.exe[3688] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 000000007629567c 5 bytes JMP 00000001002501f8 .text C:\ProgramData\DatacardService\DCSHelper.exe[3688] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 000000007629589f 5 bytes JMP 00000001002503fc .text C:\ProgramData\DatacardService\DCSHelper.exe[3688] C:\Windows\SysWOW64\sechost.dll!DeleteService 0000000076295a22 5 bytes JMP 0000000100250600 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3792] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076db3ae0 5 bytes JMP 000000010035075c .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3792] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000076db7a90 5 bytes JMP 00000001003503a4 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3792] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076de13c0 5 bytes JMP 0000000076f40440 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3792] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076de1410 5 bytes JMP 0000000076f40430 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3792] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000076de1490 5 bytes JMP 0000000100350b14 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3792] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000076de14f0 5 bytes JMP 0000000100350ecc .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3792] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076de15c0 1 byte JMP 0000000076f40450 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3792] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 0000000076de15c2 3 bytes {JMP 0x15ee90} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3792] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076de15d0 5 bytes JMP 000000010035163c .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3792] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076de1680 5 bytes JMP 0000000076f40320 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3792] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076de16b0 5 bytes JMP 0000000076f40380 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3792] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076de1710 5 bytes JMP 0000000076f402e0 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3792] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076de1760 5 bytes JMP 0000000076f40410 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3792] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076de1790 5 bytes JMP 0000000076f402d0 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3792] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076de17b0 5 bytes JMP 0000000076f40310 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3792] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076de17f0 5 bytes JMP 0000000076f40390 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3792] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000076de1810 5 bytes JMP 0000000100351284 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3792] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076de1840 5 bytes JMP 0000000076f403c0 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3792] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076de19a0 1 byte JMP 0000000076f40230 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3792] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076de19a2 3 bytes {JMP 0x15e890} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3792] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076de1b60 5 bytes JMP 0000000076f40460 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3792] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076de1b90 5 bytes JMP 0000000076f40370 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3792] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076de1c70 5 bytes JMP 0000000076f402f0 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3792] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076de1c80 5 bytes JMP 0000000076f40350 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3792] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076de1ce0 5 bytes JMP 0000000076f40290 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3792] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076de1d70 5 bytes JMP 0000000076f402b0 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3792] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076de1d90 5 bytes JMP 0000000076f403a0 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3792] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076de1da0 1 byte JMP 0000000076f40330 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3792] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076de1da2 3 bytes {JMP 0x15e590} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3792] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076de1e10 5 bytes JMP 0000000076f403e0 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3792] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076de1e40 5 bytes JMP 0000000076f40240 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3792] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076de2100 5 bytes JMP 0000000076f401e0 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3792] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076de21c0 1 byte JMP 0000000076f40250 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3792] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076de21c2 3 bytes {JMP 0x15e090} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3792] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076de21f0 5 bytes JMP 0000000076f40470 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3792] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076de2200 5 bytes JMP 0000000076f40480 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3792] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076de2230 5 bytes JMP 0000000076f40300 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3792] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076de2240 5 bytes JMP 0000000076f40360 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3792] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076de22a0 5 bytes JMP 0000000076f402a0 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3792] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076de22f0 5 bytes JMP 0000000076f402c0 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3792] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076de2330 5 bytes JMP 0000000076f40340 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3792] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076de2620 5 bytes JMP 0000000076f40420 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3792] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076de2820 5 bytes JMP 0000000076f40260 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3792] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076de2830 5 bytes JMP 0000000076f40270 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3792] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076de2840 1 byte JMP 0000000076f403d0 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3792] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000076de2842 3 bytes {JMP 0x15db90} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3792] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076de2a00 5 bytes JMP 0000000076f401f0 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3792] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076de2a10 5 bytes JMP 0000000076f40210 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3792] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076de2a80 5 bytes JMP 0000000076f40200 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3792] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076de2ae0 5 bytes JMP 0000000076f403f0 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3792] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076de2af0 5 bytes JMP 0000000076f40400 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3792] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076de2b00 5 bytes JMP 0000000076f40220 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3792] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076de2be0 5 bytes JMP 0000000076f40280 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3792] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 000000007680eecd 1 byte [62] .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3792] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefe986e00 5 bytes JMP 000007ff7e9a1dac .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3792] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefe986f2c 5 bytes JMP 000007ff7e9a0ecc .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3792] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefe987220 5 bytes JMP 000007ff7e9a1284 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3792] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefe98739c 5 bytes JMP 000007ff7e9a163c .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3792] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefe987538 5 bytes JMP 000007ff7e9a19f4 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3792] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefe9875e8 5 bytes JMP 000007ff7e9a03a4 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3792] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefe98790c 5 bytes JMP 000007ff7e9a075c .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3792] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefe987ab4 5 bytes JMP 000007ff7e9a0b14 .text C:\Program Files\Hewlett-Packard\HP MediaSmart\SmartMenu.exe[3800] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076db3ae0 5 bytes JMP 00000001003a075c .text C:\Program Files\Hewlett-Packard\HP MediaSmart\SmartMenu.exe[3800] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000076db7a90 5 bytes JMP 00000001003a03a4 .text C:\Program Files\Hewlett-Packard\HP MediaSmart\SmartMenu.exe[3800] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076de13c0 5 bytes JMP 0000000076f40440 .text C:\Program Files\Hewlett-Packard\HP MediaSmart\SmartMenu.exe[3800] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076de1410 5 bytes JMP 0000000076f40430 .text C:\Program Files\Hewlett-Packard\HP MediaSmart\SmartMenu.exe[3800] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000076de1490 5 bytes JMP 00000001003a0b14 .text C:\Program Files\Hewlett-Packard\HP MediaSmart\SmartMenu.exe[3800] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000076de14f0 5 bytes JMP 00000001003a0ecc .text C:\Program Files\Hewlett-Packard\HP MediaSmart\SmartMenu.exe[3800] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076de15c0 1 byte JMP 0000000076f40450 .text C:\Program Files\Hewlett-Packard\HP MediaSmart\SmartMenu.exe[3800] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 0000000076de15c2 3 bytes {JMP 0x15ee90} .text C:\Program Files\Hewlett-Packard\HP MediaSmart\SmartMenu.exe[3800] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076de15d0 5 bytes JMP 00000001003a163c .text C:\Program Files\Hewlett-Packard\HP MediaSmart\SmartMenu.exe[3800] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076de1680 5 bytes JMP 0000000076f40320 .text C:\Program Files\Hewlett-Packard\HP MediaSmart\SmartMenu.exe[3800] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076de16b0 5 bytes JMP 0000000076f40380 .text C:\Program Files\Hewlett-Packard\HP MediaSmart\SmartMenu.exe[3800] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076de1710 5 bytes JMP 0000000076f402e0 .text C:\Program Files\Hewlett-Packard\HP MediaSmart\SmartMenu.exe[3800] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076de1760 5 bytes JMP 0000000076f40410 .text C:\Program Files\Hewlett-Packard\HP MediaSmart\SmartMenu.exe[3800] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076de1790 5 bytes JMP 0000000076f402d0 .text C:\Program Files\Hewlett-Packard\HP MediaSmart\SmartMenu.exe[3800] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076de17b0 5 bytes JMP 0000000076f40310 .text C:\Program Files\Hewlett-Packard\HP MediaSmart\SmartMenu.exe[3800] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076de17f0 5 bytes JMP 0000000076f40390 .text C:\Program Files\Hewlett-Packard\HP MediaSmart\SmartMenu.exe[3800] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000076de1810 5 bytes JMP 00000001003a1284 .text C:\Program Files\Hewlett-Packard\HP MediaSmart\SmartMenu.exe[3800] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076de1840 5 bytes JMP 0000000076f403c0 .text C:\Program Files\Hewlett-Packard\HP MediaSmart\SmartMenu.exe[3800] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076de19a0 1 byte JMP 0000000076f40230 .text C:\Program Files\Hewlett-Packard\HP MediaSmart\SmartMenu.exe[3800] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076de19a2 3 bytes {JMP 0x15e890} .text C:\Program Files\Hewlett-Packard\HP MediaSmart\SmartMenu.exe[3800] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076de1b60 5 bytes JMP 0000000076f40460 .text C:\Program Files\Hewlett-Packard\HP MediaSmart\SmartMenu.exe[3800] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076de1b90 5 bytes JMP 0000000076f40370 .text C:\Program Files\Hewlett-Packard\HP MediaSmart\SmartMenu.exe[3800] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076de1c70 5 bytes JMP 0000000076f402f0 .text C:\Program Files\Hewlett-Packard\HP MediaSmart\SmartMenu.exe[3800] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076de1c80 5 bytes JMP 0000000076f40350 .text C:\Program Files\Hewlett-Packard\HP MediaSmart\SmartMenu.exe[3800] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076de1ce0 5 bytes JMP 0000000076f40290 .text C:\Program Files\Hewlett-Packard\HP MediaSmart\SmartMenu.exe[3800] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076de1d70 5 bytes JMP 0000000076f402b0 .text C:\Program Files\Hewlett-Packard\HP MediaSmart\SmartMenu.exe[3800] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076de1d90 5 bytes JMP 0000000076f403a0 .text C:\Program Files\Hewlett-Packard\HP MediaSmart\SmartMenu.exe[3800] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076de1da0 1 byte JMP 0000000076f40330 .text C:\Program Files\Hewlett-Packard\HP MediaSmart\SmartMenu.exe[3800] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076de1da2 3 bytes {JMP 0x15e590} .text C:\Program Files\Hewlett-Packard\HP MediaSmart\SmartMenu.exe[3800] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076de1e10 5 bytes JMP 0000000076f403e0 .text C:\Program Files\Hewlett-Packard\HP MediaSmart\SmartMenu.exe[3800] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076de1e40 5 bytes JMP 0000000076f40240 .text C:\Program Files\Hewlett-Packard\HP MediaSmart\SmartMenu.exe[3800] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076de2100 5 bytes JMP 0000000076f401e0 .text C:\Program Files\Hewlett-Packard\HP MediaSmart\SmartMenu.exe[3800] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076de21c0 1 byte JMP 0000000076f40250 .text C:\Program Files\Hewlett-Packard\HP MediaSmart\SmartMenu.exe[3800] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076de21c2 3 bytes {JMP 0x15e090} .text C:\Program Files\Hewlett-Packard\HP MediaSmart\SmartMenu.exe[3800] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076de21f0 5 bytes JMP 0000000076f40470 .text C:\Program Files\Hewlett-Packard\HP MediaSmart\SmartMenu.exe[3800] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076de2200 5 bytes JMP 0000000076f40480 .text C:\Program Files\Hewlett-Packard\HP MediaSmart\SmartMenu.exe[3800] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076de2230 5 bytes JMP 0000000076f40300 .text C:\Program Files\Hewlett-Packard\HP MediaSmart\SmartMenu.exe[3800] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076de2240 5 bytes JMP 0000000076f40360 .text C:\Program Files\Hewlett-Packard\HP MediaSmart\SmartMenu.exe[3800] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076de22a0 5 bytes JMP 0000000076f402a0 .text C:\Program Files\Hewlett-Packard\HP MediaSmart\SmartMenu.exe[3800] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076de22f0 5 bytes JMP 0000000076f402c0 .text C:\Program Files\Hewlett-Packard\HP MediaSmart\SmartMenu.exe[3800] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076de2330 5 bytes JMP 0000000076f40340 .text C:\Program Files\Hewlett-Packard\HP MediaSmart\SmartMenu.exe[3800] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076de2620 5 bytes JMP 0000000076f40420 .text C:\Program Files\Hewlett-Packard\HP MediaSmart\SmartMenu.exe[3800] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076de2820 5 bytes JMP 0000000076f40260 .text C:\Program Files\Hewlett-Packard\HP MediaSmart\SmartMenu.exe[3800] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076de2830 5 bytes JMP 0000000076f40270 .text C:\Program Files\Hewlett-Packard\HP MediaSmart\SmartMenu.exe[3800] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076de2840 1 byte JMP 0000000076f403d0 .text C:\Program Files\Hewlett-Packard\HP MediaSmart\SmartMenu.exe[3800] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000076de2842 3 bytes {JMP 0x15db90} .text C:\Program Files\Hewlett-Packard\HP MediaSmart\SmartMenu.exe[3800] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076de2a00 5 bytes JMP 0000000076f401f0 .text C:\Program Files\Hewlett-Packard\HP MediaSmart\SmartMenu.exe[3800] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076de2a10 5 bytes JMP 0000000076f40210 .text C:\Program Files\Hewlett-Packard\HP MediaSmart\SmartMenu.exe[3800] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076de2a80 5 bytes JMP 0000000076f40200 .text C:\Program Files\Hewlett-Packard\HP MediaSmart\SmartMenu.exe[3800] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076de2ae0 5 bytes JMP 0000000076f403f0 .text C:\Program Files\Hewlett-Packard\HP MediaSmart\SmartMenu.exe[3800] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076de2af0 5 bytes JMP 0000000076f40400 .text C:\Program Files\Hewlett-Packard\HP MediaSmart\SmartMenu.exe[3800] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076de2b00 5 bytes JMP 0000000076f40220 .text C:\Program Files\Hewlett-Packard\HP MediaSmart\SmartMenu.exe[3800] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076de2be0 5 bytes JMP 0000000076f40280 .text C:\Program Files\Hewlett-Packard\HP MediaSmart\SmartMenu.exe[3800] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 000000007680eecd 1 byte [62] .text C:\Program Files\Hewlett-Packard\HP MediaSmart\SmartMenu.exe[3800] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefe986e00 5 bytes JMP 000007ff7e9a1dac .text C:\Program Files\Hewlett-Packard\HP MediaSmart\SmartMenu.exe[3800] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefe986f2c 5 bytes JMP 000007ff7e9a0ecc .text C:\Program Files\Hewlett-Packard\HP MediaSmart\SmartMenu.exe[3800] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefe987220 5 bytes JMP 000007ff7e9a1284 .text C:\Program Files\Hewlett-Packard\HP MediaSmart\SmartMenu.exe[3800] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefe98739c 5 bytes JMP 000007ff7e9a163c .text C:\Program Files\Hewlett-Packard\HP MediaSmart\SmartMenu.exe[3800] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefe987538 5 bytes JMP 000007ff7e9a19f4 .text C:\Program Files\Hewlett-Packard\HP MediaSmart\SmartMenu.exe[3800] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefe9875e8 5 bytes JMP 000007ff7e9a03a4 .text C:\Program Files\Hewlett-Packard\HP MediaSmart\SmartMenu.exe[3800] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefe98790c 5 bytes JMP 000007ff7e9a075c .text C:\Program Files\Hewlett-Packard\HP MediaSmart\SmartMenu.exe[3800] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefe987ab4 5 bytes JMP 000007ff7e9a0b14 .text C:\Program Files\Java\jre6\bin\jusched.exe[3888] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefe986e00 5 bytes JMP 000007ff7e9a1dac .text C:\Program Files\Java\jre6\bin\jusched.exe[3888] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefe986f2c 5 bytes JMP 000007ff7e9a0ecc .text C:\Program Files\Java\jre6\bin\jusched.exe[3888] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefe987220 5 bytes JMP 000007ff7e9a1284 .text C:\Program Files\Java\jre6\bin\jusched.exe[3888] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefe98739c 5 bytes JMP 000007ff7e9a163c .text C:\Program Files\Java\jre6\bin\jusched.exe[3888] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefe987538 5 bytes JMP 000007ff7e9a19f4 .text C:\Program Files\Java\jre6\bin\jusched.exe[3888] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefe9875e8 5 bytes JMP 000007ff7e9a03a4 .text C:\Program Files\Java\jre6\bin\jusched.exe[3888] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefe98790c 5 bytes JMP 000007ff7e9a075c .text C:\Program Files\Java\jre6\bin\jusched.exe[3888] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefe987ab4 5 bytes JMP 000007ff7e9a0b14 .text C:\Windows\WindowsMobile\wmdc.exe[3896] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076db3ae0 5 bytes JMP 00000001001e075c .text C:\Windows\WindowsMobile\wmdc.exe[3896] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000076db7a90 5 bytes JMP 00000001001e03a4 .text C:\Windows\WindowsMobile\wmdc.exe[3896] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076de13c0 5 bytes JMP 0000000076f40440 .text C:\Windows\WindowsMobile\wmdc.exe[3896] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076de1410 5 bytes JMP 0000000076f40430 .text C:\Windows\WindowsMobile\wmdc.exe[3896] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000076de1490 5 bytes JMP 00000001001e0b14 .text C:\Windows\WindowsMobile\wmdc.exe[3896] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000076de14f0 5 bytes JMP 00000001001e0ecc .text C:\Windows\WindowsMobile\wmdc.exe[3896] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076de15c0 1 byte JMP 0000000076f40450 .text C:\Windows\WindowsMobile\wmdc.exe[3896] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 0000000076de15c2 3 bytes {JMP 0x15ee90} .text C:\Windows\WindowsMobile\wmdc.exe[3896] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076de15d0 5 bytes JMP 00000001001e163c .text C:\Windows\WindowsMobile\wmdc.exe[3896] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076de1680 5 bytes JMP 0000000076f40320 .text C:\Windows\WindowsMobile\wmdc.exe[3896] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076de16b0 5 bytes JMP 0000000076f40380 .text C:\Windows\WindowsMobile\wmdc.exe[3896] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076de1710 5 bytes JMP 0000000076f402e0 .text C:\Windows\WindowsMobile\wmdc.exe[3896] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076de1760 5 bytes JMP 0000000076f40410 .text C:\Windows\WindowsMobile\wmdc.exe[3896] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076de1790 5 bytes JMP 0000000076f402d0 .text C:\Windows\WindowsMobile\wmdc.exe[3896] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076de17b0 5 bytes JMP 0000000076f40310 .text C:\Windows\WindowsMobile\wmdc.exe[3896] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076de17f0 5 bytes JMP 0000000076f40390 .text C:\Windows\WindowsMobile\wmdc.exe[3896] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000076de1810 5 bytes JMP 00000001001e1284 .text C:\Windows\WindowsMobile\wmdc.exe[3896] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076de1840 5 bytes JMP 0000000076f403c0 .text C:\Windows\WindowsMobile\wmdc.exe[3896] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076de19a0 1 byte JMP 0000000076f40230 .text C:\Windows\WindowsMobile\wmdc.exe[3896] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076de19a2 3 bytes {JMP 0x15e890} .text C:\Windows\WindowsMobile\wmdc.exe[3896] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076de1b60 5 bytes JMP 0000000076f40460 .text C:\Windows\WindowsMobile\wmdc.exe[3896] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076de1b90 5 bytes JMP 0000000076f40370 .text C:\Windows\WindowsMobile\wmdc.exe[3896] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076de1c70 5 bytes JMP 0000000076f402f0 .text C:\Windows\WindowsMobile\wmdc.exe[3896] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076de1c80 5 bytes JMP 0000000076f40350 .text C:\Windows\WindowsMobile\wmdc.exe[3896] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076de1ce0 5 bytes JMP 0000000076f40290 .text C:\Windows\WindowsMobile\wmdc.exe[3896] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076de1d70 5 bytes JMP 0000000076f402b0 .text C:\Windows\WindowsMobile\wmdc.exe[3896] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076de1d90 5 bytes JMP 0000000076f403a0 .text C:\Windows\WindowsMobile\wmdc.exe[3896] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076de1da0 1 byte JMP 0000000076f40330 .text C:\Windows\WindowsMobile\wmdc.exe[3896] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076de1da2 3 bytes {JMP 0x15e590} .text C:\Windows\WindowsMobile\wmdc.exe[3896] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076de1e10 5 bytes JMP 0000000076f403e0 .text C:\Windows\WindowsMobile\wmdc.exe[3896] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076de1e40 5 bytes JMP 0000000076f40240 .text C:\Windows\WindowsMobile\wmdc.exe[3896] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076de2100 5 bytes JMP 0000000076f401e0 .text C:\Windows\WindowsMobile\wmdc.exe[3896] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076de21c0 1 byte JMP 0000000076f40250 .text C:\Windows\WindowsMobile\wmdc.exe[3896] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076de21c2 3 bytes {JMP 0x15e090} .text C:\Windows\WindowsMobile\wmdc.exe[3896] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076de21f0 5 bytes JMP 0000000076f40470 .text C:\Windows\WindowsMobile\wmdc.exe[3896] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076de2200 5 bytes JMP 0000000076f40480 .text C:\Windows\WindowsMobile\wmdc.exe[3896] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076de2230 5 bytes JMP 0000000076f40300 .text C:\Windows\WindowsMobile\wmdc.exe[3896] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076de2240 5 bytes JMP 0000000076f40360 .text C:\Windows\WindowsMobile\wmdc.exe[3896] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076de22a0 5 bytes JMP 0000000076f402a0 .text C:\Windows\WindowsMobile\wmdc.exe[3896] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076de22f0 5 bytes JMP 0000000076f402c0 .text C:\Windows\WindowsMobile\wmdc.exe[3896] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076de2330 5 bytes JMP 0000000076f40340 .text C:\Windows\WindowsMobile\wmdc.exe[3896] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076de2620 5 bytes JMP 0000000076f40420 .text C:\Windows\WindowsMobile\wmdc.exe[3896] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076de2820 5 bytes JMP 0000000076f40260 .text C:\Windows\WindowsMobile\wmdc.exe[3896] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076de2830 5 bytes JMP 0000000076f40270 .text C:\Windows\WindowsMobile\wmdc.exe[3896] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076de2840 1 byte JMP 0000000076f403d0 .text C:\Windows\WindowsMobile\wmdc.exe[3896] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000076de2842 3 bytes {JMP 0x15db90} .text C:\Windows\WindowsMobile\wmdc.exe[3896] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076de2a00 5 bytes JMP 0000000076f401f0 .text C:\Windows\WindowsMobile\wmdc.exe[3896] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076de2a10 5 bytes JMP 0000000076f40210 .text C:\Windows\WindowsMobile\wmdc.exe[3896] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076de2a80 5 bytes JMP 0000000076f40200 .text C:\Windows\WindowsMobile\wmdc.exe[3896] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076de2ae0 5 bytes JMP 0000000076f403f0 .text C:\Windows\WindowsMobile\wmdc.exe[3896] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076de2af0 5 bytes JMP 0000000076f40400 .text C:\Windows\WindowsMobile\wmdc.exe[3896] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076de2b00 5 bytes JMP 0000000076f40220 .text C:\Windows\WindowsMobile\wmdc.exe[3896] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076de2be0 5 bytes JMP 0000000076f40280 .text C:\Windows\WindowsMobile\wmdc.exe[3896] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 000000007680eecd 1 byte [62] .text C:\Windows\WindowsMobile\wmdc.exe[3896] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefe986e00 5 bytes JMP 000007ff7e9a1dac .text C:\Windows\WindowsMobile\wmdc.exe[3896] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefe986f2c 5 bytes JMP 000007ff7e9a0ecc .text C:\Windows\WindowsMobile\wmdc.exe[3896] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefe987220 5 bytes JMP 000007ff7e9a1284 .text C:\Windows\WindowsMobile\wmdc.exe[3896] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefe98739c 5 bytes JMP 000007ff7e9a163c .text C:\Windows\WindowsMobile\wmdc.exe[3896] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefe987538 5 bytes JMP 000007ff7e9a19f4 .text C:\Windows\WindowsMobile\wmdc.exe[3896] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefe9875e8 5 bytes JMP 000007ff7e9a03a4 .text C:\Windows\WindowsMobile\wmdc.exe[3896] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefe98790c 5 bytes JMP 000007ff7e9a075c .text C:\Windows\WindowsMobile\wmdc.exe[3896] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefe987ab4 5 bytes JMP 000007ff7e9a0b14 .text C:\Program Files\IDT\WDM\sttray64.exe[4016] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076db3ae0 5 bytes JMP 000000010021075c .text C:\Program Files\IDT\WDM\sttray64.exe[4016] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000076db7a90 5 bytes JMP 00000001002103a4 .text C:\Program Files\IDT\WDM\sttray64.exe[4016] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076de13c0 5 bytes JMP 0000000076f40440 .text C:\Program Files\IDT\WDM\sttray64.exe[4016] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076de1410 5 bytes JMP 0000000076f40430 .text C:\Program Files\IDT\WDM\sttray64.exe[4016] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000076de1490 5 bytes JMP 0000000100210b14 .text C:\Program Files\IDT\WDM\sttray64.exe[4016] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000076de14f0 5 bytes JMP 0000000100210ecc .text C:\Program Files\IDT\WDM\sttray64.exe[4016] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076de15c0 1 byte JMP 0000000076f40450 .text C:\Program Files\IDT\WDM\sttray64.exe[4016] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 0000000076de15c2 3 bytes {JMP 0x15ee90} .text C:\Program Files\IDT\WDM\sttray64.exe[4016] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076de15d0 5 bytes JMP 000000010021163c .text C:\Program Files\IDT\WDM\sttray64.exe[4016] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076de1680 5 bytes JMP 0000000076f40320 .text C:\Program Files\IDT\WDM\sttray64.exe[4016] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076de16b0 5 bytes JMP 0000000076f40380 .text C:\Program Files\IDT\WDM\sttray64.exe[4016] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076de1710 5 bytes JMP 0000000076f402e0 .text C:\Program Files\IDT\WDM\sttray64.exe[4016] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076de1760 5 bytes JMP 0000000076f40410 .text C:\Program Files\IDT\WDM\sttray64.exe[4016] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076de1790 5 bytes JMP 0000000076f402d0 .text C:\Program Files\IDT\WDM\sttray64.exe[4016] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076de17b0 5 bytes JMP 0000000076f40310 .text C:\Program Files\IDT\WDM\sttray64.exe[4016] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076de17f0 5 bytes JMP 0000000076f40390 .text C:\Program Files\IDT\WDM\sttray64.exe[4016] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000076de1810 5 bytes JMP 0000000100211284 .text C:\Program Files\IDT\WDM\sttray64.exe[4016] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076de1840 5 bytes JMP 0000000076f403c0 .text C:\Program Files\IDT\WDM\sttray64.exe[4016] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076de19a0 1 byte JMP 0000000076f40230 .text C:\Program Files\IDT\WDM\sttray64.exe[4016] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076de19a2 3 bytes {JMP 0x15e890} .text C:\Program Files\IDT\WDM\sttray64.exe[4016] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076de1b60 5 bytes JMP 0000000076f40460 .text C:\Program Files\IDT\WDM\sttray64.exe[4016] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076de1b90 5 bytes JMP 0000000076f40370 .text C:\Program Files\IDT\WDM\sttray64.exe[4016] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076de1c70 5 bytes JMP 0000000076f402f0 .text C:\Program Files\IDT\WDM\sttray64.exe[4016] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076de1c80 5 bytes JMP 0000000076f40350 .text C:\Program Files\IDT\WDM\sttray64.exe[4016] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076de1ce0 5 bytes JMP 0000000076f40290 .text C:\Program Files\IDT\WDM\sttray64.exe[4016] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076de1d70 5 bytes JMP 0000000076f402b0 .text C:\Program Files\IDT\WDM\sttray64.exe[4016] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076de1d90 5 bytes JMP 0000000076f403a0 .text C:\Program Files\IDT\WDM\sttray64.exe[4016] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076de1da0 1 byte JMP 0000000076f40330 .text C:\Program Files\IDT\WDM\sttray64.exe[4016] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076de1da2 3 bytes {JMP 0x15e590} .text C:\Program Files\IDT\WDM\sttray64.exe[4016] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076de1e10 5 bytes JMP 0000000076f403e0 .text C:\Program Files\IDT\WDM\sttray64.exe[4016] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076de1e40 5 bytes JMP 0000000076f40240 .text C:\Program Files\IDT\WDM\sttray64.exe[4016] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076de2100 5 bytes JMP 0000000076f401e0 .text C:\Program Files\IDT\WDM\sttray64.exe[4016] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076de21c0 1 byte JMP 0000000076f40250 .text C:\Program Files\IDT\WDM\sttray64.exe[4016] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076de21c2 3 bytes {JMP 0x15e090} .text C:\Program Files\IDT\WDM\sttray64.exe[4016] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076de21f0 5 bytes JMP 0000000076f40470 .text C:\Program Files\IDT\WDM\sttray64.exe[4016] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076de2200 5 bytes JMP 0000000076f40480 .text C:\Program Files\IDT\WDM\sttray64.exe[4016] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076de2230 5 bytes JMP 0000000076f40300 .text C:\Program Files\IDT\WDM\sttray64.exe[4016] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076de2240 5 bytes JMP 0000000076f40360 .text C:\Program Files\IDT\WDM\sttray64.exe[4016] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076de22a0 5 bytes JMP 0000000076f402a0 .text C:\Program Files\IDT\WDM\sttray64.exe[4016] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076de22f0 5 bytes JMP 0000000076f402c0 .text C:\Program Files\IDT\WDM\sttray64.exe[4016] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076de2330 5 bytes JMP 0000000076f40340 .text C:\Program Files\IDT\WDM\sttray64.exe[4016] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076de2620 5 bytes JMP 0000000076f40420 .text C:\Program Files\IDT\WDM\sttray64.exe[4016] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076de2820 5 bytes JMP 0000000076f40260 .text C:\Program Files\IDT\WDM\sttray64.exe[4016] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076de2830 5 bytes JMP 0000000076f40270 .text C:\Program Files\IDT\WDM\sttray64.exe[4016] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076de2840 1 byte JMP 0000000076f403d0 .text C:\Program Files\IDT\WDM\sttray64.exe[4016] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000076de2842 3 bytes {JMP 0x15db90} .text C:\Program Files\IDT\WDM\sttray64.exe[4016] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076de2a00 5 bytes JMP 0000000076f401f0 .text C:\Program Files\IDT\WDM\sttray64.exe[4016] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076de2a10 5 bytes JMP 0000000076f40210 .text C:\Program Files\IDT\WDM\sttray64.exe[4016] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076de2a80 5 bytes JMP 0000000076f40200 .text C:\Program Files\IDT\WDM\sttray64.exe[4016] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076de2ae0 5 bytes JMP 0000000076f403f0 .text C:\Program Files\IDT\WDM\sttray64.exe[4016] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076de2af0 5 bytes JMP 0000000076f40400 .text C:\Program Files\IDT\WDM\sttray64.exe[4016] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076de2b00 5 bytes JMP 0000000076f40220 .text C:\Program Files\IDT\WDM\sttray64.exe[4016] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076de2be0 5 bytes JMP 0000000076f40280 .text C:\Program Files\IDT\WDM\sttray64.exe[4016] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 000000007680eecd 1 byte [62] .text C:\Program Files\IDT\WDM\sttray64.exe[4016] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefe986e00 5 bytes JMP 000007ff7e9a1dac .text C:\Program Files\IDT\WDM\sttray64.exe[4016] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefe986f2c 5 bytes JMP 000007ff7e9a0ecc .text C:\Program Files\IDT\WDM\sttray64.exe[4016] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefe987220 5 bytes JMP 000007ff7e9a1284 .text C:\Program Files\IDT\WDM\sttray64.exe[4016] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefe98739c 5 bytes JMP 000007ff7e9a163c .text C:\Program Files\IDT\WDM\sttray64.exe[4016] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefe987538 5 bytes JMP 000007ff7e9a19f4 .text C:\Program Files\IDT\WDM\sttray64.exe[4016] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefe9875e8 5 bytes JMP 000007ff7e9a03a4 .text C:\Program Files\IDT\WDM\sttray64.exe[4016] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefe98790c 5 bytes JMP 000007ff7e9a075c .text C:\Program Files\IDT\WDM\sttray64.exe[4016] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefe987ab4 5 bytes JMP 000007ff7e9a0b14 .text C:\Program Files (x86)\Hewlett-Packard\HP Advisor\HPAdvisor.exe[4024] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 0000000076f8faa0 5 bytes JMP 0000000100030600 .text C:\Program Files (x86)\Hewlett-Packard\HP Advisor\HPAdvisor.exe[4024] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 0000000076f8fb38 5 bytes JMP 0000000100030804 .text C:\Program Files (x86)\Hewlett-Packard\HP Advisor\HPAdvisor.exe[4024] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000076f8fc90 5 bytes JMP 0000000100030c0c .text C:\Program Files (x86)\Hewlett-Packard\HP Advisor\HPAdvisor.exe[4024] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000076f90018 5 bytes JMP 0000000100030a08 .text C:\Program Files (x86)\Hewlett-Packard\HP Advisor\HPAdvisor.exe[4024] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000076fac45a 5 bytes JMP 00000001000301f8 .text C:\Program Files (x86)\Hewlett-Packard\HP Advisor\HPAdvisor.exe[4024] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000076fb1217 5 bytes JMP 00000001000303fc .text C:\Program Files (x86)\Hewlett-Packard\HP Advisor\HPAdvisor.exe[4024] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 00000000746ea30a 1 byte [62] .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[4032] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076db3ae0 5 bytes JMP 000000010033075c .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[4032] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000076db7a90 5 bytes JMP 00000001003303a4 .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[4032] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076de13c0 5 bytes JMP 0000000076f40440 .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[4032] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076de1410 5 bytes JMP 0000000076f40430 .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[4032] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000076de1490 5 bytes JMP 0000000100330b14 .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[4032] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000076de14f0 5 bytes JMP 0000000100330ecc .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[4032] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076de15c0 1 byte JMP 0000000076f40450 .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[4032] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 0000000076de15c2 3 bytes {JMP 0x15ee90} .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[4032] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076de15d0 5 bytes JMP 000000010033163c .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[4032] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076de1680 5 bytes JMP 0000000076f40320 .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[4032] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076de16b0 5 bytes JMP 0000000076f40380 .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[4032] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076de1710 5 bytes JMP 0000000076f402e0 .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[4032] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076de1760 5 bytes JMP 0000000076f40410 .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[4032] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076de1790 5 bytes JMP 0000000076f402d0 .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[4032] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076de17b0 5 bytes JMP 0000000076f40310 .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[4032] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076de17f0 5 bytes JMP 0000000076f40390 .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[4032] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000076de1810 5 bytes JMP 0000000100331284 .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[4032] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076de1840 5 bytes JMP 0000000076f403c0 .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[4032] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076de19a0 1 byte JMP 0000000076f40230 .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[4032] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076de19a2 3 bytes {JMP 0x15e890} .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[4032] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076de1b60 5 bytes JMP 0000000076f40460 .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[4032] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076de1b90 5 bytes JMP 0000000076f40370 .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[4032] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076de1c70 5 bytes JMP 0000000076f402f0 .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[4032] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076de1c80 5 bytes JMP 0000000076f40350 .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[4032] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076de1ce0 5 bytes JMP 0000000076f40290 .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[4032] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076de1d70 5 bytes JMP 0000000076f402b0 .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[4032] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076de1d90 5 bytes JMP 0000000076f403a0 .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[4032] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076de1da0 1 byte JMP 0000000076f40330 .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[4032] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076de1da2 3 bytes {JMP 0x15e590} .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[4032] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076de1e10 5 bytes JMP 0000000076f403e0 .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[4032] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076de1e40 5 bytes JMP 0000000076f40240 .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[4032] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076de2100 5 bytes JMP 0000000076f401e0 .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[4032] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076de21c0 1 byte JMP 0000000076f40250 .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[4032] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076de21c2 3 bytes {JMP 0x15e090} .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[4032] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076de21f0 5 bytes JMP 0000000076f40470 .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[4032] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076de2200 5 bytes JMP 0000000076f40480 .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[4032] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076de2230 5 bytes JMP 0000000076f40300 .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[4032] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076de2240 5 bytes JMP 0000000076f40360 .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[4032] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076de22a0 5 bytes JMP 0000000076f402a0 .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[4032] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076de22f0 5 bytes JMP 0000000076f402c0 .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[4032] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076de2330 5 bytes JMP 0000000076f40340 .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[4032] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076de2620 5 bytes JMP 0000000076f40420 .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[4032] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076de2820 5 bytes JMP 0000000076f40260 .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[4032] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076de2830 5 bytes JMP 0000000076f40270 .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[4032] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076de2840 1 byte JMP 0000000076f403d0 .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[4032] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000076de2842 3 bytes {JMP 0x15db90} .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[4032] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076de2a00 5 bytes JMP 0000000076f401f0 .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[4032] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076de2a10 5 bytes JMP 0000000076f40210 .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[4032] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076de2a80 5 bytes JMP 0000000076f40200 .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[4032] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076de2ae0 5 bytes JMP 0000000076f403f0 .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[4032] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076de2af0 5 bytes JMP 0000000076f40400 .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[4032] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076de2b00 5 bytes JMP 0000000076f40220 .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[4032] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076de2be0 5 bytes JMP 0000000076f40280 .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[4032] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 000000007680eecd 1 byte [62] .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[4032] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefe986e00 5 bytes JMP 000007ff7e9a1dac .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[4032] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefe986f2c 5 bytes JMP 000007ff7e9a0ecc .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[4032] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefe987220 5 bytes JMP 000007ff7e9a1284 .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[4032] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefe98739c 5 bytes JMP 000007ff7e9a163c .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[4032] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefe987538 5 bytes JMP 000007ff7e9a19f4 .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[4032] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefe9875e8 5 bytes JMP 000007ff7e9a03a4 .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[4032] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefe98790c 5 bytes JMP 000007ff7e9a075c .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[4032] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefe987ab4 5 bytes JMP 000007ff7e9a0b14 .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[3204] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076db3ae0 5 bytes JMP 00000001003c075c .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[3204] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000076db7a90 5 bytes JMP 00000001003c03a4 .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[3204] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076de13c0 5 bytes JMP 0000000076f40440 .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[3204] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076de1410 5 bytes JMP 0000000076f40430 .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[3204] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000076de1490 5 bytes JMP 00000001003c0b14 .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[3204] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000076de14f0 5 bytes JMP 00000001003c0ecc .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[3204] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076de15c0 1 byte JMP 0000000076f40450 .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[3204] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 0000000076de15c2 3 bytes {JMP 0x15ee90} .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[3204] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076de15d0 5 bytes JMP 00000001003c163c .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[3204] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076de1680 5 bytes JMP 0000000076f40320 .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[3204] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076de16b0 5 bytes JMP 0000000076f40380 .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[3204] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076de1710 5 bytes JMP 0000000076f402e0 .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[3204] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076de1760 5 bytes JMP 0000000076f40410 .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[3204] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076de1790 5 bytes JMP 0000000076f402d0 .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[3204] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076de17b0 5 bytes JMP 0000000076f40310 .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[3204] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076de17f0 5 bytes JMP 0000000076f40390 .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[3204] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000076de1810 5 bytes JMP 00000001003c1284 .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[3204] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076de1840 5 bytes JMP 0000000076f403c0 .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[3204] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076de19a0 1 byte JMP 0000000076f40230 .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[3204] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076de19a2 3 bytes {JMP 0x15e890} .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[3204] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076de1b60 5 bytes JMP 0000000076f40460 .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[3204] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076de1b90 5 bytes JMP 0000000076f40370 .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[3204] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076de1c70 5 bytes JMP 0000000076f402f0 .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[3204] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076de1c80 5 bytes JMP 0000000076f40350 .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[3204] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076de1ce0 5 bytes JMP 0000000076f40290 .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[3204] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076de1d70 5 bytes JMP 0000000076f402b0 .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[3204] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076de1d90 5 bytes JMP 0000000076f403a0 .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[3204] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076de1da0 1 byte JMP 0000000076f40330 .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[3204] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076de1da2 3 bytes {JMP 0x15e590} .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[3204] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076de1e10 5 bytes JMP 0000000076f403e0 .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[3204] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076de1e40 5 bytes JMP 0000000076f40240 .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[3204] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076de2100 5 bytes JMP 0000000076f401e0 .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[3204] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076de21c0 1 byte JMP 0000000076f40250 .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[3204] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076de21c2 3 bytes {JMP 0x15e090} .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[3204] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076de21f0 5 bytes JMP 0000000076f40470 .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[3204] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076de2200 5 bytes JMP 0000000076f40480 .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[3204] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076de2230 5 bytes JMP 0000000076f40300 .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[3204] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076de2240 5 bytes JMP 0000000076f40360 .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[3204] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076de22a0 5 bytes JMP 0000000076f402a0 .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[3204] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076de22f0 5 bytes JMP 0000000076f402c0 .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[3204] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076de2330 5 bytes JMP 0000000076f40340 .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[3204] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076de2620 5 bytes JMP 0000000076f40420 .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[3204] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076de2820 5 bytes JMP 0000000076f40260 .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[3204] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076de2830 5 bytes JMP 0000000076f40270 .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[3204] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076de2840 1 byte JMP 0000000076f403d0 .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[3204] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000076de2842 3 bytes {JMP 0x15db90} .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[3204] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076de2a00 5 bytes JMP 0000000076f401f0 .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[3204] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076de2a10 5 bytes JMP 0000000076f40210 .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[3204] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076de2a80 5 bytes JMP 0000000076f40200 .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[3204] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076de2ae0 5 bytes JMP 0000000076f403f0 .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[3204] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076de2af0 5 bytes JMP 0000000076f40400 .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[3204] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076de2b00 5 bytes JMP 0000000076f40220 .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[3204] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076de2be0 5 bytes JMP 0000000076f40280 .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[3204] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 000000007680eecd 1 byte [62] .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[3204] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefe986e00 5 bytes JMP 000007ff7e9a1dac .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[3204] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefe986f2c 5 bytes JMP 000007ff7e9a0ecc .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[3204] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefe987220 5 bytes JMP 000007ff7e9a1284 .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[3204] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefe98739c 5 bytes JMP 000007ff7e9a163c .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[3204] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefe987538 5 bytes JMP 000007ff7e9a19f4 .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[3204] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefe9875e8 5 bytes JMP 000007ff7e9a03a4 .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[3204] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefe98790c 5 bytes JMP 000007ff7e9a075c .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[3204] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefe987ab4 5 bytes JMP 000007ff7e9a0b14 .text C:\Program Files (x86)\Microsoft Office\Office12\ONENOTEM.EXE[3280] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 0000000076f8faa0 5 bytes JMP 0000000100030600 .text C:\Program Files (x86)\Microsoft Office\Office12\ONENOTEM.EXE[3280] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 0000000076f8fb38 5 bytes JMP 0000000100030804 .text C:\Program Files (x86)\Microsoft Office\Office12\ONENOTEM.EXE[3280] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000076f8fc90 5 bytes JMP 0000000100030c0c .text C:\Program Files (x86)\Microsoft Office\Office12\ONENOTEM.EXE[3280] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000076f90018 5 bytes JMP 0000000100030a08 .text C:\Program Files (x86)\Microsoft Office\Office12\ONENOTEM.EXE[3280] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000076fac45a 5 bytes JMP 00000001000301f8 .text C:\Program Files (x86)\Microsoft Office\Office12\ONENOTEM.EXE[3280] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000076fb1217 5 bytes JMP 00000001000303fc .text C:\Program Files (x86)\Microsoft Office\Office12\ONENOTEM.EXE[3280] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 00000000746ea30a 1 byte [62] .text C:\Program Files (x86)\Microsoft Office\Office12\ONENOTEM.EXE[3280] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000075b4ee09 5 bytes JMP 00000001001401f8 .text C:\Program Files (x86)\Microsoft Office\Office12\ONENOTEM.EXE[3280] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000075b53982 5 bytes JMP 00000001001403fc .text C:\Program Files (x86)\Microsoft Office\Office12\ONENOTEM.EXE[3280] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000075b57603 5 bytes JMP 0000000100140804 .text C:\Program Files (x86)\Microsoft Office\Office12\ONENOTEM.EXE[3280] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000075b5835c 5 bytes JMP 0000000100140600 .text C:\Program Files (x86)\Microsoft Office\Office12\ONENOTEM.EXE[3280] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 0000000075b6f52b 5 bytes JMP 0000000100140a08 .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe[3444] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 0000000076f8faa0 5 bytes JMP 0000000100030600 .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe[3444] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 0000000076f8fb38 5 bytes JMP 0000000100030804 .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe[3444] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000076f8fc90 5 bytes JMP 0000000100030c0c .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe[3444] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000076f90018 5 bytes JMP 0000000100030a08 .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe[3444] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000076fac45a 5 bytes JMP 00000001000301f8 .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe[3444] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000076fb1217 5 bytes JMP 00000001000303fc .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe[3444] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 00000000746ea30a 1 byte [62] .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe[3444] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000076295181 5 bytes JMP 0000000100241014 .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe[3444] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000076295254 5 bytes JMP 0000000100240804 .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe[3444] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000762953d5 5 bytes JMP 0000000100240a08 .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe[3444] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000762954c2 5 bytes JMP 0000000100240c0c .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe[3444] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000762955e2 5 bytes JMP 0000000100240e10 .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe[3444] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 000000007629567c 5 bytes JMP 00000001002401f8 .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe[3444] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 000000007629589f 5 bytes JMP 00000001002403fc .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe[3444] C:\Windows\SysWOW64\sechost.dll!DeleteService 0000000076295a22 5 bytes JMP 0000000100240600 .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe[3444] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000075b4ee09 5 bytes JMP 00000001002501f8 .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe[3444] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000075b53982 5 bytes JMP 00000001002503fc .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe[3444] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000075b57603 5 bytes JMP 0000000100250804 .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe[3444] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000075b5835c 5 bytes JMP 0000000100250600 .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe[3444] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 0000000075b6f52b 5 bytes JMP 0000000100250a08 .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe[3444] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076281465 2 bytes [28, 76] .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe[3444] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000762814bb 2 bytes [28, 76] .text ... * 2 .text C:\Program Files (x86)\PLAY ONLINE\PLAY ONLINE.exe[3412] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 0000000076f8faa0 5 bytes JMP 0000000100030600 .text C:\Program Files (x86)\PLAY ONLINE\PLAY ONLINE.exe[3412] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 0000000076f8fb38 5 bytes JMP 0000000100030804 .text C:\Program Files (x86)\PLAY ONLINE\PLAY ONLINE.exe[3412] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000076f8fc90 5 bytes JMP 0000000100030c0c .text C:\Program Files (x86)\PLAY ONLINE\PLAY ONLINE.exe[3412] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000076f90018 5 bytes JMP 0000000100030a08 .text C:\Program Files (x86)\PLAY ONLINE\PLAY ONLINE.exe[3412] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000076fac45a 5 bytes JMP 00000001000301f8 .text C:\Program Files (x86)\PLAY ONLINE\PLAY ONLINE.exe[3412] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000076fb1217 5 bytes JMP 00000001000303fc .text C:\Program Files (x86)\PLAY ONLINE\PLAY ONLINE.exe[3412] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 00000000746ea30a 1 byte [62] .text C:\Program Files (x86)\PLAY ONLINE\PLAY ONLINE.exe[3412] C:\Windows\syswow64\USER32.dll!GetSysColor 0000000075b46c3c 5 bytes JMP 00000001002fb9c0 .text C:\Program Files (x86)\PLAY ONLINE\PLAY ONLINE.exe[3412] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000075b4ee09 5 bytes JMP 00000001002901f8 .text C:\Program Files (x86)\PLAY ONLINE\PLAY ONLINE.exe[3412] C:\Windows\syswow64\USER32.dll!GetSysColorBrush 0000000075b535a4 5 bytes JMP 00000001002fba20 .text C:\Program Files (x86)\PLAY ONLINE\PLAY ONLINE.exe[3412] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000075b53982 5 bytes JMP 00000001002903fc .text C:\Program Files (x86)\PLAY ONLINE\PLAY ONLINE.exe[3412] C:\Windows\syswow64\USER32.dll!GetScrollInfo 0000000075b54018 7 bytes JMP 00000001002fb800 .text C:\Program Files (x86)\PLAY ONLINE\PLAY ONLINE.exe[3412] C:\Windows\syswow64\USER32.dll!SetScrollInfo 0000000075b540cf 7 bytes JMP 00000001002fb8b0 .text C:\Program Files (x86)\PLAY ONLINE\PLAY ONLINE.exe[3412] C:\Windows\syswow64\USER32.dll!ShowScrollBar 0000000075b54162 5 bytes JMP 00000001002fb980 .text C:\Program Files (x86)\PLAY ONLINE\PLAY ONLINE.exe[3412] C:\Windows\syswow64\USER32.dll!GetScrollPos 0000000075b54234 5 bytes JMP 00000001002fb840 .text C:\Program Files (x86)\PLAY ONLINE\PLAY ONLINE.exe[3412] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000075b57603 5 bytes JMP 0000000100290804 .text C:\Program Files (x86)\PLAY ONLINE\PLAY ONLINE.exe[3412] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000075b5835c 5 bytes JMP 0000000100290600 .text C:\Program Files (x86)\PLAY ONLINE\PLAY ONLINE.exe[3412] C:\Windows\syswow64\USER32.dll!SetScrollPos 0000000075b587a5 5 bytes JMP 00000001002fb8f0 .text C:\Program Files (x86)\PLAY ONLINE\PLAY ONLINE.exe[3412] C:\Windows\syswow64\USER32.dll!EnableScrollBar 0000000075b58d3a 7 bytes JMP 00000001002fb7c0 .text C:\Program Files (x86)\PLAY ONLINE\PLAY ONLINE.exe[3412] C:\Windows\syswow64\USER32.dll!GetScrollRange 0000000075b590c4 5 bytes JMP 00000001002fb870 .text C:\Program Files (x86)\PLAY ONLINE\PLAY ONLINE.exe[3412] C:\Windows\syswow64\USER32.dll!SetScrollRange 0000000075b6d50b 5 bytes JMP 00000001002fb930 .text C:\Program Files (x86)\PLAY ONLINE\PLAY ONLINE.exe[3412] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 0000000075b6f52b 5 bytes JMP 0000000100290a08 .text C:\Program Files (x86)\PLAY ONLINE\PLAY ONLINE.exe[3412] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000076295181 5 bytes JMP 00000001002a1014 .text C:\Program Files (x86)\PLAY ONLINE\PLAY ONLINE.exe[3412] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000076295254 5 bytes JMP 00000001002a0804 .text C:\Program Files (x86)\PLAY ONLINE\PLAY ONLINE.exe[3412] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000762953d5 5 bytes JMP 00000001002a0a08 .text C:\Program Files (x86)\PLAY ONLINE\PLAY ONLINE.exe[3412] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000762954c2 5 bytes JMP 00000001002a0c0c .text C:\Program Files (x86)\PLAY ONLINE\PLAY ONLINE.exe[3412] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000762955e2 5 bytes JMP 00000001002a0e10 .text C:\Program Files (x86)\PLAY ONLINE\PLAY ONLINE.exe[3412] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 000000007629567c 5 bytes JMP 00000001002a01f8 .text C:\Program Files (x86)\PLAY ONLINE\PLAY ONLINE.exe[3412] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 000000007629589f 5 bytes JMP 00000001002a03fc .text C:\Program Files (x86)\PLAY ONLINE\PLAY ONLINE.exe[3412] C:\Windows\SysWOW64\sechost.dll!DeleteService 0000000076295a22 5 bytes JMP 00000001002a0600 .text C:\Program Files (x86)\PLAY ONLINE\PLAY ONLINE.exe[3412] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076281465 2 bytes [28, 76] .text C:\Program Files (x86)\PLAY ONLINE\PLAY ONLINE.exe[3412] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000762814bb 2 bytes [28, 76] .text ... * 2 .text C:\Program Files (x86)\Hp\HP Software Update\hpwuschd2.exe[2500] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 0000000076f8faa0 5 bytes JMP 0000000100240600 .text C:\Program Files (x86)\Hp\HP Software Update\hpwuschd2.exe[2500] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 0000000076f8fb38 5 bytes JMP 0000000100240804 .text C:\Program Files (x86)\Hp\HP Software Update\hpwuschd2.exe[2500] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000076f8fc90 5 bytes JMP 0000000100240c0c .text C:\Program Files (x86)\Hp\HP Software Update\hpwuschd2.exe[2500] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000076f90018 5 bytes JMP 0000000100240a08 .text C:\Program Files (x86)\Hp\HP Software Update\hpwuschd2.exe[2500] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000076fac45a 5 bytes JMP 00000001002401f8 .text C:\Program Files (x86)\Hp\HP Software Update\hpwuschd2.exe[2500] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000076fb1217 5 bytes JMP 00000001002403fc .text C:\Program Files (x86)\Hp\HP Software Update\hpwuschd2.exe[2500] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 00000000746ea30a 1 byte [62] .text C:\Program Files (x86)\Hp\HP Software Update\hpwuschd2.exe[2500] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000075b4ee09 5 bytes JMP 00000001002501f8 .text C:\Program Files (x86)\Hp\HP Software Update\hpwuschd2.exe[2500] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000075b53982 5 bytes JMP 00000001002503fc .text C:\Program Files (x86)\Hp\HP Software Update\hpwuschd2.exe[2500] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000075b57603 5 bytes JMP 0000000100250804 .text C:\Program Files (x86)\Hp\HP Software Update\hpwuschd2.exe[2500] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000075b5835c 5 bytes JMP 0000000100250600 .text C:\Program Files (x86)\Hp\HP Software Update\hpwuschd2.exe[2500] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 0000000075b6f52b 5 bytes JMP 0000000100250a08 .text C:\Program Files (x86)\Hp\HP Software Update\hpwuschd2.exe[2500] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000076295181 5 bytes JMP 0000000100261014 .text C:\Program Files (x86)\Hp\HP Software Update\hpwuschd2.exe[2500] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000076295254 5 bytes JMP 0000000100260804 .text C:\Program Files (x86)\Hp\HP Software Update\hpwuschd2.exe[2500] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000762953d5 5 bytes JMP 0000000100260a08 .text C:\Program Files (x86)\Hp\HP Software Update\hpwuschd2.exe[2500] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000762954c2 5 bytes JMP 0000000100260c0c .text C:\Program Files (x86)\Hp\HP Software Update\hpwuschd2.exe[2500] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000762955e2 5 bytes JMP 0000000100260e10 .text C:\Program Files (x86)\Hp\HP Software Update\hpwuschd2.exe[2500] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 000000007629567c 5 bytes JMP 00000001002601f8 .text C:\Program Files (x86)\Hp\HP Software Update\hpwuschd2.exe[2500] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 000000007629589f 5 bytes JMP 00000001002603fc .text C:\Program Files (x86)\Hp\HP Software Update\hpwuschd2.exe[2500] C:\Windows\SysWOW64\sechost.dll!DeleteService 0000000076295a22 5 bytes JMP 0000000100260600 .text C:\Program Files (x86)\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe[3848] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076db3ae0 5 bytes JMP 00000001003b075c .text C:\Program Files (x86)\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe[3848] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000076db7a90 5 bytes JMP 00000001003b03a4 .text C:\Program Files (x86)\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe[3848] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076de13c0 5 bytes JMP 0000000076f40440 .text C:\Program Files (x86)\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe[3848] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076de1410 5 bytes JMP 0000000076f40430 .text C:\Program Files (x86)\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe[3848] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000076de1490 5 bytes JMP 00000001003b0b14 .text C:\Program Files (x86)\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe[3848] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000076de14f0 5 bytes JMP 00000001003b0ecc .text C:\Program Files (x86)\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe[3848] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076de15c0 1 byte JMP 0000000076f40450 .text C:\Program Files (x86)\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe[3848] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 0000000076de15c2 3 bytes {JMP 0x15ee90} .text C:\Program Files (x86)\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe[3848] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076de15d0 5 bytes JMP 00000001003b163c .text C:\Program Files (x86)\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe[3848] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076de1680 5 bytes JMP 0000000076f40320 .text C:\Program Files (x86)\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe[3848] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076de16b0 5 bytes JMP 0000000076f40380 .text C:\Program Files (x86)\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe[3848] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076de1710 5 bytes JMP 0000000076f402e0 .text C:\Program Files (x86)\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe[3848] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076de1760 5 bytes JMP 0000000076f40410 .text C:\Program Files (x86)\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe[3848] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076de1790 5 bytes JMP 0000000076f402d0 .text C:\Program Files (x86)\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe[3848] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076de17b0 5 bytes JMP 0000000076f40310 .text C:\Program Files (x86)\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe[3848] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076de17f0 5 bytes JMP 0000000076f40390 .text C:\Program Files (x86)\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe[3848] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000076de1810 5 bytes JMP 00000001003b1284 .text C:\Program Files (x86)\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe[3848] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076de1840 5 bytes JMP 0000000076f403c0 .text C:\Program Files (x86)\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe[3848] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076de19a0 1 byte JMP 0000000076f40230 .text C:\Program Files (x86)\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe[3848] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076de19a2 3 bytes {JMP 0x15e890} .text C:\Program Files (x86)\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe[3848] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076de1b60 5 bytes JMP 0000000076f40460 .text C:\Program Files (x86)\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe[3848] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076de1b90 5 bytes JMP 0000000076f40370 .text C:\Program Files (x86)\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe[3848] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076de1c70 5 bytes JMP 0000000076f402f0 .text C:\Program Files (x86)\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe[3848] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076de1c80 5 bytes JMP 0000000076f40350 .text C:\Program Files (x86)\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe[3848] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076de1ce0 5 bytes JMP 0000000076f40290 .text C:\Program Files (x86)\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe[3848] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076de1d70 5 bytes JMP 0000000076f402b0 .text C:\Program Files (x86)\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe[3848] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076de1d90 5 bytes JMP 0000000076f403a0 .text C:\Program Files (x86)\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe[3848] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076de1da0 1 byte JMP 0000000076f40330 .text C:\Program Files (x86)\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe[3848] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076de1da2 3 bytes {JMP 0x15e590} .text C:\Program Files (x86)\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe[3848] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076de1e10 5 bytes JMP 0000000076f403e0 .text C:\Program Files (x86)\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe[3848] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076de1e40 5 bytes JMP 0000000076f40240 .text C:\Program Files (x86)\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe[3848] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076de2100 5 bytes JMP 0000000076f401e0 .text C:\Program Files (x86)\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe[3848] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076de21c0 1 byte JMP 0000000076f40250 .text C:\Program Files (x86)\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe[3848] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076de21c2 3 bytes {JMP 0x15e090} .text C:\Program Files (x86)\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe[3848] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076de21f0 5 bytes JMP 0000000076f40470 .text C:\Program Files (x86)\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe[3848] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076de2200 5 bytes JMP 0000000076f40480 .text C:\Program Files (x86)\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe[3848] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076de2230 5 bytes JMP 0000000076f40300 .text C:\Program Files (x86)\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe[3848] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076de2240 5 bytes JMP 0000000076f40360 .text C:\Program Files (x86)\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe[3848] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076de22a0 5 bytes JMP 0000000076f402a0 .text C:\Program Files (x86)\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe[3848] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076de22f0 5 bytes JMP 0000000076f402c0 .text C:\Program Files (x86)\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe[3848] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076de2330 5 bytes JMP 0000000076f40340 .text C:\Program Files (x86)\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe[3848] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076de2620 5 bytes JMP 0000000076f40420 .text C:\Program Files (x86)\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe[3848] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076de2820 5 bytes JMP 0000000076f40260 .text C:\Program Files (x86)\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe[3848] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076de2830 5 bytes JMP 0000000076f40270 .text C:\Program Files (x86)\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe[3848] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076de2840 1 byte JMP 0000000076f403d0 .text C:\Program Files (x86)\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe[3848] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000076de2842 3 bytes {JMP 0x15db90} .text C:\Program Files (x86)\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe[3848] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076de2a00 5 bytes JMP 0000000076f401f0 .text C:\Program Files (x86)\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe[3848] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076de2a10 5 bytes JMP 0000000076f40210 .text C:\Program Files (x86)\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe[3848] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076de2a80 5 bytes JMP 0000000076f40200 .text C:\Program Files (x86)\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe[3848] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076de2ae0 5 bytes JMP 0000000076f403f0 .text C:\Program Files (x86)\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe[3848] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076de2af0 5 bytes JMP 0000000076f40400 .text C:\Program Files (x86)\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe[3848] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076de2b00 5 bytes JMP 0000000076f40220 .text C:\Program Files (x86)\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe[3848] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076de2be0 5 bytes JMP 0000000076f40280 .text C:\Program Files (x86)\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe[3848] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 000000007680eecd 1 byte [62] .text C:\Program Files (x86)\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe[3848] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefe986e00 5 bytes JMP 000007ff7e9a1dac .text C:\Program Files (x86)\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe[3848] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefe986f2c 5 bytes JMP 000007ff7e9a0ecc .text C:\Program Files (x86)\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe[3848] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefe987220 5 bytes JMP 000007ff7e9a1284 .text C:\Program Files (x86)\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe[3848] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefe98739c 5 bytes JMP 000007ff7e9a163c .text C:\Program Files (x86)\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe[3848] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefe987538 5 bytes JMP 000007ff7e9a19f4 .text C:\Program Files (x86)\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe[3848] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefe9875e8 5 bytes JMP 000007ff7e9a03a4 .text C:\Program Files (x86)\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe[3848] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefe98790c 5 bytes JMP 000007ff7e9a075c .text C:\Program Files (x86)\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe[3848] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefe987ab4 5 bytes JMP 000007ff7e9a0b14 .text C:\Program Files (x86)\DigitalPersona\Bin\DpAgent.exe[3852] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 0000000076f8faa0 5 bytes JMP 0000000100030600 .text C:\Program Files (x86)\DigitalPersona\Bin\DpAgent.exe[3852] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 0000000076f8fb38 5 bytes JMP 0000000100030804 .text C:\Program Files (x86)\DigitalPersona\Bin\DpAgent.exe[3852] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000076f8fc90 5 bytes JMP 0000000100030c0c .text C:\Program Files (x86)\DigitalPersona\Bin\DpAgent.exe[3852] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000076f90018 5 bytes JMP 0000000100030a08 .text C:\Program Files (x86)\DigitalPersona\Bin\DpAgent.exe[3852] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000076fac45a 5 bytes JMP 00000001000301f8 .text C:\Program Files (x86)\DigitalPersona\Bin\DpAgent.exe[3852] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000076fb1217 5 bytes JMP 00000001000303fc .text C:\Program Files (x86)\DigitalPersona\Bin\DpAgent.exe[3852] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 00000000746ea30a 1 byte [62] .text C:\Program Files (x86)\DigitalPersona\Bin\DpAgent.exe[3852] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000076295181 5 bytes JMP 00000001001d1014 .text C:\Program Files (x86)\DigitalPersona\Bin\DpAgent.exe[3852] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000076295254 5 bytes JMP 00000001001d0804 .text C:\Program Files (x86)\DigitalPersona\Bin\DpAgent.exe[3852] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000762953d5 5 bytes JMP 00000001001d0a08 .text C:\Program Files (x86)\DigitalPersona\Bin\DpAgent.exe[3852] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000762954c2 5 bytes JMP 00000001001d0c0c .text C:\Program Files (x86)\DigitalPersona\Bin\DpAgent.exe[3852] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000762955e2 5 bytes JMP 00000001001d0e10 .text C:\Program Files (x86)\DigitalPersona\Bin\DpAgent.exe[3852] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 000000007629567c 5 bytes JMP 00000001001d01f8 .text C:\Program Files (x86)\DigitalPersona\Bin\DpAgent.exe[3852] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 000000007629589f 5 bytes JMP 00000001001d03fc .text C:\Program Files (x86)\DigitalPersona\Bin\DpAgent.exe[3852] C:\Windows\SysWOW64\sechost.dll!DeleteService 0000000076295a22 5 bytes JMP 00000001001d0600 .text C:\Program Files (x86)\DigitalPersona\Bin\DpAgent.exe[3852] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000075b4ee09 5 bytes JMP 00000001001e01f8 .text C:\Program Files (x86)\DigitalPersona\Bin\DpAgent.exe[3852] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000075b53982 5 bytes JMP 00000001001e03fc .text C:\Program Files (x86)\DigitalPersona\Bin\DpAgent.exe[3852] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000075b57603 5 bytes JMP 00000001001e0804 .text C:\Program Files (x86)\DigitalPersona\Bin\DpAgent.exe[3852] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000075b5835c 5 bytes JMP 00000001001e0600 .text C:\Program Files (x86)\DigitalPersona\Bin\DpAgent.exe[3852] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 0000000075b6f52b 5 bytes JMP 00000001001e0a08 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[3512] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000746ea30a 1 byte [62] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3704] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 0000000076f8faa0 5 bytes JMP 0000000100030600 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3704] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 0000000076f8fb38 5 bytes JMP 0000000100030804 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3704] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000076f8fc90 5 bytes JMP 0000000100030c0c .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3704] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000076f90018 5 bytes JMP 0000000100030a08 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3704] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000076fac45a 5 bytes JMP 00000001000301f8 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3704] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000076fb1217 5 bytes JMP 00000001000303fc .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3704] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 00000000746ea30a 1 byte [62] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3704] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000076295181 5 bytes JMP 00000001001e1014 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3704] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000076295254 5 bytes JMP 00000001001e0804 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3704] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000762953d5 5 bytes JMP 00000001001e0a08 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3704] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000762954c2 5 bytes JMP 00000001001e0c0c .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3704] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000762955e2 5 bytes JMP 00000001001e0e10 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3704] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 000000007629567c 5 bytes JMP 00000001001e01f8 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3704] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 000000007629589f 5 bytes JMP 00000001001e03fc .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3704] C:\Windows\SysWOW64\sechost.dll!DeleteService 0000000076295a22 5 bytes JMP 00000001001e0600 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3704] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000075b4ee09 5 bytes JMP 00000001001f01f8 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3704] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000075b53982 5 bytes JMP 00000001001f03fc .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3704] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000075b57603 5 bytes JMP 00000001001f0804 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3704] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000075b5835c 5 bytes JMP 00000001001f0600 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3704] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 0000000075b6f52b 5 bytes JMP 00000001001f0a08 .text C:\Program Files\DigitalPersona\Bin\DPAgent.exe[4108] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076db3ae0 5 bytes JMP 00000001002f075c .text C:\Program Files\DigitalPersona\Bin\DPAgent.exe[4108] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000076db7a90 5 bytes JMP 00000001002f03a4 .text C:\Program Files\DigitalPersona\Bin\DPAgent.exe[4108] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076de13c0 5 bytes JMP 0000000076f40440 .text C:\Program Files\DigitalPersona\Bin\DPAgent.exe[4108] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076de1410 5 bytes JMP 0000000076f40430 .text C:\Program Files\DigitalPersona\Bin\DPAgent.exe[4108] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000076de1490 5 bytes JMP 00000001002f0b14 .text C:\Program Files\DigitalPersona\Bin\DPAgent.exe[4108] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000076de14f0 5 bytes JMP 00000001002f0ecc .text C:\Program Files\DigitalPersona\Bin\DPAgent.exe[4108] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076de15c0 1 byte JMP 0000000076f40450 .text C:\Program Files\DigitalPersona\Bin\DPAgent.exe[4108] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 0000000076de15c2 3 bytes {JMP 0x15ee90} .text C:\Program Files\DigitalPersona\Bin\DPAgent.exe[4108] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076de15d0 5 bytes JMP 00000001002f163c .text C:\Program Files\DigitalPersona\Bin\DPAgent.exe[4108] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076de1680 5 bytes JMP 0000000076f40320 .text C:\Program Files\DigitalPersona\Bin\DPAgent.exe[4108] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076de16b0 5 bytes JMP 0000000076f40380 .text C:\Program Files\DigitalPersona\Bin\DPAgent.exe[4108] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076de1710 5 bytes JMP 0000000076f402e0 .text C:\Program Files\DigitalPersona\Bin\DPAgent.exe[4108] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076de1760 5 bytes JMP 0000000076f40410 .text C:\Program Files\DigitalPersona\Bin\DPAgent.exe[4108] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076de1790 5 bytes JMP 0000000076f402d0 .text C:\Program Files\DigitalPersona\Bin\DPAgent.exe[4108] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076de17b0 5 bytes JMP 0000000076f40310 .text C:\Program Files\DigitalPersona\Bin\DPAgent.exe[4108] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076de17f0 5 bytes JMP 0000000076f40390 .text C:\Program Files\DigitalPersona\Bin\DPAgent.exe[4108] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000076de1810 5 bytes JMP 00000001002f1284 .text C:\Program Files\DigitalPersona\Bin\DPAgent.exe[4108] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076de1840 5 bytes JMP 0000000076f403c0 .text C:\Program Files\DigitalPersona\Bin\DPAgent.exe[4108] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076de19a0 1 byte JMP 0000000076f40230 .text C:\Program Files\DigitalPersona\Bin\DPAgent.exe[4108] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076de19a2 3 bytes {JMP 0x15e890} .text C:\Program Files\DigitalPersona\Bin\DPAgent.exe[4108] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076de1b60 5 bytes JMP 0000000076f40460 .text C:\Program Files\DigitalPersona\Bin\DPAgent.exe[4108] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076de1b90 5 bytes JMP 0000000076f40370 .text C:\Program Files\DigitalPersona\Bin\DPAgent.exe[4108] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076de1c70 5 bytes JMP 0000000076f402f0 .text C:\Program Files\DigitalPersona\Bin\DPAgent.exe[4108] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076de1c80 5 bytes JMP 0000000076f40350 .text C:\Program Files\DigitalPersona\Bin\DPAgent.exe[4108] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076de1ce0 5 bytes JMP 0000000076f40290 .text C:\Program Files\DigitalPersona\Bin\DPAgent.exe[4108] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076de1d70 5 bytes JMP 0000000076f402b0 .text C:\Program Files\DigitalPersona\Bin\DPAgent.exe[4108] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076de1d90 5 bytes JMP 0000000076f403a0 .text C:\Program Files\DigitalPersona\Bin\DPAgent.exe[4108] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076de1da0 1 byte JMP 0000000076f40330 .text C:\Program Files\DigitalPersona\Bin\DPAgent.exe[4108] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076de1da2 3 bytes {JMP 0x15e590} .text C:\Program Files\DigitalPersona\Bin\DPAgent.exe[4108] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076de1e10 5 bytes JMP 0000000076f403e0 .text C:\Program Files\DigitalPersona\Bin\DPAgent.exe[4108] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076de1e40 5 bytes JMP 0000000076f40240 .text C:\Program Files\DigitalPersona\Bin\DPAgent.exe[4108] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076de2100 5 bytes JMP 0000000076f401e0 .text C:\Program Files\DigitalPersona\Bin\DPAgent.exe[4108] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076de21c0 1 byte JMP 0000000076f40250 .text C:\Program Files\DigitalPersona\Bin\DPAgent.exe[4108] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076de21c2 3 bytes {JMP 0x15e090} .text C:\Program Files\DigitalPersona\Bin\DPAgent.exe[4108] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076de21f0 5 bytes JMP 0000000076f40470 .text C:\Program Files\DigitalPersona\Bin\DPAgent.exe[4108] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076de2200 5 bytes JMP 0000000076f40480 .text C:\Program Files\DigitalPersona\Bin\DPAgent.exe[4108] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076de2230 5 bytes JMP 0000000076f40300 .text C:\Program Files\DigitalPersona\Bin\DPAgent.exe[4108] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076de2240 5 bytes JMP 0000000076f40360 .text C:\Program Files\DigitalPersona\Bin\DPAgent.exe[4108] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076de22a0 5 bytes JMP 0000000076f402a0 .text C:\Program Files\DigitalPersona\Bin\DPAgent.exe[4108] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076de22f0 5 bytes JMP 0000000076f402c0 .text C:\Program Files\DigitalPersona\Bin\DPAgent.exe[4108] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076de2330 5 bytes JMP 0000000076f40340 .text C:\Program Files\DigitalPersona\Bin\DPAgent.exe[4108] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076de2620 5 bytes JMP 0000000076f40420 .text C:\Program Files\DigitalPersona\Bin\DPAgent.exe[4108] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076de2820 5 bytes JMP 0000000076f40260 .text C:\Program Files\DigitalPersona\Bin\DPAgent.exe[4108] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076de2830 5 bytes JMP 0000000076f40270 .text C:\Program Files\DigitalPersona\Bin\DPAgent.exe[4108] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076de2840 1 byte JMP 0000000076f403d0 .text C:\Program Files\DigitalPersona\Bin\DPAgent.exe[4108] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000076de2842 3 bytes {JMP 0x15db90} .text C:\Program Files\DigitalPersona\Bin\DPAgent.exe[4108] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076de2a00 5 bytes JMP 0000000076f401f0 .text C:\Program Files\DigitalPersona\Bin\DPAgent.exe[4108] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076de2a10 5 bytes JMP 0000000076f40210 .text C:\Program Files\DigitalPersona\Bin\DPAgent.exe[4108] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076de2a80 5 bytes JMP 0000000076f40200 .text C:\Program Files\DigitalPersona\Bin\DPAgent.exe[4108] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076de2ae0 5 bytes JMP 0000000076f403f0 .text C:\Program Files\DigitalPersona\Bin\DPAgent.exe[4108] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076de2af0 5 bytes JMP 0000000076f40400 .text C:\Program Files\DigitalPersona\Bin\DPAgent.exe[4108] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076de2b00 5 bytes JMP 0000000076f40220 .text C:\Program Files\DigitalPersona\Bin\DPAgent.exe[4108] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076de2be0 5 bytes JMP 0000000076f40280 .text C:\Program Files\DigitalPersona\Bin\DPAgent.exe[4108] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 000000007680eecd 1 byte [62] .text C:\Program Files\DigitalPersona\Bin\DPAgent.exe[4108] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefe986e00 5 bytes JMP 000007ff7e9a1dac .text C:\Program Files\DigitalPersona\Bin\DPAgent.exe[4108] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefe986f2c 5 bytes JMP 000007ff7e9a0ecc .text C:\Program Files\DigitalPersona\Bin\DPAgent.exe[4108] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefe987220 5 bytes JMP 000007ff7e9a1284 .text C:\Program Files\DigitalPersona\Bin\DPAgent.exe[4108] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefe98739c 5 bytes JMP 000007ff7e9a163c .text C:\Program Files\DigitalPersona\Bin\DPAgent.exe[4108] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefe987538 5 bytes JMP 000007ff7e9a19f4 .text C:\Program Files\DigitalPersona\Bin\DPAgent.exe[4108] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefe9875e8 5 bytes JMP 000007ff7e9a03a4 .text C:\Program Files\DigitalPersona\Bin\DPAgent.exe[4108] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefe98790c 5 bytes JMP 000007ff7e9a075c .text C:\Program Files\DigitalPersona\Bin\DPAgent.exe[4108] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefe987ab4 5 bytes JMP 000007ff7e9a0b14 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[4360] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076db3ae0 5 bytes JMP 000000010034075c .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[4360] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000076db7a90 5 bytes JMP 00000001003403a4 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[4360] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076de13c0 5 bytes JMP 0000000100210440 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[4360] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076de1410 5 bytes JMP 0000000100210430 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[4360] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000076de1490 5 bytes JMP 0000000100340b14 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[4360] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000076de14f0 5 bytes JMP 0000000100340ecc .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[4360] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076de15c0 1 byte JMP 0000000100210450 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[4360] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 0000000076de15c2 3 bytes {JMP 0xffffffff8942ee90} .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[4360] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076de15d0 5 bytes JMP 000000010034163c .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[4360] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076de1680 5 bytes JMP 0000000100210320 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[4360] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076de16b0 5 bytes JMP 0000000100210380 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[4360] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076de1710 5 bytes JMP 00000001002102e0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[4360] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076de1760 5 bytes JMP 0000000100210410 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[4360] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076de1790 5 bytes JMP 00000001002102d0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[4360] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076de17b0 5 bytes JMP 0000000100210310 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[4360] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076de17f0 5 bytes JMP 0000000100210390 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[4360] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000076de1810 5 bytes JMP 0000000100341284 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[4360] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076de1840 5 bytes JMP 00000001002103c0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[4360] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076de19a0 1 byte JMP 0000000100210230 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[4360] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076de19a2 3 bytes {JMP 0xffffffff8942e890} .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[4360] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076de1b60 5 bytes JMP 0000000100210460 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[4360] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076de1b90 5 bytes JMP 0000000100210370 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[4360] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076de1c70 5 bytes JMP 00000001002102f0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[4360] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076de1c80 5 bytes JMP 0000000100210350 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[4360] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076de1ce0 5 bytes JMP 0000000100210290 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[4360] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076de1d70 5 bytes JMP 00000001002102b0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[4360] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076de1d90 5 bytes JMP 00000001002103a0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[4360] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076de1da0 1 byte JMP 0000000100210330 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[4360] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076de1da2 3 bytes {JMP 0xffffffff8942e590} .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[4360] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076de1e10 5 bytes JMP 00000001002103e0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[4360] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076de1e40 5 bytes JMP 0000000100210240 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[4360] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076de2100 5 bytes JMP 00000001002101e0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[4360] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076de21c0 1 byte JMP 0000000100210250 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[4360] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076de21c2 3 bytes {JMP 0xffffffff8942e090} .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[4360] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076de21f0 5 bytes JMP 0000000100210470 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[4360] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076de2200 5 bytes JMP 0000000100210480 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[4360] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076de2230 5 bytes JMP 0000000100210300 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[4360] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076de2240 5 bytes JMP 0000000100210360 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[4360] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076de22a0 5 bytes JMP 00000001002102a0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[4360] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076de22f0 5 bytes JMP 00000001002102c0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[4360] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076de2330 5 bytes JMP 0000000100210340 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[4360] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076de2620 5 bytes JMP 0000000100210420 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[4360] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076de2820 5 bytes JMP 0000000100210260 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[4360] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076de2830 5 bytes JMP 0000000100210270 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[4360] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076de2840 1 byte JMP 00000001002103d0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[4360] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000076de2842 3 bytes {JMP 0xffffffff8942db90} .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[4360] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076de2a00 5 bytes JMP 00000001002101f0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[4360] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076de2a10 5 bytes JMP 0000000100210210 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[4360] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076de2a80 5 bytes JMP 0000000100210200 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[4360] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076de2ae0 5 bytes JMP 00000001002103f0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[4360] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076de2af0 5 bytes JMP 0000000100210400 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[4360] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076de2b00 5 bytes JMP 0000000100210220 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[4360] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076de2be0 5 bytes JMP 0000000100210280 .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe[4488] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 0000000076f8faa0 5 bytes JMP 0000000100030600 .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe[4488] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 0000000076f8fb38 5 bytes JMP 0000000100030804 .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe[4488] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000076f8fc90 5 bytes JMP 0000000100030c0c .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe[4488] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000076f90018 5 bytes JMP 0000000100030a08 .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe[4488] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000076fac45a 5 bytes JMP 00000001000301f8 .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe[4488] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000076fb1217 5 bytes JMP 00000001000303fc .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe[4488] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 00000000746ea30a 1 byte [62] .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe[4488] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000076295181 5 bytes JMP 0000000100241014 .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe[4488] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000076295254 5 bytes JMP 0000000100240804 .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe[4488] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000762953d5 5 bytes JMP 0000000100240a08 .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe[4488] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000762954c2 5 bytes JMP 0000000100240c0c .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe[4488] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000762955e2 5 bytes JMP 0000000100240e10 .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe[4488] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 000000007629567c 5 bytes JMP 00000001002401f8 .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe[4488] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 000000007629589f 5 bytes JMP 00000001002403fc .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe[4488] C:\Windows\SysWOW64\sechost.dll!DeleteService 0000000076295a22 5 bytes JMP 0000000100240600 .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe[4488] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000075b4ee09 5 bytes JMP 00000001002501f8 .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe[4488] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000075b53982 5 bytes JMP 00000001002503fc .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe[4488] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000075b57603 5 bytes JMP 0000000100250804 .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe[4488] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000075b5835c 5 bytes JMP 0000000100250600 .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe[4488] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 0000000075b6f52b 5 bytes JMP 0000000100250a08 .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe[4488] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076281465 2 bytes [28, 76] .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe[4488] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000762814bb 2 bytes [28, 76] .text ... * 2 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4660] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076db3ae0 5 bytes JMP 00000001003a075c .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4660] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000076db7a90 5 bytes JMP 00000001003a03a4 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4660] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076de13c0 5 bytes JMP 0000000100060440 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4660] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076de1410 5 bytes JMP 0000000100060430 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4660] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000076de1490 5 bytes JMP 00000001003a0b14 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4660] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000076de14f0 5 bytes JMP 00000001003a0ecc .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4660] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076de15c0 1 byte JMP 0000000100060450 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4660] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 0000000076de15c2 3 bytes {JMP 0xffffffff8927ee90} .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4660] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076de15d0 5 bytes JMP 00000001003a163c .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4660] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076de1680 5 bytes JMP 0000000100060320 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4660] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076de16b0 5 bytes JMP 0000000100060380 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4660] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076de1710 5 bytes JMP 00000001000602e0 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4660] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076de1760 5 bytes JMP 0000000100060410 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4660] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076de1790 5 bytes JMP 00000001000602d0 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4660] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076de17b0 5 bytes JMP 0000000100060310 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4660] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076de17f0 5 bytes JMP 0000000100060390 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4660] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000076de1810 5 bytes JMP 00000001003a1284 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4660] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076de1840 5 bytes JMP 00000001000603c0 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4660] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076de19a0 1 byte JMP 0000000100060230 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4660] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076de19a2 3 bytes {JMP 0xffffffff8927e890} .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4660] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076de1b60 5 bytes JMP 0000000100060460 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4660] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076de1b90 5 bytes JMP 0000000100060370 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4660] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076de1c70 5 bytes JMP 00000001000602f0 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4660] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076de1c80 5 bytes JMP 0000000100060350 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4660] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076de1ce0 5 bytes JMP 0000000100060290 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4660] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076de1d70 5 bytes JMP 00000001000602b0 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4660] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076de1d90 5 bytes JMP 00000001000603a0 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4660] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076de1da0 1 byte JMP 0000000100060330 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4660] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076de1da2 3 bytes {JMP 0xffffffff8927e590} .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4660] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076de1e10 5 bytes JMP 00000001000603e0 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4660] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076de1e40 5 bytes JMP 0000000100060240 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4660] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076de2100 5 bytes JMP 00000001000601e0 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4660] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076de21c0 1 byte JMP 0000000100060250 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4660] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076de21c2 3 bytes {JMP 0xffffffff8927e090} .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4660] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076de21f0 5 bytes JMP 0000000100060470 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4660] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076de2200 5 bytes JMP 0000000100060480 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4660] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076de2230 5 bytes JMP 0000000100060300 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4660] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076de2240 5 bytes JMP 0000000100060360 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4660] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076de22a0 5 bytes JMP 00000001000602a0 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4660] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076de22f0 5 bytes JMP 00000001000602c0 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4660] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076de2330 5 bytes JMP 0000000100060340 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4660] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076de2620 5 bytes JMP 0000000100060420 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4660] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076de2820 5 bytes JMP 0000000100060260 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4660] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076de2830 5 bytes JMP 0000000100060270 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4660] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076de2840 1 byte JMP 00000001000603d0 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4660] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000076de2842 3 bytes {JMP 0xffffffff8927db90} .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4660] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076de2a00 5 bytes JMP 00000001000601f0 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4660] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076de2a10 5 bytes JMP 0000000100060210 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4660] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076de2a80 5 bytes JMP 0000000100060200 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4660] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076de2ae0 5 bytes JMP 00000001000603f0 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4660] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076de2af0 5 bytes JMP 0000000100060400 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4660] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076de2b00 5 bytes JMP 0000000100060220 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4660] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076de2be0 5 bytes JMP 0000000100060280 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4660] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 000000007680eecd 1 byte [62] .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4660] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefe986e00 5 bytes JMP 000007ff7e9a1dac .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4660] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefe986f2c 5 bytes JMP 000007ff7e9a0ecc .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4660] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefe987220 5 bytes JMP 000007ff7e9a1284 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4660] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefe98739c 5 bytes JMP 000007ff7e9a163c .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4660] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefe987538 5 bytes JMP 000007ff7e9a19f4 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4660] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefe9875e8 5 bytes JMP 000007ff7e9a03a4 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4660] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefe98790c 5 bytes JMP 000007ff7e9a075c .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4660] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefe987ab4 5 bytes JMP 000007ff7e9a0b14 .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe[4776] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 0000000076f8faa0 5 bytes JMP 0000000100030600 .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe[4776] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 0000000076f8fb38 5 bytes JMP 0000000100030804 .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe[4776] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000076f8fc90 5 bytes JMP 0000000100030c0c .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe[4776] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000076f90018 5 bytes JMP 0000000100030a08 .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe[4776] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000076fac45a 5 bytes JMP 00000001000301f8 .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe[4776] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000076fb1217 5 bytes JMP 00000001000303fc .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe[4776] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 00000000746ea30a 1 byte [62] .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe[4776] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000076295181 5 bytes JMP 0000000100241014 .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe[4776] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000076295254 5 bytes JMP 0000000100240804 .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe[4776] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000762953d5 5 bytes JMP 0000000100240a08 .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe[4776] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000762954c2 5 bytes JMP 0000000100240c0c .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe[4776] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000762955e2 5 bytes JMP 0000000100240e10 .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe[4776] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 000000007629567c 5 bytes JMP 00000001002401f8 .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe[4776] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 000000007629589f 5 bytes JMP 00000001002403fc .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe[4776] C:\Windows\SysWOW64\sechost.dll!DeleteService 0000000076295a22 5 bytes JMP 0000000100240600 .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe[4776] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000075b4ee09 5 bytes JMP 00000001002501f8 .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe[4776] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000075b53982 5 bytes JMP 00000001002503fc .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe[4776] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000075b57603 5 bytes JMP 0000000100250804 .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe[4776] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000075b5835c 5 bytes JMP 0000000100250600 .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe[4776] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 0000000075b6f52b 5 bytes JMP 0000000100250a08 .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqToaster.exe[5048] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 0000000076f8faa0 5 bytes JMP 0000000100030600 .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqToaster.exe[5048] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 0000000076f8fb38 5 bytes JMP 0000000100030804 .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqToaster.exe[5048] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000076f8fc90 5 bytes JMP 0000000100030c0c .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqToaster.exe[5048] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000076f90018 5 bytes JMP 0000000100030a08 .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqToaster.exe[5048] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000076fac45a 5 bytes JMP 00000001000301f8 .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqToaster.exe[5048] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000076fb1217 5 bytes JMP 00000001000303fc .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqToaster.exe[5048] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 00000000746ea30a 1 byte [62] .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqToaster.exe[5048] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000075b4ee09 5 bytes JMP 00000001002401f8 .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqToaster.exe[5048] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000075b53982 5 bytes JMP 00000001002403fc .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqToaster.exe[5048] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000075b57603 5 bytes JMP 0000000100240804 .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqToaster.exe[5048] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000075b5835c 5 bytes JMP 0000000100240600 .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqToaster.exe[5048] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 0000000075b6f52b 5 bytes JMP 0000000100240a08 .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqToaster.exe[5048] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000076295181 5 bytes JMP 0000000100251014 .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqToaster.exe[5048] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000076295254 5 bytes JMP 0000000100250804 .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqToaster.exe[5048] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000762953d5 5 bytes JMP 0000000100250a08 .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqToaster.exe[5048] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000762954c2 5 bytes JMP 0000000100250c0c .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqToaster.exe[5048] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000762955e2 5 bytes JMP 0000000100250e10 .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqToaster.exe[5048] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 000000007629567c 5 bytes JMP 00000001002501f8 .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqToaster.exe[5048] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 000000007629589f 5 bytes JMP 00000001002503fc .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqToaster.exe[5048] C:\Windows\SysWOW64\sechost.dll!DeleteService 0000000076295a22 5 bytes JMP 0000000100250600 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5244] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 0000000076f8faa0 5 bytes JMP 0000000100030600 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5244] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 0000000076f8fb38 5 bytes JMP 0000000100030804 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5244] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000076f8fc90 5 bytes JMP 0000000100030c0c .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5244] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000076f90018 5 bytes JMP 0000000100030a08 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5244] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000076fac45a 5 bytes JMP 00000001000301f8 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5244] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000076fb1217 5 bytes JMP 00000001000303fc .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5244] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 00000000746ea30a 1 byte [62] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5244] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000075b4ee09 5 bytes JMP 00000001001401f8 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5244] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000075b53982 5 bytes JMP 00000001001403fc .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5244] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000075b57603 5 bytes JMP 0000000100140804 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5244] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000075b5835c 5 bytes JMP 0000000100140600 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5244] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 0000000075b6f52b 5 bytes JMP 0000000100140a08 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5244] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000076295181 5 bytes JMP 0000000100151014 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5244] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000076295254 5 bytes JMP 0000000100150804 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5244] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000762953d5 5 bytes JMP 0000000100150a08 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5244] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000762954c2 5 bytes JMP 0000000100150c0c .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5244] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000762955e2 5 bytes JMP 0000000100150e10 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5244] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 000000007629567c 5 bytes JMP 00000001001501f8 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5244] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 000000007629589f 5 bytes JMP 00000001001503fc .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5244] C:\Windows\SysWOW64\sechost.dll!DeleteService 0000000076295a22 5 bytes JMP 0000000100150600 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5244] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076281465 2 bytes [28, 76] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5244] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000762814bb 2 bytes [28, 76] .text ... * 2 ? C:\Windows\system32\mssprxy.dll [5244] entry point in ".rdata" section 00000000713671e6 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5396] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationThread + 5 0000000076f8f991 7 bytes {MOV EDX, 0x4e1228; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5396] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 0000000076f8faa0 5 bytes JMP 00000001006b0600 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5396] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 0000000076f8fb38 5 bytes JMP 00000001006b0804 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5396] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadToken + 5 0000000076f8fbd5 7 bytes {MOV EDX, 0x4e1268; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5396] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 5 0000000076f8fc05 7 bytes {MOV EDX, 0x4e11a8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5396] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile + 5 0000000076f8fc1d 7 bytes {MOV EDX, 0x4e1128; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5396] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection + 5 0000000076f8fc35 7 bytes {MOV EDX, 0x4e1328; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5396] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection + 5 0000000076f8fc65 7 bytes {MOV EDX, 0x4e1368; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5396] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000076f8fc90 5 bytes JMP 00000001006b0c0c .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5396] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadTokenEx + 5 0000000076f8fce5 7 bytes {MOV EDX, 0x4e12e8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5396] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessTokenEx + 5 0000000076f8fcfd 7 bytes {MOV EDX, 0x4e12a8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5396] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 5 0000000076f8fd49 7 bytes {MOV EDX, 0x4e1068; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5396] C:\Windows\SysWOW64\ntdll.dll!NtQueryAttributesFile + 5 0000000076f8fe41 7 bytes {MOV EDX, 0x4e10a8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5396] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000076f90018 5 bytes JMP 00000001006b0a08 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5396] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 5 0000000076f90099 7 bytes {MOV EDX, 0x4e1028; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5396] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken + 5 0000000076f910a5 7 bytes {MOV EDX, 0x4e11e8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5396] C:\Windows\SysWOW64\ntdll.dll!NtOpenThread + 5 0000000076f9111d 7 bytes {MOV EDX, 0x4e1168; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5396] C:\Windows\SysWOW64\ntdll.dll!NtQueryFullAttributesFile + 5 0000000076f91321 7 bytes {MOV EDX, 0x4e10e8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5396] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000076fac45a 5 bytes JMP 00000001006b01f8 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5396] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000076fb1217 5 bytes JMP 00000001006b03fc .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5396] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 00000000746ea30a 1 byte [62] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5396] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000075b4ee09 5 bytes JMP 00000001007001f8 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5396] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000075b53982 5 bytes JMP 00000001007003fc .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5396] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000075b57603 5 bytes JMP 0000000100700804 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5396] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000075b5835c 5 bytes JMP 0000000100700600 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5396] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 0000000075b6f52b 5 bytes JMP 0000000100700a08 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5396] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000076295181 5 bytes JMP 0000000100711014 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5396] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000076295254 5 bytes JMP 0000000100710804 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5396] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000762953d5 5 bytes JMP 0000000100710a08 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5396] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000762954c2 5 bytes JMP 0000000100710c0c .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5396] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000762955e2 5 bytes JMP 0000000100710e10 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5396] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 000000007629567c 5 bytes JMP 00000001007101f8 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5396] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 000000007629589f 5 bytes JMP 00000001007103fc .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5396] C:\Windows\SysWOW64\sechost.dll!DeleteService 0000000076295a22 5 bytes JMP 0000000100710600 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5396] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076281465 2 bytes [28, 76] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5396] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000762814bb 2 bytes [28, 76] .text ... * 2 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5752] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationThread + 5 0000000076f8f991 3 bytes [BA, 28, 4E] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5752] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationThread + 9 0000000076f8f995 3 bytes [00, FF, E2] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5752] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 0000000076f8faa0 5 bytes JMP 0000000100780600 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5752] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 0000000076f8fb38 5 bytes JMP 0000000100780804 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5752] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadToken + 5 0000000076f8fbd5 3 bytes [BA, 68, 4E] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5752] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadToken + 9 0000000076f8fbd9 3 bytes [00, FF, E2] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5752] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 5 0000000076f8fc05 3 bytes [BA, A8, 4D] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5752] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 9 0000000076f8fc09 3 bytes [00, FF, E2] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5752] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile + 5 0000000076f8fc1d 3 bytes [BA, 28, 4D] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5752] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile + 9 0000000076f8fc21 3 bytes [00, FF, E2] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5752] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection + 5 0000000076f8fc35 3 bytes [BA, 28, 4F] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5752] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection + 9 0000000076f8fc39 3 bytes [00, FF, E2] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5752] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection + 5 0000000076f8fc65 3 bytes [BA, 68, 4F] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5752] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection + 9 0000000076f8fc69 3 bytes [00, FF, E2] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5752] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000076f8fc90 5 bytes JMP 0000000100780c0c .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5752] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadTokenEx + 5 0000000076f8fce5 3 bytes [BA, E8, 4E] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5752] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadTokenEx + 9 0000000076f8fce9 3 bytes [00, FF, E2] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5752] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessTokenEx + 5 0000000076f8fcfd 3 bytes [BA, A8, 4E] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5752] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessTokenEx + 9 0000000076f8fd01 3 bytes [00, FF, E2] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5752] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 5 0000000076f8fd49 3 bytes [BA, 68, 4C] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5752] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 9 0000000076f8fd4d 3 bytes [00, FF, E2] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5752] C:\Windows\SysWOW64\ntdll.dll!NtQueryAttributesFile + 5 0000000076f8fe41 3 bytes [BA, A8, 4C] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5752] C:\Windows\SysWOW64\ntdll.dll!NtQueryAttributesFile + 9 0000000076f8fe45 3 bytes [00, FF, E2] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5752] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000076f90018 5 bytes JMP 0000000100780a08 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5752] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 5 0000000076f90099 3 bytes [BA, 28, 4C] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5752] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 9 0000000076f9009d 3 bytes [00, FF, E2] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5752] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken + 5 0000000076f910a5 3 bytes [BA, E8, 4D] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5752] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken + 9 0000000076f910a9 3 bytes [00, FF, E2] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5752] C:\Windows\SysWOW64\ntdll.dll!NtOpenThread + 5 0000000076f9111d 3 bytes [BA, 68, 4D] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5752] C:\Windows\SysWOW64\ntdll.dll!NtOpenThread + 9 0000000076f91121 3 bytes [00, FF, E2] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5752] C:\Windows\SysWOW64\ntdll.dll!NtQueryFullAttributesFile + 5 0000000076f91321 3 bytes [BA, E8, 4C] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5752] C:\Windows\SysWOW64\ntdll.dll!NtQueryFullAttributesFile + 9 0000000076f91325 3 bytes [00, FF, E2] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5752] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000076fac45a 5 bytes JMP 00000001007801f8 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5752] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000076fb1217 5 bytes JMP 00000001007803fc .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5752] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 00000000746ea30a 1 byte [62] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5752] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000075b4ee09 5 bytes JMP 00000001007901f8 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5752] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000075b53982 5 bytes JMP 00000001007903fc .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5752] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000075b57603 5 bytes JMP 0000000100790804 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5752] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000075b5835c 5 bytes JMP 0000000100790600 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5752] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 0000000075b6f52b 5 bytes JMP 0000000100790a08 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5752] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000076295181 5 bytes JMP 00000001007a1014 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5752] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000076295254 5 bytes JMP 00000001007a0804 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5752] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000762953d5 5 bytes JMP 00000001007a0a08 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5752] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000762954c2 5 bytes JMP 00000001007a0c0c .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5752] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000762955e2 3 bytes JMP 00000001007a0e10 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5752] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W + 4 00000000762955e6 1 byte [8A] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5752] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 000000007629567c 5 bytes JMP 00000001007a01f8 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5752] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 000000007629589f 5 bytes JMP 00000001007a03fc .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5752] C:\Windows\SysWOW64\sechost.dll!DeleteService 0000000076295a22 5 bytes JMP 00000001007a0600 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5752] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076281465 2 bytes [28, 76] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5752] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000762814bb 2 bytes [28, 76] .text ... * 2 .text C:\Windows\system32\svchost.exe[1916] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefe986e00 5 bytes JMP 000007ff7e9a1dac .text C:\Windows\system32\svchost.exe[1916] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefe986f2c 5 bytes JMP 000007ff7e9a0ecc .text C:\Windows\system32\svchost.exe[1916] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefe987220 5 bytes JMP 000007ff7e9a1284 .text C:\Windows\system32\svchost.exe[1916] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefe98739c 5 bytes JMP 000007ff7e9a163c .text C:\Windows\system32\svchost.exe[1916] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefe987538 5 bytes JMP 000007ff7e9a19f4 .text C:\Windows\system32\svchost.exe[1916] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefe9875e8 5 bytes JMP 000007ff7e9a03a4 .text C:\Windows\system32\svchost.exe[1916] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefe98790c 5 bytes JMP 000007ff7e9a075c .text C:\Windows\system32\svchost.exe[1916] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefe987ab4 5 bytes JMP 000007ff7e9a0b14 .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[2888] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 0000000076f8faa0 5 bytes JMP 0000000100030600 .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[2888] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 0000000076f8fb38 5 bytes JMP 0000000100030804 .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[2888] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000076f8fc90 5 bytes JMP 0000000100030c0c .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[2888] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000076f90018 5 bytes JMP 0000000100030a08 .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[2888] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000076fac45a 5 bytes JMP 00000001000301f8 .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[2888] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000076fb1217 5 bytes JMP 00000001000303fc .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[2888] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 00000000746ea30a 1 byte [62] .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[2888] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000076295181 5 bytes JMP 00000001003d1014 .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[2888] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000076295254 5 bytes JMP 00000001003d0804 .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[2888] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000762953d5 5 bytes JMP 00000001003d0a08 .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[2888] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000762954c2 5 bytes JMP 00000001003d0c0c .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[2888] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000762955e2 5 bytes JMP 00000001003d0e10 .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[2888] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 000000007629567c 5 bytes JMP 00000001003d01f8 .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[2888] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 000000007629589f 5 bytes JMP 00000001003d03fc .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[2888] C:\Windows\SysWOW64\sechost.dll!DeleteService 0000000076295a22 5 bytes JMP 00000001003d0600 .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[2888] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000075b4ee09 5 bytes JMP 00000001003e01f8 .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[2888] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000075b53982 5 bytes JMP 00000001003e03fc .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[2888] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000075b57603 5 bytes JMP 00000001003e0804 .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[2888] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000075b5835c 5 bytes JMP 00000001003e0600 .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[2888] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 0000000075b6f52b 5 bytes JMP 00000001003e0a08 .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[2888] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076281465 2 bytes [28, 76] .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[2888] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000762814bb 2 bytes [28, 76] .text ... * 2 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3360] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationThread + 5 0000000076f8f991 7 bytes {MOV EDX, 0x147228; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3360] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 0000000076f8faa0 5 bytes JMP 00000001001f0600 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3360] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 0000000076f8fb38 5 bytes JMP 00000001001f0804 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3360] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadToken + 5 0000000076f8fbd5 7 bytes {MOV EDX, 0x147268; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3360] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 5 0000000076f8fc05 7 bytes {MOV EDX, 0x1471a8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3360] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile + 5 0000000076f8fc1d 7 bytes {MOV EDX, 0x147128; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3360] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection + 5 0000000076f8fc35 7 bytes {MOV EDX, 0x147328; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3360] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection + 5 0000000076f8fc65 7 bytes {MOV EDX, 0x147368; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3360] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000076f8fc90 5 bytes JMP 00000001001f0c0c .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3360] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadTokenEx + 5 0000000076f8fce5 7 bytes {MOV EDX, 0x1472e8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3360] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessTokenEx + 5 0000000076f8fcfd 7 bytes {MOV EDX, 0x1472a8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3360] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 5 0000000076f8fd49 7 bytes {MOV EDX, 0x147068; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3360] C:\Windows\SysWOW64\ntdll.dll!NtQueryAttributesFile + 5 0000000076f8fe41 7 bytes {MOV EDX, 0x1470a8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3360] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000076f90018 5 bytes JMP 00000001001f0a08 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3360] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 5 0000000076f90099 7 bytes {MOV EDX, 0x147028; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3360] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken + 5 0000000076f910a5 7 bytes {MOV EDX, 0x1471e8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3360] C:\Windows\SysWOW64\ntdll.dll!NtOpenThread + 5 0000000076f9111d 7 bytes {MOV EDX, 0x147168; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3360] C:\Windows\SysWOW64\ntdll.dll!NtQueryFullAttributesFile + 5 0000000076f91321 7 bytes {MOV EDX, 0x1470e8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3360] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000076fac45a 5 bytes JMP 00000001001f01f8 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3360] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000076fb1217 5 bytes JMP 00000001001f03fc .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3360] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 00000000746ea30a 1 byte [62] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3360] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000075b4ee09 5 bytes JMP 00000001002001f8 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3360] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000075b53982 5 bytes JMP 00000001002003fc .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3360] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000075b57603 5 bytes JMP 0000000100200804 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3360] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000075b5835c 5 bytes JMP 0000000100200600 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3360] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 0000000075b6f52b 5 bytes JMP 0000000100200a08 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3360] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000076295181 5 bytes JMP 00000001002c1014 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3360] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000076295254 5 bytes JMP 00000001002c0804 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3360] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000762953d5 5 bytes JMP 00000001002c0a08 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3360] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000762954c2 5 bytes JMP 00000001002c0c0c .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3360] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000762955e2 5 bytes JMP 00000001002c0e10 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3360] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 000000007629567c 5 bytes JMP 00000001002c01f8 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3360] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 000000007629589f 5 bytes JMP 00000001002c03fc .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3360] C:\Windows\SysWOW64\sechost.dll!DeleteService 0000000076295a22 5 bytes JMP 00000001002c0600 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3360] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076281465 2 bytes [28, 76] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3360] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000762814bb 2 bytes [28, 76] .text ... * 2 .text C:\Users\Marcin\Downloads\i2h0ge6b.exe[2520] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 0000000076f8faa0 5 bytes JMP 0000000100030600 .text C:\Users\Marcin\Downloads\i2h0ge6b.exe[2520] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 0000000076f8fb38 5 bytes JMP 0000000100030804 .text C:\Users\Marcin\Downloads\i2h0ge6b.exe[2520] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000076f8fc90 5 bytes JMP 0000000100030c0c .text C:\Users\Marcin\Downloads\i2h0ge6b.exe[2520] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000076f90018 5 bytes JMP 0000000100030a08 .text C:\Users\Marcin\Downloads\i2h0ge6b.exe[2520] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000076fac45a 5 bytes JMP 00000001000301f8 .text C:\Users\Marcin\Downloads\i2h0ge6b.exe[2520] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000076fb1217 5 bytes JMP 00000001000303fc .text C:\Users\Marcin\Downloads\i2h0ge6b.exe[2520] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 00000000746ea30a 1 byte [62] .text C:\Users\Marcin\Downloads\i2h0ge6b.exe[2520] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000076295181 5 bytes JMP 0000000100241014 .text C:\Users\Marcin\Downloads\i2h0ge6b.exe[2520] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000076295254 5 bytes JMP 0000000100240804 .text C:\Users\Marcin\Downloads\i2h0ge6b.exe[2520] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000762953d5 5 bytes JMP 0000000100240a08 .text C:\Users\Marcin\Downloads\i2h0ge6b.exe[2520] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000762954c2 5 bytes JMP 0000000100240c0c .text C:\Users\Marcin\Downloads\i2h0ge6b.exe[2520] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000762955e2 5 bytes JMP 0000000100240e10 .text C:\Users\Marcin\Downloads\i2h0ge6b.exe[2520] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 000000007629567c 5 bytes JMP 00000001002401f8 .text C:\Users\Marcin\Downloads\i2h0ge6b.exe[2520] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 000000007629589f 5 bytes JMP 00000001002403fc .text C:\Users\Marcin\Downloads\i2h0ge6b.exe[2520] C:\Windows\SysWOW64\sechost.dll!DeleteService 0000000076295a22 5 bytes JMP 0000000100240600 .text C:\Users\Marcin\Downloads\i2h0ge6b.exe[2520] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000075b4ee09 5 bytes JMP 00000001002501f8 .text C:\Users\Marcin\Downloads\i2h0ge6b.exe[2520] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000075b53982 5 bytes JMP 00000001002503fc .text C:\Users\Marcin\Downloads\i2h0ge6b.exe[2520] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000075b57603 5 bytes JMP 0000000100250804 .text C:\Users\Marcin\Downloads\i2h0ge6b.exe[2520] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000075b5835c 5 bytes JMP 0000000100250600 .text C:\Users\Marcin\Downloads\i2h0ge6b.exe[2520] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 0000000075b6f52b 5 bytes JMP 0000000100250a08 ---- Threads - GMER 2.1 ---- Thread C:\Windows\System32\svchost.exe [2884:3136] 000007fef3cb9688 ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\002713391da9 Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\002713391da9@00247c9bba50 0xDC 0x23 0x93 0xFE ... Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\002713391da9@9ccad9c824e8 0xD7 0x1B 0x89 0x8F ... Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\002713391da9@b4629320bbad 0x22 0x9F 0x32 0x5D ... Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\002713391da9 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\002713391da9@00247c9bba50 0xDC 0x23 0x93 0xFE ... Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\002713391da9@9ccad9c824e8 0xD7 0x1B 0x89 0x8F ... Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\002713391da9@b4629320bbad 0x22 0x9F 0x32 0x5D ... ---- Disk sectors - GMER 2.1 ---- Disk \Device\Harddisk0\DR0 unknown MBR code ---- EOF - GMER 2.1 ----