GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2014-09-27 19:44:42 Windows 6.1.7600 x64 \Device\Harddisk0\DR0 -> \Device\00000061 WDC_WD32 rev.02.0 298.09GB Running: rdjp16ye.exe; Driver: C:\Users\Weak\AppData\Local\Temp\kwldqpoc.sys ---- Kernel code sections - GMER 2.1 ---- INITKDBG C:\Windows\system32\ntoskrnl.exe suspicious modification ---- User code sections - GMER 2.1 ---- .text C:\Windows\system32\csrss.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076ebfe00 5 bytes JMP 0000000149dc0460 .text C:\Windows\system32\csrss.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076ebfe50 5 bytes JMP 0000000149dc0450 .text C:\Windows\system32\csrss.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076ebffb0 5 bytes JMP 0000000149dc0370 .text C:\Windows\system32\csrss.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076ec0000 5 bytes JMP 0000000149dc0470 .text C:\Windows\system32\csrss.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076ec0010 5 bytes JMP 0000000149dc03e0 .text C:\Windows\system32\csrss.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076ec00c0 5 bytes JMP 0000000149dc0320 .text C:\Windows\system32\csrss.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076ec00f0 5 bytes JMP 0000000149dc03b0 .text C:\Windows\system32\csrss.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076ec0110 5 bytes JMP 0000000149dc0390 .text C:\Windows\system32\csrss.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076ec0150 1 byte JMP 0000000149dc02e0 .text C:\Windows\system32\csrss.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent + 2 0000000076ec0152 3 bytes {JMP 0xffffffffd2f00190} .text C:\Windows\system32\csrss.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076ec01d0 5 bytes JMP 0000000149dc02d0 .text C:\Windows\system32\csrss.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076ec01f0 5 bytes JMP 0000000149dc0310 .text C:\Windows\system32\csrss.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076ec0230 1 byte JMP 0000000149dc03c0 .text C:\Windows\system32\csrss.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread + 2 0000000076ec0232 3 bytes {JMP 0xffffffffd2f00190} .text C:\Windows\system32\csrss.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076ec0280 5 bytes JMP 0000000149dc03f0 .text C:\Windows\system32\csrss.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076ec03e0 5 bytes JMP 0000000149dc0230 .text C:\Windows\system32\csrss.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076ec05a0 5 bytes JMP 0000000149dc0480 .text C:\Windows\system32\csrss.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076ec05d0 5 bytes JMP 0000000149dc03a0 .text C:\Windows\system32\csrss.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076ec06b0 5 bytes JMP 0000000149dc02f0 .text C:\Windows\system32\csrss.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076ec06c0 1 byte JMP 0000000149dc0350 .text C:\Windows\system32\csrss.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion + 2 0000000076ec06c2 3 bytes {JMP 0xffffffffd2effc90} .text C:\Windows\system32\csrss.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076ec0720 5 bytes JMP 0000000149dc0290 .text C:\Windows\system32\csrss.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076ec07b0 5 bytes JMP 0000000149dc02b0 .text C:\Windows\system32\csrss.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076ec07d0 5 bytes JMP 0000000149dc03d0 .text C:\Windows\system32\csrss.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076ec07e0 5 bytes JMP 0000000149dc0330 .text C:\Windows\system32\csrss.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076ec0850 5 bytes JMP 0000000149dc0410 .text C:\Windows\system32\csrss.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076ec0880 5 bytes JMP 0000000149dc0240 .text C:\Windows\system32\csrss.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076ec0b40 5 bytes JMP 0000000149dc01e0 .text C:\Windows\system32\csrss.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076ec0c00 5 bytes JMP 0000000149dc0250 .text C:\Windows\system32\csrss.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076ec0c30 5 bytes JMP 0000000149dc0490 .text C:\Windows\system32\csrss.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076ec0c40 5 bytes JMP 0000000149dc04a0 .text C:\Windows\system32\csrss.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076ec0c70 1 byte JMP 0000000149dc0300 .text C:\Windows\system32\csrss.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair + 2 0000000076ec0c72 3 bytes {JMP 0xffffffffd2eff690} .text C:\Windows\system32\csrss.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076ec0c80 5 bytes JMP 0000000149dc0360 .text C:\Windows\system32\csrss.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076ec0ce0 5 bytes JMP 0000000149dc02a0 .text C:\Windows\system32\csrss.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076ec0d30 1 byte JMP 0000000149dc02c0 .text C:\Windows\system32\csrss.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore + 2 0000000076ec0d32 3 bytes {JMP 0xffffffffd2eff590} .text C:\Windows\system32\csrss.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076ec0d60 5 bytes JMP 0000000149dc0380 .text C:\Windows\system32\csrss.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076ec0d70 5 bytes JMP 0000000149dc0340 .text C:\Windows\system32\csrss.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076ec1060 5 bytes JMP 0000000149dc0440 .text C:\Windows\system32\csrss.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076ec1260 5 bytes JMP 0000000149dc0260 .text C:\Windows\system32\csrss.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076ec1270 5 bytes JMP 0000000149dc0270 .text C:\Windows\system32\csrss.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076ec1280 5 bytes JMP 0000000149dc0400 .text C:\Windows\system32\csrss.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076ec1440 5 bytes JMP 0000000149dc01f0 .text C:\Windows\system32\csrss.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076ec1450 5 bytes JMP 0000000149dc0210 .text C:\Windows\system32\csrss.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076ec14c0 5 bytes JMP 0000000149dc0200 .text C:\Windows\system32\csrss.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076ec1520 5 bytes JMP 0000000149dc0420 .text C:\Windows\system32\csrss.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076ec1530 5 bytes JMP 0000000149dc0430 .text C:\Windows\system32\csrss.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076ec1540 5 bytes JMP 0000000149dc0220 .text C:\Windows\system32\csrss.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076ec1620 5 bytes JMP 0000000149dc0280 .text C:\Windows\system32\wininit.exe[524] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076daf1bd 1 byte [62] .text C:\Windows\system32\csrss.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076ebfe00 5 bytes JMP 0000000149dc0460 .text C:\Windows\system32\csrss.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076ebfe50 5 bytes JMP 0000000149dc0450 .text C:\Windows\system32\csrss.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076ebffb0 5 bytes JMP 0000000149dc0370 .text C:\Windows\system32\csrss.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076ec0000 5 bytes JMP 0000000149dc0470 .text C:\Windows\system32\csrss.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076ec0010 5 bytes JMP 0000000149dc03e0 .text C:\Windows\system32\csrss.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076ec00c0 5 bytes JMP 0000000149dc0320 .text C:\Windows\system32\csrss.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076ec00f0 5 bytes JMP 0000000149dc03b0 .text C:\Windows\system32\csrss.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076ec0110 5 bytes JMP 0000000149dc0390 .text C:\Windows\system32\csrss.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076ec0150 1 byte JMP 0000000149dc02e0 .text C:\Windows\system32\csrss.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent + 2 0000000076ec0152 3 bytes {JMP 0xffffffffd2f00190} .text C:\Windows\system32\csrss.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076ec01d0 5 bytes JMP 0000000149dc02d0 .text C:\Windows\system32\csrss.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076ec01f0 5 bytes JMP 0000000149dc0310 .text C:\Windows\system32\csrss.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076ec0230 1 byte JMP 0000000149dc03c0 .text C:\Windows\system32\csrss.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread + 2 0000000076ec0232 3 bytes {JMP 0xffffffffd2f00190} .text C:\Windows\system32\csrss.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076ec0280 5 bytes JMP 0000000149dc03f0 .text C:\Windows\system32\csrss.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076ec03e0 5 bytes JMP 0000000149dc0230 .text C:\Windows\system32\csrss.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076ec05a0 5 bytes JMP 0000000149dc0480 .text C:\Windows\system32\csrss.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076ec05d0 5 bytes JMP 0000000149dc03a0 .text C:\Windows\system32\csrss.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076ec06b0 5 bytes JMP 0000000149dc02f0 .text C:\Windows\system32\csrss.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076ec06c0 1 byte JMP 0000000149dc0350 .text C:\Windows\system32\csrss.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion + 2 0000000076ec06c2 3 bytes {JMP 0xffffffffd2effc90} .text C:\Windows\system32\csrss.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076ec0720 5 bytes JMP 0000000149dc0290 .text C:\Windows\system32\csrss.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076ec07b0 5 bytes JMP 0000000149dc02b0 .text C:\Windows\system32\csrss.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076ec07d0 5 bytes JMP 0000000149dc03d0 .text C:\Windows\system32\csrss.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076ec07e0 5 bytes JMP 0000000149dc0330 .text C:\Windows\system32\csrss.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076ec0850 5 bytes JMP 0000000149dc0410 .text C:\Windows\system32\csrss.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076ec0880 5 bytes JMP 0000000149dc0240 .text C:\Windows\system32\csrss.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076ec0b40 5 bytes JMP 0000000149dc01e0 .text C:\Windows\system32\csrss.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076ec0c00 5 bytes JMP 0000000149dc0250 .text C:\Windows\system32\csrss.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076ec0c30 5 bytes JMP 0000000149dc0490 .text C:\Windows\system32\csrss.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076ec0c40 5 bytes JMP 0000000149dc04a0 .text C:\Windows\system32\csrss.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076ec0c70 1 byte JMP 0000000149dc0300 .text C:\Windows\system32\csrss.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair + 2 0000000076ec0c72 3 bytes {JMP 0xffffffffd2eff690} .text C:\Windows\system32\csrss.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076ec0c80 5 bytes JMP 0000000149dc0360 .text C:\Windows\system32\csrss.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076ec0ce0 5 bytes JMP 0000000149dc02a0 .text C:\Windows\system32\csrss.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076ec0d30 1 byte JMP 0000000149dc02c0 .text C:\Windows\system32\csrss.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore + 2 0000000076ec0d32 3 bytes {JMP 0xffffffffd2eff590} .text C:\Windows\system32\csrss.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076ec0d60 5 bytes JMP 0000000149dc0380 .text C:\Windows\system32\csrss.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076ec0d70 5 bytes JMP 0000000149dc0340 .text C:\Windows\system32\csrss.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076ec1060 5 bytes JMP 0000000149dc0440 .text C:\Windows\system32\csrss.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076ec1260 5 bytes JMP 0000000149dc0260 .text C:\Windows\system32\csrss.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076ec1270 5 bytes JMP 0000000149dc0270 .text C:\Windows\system32\csrss.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076ec1280 5 bytes JMP 0000000149dc0400 .text C:\Windows\system32\csrss.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076ec1440 5 bytes JMP 0000000149dc01f0 .text C:\Windows\system32\csrss.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076ec1450 5 bytes JMP 0000000149dc0210 .text C:\Windows\system32\csrss.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076ec14c0 5 bytes JMP 0000000149dc0200 .text C:\Windows\system32\csrss.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076ec1520 5 bytes JMP 0000000149dc0420 .text C:\Windows\system32\csrss.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076ec1530 5 bytes JMP 0000000149dc0430 .text C:\Windows\system32\csrss.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076ec1540 5 bytes JMP 0000000149dc0220 .text C:\Windows\system32\csrss.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076ec1620 5 bytes JMP 0000000149dc0280 .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076ebfe00 5 bytes JMP 0000000077020460 .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076ebfe50 5 bytes JMP 0000000077020450 .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076ebffb0 5 bytes JMP 0000000077020370 .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076ec0000 5 bytes JMP 0000000077020470 .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076ec0010 5 bytes JMP 00000000770203e0 .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076ec00c0 5 bytes JMP 0000000077020320 .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076ec00f0 5 bytes JMP 00000000770203b0 .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076ec0110 5 bytes JMP 0000000077020390 .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076ec0150 1 byte JMP 00000000770202e0 .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent + 2 0000000076ec0152 3 bytes {JMP 0x160190} .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076ec01d0 5 bytes JMP 00000000770202d0 .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076ec01f0 5 bytes JMP 0000000077020310 .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076ec0230 1 byte JMP 00000000770203c0 .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread + 2 0000000076ec0232 3 bytes {JMP 0x160190} .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076ec0280 5 bytes JMP 00000000770203f0 .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076ec03e0 5 bytes JMP 0000000077020230 .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076ec05a0 5 bytes JMP 0000000077020480 .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076ec05d0 5 bytes JMP 00000000770203a0 .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076ec06b0 5 bytes JMP 00000000770202f0 .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076ec06c0 1 byte JMP 0000000077020350 .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion + 2 0000000076ec06c2 3 bytes {JMP 0x15fc90} .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076ec0720 5 bytes JMP 0000000077020290 .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076ec07b0 5 bytes JMP 00000000770202b0 .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076ec07d0 5 bytes JMP 00000000770203d0 .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076ec07e0 5 bytes JMP 0000000077020330 .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076ec0850 5 bytes JMP 0000000077020410 .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076ec0880 5 bytes JMP 0000000077020240 .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076ec0b40 5 bytes JMP 00000000770201e0 .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076ec0c00 5 bytes JMP 0000000077020250 .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076ec0c30 5 bytes JMP 0000000077020490 .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076ec0c40 5 bytes JMP 00000000770204a0 .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076ec0c70 1 byte JMP 0000000077020300 .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair + 2 0000000076ec0c72 3 bytes {JMP 0x15f690} .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076ec0c80 5 bytes JMP 0000000077020360 .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076ec0ce0 5 bytes JMP 00000000770202a0 .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076ec0d30 1 byte JMP 00000000770202c0 .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore + 2 0000000076ec0d32 3 bytes {JMP 0x15f590} .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076ec0d60 5 bytes JMP 0000000077020380 .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076ec0d70 5 bytes JMP 0000000077020340 .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076ec1060 5 bytes JMP 0000000077020440 .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076ec1260 5 bytes JMP 0000000077020260 .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076ec1270 5 bytes JMP 0000000077020270 .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076ec1280 5 bytes JMP 0000000077020400 .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076ec1440 5 bytes JMP 00000000770201f0 .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076ec1450 5 bytes JMP 0000000077020210 .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076ec14c0 5 bytes JMP 0000000077020200 .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076ec1520 5 bytes JMP 0000000077020420 .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076ec1530 5 bytes JMP 0000000077020430 .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076ec1540 5 bytes JMP 0000000077020220 .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076ec1620 5 bytes JMP 0000000077020280 .text C:\Windows\system32\services.exe[588] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076daf1bd 1 byte [62] .text C:\Windows\system32\lsass.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076ebfe00 5 bytes JMP 0000000077020460 .text C:\Windows\system32\lsass.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076ebfe50 5 bytes JMP 0000000077020450 .text C:\Windows\system32\lsass.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076ebffb0 5 bytes JMP 0000000077020370 .text C:\Windows\system32\lsass.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076ec0000 5 bytes JMP 0000000077020470 .text C:\Windows\system32\lsass.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076ec0010 5 bytes JMP 00000000770203e0 .text C:\Windows\system32\lsass.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076ec00c0 5 bytes JMP 0000000077020320 .text C:\Windows\system32\lsass.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076ec00f0 5 bytes JMP 00000000770203b0 .text C:\Windows\system32\lsass.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076ec0110 5 bytes JMP 0000000077020390 .text C:\Windows\system32\lsass.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076ec0150 1 byte JMP 00000000770202e0 .text C:\Windows\system32\lsass.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent + 2 0000000076ec0152 3 bytes {JMP 0x160190} .text C:\Windows\system32\lsass.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076ec01d0 5 bytes JMP 00000000770202d0 .text C:\Windows\system32\lsass.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076ec01f0 5 bytes JMP 0000000077020310 .text C:\Windows\system32\lsass.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076ec0230 1 byte JMP 00000000770203c0 .text C:\Windows\system32\lsass.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread + 2 0000000076ec0232 3 bytes {JMP 0x160190} .text C:\Windows\system32\lsass.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076ec0280 5 bytes JMP 00000000770203f0 .text C:\Windows\system32\lsass.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076ec03e0 5 bytes JMP 0000000077020230 .text C:\Windows\system32\lsass.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076ec05a0 5 bytes JMP 0000000077020480 .text C:\Windows\system32\lsass.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076ec05d0 5 bytes JMP 00000000770203a0 .text C:\Windows\system32\lsass.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076ec06b0 5 bytes JMP 00000000770202f0 .text C:\Windows\system32\lsass.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076ec06c0 1 byte JMP 0000000077020350 .text C:\Windows\system32\lsass.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion + 2 0000000076ec06c2 3 bytes {JMP 0x15fc90} .text C:\Windows\system32\lsass.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076ec0720 5 bytes JMP 0000000077020290 .text C:\Windows\system32\lsass.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076ec07b0 5 bytes JMP 00000000770202b0 .text C:\Windows\system32\lsass.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076ec07d0 5 bytes JMP 00000000770203d0 .text C:\Windows\system32\lsass.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076ec07e0 5 bytes JMP 0000000077020330 .text C:\Windows\system32\lsass.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076ec0850 5 bytes JMP 0000000077020410 .text C:\Windows\system32\lsass.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076ec0880 5 bytes JMP 0000000077020240 .text C:\Windows\system32\lsass.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076ec0b40 5 bytes JMP 00000000770201e0 .text C:\Windows\system32\lsass.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076ec0c00 5 bytes JMP 0000000077020250 .text C:\Windows\system32\lsass.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076ec0c30 5 bytes JMP 0000000077020490 .text C:\Windows\system32\lsass.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076ec0c40 5 bytes JMP 00000000770204a0 .text C:\Windows\system32\lsass.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076ec0c70 1 byte JMP 0000000077020300 .text C:\Windows\system32\lsass.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair + 2 0000000076ec0c72 3 bytes {JMP 0x15f690} .text C:\Windows\system32\lsass.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076ec0c80 5 bytes JMP 0000000077020360 .text C:\Windows\system32\lsass.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076ec0ce0 5 bytes JMP 00000000770202a0 .text C:\Windows\system32\lsass.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076ec0d30 1 byte JMP 00000000770202c0 .text C:\Windows\system32\lsass.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore + 2 0000000076ec0d32 3 bytes {JMP 0x15f590} .text C:\Windows\system32\lsass.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076ec0d60 5 bytes JMP 0000000077020380 .text C:\Windows\system32\lsass.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076ec0d70 5 bytes JMP 0000000077020340 .text C:\Windows\system32\lsass.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076ec1060 5 bytes JMP 0000000077020440 .text C:\Windows\system32\lsass.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076ec1260 5 bytes JMP 0000000077020260 .text C:\Windows\system32\lsass.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076ec1270 5 bytes JMP 0000000077020270 .text C:\Windows\system32\lsass.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076ec1280 5 bytes JMP 0000000077020400 .text C:\Windows\system32\lsass.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076ec1440 5 bytes JMP 00000000770201f0 .text C:\Windows\system32\lsass.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076ec1450 5 bytes JMP 0000000077020210 .text C:\Windows\system32\lsass.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076ec14c0 5 bytes JMP 0000000077020200 .text C:\Windows\system32\lsass.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076ec1520 5 bytes JMP 0000000077020420 .text C:\Windows\system32\lsass.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076ec1530 5 bytes JMP 0000000077020430 .text C:\Windows\system32\lsass.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076ec1540 5 bytes JMP 0000000077020220 .text C:\Windows\system32\lsass.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076ec1620 5 bytes JMP 0000000077020280 .text C:\Windows\system32\lsass.exe[596] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076daf1bd 1 byte [62] .text C:\Windows\system32\lsm.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076ebfe00 5 bytes JMP 0000000077020460 .text C:\Windows\system32\lsm.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076ebfe50 5 bytes JMP 0000000077020450 .text C:\Windows\system32\lsm.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076ebffb0 5 bytes JMP 0000000077020370 .text C:\Windows\system32\lsm.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076ec0000 5 bytes JMP 0000000077020470 .text C:\Windows\system32\lsm.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076ec0010 5 bytes JMP 00000000770203e0 .text C:\Windows\system32\lsm.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076ec00c0 5 bytes JMP 0000000077020320 .text C:\Windows\system32\lsm.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076ec00f0 5 bytes JMP 00000000770203b0 .text C:\Windows\system32\lsm.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076ec0110 5 bytes JMP 0000000077020390 .text C:\Windows\system32\lsm.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076ec0150 1 byte JMP 00000000770202e0 .text C:\Windows\system32\lsm.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent + 2 0000000076ec0152 3 bytes {JMP 0x160190} .text C:\Windows\system32\lsm.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076ec01d0 5 bytes JMP 00000000770202d0 .text C:\Windows\system32\lsm.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076ec01f0 5 bytes JMP 0000000077020310 .text C:\Windows\system32\lsm.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076ec0230 1 byte JMP 00000000770203c0 .text C:\Windows\system32\lsm.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread + 2 0000000076ec0232 3 bytes {JMP 0x160190} .text C:\Windows\system32\lsm.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076ec0280 5 bytes JMP 00000000770203f0 .text C:\Windows\system32\lsm.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076ec03e0 5 bytes JMP 0000000077020230 .text C:\Windows\system32\lsm.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076ec05a0 5 bytes JMP 0000000077020480 .text C:\Windows\system32\lsm.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076ec05d0 5 bytes JMP 00000000770203a0 .text C:\Windows\system32\lsm.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076ec06b0 5 bytes JMP 00000000770202f0 .text C:\Windows\system32\lsm.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076ec06c0 1 byte JMP 0000000077020350 .text C:\Windows\system32\lsm.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion + 2 0000000076ec06c2 3 bytes {JMP 0x15fc90} .text C:\Windows\system32\lsm.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076ec0720 5 bytes JMP 0000000077020290 .text C:\Windows\system32\lsm.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076ec07b0 5 bytes JMP 00000000770202b0 .text C:\Windows\system32\lsm.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076ec07d0 5 bytes JMP 00000000770203d0 .text C:\Windows\system32\lsm.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076ec07e0 5 bytes JMP 0000000077020330 .text C:\Windows\system32\lsm.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076ec0850 5 bytes JMP 0000000077020410 .text C:\Windows\system32\lsm.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076ec0880 5 bytes JMP 0000000077020240 .text C:\Windows\system32\lsm.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076ec0b40 5 bytes JMP 00000000770201e0 .text C:\Windows\system32\lsm.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076ec0c00 5 bytes JMP 0000000077020250 .text C:\Windows\system32\lsm.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076ec0c30 5 bytes JMP 0000000077020490 .text C:\Windows\system32\lsm.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076ec0c40 5 bytes JMP 00000000770204a0 .text C:\Windows\system32\lsm.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076ec0c70 1 byte JMP 0000000077020300 .text C:\Windows\system32\lsm.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair + 2 0000000076ec0c72 3 bytes {JMP 0x15f690} .text C:\Windows\system32\lsm.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076ec0c80 5 bytes JMP 0000000077020360 .text C:\Windows\system32\lsm.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076ec0ce0 5 bytes JMP 00000000770202a0 .text C:\Windows\system32\lsm.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076ec0d30 1 byte JMP 00000000770202c0 .text C:\Windows\system32\lsm.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore + 2 0000000076ec0d32 3 bytes {JMP 0x15f590} .text C:\Windows\system32\lsm.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076ec0d60 5 bytes JMP 0000000077020380 .text C:\Windows\system32\lsm.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076ec0d70 5 bytes JMP 0000000077020340 .text C:\Windows\system32\lsm.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076ec1060 5 bytes JMP 0000000077020440 .text C:\Windows\system32\lsm.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076ec1260 5 bytes JMP 0000000077020260 .text C:\Windows\system32\lsm.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076ec1270 5 bytes JMP 0000000077020270 .text C:\Windows\system32\lsm.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076ec1280 5 bytes JMP 0000000077020400 .text C:\Windows\system32\lsm.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076ec1440 5 bytes JMP 00000000770201f0 .text C:\Windows\system32\lsm.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076ec1450 5 bytes JMP 0000000077020210 .text C:\Windows\system32\lsm.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076ec14c0 5 bytes JMP 0000000077020200 .text C:\Windows\system32\lsm.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076ec1520 5 bytes JMP 0000000077020420 .text C:\Windows\system32\lsm.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076ec1530 5 bytes JMP 0000000077020430 .text C:\Windows\system32\lsm.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076ec1540 5 bytes JMP 0000000077020220 .text C:\Windows\system32\lsm.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076ec1620 5 bytes JMP 0000000077020280 .text C:\Windows\system32\winlogon.exe[672] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076daf1bd 1 byte [62] .text C:\Windows\system32\svchost.exe[748] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076ebfe00 5 bytes JMP 0000000100070460 .text C:\Windows\system32\svchost.exe[748] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076ebfe50 5 bytes JMP 0000000100070450 .text C:\Windows\system32\svchost.exe[748] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076ebffb0 5 bytes JMP 0000000100070370 .text C:\Windows\system32\svchost.exe[748] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076ec0000 5 bytes JMP 0000000100070470 .text C:\Windows\system32\svchost.exe[748] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076ec0010 5 bytes JMP 00000001000703e0 .text C:\Windows\system32\svchost.exe[748] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076ec00c0 5 bytes JMP 0000000100070320 .text C:\Windows\system32\svchost.exe[748] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076ec00f0 5 bytes JMP 00000001000703b0 .text C:\Windows\system32\svchost.exe[748] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076ec0110 5 bytes JMP 0000000100070390 .text C:\Windows\system32\svchost.exe[748] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076ec0150 1 byte JMP 00000001000702e0 .text C:\Windows\system32\svchost.exe[748] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent + 2 0000000076ec0152 3 bytes {JMP 0xffffffff891b0190} .text C:\Windows\system32\svchost.exe[748] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076ec01d0 5 bytes JMP 00000001000702d0 .text C:\Windows\system32\svchost.exe[748] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076ec01f0 5 bytes JMP 0000000100070310 .text C:\Windows\system32\svchost.exe[748] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076ec0230 1 byte JMP 00000001000703c0 .text C:\Windows\system32\svchost.exe[748] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread + 2 0000000076ec0232 3 bytes {JMP 0xffffffff891b0190} .text C:\Windows\system32\svchost.exe[748] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076ec0280 5 bytes JMP 00000001000703f0 .text C:\Windows\system32\svchost.exe[748] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076ec03e0 5 bytes JMP 0000000100070230 .text C:\Windows\system32\svchost.exe[748] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076ec05a0 5 bytes JMP 0000000100070480 .text C:\Windows\system32\svchost.exe[748] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076ec05d0 5 bytes JMP 00000001000703a0 .text C:\Windows\system32\svchost.exe[748] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076ec06b0 5 bytes JMP 00000001000702f0 .text C:\Windows\system32\svchost.exe[748] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076ec06c0 1 byte JMP 0000000100070350 .text C:\Windows\system32\svchost.exe[748] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion + 2 0000000076ec06c2 3 bytes {JMP 0xffffffff891afc90} .text C:\Windows\system32\svchost.exe[748] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076ec0720 5 bytes JMP 0000000100070290 .text C:\Windows\system32\svchost.exe[748] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076ec07b0 5 bytes JMP 00000001000702b0 .text C:\Windows\system32\svchost.exe[748] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076ec07d0 5 bytes JMP 00000001000703d0 .text C:\Windows\system32\svchost.exe[748] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076ec07e0 5 bytes JMP 0000000100070330 .text C:\Windows\system32\svchost.exe[748] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076ec0850 5 bytes JMP 0000000100070410 .text C:\Windows\system32\svchost.exe[748] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076ec0880 5 bytes JMP 0000000100070240 .text C:\Windows\system32\svchost.exe[748] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076ec0b40 5 bytes JMP 00000001000701e0 .text C:\Windows\system32\svchost.exe[748] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076ec0c00 5 bytes JMP 0000000100070250 .text C:\Windows\system32\svchost.exe[748] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076ec0c30 5 bytes JMP 0000000100070490 .text C:\Windows\system32\svchost.exe[748] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076ec0c40 5 bytes JMP 00000001000704a0 .text C:\Windows\system32\svchost.exe[748] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076ec0c70 1 byte JMP 0000000100070300 .text C:\Windows\system32\svchost.exe[748] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair + 2 0000000076ec0c72 3 bytes {JMP 0xffffffff891af690} .text C:\Windows\system32\svchost.exe[748] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076ec0c80 5 bytes JMP 0000000100070360 .text C:\Windows\system32\svchost.exe[748] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076ec0ce0 5 bytes JMP 00000001000702a0 .text C:\Windows\system32\svchost.exe[748] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076ec0d30 1 byte JMP 00000001000702c0 .text C:\Windows\system32\svchost.exe[748] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore + 2 0000000076ec0d32 3 bytes {JMP 0xffffffff891af590} .text C:\Windows\system32\svchost.exe[748] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076ec0d60 5 bytes JMP 0000000100070380 .text C:\Windows\system32\svchost.exe[748] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076ec0d70 5 bytes JMP 0000000100070340 .text C:\Windows\system32\svchost.exe[748] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076ec1060 5 bytes JMP 0000000100070440 .text C:\Windows\system32\svchost.exe[748] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076ec1260 5 bytes JMP 0000000100070260 .text C:\Windows\system32\svchost.exe[748] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076ec1270 5 bytes JMP 0000000100070270 .text C:\Windows\system32\svchost.exe[748] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076ec1280 5 bytes JMP 0000000100070400 .text C:\Windows\system32\svchost.exe[748] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076ec1440 5 bytes JMP 00000001000701f0 .text C:\Windows\system32\svchost.exe[748] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076ec1450 5 bytes JMP 0000000100070210 .text C:\Windows\system32\svchost.exe[748] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076ec14c0 5 bytes JMP 0000000100070200 .text C:\Windows\system32\svchost.exe[748] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076ec1520 5 bytes JMP 0000000100070420 .text C:\Windows\system32\svchost.exe[748] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076ec1530 5 bytes JMP 0000000100070430 .text C:\Windows\system32\svchost.exe[748] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076ec1540 5 bytes JMP 0000000100070220 .text C:\Windows\system32\svchost.exe[748] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076ec1620 5 bytes JMP 0000000100070280 .text C:\Windows\system32\svchost.exe[748] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076daf1bd 1 byte [62] .text C:\Windows\system32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076ebfe00 5 bytes JMP 0000000077020460 .text C:\Windows\system32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076ebfe50 5 bytes JMP 0000000077020450 .text C:\Windows\system32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076ebffb0 5 bytes JMP 0000000077020370 .text C:\Windows\system32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076ec0000 5 bytes JMP 0000000077020470 .text C:\Windows\system32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076ec0010 5 bytes JMP 00000000770203e0 .text C:\Windows\system32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076ec00c0 5 bytes JMP 0000000077020320 .text C:\Windows\system32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076ec00f0 5 bytes JMP 00000000770203b0 .text C:\Windows\system32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076ec0110 5 bytes JMP 0000000077020390 .text C:\Windows\system32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076ec0150 1 byte JMP 00000000770202e0 .text C:\Windows\system32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent + 2 0000000076ec0152 3 bytes {JMP 0x160190} .text C:\Windows\system32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076ec01d0 5 bytes JMP 00000000770202d0 .text C:\Windows\system32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076ec01f0 5 bytes JMP 0000000077020310 .text C:\Windows\system32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076ec0230 1 byte JMP 00000000770203c0 .text C:\Windows\system32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread + 2 0000000076ec0232 3 bytes {JMP 0x160190} .text C:\Windows\system32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076ec0280 5 bytes JMP 00000000770203f0 .text C:\Windows\system32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076ec03e0 5 bytes JMP 0000000077020230 .text C:\Windows\system32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076ec05a0 5 bytes JMP 0000000077020480 .text C:\Windows\system32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076ec05d0 5 bytes JMP 00000000770203a0 .text C:\Windows\system32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076ec06b0 5 bytes JMP 00000000770202f0 .text C:\Windows\system32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076ec06c0 1 byte JMP 0000000077020350 .text C:\Windows\system32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion + 2 0000000076ec06c2 3 bytes {JMP 0x15fc90} .text C:\Windows\system32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076ec0720 5 bytes JMP 0000000077020290 .text C:\Windows\system32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076ec07b0 5 bytes JMP 00000000770202b0 .text C:\Windows\system32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076ec07d0 5 bytes JMP 00000000770203d0 .text C:\Windows\system32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076ec07e0 5 bytes JMP 0000000077020330 .text C:\Windows\system32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076ec0850 5 bytes JMP 0000000077020410 .text C:\Windows\system32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076ec0880 5 bytes JMP 0000000077020240 .text C:\Windows\system32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076ec0b40 5 bytes JMP 00000000770201e0 .text C:\Windows\system32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076ec0c00 5 bytes JMP 0000000077020250 .text C:\Windows\system32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076ec0c30 5 bytes JMP 0000000077020490 .text C:\Windows\system32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076ec0c40 5 bytes JMP 00000000770204a0 .text C:\Windows\system32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076ec0c70 1 byte JMP 0000000077020300 .text C:\Windows\system32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair + 2 0000000076ec0c72 3 bytes {JMP 0x15f690} .text C:\Windows\system32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076ec0c80 5 bytes JMP 0000000077020360 .text C:\Windows\system32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076ec0ce0 5 bytes JMP 00000000770202a0 .text C:\Windows\system32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076ec0d30 1 byte JMP 00000000770202c0 .text C:\Windows\system32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore + 2 0000000076ec0d32 3 bytes {JMP 0x15f590} .text C:\Windows\system32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076ec0d60 5 bytes JMP 0000000077020380 .text C:\Windows\system32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076ec0d70 5 bytes JMP 0000000077020340 .text C:\Windows\system32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076ec1060 5 bytes JMP 0000000077020440 .text C:\Windows\system32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076ec1260 5 bytes JMP 0000000077020260 .text C:\Windows\system32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076ec1270 5 bytes JMP 0000000077020270 .text C:\Windows\system32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076ec1280 5 bytes JMP 0000000077020400 .text C:\Windows\system32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076ec1440 5 bytes JMP 00000000770201f0 .text C:\Windows\system32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076ec1450 5 bytes JMP 0000000077020210 .text C:\Windows\system32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076ec14c0 5 bytes JMP 0000000077020200 .text C:\Windows\system32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076ec1520 5 bytes JMP 0000000077020420 .text C:\Windows\system32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076ec1530 5 bytes JMP 0000000077020430 .text C:\Windows\system32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076ec1540 5 bytes JMP 0000000077020220 .text C:\Windows\system32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076ec1620 5 bytes JMP 0000000077020280 .text C:\Windows\system32\svchost.exe[848] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076daf1bd 1 byte [62] .text C:\Windows\system32\atiesrxx.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076ebfe00 5 bytes JMP 0000000077020460 .text C:\Windows\system32\atiesrxx.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076ebfe50 5 bytes JMP 0000000077020450 .text C:\Windows\system32\atiesrxx.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076ebffb0 5 bytes JMP 0000000077020370 .text C:\Windows\system32\atiesrxx.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076ec0000 5 bytes JMP 0000000077020470 .text C:\Windows\system32\atiesrxx.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076ec0010 5 bytes JMP 00000000770203e0 .text C:\Windows\system32\atiesrxx.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076ec00c0 5 bytes JMP 0000000077020320 .text C:\Windows\system32\atiesrxx.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076ec00f0 5 bytes JMP 00000000770203b0 .text C:\Windows\system32\atiesrxx.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076ec0110 5 bytes JMP 0000000077020390 .text C:\Windows\system32\atiesrxx.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076ec0150 1 byte JMP 00000000770202e0 .text C:\Windows\system32\atiesrxx.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent + 2 0000000076ec0152 3 bytes {JMP 0x160190} .text C:\Windows\system32\atiesrxx.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076ec01d0 5 bytes JMP 00000000770202d0 .text C:\Windows\system32\atiesrxx.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076ec01f0 5 bytes JMP 0000000077020310 .text C:\Windows\system32\atiesrxx.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076ec0230 1 byte JMP 00000000770203c0 .text C:\Windows\system32\atiesrxx.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread + 2 0000000076ec0232 3 bytes {JMP 0x160190} .text C:\Windows\system32\atiesrxx.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076ec0280 5 bytes JMP 00000000770203f0 .text C:\Windows\system32\atiesrxx.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076ec03e0 5 bytes JMP 0000000077020230 .text C:\Windows\system32\atiesrxx.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076ec05a0 5 bytes JMP 0000000077020480 .text C:\Windows\system32\atiesrxx.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076ec05d0 5 bytes JMP 00000000770203a0 .text C:\Windows\system32\atiesrxx.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076ec06b0 5 bytes JMP 00000000770202f0 .text C:\Windows\system32\atiesrxx.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076ec06c0 1 byte JMP 0000000077020350 .text C:\Windows\system32\atiesrxx.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion + 2 0000000076ec06c2 3 bytes {JMP 0x15fc90} .text C:\Windows\system32\atiesrxx.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076ec0720 5 bytes JMP 0000000077020290 .text C:\Windows\system32\atiesrxx.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076ec07b0 5 bytes JMP 00000000770202b0 .text C:\Windows\system32\atiesrxx.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076ec07d0 5 bytes JMP 00000000770203d0 .text C:\Windows\system32\atiesrxx.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076ec07e0 5 bytes JMP 0000000077020330 .text C:\Windows\system32\atiesrxx.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076ec0850 5 bytes JMP 0000000077020410 .text C:\Windows\system32\atiesrxx.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076ec0880 5 bytes JMP 0000000077020240 .text C:\Windows\system32\atiesrxx.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076ec0b40 5 bytes JMP 00000000770201e0 .text C:\Windows\system32\atiesrxx.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076ec0c00 5 bytes JMP 0000000077020250 .text C:\Windows\system32\atiesrxx.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076ec0c30 5 bytes JMP 0000000077020490 .text C:\Windows\system32\atiesrxx.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076ec0c40 5 bytes JMP 00000000770204a0 .text C:\Windows\system32\atiesrxx.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076ec0c70 1 byte JMP 0000000077020300 .text C:\Windows\system32\atiesrxx.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair + 2 0000000076ec0c72 3 bytes {JMP 0x15f690} .text C:\Windows\system32\atiesrxx.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076ec0c80 5 bytes JMP 0000000077020360 .text C:\Windows\system32\atiesrxx.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076ec0ce0 5 bytes JMP 00000000770202a0 .text C:\Windows\system32\atiesrxx.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076ec0d30 1 byte JMP 00000000770202c0 .text C:\Windows\system32\atiesrxx.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore + 2 0000000076ec0d32 3 bytes {JMP 0x15f590} .text C:\Windows\system32\atiesrxx.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076ec0d60 5 bytes JMP 0000000077020380 .text C:\Windows\system32\atiesrxx.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076ec0d70 5 bytes JMP 0000000077020340 .text C:\Windows\system32\atiesrxx.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076ec1060 5 bytes JMP 0000000077020440 .text C:\Windows\system32\atiesrxx.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076ec1260 5 bytes JMP 0000000077020260 .text C:\Windows\system32\atiesrxx.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076ec1270 5 bytes JMP 0000000077020270 .text C:\Windows\system32\atiesrxx.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076ec1280 5 bytes JMP 0000000077020400 .text C:\Windows\system32\atiesrxx.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076ec1440 5 bytes JMP 00000000770201f0 .text C:\Windows\system32\atiesrxx.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076ec1450 5 bytes JMP 0000000077020210 .text C:\Windows\system32\atiesrxx.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076ec14c0 5 bytes JMP 0000000077020200 .text C:\Windows\system32\atiesrxx.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076ec1520 5 bytes JMP 0000000077020420 .text C:\Windows\system32\atiesrxx.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076ec1530 5 bytes JMP 0000000077020430 .text C:\Windows\system32\atiesrxx.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076ec1540 5 bytes JMP 0000000077020220 .text C:\Windows\system32\atiesrxx.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076ec1620 5 bytes JMP 0000000077020280 .text C:\Windows\system32\atiesrxx.exe[924] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076daf1bd 1 byte [62] .text C:\Windows\System32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076ebfe00 5 bytes JMP 0000000077020460 .text C:\Windows\System32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076ebfe50 5 bytes JMP 0000000077020450 .text C:\Windows\System32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076ebffb0 5 bytes JMP 0000000077020370 .text C:\Windows\System32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076ec0000 5 bytes JMP 0000000077020470 .text C:\Windows\System32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076ec0010 5 bytes JMP 00000000770203e0 .text C:\Windows\System32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076ec00c0 5 bytes JMP 0000000077020320 .text C:\Windows\System32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076ec00f0 5 bytes JMP 00000000770203b0 .text C:\Windows\System32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076ec0110 5 bytes JMP 0000000077020390 .text C:\Windows\System32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076ec0150 1 byte JMP 00000000770202e0 .text C:\Windows\System32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent + 2 0000000076ec0152 3 bytes {JMP 0x160190} .text C:\Windows\System32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076ec01d0 5 bytes JMP 00000000770202d0 .text C:\Windows\System32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076ec01f0 5 bytes JMP 0000000077020310 .text C:\Windows\System32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076ec0230 1 byte JMP 00000000770203c0 .text C:\Windows\System32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread + 2 0000000076ec0232 3 bytes {JMP 0x160190} .text C:\Windows\System32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076ec0280 5 bytes JMP 00000000770203f0 .text C:\Windows\System32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076ec03e0 5 bytes JMP 0000000077020230 .text C:\Windows\System32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076ec05a0 5 bytes JMP 0000000077020480 .text C:\Windows\System32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076ec05d0 5 bytes JMP 00000000770203a0 .text C:\Windows\System32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076ec06b0 5 bytes JMP 00000000770202f0 .text C:\Windows\System32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076ec06c0 1 byte JMP 0000000077020350 .text C:\Windows\System32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion + 2 0000000076ec06c2 3 bytes {JMP 0x15fc90} .text C:\Windows\System32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076ec0720 5 bytes JMP 0000000077020290 .text C:\Windows\System32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076ec07b0 5 bytes JMP 00000000770202b0 .text C:\Windows\System32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076ec07d0 5 bytes JMP 00000000770203d0 .text C:\Windows\System32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076ec07e0 5 bytes JMP 0000000077020330 .text C:\Windows\System32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076ec0850 5 bytes JMP 0000000077020410 .text C:\Windows\System32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076ec0880 5 bytes JMP 0000000077020240 .text C:\Windows\System32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076ec0b40 5 bytes JMP 00000000770201e0 .text C:\Windows\System32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076ec0c00 5 bytes JMP 0000000077020250 .text C:\Windows\System32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076ec0c30 5 bytes JMP 0000000077020490 .text C:\Windows\System32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076ec0c40 5 bytes JMP 00000000770204a0 .text C:\Windows\System32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076ec0c70 1 byte JMP 0000000077020300 .text C:\Windows\System32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair + 2 0000000076ec0c72 3 bytes {JMP 0x15f690} .text C:\Windows\System32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076ec0c80 5 bytes JMP 0000000077020360 .text C:\Windows\System32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076ec0ce0 5 bytes JMP 00000000770202a0 .text C:\Windows\System32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076ec0d30 1 byte JMP 00000000770202c0 .text C:\Windows\System32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore + 2 0000000076ec0d32 3 bytes {JMP 0x15f590} .text C:\Windows\System32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076ec0d60 5 bytes JMP 0000000077020380 .text C:\Windows\System32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076ec0d70 5 bytes JMP 0000000077020340 .text C:\Windows\System32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076ec1060 5 bytes JMP 0000000077020440 .text C:\Windows\System32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076ec1260 5 bytes JMP 0000000077020260 .text C:\Windows\System32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076ec1270 5 bytes JMP 0000000077020270 .text C:\Windows\System32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076ec1280 5 bytes JMP 0000000077020400 .text C:\Windows\System32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076ec1440 5 bytes JMP 00000000770201f0 .text C:\Windows\System32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076ec1450 5 bytes JMP 0000000077020210 .text C:\Windows\System32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076ec14c0 5 bytes JMP 0000000077020200 .text C:\Windows\System32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076ec1520 5 bytes JMP 0000000077020420 .text C:\Windows\System32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076ec1530 5 bytes JMP 0000000077020430 .text C:\Windows\System32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076ec1540 5 bytes JMP 0000000077020220 .text C:\Windows\System32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076ec1620 5 bytes JMP 0000000077020280 .text C:\Windows\System32\svchost.exe[984] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076daf1bd 1 byte [62] .text C:\Windows\System32\svchost.exe[112] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076ebfe00 5 bytes JMP 0000000077020460 .text C:\Windows\System32\svchost.exe[112] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076ebfe50 5 bytes JMP 0000000077020450 .text C:\Windows\System32\svchost.exe[112] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076ebffb0 5 bytes JMP 0000000077020370 .text C:\Windows\System32\svchost.exe[112] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076ec0000 5 bytes JMP 0000000077020470 .text C:\Windows\System32\svchost.exe[112] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076ec0010 5 bytes JMP 00000000770203e0 .text C:\Windows\System32\svchost.exe[112] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076ec00c0 5 bytes JMP 0000000077020320 .text C:\Windows\System32\svchost.exe[112] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076ec00f0 5 bytes JMP 00000000770203b0 .text C:\Windows\System32\svchost.exe[112] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076ec0110 5 bytes JMP 0000000077020390 .text C:\Windows\System32\svchost.exe[112] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076ec0150 1 byte JMP 00000000770202e0 .text C:\Windows\System32\svchost.exe[112] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent + 2 0000000076ec0152 3 bytes {JMP 0x160190} .text C:\Windows\System32\svchost.exe[112] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076ec01d0 5 bytes JMP 00000000770202d0 .text C:\Windows\System32\svchost.exe[112] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076ec01f0 5 bytes JMP 0000000077020310 .text C:\Windows\System32\svchost.exe[112] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076ec0230 1 byte JMP 00000000770203c0 .text C:\Windows\System32\svchost.exe[112] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread + 2 0000000076ec0232 3 bytes {JMP 0x160190} .text C:\Windows\System32\svchost.exe[112] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076ec0280 5 bytes JMP 00000000770203f0 .text C:\Windows\System32\svchost.exe[112] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076ec03e0 5 bytes JMP 0000000077020230 .text C:\Windows\System32\svchost.exe[112] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076ec05a0 5 bytes JMP 0000000077020480 .text C:\Windows\System32\svchost.exe[112] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076ec05d0 5 bytes JMP 00000000770203a0 .text C:\Windows\System32\svchost.exe[112] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076ec06b0 5 bytes JMP 00000000770202f0 .text C:\Windows\System32\svchost.exe[112] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076ec06c0 1 byte JMP 0000000077020350 .text C:\Windows\System32\svchost.exe[112] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion + 2 0000000076ec06c2 3 bytes {JMP 0x15fc90} .text C:\Windows\System32\svchost.exe[112] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076ec0720 5 bytes JMP 0000000077020290 .text C:\Windows\System32\svchost.exe[112] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076ec07b0 5 bytes JMP 00000000770202b0 .text C:\Windows\System32\svchost.exe[112] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076ec07d0 5 bytes JMP 00000000770203d0 .text C:\Windows\System32\svchost.exe[112] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076ec07e0 5 bytes JMP 0000000077020330 .text C:\Windows\System32\svchost.exe[112] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076ec0850 5 bytes JMP 0000000077020410 .text C:\Windows\System32\svchost.exe[112] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076ec0880 5 bytes JMP 0000000077020240 .text C:\Windows\System32\svchost.exe[112] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076ec0b40 5 bytes JMP 00000000770201e0 .text C:\Windows\System32\svchost.exe[112] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076ec0c00 5 bytes JMP 0000000077020250 .text C:\Windows\System32\svchost.exe[112] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076ec0c30 5 bytes JMP 0000000077020490 .text C:\Windows\System32\svchost.exe[112] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076ec0c40 5 bytes JMP 00000000770204a0 .text C:\Windows\System32\svchost.exe[112] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076ec0c70 1 byte JMP 0000000077020300 .text C:\Windows\System32\svchost.exe[112] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair + 2 0000000076ec0c72 3 bytes {JMP 0x15f690} .text C:\Windows\System32\svchost.exe[112] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076ec0c80 5 bytes JMP 0000000077020360 .text C:\Windows\System32\svchost.exe[112] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076ec0ce0 5 bytes JMP 00000000770202a0 .text C:\Windows\System32\svchost.exe[112] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076ec0d30 1 byte JMP 00000000770202c0 .text C:\Windows\System32\svchost.exe[112] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore + 2 0000000076ec0d32 3 bytes {JMP 0x15f590} .text C:\Windows\System32\svchost.exe[112] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076ec0d60 5 bytes JMP 0000000077020380 .text C:\Windows\System32\svchost.exe[112] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076ec0d70 5 bytes JMP 0000000077020340 .text C:\Windows\System32\svchost.exe[112] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076ec1060 5 bytes JMP 0000000077020440 .text C:\Windows\System32\svchost.exe[112] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076ec1260 5 bytes JMP 0000000077020260 .text C:\Windows\System32\svchost.exe[112] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076ec1270 5 bytes JMP 0000000077020270 .text C:\Windows\System32\svchost.exe[112] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076ec1280 5 bytes JMP 0000000077020400 .text C:\Windows\System32\svchost.exe[112] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076ec1440 5 bytes JMP 00000000770201f0 .text C:\Windows\System32\svchost.exe[112] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076ec1450 5 bytes JMP 0000000077020210 .text C:\Windows\System32\svchost.exe[112] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076ec14c0 5 bytes JMP 0000000077020200 .text C:\Windows\System32\svchost.exe[112] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076ec1520 5 bytes JMP 0000000077020420 .text C:\Windows\System32\svchost.exe[112] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076ec1530 5 bytes JMP 0000000077020430 .text C:\Windows\System32\svchost.exe[112] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076ec1540 5 bytes JMP 0000000077020220 .text C:\Windows\System32\svchost.exe[112] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076ec1620 5 bytes JMP 0000000077020280 .text C:\Windows\System32\svchost.exe[112] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076daf1bd 1 byte [62] .text C:\Windows\system32\svchost.exe[436] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076ebfe00 5 bytes JMP 0000000077020460 .text C:\Windows\system32\svchost.exe[436] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076ebfe50 5 bytes JMP 0000000077020450 .text C:\Windows\system32\svchost.exe[436] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076ebffb0 5 bytes JMP 0000000077020370 .text C:\Windows\system32\svchost.exe[436] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076ec0000 5 bytes JMP 0000000077020470 .text C:\Windows\system32\svchost.exe[436] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076ec0010 5 bytes JMP 00000000770203e0 .text C:\Windows\system32\svchost.exe[436] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076ec00c0 5 bytes JMP 0000000077020320 .text C:\Windows\system32\svchost.exe[436] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076ec00f0 5 bytes JMP 00000000770203b0 .text C:\Windows\system32\svchost.exe[436] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076ec0110 5 bytes JMP 0000000077020390 .text C:\Windows\system32\svchost.exe[436] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076ec0150 1 byte JMP 00000000770202e0 .text C:\Windows\system32\svchost.exe[436] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent + 2 0000000076ec0152 3 bytes {JMP 0x160190} .text C:\Windows\system32\svchost.exe[436] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076ec01d0 5 bytes JMP 00000000770202d0 .text C:\Windows\system32\svchost.exe[436] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076ec01f0 5 bytes JMP 0000000077020310 .text C:\Windows\system32\svchost.exe[436] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076ec0230 1 byte JMP 00000000770203c0 .text C:\Windows\system32\svchost.exe[436] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread + 2 0000000076ec0232 3 bytes {JMP 0x160190} .text C:\Windows\system32\svchost.exe[436] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076ec0280 5 bytes JMP 00000000770203f0 .text C:\Windows\system32\svchost.exe[436] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076ec03e0 5 bytes JMP 0000000077020230 .text C:\Windows\system32\svchost.exe[436] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076ec05a0 5 bytes JMP 0000000077020480 .text C:\Windows\system32\svchost.exe[436] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076ec05d0 5 bytes JMP 00000000770203a0 .text C:\Windows\system32\svchost.exe[436] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076ec06b0 5 bytes JMP 00000000770202f0 .text C:\Windows\system32\svchost.exe[436] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076ec06c0 1 byte JMP 0000000077020350 .text C:\Windows\system32\svchost.exe[436] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion + 2 0000000076ec06c2 3 bytes {JMP 0x15fc90} .text C:\Windows\system32\svchost.exe[436] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076ec0720 5 bytes JMP 0000000077020290 .text C:\Windows\system32\svchost.exe[436] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076ec07b0 5 bytes JMP 00000000770202b0 .text C:\Windows\system32\svchost.exe[436] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076ec07d0 5 bytes JMP 00000000770203d0 .text C:\Windows\system32\svchost.exe[436] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076ec07e0 5 bytes JMP 0000000077020330 .text C:\Windows\system32\svchost.exe[436] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076ec0850 5 bytes JMP 0000000077020410 .text C:\Windows\system32\svchost.exe[436] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076ec0880 5 bytes JMP 0000000077020240 .text C:\Windows\system32\svchost.exe[436] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076ec0b40 5 bytes JMP 00000000770201e0 .text C:\Windows\system32\svchost.exe[436] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076ec0c00 5 bytes JMP 0000000077020250 .text C:\Windows\system32\svchost.exe[436] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076ec0c30 5 bytes JMP 0000000077020490 .text C:\Windows\system32\svchost.exe[436] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076ec0c40 5 bytes JMP 00000000770204a0 .text C:\Windows\system32\svchost.exe[436] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076ec0c70 1 byte JMP 0000000077020300 .text C:\Windows\system32\svchost.exe[436] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair + 2 0000000076ec0c72 3 bytes {JMP 0x15f690} .text C:\Windows\system32\svchost.exe[436] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076ec0c80 5 bytes JMP 0000000077020360 .text C:\Windows\system32\svchost.exe[436] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076ec0ce0 5 bytes JMP 00000000770202a0 .text C:\Windows\system32\svchost.exe[436] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076ec0d30 1 byte JMP 00000000770202c0 .text C:\Windows\system32\svchost.exe[436] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore + 2 0000000076ec0d32 3 bytes {JMP 0x15f590} .text C:\Windows\system32\svchost.exe[436] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076ec0d60 5 bytes JMP 0000000077020380 .text C:\Windows\system32\svchost.exe[436] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076ec0d70 5 bytes JMP 0000000077020340 .text C:\Windows\system32\svchost.exe[436] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076ec1060 5 bytes JMP 0000000077020440 .text C:\Windows\system32\svchost.exe[436] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076ec1260 5 bytes JMP 0000000077020260 .text C:\Windows\system32\svchost.exe[436] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076ec1270 5 bytes JMP 0000000077020270 .text C:\Windows\system32\svchost.exe[436] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076ec1280 5 bytes JMP 0000000077020400 .text C:\Windows\system32\svchost.exe[436] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076ec1440 5 bytes JMP 00000000770201f0 .text C:\Windows\system32\svchost.exe[436] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076ec1450 5 bytes JMP 0000000077020210 .text C:\Windows\system32\svchost.exe[436] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076ec14c0 5 bytes JMP 0000000077020200 .text C:\Windows\system32\svchost.exe[436] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076ec1520 5 bytes JMP 0000000077020420 .text C:\Windows\system32\svchost.exe[436] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076ec1530 5 bytes JMP 0000000077020430 .text C:\Windows\system32\svchost.exe[436] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076ec1540 5 bytes JMP 0000000077020220 .text C:\Windows\system32\svchost.exe[436] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076ec1620 5 bytes JMP 0000000077020280 .text C:\Windows\system32\svchost.exe[436] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076daf1bd 1 byte [62] .text C:\Windows\system32\svchost.exe[348] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076ebfe00 5 bytes JMP 0000000077020460 .text C:\Windows\system32\svchost.exe[348] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076ebfe50 5 bytes JMP 0000000077020450 .text C:\Windows\system32\svchost.exe[348] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076ebffb0 5 bytes JMP 0000000077020370 .text C:\Windows\system32\svchost.exe[348] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076ec0000 5 bytes JMP 0000000077020470 .text C:\Windows\system32\svchost.exe[348] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076ec0010 5 bytes JMP 00000000770203e0 .text C:\Windows\system32\svchost.exe[348] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076ec00c0 5 bytes JMP 0000000077020320 .text C:\Windows\system32\svchost.exe[348] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076ec00f0 5 bytes JMP 00000000770203b0 .text C:\Windows\system32\svchost.exe[348] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076ec0110 5 bytes JMP 0000000077020390 .text C:\Windows\system32\svchost.exe[348] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076ec0150 1 byte JMP 00000000770202e0 .text C:\Windows\system32\svchost.exe[348] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent + 2 0000000076ec0152 3 bytes {JMP 0x160190} .text C:\Windows\system32\svchost.exe[348] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076ec01d0 5 bytes JMP 00000000770202d0 .text C:\Windows\system32\svchost.exe[348] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076ec01f0 5 bytes JMP 0000000077020310 .text C:\Windows\system32\svchost.exe[348] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076ec0230 1 byte JMP 00000000770203c0 .text C:\Windows\system32\svchost.exe[348] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread + 2 0000000076ec0232 3 bytes {JMP 0x160190} .text C:\Windows\system32\svchost.exe[348] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076ec0280 5 bytes JMP 00000000770203f0 .text C:\Windows\system32\svchost.exe[348] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076ec03e0 5 bytes JMP 0000000077020230 .text C:\Windows\system32\svchost.exe[348] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076ec05a0 5 bytes JMP 0000000077020480 .text C:\Windows\system32\svchost.exe[348] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076ec05d0 5 bytes JMP 00000000770203a0 .text C:\Windows\system32\svchost.exe[348] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076ec06b0 5 bytes JMP 00000000770202f0 .text C:\Windows\system32\svchost.exe[348] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076ec06c0 1 byte JMP 0000000077020350 .text C:\Windows\system32\svchost.exe[348] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion + 2 0000000076ec06c2 3 bytes {JMP 0x15fc90} .text C:\Windows\system32\svchost.exe[348] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076ec0720 5 bytes JMP 0000000077020290 .text C:\Windows\system32\svchost.exe[348] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076ec07b0 5 bytes JMP 00000000770202b0 .text C:\Windows\system32\svchost.exe[348] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076ec07d0 5 bytes JMP 00000000770203d0 .text C:\Windows\system32\svchost.exe[348] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076ec07e0 5 bytes JMP 0000000077020330 .text C:\Windows\system32\svchost.exe[348] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076ec0850 5 bytes JMP 0000000077020410 .text C:\Windows\system32\svchost.exe[348] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076ec0880 5 bytes JMP 0000000077020240 .text C:\Windows\system32\svchost.exe[348] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076ec0b40 5 bytes JMP 00000000770201e0 .text C:\Windows\system32\svchost.exe[348] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076ec0c00 5 bytes JMP 0000000077020250 .text C:\Windows\system32\svchost.exe[348] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076ec0c30 5 bytes JMP 0000000077020490 .text C:\Windows\system32\svchost.exe[348] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076ec0c40 5 bytes JMP 00000000770204a0 .text C:\Windows\system32\svchost.exe[348] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076ec0c70 1 byte JMP 0000000077020300 .text C:\Windows\system32\svchost.exe[348] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair + 2 0000000076ec0c72 3 bytes {JMP 0x15f690} .text C:\Windows\system32\svchost.exe[348] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076ec0c80 5 bytes JMP 0000000077020360 .text C:\Windows\system32\svchost.exe[348] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076ec0ce0 5 bytes JMP 00000000770202a0 .text C:\Windows\system32\svchost.exe[348] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076ec0d30 1 byte JMP 00000000770202c0 .text C:\Windows\system32\svchost.exe[348] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore + 2 0000000076ec0d32 3 bytes {JMP 0x15f590} .text C:\Windows\system32\svchost.exe[348] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076ec0d60 5 bytes JMP 0000000077020380 .text C:\Windows\system32\svchost.exe[348] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076ec0d70 5 bytes JMP 0000000077020340 .text C:\Windows\system32\svchost.exe[348] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076ec1060 5 bytes JMP 0000000077020440 .text C:\Windows\system32\svchost.exe[348] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076ec1260 5 bytes JMP 0000000077020260 .text C:\Windows\system32\svchost.exe[348] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076ec1270 5 bytes JMP 0000000077020270 .text C:\Windows\system32\svchost.exe[348] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076ec1280 5 bytes JMP 0000000077020400 .text C:\Windows\system32\svchost.exe[348] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076ec1440 5 bytes JMP 00000000770201f0 .text C:\Windows\system32\svchost.exe[348] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076ec1450 5 bytes JMP 0000000077020210 .text C:\Windows\system32\svchost.exe[348] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076ec14c0 5 bytes JMP 0000000077020200 .text C:\Windows\system32\svchost.exe[348] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076ec1520 5 bytes JMP 0000000077020420 .text C:\Windows\system32\svchost.exe[348] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076ec1530 5 bytes JMP 0000000077020430 .text C:\Windows\system32\svchost.exe[348] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076ec1540 5 bytes JMP 0000000077020220 .text C:\Windows\system32\svchost.exe[348] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076ec1620 5 bytes JMP 0000000077020280 .text C:\Windows\system32\svchost.exe[348] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076daf1bd 1 byte [62] .text C:\Windows\system32\svchost.exe[1108] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076ebfe00 5 bytes JMP 0000000077020460 .text C:\Windows\system32\svchost.exe[1108] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076ebfe50 5 bytes JMP 0000000077020450 .text C:\Windows\system32\svchost.exe[1108] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076ebffb0 5 bytes JMP 0000000077020370 .text C:\Windows\system32\svchost.exe[1108] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076ec0000 5 bytes JMP 0000000077020470 .text C:\Windows\system32\svchost.exe[1108] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076ec0010 5 bytes JMP 00000000770203e0 .text C:\Windows\system32\svchost.exe[1108] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076ec00c0 5 bytes JMP 0000000077020320 .text C:\Windows\system32\svchost.exe[1108] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076ec00f0 5 bytes JMP 00000000770203b0 .text C:\Windows\system32\svchost.exe[1108] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076ec0110 5 bytes JMP 0000000077020390 .text C:\Windows\system32\svchost.exe[1108] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076ec0150 1 byte JMP 00000000770202e0 .text C:\Windows\system32\svchost.exe[1108] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent + 2 0000000076ec0152 3 bytes {JMP 0x160190} .text C:\Windows\system32\svchost.exe[1108] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076ec01d0 5 bytes JMP 00000000770202d0 .text C:\Windows\system32\svchost.exe[1108] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076ec01f0 5 bytes JMP 0000000077020310 .text C:\Windows\system32\svchost.exe[1108] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076ec0230 1 byte JMP 00000000770203c0 .text C:\Windows\system32\svchost.exe[1108] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread + 2 0000000076ec0232 3 bytes {JMP 0x160190} .text C:\Windows\system32\svchost.exe[1108] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076ec0280 5 bytes JMP 00000000770203f0 .text C:\Windows\system32\svchost.exe[1108] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076ec03e0 5 bytes JMP 0000000077020230 .text C:\Windows\system32\svchost.exe[1108] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076ec05a0 5 bytes JMP 0000000077020480 .text C:\Windows\system32\svchost.exe[1108] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076ec05d0 5 bytes JMP 00000000770203a0 .text C:\Windows\system32\svchost.exe[1108] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076ec06b0 5 bytes JMP 00000000770202f0 .text C:\Windows\system32\svchost.exe[1108] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076ec06c0 1 byte JMP 0000000077020350 .text C:\Windows\system32\svchost.exe[1108] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion + 2 0000000076ec06c2 3 bytes {JMP 0x15fc90} .text C:\Windows\system32\svchost.exe[1108] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076ec0720 5 bytes JMP 0000000077020290 .text C:\Windows\system32\svchost.exe[1108] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076ec07b0 5 bytes JMP 00000000770202b0 .text C:\Windows\system32\svchost.exe[1108] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076ec07d0 5 bytes JMP 00000000770203d0 .text C:\Windows\system32\svchost.exe[1108] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076ec07e0 5 bytes JMP 0000000077020330 .text C:\Windows\system32\svchost.exe[1108] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076ec0850 5 bytes JMP 0000000077020410 .text C:\Windows\system32\svchost.exe[1108] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076ec0880 5 bytes JMP 0000000077020240 .text C:\Windows\system32\svchost.exe[1108] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076ec0b40 5 bytes JMP 00000000770201e0 .text C:\Windows\system32\svchost.exe[1108] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076ec0c00 5 bytes JMP 0000000077020250 .text C:\Windows\system32\svchost.exe[1108] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076ec0c30 5 bytes JMP 0000000077020490 .text C:\Windows\system32\svchost.exe[1108] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076ec0c40 5 bytes JMP 00000000770204a0 .text C:\Windows\system32\svchost.exe[1108] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076ec0c70 1 byte JMP 0000000077020300 .text C:\Windows\system32\svchost.exe[1108] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair + 2 0000000076ec0c72 3 bytes {JMP 0x15f690} .text C:\Windows\system32\svchost.exe[1108] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076ec0c80 5 bytes JMP 0000000077020360 .text C:\Windows\system32\svchost.exe[1108] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076ec0ce0 5 bytes JMP 00000000770202a0 .text C:\Windows\system32\svchost.exe[1108] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076ec0d30 1 byte JMP 00000000770202c0 .text C:\Windows\system32\svchost.exe[1108] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore + 2 0000000076ec0d32 3 bytes {JMP 0x15f590} .text C:\Windows\system32\svchost.exe[1108] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076ec0d60 5 bytes JMP 0000000077020380 .text C:\Windows\system32\svchost.exe[1108] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076ec0d70 5 bytes JMP 0000000077020340 .text C:\Windows\system32\svchost.exe[1108] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076ec1060 5 bytes JMP 0000000077020440 .text C:\Windows\system32\svchost.exe[1108] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076ec1260 5 bytes JMP 0000000077020260 .text C:\Windows\system32\svchost.exe[1108] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076ec1270 5 bytes JMP 0000000077020270 .text C:\Windows\system32\svchost.exe[1108] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076ec1280 5 bytes JMP 0000000077020400 .text C:\Windows\system32\svchost.exe[1108] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076ec1440 5 bytes JMP 00000000770201f0 .text C:\Windows\system32\svchost.exe[1108] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076ec1450 5 bytes JMP 0000000077020210 .text C:\Windows\system32\svchost.exe[1108] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076ec14c0 5 bytes JMP 0000000077020200 .text C:\Windows\system32\svchost.exe[1108] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076ec1520 5 bytes JMP 0000000077020420 .text C:\Windows\system32\svchost.exe[1108] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076ec1530 5 bytes JMP 0000000077020430 .text C:\Windows\system32\svchost.exe[1108] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076ec1540 5 bytes JMP 0000000077020220 .text C:\Windows\system32\svchost.exe[1108] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076ec1620 5 bytes JMP 0000000077020280 .text C:\Windows\system32\svchost.exe[1108] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076daf1bd 1 byte [62] .text C:\Windows\system32\WLANExt.exe[1208] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076ebfe00 5 bytes JMP 0000000077020460 .text C:\Windows\system32\WLANExt.exe[1208] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076ebfe50 5 bytes JMP 0000000077020450 .text C:\Windows\system32\WLANExt.exe[1208] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076ebffb0 5 bytes JMP 0000000077020370 .text C:\Windows\system32\WLANExt.exe[1208] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076ec0000 5 bytes JMP 0000000077020470 .text C:\Windows\system32\WLANExt.exe[1208] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076ec0010 5 bytes JMP 00000000770203e0 .text C:\Windows\system32\WLANExt.exe[1208] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076ec00c0 5 bytes JMP 0000000077020320 .text C:\Windows\system32\WLANExt.exe[1208] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076ec00f0 5 bytes JMP 00000000770203b0 .text C:\Windows\system32\WLANExt.exe[1208] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076ec0110 5 bytes JMP 0000000077020390 .text C:\Windows\system32\WLANExt.exe[1208] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076ec0150 1 byte JMP 00000000770202e0 .text C:\Windows\system32\WLANExt.exe[1208] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent + 2 0000000076ec0152 3 bytes {JMP 0x160190} .text C:\Windows\system32\WLANExt.exe[1208] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076ec01d0 5 bytes JMP 00000000770202d0 .text C:\Windows\system32\WLANExt.exe[1208] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076ec01f0 5 bytes JMP 0000000077020310 .text C:\Windows\system32\WLANExt.exe[1208] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076ec0230 1 byte JMP 00000000770203c0 .text C:\Windows\system32\WLANExt.exe[1208] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread + 2 0000000076ec0232 3 bytes {JMP 0x160190} .text C:\Windows\system32\WLANExt.exe[1208] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076ec0280 5 bytes JMP 00000000770203f0 .text C:\Windows\system32\WLANExt.exe[1208] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076ec03e0 5 bytes JMP 0000000077020230 .text C:\Windows\system32\WLANExt.exe[1208] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076ec05a0 5 bytes JMP 0000000077020480 .text C:\Windows\system32\WLANExt.exe[1208] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076ec05d0 5 bytes JMP 00000000770203a0 .text C:\Windows\system32\WLANExt.exe[1208] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076ec06b0 5 bytes JMP 00000000770202f0 .text C:\Windows\system32\WLANExt.exe[1208] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076ec06c0 1 byte JMP 0000000077020350 .text C:\Windows\system32\WLANExt.exe[1208] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion + 2 0000000076ec06c2 3 bytes {JMP 0x15fc90} .text C:\Windows\system32\WLANExt.exe[1208] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076ec0720 5 bytes JMP 0000000077020290 .text C:\Windows\system32\WLANExt.exe[1208] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076ec07b0 5 bytes JMP 00000000770202b0 .text C:\Windows\system32\WLANExt.exe[1208] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076ec07d0 5 bytes JMP 00000000770203d0 .text C:\Windows\system32\WLANExt.exe[1208] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076ec07e0 5 bytes JMP 0000000077020330 .text C:\Windows\system32\WLANExt.exe[1208] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076ec0850 5 bytes JMP 0000000077020410 .text C:\Windows\system32\WLANExt.exe[1208] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076ec0880 5 bytes JMP 0000000077020240 .text C:\Windows\system32\WLANExt.exe[1208] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076ec0b40 5 bytes JMP 00000000770201e0 .text C:\Windows\system32\WLANExt.exe[1208] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076ec0c00 5 bytes JMP 0000000077020250 .text C:\Windows\system32\WLANExt.exe[1208] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076ec0c30 5 bytes JMP 0000000077020490 .text C:\Windows\system32\WLANExt.exe[1208] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076ec0c40 5 bytes JMP 00000000770204a0 .text C:\Windows\system32\WLANExt.exe[1208] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076ec0c70 1 byte JMP 0000000077020300 .text C:\Windows\system32\WLANExt.exe[1208] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair + 2 0000000076ec0c72 3 bytes {JMP 0x15f690} .text C:\Windows\system32\WLANExt.exe[1208] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076ec0c80 5 bytes JMP 0000000077020360 .text C:\Windows\system32\WLANExt.exe[1208] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076ec0ce0 5 bytes JMP 00000000770202a0 .text C:\Windows\system32\WLANExt.exe[1208] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076ec0d30 1 byte JMP 00000000770202c0 .text C:\Windows\system32\WLANExt.exe[1208] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore + 2 0000000076ec0d32 3 bytes {JMP 0x15f590} .text C:\Windows\system32\WLANExt.exe[1208] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076ec0d60 5 bytes JMP 0000000077020380 .text C:\Windows\system32\WLANExt.exe[1208] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076ec0d70 5 bytes JMP 0000000077020340 .text C:\Windows\system32\WLANExt.exe[1208] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076ec1060 5 bytes JMP 0000000077020440 .text C:\Windows\system32\WLANExt.exe[1208] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076ec1260 5 bytes JMP 0000000077020260 .text C:\Windows\system32\WLANExt.exe[1208] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076ec1270 5 bytes JMP 0000000077020270 .text C:\Windows\system32\WLANExt.exe[1208] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076ec1280 5 bytes JMP 0000000077020400 .text C:\Windows\system32\WLANExt.exe[1208] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076ec1440 5 bytes JMP 00000000770201f0 .text C:\Windows\system32\WLANExt.exe[1208] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076ec1450 5 bytes JMP 0000000077020210 .text C:\Windows\system32\WLANExt.exe[1208] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076ec14c0 5 bytes JMP 0000000077020200 .text C:\Windows\system32\WLANExt.exe[1208] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076ec1520 5 bytes JMP 0000000077020420 .text C:\Windows\system32\WLANExt.exe[1208] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076ec1530 5 bytes JMP 0000000077020430 .text C:\Windows\system32\WLANExt.exe[1208] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076ec1540 5 bytes JMP 0000000077020220 .text C:\Windows\system32\WLANExt.exe[1208] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076ec1620 5 bytes JMP 0000000077020280 .text C:\Windows\system32\atieclxx.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076ebfe00 5 bytes JMP 0000000077020460 .text C:\Windows\system32\atieclxx.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076ebfe50 5 bytes JMP 0000000077020450 .text C:\Windows\system32\atieclxx.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076ebffb0 5 bytes JMP 0000000077020370 .text C:\Windows\system32\atieclxx.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076ec0000 5 bytes JMP 0000000077020470 .text C:\Windows\system32\atieclxx.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076ec0010 5 bytes JMP 00000000770203e0 .text C:\Windows\system32\atieclxx.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076ec00c0 5 bytes JMP 0000000077020320 .text C:\Windows\system32\atieclxx.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076ec00f0 5 bytes JMP 00000000770203b0 .text C:\Windows\system32\atieclxx.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076ec0110 5 bytes JMP 0000000077020390 .text C:\Windows\system32\atieclxx.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076ec0150 1 byte JMP 00000000770202e0 .text C:\Windows\system32\atieclxx.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent + 2 0000000076ec0152 3 bytes {JMP 0x160190} .text C:\Windows\system32\atieclxx.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076ec01d0 5 bytes JMP 00000000770202d0 .text C:\Windows\system32\atieclxx.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076ec01f0 5 bytes JMP 0000000077020310 .text C:\Windows\system32\atieclxx.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076ec0230 1 byte JMP 00000000770203c0 .text C:\Windows\system32\atieclxx.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread + 2 0000000076ec0232 3 bytes {JMP 0x160190} .text C:\Windows\system32\atieclxx.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076ec0280 5 bytes JMP 00000000770203f0 .text C:\Windows\system32\atieclxx.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076ec03e0 5 bytes JMP 0000000077020230 .text C:\Windows\system32\atieclxx.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076ec05a0 5 bytes JMP 0000000077020480 .text C:\Windows\system32\atieclxx.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076ec05d0 5 bytes JMP 00000000770203a0 .text C:\Windows\system32\atieclxx.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076ec06b0 5 bytes JMP 00000000770202f0 .text C:\Windows\system32\atieclxx.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076ec06c0 1 byte JMP 0000000077020350 .text C:\Windows\system32\atieclxx.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion + 2 0000000076ec06c2 3 bytes {JMP 0x15fc90} .text C:\Windows\system32\atieclxx.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076ec0720 5 bytes JMP 0000000077020290 .text C:\Windows\system32\atieclxx.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076ec07b0 5 bytes JMP 00000000770202b0 .text C:\Windows\system32\atieclxx.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076ec07d0 5 bytes JMP 00000000770203d0 .text C:\Windows\system32\atieclxx.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076ec07e0 5 bytes JMP 0000000077020330 .text C:\Windows\system32\atieclxx.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076ec0850 5 bytes JMP 0000000077020410 .text C:\Windows\system32\atieclxx.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076ec0880 5 bytes JMP 0000000077020240 .text C:\Windows\system32\atieclxx.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076ec0b40 5 bytes JMP 00000000770201e0 .text C:\Windows\system32\atieclxx.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076ec0c00 5 bytes JMP 0000000077020250 .text C:\Windows\system32\atieclxx.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076ec0c30 5 bytes JMP 0000000077020490 .text C:\Windows\system32\atieclxx.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076ec0c40 5 bytes JMP 00000000770204a0 .text C:\Windows\system32\atieclxx.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076ec0c70 1 byte JMP 0000000077020300 .text C:\Windows\system32\atieclxx.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair + 2 0000000076ec0c72 3 bytes {JMP 0x15f690} .text C:\Windows\system32\atieclxx.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076ec0c80 5 bytes JMP 0000000077020360 .text C:\Windows\system32\atieclxx.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076ec0ce0 5 bytes JMP 00000000770202a0 .text C:\Windows\system32\atieclxx.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076ec0d30 1 byte JMP 00000000770202c0 .text C:\Windows\system32\atieclxx.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore + 2 0000000076ec0d32 3 bytes {JMP 0x15f590} .text C:\Windows\system32\atieclxx.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076ec0d60 5 bytes JMP 0000000077020380 .text C:\Windows\system32\atieclxx.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076ec0d70 5 bytes JMP 0000000077020340 .text C:\Windows\system32\atieclxx.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076ec1060 5 bytes JMP 0000000077020440 .text C:\Windows\system32\atieclxx.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076ec1260 5 bytes JMP 0000000077020260 .text C:\Windows\system32\atieclxx.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076ec1270 5 bytes JMP 0000000077020270 .text C:\Windows\system32\atieclxx.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076ec1280 5 bytes JMP 0000000077020400 .text C:\Windows\system32\atieclxx.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076ec1440 5 bytes JMP 00000000770201f0 .text C:\Windows\system32\atieclxx.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076ec1450 5 bytes JMP 0000000077020210 .text C:\Windows\system32\atieclxx.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076ec14c0 5 bytes JMP 0000000077020200 .text C:\Windows\system32\atieclxx.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076ec1520 5 bytes JMP 0000000077020420 .text C:\Windows\system32\atieclxx.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076ec1530 5 bytes JMP 0000000077020430 .text C:\Windows\system32\atieclxx.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076ec1540 5 bytes JMP 0000000077020220 .text C:\Windows\system32\atieclxx.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076ec1620 5 bytes JMP 0000000077020280 .text C:\Windows\system32\atieclxx.exe[1268] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076daf1bd 1 byte [62] .text C:\Windows\System32\spoolsv.exe[1492] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076ebfe00 5 bytes JMP 0000000077020460 .text C:\Windows\System32\spoolsv.exe[1492] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076ebfe50 5 bytes JMP 0000000077020450 .text C:\Windows\System32\spoolsv.exe[1492] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076ebffb0 5 bytes JMP 0000000077020370 .text C:\Windows\System32\spoolsv.exe[1492] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076ec0000 5 bytes JMP 0000000077020470 .text C:\Windows\System32\spoolsv.exe[1492] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076ec0010 5 bytes JMP 00000000770203e0 .text C:\Windows\System32\spoolsv.exe[1492] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076ec00c0 5 bytes JMP 0000000077020320 .text C:\Windows\System32\spoolsv.exe[1492] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076ec00f0 5 bytes JMP 00000000770203b0 .text C:\Windows\System32\spoolsv.exe[1492] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076ec0110 5 bytes JMP 0000000077020390 .text C:\Windows\System32\spoolsv.exe[1492] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076ec0150 1 byte JMP 00000000770202e0 .text C:\Windows\System32\spoolsv.exe[1492] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent + 2 0000000076ec0152 3 bytes {JMP 0x160190} .text C:\Windows\System32\spoolsv.exe[1492] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076ec01d0 5 bytes JMP 00000000770202d0 .text C:\Windows\System32\spoolsv.exe[1492] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076ec01f0 5 bytes JMP 0000000077020310 .text C:\Windows\System32\spoolsv.exe[1492] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076ec0230 1 byte JMP 00000000770203c0 .text C:\Windows\System32\spoolsv.exe[1492] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread + 2 0000000076ec0232 3 bytes {JMP 0x160190} .text C:\Windows\System32\spoolsv.exe[1492] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076ec0280 5 bytes JMP 00000000770203f0 .text C:\Windows\System32\spoolsv.exe[1492] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076ec03e0 5 bytes JMP 0000000077020230 .text C:\Windows\System32\spoolsv.exe[1492] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076ec05a0 5 bytes JMP 0000000077020480 .text C:\Windows\System32\spoolsv.exe[1492] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076ec05d0 5 bytes JMP 00000000770203a0 .text C:\Windows\System32\spoolsv.exe[1492] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076ec06b0 5 bytes JMP 00000000770202f0 .text C:\Windows\System32\spoolsv.exe[1492] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076ec06c0 1 byte JMP 0000000077020350 .text C:\Windows\System32\spoolsv.exe[1492] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion + 2 0000000076ec06c2 3 bytes {JMP 0x15fc90} .text C:\Windows\System32\spoolsv.exe[1492] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076ec0720 5 bytes JMP 0000000077020290 .text C:\Windows\System32\spoolsv.exe[1492] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076ec07b0 5 bytes JMP 00000000770202b0 .text C:\Windows\System32\spoolsv.exe[1492] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076ec07d0 5 bytes JMP 00000000770203d0 .text C:\Windows\System32\spoolsv.exe[1492] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076ec07e0 5 bytes JMP 0000000077020330 .text C:\Windows\System32\spoolsv.exe[1492] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076ec0850 5 bytes JMP 0000000077020410 .text C:\Windows\System32\spoolsv.exe[1492] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076ec0880 5 bytes JMP 0000000077020240 .text C:\Windows\System32\spoolsv.exe[1492] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076ec0b40 5 bytes JMP 00000000770201e0 .text C:\Windows\System32\spoolsv.exe[1492] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076ec0c00 5 bytes JMP 0000000077020250 .text C:\Windows\System32\spoolsv.exe[1492] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076ec0c30 5 bytes JMP 0000000077020490 .text C:\Windows\System32\spoolsv.exe[1492] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076ec0c40 5 bytes JMP 00000000770204a0 .text C:\Windows\System32\spoolsv.exe[1492] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076ec0c70 1 byte JMP 0000000077020300 .text C:\Windows\System32\spoolsv.exe[1492] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair + 2 0000000076ec0c72 3 bytes {JMP 0x15f690} .text C:\Windows\System32\spoolsv.exe[1492] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076ec0c80 5 bytes JMP 0000000077020360 .text C:\Windows\System32\spoolsv.exe[1492] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076ec0ce0 5 bytes JMP 00000000770202a0 .text C:\Windows\System32\spoolsv.exe[1492] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076ec0d30 1 byte JMP 00000000770202c0 .text C:\Windows\System32\spoolsv.exe[1492] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore + 2 0000000076ec0d32 3 bytes {JMP 0x15f590} .text C:\Windows\System32\spoolsv.exe[1492] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076ec0d60 5 bytes JMP 0000000077020380 .text C:\Windows\System32\spoolsv.exe[1492] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076ec0d70 5 bytes JMP 0000000077020340 .text C:\Windows\System32\spoolsv.exe[1492] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076ec1060 5 bytes JMP 0000000077020440 .text C:\Windows\System32\spoolsv.exe[1492] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076ec1260 5 bytes JMP 0000000077020260 .text C:\Windows\System32\spoolsv.exe[1492] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076ec1270 5 bytes JMP 0000000077020270 .text C:\Windows\System32\spoolsv.exe[1492] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076ec1280 5 bytes JMP 0000000077020400 .text C:\Windows\System32\spoolsv.exe[1492] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076ec1440 5 bytes JMP 00000000770201f0 .text C:\Windows\System32\spoolsv.exe[1492] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076ec1450 5 bytes JMP 0000000077020210 .text C:\Windows\System32\spoolsv.exe[1492] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076ec14c0 5 bytes JMP 0000000077020200 .text C:\Windows\System32\spoolsv.exe[1492] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076ec1520 5 bytes JMP 0000000077020420 .text C:\Windows\System32\spoolsv.exe[1492] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076ec1530 5 bytes JMP 0000000077020430 .text C:\Windows\System32\spoolsv.exe[1492] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076ec1540 5 bytes JMP 0000000077020220 .text C:\Windows\System32\spoolsv.exe[1492] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076ec1620 5 bytes JMP 0000000077020280 .text C:\Windows\System32\spoolsv.exe[1492] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076daf1bd 1 byte [62] .text C:\Windows\system32\taskhost.exe[1604] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076ebfe00 5 bytes JMP 0000000077020460 .text C:\Windows\system32\taskhost.exe[1604] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076ebfe50 5 bytes JMP 0000000077020450 .text C:\Windows\system32\taskhost.exe[1604] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076ebffb0 5 bytes JMP 0000000077020370 .text C:\Windows\system32\taskhost.exe[1604] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076ec0000 5 bytes JMP 0000000077020470 .text C:\Windows\system32\taskhost.exe[1604] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076ec0010 5 bytes JMP 00000000770203e0 .text C:\Windows\system32\taskhost.exe[1604] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076ec00c0 5 bytes JMP 0000000077020320 .text C:\Windows\system32\taskhost.exe[1604] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076ec00f0 5 bytes JMP 00000000770203b0 .text C:\Windows\system32\taskhost.exe[1604] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076ec0110 5 bytes JMP 0000000077020390 .text C:\Windows\system32\taskhost.exe[1604] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076ec0150 1 byte JMP 00000000770202e0 .text C:\Windows\system32\taskhost.exe[1604] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent + 2 0000000076ec0152 3 bytes {JMP 0x160190} .text C:\Windows\system32\taskhost.exe[1604] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076ec01d0 5 bytes JMP 00000000770202d0 .text C:\Windows\system32\taskhost.exe[1604] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076ec01f0 5 bytes JMP 0000000077020310 .text C:\Windows\system32\taskhost.exe[1604] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076ec0230 1 byte JMP 00000000770203c0 .text C:\Windows\system32\taskhost.exe[1604] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread + 2 0000000076ec0232 3 bytes {JMP 0x160190} .text C:\Windows\system32\taskhost.exe[1604] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076ec0280 5 bytes JMP 00000000770203f0 .text C:\Windows\system32\taskhost.exe[1604] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076ec03e0 5 bytes JMP 0000000077020230 .text C:\Windows\system32\taskhost.exe[1604] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076ec05a0 5 bytes JMP 0000000077020480 .text C:\Windows\system32\taskhost.exe[1604] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076ec05d0 5 bytes JMP 00000000770203a0 .text C:\Windows\system32\taskhost.exe[1604] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076ec06b0 5 bytes JMP 00000000770202f0 .text C:\Windows\system32\taskhost.exe[1604] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076ec06c0 1 byte JMP 0000000077020350 .text C:\Windows\system32\taskhost.exe[1604] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion + 2 0000000076ec06c2 3 bytes {JMP 0x15fc90} .text C:\Windows\system32\taskhost.exe[1604] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076ec0720 5 bytes JMP 0000000077020290 .text C:\Windows\system32\taskhost.exe[1604] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076ec07b0 5 bytes JMP 00000000770202b0 .text C:\Windows\system32\taskhost.exe[1604] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076ec07d0 5 bytes JMP 00000000770203d0 .text C:\Windows\system32\taskhost.exe[1604] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076ec07e0 5 bytes JMP 0000000077020330 .text C:\Windows\system32\taskhost.exe[1604] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076ec0850 5 bytes JMP 0000000077020410 .text C:\Windows\system32\taskhost.exe[1604] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076ec0880 5 bytes JMP 0000000077020240 .text C:\Windows\system32\taskhost.exe[1604] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076ec0b40 5 bytes JMP 00000000770201e0 .text C:\Windows\system32\taskhost.exe[1604] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076ec0c00 5 bytes JMP 0000000077020250 .text C:\Windows\system32\taskhost.exe[1604] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076ec0c30 5 bytes JMP 0000000077020490 .text C:\Windows\system32\taskhost.exe[1604] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076ec0c40 5 bytes JMP 00000000770204a0 .text C:\Windows\system32\taskhost.exe[1604] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076ec0c70 1 byte JMP 0000000077020300 .text C:\Windows\system32\taskhost.exe[1604] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair + 2 0000000076ec0c72 3 bytes {JMP 0x15f690} .text C:\Windows\system32\taskhost.exe[1604] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076ec0c80 5 bytes JMP 0000000077020360 .text C:\Windows\system32\taskhost.exe[1604] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076ec0ce0 5 bytes JMP 00000000770202a0 .text C:\Windows\system32\taskhost.exe[1604] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076ec0d30 1 byte JMP 00000000770202c0 .text C:\Windows\system32\taskhost.exe[1604] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore + 2 0000000076ec0d32 3 bytes {JMP 0x15f590} .text C:\Windows\system32\taskhost.exe[1604] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076ec0d60 5 bytes JMP 0000000077020380 .text C:\Windows\system32\taskhost.exe[1604] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076ec0d70 5 bytes JMP 0000000077020340 .text C:\Windows\system32\taskhost.exe[1604] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076ec1060 5 bytes JMP 0000000077020440 .text C:\Windows\system32\taskhost.exe[1604] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076ec1260 5 bytes JMP 0000000077020260 .text C:\Windows\system32\taskhost.exe[1604] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076ec1270 5 bytes JMP 0000000077020270 .text C:\Windows\system32\taskhost.exe[1604] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076ec1280 5 bytes JMP 0000000077020400 .text C:\Windows\system32\taskhost.exe[1604] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076ec1440 5 bytes JMP 00000000770201f0 .text C:\Windows\system32\taskhost.exe[1604] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076ec1450 5 bytes JMP 0000000077020210 .text C:\Windows\system32\taskhost.exe[1604] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076ec14c0 5 bytes JMP 0000000077020200 .text C:\Windows\system32\taskhost.exe[1604] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076ec1520 5 bytes JMP 0000000077020420 .text C:\Windows\system32\taskhost.exe[1604] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076ec1530 5 bytes JMP 0000000077020430 .text C:\Windows\system32\taskhost.exe[1604] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076ec1540 5 bytes JMP 0000000077020220 .text C:\Windows\system32\taskhost.exe[1604] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076ec1620 5 bytes JMP 0000000077020280 .text C:\Windows\system32\taskhost.exe[1604] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076daf1bd 1 byte [62] .text C:\Windows\system32\Dwm.exe[1668] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076ebfe00 5 bytes JMP 0000000077020460 .text C:\Windows\system32\Dwm.exe[1668] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076ebfe50 5 bytes JMP 0000000077020450 .text C:\Windows\system32\Dwm.exe[1668] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076ebffb0 5 bytes JMP 0000000077020370 .text C:\Windows\system32\Dwm.exe[1668] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076ec0000 5 bytes JMP 0000000077020470 .text C:\Windows\system32\Dwm.exe[1668] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076ec0010 5 bytes JMP 00000000770203e0 .text C:\Windows\system32\Dwm.exe[1668] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076ec00c0 5 bytes JMP 0000000077020320 .text C:\Windows\system32\Dwm.exe[1668] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076ec00f0 5 bytes JMP 00000000770203b0 .text C:\Windows\system32\Dwm.exe[1668] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076ec0110 5 bytes JMP 0000000077020390 .text C:\Windows\system32\Dwm.exe[1668] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076ec0150 1 byte JMP 00000000770202e0 .text C:\Windows\system32\Dwm.exe[1668] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent + 2 0000000076ec0152 3 bytes {JMP 0x160190} .text C:\Windows\system32\Dwm.exe[1668] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076ec01d0 5 bytes JMP 00000000770202d0 .text C:\Windows\system32\Dwm.exe[1668] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076ec01f0 5 bytes JMP 0000000077020310 .text C:\Windows\system32\Dwm.exe[1668] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076ec0230 1 byte JMP 00000000770203c0 .text C:\Windows\system32\Dwm.exe[1668] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread + 2 0000000076ec0232 3 bytes {JMP 0x160190} .text C:\Windows\system32\Dwm.exe[1668] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076ec0280 5 bytes JMP 00000000770203f0 .text C:\Windows\system32\Dwm.exe[1668] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076ec03e0 5 bytes JMP 0000000077020230 .text C:\Windows\system32\Dwm.exe[1668] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076ec05a0 5 bytes JMP 0000000077020480 .text C:\Windows\system32\Dwm.exe[1668] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076ec05d0 5 bytes JMP 00000000770203a0 .text C:\Windows\system32\Dwm.exe[1668] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076ec06b0 5 bytes JMP 00000000770202f0 .text C:\Windows\system32\Dwm.exe[1668] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076ec06c0 1 byte JMP 0000000077020350 .text C:\Windows\system32\Dwm.exe[1668] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion + 2 0000000076ec06c2 3 bytes {JMP 0x15fc90} .text C:\Windows\system32\Dwm.exe[1668] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076ec0720 5 bytes JMP 0000000077020290 .text C:\Windows\system32\Dwm.exe[1668] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076ec07b0 5 bytes JMP 00000000770202b0 .text C:\Windows\system32\Dwm.exe[1668] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076ec07d0 5 bytes JMP 00000000770203d0 .text C:\Windows\system32\Dwm.exe[1668] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076ec07e0 5 bytes JMP 0000000077020330 .text C:\Windows\system32\Dwm.exe[1668] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076ec0850 5 bytes JMP 0000000077020410 .text C:\Windows\system32\Dwm.exe[1668] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076ec0880 5 bytes JMP 0000000077020240 .text C:\Windows\system32\Dwm.exe[1668] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076ec0b40 5 bytes JMP 00000000770201e0 .text C:\Windows\system32\Dwm.exe[1668] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076ec0c00 5 bytes JMP 0000000077020250 .text C:\Windows\system32\Dwm.exe[1668] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076ec0c30 5 bytes JMP 0000000077020490 .text C:\Windows\system32\Dwm.exe[1668] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076ec0c40 5 bytes JMP 00000000770204a0 .text C:\Windows\system32\Dwm.exe[1668] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076ec0c70 1 byte JMP 0000000077020300 .text C:\Windows\system32\Dwm.exe[1668] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair + 2 0000000076ec0c72 3 bytes {JMP 0x15f690} .text C:\Windows\system32\Dwm.exe[1668] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076ec0c80 5 bytes JMP 0000000077020360 .text C:\Windows\system32\Dwm.exe[1668] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076ec0ce0 5 bytes JMP 00000000770202a0 .text C:\Windows\system32\Dwm.exe[1668] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076ec0d30 1 byte JMP 00000000770202c0 .text C:\Windows\system32\Dwm.exe[1668] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore + 2 0000000076ec0d32 3 bytes {JMP 0x15f590} .text C:\Windows\system32\Dwm.exe[1668] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076ec0d60 5 bytes JMP 0000000077020380 .text C:\Windows\system32\Dwm.exe[1668] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076ec0d70 5 bytes JMP 0000000077020340 .text C:\Windows\system32\Dwm.exe[1668] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076ec1060 5 bytes JMP 0000000077020440 .text C:\Windows\system32\Dwm.exe[1668] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076ec1260 5 bytes JMP 0000000077020260 .text C:\Windows\system32\Dwm.exe[1668] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076ec1270 5 bytes JMP 0000000077020270 .text C:\Windows\system32\Dwm.exe[1668] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076ec1280 5 bytes JMP 0000000077020400 .text C:\Windows\system32\Dwm.exe[1668] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076ec1440 5 bytes JMP 00000000770201f0 .text C:\Windows\system32\Dwm.exe[1668] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076ec1450 5 bytes JMP 0000000077020210 .text C:\Windows\system32\Dwm.exe[1668] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076ec14c0 5 bytes JMP 0000000077020200 .text C:\Windows\system32\Dwm.exe[1668] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076ec1520 5 bytes JMP 0000000077020420 .text C:\Windows\system32\Dwm.exe[1668] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076ec1530 5 bytes JMP 0000000077020430 .text C:\Windows\system32\Dwm.exe[1668] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076ec1540 5 bytes JMP 0000000077020220 .text C:\Windows\system32\Dwm.exe[1668] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076ec1620 5 bytes JMP 0000000077020280 .text C:\Windows\Explorer.EXE[1692] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076ebfe00 5 bytes JMP 0000000077020460 .text C:\Windows\Explorer.EXE[1692] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076ebfe50 5 bytes JMP 0000000077020450 .text C:\Windows\Explorer.EXE[1692] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076ebffb0 5 bytes JMP 0000000077020370 .text C:\Windows\Explorer.EXE[1692] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076ec0000 5 bytes JMP 0000000077020470 .text C:\Windows\Explorer.EXE[1692] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076ec0010 5 bytes JMP 00000000770203e0 .text C:\Windows\Explorer.EXE[1692] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076ec00c0 5 bytes JMP 0000000077020320 .text C:\Windows\Explorer.EXE[1692] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076ec00f0 5 bytes JMP 00000000770203b0 .text C:\Windows\Explorer.EXE[1692] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076ec0110 5 bytes JMP 0000000077020390 .text C:\Windows\Explorer.EXE[1692] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076ec0150 1 byte JMP 00000000770202e0 .text C:\Windows\Explorer.EXE[1692] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent + 2 0000000076ec0152 3 bytes {JMP 0x160190} .text C:\Windows\Explorer.EXE[1692] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076ec01d0 5 bytes JMP 00000000770202d0 .text C:\Windows\Explorer.EXE[1692] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076ec01f0 5 bytes JMP 0000000077020310 .text C:\Windows\Explorer.EXE[1692] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076ec0230 1 byte JMP 00000000770203c0 .text C:\Windows\Explorer.EXE[1692] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread + 2 0000000076ec0232 3 bytes {JMP 0x160190} .text C:\Windows\Explorer.EXE[1692] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076ec0280 5 bytes JMP 00000000770203f0 .text C:\Windows\Explorer.EXE[1692] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076ec03e0 5 bytes JMP 0000000077020230 .text C:\Windows\Explorer.EXE[1692] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076ec05a0 5 bytes JMP 0000000077020480 .text C:\Windows\Explorer.EXE[1692] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076ec05d0 5 bytes JMP 00000000770203a0 .text C:\Windows\Explorer.EXE[1692] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076ec06b0 5 bytes JMP 00000000770202f0 .text C:\Windows\Explorer.EXE[1692] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076ec06c0 1 byte JMP 0000000077020350 .text C:\Windows\Explorer.EXE[1692] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion + 2 0000000076ec06c2 3 bytes {JMP 0x15fc90} .text C:\Windows\Explorer.EXE[1692] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076ec0720 5 bytes JMP 0000000077020290 .text C:\Windows\Explorer.EXE[1692] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076ec07b0 5 bytes JMP 00000000770202b0 .text C:\Windows\Explorer.EXE[1692] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076ec07d0 5 bytes JMP 00000000770203d0 .text C:\Windows\Explorer.EXE[1692] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076ec07e0 5 bytes JMP 0000000077020330 .text C:\Windows\Explorer.EXE[1692] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076ec0850 5 bytes JMP 0000000077020410 .text C:\Windows\Explorer.EXE[1692] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076ec0880 5 bytes JMP 0000000077020240 .text C:\Windows\Explorer.EXE[1692] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076ec0b40 5 bytes JMP 00000000770201e0 .text C:\Windows\Explorer.EXE[1692] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076ec0c00 5 bytes JMP 0000000077020250 .text C:\Windows\Explorer.EXE[1692] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076ec0c30 5 bytes JMP 0000000077020490 .text C:\Windows\Explorer.EXE[1692] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076ec0c40 5 bytes JMP 00000000770204a0 .text C:\Windows\Explorer.EXE[1692] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076ec0c70 1 byte JMP 0000000077020300 .text C:\Windows\Explorer.EXE[1692] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair + 2 0000000076ec0c72 3 bytes {JMP 0x15f690} .text C:\Windows\Explorer.EXE[1692] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076ec0c80 5 bytes JMP 0000000077020360 .text C:\Windows\Explorer.EXE[1692] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076ec0ce0 5 bytes JMP 00000000770202a0 .text C:\Windows\Explorer.EXE[1692] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076ec0d30 1 byte JMP 00000000770202c0 .text C:\Windows\Explorer.EXE[1692] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore + 2 0000000076ec0d32 3 bytes {JMP 0x15f590} .text C:\Windows\Explorer.EXE[1692] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076ec0d60 5 bytes JMP 0000000077020380 .text C:\Windows\Explorer.EXE[1692] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076ec0d70 5 bytes JMP 0000000077020340 .text C:\Windows\Explorer.EXE[1692] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076ec1060 5 bytes JMP 0000000077020440 .text C:\Windows\Explorer.EXE[1692] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076ec1260 5 bytes JMP 0000000077020260 .text C:\Windows\Explorer.EXE[1692] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076ec1270 5 bytes JMP 0000000077020270 .text C:\Windows\Explorer.EXE[1692] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076ec1280 5 bytes JMP 0000000077020400 .text C:\Windows\Explorer.EXE[1692] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076ec1440 5 bytes JMP 00000000770201f0 .text C:\Windows\Explorer.EXE[1692] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076ec1450 5 bytes JMP 0000000077020210 .text C:\Windows\Explorer.EXE[1692] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076ec14c0 5 bytes JMP 0000000077020200 .text C:\Windows\Explorer.EXE[1692] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076ec1520 5 bytes JMP 0000000077020420 .text C:\Windows\Explorer.EXE[1692] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076ec1530 5 bytes JMP 0000000077020430 .text C:\Windows\Explorer.EXE[1692] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076ec1540 5 bytes JMP 0000000077020220 .text C:\Windows\Explorer.EXE[1692] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076ec1620 5 bytes JMP 0000000077020280 .text C:\Windows\Explorer.EXE[1692] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076daf1bd 1 byte [62] .text C:\Windows\system32\svchost.exe[1772] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076ebfe00 5 bytes JMP 0000000077020460 .text C:\Windows\system32\svchost.exe[1772] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076ebfe50 5 bytes JMP 0000000077020450 .text C:\Windows\system32\svchost.exe[1772] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076ebffb0 5 bytes JMP 0000000077020370 .text C:\Windows\system32\svchost.exe[1772] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076ec0000 5 bytes JMP 0000000077020470 .text C:\Windows\system32\svchost.exe[1772] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076ec0010 5 bytes JMP 00000000770203e0 .text C:\Windows\system32\svchost.exe[1772] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076ec00c0 5 bytes JMP 0000000077020320 .text C:\Windows\system32\svchost.exe[1772] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076ec00f0 5 bytes JMP 00000000770203b0 .text C:\Windows\system32\svchost.exe[1772] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076ec0110 5 bytes JMP 0000000077020390 .text C:\Windows\system32\svchost.exe[1772] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076ec0150 1 byte JMP 00000000770202e0 .text C:\Windows\system32\svchost.exe[1772] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent + 2 0000000076ec0152 3 bytes {JMP 0x160190} .text C:\Windows\system32\svchost.exe[1772] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076ec01d0 5 bytes JMP 00000000770202d0 .text C:\Windows\system32\svchost.exe[1772] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076ec01f0 5 bytes JMP 0000000077020310 .text C:\Windows\system32\svchost.exe[1772] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076ec0230 1 byte JMP 00000000770203c0 .text C:\Windows\system32\svchost.exe[1772] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread + 2 0000000076ec0232 3 bytes {JMP 0x160190} .text C:\Windows\system32\svchost.exe[1772] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076ec0280 5 bytes JMP 00000000770203f0 .text C:\Windows\system32\svchost.exe[1772] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076ec03e0 5 bytes JMP 0000000077020230 .text C:\Windows\system32\svchost.exe[1772] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076ec05a0 5 bytes JMP 0000000077020480 .text C:\Windows\system32\svchost.exe[1772] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076ec05d0 5 bytes JMP 00000000770203a0 .text C:\Windows\system32\svchost.exe[1772] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076ec06b0 5 bytes JMP 00000000770202f0 .text C:\Windows\system32\svchost.exe[1772] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076ec06c0 1 byte JMP 0000000077020350 .text C:\Windows\system32\svchost.exe[1772] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion + 2 0000000076ec06c2 3 bytes {JMP 0x15fc90} .text C:\Windows\system32\svchost.exe[1772] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076ec0720 5 bytes JMP 0000000077020290 .text C:\Windows\system32\svchost.exe[1772] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076ec07b0 5 bytes JMP 00000000770202b0 .text C:\Windows\system32\svchost.exe[1772] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076ec07d0 5 bytes JMP 00000000770203d0 .text C:\Windows\system32\svchost.exe[1772] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076ec07e0 5 bytes JMP 0000000077020330 .text C:\Windows\system32\svchost.exe[1772] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076ec0850 5 bytes JMP 0000000077020410 .text C:\Windows\system32\svchost.exe[1772] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076ec0880 5 bytes JMP 0000000077020240 .text C:\Windows\system32\svchost.exe[1772] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076ec0b40 5 bytes JMP 00000000770201e0 .text C:\Windows\system32\svchost.exe[1772] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076ec0c00 5 bytes JMP 0000000077020250 .text C:\Windows\system32\svchost.exe[1772] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076ec0c30 5 bytes JMP 0000000077020490 .text C:\Windows\system32\svchost.exe[1772] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076ec0c40 5 bytes JMP 00000000770204a0 .text C:\Windows\system32\svchost.exe[1772] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076ec0c70 1 byte JMP 0000000077020300 .text C:\Windows\system32\svchost.exe[1772] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair + 2 0000000076ec0c72 3 bytes {JMP 0x15f690} .text C:\Windows\system32\svchost.exe[1772] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076ec0c80 5 bytes JMP 0000000077020360 .text C:\Windows\system32\svchost.exe[1772] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076ec0ce0 5 bytes JMP 00000000770202a0 .text C:\Windows\system32\svchost.exe[1772] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076ec0d30 1 byte JMP 00000000770202c0 .text C:\Windows\system32\svchost.exe[1772] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore + 2 0000000076ec0d32 3 bytes {JMP 0x15f590} .text C:\Windows\system32\svchost.exe[1772] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076ec0d60 5 bytes JMP 0000000077020380 .text C:\Windows\system32\svchost.exe[1772] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076ec0d70 5 bytes JMP 0000000077020340 .text C:\Windows\system32\svchost.exe[1772] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076ec1060 5 bytes JMP 0000000077020440 .text C:\Windows\system32\svchost.exe[1772] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076ec1260 5 bytes JMP 0000000077020260 .text C:\Windows\system32\svchost.exe[1772] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076ec1270 5 bytes JMP 0000000077020270 .text C:\Windows\system32\svchost.exe[1772] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076ec1280 5 bytes JMP 0000000077020400 .text C:\Windows\system32\svchost.exe[1772] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076ec1440 5 bytes JMP 00000000770201f0 .text C:\Windows\system32\svchost.exe[1772] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076ec1450 5 bytes JMP 0000000077020210 .text C:\Windows\system32\svchost.exe[1772] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076ec14c0 5 bytes JMP 0000000077020200 .text C:\Windows\system32\svchost.exe[1772] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076ec1520 5 bytes JMP 0000000077020420 .text C:\Windows\system32\svchost.exe[1772] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076ec1530 5 bytes JMP 0000000077020430 .text C:\Windows\system32\svchost.exe[1772] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076ec1540 5 bytes JMP 0000000077020220 .text C:\Windows\system32\svchost.exe[1772] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076ec1620 5 bytes JMP 0000000077020280 .text C:\Windows\system32\svchost.exe[1772] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076daf1bd 1 byte [62] .text C:\Windows\system32\svchost.exe[1872] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076ebfe00 5 bytes JMP 0000000077020460 .text C:\Windows\system32\svchost.exe[1872] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076ebfe50 5 bytes JMP 0000000077020450 .text C:\Windows\system32\svchost.exe[1872] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076ebffb0 5 bytes JMP 0000000077020370 .text C:\Windows\system32\svchost.exe[1872] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076ec0000 5 bytes JMP 0000000077020470 .text C:\Windows\system32\svchost.exe[1872] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076ec0010 5 bytes JMP 00000000770203e0 .text C:\Windows\system32\svchost.exe[1872] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076ec00c0 5 bytes JMP 0000000077020320 .text C:\Windows\system32\svchost.exe[1872] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076ec00f0 5 bytes JMP 00000000770203b0 .text C:\Windows\system32\svchost.exe[1872] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076ec0110 5 bytes JMP 0000000077020390 .text C:\Windows\system32\svchost.exe[1872] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076ec0150 1 byte JMP 00000000770202e0 .text C:\Windows\system32\svchost.exe[1872] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent + 2 0000000076ec0152 3 bytes {JMP 0x160190} .text C:\Windows\system32\svchost.exe[1872] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076ec01d0 5 bytes JMP 00000000770202d0 .text C:\Windows\system32\svchost.exe[1872] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076ec01f0 5 bytes JMP 0000000077020310 .text C:\Windows\system32\svchost.exe[1872] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076ec0230 1 byte JMP 00000000770203c0 .text C:\Windows\system32\svchost.exe[1872] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread + 2 0000000076ec0232 3 bytes {JMP 0x160190} .text C:\Windows\system32\svchost.exe[1872] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076ec0280 5 bytes JMP 00000000770203f0 .text C:\Windows\system32\svchost.exe[1872] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076ec03e0 5 bytes JMP 0000000077020230 .text C:\Windows\system32\svchost.exe[1872] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076ec05a0 5 bytes JMP 0000000077020480 .text C:\Windows\system32\svchost.exe[1872] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076ec05d0 5 bytes JMP 00000000770203a0 .text C:\Windows\system32\svchost.exe[1872] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076ec06b0 5 bytes JMP 00000000770202f0 .text C:\Windows\system32\svchost.exe[1872] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076ec06c0 1 byte JMP 0000000077020350 .text C:\Windows\system32\svchost.exe[1872] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion + 2 0000000076ec06c2 3 bytes {JMP 0x15fc90} .text C:\Windows\system32\svchost.exe[1872] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076ec0720 5 bytes JMP 0000000077020290 .text C:\Windows\system32\svchost.exe[1872] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076ec07b0 5 bytes JMP 00000000770202b0 .text C:\Windows\system32\svchost.exe[1872] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076ec07d0 5 bytes JMP 00000000770203d0 .text C:\Windows\system32\svchost.exe[1872] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076ec07e0 5 bytes JMP 0000000077020330 .text C:\Windows\system32\svchost.exe[1872] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076ec0850 5 bytes JMP 0000000077020410 .text C:\Windows\system32\svchost.exe[1872] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076ec0880 5 bytes JMP 0000000077020240 .text C:\Windows\system32\svchost.exe[1872] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076ec0b40 5 bytes JMP 00000000770201e0 .text C:\Windows\system32\svchost.exe[1872] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076ec0c00 5 bytes JMP 0000000077020250 .text C:\Windows\system32\svchost.exe[1872] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076ec0c30 5 bytes JMP 0000000077020490 .text C:\Windows\system32\svchost.exe[1872] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076ec0c40 5 bytes JMP 00000000770204a0 .text C:\Windows\system32\svchost.exe[1872] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076ec0c70 1 byte JMP 0000000077020300 .text C:\Windows\system32\svchost.exe[1872] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair + 2 0000000076ec0c72 3 bytes {JMP 0x15f690} .text C:\Windows\system32\svchost.exe[1872] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076ec0c80 5 bytes JMP 0000000077020360 .text C:\Windows\system32\svchost.exe[1872] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076ec0ce0 5 bytes JMP 00000000770202a0 .text C:\Windows\system32\svchost.exe[1872] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076ec0d30 1 byte JMP 00000000770202c0 .text C:\Windows\system32\svchost.exe[1872] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore + 2 0000000076ec0d32 3 bytes {JMP 0x15f590} .text C:\Windows\system32\svchost.exe[1872] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076ec0d60 5 bytes JMP 0000000077020380 .text C:\Windows\system32\svchost.exe[1872] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076ec0d70 5 bytes JMP 0000000077020340 .text C:\Windows\system32\svchost.exe[1872] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076ec1060 5 bytes JMP 0000000077020440 .text C:\Windows\system32\svchost.exe[1872] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076ec1260 5 bytes JMP 0000000077020260 .text C:\Windows\system32\svchost.exe[1872] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076ec1270 5 bytes JMP 0000000077020270 .text C:\Windows\system32\svchost.exe[1872] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076ec1280 5 bytes JMP 0000000077020400 .text C:\Windows\system32\svchost.exe[1872] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076ec1440 5 bytes JMP 00000000770201f0 .text C:\Windows\system32\svchost.exe[1872] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076ec1450 5 bytes JMP 0000000077020210 .text C:\Windows\system32\svchost.exe[1872] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076ec14c0 5 bytes JMP 0000000077020200 .text C:\Windows\system32\svchost.exe[1872] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076ec1520 5 bytes JMP 0000000077020420 .text C:\Windows\system32\svchost.exe[1872] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076ec1530 5 bytes JMP 0000000077020430 .text C:\Windows\system32\svchost.exe[1872] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076ec1540 5 bytes JMP 0000000077020220 .text C:\Windows\system32\svchost.exe[1872] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076ec1620 5 bytes JMP 0000000077020280 .text C:\Windows\system32\svchost.exe[1872] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076daf1bd 1 byte [62] .text C:\Program Files (x86)\CinemaNow\CinemaNow Media Manager\CinemanowSvc.exe[1060] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007595b0c5 1 byte [62] .text C:\Program Files (x86)\CinemaNow\CinemaNow Media Manager\CinemanowSvc.exe[1060] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000077021401 2 bytes JMP 7594eb26 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\CinemaNow\CinemaNow Media Manager\CinemanowSvc.exe[1060] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000077021419 2 bytes JMP 7595b513 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\CinemaNow\CinemaNow Media Manager\CinemanowSvc.exe[1060] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000077021431 2 bytes JMP 759d8609 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\CinemaNow\CinemaNow Media Manager\CinemanowSvc.exe[1060] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007702144a 2 bytes CALL 75931dfa C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\CinemaNow\CinemaNow Media Manager\CinemanowSvc.exe[1060] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000770214dd 2 bytes JMP 759d7efe C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\CinemaNow\CinemaNow Media Manager\CinemanowSvc.exe[1060] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000770214f5 2 bytes JMP 759d80d8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\CinemaNow\CinemaNow Media Manager\CinemanowSvc.exe[1060] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007702150d 2 bytes JMP 759d7df4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\CinemaNow\CinemaNow Media Manager\CinemanowSvc.exe[1060] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000077021525 2 bytes JMP 759d81c2 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\CinemaNow\CinemaNow Media Manager\CinemanowSvc.exe[1060] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007702153d 2 bytes JMP 7594f088 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\CinemaNow\CinemaNow Media Manager\CinemanowSvc.exe[1060] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000077021555 2 bytes JMP 7595b885 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\CinemaNow\CinemaNow Media Manager\CinemanowSvc.exe[1060] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007702156d 2 bytes JMP 759d86c1 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\CinemaNow\CinemaNow Media Manager\CinemanowSvc.exe[1060] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000077021585 2 bytes JMP 759d8222 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\CinemaNow\CinemaNow Media Manager\CinemanowSvc.exe[1060] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007702159d 2 bytes JMP 759d7db8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\CinemaNow\CinemaNow Media Manager\CinemanowSvc.exe[1060] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000770215b5 2 bytes JMP 7594f121 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\CinemaNow\CinemaNow Media Manager\CinemanowSvc.exe[1060] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000770215cd 2 bytes JMP 7595b29f C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\CinemaNow\CinemaNow Media Manager\CinemanowSvc.exe[1060] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000770216b2 2 bytes JMP 759d8584 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\CinemaNow\CinemaNow Media Manager\CinemanowSvc.exe[1060] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000770216bd 2 bytes JMP 759d7d4d C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe[1892] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007595b0c5 1 byte [62] .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe[2080] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007595b0c5 1 byte [62] .text C:\Program Files (x86)\Norton Internet Security\Engine\18.0.0.128\ccSvcHst.exe[2128] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007595b0c5 1 byte [62] .text C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe[2468] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076ebfe00 5 bytes JMP 0000000077020460 .text C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe[2468] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076ebfe50 5 bytes JMP 0000000077020450 .text C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe[2468] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076ebffb0 5 bytes JMP 0000000077020370 .text C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe[2468] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076ec0000 5 bytes JMP 0000000077020470 .text C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe[2468] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076ec0010 5 bytes JMP 00000000770203e0 .text C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe[2468] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076ec00c0 5 bytes JMP 0000000077020320 .text C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe[2468] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076ec00f0 5 bytes JMP 00000000770203b0 .text C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe[2468] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076ec0110 5 bytes JMP 0000000077020390 .text C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe[2468] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076ec0150 1 byte JMP 00000000770202e0 .text C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe[2468] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent + 2 0000000076ec0152 3 bytes {JMP 0x160190} .text C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe[2468] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076ec01d0 5 bytes JMP 00000000770202d0 .text C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe[2468] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076ec01f0 5 bytes JMP 0000000077020310 .text C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe[2468] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076ec0230 1 byte JMP 00000000770203c0 .text C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe[2468] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread + 2 0000000076ec0232 3 bytes {JMP 0x160190} .text C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe[2468] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076ec0280 5 bytes JMP 00000000770203f0 .text C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe[2468] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076ec03e0 5 bytes JMP 0000000077020230 .text C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe[2468] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076ec05a0 5 bytes JMP 0000000077020480 .text C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe[2468] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076ec05d0 5 bytes JMP 00000000770203a0 .text C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe[2468] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076ec06b0 5 bytes JMP 00000000770202f0 .text C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe[2468] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076ec06c0 1 byte JMP 0000000077020350 .text C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe[2468] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion + 2 0000000076ec06c2 3 bytes {JMP 0x15fc90} .text C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe[2468] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076ec0720 5 bytes JMP 0000000077020290 .text C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe[2468] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076ec07b0 5 bytes JMP 00000000770202b0 .text C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe[2468] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076ec07d0 5 bytes JMP 00000000770203d0 .text C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe[2468] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076ec07e0 5 bytes JMP 0000000077020330 .text C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe[2468] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076ec0850 5 bytes JMP 0000000077020410 .text C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe[2468] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076ec0880 5 bytes JMP 0000000077020240 .text C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe[2468] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076ec0b40 5 bytes JMP 00000000770201e0 .text C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe[2468] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076ec0c00 5 bytes JMP 0000000077020250 .text C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe[2468] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076ec0c30 5 bytes JMP 0000000077020490 .text C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe[2468] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076ec0c40 5 bytes JMP 00000000770204a0 .text C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe[2468] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076ec0c70 1 byte JMP 0000000077020300 .text C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe[2468] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair + 2 0000000076ec0c72 3 bytes {JMP 0x15f690} .text C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe[2468] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076ec0c80 5 bytes JMP 0000000077020360 .text C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe[2468] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076ec0ce0 5 bytes JMP 00000000770202a0 .text C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe[2468] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076ec0d30 1 byte JMP 00000000770202c0 .text C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe[2468] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore + 2 0000000076ec0d32 3 bytes {JMP 0x15f590} .text C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe[2468] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076ec0d60 5 bytes JMP 0000000077020380 .text C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe[2468] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076ec0d70 5 bytes JMP 0000000077020340 .text C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe[2468] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076ec1060 5 bytes JMP 0000000077020440 .text C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe[2468] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076ec1260 5 bytes JMP 0000000077020260 .text C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe[2468] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076ec1270 5 bytes JMP 0000000077020270 .text C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe[2468] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076ec1280 5 bytes JMP 0000000077020400 .text C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe[2468] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076ec1440 5 bytes JMP 00000000770201f0 .text C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe[2468] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076ec1450 5 bytes JMP 0000000077020210 .text C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe[2468] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076ec14c0 5 bytes JMP 0000000077020200 .text C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe[2468] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076ec1520 5 bytes JMP 0000000077020420 .text C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe[2468] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076ec1530 5 bytes JMP 0000000077020430 .text C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe[2468] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076ec1540 5 bytes JMP 0000000077020220 .text C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe[2468] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076ec1620 5 bytes JMP 0000000077020280 .text C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe[2468] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076daf1bd 1 byte [62] .text C:\Program Files (x86)\NortonInstaller\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS\A5E82D02\18.0.0.128\InstStub.exe[2484] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007595b0c5 1 byte [62] .text C:\Program Files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe[2528] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007595b0c5 1 byte [62] .text C:\Windows\system32\svchost.exe[2868] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076ebfe00 5 bytes JMP 0000000100070460 .text C:\Windows\system32\svchost.exe[2868] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076ebfe50 5 bytes JMP 0000000100070450 .text C:\Windows\system32\svchost.exe[2868] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076ebffb0 5 bytes JMP 0000000100070370 .text C:\Windows\system32\svchost.exe[2868] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076ec0000 5 bytes JMP 0000000100070470 .text C:\Windows\system32\svchost.exe[2868] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076ec0010 5 bytes JMP 00000001000703e0 .text C:\Windows\system32\svchost.exe[2868] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076ec00c0 5 bytes JMP 0000000100070320 .text C:\Windows\system32\svchost.exe[2868] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076ec00f0 5 bytes JMP 00000001000703b0 .text C:\Windows\system32\svchost.exe[2868] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076ec0110 5 bytes JMP 0000000100070390 .text C:\Windows\system32\svchost.exe[2868] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076ec0150 1 byte JMP 00000001000702e0 .text C:\Windows\system32\svchost.exe[2868] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent + 2 0000000076ec0152 3 bytes {JMP 0xffffffff891b0190} .text C:\Windows\system32\svchost.exe[2868] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076ec01d0 5 bytes JMP 00000001000702d0 .text C:\Windows\system32\svchost.exe[2868] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076ec01f0 5 bytes JMP 0000000100070310 .text C:\Windows\system32\svchost.exe[2868] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076ec0230 1 byte JMP 00000001000703c0 .text C:\Windows\system32\svchost.exe[2868] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread + 2 0000000076ec0232 3 bytes {JMP 0xffffffff891b0190} .text C:\Windows\system32\svchost.exe[2868] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076ec0280 5 bytes JMP 00000001000703f0 .text C:\Windows\system32\svchost.exe[2868] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076ec03e0 5 bytes JMP 0000000100070230 .text C:\Windows\system32\svchost.exe[2868] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076ec05a0 5 bytes JMP 0000000100070480 .text C:\Windows\system32\svchost.exe[2868] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076ec05d0 5 bytes JMP 00000001000703a0 .text C:\Windows\system32\svchost.exe[2868] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076ec06b0 5 bytes JMP 00000001000702f0 .text C:\Windows\system32\svchost.exe[2868] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076ec06c0 1 byte JMP 0000000100070350 .text C:\Windows\system32\svchost.exe[2868] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion + 2 0000000076ec06c2 3 bytes {JMP 0xffffffff891afc90} .text C:\Windows\system32\svchost.exe[2868] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076ec0720 5 bytes JMP 0000000100070290 .text C:\Windows\system32\svchost.exe[2868] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076ec07b0 5 bytes JMP 00000001000702b0 .text C:\Windows\system32\svchost.exe[2868] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076ec07d0 5 bytes JMP 00000001000703d0 .text C:\Windows\system32\svchost.exe[2868] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076ec07e0 5 bytes JMP 0000000100070330 .text C:\Windows\system32\svchost.exe[2868] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076ec0850 5 bytes JMP 0000000100070410 .text C:\Windows\system32\svchost.exe[2868] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076ec0880 5 bytes JMP 0000000100070240 .text C:\Windows\system32\svchost.exe[2868] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076ec0b40 5 bytes JMP 00000001000701e0 .text C:\Windows\system32\svchost.exe[2868] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076ec0c00 5 bytes JMP 0000000100070250 .text C:\Windows\system32\svchost.exe[2868] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076ec0c30 5 bytes JMP 0000000100070490 .text C:\Windows\system32\svchost.exe[2868] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076ec0c40 5 bytes JMP 00000001000704a0 .text C:\Windows\system32\svchost.exe[2868] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076ec0c70 1 byte JMP 0000000100070300 .text C:\Windows\system32\svchost.exe[2868] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair + 2 0000000076ec0c72 3 bytes {JMP 0xffffffff891af690} .text C:\Windows\system32\svchost.exe[2868] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076ec0c80 5 bytes JMP 0000000100070360 .text C:\Windows\system32\svchost.exe[2868] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076ec0ce0 5 bytes JMP 00000001000702a0 .text C:\Windows\system32\svchost.exe[2868] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076ec0d30 1 byte JMP 00000001000702c0 .text C:\Windows\system32\svchost.exe[2868] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore + 2 0000000076ec0d32 3 bytes {JMP 0xffffffff891af590} .text C:\Windows\system32\svchost.exe[2868] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076ec0d60 5 bytes JMP 0000000100070380 .text C:\Windows\system32\svchost.exe[2868] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076ec0d70 5 bytes JMP 0000000100070340 .text C:\Windows\system32\svchost.exe[2868] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076ec1060 5 bytes JMP 0000000100070440 .text C:\Windows\system32\svchost.exe[2868] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076ec1260 5 bytes JMP 0000000100070260 .text C:\Windows\system32\svchost.exe[2868] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076ec1270 5 bytes JMP 0000000100070270 .text C:\Windows\system32\svchost.exe[2868] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076ec1280 5 bytes JMP 0000000100070400 .text C:\Windows\system32\svchost.exe[2868] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076ec1440 5 bytes JMP 00000001000701f0 .text C:\Windows\system32\svchost.exe[2868] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076ec1450 5 bytes JMP 0000000100070210 .text C:\Windows\system32\svchost.exe[2868] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076ec14c0 5 bytes JMP 0000000100070200 .text C:\Windows\system32\svchost.exe[2868] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076ec1520 5 bytes JMP 0000000100070420 .text C:\Windows\system32\svchost.exe[2868] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076ec1530 5 bytes JMP 0000000100070430 .text C:\Windows\system32\svchost.exe[2868] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076ec1540 5 bytes JMP 0000000100070220 .text C:\Windows\system32\svchost.exe[2868] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076ec1620 5 bytes JMP 0000000100070280 .text C:\Windows\system32\svchost.exe[2868] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076daf1bd 1 byte [62] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2912] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076ebfe00 5 bytes JMP 0000000077020460 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2912] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076ebfe50 5 bytes JMP 0000000077020450 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2912] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076ebffb0 5 bytes JMP 0000000077020370 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2912] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076ec0000 5 bytes JMP 0000000077020470 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2912] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076ec0010 5 bytes JMP 00000000770203e0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2912] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076ec00c0 5 bytes JMP 0000000077020320 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2912] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076ec00f0 5 bytes JMP 00000000770203b0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2912] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076ec0110 5 bytes JMP 0000000077020390 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2912] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076ec0150 1 byte JMP 00000000770202e0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2912] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent + 2 0000000076ec0152 3 bytes {JMP 0x160190} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2912] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076ec01d0 5 bytes JMP 00000000770202d0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2912] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076ec01f0 5 bytes JMP 0000000077020310 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2912] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076ec0230 1 byte JMP 00000000770203c0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2912] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread + 2 0000000076ec0232 3 bytes {JMP 0x160190} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2912] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076ec0280 5 bytes JMP 00000000770203f0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2912] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076ec03e0 5 bytes JMP 0000000077020230 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2912] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076ec05a0 5 bytes JMP 0000000077020480 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2912] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076ec05d0 5 bytes JMP 00000000770203a0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2912] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076ec06b0 5 bytes JMP 00000000770202f0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2912] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076ec06c0 1 byte JMP 0000000077020350 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2912] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion + 2 0000000076ec06c2 3 bytes {JMP 0x15fc90} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2912] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076ec0720 5 bytes JMP 0000000077020290 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2912] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076ec07b0 5 bytes JMP 00000000770202b0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2912] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076ec07d0 5 bytes JMP 00000000770203d0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2912] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076ec07e0 5 bytes JMP 0000000077020330 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2912] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076ec0850 5 bytes JMP 0000000077020410 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2912] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076ec0880 5 bytes JMP 0000000077020240 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2912] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076ec0b40 5 bytes JMP 00000000770201e0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2912] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076ec0c00 5 bytes JMP 0000000077020250 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2912] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076ec0c30 5 bytes JMP 0000000077020490 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2912] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076ec0c40 5 bytes JMP 00000000770204a0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2912] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076ec0c70 1 byte JMP 0000000077020300 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2912] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair + 2 0000000076ec0c72 3 bytes {JMP 0x15f690} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2912] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076ec0c80 5 bytes JMP 0000000077020360 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2912] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076ec0ce0 5 bytes JMP 00000000770202a0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2912] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076ec0d30 1 byte JMP 00000000770202c0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2912] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore + 2 0000000076ec0d32 3 bytes {JMP 0x15f590} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2912] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076ec0d60 5 bytes JMP 0000000077020380 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2912] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076ec0d70 5 bytes JMP 0000000077020340 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2912] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076ec1060 5 bytes JMP 0000000077020440 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2912] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076ec1260 5 bytes JMP 0000000077020260 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2912] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076ec1270 5 bytes JMP 0000000077020270 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2912] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076ec1280 5 bytes JMP 0000000077020400 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2912] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076ec1440 5 bytes JMP 00000000770201f0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2912] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076ec1450 5 bytes JMP 0000000077020210 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2912] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076ec14c0 5 bytes JMP 0000000077020200 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2912] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076ec1520 5 bytes JMP 0000000077020420 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2912] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076ec1530 5 bytes JMP 0000000077020430 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2912] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076ec1540 5 bytes JMP 0000000077020220 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2912] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076ec1620 5 bytes JMP 0000000077020280 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2912] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076daf1bd 1 byte [62] .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[2988] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007595b0c5 1 byte [62] .text C:\Windows\system32\wbem\wmiprvse.exe[2284] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076ebfe00 5 bytes JMP 0000000100070460 .text C:\Windows\system32\wbem\wmiprvse.exe[2284] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076ebfe50 5 bytes JMP 0000000100070450 .text C:\Windows\system32\wbem\wmiprvse.exe[2284] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076ebffb0 5 bytes JMP 0000000100070370 .text C:\Windows\system32\wbem\wmiprvse.exe[2284] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076ec0000 5 bytes JMP 0000000100070470 .text C:\Windows\system32\wbem\wmiprvse.exe[2284] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076ec0010 5 bytes JMP 00000001000703e0 .text C:\Windows\system32\wbem\wmiprvse.exe[2284] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076ec00c0 5 bytes JMP 0000000100070320 .text C:\Windows\system32\wbem\wmiprvse.exe[2284] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076ec00f0 5 bytes JMP 00000001000703b0 .text C:\Windows\system32\wbem\wmiprvse.exe[2284] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076ec0110 5 bytes JMP 0000000100070390 .text C:\Windows\system32\wbem\wmiprvse.exe[2284] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076ec0150 1 byte JMP 00000001000702e0 .text C:\Windows\system32\wbem\wmiprvse.exe[2284] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent + 2 0000000076ec0152 3 bytes {JMP 0xffffffff891b0190} .text C:\Windows\system32\wbem\wmiprvse.exe[2284] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076ec01d0 5 bytes JMP 00000001000702d0 .text C:\Windows\system32\wbem\wmiprvse.exe[2284] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076ec01f0 5 bytes JMP 0000000100070310 .text C:\Windows\system32\wbem\wmiprvse.exe[2284] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076ec0230 1 byte JMP 00000001000703c0 .text C:\Windows\system32\wbem\wmiprvse.exe[2284] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread + 2 0000000076ec0232 3 bytes {JMP 0xffffffff891b0190} .text C:\Windows\system32\wbem\wmiprvse.exe[2284] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076ec0280 5 bytes JMP 00000001000703f0 .text C:\Windows\system32\wbem\wmiprvse.exe[2284] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076ec03e0 5 bytes JMP 0000000100070230 .text C:\Windows\system32\wbem\wmiprvse.exe[2284] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076ec05a0 5 bytes JMP 0000000100070480 .text C:\Windows\system32\wbem\wmiprvse.exe[2284] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076ec05d0 5 bytes JMP 00000001000703a0 .text C:\Windows\system32\wbem\wmiprvse.exe[2284] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076ec06b0 5 bytes JMP 00000001000702f0 .text C:\Windows\system32\wbem\wmiprvse.exe[2284] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076ec06c0 1 byte JMP 0000000100070350 .text C:\Windows\system32\wbem\wmiprvse.exe[2284] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion + 2 0000000076ec06c2 3 bytes {JMP 0xffffffff891afc90} .text C:\Windows\system32\wbem\wmiprvse.exe[2284] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076ec0720 5 bytes JMP 0000000100070290 .text C:\Windows\system32\wbem\wmiprvse.exe[2284] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076ec07b0 5 bytes JMP 00000001000702b0 .text C:\Windows\system32\wbem\wmiprvse.exe[2284] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076ec07d0 5 bytes JMP 00000001000703d0 .text C:\Windows\system32\wbem\wmiprvse.exe[2284] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076ec07e0 5 bytes JMP 0000000100070330 .text C:\Windows\system32\wbem\wmiprvse.exe[2284] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076ec0850 5 bytes JMP 0000000100070410 .text C:\Windows\system32\wbem\wmiprvse.exe[2284] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076ec0880 5 bytes JMP 0000000100070240 .text C:\Windows\system32\wbem\wmiprvse.exe[2284] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076ec0b40 5 bytes JMP 00000001000701e0 .text C:\Windows\system32\wbem\wmiprvse.exe[2284] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076ec0c00 5 bytes JMP 0000000100070250 .text C:\Windows\system32\wbem\wmiprvse.exe[2284] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076ec0c30 5 bytes JMP 0000000100070490 .text C:\Windows\system32\wbem\wmiprvse.exe[2284] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076ec0c40 5 bytes JMP 00000001000704a0 .text C:\Windows\system32\wbem\wmiprvse.exe[2284] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076ec0c70 1 byte JMP 0000000100070300 .text C:\Windows\system32\wbem\wmiprvse.exe[2284] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair + 2 0000000076ec0c72 3 bytes {JMP 0xffffffff891af690} .text C:\Windows\system32\wbem\wmiprvse.exe[2284] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076ec0c80 5 bytes JMP 0000000100070360 .text C:\Windows\system32\wbem\wmiprvse.exe[2284] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076ec0ce0 5 bytes JMP 00000001000702a0 .text C:\Windows\system32\wbem\wmiprvse.exe[2284] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076ec0d30 1 byte JMP 00000001000702c0 .text C:\Windows\system32\wbem\wmiprvse.exe[2284] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore + 2 0000000076ec0d32 3 bytes {JMP 0xffffffff891af590} .text C:\Windows\system32\wbem\wmiprvse.exe[2284] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076ec0d60 5 bytes JMP 0000000100070380 .text C:\Windows\system32\wbem\wmiprvse.exe[2284] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076ec0d70 5 bytes JMP 0000000100070340 .text C:\Windows\system32\wbem\wmiprvse.exe[2284] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076ec1060 5 bytes JMP 0000000100070440 .text C:\Windows\system32\wbem\wmiprvse.exe[2284] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076ec1260 5 bytes JMP 0000000100070260 .text C:\Windows\system32\wbem\wmiprvse.exe[2284] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076ec1270 5 bytes JMP 0000000100070270 .text C:\Windows\system32\wbem\wmiprvse.exe[2284] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076ec1280 5 bytes JMP 0000000100070400 .text C:\Windows\system32\wbem\wmiprvse.exe[2284] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076ec1440 5 bytes JMP 00000001000701f0 .text C:\Windows\system32\wbem\wmiprvse.exe[2284] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076ec1450 5 bytes JMP 0000000100070210 .text C:\Windows\system32\wbem\wmiprvse.exe[2284] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076ec14c0 5 bytes JMP 0000000100070200 .text C:\Windows\system32\wbem\wmiprvse.exe[2284] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076ec1520 5 bytes JMP 0000000100070420 .text C:\Windows\system32\wbem\wmiprvse.exe[2284] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076ec1530 5 bytes JMP 0000000100070430 .text C:\Windows\system32\wbem\wmiprvse.exe[2284] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076ec1540 5 bytes JMP 0000000100070220 .text C:\Windows\system32\wbem\wmiprvse.exe[2284] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076ec1620 5 bytes JMP 0000000100070280 .text C:\Windows\system32\wbem\wmiprvse.exe[2284] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076daf1bd 1 byte [62] .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[2368] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007595b0c5 1 byte [62] .text C:\Windows\system32\SearchIndexer.exe[3096] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076ebfe00 5 bytes JMP 0000000077020460 .text C:\Windows\system32\SearchIndexer.exe[3096] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076ebfe50 5 bytes JMP 0000000077020450 .text C:\Windows\system32\SearchIndexer.exe[3096] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076ebffb0 5 bytes JMP 0000000077020370 .text C:\Windows\system32\SearchIndexer.exe[3096] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076ec0000 5 bytes JMP 0000000077020470 .text C:\Windows\system32\SearchIndexer.exe[3096] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076ec0010 5 bytes JMP 00000000770203e0 .text C:\Windows\system32\SearchIndexer.exe[3096] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076ec00c0 5 bytes JMP 0000000077020320 .text C:\Windows\system32\SearchIndexer.exe[3096] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076ec00f0 5 bytes JMP 00000000770203b0 .text C:\Windows\system32\SearchIndexer.exe[3096] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076ec0110 5 bytes JMP 0000000077020390 .text C:\Windows\system32\SearchIndexer.exe[3096] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076ec0150 1 byte JMP 00000000770202e0 .text C:\Windows\system32\SearchIndexer.exe[3096] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent + 2 0000000076ec0152 3 bytes {JMP 0x160190} .text C:\Windows\system32\SearchIndexer.exe[3096] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076ec01d0 5 bytes JMP 00000000770202d0 .text C:\Windows\system32\SearchIndexer.exe[3096] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076ec01f0 5 bytes JMP 0000000077020310 .text C:\Windows\system32\SearchIndexer.exe[3096] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076ec0230 1 byte JMP 00000000770203c0 .text C:\Windows\system32\SearchIndexer.exe[3096] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread + 2 0000000076ec0232 3 bytes {JMP 0x160190} .text C:\Windows\system32\SearchIndexer.exe[3096] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076ec0280 5 bytes JMP 00000000770203f0 .text C:\Windows\system32\SearchIndexer.exe[3096] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076ec03e0 5 bytes JMP 0000000077020230 .text C:\Windows\system32\SearchIndexer.exe[3096] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076ec05a0 5 bytes JMP 0000000077020480 .text C:\Windows\system32\SearchIndexer.exe[3096] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076ec05d0 5 bytes JMP 00000000770203a0 .text C:\Windows\system32\SearchIndexer.exe[3096] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076ec06b0 5 bytes JMP 00000000770202f0 .text C:\Windows\system32\SearchIndexer.exe[3096] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076ec06c0 1 byte JMP 0000000077020350 .text C:\Windows\system32\SearchIndexer.exe[3096] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion + 2 0000000076ec06c2 3 bytes {JMP 0x15fc90} .text C:\Windows\system32\SearchIndexer.exe[3096] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076ec0720 5 bytes JMP 0000000077020290 .text C:\Windows\system32\SearchIndexer.exe[3096] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076ec07b0 5 bytes JMP 00000000770202b0 .text C:\Windows\system32\SearchIndexer.exe[3096] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076ec07d0 5 bytes JMP 00000000770203d0 .text C:\Windows\system32\SearchIndexer.exe[3096] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076ec07e0 5 bytes JMP 0000000077020330 .text C:\Windows\system32\SearchIndexer.exe[3096] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076ec0850 5 bytes JMP 0000000077020410 .text C:\Windows\system32\SearchIndexer.exe[3096] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076ec0880 5 bytes JMP 0000000077020240 .text C:\Windows\system32\SearchIndexer.exe[3096] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076ec0b40 5 bytes JMP 00000000770201e0 .text C:\Windows\system32\SearchIndexer.exe[3096] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076ec0c00 5 bytes JMP 0000000077020250 .text C:\Windows\system32\SearchIndexer.exe[3096] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076ec0c30 5 bytes JMP 0000000077020490 .text C:\Windows\system32\SearchIndexer.exe[3096] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076ec0c40 5 bytes JMP 00000000770204a0 .text C:\Windows\system32\SearchIndexer.exe[3096] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076ec0c70 1 byte JMP 0000000077020300 .text C:\Windows\system32\SearchIndexer.exe[3096] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair + 2 0000000076ec0c72 3 bytes {JMP 0x15f690} .text C:\Windows\system32\SearchIndexer.exe[3096] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076ec0c80 5 bytes JMP 0000000077020360 .text C:\Windows\system32\SearchIndexer.exe[3096] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076ec0ce0 5 bytes JMP 00000000770202a0 .text C:\Windows\system32\SearchIndexer.exe[3096] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076ec0d30 1 byte JMP 00000000770202c0 .text C:\Windows\system32\SearchIndexer.exe[3096] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore + 2 0000000076ec0d32 3 bytes {JMP 0x15f590} .text C:\Windows\system32\SearchIndexer.exe[3096] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076ec0d60 5 bytes JMP 0000000077020380 .text C:\Windows\system32\SearchIndexer.exe[3096] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076ec0d70 5 bytes JMP 0000000077020340 .text C:\Windows\system32\SearchIndexer.exe[3096] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076ec1060 5 bytes JMP 0000000077020440 .text C:\Windows\system32\SearchIndexer.exe[3096] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076ec1260 5 bytes JMP 0000000077020260 .text C:\Windows\system32\SearchIndexer.exe[3096] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076ec1270 5 bytes JMP 0000000077020270 .text C:\Windows\system32\SearchIndexer.exe[3096] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076ec1280 5 bytes JMP 0000000077020400 .text C:\Windows\system32\SearchIndexer.exe[3096] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076ec1440 5 bytes JMP 00000000770201f0 .text C:\Windows\system32\SearchIndexer.exe[3096] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076ec1450 5 bytes JMP 0000000077020210 .text C:\Windows\system32\SearchIndexer.exe[3096] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076ec14c0 5 bytes JMP 0000000077020200 .text C:\Windows\system32\SearchIndexer.exe[3096] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076ec1520 5 bytes JMP 0000000077020420 .text C:\Windows\system32\SearchIndexer.exe[3096] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076ec1530 5 bytes JMP 0000000077020430 .text C:\Windows\system32\SearchIndexer.exe[3096] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076ec1540 5 bytes JMP 0000000077020220 .text C:\Windows\system32\SearchIndexer.exe[3096] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076ec1620 5 bytes JMP 0000000077020280 .text C:\Windows\system32\SearchIndexer.exe[3096] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076daf1bd 1 byte [62] .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3780] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076ebfe00 5 bytes JMP 0000000077020460 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3780] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076ebfe50 5 bytes JMP 0000000077020450 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3780] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076ebffb0 5 bytes JMP 0000000077020370 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3780] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076ec0000 5 bytes JMP 0000000077020470 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3780] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076ec0010 5 bytes JMP 00000000770203e0 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3780] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076ec00c0 5 bytes JMP 0000000077020320 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3780] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076ec00f0 5 bytes JMP 00000000770203b0 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3780] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076ec0110 5 bytes JMP 0000000077020390 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3780] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076ec0150 1 byte JMP 00000000770202e0 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3780] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent + 2 0000000076ec0152 3 bytes {JMP 0x160190} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3780] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076ec01d0 5 bytes JMP 00000000770202d0 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3780] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076ec01f0 5 bytes JMP 0000000077020310 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3780] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076ec0230 1 byte JMP 00000000770203c0 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3780] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread + 2 0000000076ec0232 3 bytes {JMP 0x160190} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3780] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076ec0280 5 bytes JMP 00000000770203f0 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3780] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076ec03e0 5 bytes JMP 0000000077020230 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3780] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076ec05a0 5 bytes JMP 0000000077020480 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3780] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076ec05d0 5 bytes JMP 00000000770203a0 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3780] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076ec06b0 5 bytes JMP 00000000770202f0 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3780] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076ec06c0 1 byte JMP 0000000077020350 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3780] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion + 2 0000000076ec06c2 3 bytes {JMP 0x15fc90} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3780] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076ec0720 5 bytes JMP 0000000077020290 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3780] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076ec07b0 5 bytes JMP 00000000770202b0 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3780] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076ec07d0 5 bytes JMP 00000000770203d0 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3780] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076ec07e0 5 bytes JMP 0000000077020330 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3780] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076ec0850 5 bytes JMP 0000000077020410 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3780] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076ec0880 5 bytes JMP 0000000077020240 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3780] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076ec0b40 5 bytes JMP 00000000770201e0 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3780] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076ec0c00 5 bytes JMP 0000000077020250 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3780] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076ec0c30 5 bytes JMP 0000000077020490 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3780] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076ec0c40 5 bytes JMP 00000000770204a0 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3780] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076ec0c70 1 byte JMP 0000000077020300 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3780] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair + 2 0000000076ec0c72 3 bytes {JMP 0x15f690} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3780] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076ec0c80 5 bytes JMP 0000000077020360 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3780] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076ec0ce0 5 bytes JMP 00000000770202a0 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3780] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076ec0d30 1 byte JMP 00000000770202c0 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3780] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore + 2 0000000076ec0d32 3 bytes {JMP 0x15f590} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3780] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076ec0d60 5 bytes JMP 0000000077020380 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3780] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076ec0d70 5 bytes JMP 0000000077020340 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3780] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076ec1060 5 bytes JMP 0000000077020440 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3780] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076ec1260 5 bytes JMP 0000000077020260 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3780] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076ec1270 5 bytes JMP 0000000077020270 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3780] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076ec1280 5 bytes JMP 0000000077020400 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3780] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076ec1440 5 bytes JMP 00000000770201f0 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3780] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076ec1450 5 bytes JMP 0000000077020210 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3780] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076ec14c0 5 bytes JMP 0000000077020200 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3780] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076ec1520 5 bytes JMP 0000000077020420 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3780] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076ec1530 5 bytes JMP 0000000077020430 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3780] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076ec1540 5 bytes JMP 0000000077020220 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3780] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076ec1620 5 bytes JMP 0000000077020280 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3780] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076daf1bd 1 byte [62] .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[3864] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076ebfe00 5 bytes JMP 0000000077020460 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[3864] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076ebfe50 5 bytes JMP 0000000077020450 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[3864] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076ebffb0 5 bytes JMP 0000000077020370 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[3864] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076ec0000 5 bytes JMP 0000000077020470 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[3864] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076ec0010 5 bytes JMP 00000000770203e0 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[3864] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076ec00c0 5 bytes JMP 0000000077020320 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[3864] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076ec00f0 5 bytes JMP 00000000770203b0 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[3864] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076ec0110 5 bytes JMP 0000000077020390 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[3864] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076ec0150 1 byte JMP 00000000770202e0 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[3864] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent + 2 0000000076ec0152 3 bytes {JMP 0x160190} .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[3864] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076ec01d0 5 bytes JMP 00000000770202d0 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[3864] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076ec01f0 5 bytes JMP 0000000077020310 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[3864] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076ec0230 1 byte JMP 00000000770203c0 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[3864] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread + 2 0000000076ec0232 3 bytes {JMP 0x160190} .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[3864] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076ec0280 5 bytes JMP 00000000770203f0 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[3864] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076ec03e0 5 bytes JMP 0000000077020230 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[3864] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076ec05a0 5 bytes JMP 0000000077020480 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[3864] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076ec05d0 5 bytes JMP 00000000770203a0 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[3864] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076ec06b0 5 bytes JMP 00000000770202f0 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[3864] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076ec06c0 1 byte JMP 0000000077020350 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[3864] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion + 2 0000000076ec06c2 3 bytes {JMP 0x15fc90} .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[3864] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076ec0720 5 bytes JMP 0000000077020290 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[3864] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076ec07b0 5 bytes JMP 00000000770202b0 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[3864] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076ec07d0 5 bytes JMP 00000000770203d0 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[3864] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076ec07e0 5 bytes JMP 0000000077020330 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[3864] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076ec0850 5 bytes JMP 0000000077020410 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[3864] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076ec0880 5 bytes JMP 0000000077020240 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[3864] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076ec0b40 5 bytes JMP 00000000770201e0 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[3864] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076ec0c00 5 bytes JMP 0000000077020250 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[3864] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076ec0c30 5 bytes JMP 0000000077020490 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[3864] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076ec0c40 5 bytes JMP 00000000770204a0 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[3864] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076ec0c70 1 byte JMP 0000000077020300 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[3864] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair + 2 0000000076ec0c72 3 bytes {JMP 0x15f690} .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[3864] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076ec0c80 5 bytes JMP 0000000077020360 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[3864] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076ec0ce0 5 bytes JMP 00000000770202a0 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[3864] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076ec0d30 1 byte JMP 00000000770202c0 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[3864] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore + 2 0000000076ec0d32 3 bytes {JMP 0x15f590} .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[3864] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076ec0d60 5 bytes JMP 0000000077020380 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[3864] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076ec0d70 5 bytes JMP 0000000077020340 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[3864] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076ec1060 5 bytes JMP 0000000077020440 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[3864] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076ec1260 5 bytes JMP 0000000077020260 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[3864] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076ec1270 5 bytes JMP 0000000077020270 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[3864] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076ec1280 5 bytes JMP 0000000077020400 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[3864] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076ec1440 5 bytes JMP 00000000770201f0 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[3864] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076ec1450 5 bytes JMP 0000000077020210 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[3864] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076ec14c0 5 bytes JMP 0000000077020200 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[3864] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076ec1520 5 bytes JMP 0000000077020420 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[3864] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076ec1530 5 bytes JMP 0000000077020430 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[3864] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076ec1540 5 bytes JMP 0000000077020220 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[3864] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076ec1620 5 bytes JMP 0000000077020280 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[3864] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076daf1bd 1 byte [62] .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[3996] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076ebfe00 5 bytes JMP 0000000077020460 .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[3996] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076ebfe50 5 bytes JMP 0000000077020450 .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[3996] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076ebffb0 5 bytes JMP 0000000077020370 .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[3996] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076ec0000 5 bytes JMP 0000000077020470 .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[3996] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076ec0010 5 bytes JMP 00000000770203e0 .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[3996] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076ec00c0 5 bytes JMP 0000000077020320 .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[3996] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076ec00f0 5 bytes JMP 00000000770203b0 .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[3996] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076ec0110 5 bytes JMP 0000000077020390 .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[3996] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076ec0150 1 byte JMP 00000000770202e0 .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[3996] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent + 2 0000000076ec0152 3 bytes {JMP 0x160190} .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[3996] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076ec01d0 5 bytes JMP 00000000770202d0 .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[3996] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076ec01f0 5 bytes JMP 0000000077020310 .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[3996] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076ec0230 1 byte JMP 00000000770203c0 .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[3996] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread + 2 0000000076ec0232 3 bytes {JMP 0x160190} .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[3996] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076ec0280 5 bytes JMP 00000000770203f0 .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[3996] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076ec03e0 5 bytes JMP 0000000077020230 .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[3996] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076ec05a0 5 bytes JMP 0000000077020480 .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[3996] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076ec05d0 5 bytes JMP 00000000770203a0 .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[3996] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076ec06b0 5 bytes JMP 00000000770202f0 .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[3996] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076ec06c0 1 byte JMP 0000000077020350 .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[3996] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion + 2 0000000076ec06c2 3 bytes {JMP 0x15fc90} .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[3996] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076ec0720 5 bytes JMP 0000000077020290 .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[3996] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076ec07b0 5 bytes JMP 00000000770202b0 .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[3996] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076ec07d0 5 bytes JMP 00000000770203d0 .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[3996] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076ec07e0 5 bytes JMP 0000000077020330 .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[3996] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076ec0850 5 bytes JMP 0000000077020410 .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[3996] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076ec0880 5 bytes JMP 0000000077020240 .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[3996] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076ec0b40 5 bytes JMP 00000000770201e0 .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[3996] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076ec0c00 5 bytes JMP 0000000077020250 .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[3996] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076ec0c30 5 bytes JMP 0000000077020490 .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[3996] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076ec0c40 5 bytes JMP 00000000770204a0 .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[3996] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076ec0c70 1 byte JMP 0000000077020300 .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[3996] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair + 2 0000000076ec0c72 3 bytes {JMP 0x15f690} .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[3996] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076ec0c80 5 bytes JMP 0000000077020360 .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[3996] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076ec0ce0 5 bytes JMP 00000000770202a0 .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[3996] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076ec0d30 1 byte JMP 00000000770202c0 .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[3996] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore + 2 0000000076ec0d32 3 bytes {JMP 0x15f590} .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[3996] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076ec0d60 5 bytes JMP 0000000077020380 .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[3996] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076ec0d70 5 bytes JMP 0000000077020340 .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[3996] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076ec1060 5 bytes JMP 0000000077020440 .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[3996] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076ec1260 5 bytes JMP 0000000077020260 .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[3996] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076ec1270 5 bytes JMP 0000000077020270 .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[3996] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076ec1280 5 bytes JMP 0000000077020400 .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[3996] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076ec1440 5 bytes JMP 00000000770201f0 .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[3996] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076ec1450 5 bytes JMP 0000000077020210 .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[3996] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076ec14c0 5 bytes JMP 0000000077020200 .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[3996] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076ec1520 5 bytes JMP 0000000077020420 .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[3996] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076ec1530 5 bytes JMP 0000000077020430 .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[3996] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076ec1540 5 bytes JMP 0000000077020220 .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[3996] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076ec1620 5 bytes JMP 0000000077020280 .text C:\Program Files (x86)\MSN Toolbar\Platform\5.0.1438.0\mswinext.exe[3420] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007595b0c5 1 byte [62] .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe[3604] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007595b0c5 1 byte [62] .text C:\Windows\system32\wbem\wmiprvse.exe[3664] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076ebfe00 5 bytes JMP 0000000077020460 .text C:\Windows\system32\wbem\wmiprvse.exe[3664] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076ebfe50 5 bytes JMP 0000000077020450 .text C:\Windows\system32\wbem\wmiprvse.exe[3664] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076ebffb0 5 bytes JMP 0000000077020370 .text C:\Windows\system32\wbem\wmiprvse.exe[3664] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076ec0000 5 bytes JMP 0000000077020470 .text C:\Windows\system32\wbem\wmiprvse.exe[3664] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076ec0010 5 bytes JMP 00000000770203e0 .text C:\Windows\system32\wbem\wmiprvse.exe[3664] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076ec00c0 5 bytes JMP 0000000077020320 .text C:\Windows\system32\wbem\wmiprvse.exe[3664] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076ec00f0 5 bytes JMP 00000000770203b0 .text C:\Windows\system32\wbem\wmiprvse.exe[3664] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076ec0110 5 bytes JMP 0000000077020390 .text C:\Windows\system32\wbem\wmiprvse.exe[3664] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076ec0150 1 byte JMP 00000000770202e0 .text C:\Windows\system32\wbem\wmiprvse.exe[3664] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent + 2 0000000076ec0152 3 bytes {JMP 0x160190} .text C:\Windows\system32\wbem\wmiprvse.exe[3664] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076ec01d0 5 bytes JMP 00000000770202d0 .text C:\Windows\system32\wbem\wmiprvse.exe[3664] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076ec01f0 5 bytes JMP 0000000077020310 .text C:\Windows\system32\wbem\wmiprvse.exe[3664] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076ec0230 1 byte JMP 00000000770203c0 .text C:\Windows\system32\wbem\wmiprvse.exe[3664] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread + 2 0000000076ec0232 3 bytes {JMP 0x160190} .text C:\Windows\system32\wbem\wmiprvse.exe[3664] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076ec0280 5 bytes JMP 00000000770203f0 .text C:\Windows\system32\wbem\wmiprvse.exe[3664] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076ec03e0 5 bytes JMP 0000000077020230 .text C:\Windows\system32\wbem\wmiprvse.exe[3664] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076ec05a0 5 bytes JMP 0000000077020480 .text C:\Windows\system32\wbem\wmiprvse.exe[3664] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076ec05d0 5 bytes JMP 00000000770203a0 .text C:\Windows\system32\wbem\wmiprvse.exe[3664] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076ec06b0 5 bytes JMP 00000000770202f0 .text C:\Windows\system32\wbem\wmiprvse.exe[3664] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076ec06c0 1 byte JMP 0000000077020350 .text C:\Windows\system32\wbem\wmiprvse.exe[3664] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion + 2 0000000076ec06c2 3 bytes {JMP 0x15fc90} .text C:\Windows\system32\wbem\wmiprvse.exe[3664] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076ec0720 5 bytes JMP 0000000077020290 .text C:\Windows\system32\wbem\wmiprvse.exe[3664] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076ec07b0 5 bytes JMP 00000000770202b0 .text C:\Windows\system32\wbem\wmiprvse.exe[3664] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076ec07d0 5 bytes JMP 00000000770203d0 .text C:\Windows\system32\wbem\wmiprvse.exe[3664] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076ec07e0 5 bytes JMP 0000000077020330 .text C:\Windows\system32\wbem\wmiprvse.exe[3664] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076ec0850 5 bytes JMP 0000000077020410 .text C:\Windows\system32\wbem\wmiprvse.exe[3664] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076ec0880 5 bytes JMP 0000000077020240 .text C:\Windows\system32\wbem\wmiprvse.exe[3664] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076ec0b40 5 bytes JMP 00000000770201e0 .text C:\Windows\system32\wbem\wmiprvse.exe[3664] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076ec0c00 5 bytes JMP 0000000077020250 .text C:\Windows\system32\wbem\wmiprvse.exe[3664] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076ec0c30 5 bytes JMP 0000000077020490 .text C:\Windows\system32\wbem\wmiprvse.exe[3664] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076ec0c40 5 bytes JMP 00000000770204a0 .text C:\Windows\system32\wbem\wmiprvse.exe[3664] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076ec0c70 1 byte JMP 0000000077020300 .text C:\Windows\system32\wbem\wmiprvse.exe[3664] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair + 2 0000000076ec0c72 3 bytes {JMP 0x15f690} .text C:\Windows\system32\wbem\wmiprvse.exe[3664] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076ec0c80 5 bytes JMP 0000000077020360 .text C:\Windows\system32\wbem\wmiprvse.exe[3664] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076ec0ce0 5 bytes JMP 00000000770202a0 .text C:\Windows\system32\wbem\wmiprvse.exe[3664] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076ec0d30 1 byte JMP 00000000770202c0 .text C:\Windows\system32\wbem\wmiprvse.exe[3664] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore + 2 0000000076ec0d32 3 bytes {JMP 0x15f590} .text C:\Windows\system32\wbem\wmiprvse.exe[3664] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076ec0d60 5 bytes JMP 0000000077020380 .text C:\Windows\system32\wbem\wmiprvse.exe[3664] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076ec0d70 5 bytes JMP 0000000077020340 .text C:\Windows\system32\wbem\wmiprvse.exe[3664] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076ec1060 5 bytes JMP 0000000077020440 .text C:\Windows\system32\wbem\wmiprvse.exe[3664] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076ec1260 5 bytes JMP 0000000077020260 .text C:\Windows\system32\wbem\wmiprvse.exe[3664] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076ec1270 5 bytes JMP 0000000077020270 .text C:\Windows\system32\wbem\wmiprvse.exe[3664] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076ec1280 5 bytes JMP 0000000077020400 .text C:\Windows\system32\wbem\wmiprvse.exe[3664] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076ec1440 5 bytes JMP 00000000770201f0 .text C:\Windows\system32\wbem\wmiprvse.exe[3664] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076ec1450 5 bytes JMP 0000000077020210 .text C:\Windows\system32\wbem\wmiprvse.exe[3664] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076ec14c0 5 bytes JMP 0000000077020200 .text C:\Windows\system32\wbem\wmiprvse.exe[3664] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076ec1520 5 bytes JMP 0000000077020420 .text C:\Windows\system32\wbem\wmiprvse.exe[3664] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076ec1530 5 bytes JMP 0000000077020430 .text C:\Windows\system32\wbem\wmiprvse.exe[3664] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076ec1540 5 bytes JMP 0000000077020220 .text C:\Windows\system32\wbem\wmiprvse.exe[3664] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076ec1620 5 bytes JMP 0000000077020280 .text C:\Program Files\AVAST Software\Avast\avastui.exe[3404] C:\Windows\syswow64\kernel32.dll!SetUnhandledExceptionFilter 000000007593d03c 8 bytes [31, C0, C2, 04, 00, 90, 90, ...] .text C:\Program Files\AVAST Software\Avast\avastui.exe[3404] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007595b0c5 1 byte [62] .text C:\Program Files\AVAST Software\Avast\avastui.exe[3404] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000077021401 2 bytes JMP 7594eb26 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\AVAST Software\Avast\avastui.exe[3404] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000077021419 2 bytes JMP 7595b513 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\AVAST Software\Avast\avastui.exe[3404] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000077021431 2 bytes JMP 759d8609 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\AVAST Software\Avast\avastui.exe[3404] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007702144a 2 bytes CALL 75931dfa C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files\AVAST Software\Avast\avastui.exe[3404] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000770214dd 2 bytes JMP 759d7efe C:\Windows\syswow64\kernel32.dll .text C:\Program Files\AVAST Software\Avast\avastui.exe[3404] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000770214f5 2 bytes JMP 759d80d8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\AVAST Software\Avast\avastui.exe[3404] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007702150d 2 bytes JMP 759d7df4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\AVAST Software\Avast\avastui.exe[3404] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000077021525 2 bytes JMP 759d81c2 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\AVAST Software\Avast\avastui.exe[3404] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007702153d 2 bytes JMP 7594f088 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\AVAST Software\Avast\avastui.exe[3404] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000077021555 2 bytes JMP 7595b885 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\AVAST Software\Avast\avastui.exe[3404] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007702156d 2 bytes JMP 759d86c1 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\AVAST Software\Avast\avastui.exe[3404] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000077021585 2 bytes JMP 759d8222 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\AVAST Software\Avast\avastui.exe[3404] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007702159d 2 bytes JMP 759d7db8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\AVAST Software\Avast\avastui.exe[3404] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000770215b5 2 bytes JMP 7594f121 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\AVAST Software\Avast\avastui.exe[3404] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000770215cd 2 bytes JMP 7595b29f C:\Windows\syswow64\kernel32.dll .text C:\Program Files\AVAST Software\Avast\avastui.exe[3404] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000770216b2 2 bytes JMP 759d8584 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\AVAST Software\Avast\avastui.exe[3404] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000770216bd 2 bytes JMP 759d7d4d C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[3892] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007595b0c5 1 byte [62] .text C:\Program Files (x86)\BrownyInd\Brother\BrIndicator.exe[992] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007595b0c5 1 byte [62] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[4100] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007595b0c5 1 byte [62] .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4112] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007595b0c5 1 byte [62] .text C:\Windows\System32\svchost.exe[4192] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076ebfe00 5 bytes JMP 0000000077020460 .text C:\Windows\System32\svchost.exe[4192] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076ebfe50 5 bytes JMP 0000000077020450 .text C:\Windows\System32\svchost.exe[4192] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076ebffb0 5 bytes JMP 0000000077020370 .text C:\Windows\System32\svchost.exe[4192] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076ec0000 5 bytes JMP 0000000077020470 .text C:\Windows\System32\svchost.exe[4192] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076ec0010 5 bytes JMP 00000000770203e0 .text C:\Windows\System32\svchost.exe[4192] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076ec00c0 5 bytes JMP 0000000077020320 .text C:\Windows\System32\svchost.exe[4192] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076ec00f0 5 bytes JMP 00000000770203b0 .text C:\Windows\System32\svchost.exe[4192] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076ec0110 5 bytes JMP 0000000077020390 .text C:\Windows\System32\svchost.exe[4192] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076ec0150 1 byte JMP 00000000770202e0 .text C:\Windows\System32\svchost.exe[4192] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent + 2 0000000076ec0152 3 bytes {JMP 0x160190} .text C:\Windows\System32\svchost.exe[4192] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076ec01d0 5 bytes JMP 00000000770202d0 .text C:\Windows\System32\svchost.exe[4192] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076ec01f0 5 bytes JMP 0000000077020310 .text C:\Windows\System32\svchost.exe[4192] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076ec0230 1 byte JMP 00000000770203c0 .text C:\Windows\System32\svchost.exe[4192] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread + 2 0000000076ec0232 3 bytes {JMP 0x160190} .text C:\Windows\System32\svchost.exe[4192] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076ec0280 5 bytes JMP 00000000770203f0 .text C:\Windows\System32\svchost.exe[4192] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076ec03e0 5 bytes JMP 0000000077020230 .text C:\Windows\System32\svchost.exe[4192] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076ec05a0 5 bytes JMP 0000000077020480 .text C:\Windows\System32\svchost.exe[4192] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076ec05d0 5 bytes JMP 00000000770203a0 .text C:\Windows\System32\svchost.exe[4192] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076ec06b0 5 bytes JMP 00000000770202f0 .text C:\Windows\System32\svchost.exe[4192] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076ec06c0 1 byte JMP 0000000077020350 .text C:\Windows\System32\svchost.exe[4192] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion + 2 0000000076ec06c2 3 bytes {JMP 0x15fc90} .text C:\Windows\System32\svchost.exe[4192] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076ec0720 5 bytes JMP 0000000077020290 .text C:\Windows\System32\svchost.exe[4192] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076ec07b0 5 bytes JMP 00000000770202b0 .text C:\Windows\System32\svchost.exe[4192] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076ec07d0 5 bytes JMP 00000000770203d0 .text C:\Windows\System32\svchost.exe[4192] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076ec07e0 5 bytes JMP 0000000077020330 .text C:\Windows\System32\svchost.exe[4192] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076ec0850 5 bytes JMP 0000000077020410 .text C:\Windows\System32\svchost.exe[4192] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076ec0880 5 bytes JMP 0000000077020240 .text C:\Windows\System32\svchost.exe[4192] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076ec0b40 5 bytes JMP 00000000770201e0 .text C:\Windows\System32\svchost.exe[4192] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076ec0c00 5 bytes JMP 0000000077020250 .text C:\Windows\System32\svchost.exe[4192] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076ec0c30 5 bytes JMP 0000000077020490 .text C:\Windows\System32\svchost.exe[4192] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076ec0c40 5 bytes JMP 00000000770204a0 .text C:\Windows\System32\svchost.exe[4192] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076ec0c70 1 byte JMP 0000000077020300 .text C:\Windows\System32\svchost.exe[4192] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair + 2 0000000076ec0c72 3 bytes {JMP 0x15f690} .text C:\Windows\System32\svchost.exe[4192] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076ec0c80 5 bytes JMP 0000000077020360 .text C:\Windows\System32\svchost.exe[4192] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076ec0ce0 5 bytes JMP 00000000770202a0 .text C:\Windows\System32\svchost.exe[4192] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076ec0d30 1 byte JMP 00000000770202c0 .text C:\Windows\System32\svchost.exe[4192] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore + 2 0000000076ec0d32 3 bytes {JMP 0x15f590} .text C:\Windows\System32\svchost.exe[4192] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076ec0d60 5 bytes JMP 0000000077020380 .text C:\Windows\System32\svchost.exe[4192] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076ec0d70 5 bytes JMP 0000000077020340 .text C:\Windows\System32\svchost.exe[4192] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076ec1060 5 bytes JMP 0000000077020440 .text C:\Windows\System32\svchost.exe[4192] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076ec1260 5 bytes JMP 0000000077020260 .text C:\Windows\System32\svchost.exe[4192] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076ec1270 5 bytes JMP 0000000077020270 .text C:\Windows\System32\svchost.exe[4192] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076ec1280 5 bytes JMP 0000000077020400 .text C:\Windows\System32\svchost.exe[4192] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076ec1440 5 bytes JMP 00000000770201f0 .text C:\Windows\System32\svchost.exe[4192] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076ec1450 5 bytes JMP 0000000077020210 .text C:\Windows\System32\svchost.exe[4192] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076ec14c0 5 bytes JMP 0000000077020200 .text C:\Windows\System32\svchost.exe[4192] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076ec1520 5 bytes JMP 0000000077020420 .text C:\Windows\System32\svchost.exe[4192] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076ec1530 5 bytes JMP 0000000077020430 .text C:\Windows\System32\svchost.exe[4192] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076ec1540 5 bytes JMP 0000000077020220 .text C:\Windows\System32\svchost.exe[4192] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076ec1620 5 bytes JMP 0000000077020280 .text C:\Windows\System32\svchost.exe[4192] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076daf1bd 1 byte [62] .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe[4404] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007595b0c5 1 byte [62] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4488] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076daf1bd 1 byte [62] .text C:\Windows\system32\wbem\unsecapp.exe[4916] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076ebfe00 5 bytes JMP 0000000077020460 .text C:\Windows\system32\wbem\unsecapp.exe[4916] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076ebfe50 5 bytes JMP 0000000077020450 .text C:\Windows\system32\wbem\unsecapp.exe[4916] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076ebffb0 5 bytes JMP 0000000077020370 .text C:\Windows\system32\wbem\unsecapp.exe[4916] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076ec0000 5 bytes JMP 0000000077020470 .text C:\Windows\system32\wbem\unsecapp.exe[4916] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076ec0010 5 bytes JMP 00000000770203e0 .text C:\Windows\system32\wbem\unsecapp.exe[4916] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076ec00c0 5 bytes JMP 0000000077020320 .text C:\Windows\system32\wbem\unsecapp.exe[4916] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076ec00f0 5 bytes JMP 00000000770203b0 .text C:\Windows\system32\wbem\unsecapp.exe[4916] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076ec0110 5 bytes JMP 0000000077020390 .text C:\Windows\system32\wbem\unsecapp.exe[4916] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076ec0150 1 byte JMP 00000000770202e0 .text C:\Windows\system32\wbem\unsecapp.exe[4916] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent + 2 0000000076ec0152 3 bytes {JMP 0x160190} .text C:\Windows\system32\wbem\unsecapp.exe[4916] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076ec01d0 5 bytes JMP 00000000770202d0 .text C:\Windows\system32\wbem\unsecapp.exe[4916] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076ec01f0 5 bytes JMP 0000000077020310 .text C:\Windows\system32\wbem\unsecapp.exe[4916] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076ec0230 1 byte JMP 00000000770203c0 .text C:\Windows\system32\wbem\unsecapp.exe[4916] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread + 2 0000000076ec0232 3 bytes {JMP 0x160190} .text C:\Windows\system32\wbem\unsecapp.exe[4916] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076ec0280 5 bytes JMP 00000000770203f0 .text C:\Windows\system32\wbem\unsecapp.exe[4916] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076ec03e0 5 bytes JMP 0000000077020230 .text C:\Windows\system32\wbem\unsecapp.exe[4916] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076ec05a0 5 bytes JMP 0000000077020480 .text C:\Windows\system32\wbem\unsecapp.exe[4916] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076ec05d0 5 bytes JMP 00000000770203a0 .text C:\Windows\system32\wbem\unsecapp.exe[4916] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076ec06b0 5 bytes JMP 00000000770202f0 .text C:\Windows\system32\wbem\unsecapp.exe[4916] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076ec06c0 1 byte JMP 0000000077020350 .text C:\Windows\system32\wbem\unsecapp.exe[4916] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion + 2 0000000076ec06c2 3 bytes {JMP 0x15fc90} .text C:\Windows\system32\wbem\unsecapp.exe[4916] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076ec0720 5 bytes JMP 0000000077020290 .text C:\Windows\system32\wbem\unsecapp.exe[4916] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076ec07b0 5 bytes JMP 00000000770202b0 .text C:\Windows\system32\wbem\unsecapp.exe[4916] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076ec07d0 5 bytes JMP 00000000770203d0 .text C:\Windows\system32\wbem\unsecapp.exe[4916] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076ec07e0 5 bytes JMP 0000000077020330 .text C:\Windows\system32\wbem\unsecapp.exe[4916] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076ec0850 5 bytes JMP 0000000077020410 .text C:\Windows\system32\wbem\unsecapp.exe[4916] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076ec0880 5 bytes JMP 0000000077020240 .text C:\Windows\system32\wbem\unsecapp.exe[4916] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076ec0b40 5 bytes JMP 00000000770201e0 .text C:\Windows\system32\wbem\unsecapp.exe[4916] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076ec0c00 5 bytes JMP 0000000077020250 .text C:\Windows\system32\wbem\unsecapp.exe[4916] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076ec0c30 5 bytes JMP 0000000077020490 .text C:\Windows\system32\wbem\unsecapp.exe[4916] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076ec0c40 5 bytes JMP 00000000770204a0 .text C:\Windows\system32\wbem\unsecapp.exe[4916] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076ec0c70 1 byte JMP 0000000077020300 .text C:\Windows\system32\wbem\unsecapp.exe[4916] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair + 2 0000000076ec0c72 3 bytes {JMP 0x15f690} .text C:\Windows\system32\wbem\unsecapp.exe[4916] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076ec0c80 5 bytes JMP 0000000077020360 .text C:\Windows\system32\wbem\unsecapp.exe[4916] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076ec0ce0 5 bytes JMP 00000000770202a0 .text C:\Windows\system32\wbem\unsecapp.exe[4916] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076ec0d30 1 byte JMP 00000000770202c0 .text C:\Windows\system32\wbem\unsecapp.exe[4916] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore + 2 0000000076ec0d32 3 bytes {JMP 0x15f590} .text C:\Windows\system32\wbem\unsecapp.exe[4916] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076ec0d60 5 bytes JMP 0000000077020380 .text C:\Windows\system32\wbem\unsecapp.exe[4916] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076ec0d70 5 bytes JMP 0000000077020340 .text C:\Windows\system32\wbem\unsecapp.exe[4916] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076ec1060 5 bytes JMP 0000000077020440 .text C:\Windows\system32\wbem\unsecapp.exe[4916] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076ec1260 5 bytes JMP 0000000077020260 .text C:\Windows\system32\wbem\unsecapp.exe[4916] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076ec1270 5 bytes JMP 0000000077020270 .text C:\Windows\system32\wbem\unsecapp.exe[4916] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076ec1280 5 bytes JMP 0000000077020400 .text C:\Windows\system32\wbem\unsecapp.exe[4916] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076ec1440 5 bytes JMP 00000000770201f0 .text C:\Windows\system32\wbem\unsecapp.exe[4916] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076ec1450 5 bytes JMP 0000000077020210 .text C:\Windows\system32\wbem\unsecapp.exe[4916] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076ec14c0 5 bytes JMP 0000000077020200 .text C:\Windows\system32\wbem\unsecapp.exe[4916] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076ec1520 5 bytes JMP 0000000077020420 .text C:\Windows\system32\wbem\unsecapp.exe[4916] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076ec1530 5 bytes JMP 0000000077020430 .text C:\Windows\system32\wbem\unsecapp.exe[4916] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076ec1540 5 bytes JMP 0000000077020220 .text C:\Windows\system32\wbem\unsecapp.exe[4916] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076ec1620 5 bytes JMP 0000000077020280 .text C:\Windows\system32\DllHost.exe[4480] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076ebfe00 5 bytes JMP 0000000077020460 .text C:\Windows\system32\DllHost.exe[4480] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076ebfe50 5 bytes JMP 0000000077020450 .text C:\Windows\system32\DllHost.exe[4480] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076ebffb0 5 bytes JMP 0000000077020370 .text C:\Windows\system32\DllHost.exe[4480] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076ec0000 5 bytes JMP 0000000077020470 .text C:\Windows\system32\DllHost.exe[4480] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076ec0010 5 bytes JMP 00000000770203e0 .text C:\Windows\system32\DllHost.exe[4480] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076ec00c0 5 bytes JMP 0000000077020320 .text C:\Windows\system32\DllHost.exe[4480] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076ec00f0 5 bytes JMP 00000000770203b0 .text C:\Windows\system32\DllHost.exe[4480] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076ec0110 5 bytes JMP 0000000077020390 .text C:\Windows\system32\DllHost.exe[4480] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076ec0150 1 byte JMP 00000000770202e0 .text C:\Windows\system32\DllHost.exe[4480] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent + 2 0000000076ec0152 3 bytes {JMP 0x160190} .text C:\Windows\system32\DllHost.exe[4480] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076ec01d0 5 bytes JMP 00000000770202d0 .text C:\Windows\system32\DllHost.exe[4480] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076ec01f0 5 bytes JMP 0000000077020310 .text C:\Windows\system32\DllHost.exe[4480] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076ec0230 1 byte JMP 00000000770203c0 .text C:\Windows\system32\DllHost.exe[4480] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread + 2 0000000076ec0232 3 bytes {JMP 0x160190} .text C:\Windows\system32\DllHost.exe[4480] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076ec0280 5 bytes JMP 00000000770203f0 .text C:\Windows\system32\DllHost.exe[4480] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076ec03e0 5 bytes JMP 0000000077020230 .text C:\Windows\system32\DllHost.exe[4480] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076ec05a0 5 bytes JMP 0000000077020480 .text C:\Windows\system32\DllHost.exe[4480] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076ec05d0 5 bytes JMP 00000000770203a0 .text C:\Windows\system32\DllHost.exe[4480] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076ec06b0 5 bytes JMP 00000000770202f0 .text C:\Windows\system32\DllHost.exe[4480] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076ec06c0 1 byte JMP 0000000077020350 .text C:\Windows\system32\DllHost.exe[4480] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion + 2 0000000076ec06c2 3 bytes {JMP 0x15fc90} .text C:\Windows\system32\DllHost.exe[4480] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076ec0720 5 bytes JMP 0000000077020290 .text C:\Windows\system32\DllHost.exe[4480] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076ec07b0 5 bytes JMP 00000000770202b0 .text C:\Windows\system32\DllHost.exe[4480] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076ec07d0 5 bytes JMP 00000000770203d0 .text C:\Windows\system32\DllHost.exe[4480] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076ec07e0 5 bytes JMP 0000000077020330 .text C:\Windows\system32\DllHost.exe[4480] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076ec0850 5 bytes JMP 0000000077020410 .text C:\Windows\system32\DllHost.exe[4480] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076ec0880 5 bytes JMP 0000000077020240 .text C:\Windows\system32\DllHost.exe[4480] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076ec0b40 5 bytes JMP 00000000770201e0 .text C:\Windows\system32\DllHost.exe[4480] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076ec0c00 5 bytes JMP 0000000077020250 .text C:\Windows\system32\DllHost.exe[4480] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076ec0c30 5 bytes JMP 0000000077020490 .text C:\Windows\system32\DllHost.exe[4480] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076ec0c40 5 bytes JMP 00000000770204a0 .text C:\Windows\system32\DllHost.exe[4480] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076ec0c70 1 byte JMP 0000000077020300 .text C:\Windows\system32\DllHost.exe[4480] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair + 2 0000000076ec0c72 3 bytes {JMP 0x15f690} .text C:\Windows\system32\DllHost.exe[4480] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076ec0c80 5 bytes JMP 0000000077020360 .text C:\Windows\system32\DllHost.exe[4480] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076ec0ce0 5 bytes JMP 00000000770202a0 .text C:\Windows\system32\DllHost.exe[4480] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076ec0d30 1 byte JMP 00000000770202c0 .text C:\Windows\system32\DllHost.exe[4480] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore + 2 0000000076ec0d32 3 bytes {JMP 0x15f590} .text C:\Windows\system32\DllHost.exe[4480] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076ec0d60 5 bytes JMP 0000000077020380 .text C:\Windows\system32\DllHost.exe[4480] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076ec0d70 5 bytes JMP 0000000077020340 .text C:\Windows\system32\DllHost.exe[4480] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076ec1060 5 bytes JMP 0000000077020440 .text C:\Windows\system32\DllHost.exe[4480] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076ec1260 5 bytes JMP 0000000077020260 .text C:\Windows\system32\DllHost.exe[4480] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076ec1270 5 bytes JMP 0000000077020270 .text C:\Windows\system32\DllHost.exe[4480] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076ec1280 5 bytes JMP 0000000077020400 .text C:\Windows\system32\DllHost.exe[4480] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076ec1440 5 bytes JMP 00000000770201f0 .text C:\Windows\system32\DllHost.exe[4480] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076ec1450 5 bytes JMP 0000000077020210 .text C:\Windows\system32\DllHost.exe[4480] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076ec14c0 5 bytes JMP 0000000077020200 .text C:\Windows\system32\DllHost.exe[4480] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076ec1520 5 bytes JMP 0000000077020420 .text C:\Windows\system32\DllHost.exe[4480] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076ec1530 5 bytes JMP 0000000077020430 .text C:\Windows\system32\DllHost.exe[4480] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076ec1540 5 bytes JMP 0000000077020220 .text C:\Windows\system32\DllHost.exe[4480] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076ec1620 5 bytes JMP 0000000077020280 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076ebfe00 5 bytes JMP 0000000100240460 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076ebfe50 5 bytes JMP 0000000100240450 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076ebffb0 5 bytes JMP 0000000100240370 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076ec0000 5 bytes JMP 0000000100240470 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076ec0010 5 bytes JMP 00000001002403e0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076ec00c0 5 bytes JMP 0000000100240320 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076ec00f0 5 bytes JMP 00000001002403b0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076ec0110 5 bytes JMP 0000000100240390 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076ec0150 1 byte JMP 00000001002402e0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent + 2 0000000076ec0152 3 bytes {JMP 0xffffffff89380190} .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076ec01d0 5 bytes JMP 00000001002402d0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076ec01f0 5 bytes JMP 0000000100240310 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076ec0230 1 byte JMP 00000001002403c0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread + 2 0000000076ec0232 3 bytes {JMP 0xffffffff89380190} .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076ec0280 5 bytes JMP 00000001002403f0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076ec03e0 5 bytes JMP 0000000100240230 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076ec05a0 5 bytes JMP 0000000100240480 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076ec05d0 5 bytes JMP 00000001002403a0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076ec06b0 5 bytes JMP 00000001002402f0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076ec06c0 1 byte JMP 0000000100240350 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion + 2 0000000076ec06c2 3 bytes {JMP 0xffffffff8937fc90} .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076ec0720 5 bytes JMP 0000000100240290 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076ec07b0 5 bytes JMP 00000001002402b0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076ec07d0 5 bytes JMP 00000001002403d0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076ec07e0 5 bytes JMP 0000000100240330 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076ec0850 5 bytes JMP 0000000100240410 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076ec0880 5 bytes JMP 0000000100240240 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076ec0b40 5 bytes JMP 00000001002401e0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076ec0c00 5 bytes JMP 0000000100240250 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076ec0c30 5 bytes JMP 0000000100240490 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076ec0c40 5 bytes JMP 00000001002404a0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076ec0c70 1 byte JMP 0000000100240300 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair + 2 0000000076ec0c72 3 bytes {JMP 0xffffffff8937f690} .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076ec0c80 5 bytes JMP 0000000100240360 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076ec0ce0 5 bytes JMP 00000001002402a0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076ec0d30 1 byte JMP 00000001002402c0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore + 2 0000000076ec0d32 3 bytes {JMP 0xffffffff8937f590} .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076ec0d60 5 bytes JMP 0000000100240380 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076ec0d70 5 bytes JMP 0000000100240340 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076ec1060 5 bytes JMP 0000000100240440 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076ec1260 5 bytes JMP 0000000100240260 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076ec1270 5 bytes JMP 0000000100240270 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076ec1280 5 bytes JMP 0000000100240400 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076ec1440 5 bytes JMP 00000001002401f0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076ec1450 5 bytes JMP 0000000100240210 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076ec14c0 5 bytes JMP 0000000100240200 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076ec1520 5 bytes JMP 0000000100240420 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076ec1530 5 bytes JMP 0000000100240430 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076ec1540 5 bytes JMP 0000000100240220 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076ec1620 5 bytes JMP 0000000100240280 .text C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Service.exe[3748] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076ebfe00 5 bytes JMP 0000000077020460 .text C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Service.exe[3748] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076ebfe50 5 bytes JMP 0000000077020450 .text C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Service.exe[3748] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076ebffb0 5 bytes JMP 0000000077020370 .text C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Service.exe[3748] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076ec0000 5 bytes JMP 0000000077020470 .text C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Service.exe[3748] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076ec0010 5 bytes JMP 00000000770203e0 .text C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Service.exe[3748] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076ec00c0 5 bytes JMP 0000000077020320 .text C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Service.exe[3748] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076ec00f0 5 bytes JMP 00000000770203b0 .text C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Service.exe[3748] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076ec0110 5 bytes JMP 0000000077020390 .text C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Service.exe[3748] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076ec0150 1 byte JMP 00000000770202e0 .text C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Service.exe[3748] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent + 2 0000000076ec0152 3 bytes {JMP 0x160190} .text C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Service.exe[3748] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076ec01d0 5 bytes JMP 00000000770202d0 .text C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Service.exe[3748] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076ec01f0 5 bytes JMP 0000000077020310 .text C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Service.exe[3748] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076ec0230 1 byte JMP 00000000770203c0 .text C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Service.exe[3748] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread + 2 0000000076ec0232 3 bytes {JMP 0x160190} .text C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Service.exe[3748] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076ec0280 5 bytes JMP 00000000770203f0 .text C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Service.exe[3748] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076ec03e0 5 bytes JMP 0000000077020230 .text C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Service.exe[3748] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076ec05a0 5 bytes JMP 0000000077020480 .text C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Service.exe[3748] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076ec05d0 5 bytes JMP 00000000770203a0 .text C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Service.exe[3748] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076ec06b0 5 bytes JMP 00000000770202f0 .text C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Service.exe[3748] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076ec06c0 1 byte JMP 0000000077020350 .text C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Service.exe[3748] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion + 2 0000000076ec06c2 3 bytes {JMP 0x15fc90} .text C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Service.exe[3748] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076ec0720 5 bytes JMP 0000000077020290 .text C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Service.exe[3748] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076ec07b0 5 bytes JMP 00000000770202b0 .text C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Service.exe[3748] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076ec07d0 5 bytes JMP 00000000770203d0 .text C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Service.exe[3748] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076ec07e0 5 bytes JMP 0000000077020330 .text C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Service.exe[3748] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076ec0850 5 bytes JMP 0000000077020410 .text C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Service.exe[3748] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076ec0880 5 bytes JMP 0000000077020240 .text C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Service.exe[3748] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076ec0b40 5 bytes JMP 00000000770201e0 .text C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Service.exe[3748] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076ec0c00 5 bytes JMP 0000000077020250 .text C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Service.exe[3748] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076ec0c30 5 bytes JMP 0000000077020490 .text C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Service.exe[3748] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076ec0c40 5 bytes JMP 00000000770204a0 .text C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Service.exe[3748] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076ec0c70 1 byte JMP 0000000077020300 .text C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Service.exe[3748] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair + 2 0000000076ec0c72 3 bytes {JMP 0x15f690} .text C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Service.exe[3748] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076ec0c80 5 bytes JMP 0000000077020360 .text C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Service.exe[3748] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076ec0ce0 5 bytes JMP 00000000770202a0 .text C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Service.exe[3748] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076ec0d30 1 byte JMP 00000000770202c0 .text C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Service.exe[3748] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore + 2 0000000076ec0d32 3 bytes {JMP 0x15f590} .text C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Service.exe[3748] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076ec0d60 5 bytes JMP 0000000077020380 .text C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Service.exe[3748] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076ec0d70 5 bytes JMP 0000000077020340 .text C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Service.exe[3748] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076ec1060 5 bytes JMP 0000000077020440 .text C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Service.exe[3748] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076ec1260 5 bytes JMP 0000000077020260 .text C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Service.exe[3748] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076ec1270 5 bytes JMP 0000000077020270 .text C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Service.exe[3748] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076ec1280 5 bytes JMP 0000000077020400 .text C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Service.exe[3748] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076ec1440 5 bytes JMP 00000000770201f0 .text C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Service.exe[3748] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076ec1450 5 bytes JMP 0000000077020210 .text C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Service.exe[3748] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076ec14c0 5 bytes JMP 0000000077020200 .text C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Service.exe[3748] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076ec1520 5 bytes JMP 0000000077020420 .text C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Service.exe[3748] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076ec1530 5 bytes JMP 0000000077020430 .text C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Service.exe[3748] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076ec1540 5 bytes JMP 0000000077020220 .text C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Service.exe[3748] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076ec1620 5 bytes JMP 0000000077020280 .text C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Service.exe[3748] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 0000000076daf1bd 1 byte [62] .text C:\Program Files\Realtek\RtVOsd\RtVOsdService.exe[3816] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076ebfe00 5 bytes JMP 0000000077020460 .text C:\Program Files\Realtek\RtVOsd\RtVOsdService.exe[3816] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076ebfe50 5 bytes JMP 0000000077020450 .text C:\Program Files\Realtek\RtVOsd\RtVOsdService.exe[3816] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076ebffb0 5 bytes JMP 0000000077020370 .text C:\Program Files\Realtek\RtVOsd\RtVOsdService.exe[3816] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076ec0000 5 bytes JMP 0000000077020470 .text C:\Program Files\Realtek\RtVOsd\RtVOsdService.exe[3816] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076ec0010 5 bytes JMP 00000000770203e0 .text C:\Program Files\Realtek\RtVOsd\RtVOsdService.exe[3816] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076ec00c0 5 bytes JMP 0000000077020320 .text C:\Program Files\Realtek\RtVOsd\RtVOsdService.exe[3816] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076ec00f0 5 bytes JMP 00000000770203b0 .text C:\Program Files\Realtek\RtVOsd\RtVOsdService.exe[3816] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076ec0110 5 bytes JMP 0000000077020390 .text C:\Program Files\Realtek\RtVOsd\RtVOsdService.exe[3816] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076ec0150 1 byte JMP 00000000770202e0 .text C:\Program Files\Realtek\RtVOsd\RtVOsdService.exe[3816] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent + 2 0000000076ec0152 3 bytes {JMP 0x160190} .text C:\Program Files\Realtek\RtVOsd\RtVOsdService.exe[3816] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076ec01d0 5 bytes JMP 00000000770202d0 .text C:\Program Files\Realtek\RtVOsd\RtVOsdService.exe[3816] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076ec01f0 5 bytes JMP 0000000077020310 .text C:\Program Files\Realtek\RtVOsd\RtVOsdService.exe[3816] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076ec0230 1 byte JMP 00000000770203c0 .text C:\Program Files\Realtek\RtVOsd\RtVOsdService.exe[3816] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread + 2 0000000076ec0232 3 bytes {JMP 0x160190} .text C:\Program Files\Realtek\RtVOsd\RtVOsdService.exe[3816] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076ec0280 5 bytes JMP 00000000770203f0 .text C:\Program Files\Realtek\RtVOsd\RtVOsdService.exe[3816] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076ec03e0 5 bytes JMP 0000000077020230 .text C:\Program Files\Realtek\RtVOsd\RtVOsdService.exe[3816] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076ec05a0 5 bytes JMP 0000000077020480 .text C:\Program Files\Realtek\RtVOsd\RtVOsdService.exe[3816] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076ec05d0 5 bytes JMP 00000000770203a0 .text C:\Program Files\Realtek\RtVOsd\RtVOsdService.exe[3816] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076ec06b0 5 bytes JMP 00000000770202f0 .text C:\Program Files\Realtek\RtVOsd\RtVOsdService.exe[3816] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076ec06c0 1 byte JMP 0000000077020350 .text C:\Program Files\Realtek\RtVOsd\RtVOsdService.exe[3816] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion + 2 0000000076ec06c2 3 bytes {JMP 0x15fc90} .text C:\Program Files\Realtek\RtVOsd\RtVOsdService.exe[3816] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076ec0720 5 bytes JMP 0000000077020290 .text C:\Program Files\Realtek\RtVOsd\RtVOsdService.exe[3816] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076ec07b0 5 bytes JMP 00000000770202b0 .text C:\Program Files\Realtek\RtVOsd\RtVOsdService.exe[3816] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076ec07d0 5 bytes JMP 00000000770203d0 .text C:\Program Files\Realtek\RtVOsd\RtVOsdService.exe[3816] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076ec07e0 5 bytes JMP 0000000077020330 .text C:\Program Files\Realtek\RtVOsd\RtVOsdService.exe[3816] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076ec0850 5 bytes JMP 0000000077020410 .text C:\Program Files\Realtek\RtVOsd\RtVOsdService.exe[3816] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076ec0880 5 bytes JMP 0000000077020240 .text C:\Program Files\Realtek\RtVOsd\RtVOsdService.exe[3816] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076ec0b40 5 bytes JMP 00000000770201e0 .text C:\Program Files\Realtek\RtVOsd\RtVOsdService.exe[3816] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076ec0c00 5 bytes JMP 0000000077020250 .text C:\Program Files\Realtek\RtVOsd\RtVOsdService.exe[3816] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076ec0c30 5 bytes JMP 0000000077020490 .text C:\Program Files\Realtek\RtVOsd\RtVOsdService.exe[3816] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076ec0c40 5 bytes JMP 00000000770204a0 .text C:\Program Files\Realtek\RtVOsd\RtVOsdService.exe[3816] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076ec0c70 1 byte JMP 0000000077020300 .text C:\Program Files\Realtek\RtVOsd\RtVOsdService.exe[3816] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair + 2 0000000076ec0c72 3 bytes {JMP 0x15f690} .text C:\Program Files\Realtek\RtVOsd\RtVOsdService.exe[3816] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076ec0c80 5 bytes JMP 0000000077020360 .text C:\Program Files\Realtek\RtVOsd\RtVOsdService.exe[3816] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076ec0ce0 5 bytes JMP 00000000770202a0 .text C:\Program Files\Realtek\RtVOsd\RtVOsdService.exe[3816] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076ec0d30 1 byte JMP 00000000770202c0 .text C:\Program Files\Realtek\RtVOsd\RtVOsdService.exe[3816] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore + 2 0000000076ec0d32 3 bytes {JMP 0x15f590} .text C:\Program Files\Realtek\RtVOsd\RtVOsdService.exe[3816] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076ec0d60 5 bytes JMP 0000000077020380 .text C:\Program Files\Realtek\RtVOsd\RtVOsdService.exe[3816] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076ec0d70 5 bytes JMP 0000000077020340 .text C:\Program Files\Realtek\RtVOsd\RtVOsdService.exe[3816] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076ec1060 5 bytes JMP 0000000077020440 .text C:\Program Files\Realtek\RtVOsd\RtVOsdService.exe[3816] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076ec1260 5 bytes JMP 0000000077020260 .text C:\Program Files\Realtek\RtVOsd\RtVOsdService.exe[3816] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076ec1270 5 bytes JMP 0000000077020270 .text C:\Program Files\Realtek\RtVOsd\RtVOsdService.exe[3816] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076ec1280 5 bytes JMP 0000000077020400 .text C:\Program Files\Realtek\RtVOsd\RtVOsdService.exe[3816] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076ec1440 5 bytes JMP 00000000770201f0 .text C:\Program Files\Realtek\RtVOsd\RtVOsdService.exe[3816] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076ec1450 5 bytes JMP 0000000077020210 .text C:\Program Files\Realtek\RtVOsd\RtVOsdService.exe[3816] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076ec14c0 5 bytes JMP 0000000077020200 .text C:\Program Files\Realtek\RtVOsd\RtVOsdService.exe[3816] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076ec1520 5 bytes JMP 0000000077020420 .text C:\Program Files\Realtek\RtVOsd\RtVOsdService.exe[3816] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076ec1530 5 bytes JMP 0000000077020430 .text C:\Program Files\Realtek\RtVOsd\RtVOsdService.exe[3816] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076ec1540 5 bytes JMP 0000000077020220 .text C:\Program Files\Realtek\RtVOsd\RtVOsdService.exe[3816] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076ec1620 5 bytes JMP 0000000077020280 .text C:\Program Files\Realtek\RtVOsd\RtVOsdService.exe[3816] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 0000000076daf1bd 1 byte [62] .text C:\Windows\System32\svchost.exe[4448] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076ebfe00 5 bytes JMP 0000000100070460 .text C:\Windows\System32\svchost.exe[4448] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076ebfe50 5 bytes JMP 0000000100070450 .text C:\Windows\System32\svchost.exe[4448] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076ebffb0 5 bytes JMP 0000000100070370 .text C:\Windows\System32\svchost.exe[4448] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076ec0000 5 bytes JMP 0000000100070470 .text C:\Windows\System32\svchost.exe[4448] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076ec0010 5 bytes JMP 00000001000703e0 .text C:\Windows\System32\svchost.exe[4448] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076ec00c0 5 bytes JMP 0000000100070320 .text C:\Windows\System32\svchost.exe[4448] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076ec00f0 5 bytes JMP 00000001000703b0 .text C:\Windows\System32\svchost.exe[4448] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076ec0110 5 bytes JMP 0000000100070390 .text C:\Windows\System32\svchost.exe[4448] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076ec0150 1 byte JMP 00000001000702e0 .text C:\Windows\System32\svchost.exe[4448] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent + 2 0000000076ec0152 3 bytes {JMP 0xffffffff891b0190} .text C:\Windows\System32\svchost.exe[4448] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076ec01d0 5 bytes JMP 00000001000702d0 .text C:\Windows\System32\svchost.exe[4448] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076ec01f0 5 bytes JMP 0000000100070310 .text C:\Windows\System32\svchost.exe[4448] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076ec0230 1 byte JMP 00000001000703c0 .text C:\Windows\System32\svchost.exe[4448] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread + 2 0000000076ec0232 3 bytes {JMP 0xffffffff891b0190} .text C:\Windows\System32\svchost.exe[4448] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076ec0280 5 bytes JMP 00000001000703f0 .text C:\Windows\System32\svchost.exe[4448] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076ec03e0 5 bytes JMP 0000000100070230 .text C:\Windows\System32\svchost.exe[4448] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076ec05a0 5 bytes JMP 0000000100070480 .text C:\Windows\System32\svchost.exe[4448] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076ec05d0 5 bytes JMP 00000001000703a0 .text C:\Windows\System32\svchost.exe[4448] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076ec06b0 5 bytes JMP 00000001000702f0 .text C:\Windows\System32\svchost.exe[4448] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076ec06c0 1 byte JMP 0000000100070350 .text C:\Windows\System32\svchost.exe[4448] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion + 2 0000000076ec06c2 3 bytes {JMP 0xffffffff891afc90} .text C:\Windows\System32\svchost.exe[4448] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076ec0720 5 bytes JMP 0000000100070290 .text C:\Windows\System32\svchost.exe[4448] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076ec07b0 5 bytes JMP 00000001000702b0 .text C:\Windows\System32\svchost.exe[4448] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076ec07d0 5 bytes JMP 00000001000703d0 .text C:\Windows\System32\svchost.exe[4448] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076ec07e0 5 bytes JMP 0000000100070330 .text C:\Windows\System32\svchost.exe[4448] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076ec0850 5 bytes JMP 0000000100070410 .text C:\Windows\System32\svchost.exe[4448] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076ec0880 5 bytes JMP 0000000100070240 .text C:\Windows\System32\svchost.exe[4448] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076ec0b40 5 bytes JMP 00000001000701e0 .text C:\Windows\System32\svchost.exe[4448] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076ec0c00 5 bytes JMP 0000000100070250 .text C:\Windows\System32\svchost.exe[4448] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076ec0c30 5 bytes JMP 0000000100070490 .text C:\Windows\System32\svchost.exe[4448] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076ec0c40 5 bytes JMP 00000001000704a0 .text C:\Windows\System32\svchost.exe[4448] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076ec0c70 1 byte JMP 0000000100070300 .text C:\Windows\System32\svchost.exe[4448] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair + 2 0000000076ec0c72 3 bytes {JMP 0xffffffff891af690} .text C:\Windows\System32\svchost.exe[4448] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076ec0c80 5 bytes JMP 0000000100070360 .text C:\Windows\System32\svchost.exe[4448] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076ec0ce0 5 bytes JMP 00000001000702a0 .text C:\Windows\System32\svchost.exe[4448] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076ec0d30 1 byte JMP 00000001000702c0 .text C:\Windows\System32\svchost.exe[4448] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore + 2 0000000076ec0d32 3 bytes {JMP 0xffffffff891af590} .text C:\Windows\System32\svchost.exe[4448] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076ec0d60 5 bytes JMP 0000000100070380 .text C:\Windows\System32\svchost.exe[4448] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076ec0d70 5 bytes JMP 0000000100070340 .text C:\Windows\System32\svchost.exe[4448] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076ec1060 5 bytes JMP 0000000100070440 .text C:\Windows\System32\svchost.exe[4448] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076ec1260 5 bytes JMP 0000000100070260 .text C:\Windows\System32\svchost.exe[4448] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076ec1270 5 bytes JMP 0000000100070270 .text C:\Windows\System32\svchost.exe[4448] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076ec1280 5 bytes JMP 0000000100070400 .text C:\Windows\System32\svchost.exe[4448] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076ec1440 5 bytes JMP 00000001000701f0 .text C:\Windows\System32\svchost.exe[4448] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076ec1450 5 bytes JMP 0000000100070210 .text C:\Windows\System32\svchost.exe[4448] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076ec14c0 5 bytes JMP 0000000100070200 .text C:\Windows\System32\svchost.exe[4448] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076ec1520 5 bytes JMP 0000000100070420 .text C:\Windows\System32\svchost.exe[4448] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076ec1530 5 bytes JMP 0000000100070430 .text C:\Windows\System32\svchost.exe[4448] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076ec1540 5 bytes JMP 0000000100070220 .text C:\Windows\System32\svchost.exe[4448] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076ec1620 5 bytes JMP 0000000100070280 .text C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Main.exe[2844] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076ebfe00 5 bytes JMP 0000000100170460 .text C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Main.exe[2844] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076ebfe50 5 bytes JMP 0000000100170450 .text C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Main.exe[2844] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076ebffb0 5 bytes JMP 0000000100170370 .text C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Main.exe[2844] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076ec0000 5 bytes JMP 0000000100170470 .text C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Main.exe[2844] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076ec0010 5 bytes JMP 00000001001703e0 .text C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Main.exe[2844] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076ec00c0 5 bytes JMP 0000000100170320 .text C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Main.exe[2844] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076ec00f0 5 bytes JMP 00000001001703b0 .text C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Main.exe[2844] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076ec0110 5 bytes JMP 0000000100170390 .text C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Main.exe[2844] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076ec0150 1 byte JMP 00000001001702e0 .text C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Main.exe[2844] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent + 2 0000000076ec0152 3 bytes {JMP 0xffffffff892b0190} .text C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Main.exe[2844] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076ec01d0 5 bytes JMP 00000001001702d0 .text C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Main.exe[2844] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076ec01f0 5 bytes JMP 0000000100170310 .text C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Main.exe[2844] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076ec0230 1 byte JMP 00000001001703c0 .text C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Main.exe[2844] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread + 2 0000000076ec0232 3 bytes {JMP 0xffffffff892b0190} .text C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Main.exe[2844] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076ec0280 5 bytes JMP 00000001001703f0 .text C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Main.exe[2844] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076ec03e0 5 bytes JMP 0000000100170230 .text C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Main.exe[2844] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076ec05a0 5 bytes JMP 0000000100170480 .text C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Main.exe[2844] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076ec05d0 5 bytes JMP 00000001001703a0 .text C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Main.exe[2844] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076ec06b0 5 bytes JMP 00000001001702f0 .text C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Main.exe[2844] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076ec06c0 1 byte JMP 0000000100170350 .text C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Main.exe[2844] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion + 2 0000000076ec06c2 3 bytes {JMP 0xffffffff892afc90} .text C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Main.exe[2844] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076ec0720 5 bytes JMP 0000000100170290 .text C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Main.exe[2844] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076ec07b0 5 bytes JMP 00000001001702b0 .text C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Main.exe[2844] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076ec07d0 5 bytes JMP 00000001001703d0 .text C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Main.exe[2844] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076ec07e0 5 bytes JMP 0000000100170330 .text C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Main.exe[2844] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076ec0850 5 bytes JMP 0000000100170410 .text C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Main.exe[2844] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076ec0880 5 bytes JMP 0000000100170240 .text C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Main.exe[2844] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076ec0b40 5 bytes JMP 00000001001701e0 .text C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Main.exe[2844] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076ec0c00 5 bytes JMP 0000000100170250 .text C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Main.exe[2844] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076ec0c30 5 bytes JMP 0000000100170490 .text C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Main.exe[2844] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076ec0c40 5 bytes JMP 00000001001704a0 .text C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Main.exe[2844] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076ec0c70 1 byte JMP 0000000100170300 .text C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Main.exe[2844] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair + 2 0000000076ec0c72 3 bytes {JMP 0xffffffff892af690} .text C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Main.exe[2844] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076ec0c80 5 bytes JMP 0000000100170360 .text C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Main.exe[2844] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076ec0ce0 5 bytes JMP 00000001001702a0 .text C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Main.exe[2844] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076ec0d30 1 byte JMP 00000001001702c0 .text C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Main.exe[2844] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore + 2 0000000076ec0d32 3 bytes {JMP 0xffffffff892af590} .text C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Main.exe[2844] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076ec0d60 5 bytes JMP 0000000100170380 .text C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Main.exe[2844] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076ec0d70 5 bytes JMP 0000000100170340 .text C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Main.exe[2844] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076ec1060 5 bytes JMP 0000000100170440 .text C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Main.exe[2844] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076ec1260 5 bytes JMP 0000000100170260 .text C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Main.exe[2844] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076ec1270 5 bytes JMP 0000000100170270 .text C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Main.exe[2844] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076ec1280 5 bytes JMP 0000000100170400 .text C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Main.exe[2844] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076ec1440 5 bytes JMP 00000001001701f0 .text C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Main.exe[2844] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076ec1450 5 bytes JMP 0000000100170210 .text C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Main.exe[2844] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076ec14c0 5 bytes JMP 0000000100170200 .text C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Main.exe[2844] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076ec1520 5 bytes JMP 0000000100170420 .text C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Main.exe[2844] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076ec1530 5 bytes JMP 0000000100170430 .text C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Main.exe[2844] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076ec1540 5 bytes JMP 0000000100170220 .text C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Main.exe[2844] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076ec1620 5 bytes JMP 0000000100170280 .text C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Main.exe[2844] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 0000000076daf1bd 1 byte [62] .text C:\Program Files (x86)\Skype\Phone\Skype.exe[3400] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007595b0c5 1 byte [62] .text C:\Program Files (x86)\Skype\Phone\Skype.exe[3400] C:\Windows\SysWOW64\ksuser.dll!KsCreatePin + 35 0000000068ed11a8 2 bytes [ED, 68] .text C:\Program Files (x86)\Skype\Phone\Skype.exe[3400] C:\Windows\SysWOW64\ksuser.dll!KsCreatePin + 248 0000000068ed127d 2 bytes CALL 759314dd C:\Windows\syswow64\kernel32.dll .text ... * 6 .text C:\Program Files (x86)\Skype\Phone\Skype.exe[3400] C:\Windows\SysWOW64\ksuser.dll!KsCreateAllocator + 21 0000000068ed13a8 2 bytes [ED, 68] .text C:\Program Files (x86)\Skype\Phone\Skype.exe[3400] C:\Windows\SysWOW64\ksuser.dll!KsCreateClock + 21 0000000068ed1422 2 bytes [ED, 68] .text C:\Program Files (x86)\Skype\Phone\Skype.exe[3400] C:\Windows\SysWOW64\ksuser.dll!KsCreateTopologyNode + 19 0000000068ed1498 2 bytes [ED, 68] .text C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\cvh.exe[5184] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007595b0c5 1 byte [62] .text C:\Windows\system32\AUDIODG.EXE[1276] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076ebfe00 5 bytes JMP 0000000077020460 .text C:\Windows\system32\AUDIODG.EXE[1276] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076ebfe50 5 bytes JMP 0000000077020450 .text C:\Windows\system32\AUDIODG.EXE[1276] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076ebffb0 5 bytes JMP 0000000077020370 .text C:\Windows\system32\AUDIODG.EXE[1276] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076ec0000 5 bytes JMP 0000000077020470 .text C:\Windows\system32\AUDIODG.EXE[1276] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076ec0010 5 bytes JMP 00000000770203e0 .text C:\Windows\system32\AUDIODG.EXE[1276] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076ec00c0 5 bytes JMP 0000000077020320 .text C:\Windows\system32\AUDIODG.EXE[1276] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076ec00f0 5 bytes JMP 00000000770203b0 .text C:\Windows\system32\AUDIODG.EXE[1276] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076ec0110 5 bytes JMP 0000000077020390 .text C:\Windows\system32\AUDIODG.EXE[1276] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076ec0150 1 byte JMP 00000000770202e0 .text C:\Windows\system32\AUDIODG.EXE[1276] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent + 2 0000000076ec0152 3 bytes {JMP 0x160190} .text C:\Windows\system32\AUDIODG.EXE[1276] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076ec01d0 5 bytes JMP 00000000770202d0 .text C:\Windows\system32\AUDIODG.EXE[1276] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076ec01f0 5 bytes JMP 0000000077020310 .text C:\Windows\system32\AUDIODG.EXE[1276] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076ec0230 1 byte JMP 00000000770203c0 .text C:\Windows\system32\AUDIODG.EXE[1276] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread + 2 0000000076ec0232 3 bytes {JMP 0x160190} .text C:\Windows\system32\AUDIODG.EXE[1276] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076ec0280 5 bytes JMP 00000000770203f0 .text C:\Windows\system32\AUDIODG.EXE[1276] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076ec03e0 5 bytes JMP 0000000077020230 .text C:\Windows\system32\AUDIODG.EXE[1276] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076ec05a0 5 bytes JMP 0000000077020480 .text C:\Windows\system32\AUDIODG.EXE[1276] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076ec05d0 5 bytes JMP 00000000770203a0 .text C:\Windows\system32\AUDIODG.EXE[1276] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076ec06b0 5 bytes JMP 00000000770202f0 .text C:\Windows\system32\AUDIODG.EXE[1276] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076ec06c0 1 byte JMP 0000000077020350 .text C:\Windows\system32\AUDIODG.EXE[1276] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion + 2 0000000076ec06c2 3 bytes {JMP 0x15fc90} .text C:\Windows\system32\AUDIODG.EXE[1276] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076ec0720 5 bytes JMP 0000000077020290 .text C:\Windows\system32\AUDIODG.EXE[1276] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076ec07b0 5 bytes JMP 00000000770202b0 .text C:\Windows\system32\AUDIODG.EXE[1276] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076ec07d0 5 bytes JMP 00000000770203d0 .text C:\Windows\system32\AUDIODG.EXE[1276] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076ec07e0 5 bytes JMP 0000000077020330 .text C:\Windows\system32\AUDIODG.EXE[1276] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076ec0850 5 bytes JMP 0000000077020410 .text C:\Windows\system32\AUDIODG.EXE[1276] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076ec0880 5 bytes JMP 0000000077020240 .text C:\Windows\system32\AUDIODG.EXE[1276] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076ec0b40 5 bytes JMP 00000000770201e0 .text C:\Windows\system32\AUDIODG.EXE[1276] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076ec0c00 5 bytes JMP 0000000077020250 .text C:\Windows\system32\AUDIODG.EXE[1276] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076ec0c30 5 bytes JMP 0000000077020490 .text C:\Windows\system32\AUDIODG.EXE[1276] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076ec0c40 5 bytes JMP 00000000770204a0 .text C:\Windows\system32\AUDIODG.EXE[1276] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076ec0c70 1 byte JMP 0000000077020300 .text C:\Windows\system32\AUDIODG.EXE[1276] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair + 2 0000000076ec0c72 3 bytes {JMP 0x15f690} .text C:\Windows\system32\AUDIODG.EXE[1276] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076ec0c80 5 bytes JMP 0000000077020360 .text C:\Windows\system32\AUDIODG.EXE[1276] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076ec0ce0 5 bytes JMP 00000000770202a0 .text C:\Windows\system32\AUDIODG.EXE[1276] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076ec0d30 1 byte JMP 00000000770202c0 .text C:\Windows\system32\AUDIODG.EXE[1276] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore + 2 0000000076ec0d32 3 bytes {JMP 0x15f590} .text C:\Windows\system32\AUDIODG.EXE[1276] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076ec0d60 5 bytes JMP 0000000077020380 .text C:\Windows\system32\AUDIODG.EXE[1276] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076ec0d70 5 bytes JMP 0000000077020340 .text C:\Windows\system32\AUDIODG.EXE[1276] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076ec1060 5 bytes JMP 0000000077020440 .text C:\Windows\system32\AUDIODG.EXE[1276] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076ec1260 5 bytes JMP 0000000077020260 .text C:\Windows\system32\AUDIODG.EXE[1276] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076ec1270 5 bytes JMP 0000000077020270 .text C:\Windows\system32\AUDIODG.EXE[1276] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076ec1280 5 bytes JMP 0000000077020400 .text C:\Windows\system32\AUDIODG.EXE[1276] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076ec1440 5 bytes JMP 00000000770201f0 .text C:\Windows\system32\AUDIODG.EXE[1276] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076ec1450 5 bytes JMP 0000000077020210 .text C:\Windows\system32\AUDIODG.EXE[1276] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076ec14c0 5 bytes JMP 0000000077020200 .text C:\Windows\system32\AUDIODG.EXE[1276] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076ec1520 5 bytes JMP 0000000077020420 .text C:\Windows\system32\AUDIODG.EXE[1276] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076ec1530 5 bytes JMP 0000000077020430 .text C:\Windows\system32\AUDIODG.EXE[1276] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076ec1540 5 bytes JMP 0000000077020220 .text C:\Windows\system32\AUDIODG.EXE[1276] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076ec1620 5 bytes JMP 0000000077020280 .text C:\Windows\system32\AUDIODG.EXE[1276] C:\Windows\System32\kernel32.dll!GetBinaryTypeW + 189 0000000076daf1bd 1 byte [62] .text C:\Users\Weak\Downloads\rdjp16ye.exe[5444] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007595b0c5 1 byte [62] ---- User IAT/EAT - GMER 2.1 ---- IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2912] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmAddToStreamDWord] [7fef848741c] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2912] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmSet] [7fef8485f10] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2912] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmEndSession] [7fef8485674] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2912] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmStartSession] [7fef8485e2c] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2912] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmStartUpload] [7fef8487f48] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2912] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmSetAppVersion] [7fef8486a38] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2912] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmSetMachineId] [7fef8486ee8] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2912] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmWriteSharedMachineId] [7fef8487b58] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2912] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmCreateNewId] [7fef8487ea0] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2912] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmReadSharedMachineId] [7fef84878b0] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2912] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmGetSession] [7fef8484fb4] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2912] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmSetAppId] [7fef8485d38] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2912] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmAddToStreamString] [7fef8487584] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll ---- Threads - GMER 2.1 ---- Thread C:\Windows\system32\svchost.exe [436:1464] 000007fef9f46928 Thread C:\Windows\system32\svchost.exe [436:1468] 000007fef9e81a50 Thread C:\Windows\system32\svchost.exe [436:3016] 000007fefc961a70 Thread C:\Windows\system32\svchost.exe [436:3516] 000007fef8a15124 Thread C:\Windows\system32\svchost.exe [436:3988] 000007fef3e7506c Thread C:\Windows\system32\svchost.exe [436:3504] 000007fef7c21c20 Thread C:\Windows\system32\svchost.exe [436:3968] 000007fef7c21c20 Thread C:\Windows\system32\svchost.exe [436:5648] 000007fefad34164 Thread C:\Windows\system32\svchost.exe [436:6972] 000007fef83517f4 Thread C:\Windows\system32\svchost.exe [436:6820] 000007fee9e29640 Thread C:\Windows\system32\svchost.exe [436:3960] 000007fef83517f4 Thread C:\Windows\system32\svchost.exe [436:6080] 000007fef5dc1ab0 Thread C:\Windows\system32\svchost.exe [436:6272] 000007fef866b698 Thread C:\Windows\system32\WLANExt.exe [1208:1284] 000000018000d8c8 Thread C:\Windows\system32\WLANExt.exe [1208:1288] 000000018000d8e4 Thread C:\Windows\system32\WLANExt.exe [1208:1292] 000000018000d8ac Thread C:\Windows\system32\WLANExt.exe [1208:1296] 0000000180027ba0 Thread C:\Windows\system32\WLANExt.exe [1208:1304] 000007fefa1a2f9c Thread C:\Windows\System32\spoolsv.exe [1492:2824] 000007fef75710c8 Thread C:\Windows\System32\spoolsv.exe [1492:2808] 000007fef7536144 Thread C:\Windows\System32\spoolsv.exe [1492:2828] 000007fef8c25fd0 Thread C:\Windows\System32\spoolsv.exe [1492:2816] 000007fef7513438 Thread C:\Windows\System32\spoolsv.exe [1492:2896] 000007fef8c263ec Thread C:\Windows\System32\spoolsv.exe [1492:2968] 000007fef7605e5c Thread C:\Windows\system32\Dwm.exe [1668:1700] 000007fef9cbb0e4 Thread C:\Windows\system32\Dwm.exe [1668:1708] 000007fef98dabf0 Thread C:\Windows\system32\svchost.exe [1772:2076] 000007fef9123060 Thread C:\Windows\system32\svchost.exe [1772:3128] 000007fef9125570 Thread C:\Windows\system32\svchost.exe [1772:3212] 000007fef6452940 Thread C:\Windows\system32\svchost.exe [1772:3228] 000007fef6402888 Thread C:\Windows\system32\svchost.exe [1772:5780] 000007fef6402a40 Thread C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE [2368:2920] 000000006f484504 Thread C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE [2368:3076] 000000006f495af4 Thread C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE [2368:5264] 0000000074e4c7f5 Thread C:\Program Files (x86)\MSN Toolbar\Platform\5.0.1438.0\mswinext.exe [3420:5112] 0000000073b9839e Thread C:\Windows\System32\svchost.exe [4448:976] 000007feeca89688 ---- Processes - GMER 2.1 ---- Library C:\Users\Weak\AppData\Local\Microsoft\Toolbar\Applications\AppMgr.dll (*** suspicious ***) @ C:\Program Files (x86)\MSN Toolbar\Platform\5.0.1438.0\mswinext.exe [3420] (Bing Bar/Microsoft Corp.)(2014-08-15 10:23:16) 00000000733a0000 ---- Disk sectors - GMER 2.1 ---- Disk \Device\Harddisk0\DR0 unknown MBR code ---- EOF - GMER 2.1 ----