GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2014-04-09 20:51:52 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 ST9500325AS rev.D005DEM1 465,76GB Running: nf8jp2em.exe; Driver: C:\Users\Tomek\AppData\Local\Temp\fwrdykog.sys ---- User code sections - GMER 2.1 ---- .text C:\Windows\system32\csrss.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077981360 5 bytes JMP 0000000100040460 .text C:\Windows\system32\csrss.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000779813b0 5 bytes JMP 0000000100040450 .text C:\Windows\system32\csrss.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077981510 5 bytes JMP 0000000100040370 .text C:\Windows\system32\csrss.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077981560 5 bytes JMP 0000000100040470 .text C:\Windows\system32\csrss.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077981570 5 bytes JMP 00000001000403e0 .text C:\Windows\system32\csrss.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077981620 5 bytes JMP 0000000100040320 .text C:\Windows\system32\csrss.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077981650 5 bytes JMP 00000001000403b0 .text C:\Windows\system32\csrss.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077981670 5 bytes JMP 0000000100040390 .text C:\Windows\system32\csrss.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000779816b0 5 bytes JMP 00000001000402e0 .text C:\Windows\system32\csrss.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077981730 5 bytes JMP 00000001000402d0 .text C:\Windows\system32\csrss.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077981750 5 bytes JMP 0000000100040310 .text C:\Windows\system32\csrss.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077981790 5 bytes JMP 00000001000403c0 .text C:\Windows\system32\csrss.exe[396] 
C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000779817e0 5 bytes JMP 00000001000403f0 .text C:\Windows\system32\csrss.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077981940 5 bytes JMP 0000000100040230 .text C:\Windows\system32\csrss.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077981b00 5 bytes JMP 0000000100040480 .text C:\Windows\system32\csrss.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077981b30 5 bytes JMP 00000001000403a0 .text C:\Windows\system32\csrss.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077981c10 5 bytes JMP 00000001000402f0 .text C:\Windows\system32\csrss.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077981c20 5 bytes JMP 0000000100040350 .text C:\Windows\system32\csrss.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077981c80 5 bytes JMP 0000000100040290 .text C:\Windows\system32\csrss.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077981d10 5 bytes JMP 00000001000402b0 .text C:\Windows\system32\csrss.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077981d30 5 bytes JMP 00000001000403d0 .text C:\Windows\system32\csrss.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077981d40 5 bytes JMP 0000000100040330 .text C:\Windows\system32\csrss.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077981db0 5 bytes JMP 0000000100040410 .text C:\Windows\system32\csrss.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077981de0 5 bytes JMP 0000000100040240 .text C:\Windows\system32\csrss.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000779820a0 5 bytes JMP 00000001000401e0 .text C:\Windows\system32\csrss.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077982160 5 bytes JMP 0000000100040250 .text C:\Windows\system32\csrss.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077982190 5 bytes JMP 0000000100040490 .text 
C:\Windows\system32\csrss.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000779821a0 5 bytes JMP 00000001000404a0 .text C:\Windows\system32\csrss.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000779821d0 5 bytes JMP 0000000100040300 .text C:\Windows\system32\csrss.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000779821e0 5 bytes JMP 0000000100040360 .text C:\Windows\system32\csrss.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077982240 5 bytes JMP 00000001000402a0 .text C:\Windows\system32\csrss.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077982290 5 bytes JMP 00000001000402c0 .text C:\Windows\system32\csrss.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000779822c0 5 bytes JMP 0000000100040380 .text C:\Windows\system32\csrss.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000779822d0 5 bytes JMP 0000000100040340 .text C:\Windows\system32\csrss.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000779825c0 5 bytes JMP 0000000100040440 .text C:\Windows\system32\csrss.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000779827c0 5 bytes JMP 0000000100040260 .text C:\Windows\system32\csrss.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000779827d0 5 bytes JMP 0000000100040270 .text C:\Windows\system32\csrss.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000779827e0 5 bytes JMP 0000000100040400 .text C:\Windows\system32\csrss.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000779829a0 5 bytes JMP 00000001000401f0 .text C:\Windows\system32\csrss.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000779829b0 5 bytes JMP 0000000100040210 .text C:\Windows\system32\csrss.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077982a20 5 bytes JMP 0000000100040200 .text C:\Windows\system32\csrss.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077982a80 5 bytes 
JMP 0000000100040420 .text C:\Windows\system32\csrss.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077982a90 5 bytes JMP 0000000100040430 .text C:\Windows\system32\csrss.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077982aa0 5 bytes JMP 0000000100040220 .text C:\Windows\system32\csrss.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077982b80 5 bytes JMP 0000000100040280 .text C:\Windows\system32\wininit.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077981360 5 bytes JMP 0000000077ae0460 .text C:\Windows\system32\wininit.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000779813b0 5 bytes JMP 0000000077ae0450 .text C:\Windows\system32\wininit.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077981510 5 bytes JMP 0000000077ae0370 .text C:\Windows\system32\wininit.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077981560 5 bytes JMP 0000000077ae0470 .text C:\Windows\system32\wininit.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077981570 5 bytes JMP 0000000077ae03e0 .text C:\Windows\system32\wininit.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077981620 5 bytes JMP 0000000077ae0320 .text C:\Windows\system32\wininit.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077981650 5 bytes JMP 0000000077ae03b0 .text C:\Windows\system32\wininit.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077981670 5 bytes JMP 0000000077ae0390 .text C:\Windows\system32\wininit.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000779816b0 5 bytes JMP 0000000077ae02e0 .text C:\Windows\system32\wininit.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077981730 5 bytes JMP 0000000077ae02d0 .text C:\Windows\system32\wininit.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077981750 5 bytes JMP 0000000077ae0310 .text C:\Windows\system32\wininit.exe[444] 
C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077981790 5 bytes JMP 0000000077ae03c0 .text C:\Windows\system32\wininit.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000779817e0 5 bytes JMP 0000000077ae03f0 .text C:\Windows\system32\wininit.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077981940 5 bytes JMP 0000000077ae0230 .text C:\Windows\system32\wininit.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077981b00 5 bytes JMP 0000000077ae0480 .text C:\Windows\system32\wininit.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077981b30 5 bytes JMP 0000000077ae03a0 .text C:\Windows\system32\wininit.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077981c10 5 bytes JMP 0000000077ae02f0 .text C:\Windows\system32\wininit.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077981c20 5 bytes JMP 0000000077ae0350 .text C:\Windows\system32\wininit.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077981c80 5 bytes JMP 0000000077ae0290 .text C:\Windows\system32\wininit.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077981d10 5 bytes JMP 0000000077ae02b0 .text C:\Windows\system32\wininit.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077981d30 5 bytes JMP 0000000077ae03d0 .text C:\Windows\system32\wininit.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077981d40 5 bytes JMP 0000000077ae0330 .text C:\Windows\system32\wininit.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077981db0 5 bytes JMP 0000000077ae0410 .text C:\Windows\system32\wininit.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077981de0 5 bytes JMP 0000000077ae0240 .text C:\Windows\system32\wininit.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000779820a0 5 bytes JMP 0000000077ae01e0 .text C:\Windows\system32\wininit.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077982160 5 bytes JMP 
0000000077ae0250 .text C:\Windows\system32\wininit.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077982190 5 bytes JMP 0000000077ae0490 .text C:\Windows\system32\wininit.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000779821a0 5 bytes JMP 0000000077ae04a0 .text C:\Windows\system32\wininit.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000779821d0 5 bytes JMP 0000000077ae0300 .text C:\Windows\system32\wininit.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000779821e0 5 bytes JMP 0000000077ae0360 .text C:\Windows\system32\wininit.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077982240 5 bytes JMP 0000000077ae02a0 .text C:\Windows\system32\wininit.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077982290 5 bytes JMP 0000000077ae02c0 .text C:\Windows\system32\wininit.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000779822c0 5 bytes JMP 0000000077ae0380 .text C:\Windows\system32\wininit.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000779822d0 5 bytes JMP 0000000077ae0340 .text C:\Windows\system32\wininit.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000779825c0 5 bytes JMP 0000000077ae0440 .text C:\Windows\system32\wininit.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000779827c0 5 bytes JMP 0000000077ae0260 .text C:\Windows\system32\wininit.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000779827d0 5 bytes JMP 0000000077ae0270 .text C:\Windows\system32\wininit.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000779827e0 5 bytes JMP 0000000077ae0400 .text C:\Windows\system32\wininit.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000779829a0 5 bytes JMP 0000000077ae01f0 .text C:\Windows\system32\wininit.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000779829b0 5 bytes JMP 0000000077ae0210 .text C:\Windows\system32\wininit.exe[444] 
C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077982a20 5 bytes JMP 0000000077ae0200 .text C:\Windows\system32\wininit.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077982a80 5 bytes JMP 0000000077ae0420 .text C:\Windows\system32\wininit.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077982a90 5 bytes JMP 0000000077ae0430 .text C:\Windows\system32\wininit.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077982aa0 5 bytes JMP 0000000077ae0220 .text C:\Windows\system32\wininit.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077982b80 5 bytes JMP 0000000077ae0280 .text C:\Windows\system32\wininit.exe[444] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007786eecd 1 byte [62] .text C:\Windows\system32\csrss.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077981360 5 bytes JMP 000000014a270460 .text C:\Windows\system32\csrss.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000779813b0 5 bytes JMP 000000014a270450 .text C:\Windows\system32\csrss.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077981510 5 bytes JMP 000000014a270370 .text C:\Windows\system32\csrss.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077981560 5 bytes JMP 000000014a270470 .text C:\Windows\system32\csrss.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077981570 5 bytes JMP 000000014a2703e0 .text C:\Windows\system32\csrss.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077981620 5 bytes JMP 000000014a270320 .text C:\Windows\system32\csrss.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077981650 5 bytes JMP 000000014a2703b0 .text C:\Windows\system32\csrss.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077981670 5 bytes JMP 000000014a270390 .text C:\Windows\system32\csrss.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000779816b0 5 bytes JMP 000000014a2702e0 .text 
C:\Windows\system32\csrss.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077981730 5 bytes JMP 000000014a2702d0 .text C:\Windows\system32\csrss.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077981750 5 bytes JMP 000000014a270310 .text C:\Windows\system32\csrss.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077981790 5 bytes JMP 000000014a2703c0 .text C:\Windows\system32\csrss.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000779817e0 5 bytes JMP 000000014a2703f0 .text C:\Windows\system32\csrss.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077981940 5 bytes JMP 000000014a270230 .text C:\Windows\system32\csrss.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077981b00 5 bytes JMP 000000014a270480 .text C:\Windows\system32\csrss.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077981b30 5 bytes JMP 000000014a2703a0 .text C:\Windows\system32\csrss.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077981c10 5 bytes JMP 000000014a2702f0 .text C:\Windows\system32\csrss.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077981c20 5 bytes JMP 000000014a270350 .text C:\Windows\system32\csrss.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077981c80 5 bytes JMP 000000014a270290 .text C:\Windows\system32\csrss.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077981d10 5 bytes JMP 000000014a2702b0 .text C:\Windows\system32\csrss.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077981d30 5 bytes JMP 000000014a2703d0 .text C:\Windows\system32\csrss.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077981d40 5 bytes JMP 000000014a270330 .text C:\Windows\system32\csrss.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077981db0 5 bytes JMP 000000014a270410 .text C:\Windows\system32\csrss.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077981de0 5 
bytes JMP 000000014a270240 .text C:\Windows\system32\csrss.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000779820a0 5 bytes JMP 000000014a2701e0 .text C:\Windows\system32\csrss.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077982160 5 bytes JMP 000000014a270250 .text C:\Windows\system32\csrss.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077982190 5 bytes JMP 000000014a270490 .text C:\Windows\system32\csrss.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000779821a0 5 bytes JMP 000000014a2704a0 .text C:\Windows\system32\csrss.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000779821d0 5 bytes JMP 000000014a270300 .text C:\Windows\system32\csrss.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000779821e0 5 bytes JMP 000000014a270360 .text C:\Windows\system32\csrss.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077982240 5 bytes JMP 000000014a2702a0 .text C:\Windows\system32\csrss.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077982290 5 bytes JMP 000000014a2702c0 .text C:\Windows\system32\csrss.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000779822c0 5 bytes JMP 000000014a270380 .text C:\Windows\system32\csrss.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000779822d0 5 bytes JMP 000000014a270340 .text C:\Windows\system32\csrss.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000779825c0 5 bytes JMP 000000014a270440 .text C:\Windows\system32\csrss.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000779827c0 5 bytes JMP 000000014a270260 .text C:\Windows\system32\csrss.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000779827d0 5 bytes JMP 000000014a270270 .text C:\Windows\system32\csrss.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000779827e0 5 bytes JMP 000000014a270400 .text C:\Windows\system32\csrss.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 
00000000779829a0 5 bytes JMP 000000014a2701f0 .text C:\Windows\system32\csrss.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000779829b0 5 bytes JMP 000000014a270210 .text C:\Windows\system32\csrss.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077982a20 5 bytes JMP 000000014a270200 .text C:\Windows\system32\csrss.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077982a80 5 bytes JMP 000000014a270420 .text C:\Windows\system32\csrss.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077982a90 5 bytes JMP 000000014a270430 .text C:\Windows\system32\csrss.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077982aa0 5 bytes JMP 000000014a270220 .text C:\Windows\system32\csrss.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077982b80 5 bytes JMP 000000014a270280 .text C:\Windows\system32\services.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077981360 5 bytes JMP 0000000100070460 .text C:\Windows\system32\services.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000779813b0 5 bytes JMP 0000000100070450 .text C:\Windows\system32\services.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077981510 5 bytes JMP 0000000100070370 .text C:\Windows\system32\services.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077981560 5 bytes JMP 0000000100070470 .text C:\Windows\system32\services.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077981570 5 bytes JMP 00000001000703e0 .text C:\Windows\system32\services.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077981620 5 bytes JMP 0000000100070320 .text C:\Windows\system32\services.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077981650 5 bytes JMP 00000001000703b0 .text C:\Windows\system32\services.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077981670 5 bytes JMP 0000000100070390 .text 
C:\Windows\system32\services.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000779816b0 5 bytes JMP 00000001000702e0 .text C:\Windows\system32\services.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077981730 5 bytes JMP 00000001000702d0 .text C:\Windows\system32\services.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077981750 5 bytes JMP 0000000100070310 .text C:\Windows\system32\services.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077981790 5 bytes JMP 00000001000703c0 .text C:\Windows\system32\services.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000779817e0 5 bytes JMP 00000001000703f0 .text C:\Windows\system32\services.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077981940 5 bytes JMP 0000000100070230 .text C:\Windows\system32\services.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077981b00 5 bytes JMP 0000000100070480 .text C:\Windows\system32\services.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077981b30 5 bytes JMP 00000001000703a0 .text C:\Windows\system32\services.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077981c10 5 bytes JMP 00000001000702f0 .text C:\Windows\system32\services.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077981c20 5 bytes JMP 0000000100070350 .text C:\Windows\system32\services.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077981c80 5 bytes JMP 0000000100070290 .text C:\Windows\system32\services.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077981d10 5 bytes JMP 00000001000702b0 .text C:\Windows\system32\services.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077981d30 5 bytes JMP 00000001000703d0 .text C:\Windows\system32\services.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077981d40 5 bytes JMP 0000000100070330 .text C:\Windows\system32\services.exe[504] 
C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077981db0 5 bytes JMP 0000000100070410 .text C:\Windows\system32\services.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077981de0 5 bytes JMP 0000000100070240 .text C:\Windows\system32\services.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000779820a0 5 bytes JMP 00000001000701e0 .text C:\Windows\system32\services.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077982160 5 bytes JMP 0000000100070250 .text C:\Windows\system32\services.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077982190 5 bytes JMP 0000000100070490 .text C:\Windows\system32\services.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000779821a0 5 bytes JMP 00000001000704a0 .text C:\Windows\system32\services.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000779821d0 5 bytes JMP 0000000100070300 .text C:\Windows\system32\services.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000779821e0 5 bytes JMP 0000000100070360 .text C:\Windows\system32\services.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077982240 5 bytes JMP 00000001000702a0 .text C:\Windows\system32\services.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077982290 5 bytes JMP 00000001000702c0 .text C:\Windows\system32\services.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000779822c0 5 bytes JMP 0000000100070380 .text C:\Windows\system32\services.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000779822d0 5 bytes JMP 0000000100070340 .text C:\Windows\system32\services.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000779825c0 5 bytes JMP 0000000100070440 .text C:\Windows\system32\services.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000779827c0 5 bytes JMP 0000000100070260 .text C:\Windows\system32\services.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000779827d0 5 bytes JMP 
0000000100070270 .text C:\Windows\system32\services.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000779827e0 5 bytes JMP 0000000100070400 .text C:\Windows\system32\services.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000779829a0 5 bytes JMP 00000001000701f0 .text C:\Windows\system32\services.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000779829b0 5 bytes JMP 0000000100070210 .text C:\Windows\system32\services.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077982a20 5 bytes JMP 0000000100070200 .text C:\Windows\system32\services.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077982a80 5 bytes JMP 0000000100070420 .text C:\Windows\system32\services.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077982a90 5 bytes JMP 0000000100070430 .text C:\Windows\system32\services.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077982aa0 5 bytes JMP 0000000100070220 .text C:\Windows\system32\services.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077982b80 5 bytes JMP 0000000100070280 .text C:\Windows\system32\services.exe[504] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007786eecd 1 byte [62] .text C:\Windows\system32\lsass.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077981360 5 bytes JMP 0000000077ae0460 .text C:\Windows\system32\lsass.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000779813b0 5 bytes JMP 0000000077ae0450 .text C:\Windows\system32\lsass.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077981510 5 bytes JMP 0000000077ae0370 .text C:\Windows\system32\lsass.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077981560 5 bytes JMP 0000000077ae0470 .text C:\Windows\system32\lsass.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077981570 5 bytes JMP 0000000077ae03e0 .text C:\Windows\system32\lsass.exe[528] 
C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077981620 5 bytes JMP 0000000077ae0320 .text C:\Windows\system32\lsass.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077981650 5 bytes JMP 0000000077ae03b0 .text C:\Windows\system32\lsass.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077981670 5 bytes JMP 0000000077ae0390 .text C:\Windows\system32\lsass.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000779816b0 5 bytes JMP 0000000077ae02e0 .text C:\Windows\system32\lsass.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077981730 5 bytes JMP 0000000077ae02d0 .text C:\Windows\system32\lsass.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077981750 5 bytes JMP 0000000077ae0310 .text C:\Windows\system32\lsass.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077981790 5 bytes JMP 0000000077ae03c0 .text C:\Windows\system32\lsass.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000779817e0 5 bytes JMP 0000000077ae03f0 .text C:\Windows\system32\lsass.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077981940 5 bytes JMP 0000000077ae0230 .text C:\Windows\system32\lsass.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077981b00 5 bytes JMP 0000000077ae0480 .text C:\Windows\system32\lsass.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077981b30 5 bytes JMP 0000000077ae03a0 .text C:\Windows\system32\lsass.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077981c10 5 bytes JMP 0000000077ae02f0 .text C:\Windows\system32\lsass.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077981c20 5 bytes JMP 0000000077ae0350 .text C:\Windows\system32\lsass.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077981c80 5 bytes JMP 0000000077ae0290 .text C:\Windows\system32\lsass.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077981d10 5 bytes JMP 0000000077ae02b0 .text 
C:\Windows\system32\lsass.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077981d30 5 bytes JMP 0000000077ae03d0 .text C:\Windows\system32\lsass.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077981d40 5 bytes JMP 0000000077ae0330 .text C:\Windows\system32\lsass.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077981db0 5 bytes JMP 0000000077ae0410 .text C:\Windows\system32\lsass.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077981de0 5 bytes JMP 0000000077ae0240 .text C:\Windows\system32\lsass.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000779820a0 5 bytes JMP 0000000077ae01e0 .text C:\Windows\system32\lsass.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077982160 5 bytes JMP 0000000077ae0250 .text C:\Windows\system32\lsass.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077982190 5 bytes JMP 0000000077ae0490 .text C:\Windows\system32\lsass.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000779821a0 5 bytes JMP 0000000077ae04a0 .text C:\Windows\system32\lsass.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000779821d0 5 bytes JMP 0000000077ae0300 .text C:\Windows\system32\lsass.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000779821e0 5 bytes JMP 0000000077ae0360 .text C:\Windows\system32\lsass.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077982240 5 bytes JMP 0000000077ae02a0 .text C:\Windows\system32\lsass.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077982290 5 bytes JMP 0000000077ae02c0 .text C:\Windows\system32\lsass.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000779822c0 5 bytes JMP 0000000077ae0380 .text C:\Windows\system32\lsass.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000779822d0 5 bytes JMP 0000000077ae0340 .text C:\Windows\system32\lsass.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000779825c0 5 bytes JMP 
0000000077ae0440 .text C:\Windows\system32\lsass.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000779827c0 5 bytes JMP 0000000077ae0260 .text C:\Windows\system32\lsass.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000779827d0 5 bytes JMP 0000000077ae0270 .text C:\Windows\system32\lsass.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000779827e0 5 bytes JMP 0000000077ae0400 .text C:\Windows\system32\lsass.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000779829a0 5 bytes JMP 0000000077ae01f0 .text C:\Windows\system32\lsass.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000779829b0 5 bytes JMP 0000000077ae0210 .text C:\Windows\system32\lsass.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077982a20 5 bytes JMP 0000000077ae0200 .text C:\Windows\system32\lsass.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077982a80 5 bytes JMP 0000000077ae0420 .text C:\Windows\system32\lsass.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077982a90 5 bytes JMP 0000000077ae0430 .text C:\Windows\system32\lsass.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077982aa0 5 bytes JMP 0000000077ae0220 .text C:\Windows\system32\lsass.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077982b80 5 bytes JMP 0000000077ae0280 .text C:\Windows\system32\lsm.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077981360 5 bytes JMP 0000000077ae0460 .text C:\Windows\system32\lsm.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000779813b0 5 bytes JMP 0000000077ae0450 .text C:\Windows\system32\lsm.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077981510 5 bytes JMP 0000000077ae0370 .text C:\Windows\system32\lsm.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077981560 5 bytes JMP 0000000077ae0470 .text C:\Windows\system32\lsm.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 
0000000077981570 5 bytes JMP 0000000077ae03e0 .text C:\Windows\system32\lsm.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077981620 5 bytes JMP 0000000077ae0320 .text C:\Windows\system32\lsm.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077981650 5 bytes JMP 0000000077ae03b0 .text C:\Windows\system32\lsm.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077981670 5 bytes JMP 0000000077ae0390 .text C:\Windows\system32\lsm.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000779816b0 5 bytes JMP 0000000077ae02e0 .text C:\Windows\system32\lsm.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077981730 5 bytes JMP 0000000077ae02d0 .text C:\Windows\system32\lsm.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077981750 5 bytes JMP 0000000077ae0310 .text C:\Windows\system32\lsm.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077981790 5 bytes JMP 0000000077ae03c0 .text C:\Windows\system32\lsm.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000779817e0 5 bytes JMP 0000000077ae03f0 .text C:\Windows\system32\lsm.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077981940 5 bytes JMP 0000000077ae0230 .text C:\Windows\system32\lsm.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077981b00 5 bytes JMP 0000000077ae0480 .text C:\Windows\system32\lsm.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077981b30 5 bytes JMP 0000000077ae03a0 .text C:\Windows\system32\lsm.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077981c10 5 bytes JMP 0000000077ae02f0 .text C:\Windows\system32\lsm.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077981c20 5 bytes JMP 0000000077ae0350 .text C:\Windows\system32\lsm.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077981c80 5 bytes JMP 0000000077ae0290 .text C:\Windows\system32\lsm.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 
0000000077981d10 5 bytes JMP 0000000077ae02b0 .text C:\Windows\system32\lsm.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077981d30 5 bytes JMP 0000000077ae03d0 .text C:\Windows\system32\lsm.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077981d40 5 bytes JMP 0000000077ae0330 .text C:\Windows\system32\lsm.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077981db0 5 bytes JMP 0000000077ae0410 .text C:\Windows\system32\lsm.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077981de0 5 bytes JMP 0000000077ae0240 .text C:\Windows\system32\lsm.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000779820a0 5 bytes JMP 0000000077ae01e0 .text C:\Windows\system32\lsm.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077982160 5 bytes JMP 0000000077ae0250 .text C:\Windows\system32\lsm.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077982190 5 bytes JMP 0000000077ae0490 .text C:\Windows\system32\lsm.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000779821a0 5 bytes JMP 0000000077ae04a0 .text C:\Windows\system32\lsm.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000779821d0 5 bytes JMP 0000000077ae0300 .text C:\Windows\system32\lsm.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000779821e0 5 bytes JMP 0000000077ae0360 .text C:\Windows\system32\lsm.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077982240 5 bytes JMP 0000000077ae02a0 .text C:\Windows\system32\lsm.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077982290 5 bytes JMP 0000000077ae02c0 .text C:\Windows\system32\lsm.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000779822c0 5 bytes JMP 0000000077ae0380 .text C:\Windows\system32\lsm.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000779822d0 5 bytes JMP 0000000077ae0340 .text C:\Windows\system32\lsm.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000779825c0 5 
bytes JMP 0000000077ae0440 .text C:\Windows\system32\lsm.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000779827c0 5 bytes JMP 0000000077ae0260 .text C:\Windows\system32\lsm.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000779827d0 5 bytes JMP 0000000077ae0270 .text C:\Windows\system32\lsm.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000779827e0 5 bytes JMP 0000000077ae0400 .text C:\Windows\system32\lsm.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000779829a0 5 bytes JMP 0000000077ae01f0 .text C:\Windows\system32\lsm.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000779829b0 5 bytes JMP 0000000077ae0210 .text C:\Windows\system32\lsm.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077982a20 5 bytes JMP 0000000077ae0200 .text C:\Windows\system32\lsm.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077982a80 5 bytes JMP 0000000077ae0420 .text C:\Windows\system32\lsm.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077982a90 5 bytes JMP 0000000077ae0430 .text C:\Windows\system32\lsm.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077982aa0 5 bytes JMP 0000000077ae0220 .text C:\Windows\system32\lsm.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077982b80 5 bytes JMP 0000000077ae0280 .text C:\Windows\system32\svchost.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077981360 5 bytes JMP 0000000100070460 .text C:\Windows\system32\svchost.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000779813b0 5 bytes JMP 0000000100070450 .text C:\Windows\system32\svchost.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077981510 5 bytes JMP 0000000100070370 .text C:\Windows\system32\svchost.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077981560 5 bytes JMP 0000000100070470 .text C:\Windows\system32\svchost.exe[624] 
C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077981570 5 bytes JMP 00000001000703e0 .text C:\Windows\system32\svchost.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077981620 5 bytes JMP 0000000100070320 .text C:\Windows\system32\svchost.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077981650 5 bytes JMP 00000001000703b0 .text C:\Windows\system32\svchost.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077981670 5 bytes JMP 0000000100070390 .text C:\Windows\system32\svchost.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000779816b0 5 bytes JMP 00000001000702e0 .text C:\Windows\system32\svchost.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077981730 5 bytes JMP 00000001000702d0 .text C:\Windows\system32\svchost.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077981750 5 bytes JMP 0000000100070310 .text C:\Windows\system32\svchost.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077981790 5 bytes JMP 00000001000703c0 .text C:\Windows\system32\svchost.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000779817e0 5 bytes JMP 00000001000703f0 .text C:\Windows\system32\svchost.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077981940 5 bytes JMP 0000000100070230 .text C:\Windows\system32\svchost.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077981b00 5 bytes JMP 0000000100070480 .text C:\Windows\system32\svchost.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077981b30 5 bytes JMP 00000001000703a0 .text C:\Windows\system32\svchost.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077981c10 5 bytes JMP 00000001000702f0 .text C:\Windows\system32\svchost.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077981c20 5 bytes JMP 0000000100070350 .text C:\Windows\system32\svchost.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077981c80 5 bytes JMP 
0000000100070290 .text C:\Windows\system32\svchost.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077981d10 5 bytes JMP 00000001000702b0 .text C:\Windows\system32\svchost.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077981d30 5 bytes JMP 00000001000703d0 .text C:\Windows\system32\svchost.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077981d40 5 bytes JMP 0000000100070330 .text C:\Windows\system32\svchost.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077981db0 5 bytes JMP 0000000100070410 .text C:\Windows\system32\svchost.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077981de0 5 bytes JMP 0000000100070240 .text C:\Windows\system32\svchost.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000779820a0 5 bytes JMP 00000001000701e0 .text C:\Windows\system32\svchost.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077982160 5 bytes JMP 0000000100070250 .text C:\Windows\system32\svchost.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077982190 5 bytes JMP 0000000100070490 .text C:\Windows\system32\svchost.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000779821a0 5 bytes JMP 00000001000704a0 .text C:\Windows\system32\svchost.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000779821d0 5 bytes JMP 0000000100070300 .text C:\Windows\system32\svchost.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000779821e0 5 bytes JMP 0000000100070360 .text C:\Windows\system32\svchost.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077982240 5 bytes JMP 00000001000702a0 .text C:\Windows\system32\svchost.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077982290 5 bytes JMP 00000001000702c0 .text C:\Windows\system32\svchost.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000779822c0 5 bytes JMP 0000000100070380 .text C:\Windows\system32\svchost.exe[624] 
C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000779822d0 5 bytes JMP 0000000100070340 .text C:\Windows\system32\svchost.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000779825c0 5 bytes JMP 0000000100070440 .text C:\Windows\system32\svchost.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000779827c0 5 bytes JMP 0000000100070260 .text C:\Windows\system32\svchost.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000779827d0 5 bytes JMP 0000000100070270 .text C:\Windows\system32\svchost.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000779827e0 5 bytes JMP 0000000100070400 .text C:\Windows\system32\svchost.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000779829a0 5 bytes JMP 00000001000701f0 .text C:\Windows\system32\svchost.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000779829b0 5 bytes JMP 0000000100070210 .text C:\Windows\system32\svchost.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077982a20 5 bytes JMP 0000000100070200 .text C:\Windows\system32\svchost.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077982a80 5 bytes JMP 0000000100070420 .text C:\Windows\system32\svchost.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077982a90 5 bytes JMP 0000000100070430 .text C:\Windows\system32\svchost.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077982aa0 5 bytes JMP 0000000100070220 .text C:\Windows\system32\svchost.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077982b80 5 bytes JMP 0000000100070280 .text C:\Windows\system32\svchost.exe[624] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007786eecd 1 byte [62] .text C:\Windows\system32\winlogon.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077981360 5 bytes JMP 0000000077ae0460 .text C:\Windows\system32\winlogon.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000779813b0 5 bytes JMP 
0000000077ae0450 .text C:\Windows\system32\winlogon.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077981510 5 bytes JMP 0000000077ae0370 .text C:\Windows\system32\winlogon.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077981560 5 bytes JMP 0000000077ae0470 .text C:\Windows\system32\winlogon.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077981570 5 bytes JMP 0000000077ae03e0 .text C:\Windows\system32\winlogon.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077981620 5 bytes JMP 0000000077ae0320 .text C:\Windows\system32\winlogon.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077981650 5 bytes JMP 0000000077ae03b0 .text C:\Windows\system32\winlogon.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077981670 5 bytes JMP 0000000077ae0390 .text C:\Windows\system32\winlogon.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000779816b0 5 bytes JMP 0000000077ae02e0 .text C:\Windows\system32\winlogon.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077981730 5 bytes JMP 0000000077ae02d0 .text C:\Windows\system32\winlogon.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077981750 5 bytes JMP 0000000077ae0310 .text C:\Windows\system32\winlogon.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077981790 5 bytes JMP 0000000077ae03c0 .text C:\Windows\system32\winlogon.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000779817e0 5 bytes JMP 0000000077ae03f0 .text C:\Windows\system32\winlogon.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077981940 5 bytes JMP 0000000077ae0230 .text C:\Windows\system32\winlogon.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077981b00 5 bytes JMP 0000000077ae0480 .text C:\Windows\system32\winlogon.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077981b30 5 bytes JMP 0000000077ae03a0 .text C:\Windows\system32\winlogon.exe[664] 
C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077981c10 5 bytes JMP 0000000077ae02f0 .text C:\Windows\system32\winlogon.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077981c20 5 bytes JMP 0000000077ae0350 .text C:\Windows\system32\winlogon.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077981c80 5 bytes JMP 0000000077ae0290 .text C:\Windows\system32\winlogon.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077981d10 5 bytes JMP 0000000077ae02b0 .text C:\Windows\system32\winlogon.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077981d30 5 bytes JMP 0000000077ae03d0 .text C:\Windows\system32\winlogon.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077981d40 5 bytes JMP 0000000077ae0330 .text C:\Windows\system32\winlogon.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077981db0 5 bytes JMP 0000000077ae0410 .text C:\Windows\system32\winlogon.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077981de0 5 bytes JMP 0000000077ae0240 .text C:\Windows\system32\winlogon.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000779820a0 5 bytes JMP 0000000077ae01e0 .text C:\Windows\system32\winlogon.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077982160 5 bytes JMP 0000000077ae0250 .text C:\Windows\system32\winlogon.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077982190 5 bytes JMP 0000000077ae0490 .text C:\Windows\system32\winlogon.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000779821a0 5 bytes JMP 0000000077ae04a0 .text C:\Windows\system32\winlogon.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000779821d0 5 bytes JMP 0000000077ae0300 .text C:\Windows\system32\winlogon.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000779821e0 5 bytes JMP 0000000077ae0360 .text C:\Windows\system32\winlogon.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077982240 5 
bytes JMP 0000000077ae02a0 .text C:\Windows\system32\winlogon.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077982290 5 bytes JMP 0000000077ae02c0 .text C:\Windows\system32\winlogon.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000779822c0 5 bytes JMP 0000000077ae0380 .text C:\Windows\system32\winlogon.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000779822d0 5 bytes JMP 0000000077ae0340 .text C:\Windows\system32\winlogon.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000779825c0 5 bytes JMP 0000000077ae0440 .text C:\Windows\system32\winlogon.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000779827c0 5 bytes JMP 0000000077ae0260 .text C:\Windows\system32\winlogon.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000779827d0 5 bytes JMP 0000000077ae0270 .text C:\Windows\system32\winlogon.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000779827e0 5 bytes JMP 0000000077ae0400 .text C:\Windows\system32\winlogon.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000779829a0 5 bytes JMP 0000000077ae01f0 .text C:\Windows\system32\winlogon.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000779829b0 5 bytes JMP 0000000077ae0210 .text C:\Windows\system32\winlogon.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077982a20 5 bytes JMP 0000000077ae0200 .text C:\Windows\system32\winlogon.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077982a80 5 bytes JMP 0000000077ae0420 .text C:\Windows\system32\winlogon.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077982a90 5 bytes JMP 0000000077ae0430 .text C:\Windows\system32\winlogon.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077982aa0 5 bytes JMP 0000000077ae0220 .text C:\Windows\system32\winlogon.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077982b80 5 bytes JMP 0000000077ae0280 .text C:\Windows\system32\winlogon.exe[664] 
C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007786eecd 1 byte [62] .text C:\Windows\system32\svchost.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077981360 5 bytes JMP 0000000077ae0460 .text C:\Windows\system32\svchost.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000779813b0 5 bytes JMP 0000000077ae0450 .text C:\Windows\system32\svchost.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077981510 5 bytes JMP 0000000077ae0370 .text C:\Windows\system32\svchost.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077981560 5 bytes JMP 0000000077ae0470 .text C:\Windows\system32\svchost.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077981570 5 bytes JMP 0000000077ae03e0 .text C:\Windows\system32\svchost.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077981620 5 bytes JMP 0000000077ae0320 .text C:\Windows\system32\svchost.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077981650 5 bytes JMP 0000000077ae03b0 .text C:\Windows\system32\svchost.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077981670 5 bytes JMP 0000000077ae0390 .text C:\Windows\system32\svchost.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000779816b0 5 bytes JMP 0000000077ae02e0 .text C:\Windows\system32\svchost.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077981730 5 bytes JMP 0000000077ae02d0 .text C:\Windows\system32\svchost.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077981750 5 bytes JMP 0000000077ae0310 .text C:\Windows\system32\svchost.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077981790 5 bytes JMP 0000000077ae03c0 .text C:\Windows\system32\svchost.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000779817e0 5 bytes JMP 0000000077ae03f0 .text C:\Windows\system32\svchost.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077981940 5 bytes JMP 0000000077ae0230 .text 
C:\Windows\system32\svchost.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077981b00 5 bytes JMP 0000000077ae0480 .text C:\Windows\system32\svchost.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077981b30 5 bytes JMP 0000000077ae03a0 .text C:\Windows\system32\svchost.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077981c10 5 bytes JMP 0000000077ae02f0 .text C:\Windows\system32\svchost.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077981c20 5 bytes JMP 0000000077ae0350 .text C:\Windows\system32\svchost.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077981c80 5 bytes JMP 0000000077ae0290 .text C:\Windows\system32\svchost.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077981d10 5 bytes JMP 0000000077ae02b0 .text C:\Windows\system32\svchost.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077981d30 5 bytes JMP 0000000077ae03d0 .text C:\Windows\system32\svchost.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077981d40 5 bytes JMP 0000000077ae0330 .text C:\Windows\system32\svchost.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077981db0 5 bytes JMP 0000000077ae0410 .text C:\Windows\system32\svchost.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077981de0 5 bytes JMP 0000000077ae0240 .text C:\Windows\system32\svchost.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000779820a0 5 bytes JMP 0000000077ae01e0 .text C:\Windows\system32\svchost.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077982160 5 bytes JMP 0000000077ae0250 .text C:\Windows\system32\svchost.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077982190 5 bytes JMP 0000000077ae0490 .text C:\Windows\system32\svchost.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000779821a0 5 bytes JMP 0000000077ae04a0 .text C:\Windows\system32\svchost.exe[760] 
C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000779821d0 5 bytes JMP 0000000077ae0300 .text C:\Windows\system32\svchost.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000779821e0 5 bytes JMP 0000000077ae0360 .text C:\Windows\system32\svchost.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077982240 5 bytes JMP 0000000077ae02a0 .text C:\Windows\system32\svchost.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077982290 5 bytes JMP 0000000077ae02c0 .text C:\Windows\system32\svchost.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000779822c0 5 bytes JMP 0000000077ae0380 .text C:\Windows\system32\svchost.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000779822d0 5 bytes JMP 0000000077ae0340 .text C:\Windows\system32\svchost.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000779825c0 5 bytes JMP 0000000077ae0440 .text C:\Windows\system32\svchost.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000779827c0 5 bytes JMP 0000000077ae0260 .text C:\Windows\system32\svchost.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000779827d0 5 bytes JMP 0000000077ae0270 .text C:\Windows\system32\svchost.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000779827e0 5 bytes JMP 0000000077ae0400 .text C:\Windows\system32\svchost.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000779829a0 5 bytes JMP 0000000077ae01f0 .text C:\Windows\system32\svchost.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000779829b0 5 bytes JMP 0000000077ae0210 .text C:\Windows\system32\svchost.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077982a20 5 bytes JMP 0000000077ae0200 .text C:\Windows\system32\svchost.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077982a80 5 bytes JMP 0000000077ae0420 .text C:\Windows\system32\svchost.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077982a90 5 bytes JMP 
0000000077ae0430 .text C:\Windows\system32\svchost.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077982aa0 5 bytes JMP 0000000077ae0220 .text C:\Windows\system32\svchost.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077982b80 5 bytes JMP 0000000077ae0280 .text C:\Windows\System32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077981360 5 bytes JMP 0000000077ae0460 .text C:\Windows\System32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000779813b0 5 bytes JMP 0000000077ae0450 .text C:\Windows\System32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077981510 5 bytes JMP 0000000077ae0370 .text C:\Windows\System32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077981560 5 bytes JMP 0000000077ae0470 .text C:\Windows\System32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077981570 5 bytes JMP 0000000077ae03e0 .text C:\Windows\System32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077981620 5 bytes JMP 0000000077ae0320 .text C:\Windows\System32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077981650 5 bytes JMP 0000000077ae03b0 .text C:\Windows\System32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077981670 5 bytes JMP 0000000077ae0390 .text C:\Windows\System32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000779816b0 5 bytes JMP 0000000077ae02e0 .text C:\Windows\System32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077981730 5 bytes JMP 0000000077ae02d0 .text C:\Windows\System32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077981750 5 bytes JMP 0000000077ae0310 .text C:\Windows\System32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077981790 5 bytes JMP 0000000077ae03c0 .text C:\Windows\System32\svchost.exe[848] 
C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000779817e0 5 bytes JMP 0000000077ae03f0 .text C:\Windows\System32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077981940 5 bytes JMP 0000000077ae0230 .text C:\Windows\System32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077981b00 5 bytes JMP 0000000077ae0480 .text C:\Windows\System32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077981b30 5 bytes JMP 0000000077ae03a0 .text C:\Windows\System32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077981c10 5 bytes JMP 0000000077ae02f0 .text C:\Windows\System32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077981c20 5 bytes JMP 0000000077ae0350 .text C:\Windows\System32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077981c80 5 bytes JMP 0000000077ae0290 .text C:\Windows\System32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077981d10 5 bytes JMP 0000000077ae02b0 .text C:\Windows\System32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077981d30 5 bytes JMP 0000000077ae03d0 .text C:\Windows\System32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077981d40 5 bytes JMP 0000000077ae0330 .text C:\Windows\System32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077981db0 5 bytes JMP 0000000077ae0410 .text C:\Windows\System32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077981de0 5 bytes JMP 0000000077ae0240 .text C:\Windows\System32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000779820a0 5 bytes JMP 0000000077ae01e0 .text C:\Windows\System32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077982160 5 bytes JMP 0000000077ae0250 .text C:\Windows\System32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077982190 5 bytes 
JMP 0000000077ae0490 .text C:\Windows\System32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000779821a0 5 bytes JMP 0000000077ae04a0 .text C:\Windows\System32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000779821d0 5 bytes JMP 0000000077ae0300 .text C:\Windows\System32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000779821e0 5 bytes JMP 0000000077ae0360 .text C:\Windows\System32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077982240 5 bytes JMP 0000000077ae02a0 .text C:\Windows\System32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077982290 5 bytes JMP 0000000077ae02c0 .text C:\Windows\System32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000779822c0 5 bytes JMP 0000000077ae0380 .text C:\Windows\System32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000779822d0 5 bytes JMP 0000000077ae0340 .text C:\Windows\System32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000779825c0 5 bytes JMP 0000000077ae0440 .text C:\Windows\System32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000779827c0 5 bytes JMP 0000000077ae0260 .text C:\Windows\System32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000779827d0 5 bytes JMP 0000000077ae0270 .text C:\Windows\System32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000779827e0 5 bytes JMP 0000000077ae0400 .text C:\Windows\System32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000779829a0 5 bytes JMP 0000000077ae01f0 .text C:\Windows\System32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000779829b0 5 bytes JMP 0000000077ae0210 .text C:\Windows\System32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077982a20 5 bytes JMP 0000000077ae0200 .text C:\Windows\System32\svchost.exe[848] 
C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077982a80 5 bytes JMP 0000000077ae0420 .text C:\Windows\System32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077982a90 5 bytes JMP 0000000077ae0430 .text C:\Windows\System32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077982aa0 5 bytes JMP 0000000077ae0220 .text C:\Windows\System32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077982b80 5 bytes JMP 0000000077ae0280 .text C:\Windows\System32\svchost.exe[848] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007786eecd 1 byte [62] .text C:\Windows\System32\svchost.exe[896] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077981360 5 bytes JMP 0000000077ae0460 .text C:\Windows\System32\svchost.exe[896] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000779813b0 5 bytes JMP 0000000077ae0450 .text C:\Windows\System32\svchost.exe[896] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077981510 5 bytes JMP 0000000077ae0370 .text C:\Windows\System32\svchost.exe[896] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077981560 5 bytes JMP 0000000077ae0470 .text C:\Windows\System32\svchost.exe[896] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077981570 5 bytes JMP 0000000077ae03e0 .text C:\Windows\System32\svchost.exe[896] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077981620 5 bytes JMP 0000000077ae0320 .text C:\Windows\System32\svchost.exe[896] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077981650 5 bytes JMP 0000000077ae03b0 .text C:\Windows\System32\svchost.exe[896] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077981670 5 bytes JMP 0000000077ae0390 .text C:\Windows\System32\svchost.exe[896] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000779816b0 5 bytes JMP 0000000077ae02e0 .text C:\Windows\System32\svchost.exe[896] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077981730 5 bytes JMP 0000000077ae02d0 .text 
C:\Windows\System32\svchost.exe[896] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077981750 5 bytes JMP 0000000077ae0310 .text C:\Windows\System32\svchost.exe[896] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077981790 5 bytes JMP 0000000077ae03c0 .text C:\Windows\System32\svchost.exe[896] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000779817e0 5 bytes JMP 0000000077ae03f0 .text C:\Windows\System32\svchost.exe[896] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077981940 5 bytes JMP 0000000077ae0230 .text C:\Windows\System32\svchost.exe[896] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077981b00 5 bytes JMP 0000000077ae0480 .text C:\Windows\System32\svchost.exe[896] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077981b30 5 bytes JMP 0000000077ae03a0 .text C:\Windows\System32\svchost.exe[896] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077981c10 5 bytes JMP 0000000077ae02f0 .text C:\Windows\System32\svchost.exe[896] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077981c20 5 bytes JMP 0000000077ae0350 .text C:\Windows\System32\svchost.exe[896] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077981c80 5 bytes JMP 0000000077ae0290 .text C:\Windows\System32\svchost.exe[896] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077981d10 5 bytes JMP 0000000077ae02b0 .text C:\Windows\System32\svchost.exe[896] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077981d30 5 bytes JMP 0000000077ae03d0 .text C:\Windows\System32\svchost.exe[896] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077981d40 5 bytes JMP 0000000077ae0330 .text C:\Windows\System32\svchost.exe[896] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077981db0 5 bytes JMP 0000000077ae0410 .text C:\Windows\System32\svchost.exe[896] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077981de0 5 bytes JMP 0000000077ae0240 .text C:\Windows\System32\svchost.exe[896] 
C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000779820a0 5 bytes JMP 0000000077ae01e0 .text C:\Windows\System32\svchost.exe[896] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077982160 5 bytes JMP 0000000077ae0250 .text C:\Windows\System32\svchost.exe[896] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077982190 5 bytes JMP 0000000077ae0490 .text C:\Windows\System32\svchost.exe[896] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000779821a0 5 bytes JMP 0000000077ae04a0 .text C:\Windows\System32\svchost.exe[896] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000779821d0 5 bytes JMP 0000000077ae0300 .text C:\Windows\System32\svchost.exe[896] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000779821e0 5 bytes JMP 0000000077ae0360 .text C:\Windows\System32\svchost.exe[896] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077982240 5 bytes JMP 0000000077ae02a0 .text C:\Windows\System32\svchost.exe[896] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077982290 5 bytes JMP 0000000077ae02c0 .text C:\Windows\System32\svchost.exe[896] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000779822c0 5 bytes JMP 0000000077ae0380 .text C:\Windows\System32\svchost.exe[896] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000779822d0 5 bytes JMP 0000000077ae0340 .text C:\Windows\System32\svchost.exe[896] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000779825c0 5 bytes JMP 0000000077ae0440 .text C:\Windows\System32\svchost.exe[896] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000779827c0 5 bytes JMP 0000000077ae0260 .text C:\Windows\System32\svchost.exe[896] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000779827d0 5 bytes JMP 0000000077ae0270 .text C:\Windows\System32\svchost.exe[896] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000779827e0 5 bytes JMP 0000000077ae0400 .text C:\Windows\System32\svchost.exe[896] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000779829a0 5 bytes JMP 
0000000077ae01f0 .text C:\Windows\System32\svchost.exe[896] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000779829b0 5 bytes JMP 0000000077ae0210 .text C:\Windows\System32\svchost.exe[896] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077982a20 5 bytes JMP 0000000077ae0200 .text C:\Windows\System32\svchost.exe[896] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077982a80 5 bytes JMP 0000000077ae0420 .text C:\Windows\System32\svchost.exe[896] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077982a90 5 bytes JMP 0000000077ae0430 .text C:\Windows\System32\svchost.exe[896] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077982aa0 5 bytes JMP 0000000077ae0220 .text C:\Windows\System32\svchost.exe[896] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077982b80 5 bytes JMP 0000000077ae0280 .text C:\Windows\System32\svchost.exe[896] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007786eecd 1 byte [62] .text C:\Windows\system32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077981360 5 bytes JMP 0000000077ae0460 .text C:\Windows\system32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000779813b0 5 bytes JMP 0000000077ae0450 .text C:\Windows\system32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077981510 5 bytes JMP 0000000077ae0370 .text C:\Windows\system32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077981560 5 bytes JMP 0000000077ae0470 .text C:\Windows\system32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077981570 5 bytes JMP 0000000077ae03e0 .text C:\Windows\system32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077981620 5 bytes JMP 0000000077ae0320 .text C:\Windows\system32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077981650 5 bytes JMP 0000000077ae03b0 .text C:\Windows\system32\svchost.exe[928] 
C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077981670 5 bytes JMP 0000000077ae0390 .text C:\Windows\system32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000779816b0 5 bytes JMP 0000000077ae02e0 .text C:\Windows\system32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077981730 5 bytes JMP 0000000077ae02d0 .text C:\Windows\system32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077981750 5 bytes JMP 0000000077ae0310 .text C:\Windows\system32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077981790 5 bytes JMP 0000000077ae03c0 .text C:\Windows\system32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000779817e0 5 bytes JMP 0000000077ae03f0 .text C:\Windows\system32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077981940 5 bytes JMP 0000000077ae0230 .text C:\Windows\system32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077981b00 5 bytes JMP 0000000077ae0480 .text C:\Windows\system32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077981b30 5 bytes JMP 0000000077ae03a0 .text C:\Windows\system32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077981c10 5 bytes JMP 0000000077ae02f0 .text C:\Windows\system32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077981c20 5 bytes JMP 0000000077ae0350 .text C:\Windows\system32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077981c80 5 bytes JMP 0000000077ae0290 .text C:\Windows\system32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077981d10 5 bytes JMP 0000000077ae02b0 .text C:\Windows\system32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077981d30 5 bytes JMP 0000000077ae03d0 .text C:\Windows\system32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077981d40 5 bytes JMP 
0000000077ae0330 .text C:\Windows\system32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077981db0 5 bytes JMP 0000000077ae0410 .text C:\Windows\system32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077981de0 5 bytes JMP 0000000077ae0240 .text C:\Windows\system32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000779820a0 5 bytes JMP 0000000077ae01e0 .text C:\Windows\system32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077982160 5 bytes JMP 0000000077ae0250 .text C:\Windows\system32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077982190 5 bytes JMP 0000000077ae0490 .text C:\Windows\system32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000779821a0 5 bytes JMP 0000000077ae04a0 .text C:\Windows\system32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000779821d0 5 bytes JMP 0000000077ae0300 .text C:\Windows\system32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000779821e0 5 bytes JMP 0000000077ae0360 .text C:\Windows\system32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077982240 5 bytes JMP 0000000077ae02a0 .text C:\Windows\system32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077982290 5 bytes JMP 0000000077ae02c0 .text C:\Windows\system32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000779822c0 5 bytes JMP 0000000077ae0380 .text C:\Windows\system32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000779822d0 5 bytes JMP 0000000077ae0340 .text C:\Windows\system32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000779825c0 5 bytes JMP 0000000077ae0440 .text C:\Windows\system32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000779827c0 5 bytes JMP 0000000077ae0260 .text C:\Windows\system32\svchost.exe[928] 
C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000779827d0 5 bytes JMP 0000000077ae0270 .text C:\Windows\system32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000779827e0 5 bytes JMP 0000000077ae0400 .text C:\Windows\system32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000779829a0 5 bytes JMP 0000000077ae01f0 .text C:\Windows\system32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000779829b0 5 bytes JMP 0000000077ae0210 .text C:\Windows\system32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077982a20 5 bytes JMP 0000000077ae0200 .text C:\Windows\system32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077982a80 5 bytes JMP 0000000077ae0420 .text C:\Windows\system32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077982a90 5 bytes JMP 0000000077ae0430 .text C:\Windows\system32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077982aa0 5 bytes JMP 0000000077ae0220 .text C:\Windows\system32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077982b80 5 bytes JMP 0000000077ae0280 .text C:\Windows\system32\svchost.exe[928] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007786eecd 1 byte [62] .text C:\Windows\system32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077981360 5 bytes JMP 0000000077ae0460 .text C:\Windows\system32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000779813b0 5 bytes JMP 0000000077ae0450 .text C:\Windows\system32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077981510 5 bytes JMP 0000000077ae0370 .text C:\Windows\system32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077981560 5 bytes JMP 0000000077ae0470 .text C:\Windows\system32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077981570 5 bytes JMP 
0000000077ae03e0 .text C:\Windows\system32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077981620 5 bytes JMP 0000000077ae0320 .text C:\Windows\system32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077981650 5 bytes JMP 0000000077ae03b0 .text C:\Windows\system32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077981670 5 bytes JMP 0000000077ae0390 .text C:\Windows\system32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000779816b0 5 bytes JMP 0000000077ae02e0 .text C:\Windows\system32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077981730 5 bytes JMP 0000000077ae02d0 .text C:\Windows\system32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077981750 5 bytes JMP 0000000077ae0310 .text C:\Windows\system32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077981790 5 bytes JMP 0000000077ae03c0 .text C:\Windows\system32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000779817e0 5 bytes JMP 0000000077ae03f0 .text C:\Windows\system32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077981940 5 bytes JMP 0000000077ae0230 .text C:\Windows\system32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077981b00 5 bytes JMP 0000000077ae0480 .text C:\Windows\system32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077981b30 5 bytes JMP 0000000077ae03a0 .text C:\Windows\system32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077981c10 5 bytes JMP 0000000077ae02f0 .text C:\Windows\system32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077981c20 5 bytes JMP 0000000077ae0350 .text C:\Windows\system32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077981c80 5 bytes JMP 0000000077ae0290 .text C:\Windows\system32\svchost.exe[952] 
C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077981d10 5 bytes JMP 0000000077ae02b0 .text C:\Windows\system32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077981d30 5 bytes JMP 0000000077ae03d0 .text C:\Windows\system32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077981d40 5 bytes JMP 0000000077ae0330 .text C:\Windows\system32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077981db0 5 bytes JMP 0000000077ae0410 .text C:\Windows\system32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077981de0 5 bytes JMP 0000000077ae0240 .text C:\Windows\system32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000779820a0 5 bytes JMP 0000000077ae01e0 .text C:\Windows\system32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077982160 5 bytes JMP 0000000077ae0250 .text C:\Windows\system32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077982190 5 bytes JMP 0000000077ae0490 .text C:\Windows\system32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000779821a0 5 bytes JMP 0000000077ae04a0 .text C:\Windows\system32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000779821d0 5 bytes JMP 0000000077ae0300 .text C:\Windows\system32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000779821e0 5 bytes JMP 0000000077ae0360 .text C:\Windows\system32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077982240 5 bytes JMP 0000000077ae02a0 .text C:\Windows\system32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077982290 5 bytes JMP 0000000077ae02c0 .text C:\Windows\system32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000779822c0 5 bytes JMP 0000000077ae0380 .text C:\Windows\system32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000779822d0 5 bytes JMP 0000000077ae0340 
.text C:\Windows\system32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000779825c0 5 bytes JMP 0000000077ae0440 .text C:\Windows\system32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000779827c0 5 bytes JMP 0000000077ae0260 .text C:\Windows\system32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000779827d0 5 bytes JMP 0000000077ae0270 .text C:\Windows\system32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000779827e0 5 bytes JMP 0000000077ae0400 .text C:\Windows\system32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000779829a0 5 bytes JMP 0000000077ae01f0 .text C:\Windows\system32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000779829b0 5 bytes JMP 0000000077ae0210 .text C:\Windows\system32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077982a20 5 bytes JMP 0000000077ae0200 .text C:\Windows\system32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077982a80 5 bytes JMP 0000000077ae0420 .text C:\Windows\system32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077982a90 5 bytes JMP 0000000077ae0430 .text C:\Windows\system32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077982aa0 5 bytes JMP 0000000077ae0220 .text C:\Windows\system32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077982b80 5 bytes JMP 0000000077ae0280 .text C:\Windows\system32\svchost.exe[952] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007786eecd 1 byte [62] .text C:\Program Files\IDT\WDM\STacSV64.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077981360 5 bytes JMP 0000000077ae0460 .text C:\Program Files\IDT\WDM\STacSV64.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000779813b0 5 bytes JMP 0000000077ae0450 .text C:\Program Files\IDT\WDM\STacSV64.exe[1008] 
C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077981510 5 bytes JMP 0000000077ae0370 .text C:\Program Files\IDT\WDM\STacSV64.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077981560 5 bytes JMP 0000000077ae0470 .text C:\Program Files\IDT\WDM\STacSV64.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077981570 5 bytes JMP 0000000077ae03e0 .text C:\Program Files\IDT\WDM\STacSV64.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077981620 5 bytes JMP 0000000077ae0320 .text C:\Program Files\IDT\WDM\STacSV64.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077981650 5 bytes JMP 0000000077ae03b0 .text C:\Program Files\IDT\WDM\STacSV64.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077981670 5 bytes JMP 0000000077ae0390 .text C:\Program Files\IDT\WDM\STacSV64.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000779816b0 5 bytes JMP 0000000077ae02e0 .text C:\Program Files\IDT\WDM\STacSV64.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077981730 5 bytes JMP 0000000077ae02d0 .text C:\Program Files\IDT\WDM\STacSV64.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077981750 5 bytes JMP 0000000077ae0310 .text C:\Program Files\IDT\WDM\STacSV64.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077981790 5 bytes JMP 0000000077ae03c0 .text C:\Program Files\IDT\WDM\STacSV64.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000779817e0 5 bytes JMP 0000000077ae03f0 .text C:\Program Files\IDT\WDM\STacSV64.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077981940 5 bytes JMP 0000000077ae0230 .text C:\Program Files\IDT\WDM\STacSV64.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077981b00 5 bytes JMP 0000000077ae0480 .text C:\Program Files\IDT\WDM\STacSV64.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077981b30 5 bytes JMP 0000000077ae03a0 .text C:\Program 
Files\IDT\WDM\STacSV64.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077981c10 5 bytes JMP 0000000077ae02f0 .text C:\Program Files\IDT\WDM\STacSV64.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077981c20 5 bytes JMP 0000000077ae0350 .text C:\Program Files\IDT\WDM\STacSV64.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077981c80 5 bytes JMP 0000000077ae0290 .text C:\Program Files\IDT\WDM\STacSV64.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077981d10 5 bytes JMP 0000000077ae02b0 .text C:\Program Files\IDT\WDM\STacSV64.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077981d30 5 bytes JMP 0000000077ae03d0 .text C:\Program Files\IDT\WDM\STacSV64.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077981d40 5 bytes JMP 0000000077ae0330 .text C:\Program Files\IDT\WDM\STacSV64.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077981db0 5 bytes JMP 0000000077ae0410 .text C:\Program Files\IDT\WDM\STacSV64.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077981de0 5 bytes JMP 0000000077ae0240 .text C:\Program Files\IDT\WDM\STacSV64.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000779820a0 5 bytes JMP 0000000077ae01e0 .text C:\Program Files\IDT\WDM\STacSV64.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077982160 5 bytes JMP 0000000077ae0250 .text C:\Program Files\IDT\WDM\STacSV64.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077982190 5 bytes JMP 0000000077ae0490 .text C:\Program Files\IDT\WDM\STacSV64.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000779821a0 5 bytes JMP 0000000077ae04a0 .text C:\Program Files\IDT\WDM\STacSV64.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000779821d0 5 bytes JMP 0000000077ae0300 .text C:\Program Files\IDT\WDM\STacSV64.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000779821e0 5 bytes JMP 0000000077ae0360 
.text C:\Program Files\IDT\WDM\STacSV64.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077982240 5 bytes JMP 0000000077ae02a0 .text C:\Program Files\IDT\WDM\STacSV64.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077982290 5 bytes JMP 0000000077ae02c0 .text C:\Program Files\IDT\WDM\STacSV64.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000779822c0 5 bytes JMP 0000000077ae0380 .text C:\Program Files\IDT\WDM\STacSV64.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000779822d0 5 bytes JMP 0000000077ae0340 .text C:\Program Files\IDT\WDM\STacSV64.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000779825c0 5 bytes JMP 0000000077ae0440 .text C:\Program Files\IDT\WDM\STacSV64.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000779827c0 5 bytes JMP 0000000077ae0260 .text C:\Program Files\IDT\WDM\STacSV64.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000779827d0 5 bytes JMP 0000000077ae0270 .text C:\Program Files\IDT\WDM\STacSV64.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000779827e0 5 bytes JMP 0000000077ae0400 .text C:\Program Files\IDT\WDM\STacSV64.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000779829a0 5 bytes JMP 0000000077ae01f0 .text C:\Program Files\IDT\WDM\STacSV64.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000779829b0 5 bytes JMP 0000000077ae0210 .text C:\Program Files\IDT\WDM\STacSV64.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077982a20 5 bytes JMP 0000000077ae0200 .text C:\Program Files\IDT\WDM\STacSV64.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077982a80 5 bytes JMP 0000000077ae0420 .text C:\Program Files\IDT\WDM\STacSV64.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077982a90 5 bytes JMP 0000000077ae0430 .text C:\Program Files\IDT\WDM\STacSV64.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077982aa0 5 bytes JMP 
0000000077ae0220 .text C:\Program Files\IDT\WDM\STacSV64.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077982b80 5 bytes JMP 0000000077ae0280 .text C:\Program Files\IDT\WDM\STacSV64.exe[1008] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007786eecd 1 byte [62] .text C:\Windows\system32\AUDIODG.EXE[404] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077981360 5 bytes JMP 0000000077ae0460 .text C:\Windows\system32\AUDIODG.EXE[404] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000779813b0 5 bytes JMP 0000000077ae0450 .text C:\Windows\system32\AUDIODG.EXE[404] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077981510 5 bytes JMP 0000000077ae0370 .text C:\Windows\system32\AUDIODG.EXE[404] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077981560 5 bytes JMP 0000000077ae0470 .text C:\Windows\system32\AUDIODG.EXE[404] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077981570 5 bytes JMP 0000000077ae03e0 .text C:\Windows\system32\AUDIODG.EXE[404] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077981620 5 bytes JMP 0000000077ae0320 .text C:\Windows\system32\AUDIODG.EXE[404] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077981650 5 bytes JMP 0000000077ae03b0 .text C:\Windows\system32\AUDIODG.EXE[404] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077981670 5 bytes JMP 0000000077ae0390 .text C:\Windows\system32\AUDIODG.EXE[404] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000779816b0 5 bytes JMP 0000000077ae02e0 .text C:\Windows\system32\AUDIODG.EXE[404] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077981730 5 bytes JMP 0000000077ae02d0 .text C:\Windows\system32\AUDIODG.EXE[404] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077981750 5 bytes JMP 0000000077ae0310 .text C:\Windows\system32\AUDIODG.EXE[404] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077981790 5 bytes JMP 0000000077ae03c0 .text C:\Windows\system32\AUDIODG.EXE[404] 
C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000779817e0 5 bytes JMP 0000000077ae03f0 .text C:\Windows\system32\AUDIODG.EXE[404] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077981940 5 bytes JMP 0000000077ae0230 .text C:\Windows\system32\AUDIODG.EXE[404] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077981b00 5 bytes JMP 0000000077ae0480 .text C:\Windows\system32\AUDIODG.EXE[404] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077981b30 5 bytes JMP 0000000077ae03a0 .text C:\Windows\system32\AUDIODG.EXE[404] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077981c10 5 bytes JMP 0000000077ae02f0 .text C:\Windows\system32\AUDIODG.EXE[404] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077981c20 5 bytes JMP 0000000077ae0350 .text C:\Windows\system32\AUDIODG.EXE[404] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077981c80 5 bytes JMP 0000000077ae0290 .text C:\Windows\system32\AUDIODG.EXE[404] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077981d10 5 bytes JMP 0000000077ae02b0 .text C:\Windows\system32\AUDIODG.EXE[404] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077981d30 5 bytes JMP 0000000077ae03d0 .text C:\Windows\system32\AUDIODG.EXE[404] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077981d40 5 bytes JMP 0000000077ae0330 .text C:\Windows\system32\AUDIODG.EXE[404] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077981db0 5 bytes JMP 0000000077ae0410 .text C:\Windows\system32\AUDIODG.EXE[404] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077981de0 5 bytes JMP 0000000077ae0240 .text C:\Windows\system32\AUDIODG.EXE[404] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000779820a0 5 bytes JMP 0000000077ae01e0 .text C:\Windows\system32\AUDIODG.EXE[404] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077982160 5 bytes JMP 0000000077ae0250 .text C:\Windows\system32\AUDIODG.EXE[404] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077982190 5 bytes 
JMP 0000000077ae0490 .text C:\Windows\system32\AUDIODG.EXE[404] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000779821a0 5 bytes JMP 0000000077ae04a0 .text C:\Windows\system32\AUDIODG.EXE[404] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000779821d0 5 bytes JMP 0000000077ae0300 .text C:\Windows\system32\AUDIODG.EXE[404] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000779821e0 5 bytes JMP 0000000077ae0360 .text C:\Windows\system32\AUDIODG.EXE[404] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077982240 5 bytes JMP 0000000077ae02a0 .text C:\Windows\system32\AUDIODG.EXE[404] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077982290 5 bytes JMP 0000000077ae02c0 .text C:\Windows\system32\AUDIODG.EXE[404] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000779822c0 5 bytes JMP 0000000077ae0380 .text C:\Windows\system32\AUDIODG.EXE[404] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000779822d0 5 bytes JMP 0000000077ae0340 .text C:\Windows\system32\AUDIODG.EXE[404] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000779825c0 5 bytes JMP 0000000077ae0440 .text C:\Windows\system32\AUDIODG.EXE[404] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000779827c0 5 bytes JMP 0000000077ae0260 .text C:\Windows\system32\AUDIODG.EXE[404] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000779827d0 5 bytes JMP 0000000077ae0270 .text C:\Windows\system32\AUDIODG.EXE[404] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000779827e0 5 bytes JMP 0000000077ae0400 .text C:\Windows\system32\AUDIODG.EXE[404] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000779829a0 5 bytes JMP 0000000077ae01f0 .text C:\Windows\system32\AUDIODG.EXE[404] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000779829b0 5 bytes JMP 0000000077ae0210 .text C:\Windows\system32\AUDIODG.EXE[404] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077982a20 5 bytes JMP 0000000077ae0200 .text C:\Windows\system32\AUDIODG.EXE[404] 
C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077982a80 5 bytes JMP 0000000077ae0420 .text C:\Windows\system32\AUDIODG.EXE[404] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077982a90 5 bytes JMP 0000000077ae0430 .text C:\Windows\system32\AUDIODG.EXE[404] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077982aa0 5 bytes JMP 0000000077ae0220 .text C:\Windows\system32\AUDIODG.EXE[404] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077982b80 5 bytes JMP 0000000077ae0280 .text C:\Windows\system32\AUDIODG.EXE[404] C:\Windows\System32\kernel32.dll!GetBinaryTypeW + 189 000000007786eecd 1 byte [62] .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077981360 5 bytes JMP 0000000077ae0460 .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000779813b0 5 bytes JMP 0000000077ae0450 .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077981510 5 bytes JMP 0000000077ae0370 .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077981560 5 bytes JMP 0000000077ae0470 .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077981570 5 bytes JMP 0000000077ae03e0 .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077981620 5 bytes JMP 0000000077ae0320 .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077981650 5 bytes JMP 0000000077ae03b0 .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077981670 5 bytes JMP 0000000077ae0390 .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000779816b0 5 bytes JMP 0000000077ae02e0 .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077981730 5 bytes JMP 0000000077ae02d0 
.text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077981750 5 bytes JMP 0000000077ae0310 .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077981790 5 bytes JMP 0000000077ae03c0 .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000779817e0 5 bytes JMP 0000000077ae03f0 .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077981940 5 bytes JMP 0000000077ae0230 .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077981b00 5 bytes JMP 0000000077ae0480 .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077981b30 5 bytes JMP 0000000077ae03a0 .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077981c10 5 bytes JMP 0000000077ae02f0 .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077981c20 5 bytes JMP 0000000077ae0350 .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077981c80 5 bytes JMP 0000000077ae0290 .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077981d10 5 bytes JMP 0000000077ae02b0 .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077981d30 5 bytes JMP 0000000077ae03d0 .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077981d40 5 bytes JMP 0000000077ae0330 .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077981db0 5 bytes JMP 0000000077ae0410 .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077981de0 5 bytes JMP 0000000077ae0240 .text C:\Windows\system32\svchost.exe[1132] 
C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000779820a0 5 bytes JMP 0000000077ae01e0 .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077982160 5 bytes JMP 0000000077ae0250 .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077982190 5 bytes JMP 0000000077ae0490 .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000779821a0 5 bytes JMP 0000000077ae04a0 .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000779821d0 5 bytes JMP 0000000077ae0300 .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000779821e0 5 bytes JMP 0000000077ae0360 .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077982240 5 bytes JMP 0000000077ae02a0 .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077982290 5 bytes JMP 0000000077ae02c0 .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000779822c0 5 bytes JMP 0000000077ae0380 .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000779822d0 5 bytes JMP 0000000077ae0340 .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000779825c0 5 bytes JMP 0000000077ae0440 .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000779827c0 5 bytes JMP 0000000077ae0260 .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000779827d0 5 bytes JMP 0000000077ae0270 .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000779827e0 5 bytes JMP 0000000077ae0400 .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000779829a0 5 bytes 
JMP 0000000077ae01f0 .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000779829b0 5 bytes JMP 0000000077ae0210 .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077982a20 5 bytes JMP 0000000077ae0200 .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077982a80 5 bytes JMP 0000000077ae0420 .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077982a90 5 bytes JMP 0000000077ae0430 .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077982aa0 5 bytes JMP 0000000077ae0220 .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077982b80 5 bytes JMP 0000000077ae0280 .text C:\Windows\system32\svchost.exe[1132] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007786eecd 1 byte [62] .text C:\Windows\system32\Dwm.exe[1376] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077981360 5 bytes JMP 0000000100070460 .text C:\Windows\system32\Dwm.exe[1376] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000779813b0 5 bytes JMP 0000000100070450 .text C:\Windows\system32\Dwm.exe[1376] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077981510 5 bytes JMP 0000000100070370 .text C:\Windows\system32\Dwm.exe[1376] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077981560 5 bytes JMP 0000000100070470 .text C:\Windows\system32\Dwm.exe[1376] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077981570 5 bytes JMP 00000001000703e0 .text C:\Windows\system32\Dwm.exe[1376] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077981620 5 bytes JMP 0000000100070320 .text C:\Windows\system32\Dwm.exe[1376] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077981650 5 bytes JMP 00000001000703b0 .text C:\Windows\system32\Dwm.exe[1376] 
C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077981670 5 bytes JMP 0000000100070390 .text C:\Windows\system32\Dwm.exe[1376] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000779816b0 5 bytes JMP 00000001000702e0 .text C:\Windows\system32\Dwm.exe[1376] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077981730 5 bytes JMP 00000001000702d0 .text C:\Windows\system32\Dwm.exe[1376] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077981750 5 bytes JMP 0000000100070310 .text C:\Windows\system32\Dwm.exe[1376] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077981790 5 bytes JMP 00000001000703c0 .text C:\Windows\system32\Dwm.exe[1376] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000779817e0 5 bytes JMP 00000001000703f0 .text C:\Windows\system32\Dwm.exe[1376] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077981940 5 bytes JMP 0000000100070230 .text C:\Windows\system32\Dwm.exe[1376] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077981b00 5 bytes JMP 0000000100070480 .text C:\Windows\system32\Dwm.exe[1376] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077981b30 5 bytes JMP 00000001000703a0 .text C:\Windows\system32\Dwm.exe[1376] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077981c10 5 bytes JMP 00000001000702f0 .text C:\Windows\system32\Dwm.exe[1376] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077981c20 5 bytes JMP 0000000100070350 .text C:\Windows\system32\Dwm.exe[1376] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077981c80 5 bytes JMP 0000000100070290 .text C:\Windows\system32\Dwm.exe[1376] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077981d10 5 bytes JMP 00000001000702b0 .text C:\Windows\system32\Dwm.exe[1376] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077981d30 5 bytes JMP 00000001000703d0 .text C:\Windows\system32\Dwm.exe[1376] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077981d40 5 bytes JMP 0000000100070330 .text 
C:\Windows\system32\Dwm.exe[1376] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077981db0 5 bytes JMP 0000000100070410 .text C:\Windows\system32\Dwm.exe[1376] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077981de0 5 bytes JMP 0000000100070240 .text C:\Windows\system32\Dwm.exe[1376] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000779820a0 5 bytes JMP 00000001000701e0 .text C:\Windows\system32\Dwm.exe[1376] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077982160 5 bytes JMP 0000000100070250 .text C:\Windows\system32\Dwm.exe[1376] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077982190 5 bytes JMP 0000000100070490 .text C:\Windows\system32\Dwm.exe[1376] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000779821a0 5 bytes JMP 00000001000704a0 .text C:\Windows\system32\Dwm.exe[1376] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000779821d0 5 bytes JMP 0000000100070300 .text C:\Windows\system32\Dwm.exe[1376] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000779821e0 5 bytes JMP 0000000100070360 .text C:\Windows\system32\Dwm.exe[1376] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077982240 5 bytes JMP 00000001000702a0 .text C:\Windows\system32\Dwm.exe[1376] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077982290 5 bytes JMP 00000001000702c0 .text C:\Windows\system32\Dwm.exe[1376] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000779822c0 5 bytes JMP 0000000100070380 .text C:\Windows\system32\Dwm.exe[1376] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000779822d0 5 bytes JMP 0000000100070340 .text C:\Windows\system32\Dwm.exe[1376] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000779825c0 5 bytes JMP 0000000100070440 .text C:\Windows\system32\Dwm.exe[1376] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000779827c0 5 bytes JMP 0000000100070260 .text C:\Windows\system32\Dwm.exe[1376] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000779827d0 5 bytes JMP 0000000100070270 .text 
C:\Windows\system32\Dwm.exe[1376] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000779827e0 5 bytes JMP 0000000100070400 .text C:\Windows\system32\Dwm.exe[1376] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000779829a0 5 bytes JMP 00000001000701f0 .text C:\Windows\system32\Dwm.exe[1376] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000779829b0 5 bytes JMP 0000000100070210 .text C:\Windows\system32\Dwm.exe[1376] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077982a20 5 bytes JMP 0000000100070200 .text C:\Windows\system32\Dwm.exe[1376] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077982a80 5 bytes JMP 0000000100070420 .text C:\Windows\system32\Dwm.exe[1376] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077982a90 5 bytes JMP 0000000100070430 .text C:\Windows\system32\Dwm.exe[1376] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077982aa0 5 bytes JMP 0000000100070220 .text C:\Windows\system32\Dwm.exe[1376] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077982b80 5 bytes JMP 0000000100070280 .text C:\Windows\Explorer.EXE[1400] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077981360 5 bytes JMP 0000000077ae0460 .text C:\Windows\Explorer.EXE[1400] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000779813b0 5 bytes JMP 0000000077ae0450 .text C:\Windows\Explorer.EXE[1400] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077981510 5 bytes JMP 0000000077ae0370 .text C:\Windows\Explorer.EXE[1400] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077981560 5 bytes JMP 0000000077ae0470 .text C:\Windows\Explorer.EXE[1400] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077981570 5 bytes JMP 0000000077ae03e0 .text C:\Windows\Explorer.EXE[1400] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077981620 5 bytes JMP 0000000077ae0320 .text C:\Windows\Explorer.EXE[1400] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077981650 5 bytes JMP 0000000077ae03b0 .text 
C:\Windows\Explorer.EXE[1400] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077981670 5 bytes JMP 0000000077ae0390 .text C:\Windows\Explorer.EXE[1400] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000779816b0 5 bytes JMP 0000000077ae02e0 .text C:\Windows\Explorer.EXE[1400] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077981730 5 bytes JMP 0000000077ae02d0 .text C:\Windows\Explorer.EXE[1400] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077981750 5 bytes JMP 0000000077ae0310 .text C:\Windows\Explorer.EXE[1400] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077981790 5 bytes JMP 0000000077ae03c0 .text C:\Windows\Explorer.EXE[1400] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000779817e0 5 bytes JMP 0000000077ae03f0 .text C:\Windows\Explorer.EXE[1400] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077981940 5 bytes JMP 0000000077ae0230 .text C:\Windows\Explorer.EXE[1400] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077981b00 5 bytes JMP 0000000077ae0480 .text C:\Windows\Explorer.EXE[1400] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077981b30 5 bytes JMP 0000000077ae03a0 .text C:\Windows\Explorer.EXE[1400] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077981c10 5 bytes JMP 0000000077ae02f0 .text C:\Windows\Explorer.EXE[1400] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077981c20 5 bytes JMP 0000000077ae0350 .text C:\Windows\Explorer.EXE[1400] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077981c80 5 bytes JMP 0000000077ae0290 .text C:\Windows\Explorer.EXE[1400] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077981d10 5 bytes JMP 0000000077ae02b0 .text C:\Windows\Explorer.EXE[1400] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077981d30 5 bytes JMP 0000000077ae03d0 .text C:\Windows\Explorer.EXE[1400] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077981d40 5 bytes JMP 0000000077ae0330 .text C:\Windows\Explorer.EXE[1400] 
C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077981db0 5 bytes JMP 0000000077ae0410 .text C:\Windows\Explorer.EXE[1400] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077981de0 5 bytes JMP 0000000077ae0240 .text C:\Windows\Explorer.EXE[1400] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000779820a0 5 bytes JMP 0000000077ae01e0 .text C:\Windows\Explorer.EXE[1400] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077982160 5 bytes JMP 0000000077ae0250 .text C:\Windows\Explorer.EXE[1400] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077982190 5 bytes JMP 0000000077ae0490 .text C:\Windows\Explorer.EXE[1400] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000779821a0 5 bytes JMP 0000000077ae04a0 .text C:\Windows\Explorer.EXE[1400] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000779821d0 5 bytes JMP 0000000077ae0300 .text C:\Windows\Explorer.EXE[1400] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000779821e0 5 bytes JMP 0000000077ae0360 .text C:\Windows\Explorer.EXE[1400] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077982240 5 bytes JMP 0000000077ae02a0 .text C:\Windows\Explorer.EXE[1400] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077982290 5 bytes JMP 0000000077ae02c0 .text C:\Windows\Explorer.EXE[1400] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000779822c0 5 bytes JMP 0000000077ae0380 .text C:\Windows\Explorer.EXE[1400] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000779822d0 5 bytes JMP 0000000077ae0340 .text C:\Windows\Explorer.EXE[1400] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000779825c0 5 bytes JMP 0000000077ae0440 .text C:\Windows\Explorer.EXE[1400] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000779827c0 5 bytes JMP 0000000077ae0260 .text C:\Windows\Explorer.EXE[1400] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000779827d0 5 bytes JMP 0000000077ae0270 .text C:\Windows\Explorer.EXE[1400] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 
00000000779827e0 5 bytes JMP 0000000077ae0400 .text C:\Windows\Explorer.EXE[1400] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000779829a0 5 bytes JMP 0000000077ae01f0 .text C:\Windows\Explorer.EXE[1400] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000779829b0 5 bytes JMP 0000000077ae0210 .text C:\Windows\Explorer.EXE[1400] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077982a20 5 bytes JMP 0000000077ae0200 .text C:\Windows\Explorer.EXE[1400] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077982a80 5 bytes JMP 0000000077ae0420 .text C:\Windows\Explorer.EXE[1400] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077982a90 5 bytes JMP 0000000077ae0430 .text C:\Windows\Explorer.EXE[1400] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077982aa0 5 bytes JMP 0000000077ae0220 .text C:\Windows\Explorer.EXE[1400] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077982b80 5 bytes JMP 0000000077ae0280 .text C:\Windows\Explorer.EXE[1400] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007786eecd 1 byte [62] .text C:\Windows\System32\spoolsv.exe[1576] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077981360 5 bytes JMP 0000000077ae0460 .text C:\Windows\System32\spoolsv.exe[1576] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000779813b0 5 bytes JMP 0000000077ae0450 .text C:\Windows\System32\spoolsv.exe[1576] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077981510 5 bytes JMP 0000000077ae0370 .text C:\Windows\System32\spoolsv.exe[1576] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077981560 5 bytes JMP 0000000077ae0470 .text C:\Windows\System32\spoolsv.exe[1576] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077981570 5 bytes JMP 0000000077ae03e0 .text C:\Windows\System32\spoolsv.exe[1576] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077981620 5 bytes JMP 0000000077ae0320 .text C:\Windows\System32\spoolsv.exe[1576] 
C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077981650 5 bytes JMP 0000000077ae03b0 .text C:\Windows\System32\spoolsv.exe[1576] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077981670 5 bytes JMP 0000000077ae0390 .text C:\Windows\System32\spoolsv.exe[1576] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000779816b0 5 bytes JMP 0000000077ae02e0 .text C:\Windows\System32\spoolsv.exe[1576] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077981730 5 bytes JMP 0000000077ae02d0 .text C:\Windows\System32\spoolsv.exe[1576] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077981750 5 bytes JMP 0000000077ae0310 .text C:\Windows\System32\spoolsv.exe[1576] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077981790 5 bytes JMP 0000000077ae03c0 .text C:\Windows\System32\spoolsv.exe[1576] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000779817e0 5 bytes JMP 0000000077ae03f0 .text C:\Windows\System32\spoolsv.exe[1576] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077981940 5 bytes JMP 0000000077ae0230 .text C:\Windows\System32\spoolsv.exe[1576] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077981b00 5 bytes JMP 0000000077ae0480 .text C:\Windows\System32\spoolsv.exe[1576] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077981b30 5 bytes JMP 0000000077ae03a0 .text C:\Windows\System32\spoolsv.exe[1576] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077981c10 5 bytes JMP 0000000077ae02f0 .text C:\Windows\System32\spoolsv.exe[1576] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077981c20 5 bytes JMP 0000000077ae0350 .text C:\Windows\System32\spoolsv.exe[1576] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077981c80 5 bytes JMP 0000000077ae0290 .text C:\Windows\System32\spoolsv.exe[1576] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077981d10 5 bytes JMP 0000000077ae02b0 .text C:\Windows\System32\spoolsv.exe[1576] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077981d30 5 
bytes JMP 0000000077ae03d0 .text C:\Windows\System32\spoolsv.exe[1576] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077981d40 5 bytes JMP 0000000077ae0330 .text C:\Windows\System32\spoolsv.exe[1576] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077981db0 5 bytes JMP 0000000077ae0410 .text C:\Windows\System32\spoolsv.exe[1576] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077981de0 5 bytes JMP 0000000077ae0240 .text C:\Windows\System32\spoolsv.exe[1576] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000779820a0 5 bytes JMP 0000000077ae01e0 .text C:\Windows\System32\spoolsv.exe[1576] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077982160 5 bytes JMP 0000000077ae0250 .text C:\Windows\System32\spoolsv.exe[1576] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077982190 5 bytes JMP 0000000077ae0490 .text C:\Windows\System32\spoolsv.exe[1576] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000779821a0 5 bytes JMP 0000000077ae04a0 .text C:\Windows\System32\spoolsv.exe[1576] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000779821d0 5 bytes JMP 0000000077ae0300 .text C:\Windows\System32\spoolsv.exe[1576] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000779821e0 5 bytes JMP 0000000077ae0360 .text C:\Windows\System32\spoolsv.exe[1576] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077982240 5 bytes JMP 0000000077ae02a0 .text C:\Windows\System32\spoolsv.exe[1576] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077982290 5 bytes JMP 0000000077ae02c0 .text C:\Windows\System32\spoolsv.exe[1576] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000779822c0 5 bytes JMP 0000000077ae0380 .text C:\Windows\System32\spoolsv.exe[1576] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000779822d0 5 bytes JMP 0000000077ae0340 .text C:\Windows\System32\spoolsv.exe[1576] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000779825c0 5 bytes JMP 0000000077ae0440 .text C:\Windows\System32\spoolsv.exe[1576] 
C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000779827c0 5 bytes JMP 0000000077ae0260 .text C:\Windows\System32\spoolsv.exe[1576] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000779827d0 5 bytes JMP 0000000077ae0270 .text C:\Windows\System32\spoolsv.exe[1576] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000779827e0 5 bytes JMP 0000000077ae0400 .text C:\Windows\System32\spoolsv.exe[1576] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000779829a0 5 bytes JMP 0000000077ae01f0 .text C:\Windows\System32\spoolsv.exe[1576] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000779829b0 5 bytes JMP 0000000077ae0210 .text C:\Windows\System32\spoolsv.exe[1576] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077982a20 5 bytes JMP 0000000077ae0200 .text C:\Windows\System32\spoolsv.exe[1576] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077982a80 5 bytes JMP 0000000077ae0420 .text C:\Windows\System32\spoolsv.exe[1576] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077982a90 5 bytes JMP 0000000077ae0430 .text C:\Windows\System32\spoolsv.exe[1576] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077982aa0 5 bytes JMP 0000000077ae0220 .text C:\Windows\System32\spoolsv.exe[1576] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077982b80 5 bytes JMP 0000000077ae0280 .text C:\Windows\System32\spoolsv.exe[1576] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007786eecd 1 byte [62] .text C:\Windows\system32\svchost.exe[1604] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077981360 5 bytes JMP 0000000077ae0460 .text C:\Windows\system32\svchost.exe[1604] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000779813b0 5 bytes JMP 0000000077ae0450 .text C:\Windows\system32\svchost.exe[1604] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077981510 5 bytes JMP 0000000077ae0370 .text C:\Windows\system32\svchost.exe[1604] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077981560 5 
bytes JMP 0000000077ae0470 .text C:\Windows\system32\svchost.exe[1604] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077981570 5 bytes JMP 0000000077ae03e0 .text C:\Windows\system32\svchost.exe[1604] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077981620 5 bytes JMP 0000000077ae0320 .text C:\Windows\system32\svchost.exe[1604] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077981650 5 bytes JMP 0000000077ae03b0 .text C:\Windows\system32\svchost.exe[1604] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077981670 5 bytes JMP 0000000077ae0390 .text C:\Windows\system32\svchost.exe[1604] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000779816b0 5 bytes JMP 0000000077ae02e0 .text C:\Windows\system32\svchost.exe[1604] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077981730 5 bytes JMP 0000000077ae02d0 .text C:\Windows\system32\svchost.exe[1604] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077981750 5 bytes JMP 0000000077ae0310 .text C:\Windows\system32\svchost.exe[1604] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077981790 5 bytes JMP 0000000077ae03c0 .text C:\Windows\system32\svchost.exe[1604] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000779817e0 5 bytes JMP 0000000077ae03f0 .text C:\Windows\system32\svchost.exe[1604] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077981940 5 bytes JMP 0000000077ae0230 .text C:\Windows\system32\svchost.exe[1604] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077981b00 5 bytes JMP 0000000077ae0480 .text C:\Windows\system32\svchost.exe[1604] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077981b30 5 bytes JMP 0000000077ae03a0 .text C:\Windows\system32\svchost.exe[1604] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077981c10 5 bytes JMP 0000000077ae02f0 .text C:\Windows\system32\svchost.exe[1604] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077981c20 5 bytes JMP 0000000077ae0350 .text 
C:\Windows\system32\svchost.exe[1604] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077981c80 5 bytes JMP 0000000077ae0290 .text C:\Windows\system32\svchost.exe[1604] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077981d10 5 bytes JMP 0000000077ae02b0 .text C:\Windows\system32\svchost.exe[1604] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077981d30 5 bytes JMP 0000000077ae03d0 .text C:\Windows\system32\svchost.exe[1604] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077981d40 5 bytes JMP 0000000077ae0330 .text C:\Windows\system32\svchost.exe[1604] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077981db0 5 bytes JMP 0000000077ae0410 .text C:\Windows\system32\svchost.exe[1604] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077981de0 5 bytes JMP 0000000077ae0240 .text C:\Windows\system32\svchost.exe[1604] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000779820a0 5 bytes JMP 0000000077ae01e0 .text C:\Windows\system32\svchost.exe[1604] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077982160 5 bytes JMP 0000000077ae0250 .text C:\Windows\system32\svchost.exe[1604] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077982190 5 bytes JMP 0000000077ae0490 .text C:\Windows\system32\svchost.exe[1604] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000779821a0 5 bytes JMP 0000000077ae04a0 .text C:\Windows\system32\svchost.exe[1604] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000779821d0 5 bytes JMP 0000000077ae0300 .text C:\Windows\system32\svchost.exe[1604] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000779821e0 5 bytes JMP 0000000077ae0360 .text C:\Windows\system32\svchost.exe[1604] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077982240 5 bytes JMP 0000000077ae02a0 .text C:\Windows\system32\svchost.exe[1604] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077982290 5 bytes JMP 0000000077ae02c0 .text C:\Windows\system32\svchost.exe[1604] 
C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000779822c0 5 bytes JMP 0000000077ae0380 .text C:\Windows\system32\svchost.exe[1604] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000779822d0 5 bytes JMP 0000000077ae0340 .text C:\Windows\system32\svchost.exe[1604] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000779825c0 5 bytes JMP 0000000077ae0440 .text C:\Windows\system32\svchost.exe[1604] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000779827c0 5 bytes JMP 0000000077ae0260 .text C:\Windows\system32\svchost.exe[1604] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000779827d0 5 bytes JMP 0000000077ae0270 .text C:\Windows\system32\svchost.exe[1604] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000779827e0 5 bytes JMP 0000000077ae0400 .text C:\Windows\system32\svchost.exe[1604] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000779829a0 5 bytes JMP 0000000077ae01f0 .text C:\Windows\system32\svchost.exe[1604] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000779829b0 5 bytes JMP 0000000077ae0210 .text C:\Windows\system32\svchost.exe[1604] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077982a20 5 bytes JMP 0000000077ae0200 .text C:\Windows\system32\svchost.exe[1604] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077982a80 5 bytes JMP 0000000077ae0420 .text C:\Windows\system32\svchost.exe[1604] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077982a90 5 bytes JMP 0000000077ae0430 .text C:\Windows\system32\svchost.exe[1604] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077982aa0 5 bytes JMP 0000000077ae0220 .text C:\Windows\system32\svchost.exe[1604] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077982b80 5 bytes JMP 0000000077ae0280 .text C:\Windows\system32\svchost.exe[1604] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007786eecd 1 byte [62] .text C:\Windows\system32\taskhost.exe[1768] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077981360 5 bytes JMP 
0000000077ae0460 .text C:\Windows\system32\taskhost.exe[1768] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000779813b0 5 bytes JMP 0000000077ae0450 .text C:\Windows\system32\taskhost.exe[1768] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077981510 5 bytes JMP 0000000077ae0370 .text C:\Windows\system32\taskhost.exe[1768] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077981560 5 bytes JMP 0000000077ae0470 .text C:\Windows\system32\taskhost.exe[1768] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077981570 5 bytes JMP 0000000077ae03e0 .text C:\Windows\system32\taskhost.exe[1768] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077981620 5 bytes JMP 0000000077ae0320 .text C:\Windows\system32\taskhost.exe[1768] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077981650 5 bytes JMP 0000000077ae03b0 .text C:\Windows\system32\taskhost.exe[1768] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077981670 5 bytes JMP 0000000077ae0390 .text C:\Windows\system32\taskhost.exe[1768] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000779816b0 5 bytes JMP 0000000077ae02e0 .text C:\Windows\system32\taskhost.exe[1768] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077981730 5 bytes JMP 0000000077ae02d0 .text C:\Windows\system32\taskhost.exe[1768] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077981750 5 bytes JMP 0000000077ae0310 .text C:\Windows\system32\taskhost.exe[1768] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077981790 5 bytes JMP 0000000077ae03c0 .text C:\Windows\system32\taskhost.exe[1768] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000779817e0 5 bytes JMP 0000000077ae03f0 .text C:\Windows\system32\taskhost.exe[1768] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077981940 5 bytes JMP 0000000077ae0230 .text C:\Windows\system32\taskhost.exe[1768] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077981b00 5 bytes JMP 0000000077ae0480 .text C:\Windows\system32\taskhost.exe[1768] 
C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077981b30 5 bytes JMP 0000000077ae03a0 .text C:\Windows\system32\taskhost.exe[1768] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077981c10 5 bytes JMP 0000000077ae02f0 .text C:\Windows\system32\taskhost.exe[1768] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077981c20 5 bytes JMP 0000000077ae0350 .text C:\Windows\system32\taskhost.exe[1768] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077981c80 5 bytes JMP 0000000077ae0290 .text C:\Windows\system32\taskhost.exe[1768] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077981d10 5 bytes JMP 0000000077ae02b0 .text C:\Windows\system32\taskhost.exe[1768] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077981d30 5 bytes JMP 0000000077ae03d0 .text C:\Windows\system32\taskhost.exe[1768] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077981d40 5 bytes JMP 0000000077ae0330 .text C:\Windows\system32\taskhost.exe[1768] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077981db0 5 bytes JMP 0000000077ae0410 .text C:\Windows\system32\taskhost.exe[1768] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077981de0 5 bytes JMP 0000000077ae0240 .text C:\Windows\system32\taskhost.exe[1768] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000779820a0 5 bytes JMP 0000000077ae01e0 .text C:\Windows\system32\taskhost.exe[1768] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077982160 5 bytes JMP 0000000077ae0250 .text C:\Windows\system32\taskhost.exe[1768] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077982190 5 bytes JMP 0000000077ae0490 .text C:\Windows\system32\taskhost.exe[1768] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000779821a0 5 bytes JMP 0000000077ae04a0 .text C:\Windows\system32\taskhost.exe[1768] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000779821d0 5 bytes JMP 0000000077ae0300 .text C:\Windows\system32\taskhost.exe[1768] 
C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000779821e0 5 bytes JMP 0000000077ae0360 .text C:\Windows\system32\taskhost.exe[1768] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077982240 5 bytes JMP 0000000077ae02a0 .text C:\Windows\system32\taskhost.exe[1768] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077982290 5 bytes JMP 0000000077ae02c0 .text C:\Windows\system32\taskhost.exe[1768] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000779822c0 5 bytes JMP 0000000077ae0380 .text C:\Windows\system32\taskhost.exe[1768] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000779822d0 5 bytes JMP 0000000077ae0340 .text C:\Windows\system32\taskhost.exe[1768] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000779825c0 5 bytes JMP 0000000077ae0440 .text C:\Windows\system32\taskhost.exe[1768] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000779827c0 5 bytes JMP 0000000077ae0260 .text C:\Windows\system32\taskhost.exe[1768] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000779827d0 5 bytes JMP 0000000077ae0270 .text C:\Windows\system32\taskhost.exe[1768] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000779827e0 5 bytes JMP 0000000077ae0400 .text C:\Windows\system32\taskhost.exe[1768] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000779829a0 5 bytes JMP 0000000077ae01f0 .text C:\Windows\system32\taskhost.exe[1768] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000779829b0 5 bytes JMP 0000000077ae0210 .text C:\Windows\system32\taskhost.exe[1768] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077982a20 5 bytes JMP 0000000077ae0200 .text C:\Windows\system32\taskhost.exe[1768] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077982a80 5 bytes JMP 0000000077ae0420 .text C:\Windows\system32\taskhost.exe[1768] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077982a90 5 bytes JMP 0000000077ae0430 .text C:\Windows\system32\taskhost.exe[1768] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 
0000000077982aa0 5 bytes JMP 0000000077ae0220 .text C:\Windows\system32\taskhost.exe[1768] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077982b80 5 bytes JMP 0000000077ae0280 .text C:\Windows\system32\taskhost.exe[1768] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007786eecd 1 byte [62] .text C:\Windows\system32\svchost.exe[1872] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007786eecd 1 byte [62] .text C:\Program Files (x86)\FindRight\updateFindRight.exe[1260] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 00000000755ca2ba 1 byte [62] .text C:\Program Files (x86)\FindRight\bin\utilFindRight.exe[1680] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 00000000755ca2ba 1 byte [62] .text C:\Program Files (x86)\FindRight\bin\utilFindRight.exe[1680] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 69 00000000759e1465 2 bytes [9E, 75] .text C:\Program Files (x86)\FindRight\bin\utilFindRight.exe[1680] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 155 00000000759e14bb 2 bytes [9E, 75] .text ... 
* 2 .text C:\Windows\system32\svchost.exe[2600] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077981360 5 bytes JMP 0000000077ae0460 .text C:\Windows\system32\svchost.exe[2600] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000779813b0 5 bytes JMP 0000000077ae0450 .text C:\Windows\system32\svchost.exe[2600] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077981510 5 bytes JMP 0000000077ae0370 .text C:\Windows\system32\svchost.exe[2600] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077981560 5 bytes JMP 0000000077ae0470 .text C:\Windows\system32\svchost.exe[2600] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077981570 5 bytes JMP 0000000077ae03e0 .text C:\Windows\system32\svchost.exe[2600] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077981620 5 bytes JMP 0000000077ae0320 .text C:\Windows\system32\svchost.exe[2600] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077981650 5 bytes JMP 0000000077ae03b0 .text C:\Windows\system32\svchost.exe[2600] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077981670 5 bytes JMP 0000000077ae0390 .text C:\Windows\system32\svchost.exe[2600] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000779816b0 5 bytes JMP 0000000077ae02e0 .text C:\Windows\system32\svchost.exe[2600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077981730 5 bytes JMP 0000000077ae02d0 .text C:\Windows\system32\svchost.exe[2600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077981750 5 bytes JMP 0000000077ae0310 .text C:\Windows\system32\svchost.exe[2600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077981790 5 bytes JMP 0000000077ae03c0 .text C:\Windows\system32\svchost.exe[2600] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000779817e0 5 bytes JMP 0000000077ae03f0 .text C:\Windows\system32\svchost.exe[2600] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077981940 5 bytes JMP 0000000077ae0230 .text C:\Windows\system32\svchost.exe[2600] 
C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077981b00 5 bytes JMP 0000000077ae0480 .text C:\Windows\system32\svchost.exe[2600] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077981b30 5 bytes JMP 0000000077ae03a0 .text C:\Windows\system32\svchost.exe[2600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077981c10 5 bytes JMP 0000000077ae02f0 .text C:\Windows\system32\svchost.exe[2600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077981c20 5 bytes JMP 0000000077ae0350 .text C:\Windows\system32\svchost.exe[2600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077981c80 5 bytes JMP 0000000077ae0290 .text C:\Windows\system32\svchost.exe[2600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077981d10 5 bytes JMP 0000000077ae02b0 .text C:\Windows\system32\svchost.exe[2600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077981d30 5 bytes JMP 0000000077ae03d0 .text C:\Windows\system32\svchost.exe[2600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077981d40 5 bytes JMP 0000000077ae0330 .text C:\Windows\system32\svchost.exe[2600] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077981db0 5 bytes JMP 0000000077ae0410 .text C:\Windows\system32\svchost.exe[2600] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077981de0 5 bytes JMP 0000000077ae0240 .text C:\Windows\system32\svchost.exe[2600] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000779820a0 5 bytes JMP 0000000077ae01e0 .text C:\Windows\system32\svchost.exe[2600] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077982160 5 bytes JMP 0000000077ae0250 .text C:\Windows\system32\svchost.exe[2600] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077982190 5 bytes JMP 0000000077ae0490 .text C:\Windows\system32\svchost.exe[2600] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000779821a0 5 bytes JMP 0000000077ae04a0 .text C:\Windows\system32\svchost.exe[2600] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 
00000000779821d0 5 bytes JMP 0000000077ae0300 .text C:\Windows\system32\svchost.exe[2600] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000779821e0 5 bytes JMP 0000000077ae0360 .text C:\Windows\system32\svchost.exe[2600] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077982240 5 bytes JMP 0000000077ae02a0 .text C:\Windows\system32\svchost.exe[2600] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077982290 5 bytes JMP 0000000077ae02c0 .text C:\Windows\system32\svchost.exe[2600] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000779822c0 5 bytes JMP 0000000077ae0380 .text C:\Windows\system32\svchost.exe[2600] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000779822d0 5 bytes JMP 0000000077ae0340 .text C:\Windows\system32\svchost.exe[2600] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000779825c0 5 bytes JMP 0000000077ae0440 .text C:\Windows\system32\svchost.exe[2600] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000779827c0 5 bytes JMP 0000000077ae0260 .text C:\Windows\system32\svchost.exe[2600] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000779827d0 5 bytes JMP 0000000077ae0270 .text C:\Windows\system32\svchost.exe[2600] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000779827e0 5 bytes JMP 0000000077ae0400 .text C:\Windows\system32\svchost.exe[2600] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000779829a0 5 bytes JMP 0000000077ae01f0 .text C:\Windows\system32\svchost.exe[2600] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000779829b0 5 bytes JMP 0000000077ae0210 .text C:\Windows\system32\svchost.exe[2600] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077982a20 5 bytes JMP 0000000077ae0200 .text C:\Windows\system32\svchost.exe[2600] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077982a80 5 bytes JMP 0000000077ae0420 .text C:\Windows\system32\svchost.exe[2600] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077982a90 5 bytes JMP 0000000077ae0430 .text 
C:\Windows\system32\svchost.exe[2600] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077982aa0 5 bytes JMP 0000000077ae0220 .text C:\Windows\system32\svchost.exe[2600] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077982b80 5 bytes JMP 0000000077ae0280 .text C:\Windows\system32\svchost.exe[2600] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007786eecd 1 byte [62] .text C:\Users\Tomek\AppData\Local\fst_pl_59\upfst_pl_59.exe[2852] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000755ca2ba 1 byte [62] .text C:\Users\Tomek\AppData\Local\fst_pl_59\upfst_pl_59.exe[2852] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000759e1465 2 bytes [9E, 75] .text C:\Users\Tomek\AppData\Local\fst_pl_59\upfst_pl_59.exe[2852] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000759e14bb 2 bytes [9E, 75] .text ... * 2 .text C:\Windows\system32\wbem\wmiprvse.exe[2936] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007786eecd 1 byte [62] .text C:\Windows\System32\igfxtray.exe[2156] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077981360 5 bytes JMP 0000000077ae0460 .text C:\Windows\System32\igfxtray.exe[2156] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000779813b0 5 bytes JMP 0000000077ae0450 .text C:\Windows\System32\igfxtray.exe[2156] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077981510 5 bytes JMP 0000000077ae0370 .text C:\Windows\System32\igfxtray.exe[2156] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077981560 5 bytes JMP 0000000077ae0470 .text C:\Windows\System32\igfxtray.exe[2156] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077981570 5 bytes JMP 0000000077ae03e0 .text C:\Windows\System32\igfxtray.exe[2156] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077981620 5 bytes JMP 0000000077ae0320 .text C:\Windows\System32\igfxtray.exe[2156] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077981650 5 bytes JMP 0000000077ae03b0 .text 
C:\Windows\System32\igfxtray.exe[2156] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077981670 5 bytes JMP 0000000077ae0390 .text C:\Windows\System32\igfxtray.exe[2156] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000779816b0 5 bytes JMP 0000000077ae02e0 .text C:\Windows\System32\igfxtray.exe[2156] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077981730 5 bytes JMP 0000000077ae02d0 .text C:\Windows\System32\igfxtray.exe[2156] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077981750 5 bytes JMP 0000000077ae0310 .text C:\Windows\System32\igfxtray.exe[2156] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077981790 5 bytes JMP 0000000077ae03c0 .text C:\Windows\System32\igfxtray.exe[2156] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000779817e0 5 bytes JMP 0000000077ae03f0 .text C:\Windows\System32\igfxtray.exe[2156] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077981940 5 bytes JMP 0000000077ae0230 .text C:\Windows\System32\igfxtray.exe[2156] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077981b00 5 bytes JMP 0000000077ae0480 .text C:\Windows\System32\igfxtray.exe[2156] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077981b30 5 bytes JMP 0000000077ae03a0 .text C:\Windows\System32\igfxtray.exe[2156] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077981c10 5 bytes JMP 0000000077ae02f0 .text C:\Windows\System32\igfxtray.exe[2156] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077981c20 5 bytes JMP 0000000077ae0350 .text C:\Windows\System32\igfxtray.exe[2156] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077981c80 5 bytes JMP 0000000077ae0290 .text C:\Windows\System32\igfxtray.exe[2156] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077981d10 5 bytes JMP 0000000077ae02b0 .text C:\Windows\System32\igfxtray.exe[2156] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077981d30 5 bytes JMP 0000000077ae03d0 .text C:\Windows\System32\igfxtray.exe[2156] 
C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077981d40 5 bytes JMP 0000000077ae0330 .text C:\Windows\System32\igfxtray.exe[2156] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077981db0 5 bytes JMP 0000000077ae0410 .text C:\Windows\System32\igfxtray.exe[2156] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077981de0 5 bytes JMP 0000000077ae0240 .text C:\Windows\System32\igfxtray.exe[2156] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000779820a0 5 bytes JMP 0000000077ae01e0 .text C:\Windows\System32\igfxtray.exe[2156] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077982160 5 bytes JMP 0000000077ae0250 .text C:\Windows\System32\igfxtray.exe[2156] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077982190 5 bytes JMP 0000000077ae0490 .text C:\Windows\System32\igfxtray.exe[2156] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000779821a0 5 bytes JMP 0000000077ae04a0 .text C:\Windows\System32\igfxtray.exe[2156] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000779821d0 5 bytes JMP 0000000077ae0300 .text C:\Windows\System32\igfxtray.exe[2156] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000779821e0 5 bytes JMP 0000000077ae0360 .text C:\Windows\System32\igfxtray.exe[2156] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077982240 5 bytes JMP 0000000077ae02a0 .text C:\Windows\System32\igfxtray.exe[2156] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077982290 5 bytes JMP 0000000077ae02c0 .text C:\Windows\System32\igfxtray.exe[2156] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000779822c0 5 bytes JMP 0000000077ae0380 .text C:\Windows\System32\igfxtray.exe[2156] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000779822d0 5 bytes JMP 0000000077ae0340 .text C:\Windows\System32\igfxtray.exe[2156] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000779825c0 5 bytes JMP 0000000077ae0440 .text C:\Windows\System32\igfxtray.exe[2156] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000779827c0 5 
bytes JMP 0000000077ae0260 .text C:\Windows\System32\igfxtray.exe[2156] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000779827d0 5 bytes JMP 0000000077ae0270 .text C:\Windows\System32\igfxtray.exe[2156] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000779827e0 5 bytes JMP 0000000077ae0400 .text C:\Windows\System32\igfxtray.exe[2156] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000779829a0 5 bytes JMP 0000000077ae01f0 .text C:\Windows\System32\igfxtray.exe[2156] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000779829b0 5 bytes JMP 0000000077ae0210 .text C:\Windows\System32\igfxtray.exe[2156] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077982a20 5 bytes JMP 0000000077ae0200 .text C:\Windows\System32\igfxtray.exe[2156] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077982a80 5 bytes JMP 0000000077ae0420 .text C:\Windows\System32\igfxtray.exe[2156] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077982a90 5 bytes JMP 0000000077ae0430 .text C:\Windows\System32\igfxtray.exe[2156] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077982aa0 5 bytes JMP 0000000077ae0220 .text C:\Windows\System32\igfxtray.exe[2156] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077982b80 5 bytes JMP 0000000077ae0280 .text C:\Windows\System32\igfxtray.exe[2156] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007786eecd 1 byte [62] .text C:\Windows\System32\hkcmd.exe[2100] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077981360 5 bytes JMP 0000000077ae0460 .text C:\Windows\System32\hkcmd.exe[2100] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000779813b0 5 bytes JMP 0000000077ae0450 .text C:\Windows\System32\hkcmd.exe[2100] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077981510 5 bytes JMP 0000000077ae0370 .text C:\Windows\System32\hkcmd.exe[2100] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077981560 5 bytes JMP 0000000077ae0470 .text C:\Windows\System32\hkcmd.exe[2100] 
C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077981570 5 bytes JMP 0000000077ae03e0 .text C:\Windows\System32\hkcmd.exe[2100] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077981620 5 bytes JMP 0000000077ae0320 .text C:\Windows\System32\hkcmd.exe[2100] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077981650 5 bytes JMP 0000000077ae03b0 .text C:\Windows\System32\hkcmd.exe[2100] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077981670 5 bytes JMP 0000000077ae0390 .text C:\Windows\System32\hkcmd.exe[2100] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000779816b0 5 bytes JMP 0000000077ae02e0 .text C:\Windows\System32\hkcmd.exe[2100] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077981730 5 bytes JMP 0000000077ae02d0 .text C:\Windows\System32\hkcmd.exe[2100] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077981750 5 bytes JMP 0000000077ae0310 .text C:\Windows\System32\hkcmd.exe[2100] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077981790 5 bytes JMP 0000000077ae03c0 .text C:\Windows\System32\hkcmd.exe[2100] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000779817e0 5 bytes JMP 0000000077ae03f0 .text C:\Windows\System32\hkcmd.exe[2100] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077981940 5 bytes JMP 0000000077ae0230 .text C:\Windows\System32\hkcmd.exe[2100] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077981b00 5 bytes JMP 0000000077ae0480 .text C:\Windows\System32\hkcmd.exe[2100] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077981b30 5 bytes JMP 0000000077ae03a0 .text C:\Windows\System32\hkcmd.exe[2100] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077981c10 5 bytes JMP 0000000077ae02f0 .text C:\Windows\System32\hkcmd.exe[2100] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077981c20 5 bytes JMP 0000000077ae0350 .text C:\Windows\System32\hkcmd.exe[2100] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077981c80 5 bytes JMP 0000000077ae0290 
.text C:\Windows\System32\hkcmd.exe[2100] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077981d10 5 bytes JMP 0000000077ae02b0 .text C:\Windows\System32\hkcmd.exe[2100] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077981d30 5 bytes JMP 0000000077ae03d0 .text C:\Windows\System32\hkcmd.exe[2100] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077981d40 5 bytes JMP 0000000077ae0330 .text C:\Windows\System32\hkcmd.exe[2100] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077981db0 5 bytes JMP 0000000077ae0410 .text C:\Windows\System32\hkcmd.exe[2100] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077981de0 5 bytes JMP 0000000077ae0240 .text C:\Windows\System32\hkcmd.exe[2100] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000779820a0 5 bytes JMP 0000000077ae01e0 .text C:\Windows\System32\hkcmd.exe[2100] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077982160 5 bytes JMP 0000000077ae0250 .text C:\Windows\System32\hkcmd.exe[2100] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077982190 5 bytes JMP 0000000077ae0490 .text C:\Windows\System32\hkcmd.exe[2100] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000779821a0 5 bytes JMP 0000000077ae04a0 .text C:\Windows\System32\hkcmd.exe[2100] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000779821d0 5 bytes JMP 0000000077ae0300 .text C:\Windows\System32\hkcmd.exe[2100] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000779821e0 5 bytes JMP 0000000077ae0360 .text C:\Windows\System32\hkcmd.exe[2100] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077982240 5 bytes JMP 0000000077ae02a0 .text C:\Windows\System32\hkcmd.exe[2100] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077982290 5 bytes JMP 0000000077ae02c0 .text C:\Windows\System32\hkcmd.exe[2100] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000779822c0 5 bytes JMP 0000000077ae0380 .text C:\Windows\System32\hkcmd.exe[2100] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000779822d0 5 
bytes JMP 0000000077ae0340 .text C:\Windows\System32\hkcmd.exe[2100] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000779825c0 5 bytes JMP 0000000077ae0440 .text C:\Windows\System32\hkcmd.exe[2100] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000779827c0 5 bytes JMP 0000000077ae0260 .text C:\Windows\System32\hkcmd.exe[2100] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000779827d0 5 bytes JMP 0000000077ae0270 .text C:\Windows\System32\hkcmd.exe[2100] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000779827e0 5 bytes JMP 0000000077ae0400 .text C:\Windows\System32\hkcmd.exe[2100] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000779829a0 5 bytes JMP 0000000077ae01f0 .text C:\Windows\System32\hkcmd.exe[2100] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000779829b0 5 bytes JMP 0000000077ae0210 .text C:\Windows\System32\hkcmd.exe[2100] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077982a20 5 bytes JMP 0000000077ae0200 .text C:\Windows\System32\hkcmd.exe[2100] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077982a80 5 bytes JMP 0000000077ae0420 .text C:\Windows\System32\hkcmd.exe[2100] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077982a90 5 bytes JMP 0000000077ae0430 .text C:\Windows\System32\hkcmd.exe[2100] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077982aa0 5 bytes JMP 0000000077ae0220 .text C:\Windows\System32\hkcmd.exe[2100] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077982b80 5 bytes JMP 0000000077ae0280 .text C:\Windows\System32\hkcmd.exe[2100] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007786eecd 1 byte [62] .text C:\Windows\System32\igfxpers.exe[680] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077981360 5 bytes JMP 0000000077ae0460 .text C:\Windows\System32\igfxpers.exe[680] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000779813b0 5 bytes JMP 0000000077ae0450 .text C:\Windows\System32\igfxpers.exe[680] 
C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077981510 5 bytes JMP 0000000077ae0370 .text C:\Windows\System32\igfxpers.exe[680] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077981560 5 bytes JMP 0000000077ae0470 .text C:\Windows\System32\igfxpers.exe[680] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077981570 5 bytes JMP 0000000077ae03e0 .text C:\Windows\System32\igfxpers.exe[680] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077981620 5 bytes JMP 0000000077ae0320 .text C:\Windows\System32\igfxpers.exe[680] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077981650 5 bytes JMP 0000000077ae03b0 .text C:\Windows\System32\igfxpers.exe[680] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077981670 5 bytes JMP 0000000077ae0390 .text C:\Windows\System32\igfxpers.exe[680] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000779816b0 5 bytes JMP 0000000077ae02e0 .text C:\Windows\System32\igfxpers.exe[680] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077981730 5 bytes JMP 0000000077ae02d0 .text C:\Windows\System32\igfxpers.exe[680] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077981750 5 bytes JMP 0000000077ae0310 .text C:\Windows\System32\igfxpers.exe[680] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077981790 5 bytes JMP 0000000077ae03c0 .text C:\Windows\System32\igfxpers.exe[680] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000779817e0 5 bytes JMP 0000000077ae03f0 .text C:\Windows\System32\igfxpers.exe[680] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077981940 5 bytes JMP 0000000077ae0230 .text C:\Windows\System32\igfxpers.exe[680] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077981b00 5 bytes JMP 0000000077ae0480 .text C:\Windows\System32\igfxpers.exe[680] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077981b30 5 bytes JMP 0000000077ae03a0 .text C:\Windows\System32\igfxpers.exe[680] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077981c10 
5 bytes JMP 0000000077ae02f0 .text C:\Windows\System32\igfxpers.exe[680] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077981c20 5 bytes JMP 0000000077ae0350 .text C:\Windows\System32\igfxpers.exe[680] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077981c80 5 bytes JMP 0000000077ae0290 .text C:\Windows\System32\igfxpers.exe[680] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077981d10 5 bytes JMP 0000000077ae02b0 .text C:\Windows\System32\igfxpers.exe[680] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077981d30 5 bytes JMP 0000000077ae03d0 .text C:\Windows\System32\igfxpers.exe[680] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077981d40 5 bytes JMP 0000000077ae0330 .text C:\Windows\System32\igfxpers.exe[680] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077981db0 5 bytes JMP 0000000077ae0410 .text C:\Windows\System32\igfxpers.exe[680] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077981de0 5 bytes JMP 0000000077ae0240 .text C:\Windows\System32\igfxpers.exe[680] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000779820a0 5 bytes JMP 0000000077ae01e0 .text C:\Windows\System32\igfxpers.exe[680] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077982160 5 bytes JMP 0000000077ae0250 .text C:\Windows\System32\igfxpers.exe[680] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077982190 5 bytes JMP 0000000077ae0490 .text C:\Windows\System32\igfxpers.exe[680] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000779821a0 5 bytes JMP 0000000077ae04a0 .text C:\Windows\System32\igfxpers.exe[680] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000779821d0 5 bytes JMP 0000000077ae0300 .text C:\Windows\System32\igfxpers.exe[680] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000779821e0 5 bytes JMP 0000000077ae0360 .text C:\Windows\System32\igfxpers.exe[680] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077982240 5 bytes JMP 0000000077ae02a0 .text 
C:\Windows\System32\igfxpers.exe[680] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077982290 5 bytes JMP 0000000077ae02c0 .text C:\Windows\System32\igfxpers.exe[680] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000779822c0 5 bytes JMP 0000000077ae0380 .text C:\Windows\System32\igfxpers.exe[680] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000779822d0 5 bytes JMP 0000000077ae0340 .text C:\Windows\System32\igfxpers.exe[680] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000779825c0 5 bytes JMP 0000000077ae0440 .text C:\Windows\System32\igfxpers.exe[680] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000779827c0 5 bytes JMP 0000000077ae0260 .text C:\Windows\System32\igfxpers.exe[680] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000779827d0 5 bytes JMP 0000000077ae0270 .text C:\Windows\System32\igfxpers.exe[680] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000779827e0 5 bytes JMP 0000000077ae0400 .text C:\Windows\System32\igfxpers.exe[680] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000779829a0 5 bytes JMP 0000000077ae01f0 .text C:\Windows\System32\igfxpers.exe[680] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000779829b0 5 bytes JMP 0000000077ae0210 .text C:\Windows\System32\igfxpers.exe[680] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077982a20 5 bytes JMP 0000000077ae0200 .text C:\Windows\System32\igfxpers.exe[680] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077982a80 5 bytes JMP 0000000077ae0420 .text C:\Windows\System32\igfxpers.exe[680] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077982a90 5 bytes JMP 0000000077ae0430 .text C:\Windows\System32\igfxpers.exe[680] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077982aa0 5 bytes JMP 0000000077ae0220 .text C:\Windows\System32\igfxpers.exe[680] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077982b80 5 bytes JMP 0000000077ae0280 .text C:\Windows\System32\igfxpers.exe[680] 
C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007786eecd 1 byte [62] .text C:\Program Files\IDT\WDM\sttray64.exe[2732] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007786eecd 1 byte [62] .text C:\Program Files\Windows Sidebar\sidebar.exe[2800] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077981360 5 bytes JMP 0000000077ae0460 .text C:\Program Files\Windows Sidebar\sidebar.exe[2800] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000779813b0 5 bytes JMP 0000000077ae0450 .text C:\Program Files\Windows Sidebar\sidebar.exe[2800] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077981510 5 bytes JMP 0000000077ae0370 .text C:\Program Files\Windows Sidebar\sidebar.exe[2800] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077981560 5 bytes JMP 0000000077ae0470 .text C:\Program Files\Windows Sidebar\sidebar.exe[2800] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077981570 5 bytes JMP 0000000077ae03e0 .text C:\Program Files\Windows Sidebar\sidebar.exe[2800] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077981620 5 bytes JMP 0000000077ae0320 .text C:\Program Files\Windows Sidebar\sidebar.exe[2800] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077981650 5 bytes JMP 0000000077ae03b0 .text C:\Program Files\Windows Sidebar\sidebar.exe[2800] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077981670 5 bytes JMP 0000000077ae0390 .text C:\Program Files\Windows Sidebar\sidebar.exe[2800] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000779816b0 5 bytes JMP 0000000077ae02e0 .text C:\Program Files\Windows Sidebar\sidebar.exe[2800] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077981730 5 bytes JMP 0000000077ae02d0 .text C:\Program Files\Windows Sidebar\sidebar.exe[2800] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077981750 5 bytes JMP 0000000077ae0310 .text C:\Program Files\Windows Sidebar\sidebar.exe[2800] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077981790 5 bytes JMP 
0000000077ae03c0 .text C:\Program Files\Windows Sidebar\sidebar.exe[2800] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000779817e0 5 bytes JMP 0000000077ae03f0 .text C:\Program Files\Windows Sidebar\sidebar.exe[2800] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077981940 5 bytes JMP 0000000077ae0230 .text C:\Program Files\Windows Sidebar\sidebar.exe[2800] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077981b00 5 bytes JMP 0000000077ae0480 .text C:\Program Files\Windows Sidebar\sidebar.exe[2800] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077981b30 5 bytes JMP 0000000077ae03a0 .text C:\Program Files\Windows Sidebar\sidebar.exe[2800] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077981c10 5 bytes JMP 0000000077ae02f0 .text C:\Program Files\Windows Sidebar\sidebar.exe[2800] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077981c20 5 bytes JMP 0000000077ae0350 .text C:\Program Files\Windows Sidebar\sidebar.exe[2800] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077981c80 5 bytes JMP 0000000077ae0290 .text C:\Program Files\Windows Sidebar\sidebar.exe[2800] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077981d10 5 bytes JMP 0000000077ae02b0 .text C:\Program Files\Windows Sidebar\sidebar.exe[2800] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077981d30 5 bytes JMP 0000000077ae03d0 .text C:\Program Files\Windows Sidebar\sidebar.exe[2800] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077981d40 5 bytes JMP 0000000077ae0330 .text C:\Program Files\Windows Sidebar\sidebar.exe[2800] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077981db0 5 bytes JMP 0000000077ae0410 .text C:\Program Files\Windows Sidebar\sidebar.exe[2800] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077981de0 5 bytes JMP 0000000077ae0240 .text C:\Program Files\Windows Sidebar\sidebar.exe[2800] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000779820a0 5 bytes JMP 0000000077ae01e0 .text 
C:\Program Files\Windows Sidebar\sidebar.exe[2800] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077982160 5 bytes JMP 0000000077ae0250 .text C:\Program Files\Windows Sidebar\sidebar.exe[2800] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077982190 5 bytes JMP 0000000077ae0490 .text C:\Program Files\Windows Sidebar\sidebar.exe[2800] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000779821a0 5 bytes JMP 0000000077ae04a0 .text C:\Program Files\Windows Sidebar\sidebar.exe[2800] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000779821d0 5 bytes JMP 0000000077ae0300 .text C:\Program Files\Windows Sidebar\sidebar.exe[2800] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000779821e0 5 bytes JMP 0000000077ae0360 .text C:\Program Files\Windows Sidebar\sidebar.exe[2800] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077982240 5 bytes JMP 0000000077ae02a0 .text C:\Program Files\Windows Sidebar\sidebar.exe[2800] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077982290 5 bytes JMP 0000000077ae02c0 .text C:\Program Files\Windows Sidebar\sidebar.exe[2800] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000779822c0 5 bytes JMP 0000000077ae0380 .text C:\Program Files\Windows Sidebar\sidebar.exe[2800] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000779822d0 5 bytes JMP 0000000077ae0340 .text C:\Program Files\Windows Sidebar\sidebar.exe[2800] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000779825c0 5 bytes JMP 0000000077ae0440 .text C:\Program Files\Windows Sidebar\sidebar.exe[2800] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000779827c0 5 bytes JMP 0000000077ae0260 .text C:\Program Files\Windows Sidebar\sidebar.exe[2800] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000779827d0 5 bytes JMP 0000000077ae0270 .text C:\Program Files\Windows Sidebar\sidebar.exe[2800] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000779827e0 5 bytes JMP 0000000077ae0400 .text C:\Program Files\Windows 
Sidebar\sidebar.exe[2800] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000779829a0 5 bytes JMP 0000000077ae01f0 .text C:\Program Files\Windows Sidebar\sidebar.exe[2800] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000779829b0 5 bytes JMP 0000000077ae0210 .text C:\Program Files\Windows Sidebar\sidebar.exe[2800] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077982a20 5 bytes JMP 0000000077ae0200 .text C:\Program Files\Windows Sidebar\sidebar.exe[2800] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077982a80 5 bytes JMP 0000000077ae0420 .text C:\Program Files\Windows Sidebar\sidebar.exe[2800] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077982a90 5 bytes JMP 0000000077ae0430 .text C:\Program Files\Windows Sidebar\sidebar.exe[2800] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077982aa0 5 bytes JMP 0000000077ae0220 .text C:\Program Files\Windows Sidebar\sidebar.exe[2800] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077982b80 5 bytes JMP 0000000077ae0280 .text C:\Program Files\Windows Sidebar\sidebar.exe[2800] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007786eecd 1 byte [62] .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2404] C:\Windows\syswow64\kernel32.dll!SetUnhandledExceptionFilter 00000000755a8769 8 bytes [31, C0, C2, 04, 00, 90, 90, ...] 
.text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2404] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000755ca2ba 1 byte [62] .text C:\Program Files (x86)\fst_pl_59\fst_pl_59.exe[3128] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000755ca2ba 1 byte [62] .text C:\programdata\cpu\system32.exe[3196] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077981360 5 bytes JMP 0000000077ae0460 .text C:\programdata\cpu\system32.exe[3196] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000779813b0 5 bytes JMP 0000000077ae0450 .text C:\programdata\cpu\system32.exe[3196] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077981510 5 bytes JMP 0000000077ae0370 .text C:\programdata\cpu\system32.exe[3196] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077981560 5 bytes JMP 0000000077ae0470 .text C:\programdata\cpu\system32.exe[3196] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077981570 5 bytes JMP 0000000077ae03e0 .text C:\programdata\cpu\system32.exe[3196] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077981620 5 bytes JMP 0000000077ae0320 .text C:\programdata\cpu\system32.exe[3196] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077981650 5 bytes JMP 0000000077ae03b0 .text C:\programdata\cpu\system32.exe[3196] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077981670 5 bytes JMP 0000000077ae0390 .text C:\programdata\cpu\system32.exe[3196] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000779816b0 5 bytes JMP 0000000077ae02e0 .text C:\programdata\cpu\system32.exe[3196] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077981730 5 bytes JMP 0000000077ae02d0 .text C:\programdata\cpu\system32.exe[3196] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077981750 5 bytes JMP 0000000077ae0310 .text C:\programdata\cpu\system32.exe[3196] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077981790 5 bytes JMP 0000000077ae03c0 .text C:\programdata\cpu\system32.exe[3196] 
C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000779817e0 5 bytes JMP 0000000077ae03f0 .text C:\programdata\cpu\system32.exe[3196] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077981940 5 bytes JMP 0000000077ae0230 .text C:\programdata\cpu\system32.exe[3196] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077981b00 5 bytes JMP 0000000077ae0480 .text C:\programdata\cpu\system32.exe[3196] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077981b30 5 bytes JMP 0000000077ae03a0 .text C:\programdata\cpu\system32.exe[3196] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077981c10 5 bytes JMP 0000000077ae02f0 .text C:\programdata\cpu\system32.exe[3196] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077981c20 5 bytes JMP 0000000077ae0350 .text C:\programdata\cpu\system32.exe[3196] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077981c80 5 bytes JMP 0000000077ae0290 .text C:\programdata\cpu\system32.exe[3196] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077981d10 5 bytes JMP 0000000077ae02b0 .text C:\programdata\cpu\system32.exe[3196] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077981d30 5 bytes JMP 0000000077ae03d0 .text C:\programdata\cpu\system32.exe[3196] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077981d40 5 bytes JMP 0000000077ae0330 .text C:\programdata\cpu\system32.exe[3196] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077981db0 5 bytes JMP 0000000077ae0410 .text C:\programdata\cpu\system32.exe[3196] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077981de0 5 bytes JMP 0000000077ae0240 .text C:\programdata\cpu\system32.exe[3196] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000779820a0 5 bytes JMP 0000000077ae01e0 .text C:\programdata\cpu\system32.exe[3196] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077982160 5 bytes JMP 0000000077ae0250 .text C:\programdata\cpu\system32.exe[3196] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 
0000000077982190 5 bytes JMP 0000000077ae0490 .text C:\programdata\cpu\system32.exe[3196] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000779821a0 5 bytes JMP 0000000077ae04a0 .text C:\programdata\cpu\system32.exe[3196] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000779821d0 5 bytes JMP 0000000077ae0300 .text C:\programdata\cpu\system32.exe[3196] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000779821e0 5 bytes JMP 0000000077ae0360 .text C:\programdata\cpu\system32.exe[3196] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077982240 5 bytes JMP 0000000077ae02a0 .text C:\programdata\cpu\system32.exe[3196] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077982290 5 bytes JMP 0000000077ae02c0 .text C:\programdata\cpu\system32.exe[3196] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000779822c0 5 bytes JMP 0000000077ae0380 .text C:\programdata\cpu\system32.exe[3196] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000779822d0 5 bytes JMP 0000000077ae0340 .text C:\programdata\cpu\system32.exe[3196] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000779825c0 5 bytes JMP 0000000077ae0440 .text C:\programdata\cpu\system32.exe[3196] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000779827c0 5 bytes JMP 0000000077ae0260 .text C:\programdata\cpu\system32.exe[3196] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000779827d0 5 bytes JMP 0000000077ae0270 .text C:\programdata\cpu\system32.exe[3196] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000779827e0 5 bytes JMP 0000000077ae0400 .text C:\programdata\cpu\system32.exe[3196] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000779829a0 5 bytes JMP 0000000077ae01f0 .text C:\programdata\cpu\system32.exe[3196] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000779829b0 5 bytes JMP 0000000077ae0210 .text C:\programdata\cpu\system32.exe[3196] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077982a20 5 bytes JMP 0000000077ae0200 .text 
C:\programdata\cpu\system32.exe[3196] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077982a80 5 bytes JMP 0000000077ae0420 .text C:\programdata\cpu\system32.exe[3196] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077982a90 5 bytes JMP 0000000077ae0430 .text C:\programdata\cpu\system32.exe[3196] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077982aa0 5 bytes JMP 0000000077ae0220 .text C:\programdata\cpu\system32.exe[3196] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077982b80 5 bytes JMP 0000000077ae0280 .text C:\programdata\cpu\system32.exe[3196] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007786eecd 1 byte [62] .text C:\Windows\system32\conhost.exe[3204] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077981360 5 bytes JMP 0000000077ae0460 .text C:\Windows\system32\conhost.exe[3204] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000779813b0 5 bytes JMP 0000000077ae0450 .text C:\Windows\system32\conhost.exe[3204] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077981510 5 bytes JMP 0000000077ae0370 .text C:\Windows\system32\conhost.exe[3204] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077981560 5 bytes JMP 0000000077ae0470 .text C:\Windows\system32\conhost.exe[3204] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077981570 5 bytes JMP 0000000077ae03e0 .text C:\Windows\system32\conhost.exe[3204] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077981620 5 bytes JMP 0000000077ae0320 .text C:\Windows\system32\conhost.exe[3204] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077981650 5 bytes JMP 0000000077ae03b0 .text C:\Windows\system32\conhost.exe[3204] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077981670 5 bytes JMP 0000000077ae0390 .text C:\Windows\system32\conhost.exe[3204] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000779816b0 5 bytes JMP 0000000077ae02e0 .text C:\Windows\system32\conhost.exe[3204] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 
0000000077981730 5 bytes JMP 0000000077ae02d0 .text C:\Windows\system32\conhost.exe[3204] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077981750 5 bytes JMP 0000000077ae0310 .text C:\Windows\system32\conhost.exe[3204] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077981790 5 bytes JMP 0000000077ae03c0 .text C:\Windows\system32\conhost.exe[3204] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000779817e0 5 bytes JMP 0000000077ae03f0 .text C:\Windows\system32\conhost.exe[3204] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077981940 5 bytes JMP 0000000077ae0230 .text C:\Windows\system32\conhost.exe[3204] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077981b00 5 bytes JMP 0000000077ae0480 .text C:\Windows\system32\conhost.exe[3204] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077981b30 5 bytes JMP 0000000077ae03a0 .text C:\Windows\system32\conhost.exe[3204] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077981c10 5 bytes JMP 0000000077ae02f0 .text C:\Windows\system32\conhost.exe[3204] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077981c20 5 bytes JMP 0000000077ae0350 .text C:\Windows\system32\conhost.exe[3204] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077981c80 5 bytes JMP 0000000077ae0290 .text C:\Windows\system32\conhost.exe[3204] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077981d10 5 bytes JMP 0000000077ae02b0 .text C:\Windows\system32\conhost.exe[3204] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077981d30 5 bytes JMP 0000000077ae03d0 .text C:\Windows\system32\conhost.exe[3204] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077981d40 5 bytes JMP 0000000077ae0330 .text C:\Windows\system32\conhost.exe[3204] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077981db0 5 bytes JMP 0000000077ae0410 .text C:\Windows\system32\conhost.exe[3204] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077981de0 5 bytes JMP 0000000077ae0240 .text 
C:\Windows\system32\conhost.exe[3204] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000779820a0 5 bytes JMP 0000000077ae01e0 .text C:\Windows\system32\conhost.exe[3204] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077982160 5 bytes JMP 0000000077ae0250 .text C:\Windows\system32\conhost.exe[3204] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077982190 5 bytes JMP 0000000077ae0490 .text C:\Windows\system32\conhost.exe[3204] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000779821a0 5 bytes JMP 0000000077ae04a0 .text C:\Windows\system32\conhost.exe[3204] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000779821d0 5 bytes JMP 0000000077ae0300 .text C:\Windows\system32\conhost.exe[3204] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000779821e0 5 bytes JMP 0000000077ae0360 .text C:\Windows\system32\conhost.exe[3204] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077982240 5 bytes JMP 0000000077ae02a0 .text C:\Windows\system32\conhost.exe[3204] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077982290 5 bytes JMP 0000000077ae02c0 .text C:\Windows\system32\conhost.exe[3204] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000779822c0 5 bytes JMP 0000000077ae0380 .text C:\Windows\system32\conhost.exe[3204] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000779822d0 5 bytes JMP 0000000077ae0340 .text C:\Windows\system32\conhost.exe[3204] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000779825c0 5 bytes JMP 0000000077ae0440 .text C:\Windows\system32\conhost.exe[3204] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000779827c0 5 bytes JMP 0000000077ae0260 .text C:\Windows\system32\conhost.exe[3204] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000779827d0 5 bytes JMP 0000000077ae0270 .text C:\Windows\system32\conhost.exe[3204] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000779827e0 5 bytes JMP 0000000077ae0400 .text C:\Windows\system32\conhost.exe[3204] 
C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000779829a0 5 bytes JMP 0000000077ae01f0 .text C:\Windows\system32\conhost.exe[3204] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000779829b0 5 bytes JMP 0000000077ae0210 .text C:\Windows\system32\conhost.exe[3204] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077982a20 5 bytes JMP 0000000077ae0200 .text C:\Windows\system32\conhost.exe[3204] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077982a80 5 bytes JMP 0000000077ae0420 .text C:\Windows\system32\conhost.exe[3204] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077982a90 5 bytes JMP 0000000077ae0430 .text C:\Windows\system32\conhost.exe[3204] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077982aa0 5 bytes JMP 0000000077ae0220 .text C:\Windows\system32\conhost.exe[3204] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077982b80 5 bytes JMP 0000000077ae0280 .text C:\Windows\system32\conhost.exe[3204] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007786eecd 1 byte [62] .text C:\Windows\system32\SearchIndexer.exe[3328] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077981360 5 bytes JMP 0000000100070460 .text C:\Windows\system32\SearchIndexer.exe[3328] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000779813b0 5 bytes JMP 0000000100070450 .text C:\Windows\system32\SearchIndexer.exe[3328] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077981510 5 bytes JMP 0000000100070370 .text C:\Windows\system32\SearchIndexer.exe[3328] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077981560 5 bytes JMP 0000000100070470 .text C:\Windows\system32\SearchIndexer.exe[3328] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077981570 5 bytes JMP 00000001000703e0 .text C:\Windows\system32\SearchIndexer.exe[3328] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077981620 5 bytes JMP 0000000100070320 .text C:\Windows\system32\SearchIndexer.exe[3328] 
C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077981650 5 bytes JMP 00000001000703b0 .text C:\Windows\system32\SearchIndexer.exe[3328] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077981670 5 bytes JMP 0000000100070390 .text C:\Windows\system32\SearchIndexer.exe[3328] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000779816b0 5 bytes JMP 00000001000702e0 .text C:\Windows\system32\SearchIndexer.exe[3328] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077981730 5 bytes JMP 00000001000702d0 .text C:\Windows\system32\SearchIndexer.exe[3328] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077981750 5 bytes JMP 0000000100070310 .text C:\Windows\system32\SearchIndexer.exe[3328] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077981790 5 bytes JMP 00000001000703c0 .text C:\Windows\system32\SearchIndexer.exe[3328] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000779817e0 5 bytes JMP 00000001000703f0 .text C:\Windows\system32\SearchIndexer.exe[3328] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077981940 5 bytes JMP 0000000100070230 .text C:\Windows\system32\SearchIndexer.exe[3328] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077981b00 5 bytes JMP 0000000100070480 .text C:\Windows\system32\SearchIndexer.exe[3328] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077981b30 5 bytes JMP 00000001000703a0 .text C:\Windows\system32\SearchIndexer.exe[3328] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077981c10 5 bytes JMP 00000001000702f0 .text C:\Windows\system32\SearchIndexer.exe[3328] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077981c20 5 bytes JMP 0000000100070350 .text C:\Windows\system32\SearchIndexer.exe[3328] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077981c80 5 bytes JMP 0000000100070290 .text C:\Windows\system32\SearchIndexer.exe[3328] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077981d10 5 bytes JMP 00000001000702b0 .text 
C:\Windows\system32\SearchIndexer.exe[3328] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077981d30 5 bytes JMP 00000001000703d0 .text C:\Windows\system32\SearchIndexer.exe[3328] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077981d40 5 bytes JMP 0000000100070330 .text C:\Windows\system32\SearchIndexer.exe[3328] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077981db0 5 bytes JMP 0000000100070410 .text C:\Windows\system32\SearchIndexer.exe[3328] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077981de0 5 bytes JMP 0000000100070240 .text C:\Windows\system32\SearchIndexer.exe[3328] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000779820a0 5 bytes JMP 00000001000701e0 .text C:\Windows\system32\SearchIndexer.exe[3328] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077982160 5 bytes JMP 0000000100070250 .text C:\Windows\system32\SearchIndexer.exe[3328] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077982190 5 bytes JMP 0000000100070490 .text C:\Windows\system32\SearchIndexer.exe[3328] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000779821a0 5 bytes JMP 00000001000704a0 .text C:\Windows\system32\SearchIndexer.exe[3328] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000779821d0 5 bytes JMP 0000000100070300 .text C:\Windows\system32\SearchIndexer.exe[3328] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000779821e0 5 bytes JMP 0000000100070360 .text C:\Windows\system32\SearchIndexer.exe[3328] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077982240 5 bytes JMP 00000001000702a0 .text C:\Windows\system32\SearchIndexer.exe[3328] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077982290 5 bytes JMP 00000001000702c0 .text C:\Windows\system32\SearchIndexer.exe[3328] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000779822c0 5 bytes JMP 0000000100070380 .text C:\Windows\system32\SearchIndexer.exe[3328] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000779822d0 5 bytes JMP 0000000100070340 .text 
C:\Windows\system32\SearchIndexer.exe[3328] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000779825c0 5 bytes JMP 0000000100070440 .text C:\Windows\system32\SearchIndexer.exe[3328] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000779827c0 5 bytes JMP 0000000100070260 .text C:\Windows\system32\SearchIndexer.exe[3328] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000779827d0 5 bytes JMP 0000000100070270 .text C:\Windows\system32\SearchIndexer.exe[3328] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000779827e0 5 bytes JMP 0000000100070400 .text C:\Windows\system32\SearchIndexer.exe[3328] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000779829a0 5 bytes JMP 00000001000701f0 .text C:\Windows\system32\SearchIndexer.exe[3328] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000779829b0 5 bytes JMP 0000000100070210 .text C:\Windows\system32\SearchIndexer.exe[3328] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077982a20 5 bytes JMP 0000000100070200 .text C:\Windows\system32\SearchIndexer.exe[3328] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077982a80 5 bytes JMP 0000000100070420 .text C:\Windows\system32\SearchIndexer.exe[3328] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077982a90 5 bytes JMP 0000000100070430 .text C:\Windows\system32\SearchIndexer.exe[3328] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077982aa0 5 bytes JMP 0000000100070220 .text C:\Windows\system32\SearchIndexer.exe[3328] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077982b80 5 bytes JMP 0000000100070280 .text C:\Windows\system32\SearchIndexer.exe[3328] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007786eecd 1 byte [62] .text C:\Windows\system32\wbem\wmiprvse.exe[3992] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077981360 5 bytes JMP 0000000077ae0460 .text C:\Windows\system32\wbem\wmiprvse.exe[3992] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000779813b0 5 bytes JMP 
0000000077ae0450 .text C:\Windows\system32\wbem\wmiprvse.exe[3992] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077981510 5 bytes JMP 0000000077ae0370 .text C:\Windows\system32\wbem\wmiprvse.exe[3992] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077981560 5 bytes JMP 0000000077ae0470 .text C:\Windows\system32\wbem\wmiprvse.exe[3992] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077981570 5 bytes JMP 0000000077ae03e0 .text C:\Windows\system32\wbem\wmiprvse.exe[3992] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077981620 5 bytes JMP 0000000077ae0320 .text C:\Windows\system32\wbem\wmiprvse.exe[3992] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077981650 5 bytes JMP 0000000077ae03b0 .text C:\Windows\system32\wbem\wmiprvse.exe[3992] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077981670 5 bytes JMP 0000000077ae0390 .text C:\Windows\system32\wbem\wmiprvse.exe[3992] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000779816b0 5 bytes JMP 0000000077ae02e0 .text C:\Windows\system32\wbem\wmiprvse.exe[3992] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077981730 5 bytes JMP 0000000077ae02d0 .text C:\Windows\system32\wbem\wmiprvse.exe[3992] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077981750 5 bytes JMP 0000000077ae0310 .text C:\Windows\system32\wbem\wmiprvse.exe[3992] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077981790 5 bytes JMP 0000000077ae03c0 .text C:\Windows\system32\wbem\wmiprvse.exe[3992] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000779817e0 5 bytes JMP 0000000077ae03f0 .text C:\Windows\system32\wbem\wmiprvse.exe[3992] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077981940 5 bytes JMP 0000000077ae0230 .text C:\Windows\system32\wbem\wmiprvse.exe[3992] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077981b00 5 bytes JMP 0000000077ae0480 .text C:\Windows\system32\wbem\wmiprvse.exe[3992] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 
0000000077981b30 5 bytes JMP 0000000077ae03a0 .text C:\Windows\system32\wbem\wmiprvse.exe[3992] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077981c10 5 bytes JMP 0000000077ae02f0 .text C:\Windows\system32\wbem\wmiprvse.exe[3992] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077981c20 5 bytes JMP 0000000077ae0350 .text C:\Windows\system32\wbem\wmiprvse.exe[3992] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077981c80 5 bytes JMP 0000000077ae0290 .text C:\Windows\system32\wbem\wmiprvse.exe[3992] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077981d10 5 bytes JMP 0000000077ae02b0 .text C:\Windows\system32\wbem\wmiprvse.exe[3992] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077981d30 5 bytes JMP 0000000077ae03d0 .text C:\Windows\system32\wbem\wmiprvse.exe[3992] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077981d40 5 bytes JMP 0000000077ae0330 .text C:\Windows\system32\wbem\wmiprvse.exe[3992] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077981db0 5 bytes JMP 0000000077ae0410 .text C:\Windows\system32\wbem\wmiprvse.exe[3992] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077981de0 5 bytes JMP 0000000077ae0240 .text C:\Windows\system32\wbem\wmiprvse.exe[3992] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000779820a0 5 bytes JMP 0000000077ae01e0 .text C:\Windows\system32\wbem\wmiprvse.exe[3992] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077982160 5 bytes JMP 0000000077ae0250 .text C:\Windows\system32\wbem\wmiprvse.exe[3992] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077982190 5 bytes JMP 0000000077ae0490 .text C:\Windows\system32\wbem\wmiprvse.exe[3992] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000779821a0 5 bytes JMP 0000000077ae04a0 .text C:\Windows\system32\wbem\wmiprvse.exe[3992] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000779821d0 5 bytes JMP 0000000077ae0300 .text C:\Windows\system32\wbem\wmiprvse.exe[3992] 
C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000779821e0 5 bytes JMP 0000000077ae0360 .text C:\Windows\system32\wbem\wmiprvse.exe[3992] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077982240 5 bytes JMP 0000000077ae02a0 .text C:\Windows\system32\wbem\wmiprvse.exe[3992] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077982290 5 bytes JMP 0000000077ae02c0 .text C:\Windows\system32\wbem\wmiprvse.exe[3992] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000779822c0 5 bytes JMP 0000000077ae0380 .text C:\Windows\system32\wbem\wmiprvse.exe[3992] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000779822d0 5 bytes JMP 0000000077ae0340 .text C:\Windows\system32\wbem\wmiprvse.exe[3992] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000779825c0 5 bytes JMP 0000000077ae0440 .text C:\Windows\system32\wbem\wmiprvse.exe[3992] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000779827c0 5 bytes JMP 0000000077ae0260 .text C:\Windows\system32\wbem\wmiprvse.exe[3992] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000779827d0 5 bytes JMP 0000000077ae0270 .text C:\Windows\system32\wbem\wmiprvse.exe[3992] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000779827e0 5 bytes JMP 0000000077ae0400 .text C:\Windows\system32\wbem\wmiprvse.exe[3992] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000779829a0 5 bytes JMP 0000000077ae01f0 .text C:\Windows\system32\wbem\wmiprvse.exe[3992] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000779829b0 5 bytes JMP 0000000077ae0210 .text C:\Windows\system32\wbem\wmiprvse.exe[3992] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077982a20 5 bytes JMP 0000000077ae0200 .text C:\Windows\system32\wbem\wmiprvse.exe[3992] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077982a80 5 bytes JMP 0000000077ae0420 .text C:\Windows\system32\wbem\wmiprvse.exe[3992] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077982a90 5 bytes JMP 0000000077ae0430 .text 
C:\Windows\system32\wbem\wmiprvse.exe[3992] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077982aa0 5 bytes JMP 0000000077ae0220 .text C:\Windows\system32\wbem\wmiprvse.exe[3992] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077982b80 5 bytes JMP 0000000077ae0280 .text C:\Windows\System32\svchost.exe[4000] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077981360 5 bytes JMP 0000000077ae0460 .text C:\Windows\System32\svchost.exe[4000] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000779813b0 5 bytes JMP 0000000077ae0450 .text C:\Windows\System32\svchost.exe[4000] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077981510 5 bytes JMP 0000000077ae0370 .text C:\Windows\System32\svchost.exe[4000] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077981560 5 bytes JMP 0000000077ae0470 .text C:\Windows\System32\svchost.exe[4000] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077981570 5 bytes JMP 0000000077ae03e0 .text C:\Windows\System32\svchost.exe[4000] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077981620 5 bytes JMP 0000000077ae0320 .text C:\Windows\System32\svchost.exe[4000] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077981650 5 bytes JMP 0000000077ae03b0 .text C:\Windows\System32\svchost.exe[4000] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077981670 5 bytes JMP 0000000077ae0390 .text C:\Windows\System32\svchost.exe[4000] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000779816b0 5 bytes JMP 0000000077ae02e0 .text C:\Windows\System32\svchost.exe[4000] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077981730 5 bytes JMP 0000000077ae02d0 .text C:\Windows\System32\svchost.exe[4000] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077981750 5 bytes JMP 0000000077ae0310 .text C:\Windows\System32\svchost.exe[4000] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077981790 5 bytes JMP 0000000077ae03c0 .text C:\Windows\System32\svchost.exe[4000] 
C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000779817e0 5 bytes JMP 0000000077ae03f0 .text C:\Windows\System32\svchost.exe[4000] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077981940 5 bytes JMP 0000000077ae0230 .text C:\Windows\System32\svchost.exe[4000] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077981b00 5 bytes JMP 0000000077ae0480 .text C:\Windows\System32\svchost.exe[4000] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077981b30 5 bytes JMP 0000000077ae03a0 .text C:\Windows\System32\svchost.exe[4000] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077981c10 5 bytes JMP 0000000077ae02f0 .text C:\Windows\System32\svchost.exe[4000] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077981c20 5 bytes JMP 0000000077ae0350 .text C:\Windows\System32\svchost.exe[4000] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077981c80 5 bytes JMP 0000000077ae0290 .text C:\Windows\System32\svchost.exe[4000] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077981d10 5 bytes JMP 0000000077ae02b0 .text C:\Windows\System32\svchost.exe[4000] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077981d30 5 bytes JMP 0000000077ae03d0 .text C:\Windows\System32\svchost.exe[4000] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077981d40 5 bytes JMP 0000000077ae0330 .text C:\Windows\System32\svchost.exe[4000] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077981db0 5 bytes JMP 0000000077ae0410 .text C:\Windows\System32\svchost.exe[4000] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077981de0 5 bytes JMP 0000000077ae0240 .text C:\Windows\System32\svchost.exe[4000] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000779820a0 5 bytes JMP 0000000077ae01e0 .text C:\Windows\System32\svchost.exe[4000] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077982160 5 bytes JMP 0000000077ae0250 .text C:\Windows\System32\svchost.exe[4000] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 
0000000077982190 5 bytes JMP 0000000077ae0490 .text C:\Windows\System32\svchost.exe[4000] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000779821a0 5 bytes JMP 0000000077ae04a0 .text C:\Windows\System32\svchost.exe[4000] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000779821d0 5 bytes JMP 0000000077ae0300 .text C:\Windows\System32\svchost.exe[4000] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000779821e0 5 bytes JMP 0000000077ae0360 .text C:\Windows\System32\svchost.exe[4000] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077982240 5 bytes JMP 0000000077ae02a0 .text C:\Windows\System32\svchost.exe[4000] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077982290 5 bytes JMP 0000000077ae02c0 .text C:\Windows\System32\svchost.exe[4000] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000779822c0 5 bytes JMP 0000000077ae0380 .text C:\Windows\System32\svchost.exe[4000] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000779822d0 5 bytes JMP 0000000077ae0340 .text C:\Windows\System32\svchost.exe[4000] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000779825c0 5 bytes JMP 0000000077ae0440 .text C:\Windows\System32\svchost.exe[4000] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000779827c0 5 bytes JMP 0000000077ae0260 .text C:\Windows\System32\svchost.exe[4000] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000779827d0 5 bytes JMP 0000000077ae0270 .text C:\Windows\System32\svchost.exe[4000] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000779827e0 5 bytes JMP 0000000077ae0400 .text C:\Windows\System32\svchost.exe[4000] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000779829a0 5 bytes JMP 0000000077ae01f0 .text C:\Windows\System32\svchost.exe[4000] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000779829b0 5 bytes JMP 0000000077ae0210 .text C:\Windows\System32\svchost.exe[4000] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077982a20 5 bytes JMP 0000000077ae0200 .text 
C:\Windows\System32\svchost.exe[4000] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077982a80 5 bytes JMP 0000000077ae0420 .text C:\Windows\System32\svchost.exe[4000] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077982a90 5 bytes JMP 0000000077ae0430 .text C:\Windows\System32\svchost.exe[4000] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077982aa0 5 bytes JMP 0000000077ae0220 .text C:\Windows\System32\svchost.exe[4000] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077982b80 5 bytes JMP 0000000077ae0280 .text C:\Program Files (x86)\FindRight\bin\FilterApp_C64.exe[3892] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077981360 5 bytes JMP 0000000077ae0460 .text C:\Program Files (x86)\FindRight\bin\FilterApp_C64.exe[3892] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000779813b0 5 bytes JMP 0000000077ae0450 .text C:\Program Files (x86)\FindRight\bin\FilterApp_C64.exe[3892] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077981510 5 bytes JMP 0000000077ae0370 .text C:\Program Files (x86)\FindRight\bin\FilterApp_C64.exe[3892] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077981560 5 bytes JMP 0000000077ae0470 .text C:\Program Files (x86)\FindRight\bin\FilterApp_C64.exe[3892] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077981570 5 bytes JMP 0000000077ae03e0 .text C:\Program Files (x86)\FindRight\bin\FilterApp_C64.exe[3892] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077981620 5 bytes JMP 0000000077ae0320 .text C:\Program Files (x86)\FindRight\bin\FilterApp_C64.exe[3892] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077981650 5 bytes JMP 0000000077ae03b0 .text C:\Program Files (x86)\FindRight\bin\FilterApp_C64.exe[3892] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077981670 5 bytes JMP 0000000077ae0390 .text C:\Program Files (x86)\FindRight\bin\FilterApp_C64.exe[3892] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000779816b0 5 bytes JMP 0000000077ae02e0 .text 
C:\Program Files (x86)\FindRight\bin\FilterApp_C64.exe[3892] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077981730 5 bytes JMP 0000000077ae02d0 .text C:\Program Files (x86)\FindRight\bin\FilterApp_C64.exe[3892] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077981750 5 bytes JMP 0000000077ae0310 .text C:\Program Files (x86)\FindRight\bin\FilterApp_C64.exe[3892] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077981790 5 bytes JMP 0000000077ae03c0 .text C:\Program Files (x86)\FindRight\bin\FilterApp_C64.exe[3892] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000779817e0 5 bytes JMP 0000000077ae03f0 .text C:\Program Files (x86)\FindRight\bin\FilterApp_C64.exe[3892] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077981940 5 bytes JMP 0000000077ae0230 .text C:\Program Files (x86)\FindRight\bin\FilterApp_C64.exe[3892] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077981b00 5 bytes JMP 0000000077ae0480 .text C:\Program Files (x86)\FindRight\bin\FilterApp_C64.exe[3892] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077981b30 5 bytes JMP 0000000077ae03a0 .text C:\Program Files (x86)\FindRight\bin\FilterApp_C64.exe[3892] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077981c10 5 bytes JMP 0000000077ae02f0 .text C:\Program Files (x86)\FindRight\bin\FilterApp_C64.exe[3892] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077981c20 5 bytes JMP 0000000077ae0350 .text C:\Program Files (x86)\FindRight\bin\FilterApp_C64.exe[3892] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077981c80 5 bytes JMP 0000000077ae0290 .text C:\Program Files (x86)\FindRight\bin\FilterApp_C64.exe[3892] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077981d10 5 bytes JMP 0000000077ae02b0 .text C:\Program Files (x86)\FindRight\bin\FilterApp_C64.exe[3892] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077981d30 5 bytes JMP 0000000077ae03d0 .text C:\Program Files (x86)\FindRight\bin\FilterApp_C64.exe[3892] 
C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077981d40 5 bytes JMP 0000000077ae0330 .text C:\Program Files (x86)\FindRight\bin\FilterApp_C64.exe[3892] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077981db0 5 bytes JMP 0000000077ae0410 .text C:\Program Files (x86)\FindRight\bin\FilterApp_C64.exe[3892] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077981de0 5 bytes JMP 0000000077ae0240 .text C:\Program Files (x86)\FindRight\bin\FilterApp_C64.exe[3892] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000779820a0 5 bytes JMP 0000000077ae01e0 .text C:\Program Files (x86)\FindRight\bin\FilterApp_C64.exe[3892] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077982160 5 bytes JMP 0000000077ae0250 .text C:\Program Files (x86)\FindRight\bin\FilterApp_C64.exe[3892] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077982190 5 bytes JMP 0000000077ae0490 .text C:\Program Files (x86)\FindRight\bin\FilterApp_C64.exe[3892] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000779821a0 5 bytes JMP 0000000077ae04a0 .text C:\Program Files (x86)\FindRight\bin\FilterApp_C64.exe[3892] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000779821d0 5 bytes JMP 0000000077ae0300 .text C:\Program Files (x86)\FindRight\bin\FilterApp_C64.exe[3892] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000779821e0 5 bytes JMP 0000000077ae0360 .text C:\Program Files (x86)\FindRight\bin\FilterApp_C64.exe[3892] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077982240 5 bytes JMP 0000000077ae02a0 .text C:\Program Files (x86)\FindRight\bin\FilterApp_C64.exe[3892] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077982290 5 bytes JMP 0000000077ae02c0 .text C:\Program Files (x86)\FindRight\bin\FilterApp_C64.exe[3892] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000779822c0 5 bytes JMP 0000000077ae0380 .text C:\Program Files (x86)\FindRight\bin\FilterApp_C64.exe[3892] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000779822d0 5 bytes JMP 
0000000077ae0340 .text C:\Program Files (x86)\FindRight\bin\FilterApp_C64.exe[3892] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000779825c0 5 bytes JMP 0000000077ae0440 .text C:\Program Files (x86)\FindRight\bin\FilterApp_C64.exe[3892] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000779827c0 5 bytes JMP 0000000077ae0260 .text C:\Program Files (x86)\FindRight\bin\FilterApp_C64.exe[3892] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000779827d0 5 bytes JMP 0000000077ae0270 .text C:\Program Files (x86)\FindRight\bin\FilterApp_C64.exe[3892] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000779827e0 5 bytes JMP 0000000077ae0400 .text C:\Program Files (x86)\FindRight\bin\FilterApp_C64.exe[3892] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000779829a0 5 bytes JMP 0000000077ae01f0 .text C:\Program Files (x86)\FindRight\bin\FilterApp_C64.exe[3892] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000779829b0 5 bytes JMP 0000000077ae0210 .text C:\Program Files (x86)\FindRight\bin\FilterApp_C64.exe[3892] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077982a20 5 bytes JMP 0000000077ae0200 .text C:\Program Files (x86)\FindRight\bin\FilterApp_C64.exe[3892] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077982a80 5 bytes JMP 0000000077ae0420 .text C:\Program Files (x86)\FindRight\bin\FilterApp_C64.exe[3892] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077982a90 5 bytes JMP 0000000077ae0430 .text C:\Program Files (x86)\FindRight\bin\FilterApp_C64.exe[3892] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077982aa0 5 bytes JMP 0000000077ae0220 .text C:\Program Files (x86)\FindRight\bin\FilterApp_C64.exe[3892] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077982b80 5 bytes JMP 0000000077ae0280 .text C:\Program Files (x86)\FindRight\bin\XTLSApp.exe[4184] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000755ca2ba 1 byte [62] .text C:\Windows\System32\svchost.exe[2916] 
C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077981360 5 bytes JMP 0000000077ae0460 .text C:\Windows\System32\svchost.exe[2916] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000779813b0 5 bytes JMP 0000000077ae0450 .text C:\Windows\System32\svchost.exe[2916] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077981510 5 bytes JMP 0000000077ae0370 .text C:\Windows\System32\svchost.exe[2916] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077981560 5 bytes JMP 0000000077ae0470 .text C:\Windows\System32\svchost.exe[2916] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077981570 5 bytes JMP 0000000077ae03e0 .text C:\Windows\System32\svchost.exe[2916] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077981620 5 bytes JMP 0000000077ae0320 .text C:\Windows\System32\svchost.exe[2916] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077981650 5 bytes JMP 0000000077ae03b0 .text C:\Windows\System32\svchost.exe[2916] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077981670 5 bytes JMP 0000000077ae0390 .text C:\Windows\System32\svchost.exe[2916] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000779816b0 5 bytes JMP 0000000077ae02e0 .text C:\Windows\System32\svchost.exe[2916] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077981730 5 bytes JMP 0000000077ae02d0 .text C:\Windows\System32\svchost.exe[2916] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077981750 5 bytes JMP 0000000077ae0310 .text C:\Windows\System32\svchost.exe[2916] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077981790 5 bytes JMP 0000000077ae03c0 .text C:\Windows\System32\svchost.exe[2916] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000779817e0 5 bytes JMP 0000000077ae03f0 .text C:\Windows\System32\svchost.exe[2916] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077981940 5 bytes JMP 0000000077ae0230 .text C:\Windows\System32\svchost.exe[2916] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077981b00 5 bytes 
JMP 0000000077ae0480 .text C:\Windows\System32\svchost.exe[2916] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077981b30 5 bytes JMP 0000000077ae03a0 .text C:\Windows\System32\svchost.exe[2916] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077981c10 5 bytes JMP 0000000077ae02f0 .text C:\Windows\System32\svchost.exe[2916] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077981c20 5 bytes JMP 0000000077ae0350 .text C:\Windows\System32\svchost.exe[2916] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077981c80 5 bytes JMP 0000000077ae0290 .text C:\Windows\System32\svchost.exe[2916] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077981d10 5 bytes JMP 0000000077ae02b0 .text C:\Windows\System32\svchost.exe[2916] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077981d30 5 bytes JMP 0000000077ae03d0 .text C:\Windows\System32\svchost.exe[2916] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077981d40 5 bytes JMP 0000000077ae0330 .text C:\Windows\System32\svchost.exe[2916] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077981db0 5 bytes JMP 0000000077ae0410 .text C:\Windows\System32\svchost.exe[2916] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077981de0 5 bytes JMP 0000000077ae0240 .text C:\Windows\System32\svchost.exe[2916] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000779820a0 5 bytes JMP 0000000077ae01e0 .text C:\Windows\System32\svchost.exe[2916] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077982160 5 bytes JMP 0000000077ae0250 .text C:\Windows\System32\svchost.exe[2916] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077982190 5 bytes JMP 0000000077ae0490 .text C:\Windows\System32\svchost.exe[2916] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000779821a0 5 bytes JMP 0000000077ae04a0 .text C:\Windows\System32\svchost.exe[2916] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000779821d0 5 bytes JMP 0000000077ae0300 .text 
C:\Windows\System32\svchost.exe[2916] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000779821e0 5 bytes JMP 0000000077ae0360 .text C:\Windows\System32\svchost.exe[2916] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077982240 5 bytes JMP 0000000077ae02a0 .text C:\Windows\System32\svchost.exe[2916] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077982290 5 bytes JMP 0000000077ae02c0 .text C:\Windows\System32\svchost.exe[2916] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000779822c0 5 bytes JMP 0000000077ae0380 .text C:\Windows\System32\svchost.exe[2916] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000779822d0 5 bytes JMP 0000000077ae0340 .text C:\Windows\System32\svchost.exe[2916] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000779825c0 5 bytes JMP 0000000077ae0440 .text C:\Windows\System32\svchost.exe[2916] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000779827c0 5 bytes JMP 0000000077ae0260 .text C:\Windows\System32\svchost.exe[2916] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000779827d0 5 bytes JMP 0000000077ae0270 .text C:\Windows\System32\svchost.exe[2916] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000779827e0 5 bytes JMP 0000000077ae0400 .text C:\Windows\System32\svchost.exe[2916] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000779829a0 5 bytes JMP 0000000077ae01f0 .text C:\Windows\System32\svchost.exe[2916] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000779829b0 5 bytes JMP 0000000077ae0210 .text C:\Windows\System32\svchost.exe[2916] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077982a20 5 bytes JMP 0000000077ae0200 .text C:\Windows\System32\svchost.exe[2916] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077982a80 5 bytes JMP 0000000077ae0420 .text C:\Windows\System32\svchost.exe[2916] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077982a90 5 bytes JMP 0000000077ae0430 .text C:\Windows\System32\svchost.exe[2916] 
C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077982aa0 5 bytes JMP 0000000077ae0220 .text C:\Windows\System32\svchost.exe[2916] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077982b80 5 bytes JMP 0000000077ae0280 .text C:\Windows\system32\wuauclt.exe[4252] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077981360 5 bytes JMP 0000000077ae0460 .text C:\Windows\system32\wuauclt.exe[4252] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000779813b0 5 bytes JMP 0000000077ae0450 .text C:\Windows\system32\wuauclt.exe[4252] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077981510 5 bytes JMP 0000000077ae0370 .text C:\Windows\system32\wuauclt.exe[4252] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077981560 5 bytes JMP 0000000077ae0470 .text C:\Windows\system32\wuauclt.exe[4252] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077981570 5 bytes JMP 0000000077ae03e0 .text C:\Windows\system32\wuauclt.exe[4252] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077981620 5 bytes JMP 0000000077ae0320 .text C:\Windows\system32\wuauclt.exe[4252] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077981650 5 bytes JMP 0000000077ae03b0 .text C:\Windows\system32\wuauclt.exe[4252] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077981670 5 bytes JMP 0000000077ae0390 .text C:\Windows\system32\wuauclt.exe[4252] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000779816b0 5 bytes JMP 0000000077ae02e0 .text C:\Windows\system32\wuauclt.exe[4252] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077981730 5 bytes JMP 0000000077ae02d0 .text C:\Windows\system32\wuauclt.exe[4252] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077981750 5 bytes JMP 0000000077ae0310 .text C:\Windows\system32\wuauclt.exe[4252] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077981790 5 bytes JMP 0000000077ae03c0 .text C:\Windows\system32\wuauclt.exe[4252] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000779817e0 5 bytes JMP 
0000000077ae03f0 .text C:\Windows\system32\wuauclt.exe[4252] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077981940 5 bytes JMP 0000000077ae0230 .text C:\Windows\system32\wuauclt.exe[4252] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077981b00 5 bytes JMP 0000000077ae0480 .text C:\Windows\system32\wuauclt.exe[4252] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077981b30 5 bytes JMP 0000000077ae03a0 .text C:\Windows\system32\wuauclt.exe[4252] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077981c10 5 bytes JMP 0000000077ae02f0 .text C:\Windows\system32\wuauclt.exe[4252] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077981c20 5 bytes JMP 0000000077ae0350 .text C:\Windows\system32\wuauclt.exe[4252] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077981c80 5 bytes JMP 0000000077ae0290 .text C:\Windows\system32\wuauclt.exe[4252] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077981d10 5 bytes JMP 0000000077ae02b0 .text C:\Windows\system32\wuauclt.exe[4252] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077981d30 5 bytes JMP 0000000077ae03d0 .text C:\Windows\system32\wuauclt.exe[4252] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077981d40 5 bytes JMP 0000000077ae0330 .text C:\Windows\system32\wuauclt.exe[4252] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077981db0 5 bytes JMP 0000000077ae0410 .text C:\Windows\system32\wuauclt.exe[4252] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077981de0 5 bytes JMP 0000000077ae0240 .text C:\Windows\system32\wuauclt.exe[4252] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000779820a0 5 bytes JMP 0000000077ae01e0 .text C:\Windows\system32\wuauclt.exe[4252] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077982160 5 bytes JMP 0000000077ae0250 .text C:\Windows\system32\wuauclt.exe[4252] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077982190 5 bytes JMP 0000000077ae0490 .text C:\Windows\system32\wuauclt.exe[4252] 
C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000779821a0 5 bytes JMP 0000000077ae04a0 .text C:\Windows\system32\wuauclt.exe[4252] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000779821d0 5 bytes JMP 0000000077ae0300 .text C:\Windows\system32\wuauclt.exe[4252] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000779821e0 5 bytes JMP 0000000077ae0360 .text C:\Windows\system32\wuauclt.exe[4252] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077982240 5 bytes JMP 0000000077ae02a0 .text C:\Windows\system32\wuauclt.exe[4252] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077982290 5 bytes JMP 0000000077ae02c0 .text C:\Windows\system32\wuauclt.exe[4252] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000779822c0 5 bytes JMP 0000000077ae0380 .text C:\Windows\system32\wuauclt.exe[4252] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000779822d0 5 bytes JMP 0000000077ae0340 .text C:\Windows\system32\wuauclt.exe[4252] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000779825c0 5 bytes JMP 0000000077ae0440 .text C:\Windows\system32\wuauclt.exe[4252] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000779827c0 5 bytes JMP 0000000077ae0260 .text C:\Windows\system32\wuauclt.exe[4252] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000779827d0 5 bytes JMP 0000000077ae0270 .text C:\Windows\system32\wuauclt.exe[4252] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000779827e0 5 bytes JMP 0000000077ae0400 .text C:\Windows\system32\wuauclt.exe[4252] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000779829a0 5 bytes JMP 0000000077ae01f0 .text C:\Windows\system32\wuauclt.exe[4252] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000779829b0 5 bytes JMP 0000000077ae0210 .text C:\Windows\system32\wuauclt.exe[4252] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077982a20 5 bytes JMP 0000000077ae0200 .text C:\Windows\system32\wuauclt.exe[4252] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077982a80 5 
bytes JMP 0000000077ae0420
.text C:\Windows\system32\wuauclt.exe[4252] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077982a90 5 bytes JMP 0000000077ae0430
.text C:\Windows\system32\wuauclt.exe[4252] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077982aa0 5 bytes JMP 0000000077ae0220
.text C:\Windows\system32\wuauclt.exe[4252] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077982b80 5 bytes JMP 0000000077ae0280
.text C:\Users\Tomek\Downloads\nf8jp2em.exe[2952] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000755ca2ba 1 byte [62]

---- Processes - GMER 2.1 ----

Process C:\programdata\cpu\system32.exe (*** suspicious ***) @ C:\programdata\cpu\system32.exe [3196](2014-02-08 17:51:41) 000000013f560000
Library C:\programdata\cpu\mpir.dll (*** suspicious ***) @ C:\programdata\cpu\system32.exe [3196](2014-02-08 17:51:41) 000007fef39e0000

---- EOF - GMER 2.1 ----