GMER 2.1.19163 - http://www.gmer.net Rootkit scan 2013-05-30 20:34:07 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\00000067 SAMSUNG_ rev.1AG0 465,76GB Running: 8gvt3686.exe; Driver: C:\Users\Fiziu\AppData\Local\Temp\ugldrpow.sys ---- User code sections - GMER 2.1 ---- .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000779f13c0 5 bytes JMP 0000000100120470 .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000779f1410 5 bytes JMP 0000000100120460 .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000779f1570 5 bytes JMP 0000000100120370 .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000779f15c0 5 bytes JMP 0000000100120480 .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000779f15d0 5 bytes JMP 00000001001203e0 .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000779f1680 5 bytes JMP 0000000100120320 .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000779f16b0 5 bytes JMP 00000001001203b0 .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000779f16d0 5 bytes JMP 0000000100120390 .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000779f1710 5 bytes JMP 00000001001202e0 .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 00000000779f1760 5 bytes JMP 0000000100120440 .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000779f1790 5 bytes JMP 00000001001202d0 .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000779f17b0 5 bytes JMP 0000000100120310 .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000779f17f0 5 bytes JMP 00000001001203c0 .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000779f1840 5 bytes JMP 00000001001203f0 .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000779f19a0 1 byte JMP 0000000100120230 .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000779f19a2 3 bytes {JMP 0xffffffff8872e890} .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000779f1b60 5 bytes JMP 0000000100120490 .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000779f1b90 5 bytes JMP 00000001001203a0 .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000779f1c70 5 bytes JMP 00000001001202f0 .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000779f1c80 5 bytes JMP 0000000100120350 .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000779f1ce0 5 bytes JMP 0000000100120290 .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000779f1d70 5 bytes JMP 00000001001202b0 .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000779f1d90 5 bytes JMP 00000001001203d0 .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000779f1da0 1 byte JMP 0000000100120330 .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00000000779f1da2 3 bytes {JMP 0xffffffff8872e590} .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000779f1e10 5 bytes JMP 0000000100120410 .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000779f1e40 5 bytes JMP 0000000100120240 .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000779f2100 5 bytes JMP 00000001001201e0 .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000779f21c0 1 byte JMP 0000000100120250 .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000779f21c2 3 bytes {JMP 0xffffffff8872e090} .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000779f21f0 5 bytes JMP 00000001001204a0 .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000779f2200 5 bytes JMP 00000001001204b0 .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000779f2230 5 bytes JMP 0000000100120300 .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000779f2240 5 bytes JMP 0000000100120360 .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000779f22a0 5 bytes JMP 00000001001202a0 .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000779f22f0 5 bytes JMP 00000001001202c0 .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000779f2320 5 bytes JMP 0000000100120380 .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000779f2330 5 bytes JMP 0000000100120340 .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000779f2620 5 bytes JMP 0000000100120450 .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000779f2820 5 bytes JMP 0000000100120260 .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000779f2830 5 bytes JMP 0000000100120270 .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000779f2840 5 bytes JMP 0000000100120400 .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000779f2a00 5 bytes JMP 00000001001201f0 .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000779f2a10 5 bytes JMP 0000000100120210 .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000779f2a80 5 bytes JMP 0000000100120200 .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000779f2ae0 5 bytes JMP 0000000100120420 .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000779f2af0 5 bytes JMP 0000000100120430 .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000779f2b00 5 bytes JMP 0000000100120220 .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000779f2be0 5 bytes JMP 0000000100120280 .text C:\Windows\system32\csrss.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000779f13c0 5 bytes JMP 0000000100120470 .text C:\Windows\system32\csrss.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000779f1410 5 bytes JMP 0000000100120460 .text C:\Windows\system32\csrss.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000779f1570 5 bytes JMP 0000000100120370 .text C:\Windows\system32\csrss.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000779f15c0 5 bytes JMP 0000000100120480 .text C:\Windows\system32\csrss.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000779f15d0 5 bytes JMP 00000001001203e0 .text C:\Windows\system32\csrss.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000779f1680 5 bytes JMP 0000000100120320 .text C:\Windows\system32\csrss.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000779f16b0 5 bytes JMP 00000001001203b0 .text C:\Windows\system32\csrss.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000779f16d0 5 bytes JMP 0000000100120390 .text C:\Windows\system32\csrss.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000779f1710 5 bytes JMP 00000001001202e0 .text C:\Windows\system32\csrss.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 00000000779f1760 5 bytes JMP 0000000100120440 .text C:\Windows\system32\csrss.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000779f1790 5 bytes JMP 00000001001202d0 .text C:\Windows\system32\csrss.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000779f17b0 5 bytes JMP 0000000100120310 .text C:\Windows\system32\csrss.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000779f17f0 5 bytes JMP 00000001001203c0 .text C:\Windows\system32\csrss.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000779f1840 5 bytes JMP 00000001001203f0 .text C:\Windows\system32\csrss.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000779f19a0 1 byte JMP 0000000100120230 .text C:\Windows\system32\csrss.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000779f19a2 3 bytes {JMP 0xffffffff8872e890} .text C:\Windows\system32\csrss.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000779f1b60 5 bytes JMP 0000000100120490 .text C:\Windows\system32\csrss.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000779f1b90 5 bytes JMP 00000001001203a0 .text C:\Windows\system32\csrss.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000779f1c70 5 bytes JMP 00000001001202f0 .text C:\Windows\system32\csrss.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000779f1c80 5 bytes JMP 0000000100120350 .text C:\Windows\system32\csrss.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000779f1ce0 5 bytes JMP 0000000100120290 .text C:\Windows\system32\csrss.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000779f1d70 5 bytes JMP 00000001001202b0 .text C:\Windows\system32\csrss.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000779f1d90 5 bytes JMP 00000001001203d0 .text C:\Windows\system32\csrss.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000779f1da0 1 byte JMP 0000000100120330 .text C:\Windows\system32\csrss.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00000000779f1da2 3 bytes {JMP 0xffffffff8872e590} .text C:\Windows\system32\csrss.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000779f1e10 5 bytes JMP 0000000100120410 .text C:\Windows\system32\csrss.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000779f1e40 5 bytes JMP 0000000100120240 .text C:\Windows\system32\csrss.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000779f2100 5 bytes JMP 00000001001201e0 .text C:\Windows\system32\csrss.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000779f21c0 1 byte JMP 0000000100120250 .text C:\Windows\system32\csrss.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000779f21c2 3 bytes {JMP 0xffffffff8872e090} .text C:\Windows\system32\csrss.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000779f21f0 5 bytes JMP 00000001001204a0 .text C:\Windows\system32\csrss.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000779f2200 5 bytes JMP 00000001001204b0 .text C:\Windows\system32\csrss.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000779f2230 5 bytes JMP 0000000100120300 .text C:\Windows\system32\csrss.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000779f2240 5 bytes JMP 0000000100120360 .text C:\Windows\system32\csrss.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000779f22a0 5 bytes JMP 00000001001202a0 .text C:\Windows\system32\csrss.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000779f22f0 5 bytes JMP 00000001001202c0 .text C:\Windows\system32\csrss.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000779f2320 5 bytes JMP 0000000100120380 .text C:\Windows\system32\csrss.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000779f2330 5 bytes JMP 0000000100120340 .text C:\Windows\system32\csrss.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000779f2620 5 bytes JMP 0000000100120450 .text C:\Windows\system32\csrss.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000779f2820 5 bytes JMP 0000000100120260 .text C:\Windows\system32\csrss.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000779f2830 5 bytes JMP 0000000100120270 .text C:\Windows\system32\csrss.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000779f2840 5 bytes JMP 0000000100120400 .text C:\Windows\system32\csrss.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000779f2a00 5 bytes JMP 00000001001201f0 .text C:\Windows\system32\csrss.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000779f2a10 5 bytes JMP 0000000100120210 .text C:\Windows\system32\csrss.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000779f2a80 5 bytes JMP 0000000100120200 .text C:\Windows\system32\csrss.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000779f2ae0 5 bytes JMP 0000000100120420 .text C:\Windows\system32\csrss.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000779f2af0 5 bytes JMP 0000000100120430 .text C:\Windows\system32\csrss.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000779f2b00 5 bytes JMP 0000000100120220 .text C:\Windows\system32\csrss.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000779f2be0 5 bytes JMP 0000000100120280 .text C:\Windows\system32\wininit.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000779f13c0 5 bytes JMP 0000000077b50470 .text C:\Windows\system32\wininit.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000779f1410 5 bytes JMP 0000000077b50460 .text C:\Windows\system32\wininit.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000779f1570 5 bytes JMP 0000000077b50370 .text C:\Windows\system32\wininit.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000779f15c0 5 bytes JMP 0000000077b50480 .text C:\Windows\system32\wininit.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000779f15d0 5 bytes JMP 0000000077b503e0 .text C:\Windows\system32\wininit.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000779f1680 5 bytes JMP 0000000077b50320 .text C:\Windows\system32\wininit.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000779f16b0 5 bytes JMP 0000000077b503b0 .text C:\Windows\system32\wininit.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000779f16d0 5 bytes JMP 0000000077b50390 .text C:\Windows\system32\wininit.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000779f1710 5 bytes JMP 0000000077b502e0 .text C:\Windows\system32\wininit.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 00000000779f1760 5 bytes JMP 0000000077b50440 .text C:\Windows\system32\wininit.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000779f1790 5 bytes JMP 0000000077b502d0 .text C:\Windows\system32\wininit.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000779f17b0 5 bytes JMP 0000000077b50310 .text C:\Windows\system32\wininit.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000779f17f0 5 bytes JMP 0000000077b503c0 .text C:\Windows\system32\wininit.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000779f1840 5 bytes JMP 0000000077b503f0 .text C:\Windows\system32\wininit.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000779f19a0 1 byte JMP 0000000077b50230 .text C:\Windows\system32\wininit.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000779f19a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\wininit.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000779f1b60 5 bytes JMP 0000000077b50490 .text C:\Windows\system32\wininit.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000779f1b90 5 bytes JMP 0000000077b503a0 .text C:\Windows\system32\wininit.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000779f1c70 5 bytes JMP 0000000077b502f0 .text C:\Windows\system32\wininit.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000779f1c80 5 bytes JMP 0000000077b50350 .text C:\Windows\system32\wininit.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000779f1ce0 5 bytes JMP 0000000077b50290 .text C:\Windows\system32\wininit.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000779f1d70 5 bytes JMP 0000000077b502b0 .text C:\Windows\system32\wininit.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000779f1d90 5 bytes JMP 0000000077b503d0 .text C:\Windows\system32\wininit.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000779f1da0 1 byte JMP 0000000077b50330 .text C:\Windows\system32\wininit.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00000000779f1da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\wininit.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000779f1e10 5 bytes JMP 0000000077b50410 .text C:\Windows\system32\wininit.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000779f1e40 5 bytes JMP 0000000077b50240 .text C:\Windows\system32\wininit.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000779f2100 5 bytes JMP 0000000077b501e0 .text C:\Windows\system32\wininit.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000779f21c0 1 byte JMP 0000000077b50250 .text C:\Windows\system32\wininit.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000779f21c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\wininit.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000779f21f0 5 bytes JMP 0000000077b504a0 .text C:\Windows\system32\wininit.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000779f2200 5 bytes JMP 0000000077b504b0 .text C:\Windows\system32\wininit.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000779f2230 5 bytes JMP 0000000077b50300 .text C:\Windows\system32\wininit.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000779f2240 5 bytes JMP 0000000077b50360 .text C:\Windows\system32\wininit.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000779f22a0 5 bytes JMP 0000000077b502a0 .text C:\Windows\system32\wininit.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000779f22f0 5 bytes JMP 0000000077b502c0 .text C:\Windows\system32\wininit.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000779f2320 5 bytes JMP 0000000077b50380 .text C:\Windows\system32\wininit.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000779f2330 5 bytes JMP 0000000077b50340 .text C:\Windows\system32\wininit.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000779f2620 5 bytes JMP 0000000077b50450 .text C:\Windows\system32\wininit.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000779f2820 5 bytes JMP 0000000077b50260 .text C:\Windows\system32\wininit.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000779f2830 5 bytes JMP 0000000077b50270 .text C:\Windows\system32\wininit.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000779f2840 5 bytes JMP 0000000077b50400 .text C:\Windows\system32\wininit.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000779f2a00 5 bytes JMP 0000000077b501f0 .text C:\Windows\system32\wininit.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000779f2a10 5 bytes JMP 0000000077b50210 .text C:\Windows\system32\wininit.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000779f2a80 5 bytes JMP 0000000077b50200 .text C:\Windows\system32\wininit.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000779f2ae0 5 bytes JMP 0000000077b50420 .text C:\Windows\system32\wininit.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000779f2af0 5 bytes JMP 0000000077b50430 .text C:\Windows\system32\wininit.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000779f2b00 5 bytes JMP 0000000077b50220 .text C:\Windows\system32\wininit.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000779f2be0 5 bytes JMP 0000000077b50280 .text C:\Windows\system32\wininit.exe[560] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000777deecd 1 byte [62] .text C:\Windows\system32\winlogon.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000779f13c0 5 bytes JMP 0000000077b50470 .text C:\Windows\system32\winlogon.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000779f1410 5 bytes JMP 0000000077b50460 .text C:\Windows\system32\winlogon.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000779f1570 5 bytes JMP 0000000077b50370 .text C:\Windows\system32\winlogon.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000779f15c0 5 bytes JMP 0000000077b50480 .text C:\Windows\system32\winlogon.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000779f15d0 5 bytes JMP 0000000077b503e0 .text C:\Windows\system32\winlogon.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000779f1680 5 bytes JMP 0000000077b50320 .text C:\Windows\system32\winlogon.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000779f16b0 5 bytes JMP 0000000077b503b0 .text C:\Windows\system32\winlogon.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000779f16d0 5 bytes JMP 0000000077b50390 .text C:\Windows\system32\winlogon.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000779f1710 5 bytes JMP 0000000077b502e0 .text C:\Windows\system32\winlogon.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 00000000779f1760 5 bytes JMP 0000000077b50440 .text C:\Windows\system32\winlogon.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000779f1790 5 bytes JMP 0000000077b502d0 .text C:\Windows\system32\winlogon.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000779f17b0 5 bytes JMP 0000000077b50310 .text C:\Windows\system32\winlogon.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000779f17f0 5 bytes JMP 0000000077b503c0 .text C:\Windows\system32\winlogon.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000779f1840 5 bytes JMP 0000000077b503f0 .text C:\Windows\system32\winlogon.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000779f19a0 1 byte JMP 0000000077b50230 .text C:\Windows\system32\winlogon.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000779f19a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\winlogon.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000779f1b60 5 bytes JMP 0000000077b50490 .text C:\Windows\system32\winlogon.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000779f1b90 5 bytes JMP 0000000077b503a0 .text C:\Windows\system32\winlogon.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000779f1c70 5 bytes JMP 0000000077b502f0 .text C:\Windows\system32\winlogon.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000779f1c80 5 bytes JMP 0000000077b50350 .text C:\Windows\system32\winlogon.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000779f1ce0 5 bytes JMP 0000000077b50290 .text C:\Windows\system32\winlogon.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000779f1d70 5 bytes JMP 0000000077b502b0 .text C:\Windows\system32\winlogon.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000779f1d90 5 bytes JMP 0000000077b503d0 .text C:\Windows\system32\winlogon.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000779f1da0 1 byte JMP 0000000077b50330 .text C:\Windows\system32\winlogon.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00000000779f1da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\winlogon.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000779f1e10 5 bytes JMP 0000000077b50410 .text C:\Windows\system32\winlogon.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000779f1e40 5 bytes JMP 0000000077b50240 .text C:\Windows\system32\winlogon.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000779f2100 5 bytes JMP 0000000077b501e0 .text C:\Windows\system32\winlogon.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000779f21c0 1 byte JMP 0000000077b50250 .text C:\Windows\system32\winlogon.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000779f21c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\winlogon.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000779f21f0 5 bytes JMP 0000000077b504a0 .text C:\Windows\system32\winlogon.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000779f2200 5 bytes JMP 0000000077b504b0 .text C:\Windows\system32\winlogon.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000779f2230 5 bytes JMP 0000000077b50300 .text C:\Windows\system32\winlogon.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000779f2240 5 bytes JMP 0000000077b50360 .text C:\Windows\system32\winlogon.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000779f22a0 5 bytes JMP 0000000077b502a0 .text C:\Windows\system32\winlogon.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000779f22f0 5 bytes JMP 0000000077b502c0 .text C:\Windows\system32\winlogon.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000779f2320 5 bytes JMP 0000000077b50380 .text C:\Windows\system32\winlogon.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000779f2330 5 bytes JMP 0000000077b50340 .text C:\Windows\system32\winlogon.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000779f2620 5 bytes JMP 0000000077b50450 .text C:\Windows\system32\winlogon.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000779f2820 5 bytes JMP 0000000077b50260 .text C:\Windows\system32\winlogon.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000779f2830 5 bytes JMP 0000000077b50270 .text C:\Windows\system32\winlogon.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000779f2840 5 bytes JMP 0000000077b50400 .text C:\Windows\system32\winlogon.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000779f2a00 5 bytes JMP 0000000077b501f0 .text C:\Windows\system32\winlogon.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000779f2a10 5 bytes JMP 0000000077b50210 .text C:\Windows\system32\winlogon.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000779f2a80 5 bytes JMP 0000000077b50200 .text C:\Windows\system32\winlogon.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000779f2ae0 5 bytes JMP 0000000077b50420 .text C:\Windows\system32\winlogon.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000779f2af0 5 bytes JMP 0000000077b50430 .text C:\Windows\system32\winlogon.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000779f2b00 5 bytes JMP 0000000077b50220 .text C:\Windows\system32\winlogon.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000779f2be0 5 bytes JMP 0000000077b50280 .text C:\Windows\system32\winlogon.exe[616] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000777deecd 1 byte [62] .text C:\Windows\system32\services.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000779f13c0 5 bytes JMP 0000000077b50470 .text C:\Windows\system32\services.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000779f1410 5 bytes JMP 0000000077b50460 .text C:\Windows\system32\services.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000779f1570 5 bytes JMP 0000000077b50370 .text C:\Windows\system32\services.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000779f15c0 5 bytes JMP 0000000077b50480 .text C:\Windows\system32\services.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000779f15d0 5 bytes JMP 0000000077b503e0 .text C:\Windows\system32\services.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000779f1680 5 bytes JMP 0000000077b50320 .text C:\Windows\system32\services.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000779f16b0 5 bytes JMP 0000000077b503b0 .text C:\Windows\system32\services.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000779f16d0 5 bytes JMP 0000000077b50390 .text C:\Windows\system32\services.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000779f1710 5 bytes JMP 0000000077b502e0 .text C:\Windows\system32\services.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 00000000779f1760 5 bytes JMP 0000000077b50440 .text C:\Windows\system32\services.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000779f1790 5 bytes JMP 0000000077b502d0 .text C:\Windows\system32\services.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000779f17b0 5 bytes JMP 0000000077b50310 .text C:\Windows\system32\services.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000779f17f0 5 bytes JMP 0000000077b503c0 .text C:\Windows\system32\services.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000779f1840 5 bytes JMP 0000000077b503f0 .text C:\Windows\system32\services.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000779f19a0 1 byte JMP 0000000077b50230 .text C:\Windows\system32\services.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000779f19a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\services.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000779f1b60 5 bytes JMP 0000000077b50490 .text C:\Windows\system32\services.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000779f1b90 5 bytes JMP 0000000077b503a0 .text C:\Windows\system32\services.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000779f1c70 5 bytes JMP 0000000077b502f0 .text C:\Windows\system32\services.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000779f1c80 5 bytes JMP 0000000077b50350 .text C:\Windows\system32\services.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000779f1ce0 5 bytes JMP 0000000077b50290 .text C:\Windows\system32\services.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000779f1d70 5 bytes JMP 0000000077b502b0 .text C:\Windows\system32\services.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000779f1d90 5 bytes JMP 0000000077b503d0 .text C:\Windows\system32\services.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000779f1da0 1 byte JMP 0000000077b50330 .text C:\Windows\system32\services.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00000000779f1da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\services.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000779f1e10 5 bytes JMP 0000000077b50410 .text C:\Windows\system32\services.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000779f1e40 5 bytes JMP 0000000077b50240 .text C:\Windows\system32\services.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000779f2100 5 bytes JMP 0000000077b501e0 .text C:\Windows\system32\services.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000779f21c0 1 byte JMP 0000000077b50250 .text C:\Windows\system32\services.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000779f21c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\services.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000779f21f0 5 bytes JMP 0000000077b504a0 .text C:\Windows\system32\services.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000779f2200 5 bytes JMP 0000000077b504b0 .text C:\Windows\system32\services.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000779f2230 5 bytes JMP 0000000077b50300 .text C:\Windows\system32\services.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000779f2240 5 bytes JMP 0000000077b50360 .text C:\Windows\system32\services.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000779f22a0 5 bytes JMP 0000000077b502a0 .text C:\Windows\system32\services.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000779f22f0 5 bytes JMP 0000000077b502c0 .text C:\Windows\system32\services.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000779f2320 5 bytes JMP 0000000077b50380 .text C:\Windows\system32\services.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000779f2330 5 bytes JMP 0000000077b50340 .text C:\Windows\system32\services.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000779f2620 5 bytes JMP 0000000077b50450 .text C:\Windows\system32\services.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000779f2820 5 bytes JMP 0000000077b50260 .text C:\Windows\system32\services.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000779f2830 5 bytes JMP 0000000077b50270 .text C:\Windows\system32\services.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000779f2840 5 bytes JMP 0000000077b50400 .text C:\Windows\system32\services.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000779f2a00 5 bytes JMP 0000000077b501f0 .text C:\Windows\system32\services.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000779f2a10 5 bytes JMP 0000000077b50210 .text C:\Windows\system32\services.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000779f2a80 5 bytes JMP 0000000077b50200 .text C:\Windows\system32\services.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000779f2ae0 5 bytes JMP 0000000077b50420 .text C:\Windows\system32\services.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000779f2af0 5 bytes JMP 0000000077b50430 .text C:\Windows\system32\services.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000779f2b00 5 bytes JMP 0000000077b50220 .text C:\Windows\system32\services.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000779f2be0 5 bytes JMP 0000000077b50280 .text C:\Windows\system32\services.exe[660] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000777deecd 1 byte [62] .text C:\Windows\system32\lsass.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000779f13c0 5 bytes JMP 0000000077b50470 .text C:\Windows\system32\lsass.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000779f1410 5 bytes JMP 0000000077b50460 .text C:\Windows\system32\lsass.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000779f1570 5 bytes JMP 0000000077b50370 .text C:\Windows\system32\lsass.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000779f15c0 5 bytes JMP 0000000077b50480 .text C:\Windows\system32\lsass.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000779f15d0 5 bytes JMP 0000000077b503e0 .text C:\Windows\system32\lsass.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000779f1680 5 bytes JMP 0000000077b50320 .text C:\Windows\system32\lsass.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000779f16b0 5 bytes JMP 0000000077b503b0 .text C:\Windows\system32\lsass.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000779f16d0 5 bytes JMP 0000000077b50390 .text C:\Windows\system32\lsass.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000779f1710 5 bytes JMP 0000000077b502e0 .text C:\Windows\system32\lsass.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 00000000779f1760 5 bytes JMP 0000000077b50440 .text C:\Windows\system32\lsass.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000779f1790 5 bytes JMP 0000000077b502d0 .text C:\Windows\system32\lsass.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000779f17b0 5 bytes JMP 0000000077b50310 .text C:\Windows\system32\lsass.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000779f17f0 5 bytes JMP 0000000077b503c0 .text C:\Windows\system32\lsass.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000779f1840 5 bytes JMP 0000000077b503f0 .text C:\Windows\system32\lsass.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000779f19a0 1 byte JMP 0000000077b50230 .text C:\Windows\system32\lsass.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000779f19a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\lsass.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000779f1b60 5 bytes JMP 0000000077b50490 .text C:\Windows\system32\lsass.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000779f1b90 5 bytes JMP 0000000077b503a0 .text C:\Windows\system32\lsass.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000779f1c70 5 bytes JMP 0000000077b502f0 .text C:\Windows\system32\lsass.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000779f1c80 5 bytes JMP 0000000077b50350 .text C:\Windows\system32\lsass.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000779f1ce0 5 bytes JMP 0000000077b50290 .text C:\Windows\system32\lsass.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000779f1d70 5 bytes JMP 0000000077b502b0 .text C:\Windows\system32\lsass.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000779f1d90 5 bytes JMP 0000000077b503d0 .text C:\Windows\system32\lsass.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000779f1da0 1 byte JMP 0000000077b50330 .text C:\Windows\system32\lsass.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00000000779f1da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\lsass.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000779f1e10 5 bytes JMP 0000000077b50410 .text C:\Windows\system32\lsass.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000779f1e40 5 bytes JMP 0000000077b50240 .text C:\Windows\system32\lsass.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000779f2100 5 bytes JMP 0000000077b501e0 .text C:\Windows\system32\lsass.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000779f21c0 1 byte JMP 0000000077b50250 .text C:\Windows\system32\lsass.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000779f21c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\lsass.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000779f21f0 5 bytes JMP 0000000077b504a0 .text C:\Windows\system32\lsass.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000779f2200 5 bytes JMP 0000000077b504b0 .text C:\Windows\system32\lsass.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000779f2230 5 bytes JMP 0000000077b50300 .text C:\Windows\system32\lsass.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000779f2240 5 bytes JMP 0000000077b50360 .text C:\Windows\system32\lsass.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000779f22a0 5 bytes JMP 0000000077b502a0 .text C:\Windows\system32\lsass.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000779f22f0 5 bytes JMP 0000000077b502c0 .text C:\Windows\system32\lsass.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000779f2320 5 bytes JMP 0000000077b50380 .text C:\Windows\system32\lsass.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000779f2330 5 bytes JMP 0000000077b50340 .text C:\Windows\system32\lsass.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000779f2620 5 bytes JMP 0000000077b50450 .text C:\Windows\system32\lsass.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000779f2820 5 bytes JMP 0000000077b50260 .text C:\Windows\system32\lsass.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000779f2830 5 bytes JMP 0000000077b50270 .text C:\Windows\system32\lsass.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000779f2840 5 bytes JMP 0000000077b50400 .text C:\Windows\system32\lsass.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000779f2a00 5 bytes JMP 0000000077b501f0 .text C:\Windows\system32\lsass.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000779f2a10 5 bytes JMP 0000000077b50210 .text C:\Windows\system32\lsass.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000779f2a80 5 bytes JMP 0000000077b50200 .text C:\Windows\system32\lsass.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000779f2ae0 5 bytes JMP 0000000077b50420 .text C:\Windows\system32\lsass.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000779f2af0 5 bytes JMP 0000000077b50430 .text C:\Windows\system32\lsass.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000779f2b00 5 bytes JMP 0000000077b50220 .text C:\Windows\system32\lsass.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000779f2be0 5 bytes JMP 0000000077b50280 .text C:\Windows\system32\lsass.exe[668] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000777deecd 1 byte [62] .text C:\Windows\system32\lsm.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000779f13c0 5 bytes JMP 0000000077b50470 .text C:\Windows\system32\lsm.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000779f1410 5 bytes JMP 0000000077b50460 .text C:\Windows\system32\lsm.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000779f1570 5 bytes JMP 0000000077b50370 .text C:\Windows\system32\lsm.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000779f15c0 5 bytes JMP 0000000077b50480 .text C:\Windows\system32\lsm.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000779f15d0 5 bytes JMP 0000000077b503e0 .text C:\Windows\system32\lsm.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000779f1680 5 bytes JMP 0000000077b50320 .text C:\Windows\system32\lsm.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000779f16b0 5 bytes JMP 0000000077b503b0 .text C:\Windows\system32\lsm.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000779f16d0 5 bytes JMP 0000000077b50390 .text C:\Windows\system32\lsm.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000779f1710 5 bytes JMP 0000000077b502e0 .text C:\Windows\system32\lsm.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 00000000779f1760 5 bytes JMP 0000000077b50440 .text C:\Windows\system32\lsm.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000779f1790 5 bytes JMP 0000000077b502d0 .text C:\Windows\system32\lsm.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000779f17b0 5 bytes JMP 0000000077b50310 .text C:\Windows\system32\lsm.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000779f17f0 5 bytes JMP 0000000077b503c0 .text C:\Windows\system32\lsm.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000779f1840 5 bytes JMP 0000000077b503f0 .text C:\Windows\system32\lsm.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000779f19a0 1 byte JMP 0000000077b50230 .text C:\Windows\system32\lsm.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000779f19a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\lsm.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000779f1b60 5 bytes JMP 0000000077b50490 .text C:\Windows\system32\lsm.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000779f1b90 5 bytes JMP 0000000077b503a0 .text C:\Windows\system32\lsm.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000779f1c70 5 bytes JMP 0000000077b502f0 .text C:\Windows\system32\lsm.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000779f1c80 5 bytes JMP 0000000077b50350 .text C:\Windows\system32\lsm.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000779f1ce0 5 bytes JMP 0000000077b50290 .text C:\Windows\system32\lsm.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000779f1d70 5 bytes JMP 0000000077b502b0 .text C:\Windows\system32\lsm.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000779f1d90 5 bytes JMP 0000000077b503d0 .text C:\Windows\system32\lsm.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000779f1da0 1 byte JMP 0000000077b50330 .text C:\Windows\system32\lsm.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00000000779f1da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\lsm.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000779f1e10 5 bytes JMP 0000000077b50410 .text C:\Windows\system32\lsm.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000779f1e40 5 bytes JMP 0000000077b50240 .text C:\Windows\system32\lsm.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000779f2100 5 bytes JMP 0000000077b501e0 .text C:\Windows\system32\lsm.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000779f21c0 1 byte JMP 0000000077b50250 .text C:\Windows\system32\lsm.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000779f21c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\lsm.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000779f21f0 5 bytes JMP 0000000077b504a0 .text C:\Windows\system32\lsm.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000779f2200 5 bytes JMP 0000000077b504b0 .text C:\Windows\system32\lsm.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000779f2230 5 bytes JMP 0000000077b50300 .text C:\Windows\system32\lsm.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000779f2240 5 bytes JMP 0000000077b50360 .text C:\Windows\system32\lsm.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000779f22a0 5 bytes JMP 0000000077b502a0 .text C:\Windows\system32\lsm.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000779f22f0 5 bytes JMP 0000000077b502c0 .text C:\Windows\system32\lsm.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000779f2320 5 bytes JMP 0000000077b50380 .text C:\Windows\system32\lsm.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000779f2330 5 bytes JMP 0000000077b50340 .text C:\Windows\system32\lsm.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000779f2620 5 bytes JMP 0000000077b50450 .text C:\Windows\system32\lsm.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000779f2820 5 bytes JMP 0000000077b50260 .text C:\Windows\system32\lsm.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000779f2830 5 bytes JMP 0000000077b50270 .text C:\Windows\system32\lsm.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000779f2840 5 bytes JMP 0000000077b50400 .text C:\Windows\system32\lsm.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000779f2a00 5 bytes JMP 0000000077b501f0 .text C:\Windows\system32\lsm.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000779f2a10 5 bytes JMP 0000000077b50210 .text C:\Windows\system32\lsm.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000779f2a80 5 bytes JMP 0000000077b50200 .text C:\Windows\system32\lsm.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000779f2ae0 5 bytes JMP 0000000077b50420 .text C:\Windows\system32\lsm.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000779f2af0 5 bytes JMP 0000000077b50430 .text C:\Windows\system32\lsm.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000779f2b00 5 bytes JMP 0000000077b50220 .text C:\Windows\system32\lsm.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000779f2be0 5 bytes JMP 0000000077b50280 .text C:\Windows\system32\svchost.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000779f13c0 5 bytes JMP 0000000077b50470 .text C:\Windows\system32\svchost.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000779f1410 5 bytes JMP 0000000077b50460 .text C:\Windows\system32\svchost.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000779f1570 5 bytes JMP 0000000077b50370 .text C:\Windows\system32\svchost.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000779f15c0 5 bytes JMP 0000000077b50480 .text C:\Windows\system32\svchost.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000779f15d0 5 bytes JMP 0000000077b503e0 .text C:\Windows\system32\svchost.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000779f1680 5 bytes JMP 0000000077b50320 .text C:\Windows\system32\svchost.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000779f16b0 5 bytes JMP 0000000077b503b0 .text C:\Windows\system32\svchost.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000779f16d0 5 bytes JMP 0000000077b50390 .text C:\Windows\system32\svchost.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000779f1710 5 bytes JMP 0000000077b502e0 .text C:\Windows\system32\svchost.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 00000000779f1760 5 bytes JMP 0000000077b50440 .text C:\Windows\system32\svchost.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000779f1790 5 bytes JMP 0000000077b502d0 .text C:\Windows\system32\svchost.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000779f17b0 5 bytes JMP 0000000077b50310 .text C:\Windows\system32\svchost.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000779f17f0 5 bytes JMP 0000000077b503c0 .text C:\Windows\system32\svchost.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000779f1840 5 bytes JMP 0000000077b503f0 .text C:\Windows\system32\svchost.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000779f19a0 1 byte JMP 0000000077b50230 .text C:\Windows\system32\svchost.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000779f19a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\svchost.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000779f1b60 5 bytes JMP 0000000077b50490 .text C:\Windows\system32\svchost.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000779f1b90 5 bytes JMP 0000000077b503a0 .text C:\Windows\system32\svchost.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000779f1c70 5 bytes JMP 0000000077b502f0 .text C:\Windows\system32\svchost.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000779f1c80 5 bytes JMP 0000000077b50350 .text C:\Windows\system32\svchost.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000779f1ce0 5 bytes JMP 0000000077b50290 .text C:\Windows\system32\svchost.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000779f1d70 5 bytes JMP 0000000077b502b0 .text C:\Windows\system32\svchost.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000779f1d90 5 bytes JMP 0000000077b503d0 .text C:\Windows\system32\svchost.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000779f1da0 1 byte JMP 0000000077b50330 .text C:\Windows\system32\svchost.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00000000779f1da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\svchost.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000779f1e10 5 bytes JMP 0000000077b50410 .text C:\Windows\system32\svchost.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000779f1e40 5 bytes JMP 0000000077b50240 .text C:\Windows\system32\svchost.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000779f2100 5 bytes JMP 0000000077b501e0 .text C:\Windows\system32\svchost.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000779f21c0 1 byte JMP 0000000077b50250 .text C:\Windows\system32\svchost.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000779f21c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\svchost.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000779f21f0 5 bytes JMP 0000000077b504a0 .text C:\Windows\system32\svchost.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000779f2200 5 bytes JMP 0000000077b504b0 .text C:\Windows\system32\svchost.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000779f2230 5 bytes JMP 0000000077b50300 .text C:\Windows\system32\svchost.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000779f2240 5 bytes JMP 0000000077b50360 .text C:\Windows\system32\svchost.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000779f22a0 5 bytes JMP 0000000077b502a0 .text C:\Windows\system32\svchost.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000779f22f0 5 bytes JMP 0000000077b502c0 .text C:\Windows\system32\svchost.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000779f2320 5 bytes JMP 0000000077b50380 .text C:\Windows\system32\svchost.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000779f2330 5 bytes JMP 0000000077b50340 .text C:\Windows\system32\svchost.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000779f2620 5 bytes JMP 0000000077b50450 .text C:\Windows\system32\svchost.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000779f2820 5 bytes JMP 0000000077b50260 .text C:\Windows\system32\svchost.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000779f2830 5 bytes JMP 0000000077b50270 .text C:\Windows\system32\svchost.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000779f2840 5 bytes JMP 0000000077b50400 .text C:\Windows\system32\svchost.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000779f2a00 5 bytes JMP 0000000077b501f0 .text C:\Windows\system32\svchost.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000779f2a10 5 bytes JMP 0000000077b50210 .text C:\Windows\system32\svchost.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000779f2a80 5 bytes JMP 0000000077b50200 .text C:\Windows\system32\svchost.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000779f2ae0 5 bytes JMP 0000000077b50420 .text C:\Windows\system32\svchost.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000779f2af0 5 bytes JMP 0000000077b50430 .text C:\Windows\system32\svchost.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000779f2b00 5 bytes JMP 0000000077b50220 .text C:\Windows\system32\svchost.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000779f2be0 5 bytes JMP 0000000077b50280 .text C:\Windows\system32\svchost.exe[768] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000777deecd 1 byte [62] .text C:\Windows\system32\nvvsvc.exe[860] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000777deecd 1 byte [62] .text C:\Windows\system32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000779f13c0 5 bytes JMP 0000000077b50470 .text C:\Windows\system32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000779f1410 5 bytes JMP 0000000077b50460 .text C:\Windows\system32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000779f1570 5 bytes JMP 0000000077b50370 .text C:\Windows\system32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000779f15c0 5 bytes JMP 0000000077b50480 .text C:\Windows\system32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000779f15d0 5 bytes JMP 0000000077b503e0 .text C:\Windows\system32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000779f1680 5 bytes JMP 0000000077b50320 .text C:\Windows\system32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000779f16b0 5 bytes JMP 0000000077b503b0 .text C:\Windows\system32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000779f16d0 5 bytes JMP 0000000077b50390 .text C:\Windows\system32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000779f1710 5 bytes JMP 0000000077b502e0 .text C:\Windows\system32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 00000000779f1760 5 bytes JMP 0000000077b50440 .text C:\Windows\system32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000779f1790 5 bytes JMP 0000000077b502d0 .text C:\Windows\system32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000779f17b0 5 bytes JMP 0000000077b50310 .text C:\Windows\system32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000779f17f0 5 bytes JMP 0000000077b503c0 .text C:\Windows\system32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000779f1840 5 bytes JMP 0000000077b503f0 .text C:\Windows\system32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000779f19a0 1 byte JMP 0000000077b50230 .text C:\Windows\system32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000779f19a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000779f1b60 5 bytes JMP 0000000077b50490 .text C:\Windows\system32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000779f1b90 5 bytes JMP 0000000077b503a0 .text C:\Windows\system32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000779f1c70 5 bytes JMP 0000000077b502f0 .text C:\Windows\system32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000779f1c80 5 bytes JMP 0000000077b50350 .text C:\Windows\system32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000779f1ce0 5 bytes JMP 0000000077b50290 .text C:\Windows\system32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000779f1d70 5 bytes JMP 0000000077b502b0 .text C:\Windows\system32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000779f1d90 5 bytes JMP 0000000077b503d0 .text C:\Windows\system32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000779f1da0 1 byte JMP 0000000077b50330 .text C:\Windows\system32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00000000779f1da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000779f1e10 5 bytes JMP 0000000077b50410 .text C:\Windows\system32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000779f1e40 5 bytes JMP 0000000077b50240 .text C:\Windows\system32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000779f2100 5 bytes JMP 0000000077b501e0 .text C:\Windows\system32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000779f21c0 1 byte JMP 0000000077b50250 .text C:\Windows\system32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000779f21c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000779f21f0 5 bytes JMP 0000000077b504a0 .text C:\Windows\system32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000779f2200 5 bytes JMP 0000000077b504b0 .text C:\Windows\system32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000779f2230 5 bytes JMP 0000000077b50300 .text C:\Windows\system32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000779f2240 5 bytes JMP 0000000077b50360 .text C:\Windows\system32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000779f22a0 5 bytes JMP 0000000077b502a0 .text C:\Windows\system32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000779f22f0 5 bytes JMP 0000000077b502c0 .text C:\Windows\system32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000779f2320 5 bytes JMP 0000000077b50380 .text C:\Windows\system32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000779f2330 5 bytes JMP 0000000077b50340 .text C:\Windows\system32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000779f2620 5 bytes JMP 0000000077b50450 .text C:\Windows\system32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000779f2820 5 bytes JMP 0000000077b50260 .text C:\Windows\system32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000779f2830 5 bytes JMP 0000000077b50270 .text C:\Windows\system32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000779f2840 5 bytes JMP 0000000077b50400 .text C:\Windows\system32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000779f2a00 5 bytes JMP 0000000077b501f0 .text C:\Windows\system32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000779f2a10 5 bytes JMP 0000000077b50210 .text C:\Windows\system32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000779f2a80 5 bytes JMP 0000000077b50200 .text C:\Windows\system32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000779f2ae0 5 bytes JMP 0000000077b50420 .text C:\Windows\system32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000779f2af0 5 bytes JMP 0000000077b50430 .text C:\Windows\system32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000779f2b00 5 bytes JMP 0000000077b50220 .text C:\Windows\system32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000779f2be0 5 bytes JMP 0000000077b50280 .text C:\Windows\system32\atiesrxx.exe[988] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000777deecd 1 byte [62] .text C:\Windows\System32\svchost.exe[112] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000779f13c0 5 bytes JMP 0000000100070470 .text C:\Windows\System32\svchost.exe[112] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000779f1410 5 bytes JMP 0000000100070460 .text C:\Windows\System32\svchost.exe[112] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000779f1570 5 bytes JMP 0000000100070370 .text C:\Windows\System32\svchost.exe[112] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000779f15c0 5 bytes JMP 0000000100070480 .text C:\Windows\System32\svchost.exe[112] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000779f15d0 5 bytes JMP 00000001000703e0 .text C:\Windows\System32\svchost.exe[112] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000779f1680 5 bytes JMP 0000000100070320 .text C:\Windows\System32\svchost.exe[112] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000779f16b0 5 bytes JMP 00000001000703b0 .text C:\Windows\System32\svchost.exe[112] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000779f16d0 5 bytes JMP 0000000100070390 .text C:\Windows\System32\svchost.exe[112] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000779f1710 5 bytes JMP 00000001000702e0 .text C:\Windows\System32\svchost.exe[112] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 00000000779f1760 5 bytes JMP 0000000100070440 .text C:\Windows\System32\svchost.exe[112] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000779f1790 5 bytes JMP 00000001000702d0 .text C:\Windows\System32\svchost.exe[112] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000779f17b0 5 bytes JMP 0000000100070310 .text C:\Windows\System32\svchost.exe[112] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000779f17f0 5 bytes JMP 00000001000703c0 .text C:\Windows\System32\svchost.exe[112] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000779f1840 5 bytes JMP 00000001000703f0 .text C:\Windows\System32\svchost.exe[112] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000779f19a0 1 byte JMP 0000000100070230 .text C:\Windows\System32\svchost.exe[112] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000779f19a2 3 bytes {JMP 0xffffffff8867e890} .text C:\Windows\System32\svchost.exe[112] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000779f1b60 5 bytes JMP 0000000100070490 .text C:\Windows\System32\svchost.exe[112] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000779f1b90 5 bytes JMP 00000001000703a0 .text C:\Windows\System32\svchost.exe[112] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000779f1c70 5 bytes JMP 00000001000702f0 .text C:\Windows\System32\svchost.exe[112] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000779f1c80 5 bytes JMP 0000000100070350 .text C:\Windows\System32\svchost.exe[112] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000779f1ce0 5 bytes JMP 0000000100070290 .text C:\Windows\System32\svchost.exe[112] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000779f1d70 5 bytes JMP 00000001000702b0 .text C:\Windows\System32\svchost.exe[112] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000779f1d90 5 bytes JMP 00000001000703d0 .text C:\Windows\System32\svchost.exe[112] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000779f1da0 1 byte JMP 0000000100070330 .text C:\Windows\System32\svchost.exe[112] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00000000779f1da2 3 bytes {JMP 0xffffffff8867e590} .text C:\Windows\System32\svchost.exe[112] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000779f1e10 5 bytes JMP 0000000100070410 .text C:\Windows\System32\svchost.exe[112] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000779f1e40 5 bytes JMP 0000000100070240 .text C:\Windows\System32\svchost.exe[112] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000779f2100 5 bytes JMP 00000001000701e0 .text C:\Windows\System32\svchost.exe[112] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000779f21c0 1 byte JMP 0000000100070250 .text C:\Windows\System32\svchost.exe[112] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000779f21c2 3 bytes {JMP 0xffffffff8867e090} .text C:\Windows\System32\svchost.exe[112] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000779f21f0 5 bytes JMP 00000001000704a0 .text C:\Windows\System32\svchost.exe[112] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000779f2200 5 bytes JMP 00000001000704b0 .text C:\Windows\System32\svchost.exe[112] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000779f2230 5 bytes JMP 0000000100070300 .text C:\Windows\System32\svchost.exe[112] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000779f2240 5 bytes JMP 0000000100070360 .text C:\Windows\System32\svchost.exe[112] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000779f22a0 5 bytes JMP 00000001000702a0 .text C:\Windows\System32\svchost.exe[112] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000779f22f0 5 bytes JMP 00000001000702c0 .text C:\Windows\System32\svchost.exe[112] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000779f2320 5 bytes JMP 0000000100070380 .text C:\Windows\System32\svchost.exe[112] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000779f2330 5 bytes JMP 0000000100070340 .text C:\Windows\System32\svchost.exe[112] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000779f2620 5 bytes JMP 0000000100070450 .text C:\Windows\System32\svchost.exe[112] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000779f2820 5 bytes JMP 0000000100070260 .text C:\Windows\System32\svchost.exe[112] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000779f2830 5 bytes JMP 0000000100070270 .text C:\Windows\System32\svchost.exe[112] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000779f2840 5 bytes JMP 0000000100070400 .text C:\Windows\System32\svchost.exe[112] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000779f2a00 5 bytes JMP 00000001000701f0 .text C:\Windows\System32\svchost.exe[112] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000779f2a10 5 bytes JMP 0000000100070210 .text C:\Windows\System32\svchost.exe[112] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000779f2a80 5 bytes JMP 0000000100070200 .text C:\Windows\System32\svchost.exe[112] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000779f2ae0 5 bytes JMP 0000000100070420 .text C:\Windows\System32\svchost.exe[112] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000779f2af0 5 bytes JMP 0000000100070430 .text C:\Windows\System32\svchost.exe[112] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000779f2b00 5 bytes JMP 0000000100070220 .text C:\Windows\System32\svchost.exe[112] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000779f2be0 5 bytes JMP 0000000100070280 .text C:\Windows\System32\svchost.exe[112] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000777deecd 1 byte [62] .text C:\Windows\System32\svchost.exe[388] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000779f13c0 5 bytes JMP 0000000077b50470 .text C:\Windows\System32\svchost.exe[388] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000779f1410 5 bytes JMP 0000000077b50460 .text C:\Windows\System32\svchost.exe[388] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000779f1570 5 bytes JMP 0000000077b50370 .text C:\Windows\System32\svchost.exe[388] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000779f15c0 5 bytes JMP 0000000077b50480 .text C:\Windows\System32\svchost.exe[388] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000779f15d0 5 bytes JMP 0000000077b503e0 .text C:\Windows\System32\svchost.exe[388] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000779f1680 5 bytes JMP 0000000077b50320 .text C:\Windows\System32\svchost.exe[388] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000779f16b0 5 bytes JMP 0000000077b503b0 .text C:\Windows\System32\svchost.exe[388] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000779f16d0 5 bytes JMP 0000000077b50390 .text C:\Windows\System32\svchost.exe[388] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000779f1710 5 bytes JMP 0000000077b502e0 .text C:\Windows\System32\svchost.exe[388] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 00000000779f1760 5 bytes JMP 0000000077b50440 .text C:\Windows\System32\svchost.exe[388] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000779f1790 5 bytes JMP 0000000077b502d0 .text C:\Windows\System32\svchost.exe[388] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000779f17b0 5 bytes JMP 0000000077b50310 .text C:\Windows\System32\svchost.exe[388] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000779f17f0 5 bytes JMP 0000000077b503c0 .text C:\Windows\System32\svchost.exe[388] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000779f1840 5 bytes JMP 0000000077b503f0 .text C:\Windows\System32\svchost.exe[388] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000779f19a0 1 byte JMP 0000000077b50230 .text C:\Windows\System32\svchost.exe[388] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000779f19a2 3 bytes {JMP 0x15e890} .text C:\Windows\System32\svchost.exe[388] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000779f1b60 5 bytes JMP 0000000077b50490 .text C:\Windows\System32\svchost.exe[388] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000779f1b90 5 bytes JMP 0000000077b503a0 .text C:\Windows\System32\svchost.exe[388] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000779f1c70 5 bytes JMP 0000000077b502f0 .text C:\Windows\System32\svchost.exe[388] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000779f1c80 5 bytes JMP 0000000077b50350 .text C:\Windows\System32\svchost.exe[388] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000779f1ce0 5 bytes JMP 0000000077b50290 .text C:\Windows\System32\svchost.exe[388] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000779f1d70 5 bytes JMP 0000000077b502b0 .text C:\Windows\System32\svchost.exe[388] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000779f1d90 5 bytes JMP 0000000077b503d0 .text C:\Windows\System32\svchost.exe[388] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000779f1da0 1 byte JMP 0000000077b50330 .text C:\Windows\System32\svchost.exe[388] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00000000779f1da2 3 bytes {JMP 0x15e590} .text C:\Windows\System32\svchost.exe[388] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000779f1e10 5 bytes JMP 0000000077b50410 .text C:\Windows\System32\svchost.exe[388] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000779f1e40 5 bytes JMP 0000000077b50240 .text C:\Windows\System32\svchost.exe[388] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000779f2100 5 bytes JMP 0000000077b501e0 .text C:\Windows\System32\svchost.exe[388] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000779f21c0 1 byte JMP 0000000077b50250 .text C:\Windows\System32\svchost.exe[388] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000779f21c2 3 bytes {JMP 0x15e090} .text C:\Windows\System32\svchost.exe[388] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000779f21f0 5 bytes JMP 0000000077b504a0 .text C:\Windows\System32\svchost.exe[388] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000779f2200 5 bytes JMP 0000000077b504b0 .text C:\Windows\System32\svchost.exe[388] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000779f2230 5 bytes JMP 0000000077b50300 .text C:\Windows\System32\svchost.exe[388] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000779f2240 5 bytes JMP 0000000077b50360 .text C:\Windows\System32\svchost.exe[388] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000779f22a0 5 bytes JMP 0000000077b502a0 .text C:\Windows\System32\svchost.exe[388] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000779f22f0 5 bytes JMP 0000000077b502c0 .text C:\Windows\System32\svchost.exe[388] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000779f2320 5 bytes JMP 0000000077b50380 .text C:\Windows\System32\svchost.exe[388] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000779f2330 5 bytes JMP 0000000077b50340 .text C:\Windows\System32\svchost.exe[388] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000779f2620 5 bytes JMP 0000000077b50450 .text C:\Windows\System32\svchost.exe[388] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000779f2820 5 bytes JMP 0000000077b50260 .text C:\Windows\System32\svchost.exe[388] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000779f2830 5 bytes JMP 0000000077b50270 .text C:\Windows\System32\svchost.exe[388] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000779f2840 5 bytes JMP 0000000077b50400 .text C:\Windows\System32\svchost.exe[388] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000779f2a00 5 bytes JMP 0000000077b501f0 .text C:\Windows\System32\svchost.exe[388] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000779f2a10 5 bytes JMP 0000000077b50210 .text C:\Windows\System32\svchost.exe[388] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000779f2a80 5 bytes JMP 0000000077b50200 .text C:\Windows\System32\svchost.exe[388] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000779f2ae0 5 bytes JMP 0000000077b50420 .text C:\Windows\System32\svchost.exe[388] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000779f2af0 5 bytes JMP 0000000077b50430 .text C:\Windows\System32\svchost.exe[388] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000779f2b00 5 bytes JMP 0000000077b50220 .text C:\Windows\System32\svchost.exe[388] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000779f2be0 5 bytes JMP 0000000077b50280 .text C:\Windows\System32\svchost.exe[388] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000777deecd 1 byte [62] .text C:\Windows\system32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000779f13c0 5 bytes JMP 0000000077b50470 .text C:\Windows\system32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000779f1410 5 bytes JMP 0000000077b50460 .text C:\Windows\system32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000779f1570 5 bytes JMP 0000000077b50370 .text C:\Windows\system32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000779f15c0 5 bytes JMP 0000000077b50480 .text C:\Windows\system32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000779f15d0 5 bytes JMP 0000000077b503e0 .text C:\Windows\system32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000779f1680 5 bytes JMP 0000000077b50320 .text C:\Windows\system32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000779f16b0 5 bytes JMP 0000000077b503b0 .text C:\Windows\system32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000779f16d0 5 bytes JMP 0000000077b50390 .text C:\Windows\system32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000779f1710 5 bytes JMP 0000000077b502e0 .text C:\Windows\system32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 00000000779f1760 5 bytes JMP 0000000077b50440 .text C:\Windows\system32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000779f1790 5 bytes JMP 0000000077b502d0 .text C:\Windows\system32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000779f17b0 5 bytes JMP 0000000077b50310 .text C:\Windows\system32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000779f17f0 5 bytes JMP 0000000077b503c0 .text C:\Windows\system32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000779f1840 5 bytes JMP 0000000077b503f0 .text C:\Windows\system32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000779f19a0 1 byte JMP 0000000077b50230 .text C:\Windows\system32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000779f19a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000779f1b60 5 bytes JMP 0000000077b50490 .text C:\Windows\system32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000779f1b90 5 bytes JMP 0000000077b503a0 .text C:\Windows\system32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000779f1c70 5 bytes JMP 0000000077b502f0 .text C:\Windows\system32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000779f1c80 5 bytes JMP 0000000077b50350 .text C:\Windows\system32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000779f1ce0 5 bytes JMP 0000000077b50290 .text C:\Windows\system32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000779f1d70 5 bytes JMP 0000000077b502b0 .text C:\Windows\system32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000779f1d90 5 bytes JMP 0000000077b503d0 .text C:\Windows\system32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000779f1da0 1 byte JMP 0000000077b50330 .text C:\Windows\system32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00000000779f1da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000779f1e10 5 bytes JMP 0000000077b50410 .text C:\Windows\system32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000779f1e40 5 bytes JMP 0000000077b50240 .text C:\Windows\system32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000779f2100 5 bytes JMP 0000000077b501e0 .text C:\Windows\system32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000779f21c0 1 byte JMP 0000000077b50250 .text C:\Windows\system32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000779f21c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000779f21f0 5 bytes JMP 0000000077b504a0 .text C:\Windows\system32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000779f2200 5 bytes JMP 0000000077b504b0 .text C:\Windows\system32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000779f2230 5 bytes JMP 0000000077b50300 .text C:\Windows\system32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000779f2240 5 bytes JMP 0000000077b50360 .text C:\Windows\system32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000779f22a0 5 bytes JMP 0000000077b502a0 .text C:\Windows\system32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000779f22f0 5 bytes JMP 0000000077b502c0 .text C:\Windows\system32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000779f2320 5 bytes JMP 0000000077b50380 .text C:\Windows\system32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000779f2330 5 bytes JMP 0000000077b50340 .text C:\Windows\system32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000779f2620 5 bytes JMP 0000000077b50450 .text C:\Windows\system32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000779f2820 5 bytes JMP 0000000077b50260 .text C:\Windows\system32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000779f2830 5 bytes JMP 0000000077b50270 .text C:\Windows\system32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000779f2840 5 bytes JMP 0000000077b50400 .text C:\Windows\system32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000779f2a00 5 bytes JMP 0000000077b501f0 .text C:\Windows\system32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000779f2a10 5 bytes JMP 0000000077b50210 .text C:\Windows\system32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000779f2a80 5 bytes JMP 0000000077b50200 .text C:\Windows\system32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000779f2ae0 5 bytes JMP 0000000077b50420 .text C:\Windows\system32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000779f2af0 5 bytes JMP 0000000077b50430 .text C:\Windows\system32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000779f2b00 5 bytes JMP 0000000077b50220 .text C:\Windows\system32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000779f2be0 5 bytes JMP 0000000077b50280 .text C:\Windows\system32\svchost.exe[376] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000777deecd 1 byte [62] .text C:\Windows\system32\svchost.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000779f13c0 5 bytes JMP 0000000100070470 .text C:\Windows\system32\svchost.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000779f1410 5 bytes JMP 0000000100070460 .text C:\Windows\system32\svchost.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000779f1570 5 bytes JMP 0000000100070370 .text C:\Windows\system32\svchost.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000779f15c0 5 bytes JMP 0000000100070480 .text C:\Windows\system32\svchost.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000779f15d0 5 bytes JMP 00000001000703e0 .text C:\Windows\system32\svchost.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000779f1680 5 bytes JMP 0000000100070320 .text C:\Windows\system32\svchost.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000779f16b0 5 bytes JMP 00000001000703b0 .text C:\Windows\system32\svchost.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000779f16d0 5 bytes JMP 0000000100070390 .text C:\Windows\system32\svchost.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000779f1710 5 bytes JMP 00000001000702e0 .text C:\Windows\system32\svchost.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 00000000779f1760 5 bytes JMP 0000000100070440 .text C:\Windows\system32\svchost.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000779f1790 5 bytes JMP 00000001000702d0 .text C:\Windows\system32\svchost.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000779f17b0 5 bytes JMP 0000000100070310 .text C:\Windows\system32\svchost.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000779f17f0 5 bytes JMP 00000001000703c0 .text C:\Windows\system32\svchost.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000779f1840 5 bytes JMP 00000001000703f0 .text C:\Windows\system32\svchost.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000779f19a0 1 byte JMP 0000000100070230 .text C:\Windows\system32\svchost.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000779f19a2 3 bytes {JMP 0xffffffff8867e890} .text C:\Windows\system32\svchost.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000779f1b60 5 bytes JMP 0000000100070490 .text C:\Windows\system32\svchost.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000779f1b90 5 bytes JMP 00000001000703a0 .text C:\Windows\system32\svchost.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000779f1c70 5 bytes JMP 00000001000702f0 .text C:\Windows\system32\svchost.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000779f1c80 5 bytes JMP 0000000100070350 .text C:\Windows\system32\svchost.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000779f1ce0 5 bytes JMP 0000000100070290 .text C:\Windows\system32\svchost.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000779f1d70 5 bytes JMP 00000001000702b0 .text C:\Windows\system32\svchost.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000779f1d90 5 bytes JMP 00000001000703d0 .text C:\Windows\system32\svchost.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000779f1da0 1 byte JMP 0000000100070330 .text C:\Windows\system32\svchost.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00000000779f1da2 3 bytes {JMP 0xffffffff8867e590} .text C:\Windows\system32\svchost.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000779f1e10 5 bytes JMP 0000000100070410 .text C:\Windows\system32\svchost.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000779f1e40 5 bytes JMP 0000000100070240 .text C:\Windows\system32\svchost.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000779f2100 5 bytes JMP 00000001000701e0 .text C:\Windows\system32\svchost.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000779f21c0 1 byte JMP 0000000100070250 .text C:\Windows\system32\svchost.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000779f21c2 3 bytes {JMP 0xffffffff8867e090} .text C:\Windows\system32\svchost.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000779f21f0 5 bytes JMP 00000001000704a0 .text C:\Windows\system32\svchost.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000779f2200 5 bytes JMP 00000001000704b0 .text C:\Windows\system32\svchost.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000779f2230 5 bytes JMP 0000000100070300 .text C:\Windows\system32\svchost.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000779f2240 5 bytes JMP 0000000100070360 .text C:\Windows\system32\svchost.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000779f22a0 5 bytes JMP 00000001000702a0 .text C:\Windows\system32\svchost.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000779f22f0 5 bytes JMP 00000001000702c0 .text C:\Windows\system32\svchost.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000779f2320 5 bytes JMP 0000000100070380 .text C:\Windows\system32\svchost.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000779f2330 5 bytes JMP 0000000100070340 .text C:\Windows\system32\svchost.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000779f2620 5 bytes JMP 0000000100070450 .text C:\Windows\system32\svchost.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000779f2820 5 bytes JMP 0000000100070260 .text C:\Windows\system32\svchost.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000779f2830 5 bytes JMP 0000000100070270 .text C:\Windows\system32\svchost.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000779f2840 5 bytes JMP 0000000100070400 .text C:\Windows\system32\svchost.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000779f2a00 5 bytes JMP 00000001000701f0 .text C:\Windows\system32\svchost.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000779f2a10 5 bytes JMP 0000000100070210 .text C:\Windows\system32\svchost.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000779f2a80 5 bytes JMP 0000000100070200 .text C:\Windows\system32\svchost.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000779f2ae0 5 bytes JMP 0000000100070420 .text C:\Windows\system32\svchost.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000779f2af0 5 bytes JMP 0000000100070430 .text C:\Windows\system32\svchost.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000779f2b00 5 bytes JMP 0000000100070220 .text C:\Windows\system32\svchost.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000779f2be0 5 bytes JMP 0000000100070280 .text C:\Windows\system32\svchost.exe[1072] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000777deecd 1 byte [62] .text C:\Windows\system32\svchost.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000779f13c0 5 bytes JMP 0000000077b50470 .text C:\Windows\system32\svchost.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000779f1410 5 bytes JMP 0000000077b50460 .text C:\Windows\system32\svchost.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000779f1570 5 bytes JMP 0000000077b50370 .text C:\Windows\system32\svchost.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000779f15c0 5 bytes JMP 0000000077b50480 .text C:\Windows\system32\svchost.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000779f15d0 5 bytes JMP 0000000077b503e0 .text C:\Windows\system32\svchost.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000779f1680 5 bytes JMP 0000000077b50320 .text C:\Windows\system32\svchost.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000779f16b0 5 bytes JMP 0000000077b503b0 .text C:\Windows\system32\svchost.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000779f16d0 5 bytes JMP 0000000077b50390 .text C:\Windows\system32\svchost.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000779f1710 5 bytes JMP 0000000077b502e0 .text C:\Windows\system32\svchost.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 00000000779f1760 5 bytes JMP 0000000077b50440 .text C:\Windows\system32\svchost.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000779f1790 5 bytes JMP 0000000077b502d0 .text C:\Windows\system32\svchost.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000779f17b0 5 bytes JMP 0000000077b50310 .text C:\Windows\system32\svchost.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000779f17f0 5 bytes JMP 0000000077b503c0 .text C:\Windows\system32\svchost.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000779f1840 5 bytes JMP 0000000077b503f0 .text C:\Windows\system32\svchost.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000779f19a0 1 byte JMP 0000000077b50230 .text C:\Windows\system32\svchost.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000779f19a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\svchost.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000779f1b60 5 bytes JMP 0000000077b50490 .text C:\Windows\system32\svchost.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000779f1b90 5 bytes JMP 0000000077b503a0 .text C:\Windows\system32\svchost.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000779f1c70 5 bytes JMP 0000000077b502f0 .text C:\Windows\system32\svchost.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000779f1c80 5 bytes JMP 0000000077b50350 .text C:\Windows\system32\svchost.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000779f1ce0 5 bytes JMP 0000000077b50290 .text C:\Windows\system32\svchost.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000779f1d70 5 bytes JMP 0000000077b502b0 .text C:\Windows\system32\svchost.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000779f1d90 5 bytes JMP 0000000077b503d0 .text C:\Windows\system32\svchost.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000779f1da0 1 byte JMP 0000000077b50330 .text C:\Windows\system32\svchost.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00000000779f1da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\svchost.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000779f1e10 5 bytes JMP 0000000077b50410 .text C:\Windows\system32\svchost.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000779f1e40 5 bytes JMP 0000000077b50240 .text C:\Windows\system32\svchost.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000779f2100 5 bytes JMP 0000000077b501e0 .text C:\Windows\system32\svchost.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000779f21c0 1 byte JMP 0000000077b50250 .text C:\Windows\system32\svchost.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000779f21c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\svchost.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000779f21f0 5 bytes JMP 0000000077b504a0 .text C:\Windows\system32\svchost.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000779f2200 5 bytes JMP 0000000077b504b0 .text C:\Windows\system32\svchost.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000779f2230 5 bytes JMP 0000000077b50300 .text C:\Windows\system32\svchost.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000779f2240 5 bytes JMP 0000000077b50360 .text C:\Windows\system32\svchost.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000779f22a0 5 bytes JMP 0000000077b502a0 .text C:\Windows\system32\svchost.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000779f22f0 5 bytes JMP 0000000077b502c0 .text C:\Windows\system32\svchost.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000779f2320 5 bytes JMP 0000000077b50380 .text C:\Windows\system32\svchost.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000779f2330 5 bytes JMP 0000000077b50340 .text C:\Windows\system32\svchost.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000779f2620 5 bytes JMP 0000000077b50450 .text C:\Windows\system32\svchost.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000779f2820 5 bytes JMP 0000000077b50260 .text C:\Windows\system32\svchost.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000779f2830 5 bytes JMP 0000000077b50270 .text C:\Windows\system32\svchost.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000779f2840 5 bytes JMP 0000000077b50400 .text C:\Windows\system32\svchost.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000779f2a00 5 bytes JMP 0000000077b501f0 .text C:\Windows\system32\svchost.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000779f2a10 5 bytes JMP 0000000077b50210 .text C:\Windows\system32\svchost.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000779f2a80 5 bytes JMP 0000000077b50200 .text C:\Windows\system32\svchost.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000779f2ae0 5 bytes JMP 0000000077b50420 .text C:\Windows\system32\svchost.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000779f2af0 5 bytes JMP 0000000077b50430 .text C:\Windows\system32\svchost.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000779f2b00 5 bytes JMP 0000000077b50220 .text C:\Windows\system32\svchost.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000779f2be0 5 bytes JMP 0000000077b50280 .text C:\Windows\system32\svchost.exe[1176] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000777deecd 1 byte [62] .text C:\Windows\system32\atieclxx.exe[1280] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000779f13c0 5 bytes JMP 0000000100070470 .text C:\Windows\system32\atieclxx.exe[1280] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000779f1410 5 bytes JMP 0000000100070460 .text C:\Windows\system32\atieclxx.exe[1280] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000779f1570 5 bytes JMP 0000000100070370 .text C:\Windows\system32\atieclxx.exe[1280] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000779f15c0 5 bytes JMP 0000000100070480 .text C:\Windows\system32\atieclxx.exe[1280] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000779f15d0 5 bytes JMP 00000001000703e0 .text C:\Windows\system32\atieclxx.exe[1280] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000779f1680 5 bytes JMP 0000000100070320 .text C:\Windows\system32\atieclxx.exe[1280] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000779f16b0 5 bytes JMP 00000001000703b0 .text C:\Windows\system32\atieclxx.exe[1280] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000779f16d0 5 bytes JMP 0000000100070390 .text C:\Windows\system32\atieclxx.exe[1280] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000779f1710 5 bytes JMP 00000001000702e0 .text C:\Windows\system32\atieclxx.exe[1280] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 00000000779f1760 5 bytes JMP 0000000100070440 .text C:\Windows\system32\atieclxx.exe[1280] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000779f1790 5 bytes JMP 00000001000702d0 .text C:\Windows\system32\atieclxx.exe[1280] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000779f17b0 5 bytes JMP 0000000100070310 .text C:\Windows\system32\atieclxx.exe[1280] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000779f17f0 5 bytes JMP 00000001000703c0 .text C:\Windows\system32\atieclxx.exe[1280] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000779f1840 5 bytes JMP 00000001000703f0 .text C:\Windows\system32\atieclxx.exe[1280] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000779f19a0 1 byte JMP 0000000100070230 .text C:\Windows\system32\atieclxx.exe[1280] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000779f19a2 3 bytes {JMP 0xffffffff8867e890} .text C:\Windows\system32\atieclxx.exe[1280] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000779f1b60 5 bytes JMP 0000000100070490 .text C:\Windows\system32\atieclxx.exe[1280] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000779f1b90 5 bytes JMP 00000001000703a0 .text C:\Windows\system32\atieclxx.exe[1280] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000779f1c70 5 bytes JMP 00000001000702f0 .text C:\Windows\system32\atieclxx.exe[1280] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000779f1c80 5 bytes JMP 0000000100070350 .text C:\Windows\system32\atieclxx.exe[1280] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000779f1ce0 5 bytes JMP 0000000100070290 .text C:\Windows\system32\atieclxx.exe[1280] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000779f1d70 5 bytes JMP 00000001000702b0 .text C:\Windows\system32\atieclxx.exe[1280] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000779f1d90 5 bytes JMP 00000001000703d0 .text C:\Windows\system32\atieclxx.exe[1280] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000779f1da0 1 byte JMP 0000000100070330 .text C:\Windows\system32\atieclxx.exe[1280] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00000000779f1da2 3 bytes {JMP 0xffffffff8867e590} .text C:\Windows\system32\atieclxx.exe[1280] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000779f1e10 5 bytes JMP 0000000100070410 .text C:\Windows\system32\atieclxx.exe[1280] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000779f1e40 5 bytes JMP 0000000100070240 .text C:\Windows\system32\atieclxx.exe[1280] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000779f2100 5 bytes JMP 00000001000701e0 .text C:\Windows\system32\atieclxx.exe[1280] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000779f21c0 1 byte JMP 0000000100070250 .text C:\Windows\system32\atieclxx.exe[1280] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000779f21c2 3 bytes {JMP 0xffffffff8867e090} .text C:\Windows\system32\atieclxx.exe[1280] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000779f21f0 5 bytes JMP 00000001000704a0 .text C:\Windows\system32\atieclxx.exe[1280] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000779f2200 5 bytes JMP 00000001000704b0 .text C:\Windows\system32\atieclxx.exe[1280] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000779f2230 5 bytes JMP 0000000100070300 .text C:\Windows\system32\atieclxx.exe[1280] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000779f2240 5 bytes JMP 0000000100070360 .text C:\Windows\system32\atieclxx.exe[1280] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000779f22a0 5 bytes JMP 00000001000702a0 .text C:\Windows\system32\atieclxx.exe[1280] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000779f22f0 5 bytes JMP 00000001000702c0 .text C:\Windows\system32\atieclxx.exe[1280] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000779f2320 5 bytes JMP 0000000100070380 .text C:\Windows\system32\atieclxx.exe[1280] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000779f2330 5 bytes JMP 0000000100070340 .text C:\Windows\system32\atieclxx.exe[1280] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000779f2620 5 bytes JMP 0000000100070450 .text C:\Windows\system32\atieclxx.exe[1280] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000779f2820 5 bytes JMP 0000000100070260 .text C:\Windows\system32\atieclxx.exe[1280] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000779f2830 5 bytes JMP 0000000100070270 .text C:\Windows\system32\atieclxx.exe[1280] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000779f2840 5 bytes JMP 0000000100070400 .text C:\Windows\system32\atieclxx.exe[1280] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000779f2a00 5 bytes JMP 00000001000701f0 .text C:\Windows\system32\atieclxx.exe[1280] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000779f2a10 5 bytes JMP 0000000100070210 .text C:\Windows\system32\atieclxx.exe[1280] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000779f2a80 5 bytes JMP 0000000100070200 .text C:\Windows\system32\atieclxx.exe[1280] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000779f2ae0 5 bytes JMP 0000000100070420 .text C:\Windows\system32\atieclxx.exe[1280] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000779f2af0 5 bytes JMP 0000000100070430 .text C:\Windows\system32\atieclxx.exe[1280] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000779f2b00 5 bytes JMP 0000000100070220 .text C:\Windows\system32\atieclxx.exe[1280] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000779f2be0 5 bytes JMP 0000000100070280 .text C:\Windows\system32\Dwm.exe[1588] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000779f13c0 5 bytes JMP 0000000077b50470 .text C:\Windows\system32\Dwm.exe[1588] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000779f1410 5 bytes JMP 0000000077b50460 .text C:\Windows\system32\Dwm.exe[1588] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000779f1570 5 bytes JMP 0000000077b50370 .text C:\Windows\system32\Dwm.exe[1588] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000779f15c0 5 bytes JMP 0000000077b50480 .text C:\Windows\system32\Dwm.exe[1588] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000779f15d0 5 bytes JMP 0000000077b503e0 .text C:\Windows\system32\Dwm.exe[1588] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000779f1680 5 bytes JMP 0000000077b50320 .text C:\Windows\system32\Dwm.exe[1588] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000779f16b0 5 bytes JMP 0000000077b503b0 .text C:\Windows\system32\Dwm.exe[1588] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000779f16d0 5 bytes JMP 0000000077b50390 .text C:\Windows\system32\Dwm.exe[1588] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000779f1710 5 bytes JMP 0000000077b502e0 .text C:\Windows\system32\Dwm.exe[1588] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 00000000779f1760 5 bytes JMP 0000000077b50440 .text C:\Windows\system32\Dwm.exe[1588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000779f1790 5 bytes JMP 0000000077b502d0 .text C:\Windows\system32\Dwm.exe[1588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000779f17b0 5 bytes JMP 0000000077b50310 .text C:\Windows\system32\Dwm.exe[1588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000779f17f0 5 bytes JMP 0000000077b503c0 .text C:\Windows\system32\Dwm.exe[1588] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000779f1840 5 bytes JMP 0000000077b503f0 .text C:\Windows\system32\Dwm.exe[1588] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000779f19a0 1 byte JMP 0000000077b50230 .text C:\Windows\system32\Dwm.exe[1588] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000779f19a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\Dwm.exe[1588] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000779f1b60 5 bytes JMP 0000000077b50490 .text C:\Windows\system32\Dwm.exe[1588] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000779f1b90 5 bytes JMP 0000000077b503a0 .text C:\Windows\system32\Dwm.exe[1588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000779f1c70 5 bytes JMP 0000000077b502f0 .text C:\Windows\system32\Dwm.exe[1588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000779f1c80 5 bytes JMP 0000000077b50350 .text C:\Windows\system32\Dwm.exe[1588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000779f1ce0 5 bytes JMP 0000000077b50290 .text C:\Windows\system32\Dwm.exe[1588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000779f1d70 5 bytes JMP 0000000077b502b0 .text C:\Windows\system32\Dwm.exe[1588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000779f1d90 5 bytes JMP 0000000077b503d0 .text C:\Windows\system32\Dwm.exe[1588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000779f1da0 1 byte JMP 0000000077b50330 .text C:\Windows\system32\Dwm.exe[1588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00000000779f1da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\Dwm.exe[1588] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000779f1e10 5 bytes JMP 0000000077b50410 .text C:\Windows\system32\Dwm.exe[1588] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000779f1e40 5 bytes JMP 0000000077b50240 .text C:\Windows\system32\Dwm.exe[1588] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000779f2100 5 bytes JMP 0000000077b501e0 .text C:\Windows\system32\Dwm.exe[1588] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000779f21c0 1 byte JMP 0000000077b50250 .text C:\Windows\system32\Dwm.exe[1588] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000779f21c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\Dwm.exe[1588] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000779f21f0 5 bytes JMP 0000000077b504a0 .text C:\Windows\system32\Dwm.exe[1588] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000779f2200 5 bytes JMP 0000000077b504b0 .text C:\Windows\system32\Dwm.exe[1588] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000779f2230 5 bytes JMP 0000000077b50300 .text C:\Windows\system32\Dwm.exe[1588] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000779f2240 5 bytes JMP 0000000077b50360 .text C:\Windows\system32\Dwm.exe[1588] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000779f22a0 5 bytes JMP 0000000077b502a0 .text C:\Windows\system32\Dwm.exe[1588] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000779f22f0 5 bytes JMP 0000000077b502c0 .text C:\Windows\system32\Dwm.exe[1588] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000779f2320 5 bytes JMP 0000000077b50380 .text C:\Windows\system32\Dwm.exe[1588] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000779f2330 5 bytes JMP 0000000077b50340 .text C:\Windows\system32\Dwm.exe[1588] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000779f2620 5 bytes JMP 0000000077b50450 .text C:\Windows\system32\Dwm.exe[1588] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000779f2820 5 bytes JMP 0000000077b50260 .text C:\Windows\system32\Dwm.exe[1588] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000779f2830 5 bytes JMP 0000000077b50270 .text C:\Windows\system32\Dwm.exe[1588] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000779f2840 5 bytes JMP 0000000077b50400 .text C:\Windows\system32\Dwm.exe[1588] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000779f2a00 5 bytes JMP 0000000077b501f0 .text C:\Windows\system32\Dwm.exe[1588] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000779f2a10 5 bytes JMP 0000000077b50210 .text C:\Windows\system32\Dwm.exe[1588] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000779f2a80 5 bytes JMP 0000000077b50200 .text C:\Windows\system32\Dwm.exe[1588] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000779f2ae0 5 bytes JMP 0000000077b50420 .text C:\Windows\system32\Dwm.exe[1588] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000779f2af0 5 bytes JMP 0000000077b50430 .text C:\Windows\system32\Dwm.exe[1588] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000779f2b00 5 bytes JMP 0000000077b50220 .text C:\Windows\system32\Dwm.exe[1588] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000779f2be0 5 bytes JMP 0000000077b50280 .text C:\Windows\Explorer.EXE[1596] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000779f13c0 5 bytes JMP 0000000077b50470 .text C:\Windows\Explorer.EXE[1596] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000779f1410 5 bytes JMP 0000000077b50460 .text C:\Windows\Explorer.EXE[1596] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000779f1570 5 bytes JMP 0000000077b50370 .text C:\Windows\Explorer.EXE[1596] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000779f15c0 5 bytes JMP 0000000077b50480 .text C:\Windows\Explorer.EXE[1596] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000779f15d0 5 bytes JMP 0000000077b503e0 .text C:\Windows\Explorer.EXE[1596] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000779f1680 5 bytes JMP 0000000077b50320 .text C:\Windows\Explorer.EXE[1596] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000779f16b0 5 bytes JMP 0000000077b503b0 .text C:\Windows\Explorer.EXE[1596] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000779f16d0 5 bytes JMP 0000000077b50390 .text C:\Windows\Explorer.EXE[1596] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000779f1710 5 bytes JMP 0000000077b502e0 .text C:\Windows\Explorer.EXE[1596] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 00000000779f1760 5 bytes JMP 0000000077b50440 .text C:\Windows\Explorer.EXE[1596] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000779f1790 5 bytes JMP 0000000077b502d0 .text C:\Windows\Explorer.EXE[1596] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000779f17b0 5 bytes JMP 0000000077b50310 .text C:\Windows\Explorer.EXE[1596] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000779f17f0 5 bytes JMP 0000000077b503c0 .text C:\Windows\Explorer.EXE[1596] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000779f1840 5 bytes JMP 0000000077b503f0 .text C:\Windows\Explorer.EXE[1596] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000779f19a0 1 byte JMP 0000000077b50230 .text C:\Windows\Explorer.EXE[1596] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000779f19a2 3 bytes {JMP 0x15e890} .text C:\Windows\Explorer.EXE[1596] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000779f1b60 5 bytes JMP 0000000077b50490 .text C:\Windows\Explorer.EXE[1596] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000779f1b90 5 bytes JMP 0000000077b503a0 .text C:\Windows\Explorer.EXE[1596] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000779f1c70 5 bytes JMP 0000000077b502f0 .text C:\Windows\Explorer.EXE[1596] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000779f1c80 5 bytes JMP 0000000077b50350 .text C:\Windows\Explorer.EXE[1596] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000779f1ce0 5 bytes JMP 0000000077b50290 .text C:\Windows\Explorer.EXE[1596] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000779f1d70 5 bytes JMP 0000000077b502b0 .text C:\Windows\Explorer.EXE[1596] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000779f1d90 5 bytes JMP 0000000077b503d0 .text C:\Windows\Explorer.EXE[1596] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000779f1da0 1 byte JMP 0000000077b50330 .text C:\Windows\Explorer.EXE[1596] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00000000779f1da2 3 bytes {JMP 0x15e590} .text C:\Windows\Explorer.EXE[1596] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000779f1e10 5 bytes JMP 0000000077b50410 .text C:\Windows\Explorer.EXE[1596] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000779f1e40 5 bytes JMP 0000000077b50240 .text C:\Windows\Explorer.EXE[1596] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000779f2100 5 bytes JMP 0000000077b501e0 .text C:\Windows\Explorer.EXE[1596] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000779f21c0 1 byte JMP 0000000077b50250 .text C:\Windows\Explorer.EXE[1596] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000779f21c2 3 bytes {JMP 0x15e090} .text C:\Windows\Explorer.EXE[1596] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000779f21f0 5 bytes JMP 0000000077b504a0 .text C:\Windows\Explorer.EXE[1596] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000779f2200 5 bytes JMP 0000000077b504b0 .text C:\Windows\Explorer.EXE[1596] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000779f2230 5 bytes JMP 0000000077b50300 .text C:\Windows\Explorer.EXE[1596] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000779f2240 5 bytes JMP 0000000077b50360 .text C:\Windows\Explorer.EXE[1596] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000779f22a0 5 bytes JMP 0000000077b502a0 .text C:\Windows\Explorer.EXE[1596] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000779f22f0 5 bytes JMP 0000000077b502c0 .text C:\Windows\Explorer.EXE[1596] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000779f2320 5 bytes JMP 0000000077b50380 .text C:\Windows\Explorer.EXE[1596] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000779f2330 5 bytes JMP 0000000077b50340 .text C:\Windows\Explorer.EXE[1596] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000779f2620 5 bytes JMP 0000000077b50450 .text C:\Windows\Explorer.EXE[1596] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000779f2820 5 bytes JMP 0000000077b50260 .text C:\Windows\Explorer.EXE[1596] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000779f2830 5 bytes JMP 0000000077b50270 .text C:\Windows\Explorer.EXE[1596] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000779f2840 5 bytes JMP 0000000077b50400 .text C:\Windows\Explorer.EXE[1596] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000779f2a00 5 bytes JMP 0000000077b501f0 .text C:\Windows\Explorer.EXE[1596] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000779f2a10 5 bytes JMP 0000000077b50210 .text C:\Windows\Explorer.EXE[1596] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000779f2a80 5 bytes JMP 0000000077b50200 .text C:\Windows\Explorer.EXE[1596] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000779f2ae0 5 bytes JMP 0000000077b50420 .text C:\Windows\Explorer.EXE[1596] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000779f2af0 5 bytes JMP 0000000077b50430 .text C:\Windows\Explorer.EXE[1596] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000779f2b00 5 bytes JMP 0000000077b50220 .text C:\Windows\Explorer.EXE[1596] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000779f2be0 5 bytes JMP 0000000077b50280 .text C:\Windows\Explorer.EXE[1596] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000777deecd 1 byte [62] .text C:\Windows\System32\spoolsv.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000779f13c0 5 bytes JMP 0000000077b50470 .text C:\Windows\System32\spoolsv.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000779f1410 5 bytes JMP 0000000077b50460 .text C:\Windows\System32\spoolsv.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000779f1570 5 bytes JMP 0000000077b50370 .text C:\Windows\System32\spoolsv.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000779f15c0 5 bytes JMP 0000000077b50480 .text C:\Windows\System32\spoolsv.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000779f15d0 5 bytes JMP 0000000077b503e0 .text C:\Windows\System32\spoolsv.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000779f1680 5 bytes JMP 0000000077b50320 .text C:\Windows\System32\spoolsv.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000779f16b0 5 bytes JMP 0000000077b503b0 .text C:\Windows\System32\spoolsv.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000779f16d0 5 bytes JMP 0000000077b50390 .text C:\Windows\System32\spoolsv.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000779f1710 5 bytes JMP 0000000077b502e0 .text C:\Windows\System32\spoolsv.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 00000000779f1760 5 bytes JMP 0000000077b50440 .text C:\Windows\System32\spoolsv.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000779f1790 5 bytes JMP 0000000077b502d0 .text C:\Windows\System32\spoolsv.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000779f17b0 5 bytes JMP 0000000077b50310 .text C:\Windows\System32\spoolsv.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000779f17f0 5 bytes JMP 0000000077b503c0 .text C:\Windows\System32\spoolsv.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000779f1840 5 bytes JMP 0000000077b503f0 .text C:\Windows\System32\spoolsv.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000779f19a0 1 byte JMP 0000000077b50230 .text C:\Windows\System32\spoolsv.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000779f19a2 3 bytes {JMP 0x15e890} .text C:\Windows\System32\spoolsv.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000779f1b60 5 bytes JMP 0000000077b50490 .text C:\Windows\System32\spoolsv.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000779f1b90 5 bytes JMP 0000000077b503a0 .text C:\Windows\System32\spoolsv.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000779f1c70 5 bytes JMP 0000000077b502f0 .text C:\Windows\System32\spoolsv.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000779f1c80 5 bytes JMP 0000000077b50350 .text C:\Windows\System32\spoolsv.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000779f1ce0 5 bytes JMP 0000000077b50290 .text C:\Windows\System32\spoolsv.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000779f1d70 5 bytes JMP 0000000077b502b0 .text C:\Windows\System32\spoolsv.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000779f1d90 5 bytes JMP 0000000077b503d0 .text C:\Windows\System32\spoolsv.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000779f1da0 1 byte JMP 0000000077b50330 .text C:\Windows\System32\spoolsv.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00000000779f1da2 3 bytes {JMP 0x15e590} .text C:\Windows\System32\spoolsv.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000779f1e10 5 bytes JMP 0000000077b50410 .text C:\Windows\System32\spoolsv.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000779f1e40 5 bytes JMP 0000000077b50240 .text C:\Windows\System32\spoolsv.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000779f2100 5 bytes JMP 0000000077b501e0 .text C:\Windows\System32\spoolsv.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000779f21c0 1 byte JMP 0000000077b50250 .text C:\Windows\System32\spoolsv.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000779f21c2 3 bytes {JMP 0x15e090} .text C:\Windows\System32\spoolsv.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000779f21f0 5 bytes JMP 0000000077b504a0 .text C:\Windows\System32\spoolsv.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000779f2200 5 bytes JMP 0000000077b504b0 .text C:\Windows\System32\spoolsv.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000779f2230 5 bytes JMP 0000000077b50300 .text C:\Windows\System32\spoolsv.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000779f2240 5 bytes JMP 0000000077b50360 .text C:\Windows\System32\spoolsv.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000779f22a0 5 bytes JMP 0000000077b502a0 .text C:\Windows\System32\spoolsv.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000779f22f0 5 bytes JMP 0000000077b502c0 .text C:\Windows\System32\spoolsv.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000779f2320 5 bytes JMP 0000000077b50380 .text C:\Windows\System32\spoolsv.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000779f2330 5 bytes JMP 0000000077b50340 .text C:\Windows\System32\spoolsv.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000779f2620 5 bytes JMP 0000000077b50450 .text C:\Windows\System32\spoolsv.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000779f2820 5 bytes JMP 0000000077b50260 .text C:\Windows\System32\spoolsv.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000779f2830 5 bytes JMP 0000000077b50270 .text C:\Windows\System32\spoolsv.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000779f2840 5 bytes JMP 0000000077b50400 .text C:\Windows\System32\spoolsv.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000779f2a00 5 bytes JMP 0000000077b501f0 .text C:\Windows\System32\spoolsv.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000779f2a10 5 bytes JMP 0000000077b50210 .text C:\Windows\System32\spoolsv.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000779f2a80 5 bytes JMP 0000000077b50200 .text C:\Windows\System32\spoolsv.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000779f2ae0 5 bytes JMP 0000000077b50420 .text C:\Windows\System32\spoolsv.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000779f2af0 5 bytes JMP 0000000077b50430 .text C:\Windows\System32\spoolsv.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000779f2b00 5 bytes JMP 0000000077b50220 .text C:\Windows\System32\spoolsv.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000779f2be0 5 bytes JMP 0000000077b50280 .text C:\Windows\System32\spoolsv.exe[1840] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000777deecd 1 byte [62] .text C:\Windows\system32\taskhost.exe[1848] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000779f13c0 5 bytes JMP 0000000077b50470 .text C:\Windows\system32\taskhost.exe[1848] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000779f1410 5 bytes JMP 0000000077b50460 .text C:\Windows\system32\taskhost.exe[1848] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000779f1570 5 bytes JMP 0000000077b50370 .text C:\Windows\system32\taskhost.exe[1848] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000779f15c0 5 bytes JMP 0000000077b50480 .text C:\Windows\system32\taskhost.exe[1848] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000779f15d0 5 bytes JMP 0000000077b503e0 .text C:\Windows\system32\taskhost.exe[1848] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000779f1680 5 bytes JMP 0000000077b50320 .text C:\Windows\system32\taskhost.exe[1848] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000779f16b0 5 bytes JMP 0000000077b503b0 .text C:\Windows\system32\taskhost.exe[1848] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000779f16d0 5 bytes JMP 0000000077b50390 .text C:\Windows\system32\taskhost.exe[1848] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000779f1710 5 bytes JMP 0000000077b502e0 .text C:\Windows\system32\taskhost.exe[1848] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 00000000779f1760 5 bytes JMP 0000000077b50440 .text C:\Windows\system32\taskhost.exe[1848] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000779f1790 5 bytes JMP 0000000077b502d0 .text C:\Windows\system32\taskhost.exe[1848] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000779f17b0 5 bytes JMP 0000000077b50310 .text C:\Windows\system32\taskhost.exe[1848] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000779f17f0 5 bytes JMP 0000000077b503c0 .text C:\Windows\system32\taskhost.exe[1848] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000779f1840 5 bytes JMP 0000000077b503f0 .text C:\Windows\system32\taskhost.exe[1848] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000779f19a0 1 byte JMP 0000000077b50230 .text C:\Windows\system32\taskhost.exe[1848] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000779f19a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\taskhost.exe[1848] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000779f1b60 5 bytes JMP 0000000077b50490 .text C:\Windows\system32\taskhost.exe[1848] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000779f1b90 5 bytes JMP 0000000077b503a0 .text C:\Windows\system32\taskhost.exe[1848] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000779f1c70 5 bytes JMP 0000000077b502f0 .text C:\Windows\system32\taskhost.exe[1848] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000779f1c80 5 bytes JMP 0000000077b50350 .text C:\Windows\system32\taskhost.exe[1848] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000779f1ce0 5 bytes JMP 0000000077b50290 .text C:\Windows\system32\taskhost.exe[1848] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000779f1d70 5 bytes JMP 0000000077b502b0 .text C:\Windows\system32\taskhost.exe[1848] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000779f1d90 5 bytes JMP 0000000077b503d0 .text C:\Windows\system32\taskhost.exe[1848] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000779f1da0 1 byte JMP 0000000077b50330 .text C:\Windows\system32\taskhost.exe[1848] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00000000779f1da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\taskhost.exe[1848] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000779f1e10 5 bytes JMP 0000000077b50410 .text C:\Windows\system32\taskhost.exe[1848] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000779f1e40 5 bytes JMP 0000000077b50240 .text C:\Windows\system32\taskhost.exe[1848] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000779f2100 5 bytes JMP 0000000077b501e0 .text C:\Windows\system32\taskhost.exe[1848] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000779f21c0 1 byte JMP 0000000077b50250 .text C:\Windows\system32\taskhost.exe[1848] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000779f21c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\taskhost.exe[1848] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000779f21f0 5 bytes JMP 0000000077b504a0 .text C:\Windows\system32\taskhost.exe[1848] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000779f2200 5 bytes JMP 0000000077b504b0 .text C:\Windows\system32\taskhost.exe[1848] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000779f2230 5 bytes JMP 0000000077b50300 .text C:\Windows\system32\taskhost.exe[1848] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000779f2240 5 bytes JMP 0000000077b50360 .text C:\Windows\system32\taskhost.exe[1848] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000779f22a0 5 bytes JMP 0000000077b502a0 .text C:\Windows\system32\taskhost.exe[1848] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000779f22f0 5 bytes JMP 0000000077b502c0 .text C:\Windows\system32\taskhost.exe[1848] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000779f2320 5 bytes JMP 0000000077b50380 .text C:\Windows\system32\taskhost.exe[1848] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000779f2330 5 bytes JMP 0000000077b50340 .text C:\Windows\system32\taskhost.exe[1848] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000779f2620 5 bytes JMP 0000000077b50450 .text C:\Windows\system32\taskhost.exe[1848] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000779f2820 5 bytes JMP 0000000077b50260 .text C:\Windows\system32\taskhost.exe[1848] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000779f2830 5 bytes JMP 0000000077b50270 .text C:\Windows\system32\taskhost.exe[1848] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000779f2840 5 bytes JMP 0000000077b50400 .text C:\Windows\system32\taskhost.exe[1848] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000779f2a00 5 bytes JMP 0000000077b501f0 .text C:\Windows\system32\taskhost.exe[1848] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000779f2a10 5 bytes JMP 0000000077b50210 .text C:\Windows\system32\taskhost.exe[1848] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000779f2a80 5 bytes JMP 0000000077b50200 .text C:\Windows\system32\taskhost.exe[1848] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000779f2ae0 5 bytes JMP 0000000077b50420 .text C:\Windows\system32\taskhost.exe[1848] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000779f2af0 5 bytes JMP 0000000077b50430 .text C:\Windows\system32\taskhost.exe[1848] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000779f2b00 5 bytes JMP 0000000077b50220 .text C:\Windows\system32\taskhost.exe[1848] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000779f2be0 5 bytes JMP 0000000077b50280 .text C:\Windows\system32\taskhost.exe[1848] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000777deecd 1 byte [62] .text C:\Windows\system32\svchost.exe[1908] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000779f13c0 5 bytes JMP 0000000100070470 .text C:\Windows\system32\svchost.exe[1908] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000779f1410 5 bytes JMP 0000000100070460 .text C:\Windows\system32\svchost.exe[1908] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000779f1570 5 bytes JMP 0000000100070370 .text C:\Windows\system32\svchost.exe[1908] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000779f15c0 5 bytes JMP 0000000100070480 .text C:\Windows\system32\svchost.exe[1908] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000779f15d0 5 bytes JMP 00000001000703e0 .text C:\Windows\system32\svchost.exe[1908] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000779f1680 5 bytes JMP 0000000100070320 .text C:\Windows\system32\svchost.exe[1908] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000779f16b0 5 bytes JMP 00000001000703b0 .text C:\Windows\system32\svchost.exe[1908] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000779f16d0 5 bytes JMP 0000000100070390 .text C:\Windows\system32\svchost.exe[1908] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000779f1710 5 bytes JMP 00000001000702e0 .text C:\Windows\system32\svchost.exe[1908] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 00000000779f1760 5 bytes JMP 0000000100070440 .text C:\Windows\system32\svchost.exe[1908] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000779f1790 5 bytes JMP 00000001000702d0 .text C:\Windows\system32\svchost.exe[1908] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000779f17b0 5 bytes JMP 0000000100070310 .text C:\Windows\system32\svchost.exe[1908] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000779f17f0 5 bytes JMP 00000001000703c0 .text C:\Windows\system32\svchost.exe[1908] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000779f1840 5 bytes JMP 00000001000703f0 .text C:\Windows\system32\svchost.exe[1908] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000779f19a0 1 byte JMP 0000000100070230 .text C:\Windows\system32\svchost.exe[1908] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000779f19a2 3 bytes {JMP 0xffffffff8867e890} .text C:\Windows\system32\svchost.exe[1908] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000779f1b60 5 bytes JMP 0000000100070490 .text C:\Windows\system32\svchost.exe[1908] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000779f1b90 5 bytes JMP 00000001000703a0 .text C:\Windows\system32\svchost.exe[1908] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000779f1c70 5 bytes JMP 00000001000702f0 .text C:\Windows\system32\svchost.exe[1908] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000779f1c80 5 bytes JMP 0000000100070350 .text C:\Windows\system32\svchost.exe[1908] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000779f1ce0 5 bytes JMP 0000000100070290 .text C:\Windows\system32\svchost.exe[1908] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000779f1d70 5 bytes JMP 00000001000702b0 .text C:\Windows\system32\svchost.exe[1908] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000779f1d90 5 bytes JMP 00000001000703d0 .text C:\Windows\system32\svchost.exe[1908] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000779f1da0 1 byte JMP 0000000100070330 .text C:\Windows\system32\svchost.exe[1908] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00000000779f1da2 3 bytes {JMP 0xffffffff8867e590} .text C:\Windows\system32\svchost.exe[1908] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000779f1e10 5 bytes JMP 0000000100070410 .text C:\Windows\system32\svchost.exe[1908] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000779f1e40 5 bytes JMP 0000000100070240 .text C:\Windows\system32\svchost.exe[1908] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000779f2100 5 bytes JMP 00000001000701e0 .text C:\Windows\system32\svchost.exe[1908] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000779f21c0 1 byte JMP 0000000100070250 .text C:\Windows\system32\svchost.exe[1908] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000779f21c2 3 bytes {JMP 0xffffffff8867e090} .text C:\Windows\system32\svchost.exe[1908] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000779f21f0 5 bytes JMP 00000001000704a0 .text C:\Windows\system32\svchost.exe[1908] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000779f2200 5 bytes JMP 00000001000704b0 .text C:\Windows\system32\svchost.exe[1908] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000779f2230 5 bytes JMP 0000000100070300 .text C:\Windows\system32\svchost.exe[1908] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000779f2240 5 bytes JMP 0000000100070360 .text C:\Windows\system32\svchost.exe[1908] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000779f22a0 5 bytes JMP 00000001000702a0 .text C:\Windows\system32\svchost.exe[1908] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000779f22f0 5 bytes JMP 00000001000702c0 .text C:\Windows\system32\svchost.exe[1908] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000779f2320 5 bytes JMP 0000000100070380 .text C:\Windows\system32\svchost.exe[1908] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000779f2330 5 bytes JMP 0000000100070340 .text C:\Windows\system32\svchost.exe[1908] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000779f2620 5 bytes JMP 0000000100070450 .text C:\Windows\system32\svchost.exe[1908] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000779f2820 5 bytes JMP 0000000100070260 .text C:\Windows\system32\svchost.exe[1908] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000779f2830 5 bytes JMP 0000000100070270 .text C:\Windows\system32\svchost.exe[1908] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000779f2840 5 bytes JMP 0000000100070400 .text C:\Windows\system32\svchost.exe[1908] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000779f2a00 5 bytes JMP 00000001000701f0 .text C:\Windows\system32\svchost.exe[1908] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000779f2a10 5 bytes JMP 0000000100070210 .text C:\Windows\system32\svchost.exe[1908] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000779f2a80 5 bytes JMP 0000000100070200 .text C:\Windows\system32\svchost.exe[1908] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000779f2ae0 5 bytes JMP 0000000100070420 .text C:\Windows\system32\svchost.exe[1908] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000779f2af0 5 bytes JMP 0000000100070430 .text C:\Windows\system32\svchost.exe[1908] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000779f2b00 5 bytes JMP 0000000100070220 .text C:\Windows\system32\svchost.exe[1908] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000779f2be0 5 bytes JMP 0000000100070280 .text C:\Windows\system32\svchost.exe[1908] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000777deecd 1 byte [62] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1136] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000779f13c0 5 bytes JMP 0000000077b50470 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1136] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000779f1410 5 bytes JMP 0000000077b50460 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1136] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000779f1570 5 bytes JMP 0000000077b50370 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1136] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000779f15c0 5 bytes JMP 0000000077b50480 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1136] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000779f15d0 5 bytes JMP 0000000077b503e0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1136] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000779f1680 5 bytes JMP 0000000077b50320 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1136] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000779f16b0 5 bytes JMP 0000000077b503b0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1136] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000779f16d0 5 bytes JMP 0000000077b50390 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1136] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000779f1710 5 bytes JMP 0000000077b502e0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1136] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 00000000779f1760 5 bytes JMP 0000000077b50440 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1136] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000779f1790 5 bytes JMP 0000000077b502d0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1136] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000779f17b0 5 bytes JMP 0000000077b50310 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1136] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000779f17f0 5 bytes JMP 0000000077b503c0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1136] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000779f1840 5 bytes JMP 0000000077b503f0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1136] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000779f19a0 1 byte JMP 0000000077b50230 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1136] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000779f19a2 3 bytes {JMP 0x15e890} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1136] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000779f1b60 5 bytes JMP 0000000077b50490 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1136] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000779f1b90 5 bytes JMP 0000000077b503a0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1136] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000779f1c70 5 bytes JMP 0000000077b502f0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1136] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000779f1c80 5 bytes JMP 0000000077b50350 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1136] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000779f1ce0 5 bytes JMP 0000000077b50290 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1136] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000779f1d70 5 bytes JMP 0000000077b502b0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1136] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000779f1d90 5 bytes JMP 0000000077b503d0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1136] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000779f1da0 1 byte JMP 0000000077b50330 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1136] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00000000779f1da2 3 bytes {JMP 0x15e590} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1136] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000779f1e10 5 bytes JMP 0000000077b50410 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1136] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000779f1e40 5 bytes JMP 0000000077b50240 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1136] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000779f2100 5 bytes JMP 0000000077b501e0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1136] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000779f21c0 1 byte JMP 0000000077b50250 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1136] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000779f21c2 3 bytes {JMP 0x15e090} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1136] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000779f21f0 5 bytes JMP 0000000077b504a0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1136] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000779f2200 5 bytes JMP 0000000077b504b0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1136] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000779f2230 5 bytes JMP 0000000077b50300 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1136] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000779f2240 5 bytes JMP 0000000077b50360 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1136] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000779f22a0 5 bytes JMP 0000000077b502a0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1136] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000779f22f0 5 bytes JMP 0000000077b502c0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1136] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000779f2320 5 bytes JMP 0000000077b50380 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1136] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000779f2330 5 bytes JMP 0000000077b50340 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1136] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000779f2620 5 bytes JMP 0000000077b50450 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1136] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000779f2820 5 bytes JMP 0000000077b50260 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1136] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000779f2830 5 bytes JMP 0000000077b50270 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1136] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000779f2840 5 bytes JMP 0000000077b50400 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1136] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000779f2a00 5 bytes JMP 0000000077b501f0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1136] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000779f2a10 5 bytes JMP 0000000077b50210 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1136] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000779f2a80 5 bytes JMP 0000000077b50200 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1136] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000779f2ae0 5 bytes JMP 0000000077b50420 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1136] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000779f2af0 5 bytes JMP 0000000077b50430 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1136] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000779f2b00 5 bytes JMP 0000000077b50220 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1136] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000779f2be0 5 bytes JMP 0000000077b50280 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1136] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000777deecd 1 byte [62] .text C:\Windows\SysWOW64\svchost.exe[1200] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007750a322 1 byte [62] .text C:\Windows\SysWOW64\svchost.exe[1200] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076321465 2 bytes [32, 76] .text C:\Windows\SysWOW64\svchost.exe[1200] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000763214bb 2 bytes [32, 76] .text ... * 2 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000779f13c0 5 bytes JMP 0000000077b50470 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000779f1410 5 bytes JMP 0000000077b50460 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000779f1570 5 bytes JMP 0000000077b50370 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000779f15c0 5 bytes JMP 0000000077b50480 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000779f15d0 5 bytes JMP 0000000077b503e0 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000779f1680 5 bytes JMP 0000000077b50320 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000779f16b0 5 bytes JMP 0000000077b503b0 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000779f16d0 5 bytes JMP 0000000077b50390 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000779f1710 5 bytes JMP 0000000077b502e0 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 00000000779f1760 5 bytes JMP 0000000077b50440 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000779f1790 5 bytes JMP 0000000077b502d0 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000779f17b0 5 bytes JMP 0000000077b50310 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000779f17f0 5 bytes JMP 0000000077b503c0 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000779f1840 5 bytes JMP 0000000077b503f0 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000779f19a0 1 byte JMP 0000000077b50230 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000779f19a2 3 bytes {JMP 0x15e890} .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000779f1b60 5 bytes JMP 0000000077b50490 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000779f1b90 5 bytes JMP 0000000077b503a0 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000779f1c70 5 bytes JMP 0000000077b502f0 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000779f1c80 5 bytes JMP 0000000077b50350 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000779f1ce0 5 bytes JMP 0000000077b50290 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000779f1d70 5 bytes JMP 0000000077b502b0 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000779f1d90 5 bytes JMP 0000000077b503d0 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000779f1da0 1 byte JMP 0000000077b50330 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00000000779f1da2 3 bytes {JMP 0x15e590} .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000779f1e10 5 bytes JMP 0000000077b50410 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000779f1e40 5 bytes JMP 0000000077b50240 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000779f2100 5 bytes JMP 0000000077b501e0 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000779f21c0 1 byte JMP 0000000077b50250 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000779f21c2 3 bytes {JMP 0x15e090} .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000779f21f0 5 bytes JMP 0000000077b504a0 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000779f2200 5 bytes JMP 0000000077b504b0 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000779f2230 5 bytes JMP 0000000077b50300 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000779f2240 5 bytes JMP 0000000077b50360 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000779f22a0 5 bytes JMP 0000000077b502a0 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000779f22f0 5 bytes JMP 0000000077b502c0 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000779f2320 5 bytes JMP 0000000077b50380 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000779f2330 5 bytes JMP 0000000077b50340 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000779f2620 5 bytes JMP 0000000077b50450 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000779f2820 5 bytes JMP 0000000077b50260 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000779f2830 5 bytes JMP 0000000077b50270 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000779f2840 5 bytes JMP 0000000077b50400 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000779f2a00 5 bytes JMP 0000000077b501f0 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000779f2a10 5 bytes JMP 0000000077b50210 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000779f2a80 5 bytes JMP 0000000077b50200 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000779f2ae0 5 bytes JMP 0000000077b50420 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000779f2af0 5 bytes JMP 0000000077b50430 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000779f2b00 5 bytes JMP 0000000077b50220 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000779f2be0 5 bytes JMP 0000000077b50280 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1412] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000777deecd 1 byte [62] .text C:\Program Files (x86)\DAEMON Tools Pro\DTShellHlp.exe[1472] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007750a322 1 byte [62] .text C:\Users\Fiziu\AppData\Local\Akamai\netsession_win.exe[1468] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007750a322 1 byte [62] .text C:\Users\Fiziu\AppData\Local\Akamai\netsession_win.exe[1468] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076321465 2 bytes [32, 76] .text C:\Users\Fiziu\AppData\Local\Akamai\netsession_win.exe[1468] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000763214bb 2 bytes [32, 76] .text ... * 2 .text C:\Program Files (x86)\LOLReplay\LOLRecorder.exe[1752] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 000000007750a322 1 byte [62] .text C:\Program Files (x86)\LOLReplay\LOLRecorder.exe[1752] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076321465 2 bytes [32, 76] .text C:\Program Files (x86)\LOLReplay\LOLRecorder.exe[1752] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000763214bb 2 bytes [32, 76] .text ... * 2 .text C:\Users\Fiziu\AppData\Local\Akamai\netsession_win.exe[2184] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007750a322 1 byte [62] .text C:\Users\Fiziu\AppData\Local\Akamai\netsession_win.exe[2184] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076321465 2 bytes [32, 76] .text C:\Users\Fiziu\AppData\Local\Akamai\netsession_win.exe[2184] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000763214bb 2 bytes [32, 76] .text ... * 2 .text c:\Program Files (x86)\Common Files\Protexis\License Service\PsiService_2.exe[2216] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007750a322 1 byte [62] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2400] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007750a322 1 byte [62] .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[2432] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007750a322 1 byte [62] .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2584] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007750a322 1 byte [62] .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2584] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076321465 2 bytes [32, 76] .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2584] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000763214bb 2 bytes [32, 76] .text ... * 2 .text C:\Windows\system32\svchost.exe[2664] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000777deecd 1 byte [62] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2796] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000779f13c0 5 bytes JMP 0000000077b50470 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2796] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000779f1410 5 bytes JMP 0000000077b50460 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2796] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000779f1570 5 bytes JMP 0000000077b50370 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2796] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000779f15c0 5 bytes JMP 0000000077b50480 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2796] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000779f15d0 5 bytes JMP 0000000077b503e0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2796] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000779f1680 5 bytes JMP 0000000077b50320 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2796] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000779f16b0 5 bytes JMP 0000000077b503b0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2796] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000779f16d0 5 bytes JMP 0000000077b50390 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2796] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000779f1710 5 bytes JMP 0000000077b502e0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2796] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 00000000779f1760 5 bytes JMP 0000000077b50440 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2796] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000779f1790 5 bytes JMP 0000000077b502d0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2796] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000779f17b0 5 bytes JMP 0000000077b50310 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2796] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000779f17f0 5 bytes JMP 0000000077b503c0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2796] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000779f1840 5 bytes JMP 0000000077b503f0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2796] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000779f19a0 1 byte JMP 0000000077b50230 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2796] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000779f19a2 3 bytes {JMP 0x15e890} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2796] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000779f1b60 5 bytes JMP 0000000077b50490 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2796] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000779f1b90 5 bytes JMP 0000000077b503a0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2796] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000779f1c70 5 bytes JMP 0000000077b502f0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2796] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000779f1c80 5 bytes JMP 0000000077b50350 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2796] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000779f1ce0 5 bytes JMP 0000000077b50290 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2796] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000779f1d70 5 bytes JMP 0000000077b502b0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2796] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000779f1d90 5 bytes JMP 0000000077b503d0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2796] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000779f1da0 1 byte JMP 0000000077b50330 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2796] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00000000779f1da2 3 bytes {JMP 0x15e590} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2796] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000779f1e10 5 bytes JMP 0000000077b50410 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2796] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000779f1e40 5 bytes JMP 0000000077b50240 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2796] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000779f2100 5 bytes JMP 0000000077b501e0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2796] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000779f21c0 1 byte JMP 0000000077b50250 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2796] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000779f21c2 3 bytes {JMP 0x15e090} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2796] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000779f21f0 5 bytes JMP 0000000077b504a0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2796] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000779f2200 5 bytes JMP 0000000077b504b0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2796] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000779f2230 5 bytes JMP 0000000077b50300 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2796] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000779f2240 5 bytes JMP 0000000077b50360 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2796] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000779f22a0 5 bytes JMP 0000000077b502a0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2796] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000779f22f0 5 bytes JMP 0000000077b502c0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2796] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000779f2320 5 bytes JMP 0000000077b50380 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2796] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000779f2330 5 bytes JMP 0000000077b50340 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2796] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000779f2620 5 bytes JMP 0000000077b50450 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2796] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000779f2820 5 bytes JMP 0000000077b50260 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2796] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000779f2830 5 bytes JMP 0000000077b50270 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2796] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000779f2840 5 bytes JMP 0000000077b50400 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2796] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000779f2a00 5 bytes JMP 0000000077b501f0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2796] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000779f2a10 5 bytes JMP 0000000077b50210 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2796] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000779f2a80 5 bytes JMP 0000000077b50200 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2796] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000779f2ae0 5 bytes JMP 0000000077b50420 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2796] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000779f2af0 5 bytes JMP 0000000077b50430 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2796] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000779f2b00 5 bytes JMP 0000000077b50220 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2796] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000779f2be0 5 bytes JMP 0000000077b50280 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2796] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000777deecd 1 byte [62] .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[2832] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000779f13c0 5 bytes JMP 0000000100070470 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[2832] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000779f1410 5 bytes JMP 0000000100070460 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[2832] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000779f1570 5 bytes JMP 0000000100070370 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[2832] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000779f15c0 5 bytes JMP 0000000100070480 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[2832] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000779f15d0 5 bytes JMP 00000001000703e0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[2832] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000779f1680 5 bytes JMP 0000000100070320 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[2832] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000779f16b0 5 bytes JMP 00000001000703b0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[2832] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000779f16d0 5 bytes JMP 0000000100070390 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[2832] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000779f1710 5 bytes JMP 00000001000702e0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[2832] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 00000000779f1760 5 bytes JMP 0000000100070440 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[2832] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000779f1790 5 bytes JMP 00000001000702d0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[2832] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000779f17b0 5 bytes JMP 0000000100070310 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[2832] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000779f17f0 5 bytes JMP 00000001000703c0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[2832] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000779f1840 5 bytes JMP 00000001000703f0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[2832] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000779f19a0 1 byte JMP 0000000100070230 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[2832] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000779f19a2 3 bytes {JMP 0xffffffff8867e890} .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[2832] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000779f1b60 5 bytes JMP 0000000100070490 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[2832] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000779f1b90 5 bytes JMP 00000001000703a0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[2832] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000779f1c70 5 bytes JMP 00000001000702f0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[2832] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000779f1c80 5 bytes JMP 0000000100070350 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[2832] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000779f1ce0 5 bytes JMP 0000000100070290 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[2832] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000779f1d70 5 bytes JMP 00000001000702b0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[2832] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000779f1d90 5 bytes JMP 00000001000703d0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[2832] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000779f1da0 1 byte JMP 0000000100070330 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[2832] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00000000779f1da2 3 bytes {JMP 0xffffffff8867e590} .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[2832] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000779f1e10 5 bytes JMP 0000000100070410 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[2832] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000779f1e40 5 bytes JMP 0000000100070240 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[2832] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000779f2100 5 bytes JMP 00000001000701e0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[2832] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000779f21c0 1 byte JMP 0000000100070250 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[2832] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000779f21c2 3 bytes {JMP 0xffffffff8867e090} .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[2832] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000779f21f0 5 bytes JMP 00000001000704a0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[2832] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000779f2200 5 bytes JMP 00000001000704b0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[2832] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000779f2230 5 bytes JMP 0000000100070300 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[2832] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000779f2240 5 bytes JMP 0000000100070360 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[2832] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000779f22a0 5 bytes JMP 00000001000702a0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[2832] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000779f22f0 5 bytes JMP 00000001000702c0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[2832] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000779f2320 5 bytes JMP 0000000100070380 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[2832] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000779f2330 5 bytes JMP 0000000100070340 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[2832] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000779f2620 5 bytes JMP 0000000100070450 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[2832] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000779f2820 5 bytes JMP 0000000100070260 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[2832] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000779f2830 5 bytes JMP 0000000100070270 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[2832] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000779f2840 5 bytes JMP 0000000100070400 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[2832] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000779f2a00 5 bytes JMP 00000001000701f0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[2832] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000779f2a10 5 bytes JMP 0000000100070210 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[2832] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000779f2a80 5 bytes JMP 0000000100070200 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[2832] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000779f2ae0 5 bytes JMP 0000000100070420 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[2832] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000779f2af0 5 bytes JMP 0000000100070430 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[2832] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000779f2b00 5 bytes JMP 0000000100070220 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[2832] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000779f2be0 5 bytes JMP 0000000100070280 .text C:\Windows\system32\SearchIndexer.exe[2088] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000779f13c0 5 bytes JMP 0000000077b50470 .text C:\Windows\system32\SearchIndexer.exe[2088] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000779f1410 5 bytes JMP 0000000077b50460 .text C:\Windows\system32\SearchIndexer.exe[2088] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000779f1570 5 bytes JMP 0000000077b50370 .text C:\Windows\system32\SearchIndexer.exe[2088] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000779f15c0 5 bytes JMP 0000000077b50480 .text C:\Windows\system32\SearchIndexer.exe[2088] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000779f15d0 5 bytes JMP 0000000077b503e0 .text C:\Windows\system32\SearchIndexer.exe[2088] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000779f1680 5 bytes JMP 0000000077b50320 .text C:\Windows\system32\SearchIndexer.exe[2088] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000779f16b0 5 bytes JMP 0000000077b503b0 .text C:\Windows\system32\SearchIndexer.exe[2088] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000779f16d0 5 bytes JMP 0000000077b50390 .text C:\Windows\system32\SearchIndexer.exe[2088] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000779f1710 5 bytes JMP 0000000077b502e0 .text C:\Windows\system32\SearchIndexer.exe[2088] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 00000000779f1760 5 bytes JMP 0000000077b50440 .text C:\Windows\system32\SearchIndexer.exe[2088] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000779f1790 5 bytes JMP 0000000077b502d0 .text C:\Windows\system32\SearchIndexer.exe[2088] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000779f17b0 5 bytes JMP 0000000077b50310 .text C:\Windows\system32\SearchIndexer.exe[2088] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000779f17f0 5 bytes JMP 0000000077b503c0 .text C:\Windows\system32\SearchIndexer.exe[2088] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000779f1840 5 bytes JMP 0000000077b503f0 .text C:\Windows\system32\SearchIndexer.exe[2088] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000779f19a0 1 byte JMP 0000000077b50230 .text C:\Windows\system32\SearchIndexer.exe[2088] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000779f19a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\SearchIndexer.exe[2088] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000779f1b60 5 bytes JMP 0000000077b50490 .text C:\Windows\system32\SearchIndexer.exe[2088] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000779f1b90 5 bytes JMP 0000000077b503a0 .text C:\Windows\system32\SearchIndexer.exe[2088] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000779f1c70 5 bytes JMP 0000000077b502f0 .text C:\Windows\system32\SearchIndexer.exe[2088] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000779f1c80 5 bytes JMP 0000000077b50350 .text C:\Windows\system32\SearchIndexer.exe[2088] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000779f1ce0 5 bytes JMP 0000000077b50290 .text C:\Windows\system32\SearchIndexer.exe[2088] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000779f1d70 5 bytes JMP 0000000077b502b0 .text C:\Windows\system32\SearchIndexer.exe[2088] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000779f1d90 5 bytes JMP 0000000077b503d0 .text C:\Windows\system32\SearchIndexer.exe[2088] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000779f1da0 1 byte JMP 0000000077b50330 .text C:\Windows\system32\SearchIndexer.exe[2088] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00000000779f1da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\SearchIndexer.exe[2088] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000779f1e10 5 bytes JMP 0000000077b50410 .text C:\Windows\system32\SearchIndexer.exe[2088] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000779f1e40 5 bytes JMP 0000000077b50240 .text C:\Windows\system32\SearchIndexer.exe[2088] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000779f2100 5 bytes JMP 0000000077b501e0 .text C:\Windows\system32\SearchIndexer.exe[2088] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000779f21c0 1 byte JMP 0000000077b50250 .text C:\Windows\system32\SearchIndexer.exe[2088] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000779f21c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\SearchIndexer.exe[2088] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000779f21f0 5 bytes JMP 0000000077b504a0 .text C:\Windows\system32\SearchIndexer.exe[2088] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000779f2200 5 bytes JMP 0000000077b504b0 .text C:\Windows\system32\SearchIndexer.exe[2088] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000779f2230 5 bytes JMP 0000000077b50300 .text C:\Windows\system32\SearchIndexer.exe[2088] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000779f2240 5 bytes JMP 0000000077b50360 .text C:\Windows\system32\SearchIndexer.exe[2088] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000779f22a0 5 bytes JMP 0000000077b502a0 .text C:\Windows\system32\SearchIndexer.exe[2088] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000779f22f0 5 bytes JMP 0000000077b502c0 .text C:\Windows\system32\SearchIndexer.exe[2088] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000779f2320 5 bytes JMP 0000000077b50380 .text C:\Windows\system32\SearchIndexer.exe[2088] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000779f2330 5 bytes JMP 0000000077b50340 .text C:\Windows\system32\SearchIndexer.exe[2088] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000779f2620 5 bytes JMP 0000000077b50450 .text C:\Windows\system32\SearchIndexer.exe[2088] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000779f2820 5 bytes JMP 0000000077b50260 .text C:\Windows\system32\SearchIndexer.exe[2088] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000779f2830 5 bytes JMP 0000000077b50270 .text C:\Windows\system32\SearchIndexer.exe[2088] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000779f2840 5 bytes JMP 0000000077b50400 .text C:\Windows\system32\SearchIndexer.exe[2088] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000779f2a00 5 bytes JMP 0000000077b501f0 .text C:\Windows\system32\SearchIndexer.exe[2088] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000779f2a10 5 bytes JMP 0000000077b50210 .text C:\Windows\system32\SearchIndexer.exe[2088] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000779f2a80 5 bytes JMP 0000000077b50200 .text C:\Windows\system32\SearchIndexer.exe[2088] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000779f2ae0 5 bytes JMP 0000000077b50420 .text C:\Windows\system32\SearchIndexer.exe[2088] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000779f2af0 5 bytes JMP 0000000077b50430 .text C:\Windows\system32\SearchIndexer.exe[2088] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000779f2b00 5 bytes JMP 0000000077b50220 .text C:\Windows\system32\SearchIndexer.exe[2088] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000779f2be0 5 bytes JMP 0000000077b50280 .text C:\Windows\system32\SearchIndexer.exe[2088] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000777deecd 1 byte [62] .text C:\Windows\system32\svchost.exe[3452] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000779f13c0 5 bytes JMP 0000000077b50470 .text C:\Windows\system32\svchost.exe[3452] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000779f1410 5 bytes JMP 0000000077b50460 .text C:\Windows\system32\svchost.exe[3452] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000779f1570 5 bytes JMP 0000000077b50370 .text C:\Windows\system32\svchost.exe[3452] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000779f15c0 5 bytes JMP 0000000077b50480 .text C:\Windows\system32\svchost.exe[3452] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000779f15d0 5 bytes JMP 0000000077b503e0 .text C:\Windows\system32\svchost.exe[3452] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000779f1680 5 bytes JMP 0000000077b50320 .text C:\Windows\system32\svchost.exe[3452] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000779f16b0 5 bytes JMP 0000000077b503b0 .text C:\Windows\system32\svchost.exe[3452] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000779f16d0 5 bytes JMP 0000000077b50390 .text C:\Windows\system32\svchost.exe[3452] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000779f1710 5 bytes JMP 0000000077b502e0 .text C:\Windows\system32\svchost.exe[3452] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 00000000779f1760 5 bytes JMP 0000000077b50440 .text C:\Windows\system32\svchost.exe[3452] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000779f1790 5 bytes JMP 0000000077b502d0 .text C:\Windows\system32\svchost.exe[3452] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000779f17b0 5 bytes JMP 0000000077b50310 .text C:\Windows\system32\svchost.exe[3452] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000779f17f0 5 bytes JMP 0000000077b503c0 .text C:\Windows\system32\svchost.exe[3452] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000779f1840 5 bytes JMP 0000000077b503f0 .text C:\Windows\system32\svchost.exe[3452] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000779f19a0 1 byte JMP 0000000077b50230 .text C:\Windows\system32\svchost.exe[3452] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000779f19a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\svchost.exe[3452] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000779f1b60 5 bytes JMP 0000000077b50490 .text C:\Windows\system32\svchost.exe[3452] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000779f1b90 5 bytes JMP 0000000077b503a0 .text C:\Windows\system32\svchost.exe[3452] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000779f1c70 5 bytes JMP 0000000077b502f0 .text C:\Windows\system32\svchost.exe[3452] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000779f1c80 5 bytes JMP 0000000077b50350 .text C:\Windows\system32\svchost.exe[3452] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000779f1ce0 5 bytes JMP 0000000077b50290 .text C:\Windows\system32\svchost.exe[3452] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000779f1d70 5 bytes JMP 0000000077b502b0 .text C:\Windows\system32\svchost.exe[3452] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000779f1d90 5 bytes JMP 0000000077b503d0 .text C:\Windows\system32\svchost.exe[3452] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000779f1da0 1 byte JMP 0000000077b50330 .text C:\Windows\system32\svchost.exe[3452] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00000000779f1da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\svchost.exe[3452] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000779f1e10 5 bytes JMP 0000000077b50410 .text C:\Windows\system32\svchost.exe[3452] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000779f1e40 5 bytes JMP 0000000077b50240 .text C:\Windows\system32\svchost.exe[3452] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000779f2100 5 bytes JMP 0000000077b501e0 .text C:\Windows\system32\svchost.exe[3452] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000779f21c0 1 byte JMP 0000000077b50250 .text C:\Windows\system32\svchost.exe[3452] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000779f21c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\svchost.exe[3452] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000779f21f0 5 bytes JMP 0000000077b504a0 .text C:\Windows\system32\svchost.exe[3452] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000779f2200 5 bytes JMP 0000000077b504b0 .text C:\Windows\system32\svchost.exe[3452] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000779f2230 5 bytes JMP 0000000077b50300 .text C:\Windows\system32\svchost.exe[3452] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000779f2240 5 bytes JMP 0000000077b50360 .text C:\Windows\system32\svchost.exe[3452] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000779f22a0 5 bytes JMP 0000000077b502a0 .text C:\Windows\system32\svchost.exe[3452] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000779f22f0 5 bytes JMP 0000000077b502c0 .text C:\Windows\system32\svchost.exe[3452] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000779f2320 5 bytes JMP 0000000077b50380 .text C:\Windows\system32\svchost.exe[3452] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000779f2330 5 bytes JMP 0000000077b50340 .text C:\Windows\system32\svchost.exe[3452] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000779f2620 5 bytes JMP 0000000077b50450 .text C:\Windows\system32\svchost.exe[3452] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000779f2820 5 bytes JMP 0000000077b50260 .text C:\Windows\system32\svchost.exe[3452] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000779f2830 5 bytes JMP 0000000077b50270 .text C:\Windows\system32\svchost.exe[3452] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000779f2840 5 bytes JMP 0000000077b50400 .text C:\Windows\system32\svchost.exe[3452] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000779f2a00 5 bytes JMP 0000000077b501f0 .text C:\Windows\system32\svchost.exe[3452] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000779f2a10 5 bytes JMP 0000000077b50210 .text C:\Windows\system32\svchost.exe[3452] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000779f2a80 5 bytes JMP 0000000077b50200 .text C:\Windows\system32\svchost.exe[3452] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000779f2ae0 5 bytes JMP 0000000077b50420 .text C:\Windows\system32\svchost.exe[3452] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000779f2af0 5 bytes JMP 0000000077b50430 .text C:\Windows\system32\svchost.exe[3452] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000779f2b00 5 bytes JMP 0000000077b50220 .text C:\Windows\system32\svchost.exe[3452] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000779f2be0 5 bytes JMP 0000000077b50280 .text C:\Windows\system32\svchost.exe[3452] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000777deecd 1 byte [62] .text C:\Windows\system32\WUDFHost.exe[3904] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007feff916e00 5 bytes JMP 000007ff7f931dac .text C:\Windows\system32\WUDFHost.exe[3904] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007feff916f2c 5 bytes JMP 000007ff7f930ecc .text C:\Windows\system32\WUDFHost.exe[3904] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007feff917220 5 bytes JMP 000007ff7f931284 .text C:\Windows\system32\WUDFHost.exe[3904] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007feff91739c 5 bytes JMP 000007ff7f93163c .text C:\Windows\system32\WUDFHost.exe[3904] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007feff917538 5 bytes JMP 000007ff7f9319f4 .text C:\Windows\system32\WUDFHost.exe[3904] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007feff9175e8 5 bytes JMP 000007ff7f9303a4 .text C:\Windows\system32\WUDFHost.exe[3904] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007feff91790c 5 bytes JMP 000007ff7f93075c .text C:\Windows\system32\WUDFHost.exe[3904] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007feff917ab4 5 bytes JMP 000007ff7f930b14 .text C:\Windows\System32\svchost.exe[3844] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000779c3ae0 5 bytes JMP 00000001002f075c .text C:\Windows\System32\svchost.exe[3844] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 00000000779c7a90 5 bytes JMP 00000001002f03a4 .text C:\Windows\System32\svchost.exe[3844] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000779f13c0 5 bytes JMP 0000000077b50470 .text C:\Windows\System32\svchost.exe[3844] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000779f1410 5 bytes JMP 0000000077b50460 .text C:\Windows\System32\svchost.exe[3844] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 00000000779f1490 5 bytes JMP 00000001002f0b14 .text C:\Windows\System32\svchost.exe[3844] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 00000000779f14f0 5 bytes JMP 00000001002f0ecc .text C:\Windows\System32\svchost.exe[3844] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000779f1570 5 bytes JMP 0000000077b50370 .text C:\Windows\System32\svchost.exe[3844] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000779f15c0 5 bytes JMP 0000000077b50480 .text C:\Windows\System32\svchost.exe[3844] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000779f15d0 5 bytes JMP 00000001002f163c .text C:\Windows\System32\svchost.exe[3844] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000779f1680 5 bytes JMP 0000000077b50320 .text C:\Windows\System32\svchost.exe[3844] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000779f16b0 5 bytes JMP 0000000077b503b0 .text C:\Windows\System32\svchost.exe[3844] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000779f16d0 5 bytes JMP 0000000077b50390 .text C:\Windows\System32\svchost.exe[3844] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000779f1710 5 bytes JMP 0000000077b502e0 .text C:\Windows\System32\svchost.exe[3844] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 00000000779f1760 5 bytes JMP 0000000077b50440 .text C:\Windows\System32\svchost.exe[3844] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000779f1790 5 bytes JMP 0000000077b502d0 .text C:\Windows\System32\svchost.exe[3844] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000779f17b0 5 bytes JMP 0000000077b50310 .text C:\Windows\System32\svchost.exe[3844] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000779f17f0 5 bytes JMP 0000000077b503c0 .text C:\Windows\System32\svchost.exe[3844] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 00000000779f1810 5 bytes JMP 00000001002f1284 .text C:\Windows\System32\svchost.exe[3844] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000779f1840 5 bytes JMP 0000000077b503f0 .text C:\Windows\System32\svchost.exe[3844] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000779f19a0 1 byte JMP 0000000077b50230 .text C:\Windows\System32\svchost.exe[3844] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000779f19a2 3 bytes {JMP 0x15e890} .text C:\Windows\System32\svchost.exe[3844] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000779f1b60 5 bytes JMP 0000000077b50490 .text C:\Windows\System32\svchost.exe[3844] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000779f1b90 5 bytes JMP 0000000077b503a0 .text C:\Windows\System32\svchost.exe[3844] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000779f1c70 5 bytes JMP 0000000077b502f0 .text C:\Windows\System32\svchost.exe[3844] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000779f1c80 5 bytes JMP 0000000077b50350 .text C:\Windows\System32\svchost.exe[3844] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000779f1ce0 5 bytes JMP 0000000077b50290 .text C:\Windows\System32\svchost.exe[3844] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000779f1d70 5 bytes JMP 0000000077b502b0 .text C:\Windows\System32\svchost.exe[3844] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000779f1d90 5 bytes JMP 0000000077b503d0 .text C:\Windows\System32\svchost.exe[3844] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000779f1da0 1 byte JMP 0000000077b50330 .text C:\Windows\System32\svchost.exe[3844] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00000000779f1da2 3 bytes {JMP 0x15e590} .text C:\Windows\System32\svchost.exe[3844] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000779f1e10 5 bytes JMP 0000000077b50410 .text C:\Windows\System32\svchost.exe[3844] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000779f1e40 5 bytes JMP 0000000077b50240 .text C:\Windows\System32\svchost.exe[3844] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000779f2100 5 bytes JMP 0000000077b501e0 .text C:\Windows\System32\svchost.exe[3844] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000779f21c0 1 byte JMP 0000000077b50250 .text C:\Windows\System32\svchost.exe[3844] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000779f21c2 3 bytes {JMP 0x15e090} .text C:\Windows\System32\svchost.exe[3844] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000779f21f0 5 bytes JMP 0000000077b504a0 .text C:\Windows\System32\svchost.exe[3844] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000779f2200 5 bytes JMP 0000000077b504b0 .text C:\Windows\System32\svchost.exe[3844] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000779f2230 5 bytes JMP 0000000077b50300 .text C:\Windows\System32\svchost.exe[3844] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000779f2240 5 bytes JMP 0000000077b50360 .text C:\Windows\System32\svchost.exe[3844] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000779f22a0 5 bytes JMP 0000000077b502a0 .text C:\Windows\System32\svchost.exe[3844] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000779f22f0 5 bytes JMP 0000000077b502c0 .text C:\Windows\System32\svchost.exe[3844] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000779f2320 5 bytes JMP 0000000077b50380 .text C:\Windows\System32\svchost.exe[3844] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000779f2330 5 bytes JMP 0000000077b50340 .text C:\Windows\System32\svchost.exe[3844] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000779f2620 5 bytes JMP 0000000077b50450 .text C:\Windows\System32\svchost.exe[3844] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000779f2820 5 bytes JMP 0000000077b50260 .text C:\Windows\System32\svchost.exe[3844] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000779f2830 5 bytes JMP 0000000077b50270 .text C:\Windows\System32\svchost.exe[3844] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000779f2840 5 bytes JMP 00000001002f19f4 .text C:\Windows\System32\svchost.exe[3844] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000779f2a00 5 bytes JMP 0000000077b501f0 .text C:\Windows\System32\svchost.exe[3844] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000779f2a10 5 bytes JMP 0000000077b50210 .text C:\Windows\System32\svchost.exe[3844] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000779f2a80 5 bytes JMP 0000000077b50200 .text C:\Windows\System32\svchost.exe[3844] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000779f2ae0 5 bytes JMP 0000000077b50420 .text C:\Windows\System32\svchost.exe[3844] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000779f2af0 5 bytes JMP 0000000077b50430 .text C:\Windows\System32\svchost.exe[3844] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000779f2b00 5 bytes JMP 0000000077b50220 .text C:\Windows\System32\svchost.exe[3844] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000779f2be0 5 bytes JMP 0000000077b50280 .text C:\Windows\System32\svchost.exe[3844] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007feff916e00 5 bytes JMP 000007ff7f931dac .text C:\Windows\System32\svchost.exe[3844] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007feff916f2c 5 bytes JMP 000007ff7f930ecc .text C:\Windows\System32\svchost.exe[3844] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007feff917220 5 bytes JMP 000007ff7f931284 .text C:\Windows\System32\svchost.exe[3844] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007feff91739c 5 bytes JMP 000007ff7f93163c .text C:\Windows\System32\svchost.exe[3844] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007feff917538 5 bytes JMP 000007ff7f9319f4 .text C:\Windows\System32\svchost.exe[3844] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007feff9175e8 5 bytes JMP 000007ff7f9303a4 .text C:\Windows\System32\svchost.exe[3844] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007feff91790c 5 bytes JMP 000007ff7f93075c .text C:\Windows\System32\svchost.exe[3844] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007feff917ab4 5 bytes JMP 000007ff7f930b14 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4168] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 00000000777deecd 1 byte [62] .text C:\Windows\System32\svchost.exe[3584] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000779c3ae0 5 bytes JMP 00000001002d075c .text C:\Windows\System32\svchost.exe[3584] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 00000000779c7a90 5 bytes JMP 00000001002d03a4 .text C:\Windows\System32\svchost.exe[3584] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000779f13c0 5 bytes JMP 0000000077b50470 .text C:\Windows\System32\svchost.exe[3584] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000779f1410 5 bytes JMP 0000000077b50460 .text C:\Windows\System32\svchost.exe[3584] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 00000000779f1490 5 bytes JMP 00000001002d0b14 .text C:\Windows\System32\svchost.exe[3584] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 00000000779f14f0 5 bytes JMP 00000001002d0ecc .text C:\Windows\System32\svchost.exe[3584] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000779f1570 5 bytes JMP 0000000077b50370 .text C:\Windows\System32\svchost.exe[3584] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000779f15c0 5 bytes JMP 0000000077b50480 .text C:\Windows\System32\svchost.exe[3584] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000779f15d0 5 bytes JMP 00000001002d163c .text C:\Windows\System32\svchost.exe[3584] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000779f1680 5 bytes JMP 0000000077b50320 .text C:\Windows\System32\svchost.exe[3584] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000779f16b0 5 bytes JMP 0000000077b503b0 .text C:\Windows\System32\svchost.exe[3584] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000779f16d0 5 bytes JMP 0000000077b50390 .text C:\Windows\System32\svchost.exe[3584] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000779f1710 5 bytes JMP 0000000077b502e0 .text C:\Windows\System32\svchost.exe[3584] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 00000000779f1760 5 bytes JMP 0000000077b50440 .text C:\Windows\System32\svchost.exe[3584] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000779f1790 5 bytes JMP 0000000077b502d0 .text C:\Windows\System32\svchost.exe[3584] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000779f17b0 5 bytes JMP 0000000077b50310 .text C:\Windows\System32\svchost.exe[3584] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000779f17f0 5 bytes JMP 0000000077b503c0 .text C:\Windows\System32\svchost.exe[3584] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 00000000779f1810 5 bytes JMP 00000001002d1284 .text C:\Windows\System32\svchost.exe[3584] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000779f1840 5 bytes JMP 0000000077b503f0 .text C:\Windows\System32\svchost.exe[3584] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000779f19a0 1 byte JMP 0000000077b50230 .text C:\Windows\System32\svchost.exe[3584] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000779f19a2 3 bytes {JMP 0x15e890} .text C:\Windows\System32\svchost.exe[3584] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000779f1b60 5 bytes JMP 0000000077b50490 .text C:\Windows\System32\svchost.exe[3584] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000779f1b90 5 bytes JMP 0000000077b503a0 .text C:\Windows\System32\svchost.exe[3584] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000779f1c70 5 bytes JMP 0000000077b502f0 .text C:\Windows\System32\svchost.exe[3584] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000779f1c80 5 bytes JMP 0000000077b50350 .text C:\Windows\System32\svchost.exe[3584] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000779f1ce0 5 bytes JMP 0000000077b50290 .text C:\Windows\System32\svchost.exe[3584] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000779f1d70 5 bytes JMP 0000000077b502b0 .text C:\Windows\System32\svchost.exe[3584] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000779f1d90 5 bytes JMP 0000000077b503d0 .text C:\Windows\System32\svchost.exe[3584] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000779f1da0 1 byte JMP 0000000077b50330 .text C:\Windows\System32\svchost.exe[3584] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00000000779f1da2 3 bytes {JMP 0x15e590} .text C:\Windows\System32\svchost.exe[3584] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000779f1e10 5 bytes JMP 0000000077b50410 .text C:\Windows\System32\svchost.exe[3584] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000779f1e40 5 bytes JMP 0000000077b50240 .text C:\Windows\System32\svchost.exe[3584] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000779f2100 5 bytes JMP 0000000077b501e0 .text C:\Windows\System32\svchost.exe[3584] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000779f21c0 1 byte JMP 0000000077b50250 .text C:\Windows\System32\svchost.exe[3584] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000779f21c2 3 bytes {JMP 0x15e090} .text C:\Windows\System32\svchost.exe[3584] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000779f21f0 5 bytes JMP 0000000077b504a0 .text C:\Windows\System32\svchost.exe[3584] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000779f2200 5 bytes JMP 0000000077b504b0 .text C:\Windows\System32\svchost.exe[3584] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000779f2230 5 bytes JMP 0000000077b50300 .text C:\Windows\System32\svchost.exe[3584] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000779f2240 5 bytes JMP 0000000077b50360 .text C:\Windows\System32\svchost.exe[3584] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000779f22a0 5 bytes JMP 0000000077b502a0 .text C:\Windows\System32\svchost.exe[3584] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000779f22f0 5 bytes JMP 0000000077b502c0 .text C:\Windows\System32\svchost.exe[3584] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000779f2320 5 bytes JMP 0000000077b50380 .text C:\Windows\System32\svchost.exe[3584] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000779f2330 5 bytes JMP 0000000077b50340 .text C:\Windows\System32\svchost.exe[3584] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000779f2620 5 bytes JMP 0000000077b50450 .text C:\Windows\System32\svchost.exe[3584] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000779f2820 5 bytes JMP 0000000077b50260 .text C:\Windows\System32\svchost.exe[3584] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000779f2830 5 bytes JMP 0000000077b50270 .text C:\Windows\System32\svchost.exe[3584] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000779f2840 5 bytes JMP 00000001002d19f4 .text C:\Windows\System32\svchost.exe[3584] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000779f2a00 5 bytes JMP 0000000077b501f0 .text C:\Windows\System32\svchost.exe[3584] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000779f2a10 5 bytes JMP 0000000077b50210 .text C:\Windows\System32\svchost.exe[3584] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000779f2a80 5 bytes JMP 0000000077b50200 .text C:\Windows\System32\svchost.exe[3584] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000779f2ae0 5 bytes JMP 0000000077b50420 .text C:\Windows\System32\svchost.exe[3584] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000779f2af0 5 bytes JMP 0000000077b50430 .text C:\Windows\System32\svchost.exe[3584] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000779f2b00 5 bytes JMP 0000000077b50220 .text C:\Windows\System32\svchost.exe[3584] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000779f2be0 5 bytes JMP 0000000077b50280 .text C:\Windows\System32\svchost.exe[3584] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007feff916e00 5 bytes JMP 000007ff7f931dac .text C:\Windows\System32\svchost.exe[3584] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007feff916f2c 5 bytes JMP 000007ff7f930ecc .text C:\Windows\System32\svchost.exe[3584] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007feff917220 5 bytes JMP 000007ff7f931284 .text C:\Windows\System32\svchost.exe[3584] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007feff91739c 5 bytes JMP 000007ff7f93163c .text C:\Windows\System32\svchost.exe[3584] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007feff917538 5 bytes JMP 000007ff7f9319f4 .text C:\Windows\System32\svchost.exe[3584] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007feff9175e8 5 bytes JMP 000007ff7f9303a4 .text C:\Windows\System32\svchost.exe[3584] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007feff91790c 5 bytes JMP 000007ff7f93075c .text C:\Windows\System32\svchost.exe[3584] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007feff917ab4 5 bytes JMP 000007ff7f930b14 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4972] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000779c3ae0 5 bytes JMP 000000010015075c .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4972] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 00000000779c7a90 5 bytes JMP 00000001001503a4 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4972] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000779f13c0 5 bytes JMP 0000000077b50470 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4972] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000779f1410 5 bytes JMP 0000000077b50460 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4972] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 00000000779f1490 5 bytes JMP 0000000100150b14 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4972] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 00000000779f14f0 5 bytes JMP 0000000100150ecc .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4972] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000779f1570 5 bytes JMP 0000000077b50370 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4972] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000779f15c0 5 bytes JMP 0000000077b50480 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4972] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000779f15d0 5 bytes JMP 000000010015163c .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4972] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000779f1680 5 bytes JMP 0000000077b50320 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4972] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000779f16b0 5 bytes JMP 0000000077b503b0 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4972] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000779f16d0 5 bytes JMP 0000000077b50390 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4972] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000779f1710 5 bytes JMP 0000000077b502e0 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4972] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 00000000779f1760 5 bytes JMP 0000000077b50440 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4972] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000779f1790 5 bytes JMP 0000000077b502d0 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4972] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000779f17b0 5 bytes JMP 0000000077b50310 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4972] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000779f17f0 5 bytes JMP 0000000077b503c0 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4972] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 00000000779f1810 5 bytes JMP 0000000100151284 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4972] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000779f1840 5 bytes JMP 0000000077b503f0 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4972] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000779f19a0 1 byte JMP 0000000077b50230 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4972] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000779f19a2 3 bytes {JMP 0x15e890} .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4972] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000779f1b60 5 bytes JMP 0000000077b50490 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4972] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000779f1b90 5 bytes JMP 0000000077b503a0 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4972] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000779f1c70 5 bytes JMP 0000000077b502f0 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4972] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000779f1c80 5 bytes JMP 0000000077b50350 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4972] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000779f1ce0 5 bytes JMP 0000000077b50290 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4972] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000779f1d70 5 bytes JMP 0000000077b502b0 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4972] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000779f1d90 5 bytes JMP 0000000077b503d0 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4972] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000779f1da0 1 byte JMP 0000000077b50330 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4972] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00000000779f1da2 3 bytes {JMP 0x15e590} .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4972] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000779f1e10 5 bytes JMP 0000000077b50410 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4972] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000779f1e40 5 bytes JMP 0000000077b50240 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4972] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000779f2100 5 bytes JMP 0000000077b501e0 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4972] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000779f21c0 1 byte JMP 0000000077b50250 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4972] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000779f21c2 3 bytes {JMP 0x15e090} .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4972] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000779f21f0 5 bytes JMP 0000000077b504a0 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4972] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000779f2200 5 bytes JMP 0000000077b504b0 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4972] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000779f2230 5 bytes JMP 0000000077b50300 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4972] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000779f2240 5 bytes JMP 0000000077b50360 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4972] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000779f22a0 5 bytes JMP 0000000077b502a0 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4972] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000779f22f0 5 bytes JMP 0000000077b502c0 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4972] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000779f2320 5 bytes JMP 0000000077b50380 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4972] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000779f2330 5 bytes JMP 0000000077b50340 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4972] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000779f2620 5 bytes JMP 0000000077b50450 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4972] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000779f2820 5 bytes JMP 0000000077b50260 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4972] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000779f2830 5 bytes JMP 0000000077b50270 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4972] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000779f2840 5 bytes JMP 00000001001519f4 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4972] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000779f2a00 5 bytes JMP 0000000077b501f0 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4972] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000779f2a10 5 bytes JMP 0000000077b50210 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4972] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000779f2a80 5 bytes JMP 0000000077b50200 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4972] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000779f2ae0 5 bytes JMP 0000000077b50420 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4972] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000779f2af0 5 bytes JMP 0000000077b50430 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4972] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000779f2b00 5 bytes JMP 0000000077b50220 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4972] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000779f2be0 5 bytes JMP 0000000077b50280 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4972] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 00000000777deecd 1 byte [62] .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4972] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007feff916e00 5 bytes JMP 000007ff7f931dac .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4972] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007feff916f2c 5 bytes JMP 000007ff7f930ecc .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4972] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007feff917220 5 bytes JMP 000007ff7f931284 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4972] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007feff91739c 5 bytes JMP 000007ff7f93163c .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4972] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007feff917538 5 bytes JMP 000007ff7f9319f4 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4972] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007feff9175e8 5 bytes JMP 000007ff7f9303a4 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4972] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007feff91790c 5 bytes JMP 000007ff7f93075c .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4972] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007feff917ab4 5 bytes JMP 000007ff7f930b14 .text C:\Windows\system32\DllHost.exe[4488] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007feff916e00 5 bytes JMP 000007ff7f931dac .text C:\Windows\system32\DllHost.exe[4488] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007feff916f2c 5 bytes JMP 000007ff7f930ecc .text C:\Windows\system32\DllHost.exe[4488] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007feff917220 5 bytes JMP 000007ff7f931284 .text C:\Windows\system32\DllHost.exe[4488] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007feff91739c 5 bytes JMP 000007ff7f93163c .text C:\Windows\system32\DllHost.exe[4488] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007feff917538 5 bytes JMP 000007ff7f9319f4 .text C:\Windows\system32\DllHost.exe[4488] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007feff9175e8 5 bytes JMP 000007ff7f9303a4 .text C:\Windows\system32\DllHost.exe[4488] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007feff91790c 5 bytes JMP 000007ff7f93075c .text C:\Windows\system32\DllHost.exe[4488] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007feff917ab4 5 bytes JMP 000007ff7f930b14 .text C:\Program Files (x86)\TeamSpeak 3 Client\ts3client_win32.exe[4564] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 0000000077b9fab0 5 bytes JMP 00000001001d0600 .text C:\Program Files (x86)\TeamSpeak 3 Client\ts3client_win32.exe[4564] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 0000000077b9fb48 5 bytes JMP 00000001001d0804 .text C:\Program Files (x86)\TeamSpeak 3 Client\ts3client_win32.exe[4564] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077b9fca0 5 bytes JMP 00000001001d0c0c .text C:\Program Files (x86)\TeamSpeak 3 Client\ts3client_win32.exe[4564] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077ba0028 5 bytes JMP 00000001001d0a08 .text C:\Program Files (x86)\TeamSpeak 3 Client\ts3client_win32.exe[4564] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077ba1910 5 bytes JMP 00000001001d0e10 .text C:\Program Files (x86)\TeamSpeak 3 Client\ts3client_win32.exe[4564] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000077bbc43a 5 bytes JMP 00000001001d01f8 .text C:\Program Files (x86)\TeamSpeak 3 Client\ts3client_win32.exe[4564] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077bc11d7 5 bytes JMP 00000001001d03fc .text C:\Program Files (x86)\TeamSpeak 3 Client\ts3client_win32.exe[4564] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 000000007750a322 1 byte [62] .text C:\Program Files (x86)\TeamSpeak 3 Client\ts3client_win32.exe[4564] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000075c2ee09 5 bytes JMP 00000001002701f8 .text C:\Program Files (x86)\TeamSpeak 3 Client\ts3client_win32.exe[4564] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000075c33982 5 bytes JMP 00000001002703fc .text C:\Program Files (x86)\TeamSpeak 3 Client\ts3client_win32.exe[4564] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000075c37603 5 bytes JMP 0000000100270804 .text C:\Program Files (x86)\TeamSpeak 3 Client\ts3client_win32.exe[4564] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000075c3835c 5 bytes JMP 0000000100270600 .text C:\Program Files (x86)\TeamSpeak 3 Client\ts3client_win32.exe[4564] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 0000000075c4f52b 5 bytes JMP 0000000100270a08 .text C:\Program Files (x86)\TeamSpeak 3 Client\ts3client_win32.exe[4564] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000076335181 5 bytes JMP 0000000100281014 .text C:\Program Files (x86)\TeamSpeak 3 Client\ts3client_win32.exe[4564] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000076335254 5 bytes JMP 0000000100280804 .text C:\Program Files (x86)\TeamSpeak 3 Client\ts3client_win32.exe[4564] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000763353d5 5 bytes JMP 0000000100280a08 .text C:\Program Files (x86)\TeamSpeak 3 Client\ts3client_win32.exe[4564] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000763354c2 5 bytes JMP 0000000100280c0c .text C:\Program Files (x86)\TeamSpeak 3 Client\ts3client_win32.exe[4564] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000763355e2 5 bytes JMP 0000000100280e10 .text C:\Program Files (x86)\TeamSpeak 3 Client\ts3client_win32.exe[4564] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 000000007633567c 5 bytes JMP 00000001002801f8 .text C:\Program Files (x86)\TeamSpeak 3 Client\ts3client_win32.exe[4564] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 000000007633589f 5 bytes JMP 00000001002803fc .text C:\Program Files (x86)\TeamSpeak 3 Client\ts3client_win32.exe[4564] C:\Windows\SysWOW64\sechost.dll!DeleteService 0000000076335a22 5 bytes JMP 0000000100280600 .text C:\Program Files (x86)\TeamSpeak 3 Client\ts3client_win32.exe[4564] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076321465 2 bytes [32, 76] .text C:\Program Files (x86)\TeamSpeak 3 Client\ts3client_win32.exe[4564] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000763214bb 2 bytes [32, 76] .text ... * 2 .text C:\Windows\system32\AUDIODG.EXE[3256] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000779f13c0 5 bytes JMP 0000000077b50470 .text C:\Windows\system32\AUDIODG.EXE[3256] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000779f1410 5 bytes JMP 0000000077b50460 .text C:\Windows\system32\AUDIODG.EXE[3256] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000779f1570 5 bytes JMP 0000000077b50370 .text C:\Windows\system32\AUDIODG.EXE[3256] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000779f15c0 5 bytes JMP 0000000077b50480 .text C:\Windows\system32\AUDIODG.EXE[3256] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000779f15d0 5 bytes JMP 0000000077b503e0 .text C:\Windows\system32\AUDIODG.EXE[3256] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000779f1680 5 bytes JMP 0000000077b50320 .text C:\Windows\system32\AUDIODG.EXE[3256] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000779f16b0 5 bytes JMP 0000000077b503b0 .text C:\Windows\system32\AUDIODG.EXE[3256] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000779f16d0 5 bytes JMP 0000000077b50390 .text C:\Windows\system32\AUDIODG.EXE[3256] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000779f1710 5 bytes JMP 0000000077b502e0 .text C:\Windows\system32\AUDIODG.EXE[3256] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 00000000779f1760 5 bytes JMP 0000000077b50440 .text C:\Windows\system32\AUDIODG.EXE[3256] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000779f1790 5 bytes JMP 0000000077b502d0 .text C:\Windows\system32\AUDIODG.EXE[3256] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000779f17b0 5 bytes JMP 0000000077b50310 .text C:\Windows\system32\AUDIODG.EXE[3256] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000779f17f0 5 bytes JMP 0000000077b503c0 .text C:\Windows\system32\AUDIODG.EXE[3256] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000779f1840 5 bytes JMP 0000000077b503f0 .text C:\Windows\system32\AUDIODG.EXE[3256] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000779f19a0 1 byte JMP 0000000077b50230 .text C:\Windows\system32\AUDIODG.EXE[3256] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000779f19a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\AUDIODG.EXE[3256] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000779f1b60 5 bytes JMP 0000000077b50490 .text C:\Windows\system32\AUDIODG.EXE[3256] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000779f1b90 5 bytes JMP 0000000077b503a0 .text C:\Windows\system32\AUDIODG.EXE[3256] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000779f1c70 5 bytes JMP 0000000077b502f0 .text C:\Windows\system32\AUDIODG.EXE[3256] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000779f1c80 5 bytes JMP 0000000077b50350 .text C:\Windows\system32\AUDIODG.EXE[3256] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000779f1ce0 5 bytes JMP 0000000077b50290 .text C:\Windows\system32\AUDIODG.EXE[3256] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000779f1d70 5 bytes JMP 0000000077b502b0 .text C:\Windows\system32\AUDIODG.EXE[3256] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000779f1d90 5 bytes JMP 0000000077b503d0 .text C:\Windows\system32\AUDIODG.EXE[3256] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000779f1da0 1 byte JMP 0000000077b50330 .text C:\Windows\system32\AUDIODG.EXE[3256] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00000000779f1da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\AUDIODG.EXE[3256] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000779f1e10 5 bytes JMP 0000000077b50410 .text C:\Windows\system32\AUDIODG.EXE[3256] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000779f1e40 5 bytes JMP 0000000077b50240 .text C:\Windows\system32\AUDIODG.EXE[3256] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000779f2100 5 bytes JMP 0000000077b501e0 .text C:\Windows\system32\AUDIODG.EXE[3256] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000779f21c0 1 byte JMP 0000000077b50250 .text C:\Windows\system32\AUDIODG.EXE[3256] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000779f21c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\AUDIODG.EXE[3256] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000779f21f0 5 bytes JMP 0000000077b504a0 .text C:\Windows\system32\AUDIODG.EXE[3256] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000779f2200 5 bytes JMP 0000000077b504b0 .text C:\Windows\system32\AUDIODG.EXE[3256] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000779f2230 5 bytes JMP 0000000077b50300 .text C:\Windows\system32\AUDIODG.EXE[3256] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000779f2240 5 bytes JMP 0000000077b50360 .text C:\Windows\system32\AUDIODG.EXE[3256] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000779f22a0 5 bytes JMP 0000000077b502a0 .text C:\Windows\system32\AUDIODG.EXE[3256] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000779f22f0 5 bytes JMP 0000000077b502c0 .text C:\Windows\system32\AUDIODG.EXE[3256] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000779f2320 5 bytes JMP 0000000077b50380 .text C:\Windows\system32\AUDIODG.EXE[3256] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000779f2330 5 bytes JMP 0000000077b50340 .text C:\Windows\system32\AUDIODG.EXE[3256] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000779f2620 5 bytes JMP 0000000077b50450 .text C:\Windows\system32\AUDIODG.EXE[3256] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000779f2820 5 bytes JMP 0000000077b50260 .text C:\Windows\system32\AUDIODG.EXE[3256] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000779f2830 5 bytes JMP 0000000077b50270 .text C:\Windows\system32\AUDIODG.EXE[3256] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000779f2840 5 bytes JMP 0000000077b50400 .text C:\Windows\system32\AUDIODG.EXE[3256] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000779f2a00 5 bytes JMP 0000000077b501f0 .text C:\Windows\system32\AUDIODG.EXE[3256] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000779f2a10 5 bytes JMP 0000000077b50210 .text C:\Windows\system32\AUDIODG.EXE[3256] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000779f2a80 5 bytes JMP 0000000077b50200 .text C:\Windows\system32\AUDIODG.EXE[3256] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000779f2ae0 5 bytes JMP 0000000077b50420 .text C:\Windows\system32\AUDIODG.EXE[3256] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000779f2af0 5 bytes JMP 0000000077b50430 .text C:\Windows\system32\AUDIODG.EXE[3256] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000779f2b00 5 bytes JMP 0000000077b50220 .text C:\Windows\system32\AUDIODG.EXE[3256] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000779f2be0 5 bytes JMP 0000000077b50280 .text C:\Windows\system32\AUDIODG.EXE[3256] C:\Windows\System32\kernel32.dll!GetBinaryTypeW + 189 00000000777deecd 1 byte [62] .text C:\Users\Fiziu\Desktop\8gvt3686.exe[4856] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 0000000077b9fab0 5 bytes JMP 0000000100030600 .text C:\Users\Fiziu\Desktop\8gvt3686.exe[4856] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 0000000077b9fb48 5 bytes JMP 0000000100030804 .text C:\Users\Fiziu\Desktop\8gvt3686.exe[4856] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077b9fca0 5 bytes JMP 0000000100030c0c .text C:\Users\Fiziu\Desktop\8gvt3686.exe[4856] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077ba0028 5 bytes JMP 0000000100030a08 .text C:\Users\Fiziu\Desktop\8gvt3686.exe[4856] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077ba1910 5 bytes JMP 0000000100030e10 .text C:\Users\Fiziu\Desktop\8gvt3686.exe[4856] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000077bbc43a 5 bytes JMP 00000001000301f8 .text C:\Users\Fiziu\Desktop\8gvt3686.exe[4856] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077bc11d7 5 bytes JMP 00000001000303fc .text C:\Users\Fiziu\Desktop\8gvt3686.exe[4856] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 000000007750a322 1 byte [62] .text C:\Users\Fiziu\Desktop\8gvt3686.exe[4856] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000076335181 5 bytes JMP 0000000100241014 .text C:\Users\Fiziu\Desktop\8gvt3686.exe[4856] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000076335254 3 bytes JMP 0000000100240804 .text C:\Users\Fiziu\Desktop\8gvt3686.exe[4856] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA + 4 0000000076335258 1 byte [89] .text C:\Users\Fiziu\Desktop\8gvt3686.exe[4856] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000763353d5 5 bytes JMP 0000000100240a08 .text C:\Users\Fiziu\Desktop\8gvt3686.exe[4856] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000763354c2 5 bytes JMP 0000000100240c0c .text C:\Users\Fiziu\Desktop\8gvt3686.exe[4856] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000763355e2 5 bytes JMP 0000000100240e10 .text C:\Users\Fiziu\Desktop\8gvt3686.exe[4856] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 000000007633567c 5 bytes JMP 00000001002401f8 .text C:\Users\Fiziu\Desktop\8gvt3686.exe[4856] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 000000007633589f 5 bytes JMP 00000001002403fc .text C:\Users\Fiziu\Desktop\8gvt3686.exe[4856] C:\Windows\SysWOW64\sechost.dll!DeleteService 0000000076335a22 5 bytes JMP 0000000100240600 .text C:\Users\Fiziu\Desktop\8gvt3686.exe[4856] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000075c2ee09 5 bytes JMP 00000001002501f8 .text C:\Users\Fiziu\Desktop\8gvt3686.exe[4856] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000075c33982 5 bytes JMP 00000001002503fc .text C:\Users\Fiziu\Desktop\8gvt3686.exe[4856] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000075c37603 5 bytes JMP 0000000100250804 .text C:\Users\Fiziu\Desktop\8gvt3686.exe[4856] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000075c3835c 5 bytes JMP 0000000100250600 .text C:\Users\Fiziu\Desktop\8gvt3686.exe[4856] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 0000000075c4f52b 5 bytes JMP 0000000100250a08 ---- User IAT/EAT - GMER 2.1 ---- IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2796] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmAddToStreamDWord] [7fef6d0741c] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2796] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmSet] [7fef6d05f10] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2796] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmEndSession] [7fef6d05674] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2796] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmStartSession] [7fef6d05e2c] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2796] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmStartUpload] [7fef6d07f48] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2796] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmSetAppVersion] [7fef6d06a38] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2796] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmSetMachineId] [7fef6d06ee8] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2796] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmWriteSharedMachineId] [7fef6d07b58] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2796] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmCreateNewId] [7fef6d07ea0] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2796] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmReadSharedMachineId] [7fef6d078b0] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2796] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmGetSession] [7fef6d04fb4] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2796] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmSetAppId] [7fef6d05d38] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2796] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmAddToStreamString] [7fef6d07584] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll ---- Threads - GMER 2.1 ---- Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [4168:2200] 000007fefdd70168 Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [4168:4212] 000007fefbeb2ab8 Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [4168:3808] 000007feec5ed618 Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [4168:2780] 000007fefb155124 Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [4168:4208] 000007fefdd70168 Thread C:\Windows\System32\svchost.exe [3584:176] 000007feec1b9688 ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@Type 2 Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@Start 2 Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@DisplayName aswFsBlk Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@Group FSFilter Activity Monitor Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@DependOnService FltMgr? Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@Description avast! mini-filter driver (aswFsBlk) Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@Tag 4 Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk\Instances Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk\Instances@DefaultInstance aswFsBlk Instance Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk\Instances\aswFsBlk Instance Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk\Instances\aswFsBlk Instance@Altitude 388400 Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk\Instances\aswFsBlk Instance@Flags 0 Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@Type 2 Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@Start 2 Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@ImagePath \??\C:\Windows\system32\drivers\aswMonFlt.sys Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@DisplayName aswMonFlt Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@Group FSFilter Anti-Virus Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@DependOnService FltMgr? Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@Description avast! mini-filter driver (aswMonFlt) Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt\Instances Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt\Instances@DefaultInstance aswMonFlt Instance Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt\Instances\aswMonFlt Instance Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt\Instances\aswMonFlt Instance@Altitude 320700 Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt\Instances\aswMonFlt Instance@Flags 0 Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@ImagePath \SystemRoot\System32\Drivers\aswrdr2.sys Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@Type 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@Start 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@DisplayName aswRdr Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@Group PNP_TDI Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@DependOnService tcpip? Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@Description avast! WFP Redirect driver Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr\Parameters Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr\Parameters@MSIgnoreLSPDefault Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr\Parameters@WSIgnoreLSPDefault nl_lsp.dll,imon.dll,xfire_lsp.dll,mslsp.dll,mssplsp.dll,cwhook.dll,spi.dll,bmnet.dll,winsflt.dll Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt@Type 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt@Start 0 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt@DisplayName aswRvrt Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt@Description avast! Revert Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt\Parameters Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt\Parameters@BootCounter 64 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt\Parameters@TickCounter 4013768 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt\Parameters@SystemRoot \Device\Harddisk0\Partition1\Windows Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt\Parameters@ImproperShutdown 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@Type 2 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@Start 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@DisplayName aswSnx Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@Group FSFilter Virtualization Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@DependOnService FltMgr? Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@Description avast! virtualization driver (aswSnx) Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@Tag 2 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Instances Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Instances@DefaultInstance aswSnx Instance Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Instances\aswSnx Instance Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Instances\aswSnx Instance@Altitude 137600 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Instances\aswSnx Instance@Flags 0 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Parameters Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Parameters@ProgramFolder \DosDevices\C:\Program Files\AVAST Software\Avast Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Parameters@DataFolder \DosDevices\C:\ProgramData\AVAST Software\Avast Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP@Type 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP@Start 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP@DisplayName aswSP Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP@Description avast! Self Protection Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP\Parameters Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP\Parameters@BehavShield 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP\Parameters@ProgramFolder \DosDevices\C:\Program Files\AVAST Software\Avast Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP\Parameters@DataFolder \DosDevices\C:\ProgramData\AVAST Software\Avast Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP\Parameters@ProgramFilesFolder \DosDevices\C:\Program Files Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP\Parameters@GadgetFolder \DosDevices\C:\Program Files\Windows Sidebar\Shared Gadgets\aswSidebar.gadget Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@Type 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@Start 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@DisplayName avast! Network Shield Support Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@Group PNP_TDI Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@DependOnService tcpip? Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@Description avast! Network Shield TDI driver Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@Tag 11 Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm@Type 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm@Start 3 Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm@DisplayName aswVmm Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm@Description avast! VM Monitor Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm\Parameters Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@Type 32 Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@Start 2 Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@ImagePath "C:\Program Files\AVAST Software\Avast\AvastSvc.exe" Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@DisplayName avast! Antivirus Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@Group ShellSvcGroup Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@DependOnService aswMonFlt?RpcSS? Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@WOW64 1 Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@ObjectName LocalSystem Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@ServiceSidType 1 Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@Description Instaluje i zarz?dza us?ugami antywirusowymi programu avast! na tym komputerze, co obejmuje rezydentny skaner, kwarantann? oraz harmonogram zada?. Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\090028000410 Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\090028000c10 Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\090028000c10@bc476021a809 0x42 0xB4 0xB1 0x6F ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files (x86)\DAEMON Tools Pro\ Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x28 0xF9 0x67 0x26 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0xA0 0x02 0x00 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0xD2 0x97 0x17 0x7F ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x8F 0x1B 0x19 0x04 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000002 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000002@a1 0x10 0x00 0x00 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000002@hdf12 0xF4 0x21 0x1B 0x50 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000002@a0 0x7C 0x01 0x00 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000002\gdq0 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000002\gdq0@hdf12 0xCA 0x9D 0x00 0xA8 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000002\gdq1 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000002\gdq1@hdf12 0xCB 0xC9 0xCC 0x28 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000002\gdq2 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000002\gdq2@hdf12 0x8F 0x1B 0x19 0x04 ... Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@Type 2 Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@Start 2 Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@DisplayName aswFsBlk Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@Group FSFilter Activity Monitor Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@DependOnService FltMgr? Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@Description avast! mini-filter driver (aswFsBlk) Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@Tag 4 Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk\Instances (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk\Instances@DefaultInstance aswFsBlk Instance Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk\Instances\aswFsBlk Instance (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk\Instances\aswFsBlk Instance@Altitude 388400 Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk\Instances\aswFsBlk Instance@Flags 0 Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt@Type 2 Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt@Start 2 Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt@ImagePath \??\C:\Windows\system32\drivers\aswMonFlt.sys Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt@DisplayName aswMonFlt Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt@Group FSFilter Anti-Virus Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt@DependOnService FltMgr? Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt@Description avast! mini-filter driver (aswMonFlt) Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt\Instances (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt\Instances@DefaultInstance aswMonFlt Instance Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt\Instances\aswMonFlt Instance (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt\Instances\aswMonFlt Instance@Altitude 320700 Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt\Instances\aswMonFlt Instance@Flags 0 Reg HKLM\SYSTEM\ControlSet002\services\aswRdr@ImagePath \SystemRoot\System32\Drivers\aswrdr2.sys Reg HKLM\SYSTEM\ControlSet002\services\aswRdr@Type 1 Reg HKLM\SYSTEM\ControlSet002\services\aswRdr@Start 1 Reg HKLM\SYSTEM\ControlSet002\services\aswRdr@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\aswRdr@DisplayName aswRdr Reg HKLM\SYSTEM\ControlSet002\services\aswRdr@Group PNP_TDI Reg HKLM\SYSTEM\ControlSet002\services\aswRdr@DependOnService tcpip? Reg HKLM\SYSTEM\ControlSet002\services\aswRdr@Description avast! WFP Redirect driver Reg HKLM\SYSTEM\ControlSet002\services\aswRdr\Parameters (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswRdr\Parameters@MSIgnoreLSPDefault Reg HKLM\SYSTEM\ControlSet002\services\aswRdr\Parameters@WSIgnoreLSPDefault nl_lsp.dll,imon.dll,xfire_lsp.dll,mslsp.dll,mssplsp.dll,cwhook.dll,spi.dll,bmnet.dll,winsflt.dll Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt@Type 1 Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt@Start 0 Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt@DisplayName aswRvrt Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt@Description avast! Revert Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt\Parameters (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt\Parameters@BootCounter 64 Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt\Parameters@TickCounter 4013768 Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt\Parameters@SystemRoot \Device\Harddisk0\Partition1\Windows Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt\Parameters@ImproperShutdown 1 Reg HKLM\SYSTEM\ControlSet002\services\aswSnx@Type 2 Reg HKLM\SYSTEM\ControlSet002\services\aswSnx@Start 1 Reg HKLM\SYSTEM\ControlSet002\services\aswSnx@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\aswSnx@DisplayName aswSnx Reg HKLM\SYSTEM\ControlSet002\services\aswSnx@Group FSFilter Virtualization Reg HKLM\SYSTEM\ControlSet002\services\aswSnx@DependOnService FltMgr? Reg HKLM\SYSTEM\ControlSet002\services\aswSnx@Description avast! virtualization driver (aswSnx) Reg HKLM\SYSTEM\ControlSet002\services\aswSnx@Tag 2 Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Instances (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Instances@DefaultInstance aswSnx Instance Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Instances\aswSnx Instance (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Instances\aswSnx Instance@Altitude 137600 Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Instances\aswSnx Instance@Flags 0 Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Parameters (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Parameters@ProgramFolder \DosDevices\C:\Program Files\AVAST Software\Avast Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Parameters@DataFolder \DosDevices\C:\ProgramData\AVAST Software\Avast Reg HKLM\SYSTEM\ControlSet002\services\aswSP@Type 1 Reg HKLM\SYSTEM\ControlSet002\services\aswSP@Start 1 Reg HKLM\SYSTEM\ControlSet002\services\aswSP@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\aswSP@DisplayName aswSP Reg HKLM\SYSTEM\ControlSet002\services\aswSP@Description avast! Self Protection Reg HKLM\SYSTEM\ControlSet002\services\aswSP\Parameters (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswSP\Parameters@BehavShield 1 Reg HKLM\SYSTEM\ControlSet002\services\aswSP\Parameters@ProgramFolder \DosDevices\C:\Program Files\AVAST Software\Avast Reg HKLM\SYSTEM\ControlSet002\services\aswSP\Parameters@DataFolder \DosDevices\C:\ProgramData\AVAST Software\Avast Reg HKLM\SYSTEM\ControlSet002\services\aswSP\Parameters@ProgramFilesFolder \DosDevices\C:\Program Files Reg HKLM\SYSTEM\ControlSet002\services\aswSP\Parameters@GadgetFolder \DosDevices\C:\Program Files\Windows Sidebar\Shared Gadgets\aswSidebar.gadget Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@Type 1 Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@Start 1 Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@DisplayName avast! Network Shield Support Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@Group PNP_TDI Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@DependOnService tcpip? Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@Description avast! Network Shield TDI driver Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@Tag 11 Reg HKLM\SYSTEM\ControlSet002\services\aswVmm@Type 1 Reg HKLM\SYSTEM\ControlSet002\services\aswVmm@Start 3 Reg HKLM\SYSTEM\ControlSet002\services\aswVmm@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\aswVmm@DisplayName aswVmm Reg HKLM\SYSTEM\ControlSet002\services\aswVmm@Description avast! VM Monitor Reg HKLM\SYSTEM\ControlSet002\services\aswVmm\Parameters (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@Type 32 Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@Start 2 Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@ImagePath "C:\Program Files\AVAST Software\Avast\AvastSvc.exe" Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@DisplayName avast! Antivirus Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@Group ShellSvcGroup Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@DependOnService aswMonFlt?RpcSS? Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@WOW64 1 Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@ObjectName LocalSystem Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@ServiceSidType 1 Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@Description Instaluje i zarz?dza us?ugami antywirusowymi programu avast! na tym komputerze, co obejmuje rezydentny skaner, kwarantann? oraz harmonogram zada?. Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\090028000410 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\090028000c10 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\090028000c10@bc476021a809 0x42 0xB4 0xB1 0x6F ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files (x86)\DAEMON Tools Pro\ Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x28 0xF9 0x67 0x26 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0xA0 0x02 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0xD2 0x97 0x17 0x7F ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x8F 0x1B 0x19 0x04 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000002 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000002@a1 0x10 0x00 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000002@hdf12 0xF4 0x21 0x1B 0x50 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000002@a0 0x7C 0x01 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000002\gdq0 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000002\gdq0@hdf12 0xCA 0x9D 0x00 0xA8 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000002\gdq1 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000002\gdq1@hdf12 0xCB 0xC9 0xCC 0x28 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000002\gdq2 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000002\gdq2@hdf12 0x8F 0x1B 0x19 0x04 ... ---- EOF - GMER 2.1 ----