GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2014-05-26 12:50:09 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 ST9500325AS rev.0002SDM1 465,76GB Running: umr1zny3.exe; Driver: C:\Users\agrawa\AppData\Local\Temp\kwrdypoc.sys ---- Kernel code sections - GMER 2.1 ---- .text C:\Windows\System32\win32k.sys!EngSetLastError + 608 fffff96000104cb4 8 bytes [48, C4, A3, 03, 80, F8, FF, ...] .text C:\Windows\System32\win32k.sys!W32pServiceTable fffff96000133f00 7 bytes [00, 98, F3, FF, 01, A6, F0] .text C:\Windows\System32\win32k.sys!W32pServiceTable + 8 fffff96000133f08 3 bytes [C0, 06, 02] .text ... * 109 .text C:\Windows\System32\win32k.sys!EngGetProcessHandle + 404 fffff960001f2a98 6 bytes {JMP QWORD [RIP+0x663fe]} ---- User code sections - GMER 2.1 ---- .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000778d1360 5 bytes JMP 000000014a210460 .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000778d13b0 5 bytes JMP 000000014a210450 .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000778d1510 5 bytes JMP 000000014a210370 .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000778d1560 5 bytes JMP 000000014a210470 .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000778d1570 5 bytes JMP 000000014a2103e0 .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000778d1620 5 bytes JMP 000000014a210320 .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000778d1650 5 bytes JMP 000000014a2103b0 .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000778d1670 5 bytes JMP 000000014a210390 .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778d16b0 5 bytes JMP 000000014a2102e0 .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000778d1730 5 bytes JMP 000000014a2102d0 .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000778d1750 5 bytes JMP 000000014a210310 .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000778d1790 5 bytes JMP 000000014a2103c0 .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778d17e0 5 bytes JMP 000000014a2103f0 .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000778d1940 5 bytes JMP 000000014a210230 .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000778d1b00 5 bytes JMP 000000014a210480 .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000778d1b30 5 bytes JMP 000000014a2103a0 .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000778d1c10 5 bytes JMP 000000014a2102f0 .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000778d1c20 5 bytes JMP 000000014a210350 .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000778d1c80 5 bytes JMP 000000014a210290 .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000778d1d10 5 bytes JMP 000000014a2102b0 .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000778d1d30 5 bytes JMP 000000014a2103d0 .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000778d1d40 5 bytes JMP 000000014a210330 .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000778d1db0 5 bytes JMP 000000014a210410 .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000778d1de0 5 bytes JMP 000000014a210240 .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778d20a0 5 bytes JMP 000000014a2101e0 .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000778d2160 5 bytes JMP 000000014a210250 .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000778d2190 5 bytes JMP 000000014a210490 .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778d21a0 5 bytes JMP 000000014a2104a0 .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778d21d0 5 bytes JMP 000000014a210300 .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778d21e0 5 bytes JMP 000000014a210360 .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000778d2240 5 bytes JMP 000000014a2102a0 .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000778d2290 5 bytes JMP 000000014a2102c0 .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000778d22c0 5 bytes JMP 000000014a210380 .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778d22d0 5 bytes JMP 000000014a210340 .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000778d25c0 5 bytes JMP 000000014a210440 .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778d27c0 5 bytes JMP 000000014a210260 .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778d27d0 5 bytes JMP 000000014a210270 .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778d27e0 5 bytes JMP 000000014a210400 .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778d29a0 5 bytes JMP 000000014a2101f0 .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778d29b0 5 bytes JMP 000000014a210210 .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000778d2a20 5 bytes JMP 000000014a210200 .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000778d2a80 5 bytes JMP 000000014a210420 .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000778d2a90 5 bytes JMP 000000014a210430 .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000778d2aa0 5 bytes JMP 000000014a210220 .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000778d2b80 5 bytes JMP 000000014a210280 .text C:\Windows\system32\wininit.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000778d1360 5 bytes JMP 0000000077a30460 .text C:\Windows\system32\wininit.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000778d13b0 5 bytes JMP 0000000077a30450 .text C:\Windows\system32\wininit.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000778d1510 5 bytes JMP 0000000077a30370 .text C:\Windows\system32\wininit.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000778d1560 5 bytes JMP 0000000077a30470 .text C:\Windows\system32\wininit.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000778d1570 5 bytes JMP 0000000077a303e0 .text C:\Windows\system32\wininit.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000778d1620 5 bytes JMP 0000000077a30320 .text C:\Windows\system32\wininit.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000778d1650 5 bytes JMP 0000000077a303b0 .text C:\Windows\system32\wininit.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000778d1670 5 bytes JMP 0000000077a30390 .text C:\Windows\system32\wininit.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778d16b0 5 bytes JMP 0000000077a302e0 .text C:\Windows\system32\wininit.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000778d1730 5 bytes JMP 0000000077a302d0 .text C:\Windows\system32\wininit.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000778d1750 5 bytes JMP 0000000077a30310 .text C:\Windows\system32\wininit.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000778d1790 5 bytes JMP 0000000077a303c0 .text C:\Windows\system32\wininit.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778d17e0 5 bytes JMP 0000000077a303f0 .text C:\Windows\system32\wininit.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000778d1940 5 bytes JMP 0000000077a30230 .text C:\Windows\system32\wininit.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000778d1b00 5 bytes JMP 0000000077a30480 .text C:\Windows\system32\wininit.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000778d1b30 5 bytes JMP 0000000077a303a0 .text C:\Windows\system32\wininit.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000778d1c10 5 bytes JMP 0000000077a302f0 .text C:\Windows\system32\wininit.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000778d1c20 5 bytes JMP 0000000077a30350 .text C:\Windows\system32\wininit.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000778d1c80 5 bytes JMP 0000000077a30290 .text C:\Windows\system32\wininit.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000778d1d10 5 bytes JMP 0000000077a302b0 .text C:\Windows\system32\wininit.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000778d1d30 5 bytes JMP 0000000077a303d0 .text C:\Windows\system32\wininit.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000778d1d40 5 bytes JMP 0000000077a30330 .text C:\Windows\system32\wininit.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000778d1db0 5 bytes JMP 0000000077a30410 .text C:\Windows\system32\wininit.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000778d1de0 5 bytes JMP 0000000077a30240 .text C:\Windows\system32\wininit.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778d20a0 5 bytes JMP 0000000077a301e0 .text C:\Windows\system32\wininit.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000778d2160 5 bytes JMP 0000000077a30250 .text C:\Windows\system32\wininit.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000778d2190 5 bytes JMP 0000000077a30490 .text C:\Windows\system32\wininit.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778d21a0 5 bytes JMP 0000000077a304a0 .text C:\Windows\system32\wininit.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778d21d0 5 bytes JMP 0000000077a30300 .text C:\Windows\system32\wininit.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778d21e0 5 bytes JMP 0000000077a30360 .text C:\Windows\system32\wininit.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000778d2240 5 bytes JMP 0000000077a302a0 .text C:\Windows\system32\wininit.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000778d2290 5 bytes JMP 0000000077a302c0 .text C:\Windows\system32\wininit.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000778d22c0 5 bytes JMP 0000000077a30380 .text C:\Windows\system32\wininit.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778d22d0 5 bytes JMP 0000000077a30340 .text C:\Windows\system32\wininit.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000778d25c0 5 bytes JMP 0000000077a30440 .text C:\Windows\system32\wininit.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778d27c0 5 bytes JMP 0000000077a30260 .text C:\Windows\system32\wininit.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778d27d0 5 bytes JMP 0000000077a30270 .text C:\Windows\system32\wininit.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778d27e0 5 bytes JMP 0000000077a30400 .text C:\Windows\system32\wininit.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778d29a0 5 bytes JMP 0000000077a301f0 .text C:\Windows\system32\wininit.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778d29b0 5 bytes JMP 0000000077a30210 .text C:\Windows\system32\wininit.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000778d2a20 5 bytes JMP 0000000077a30200 .text C:\Windows\system32\wininit.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000778d2a80 5 bytes JMP 0000000077a30420 .text C:\Windows\system32\wininit.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000778d2a90 5 bytes JMP 0000000077a30430 .text C:\Windows\system32\wininit.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000778d2aa0 5 bytes JMP 0000000077a30220 .text C:\Windows\system32\wininit.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000778d2b80 5 bytes JMP 0000000077a30280 .text C:\Windows\system32\wininit.exe[520] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000777bef8d 1 byte [62] .text C:\Windows\system32\csrss.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000778d1360 5 bytes JMP 000000014a210460 .text C:\Windows\system32\csrss.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000778d13b0 5 bytes JMP 000000014a210450 .text C:\Windows\system32\csrss.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000778d1510 5 bytes JMP 000000014a210370 .text C:\Windows\system32\csrss.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000778d1560 5 bytes JMP 000000014a210470 .text C:\Windows\system32\csrss.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000778d1570 5 bytes JMP 000000014a2103e0 .text C:\Windows\system32\csrss.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000778d1620 5 bytes JMP 000000014a210320 .text C:\Windows\system32\csrss.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000778d1650 5 bytes JMP 000000014a2103b0 .text C:\Windows\system32\csrss.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000778d1670 5 bytes JMP 000000014a210390 .text C:\Windows\system32\csrss.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778d16b0 5 bytes JMP 000000014a2102e0 .text C:\Windows\system32\csrss.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000778d1730 5 bytes JMP 000000014a2102d0 .text C:\Windows\system32\csrss.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000778d1750 5 bytes JMP 000000014a210310 .text C:\Windows\system32\csrss.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000778d1790 5 bytes JMP 000000014a2103c0 .text C:\Windows\system32\csrss.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778d17e0 5 bytes JMP 000000014a2103f0 .text C:\Windows\system32\csrss.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000778d1940 5 bytes JMP 000000014a210230 .text C:\Windows\system32\csrss.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000778d1b00 5 bytes JMP 000000014a210480 .text C:\Windows\system32\csrss.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000778d1b30 5 bytes JMP 000000014a2103a0 .text C:\Windows\system32\csrss.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000778d1c10 5 bytes JMP 000000014a2102f0 .text C:\Windows\system32\csrss.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000778d1c20 5 bytes JMP 000000014a210350 .text C:\Windows\system32\csrss.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000778d1c80 5 bytes JMP 000000014a210290 .text C:\Windows\system32\csrss.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000778d1d10 5 bytes JMP 000000014a2102b0 .text C:\Windows\system32\csrss.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000778d1d30 5 bytes JMP 000000014a2103d0 .text C:\Windows\system32\csrss.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000778d1d40 5 bytes JMP 000000014a210330 .text C:\Windows\system32\csrss.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000778d1db0 5 bytes JMP 000000014a210410 .text C:\Windows\system32\csrss.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000778d1de0 5 bytes JMP 000000014a210240 .text C:\Windows\system32\csrss.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778d20a0 5 bytes JMP 000000014a2101e0 .text C:\Windows\system32\csrss.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000778d2160 5 bytes JMP 000000014a210250 .text C:\Windows\system32\csrss.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000778d2190 5 bytes JMP 000000014a210490 .text C:\Windows\system32\csrss.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778d21a0 5 bytes JMP 000000014a2104a0 .text C:\Windows\system32\csrss.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778d21d0 5 bytes JMP 000000014a210300 .text C:\Windows\system32\csrss.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778d21e0 5 bytes JMP 000000014a210360 .text C:\Windows\system32\csrss.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000778d2240 5 bytes JMP 000000014a2102a0 .text C:\Windows\system32\csrss.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000778d2290 5 bytes JMP 000000014a2102c0 .text C:\Windows\system32\csrss.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000778d22c0 5 bytes JMP 000000014a210380 .text C:\Windows\system32\csrss.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778d22d0 5 bytes JMP 000000014a210340 .text C:\Windows\system32\csrss.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000778d25c0 5 bytes JMP 000000014a210440 .text C:\Windows\system32\csrss.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778d27c0 5 bytes JMP 000000014a210260 .text C:\Windows\system32\csrss.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778d27d0 5 bytes JMP 000000014a210270 .text C:\Windows\system32\csrss.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778d27e0 5 bytes JMP 000000014a210400 .text C:\Windows\system32\csrss.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778d29a0 5 bytes JMP 000000014a2101f0 .text C:\Windows\system32\csrss.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778d29b0 5 bytes JMP 000000014a210210 .text C:\Windows\system32\csrss.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000778d2a20 5 bytes JMP 000000014a210200 .text C:\Windows\system32\csrss.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000778d2a80 5 bytes JMP 000000014a210420 .text C:\Windows\system32\csrss.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000778d2a90 5 bytes JMP 000000014a210430 .text C:\Windows\system32\csrss.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000778d2aa0 5 bytes JMP 000000014a210220 .text C:\Windows\system32\csrss.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000778d2b80 5 bytes JMP 000000014a210280 .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000778d1360 5 bytes JMP 0000000077a30460 .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000778d13b0 5 bytes JMP 0000000077a30450 .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000778d1510 5 bytes JMP 0000000077a30370 .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000778d1560 5 bytes JMP 0000000077a30470 .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000778d1570 5 bytes JMP 0000000077a303e0 .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000778d1620 5 bytes JMP 0000000077a30320 .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000778d1650 5 bytes JMP 0000000077a303b0 .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000778d1670 5 bytes JMP 0000000077a30390 .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778d16b0 5 bytes JMP 0000000077a302e0 .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000778d1730 5 bytes JMP 0000000077a302d0 .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000778d1750 5 bytes JMP 0000000077a30310 .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000778d1790 5 bytes JMP 0000000077a303c0 .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778d17e0 5 bytes JMP 0000000077a303f0 .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000778d1940 5 bytes JMP 0000000077a30230 .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000778d1b00 5 bytes JMP 0000000077a30480 .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000778d1b30 5 bytes JMP 0000000077a303a0 .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000778d1c10 5 bytes JMP 0000000077a302f0 .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000778d1c20 5 bytes JMP 0000000077a30350 .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000778d1c80 5 bytes JMP 0000000077a30290 .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000778d1d10 5 bytes JMP 0000000077a302b0 .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000778d1d30 5 bytes JMP 0000000077a303d0 .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000778d1d40 5 bytes JMP 0000000077a30330 .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000778d1db0 5 bytes JMP 0000000077a30410 .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000778d1de0 5 bytes JMP 0000000077a30240 .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778d20a0 5 bytes JMP 0000000077a301e0 .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000778d2160 5 bytes JMP 0000000077a30250 .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000778d2190 5 bytes JMP 0000000077a30490 .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778d21a0 5 bytes JMP 0000000077a304a0 .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778d21d0 5 bytes JMP 0000000077a30300 .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778d21e0 5 bytes JMP 0000000077a30360 .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000778d2240 5 bytes JMP 0000000077a302a0 .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000778d2290 5 bytes JMP 0000000077a302c0 .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000778d22c0 5 bytes JMP 0000000077a30380 .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778d22d0 5 bytes JMP 0000000077a30340 .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000778d25c0 5 bytes JMP 0000000077a30440 .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778d27c0 5 bytes JMP 0000000077a30260 .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778d27d0 5 bytes JMP 0000000077a30270 .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778d27e0 5 bytes JMP 0000000077a30400 .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778d29a0 5 bytes JMP 0000000077a301f0 .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778d29b0 5 bytes JMP 0000000077a30210 .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000778d2a20 5 bytes JMP 0000000077a30200 .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000778d2a80 5 bytes JMP 0000000077a30420 .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000778d2a90 5 bytes JMP 0000000077a30430 .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000778d2aa0 5 bytes JMP 0000000077a30220 .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000778d2b80 5 bytes JMP 0000000077a30280 .text C:\Windows\system32\services.exe[588] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000777bef8d 1 byte [62] .text C:\Windows\system32\lsass.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000778d1360 5 bytes JMP 0000000077a30460 .text C:\Windows\system32\lsass.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000778d13b0 5 bytes JMP 0000000077a30450 .text C:\Windows\system32\lsass.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000778d1510 5 bytes JMP 0000000077a30370 .text C:\Windows\system32\lsass.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000778d1560 5 bytes JMP 0000000077a30470 .text C:\Windows\system32\lsass.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000778d1570 5 bytes JMP 0000000077a303e0 .text C:\Windows\system32\lsass.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000778d1620 5 bytes JMP 0000000077a30320 .text C:\Windows\system32\lsass.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000778d1650 5 bytes JMP 0000000077a303b0 .text C:\Windows\system32\lsass.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000778d1670 5 bytes JMP 0000000077a30390 .text C:\Windows\system32\lsass.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778d16b0 5 bytes JMP 0000000077a302e0 .text C:\Windows\system32\lsass.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000778d1730 5 bytes JMP 0000000077a302d0 .text C:\Windows\system32\lsass.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000778d1750 5 bytes JMP 0000000077a30310 .text C:\Windows\system32\lsass.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000778d1790 5 bytes JMP 0000000077a303c0 .text C:\Windows\system32\lsass.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778d17e0 5 bytes JMP 0000000077a303f0 .text C:\Windows\system32\lsass.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000778d1940 5 bytes JMP 0000000077a30230 .text C:\Windows\system32\lsass.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000778d1b00 5 bytes JMP 0000000077a30480 .text C:\Windows\system32\lsass.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000778d1b30 5 bytes JMP 0000000077a303a0 .text C:\Windows\system32\lsass.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000778d1c10 5 bytes JMP 0000000077a302f0 .text C:\Windows\system32\lsass.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000778d1c20 5 bytes JMP 0000000077a30350 .text C:\Windows\system32\lsass.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000778d1c80 5 bytes JMP 0000000077a30290 .text C:\Windows\system32\lsass.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000778d1d10 5 bytes JMP 0000000077a302b0 .text C:\Windows\system32\lsass.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000778d1d30 5 bytes JMP 0000000077a303d0 .text C:\Windows\system32\lsass.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000778d1d40 5 bytes JMP 0000000077a30330 .text C:\Windows\system32\lsass.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000778d1db0 5 bytes JMP 0000000077a30410 .text C:\Windows\system32\lsass.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000778d1de0 5 bytes JMP 0000000077a30240 .text C:\Windows\system32\lsass.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778d20a0 5 bytes JMP 0000000077a301e0 .text C:\Windows\system32\lsass.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000778d2160 5 bytes JMP 0000000077a30250 .text C:\Windows\system32\lsass.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000778d2190 5 bytes JMP 0000000077a30490 .text C:\Windows\system32\lsass.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778d21a0 5 bytes JMP 0000000077a304a0 .text C:\Windows\system32\lsass.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778d21d0 5 bytes JMP 0000000077a30300 .text C:\Windows\system32\lsass.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778d21e0 5 bytes JMP 0000000077a30360 .text C:\Windows\system32\lsass.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000778d2240 5 bytes JMP 0000000077a302a0 .text C:\Windows\system32\lsass.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000778d2290 5 bytes JMP 0000000077a302c0 .text C:\Windows\system32\lsass.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000778d22c0 5 bytes JMP 0000000077a30380 .text C:\Windows\system32\lsass.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778d22d0 5 bytes JMP 0000000077a30340 .text C:\Windows\system32\lsass.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000778d25c0 5 bytes JMP 0000000077a30440 .text C:\Windows\system32\lsass.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778d27c0 5 bytes JMP 0000000077a30260 .text C:\Windows\system32\lsass.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778d27d0 5 bytes JMP 0000000077a30270 .text C:\Windows\system32\lsass.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778d27e0 5 bytes JMP 0000000077a30400 .text C:\Windows\system32\lsass.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778d29a0 5 bytes JMP 0000000077a301f0 .text C:\Windows\system32\lsass.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778d29b0 5 bytes JMP 0000000077a30210 .text C:\Windows\system32\lsass.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000778d2a20 5 bytes JMP 0000000077a30200 .text C:\Windows\system32\lsass.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000778d2a80 5 bytes JMP 0000000077a30420 .text C:\Windows\system32\lsass.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000778d2a90 5 bytes JMP 0000000077a30430 .text C:\Windows\system32\lsass.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000778d2aa0 5 bytes JMP 0000000077a30220 .text C:\Windows\system32\lsass.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000778d2b80 5 bytes JMP 0000000077a30280 .text C:\Windows\system32\lsm.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000778d1360 5 bytes JMP 0000000077a30460 .text C:\Windows\system32\lsm.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000778d13b0 5 bytes JMP 0000000077a30450 .text C:\Windows\system32\lsm.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000778d1510 5 bytes JMP 0000000077a30370 .text C:\Windows\system32\lsm.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000778d1560 5 bytes JMP 0000000077a30470 .text C:\Windows\system32\lsm.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000778d1570 5 bytes JMP 0000000077a303e0 .text C:\Windows\system32\lsm.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000778d1620 5 bytes JMP 0000000077a30320 .text C:\Windows\system32\lsm.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000778d1650 5 bytes JMP 0000000077a303b0 .text C:\Windows\system32\lsm.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000778d1670 5 bytes JMP 0000000077a30390 .text C:\Windows\system32\lsm.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778d16b0 5 bytes JMP 0000000077a302e0 .text C:\Windows\system32\lsm.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000778d1730 5 bytes JMP 0000000077a302d0 .text C:\Windows\system32\lsm.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000778d1750 5 bytes JMP 0000000077a30310 .text C:\Windows\system32\lsm.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000778d1790 5 bytes JMP 0000000077a303c0 .text C:\Windows\system32\lsm.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778d17e0 5 bytes JMP 0000000077a303f0 .text C:\Windows\system32\lsm.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000778d1940 5 bytes JMP 0000000077a30230 .text C:\Windows\system32\lsm.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000778d1b00 5 bytes JMP 0000000077a30480 .text C:\Windows\system32\lsm.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000778d1b30 5 bytes JMP 0000000077a303a0 .text C:\Windows\system32\lsm.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000778d1c10 5 bytes JMP 0000000077a302f0 .text C:\Windows\system32\lsm.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000778d1c20 5 bytes JMP 0000000077a30350 .text C:\Windows\system32\lsm.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000778d1c80 5 bytes JMP 0000000077a30290 .text C:\Windows\system32\lsm.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000778d1d10 5 bytes JMP 0000000077a302b0 .text C:\Windows\system32\lsm.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000778d1d30 5 bytes JMP 0000000077a303d0 .text C:\Windows\system32\lsm.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000778d1d40 5 bytes JMP 0000000077a30330 .text C:\Windows\system32\lsm.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000778d1db0 5 bytes JMP 0000000077a30410 .text C:\Windows\system32\lsm.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000778d1de0 5 bytes JMP 0000000077a30240 .text C:\Windows\system32\lsm.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778d20a0 5 bytes JMP 0000000077a301e0 .text C:\Windows\system32\lsm.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000778d2160 5 bytes JMP 0000000077a30250 .text C:\Windows\system32\lsm.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000778d2190 5 bytes JMP 0000000077a30490 .text C:\Windows\system32\lsm.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778d21a0 5 bytes JMP 0000000077a304a0 .text C:\Windows\system32\lsm.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778d21d0 5 bytes JMP 0000000077a30300 .text C:\Windows\system32\lsm.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778d21e0 5 bytes JMP 0000000077a30360 .text C:\Windows\system32\lsm.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000778d2240 5 bytes JMP 0000000077a302a0 .text C:\Windows\system32\lsm.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000778d2290 5 bytes JMP 0000000077a302c0 .text C:\Windows\system32\lsm.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000778d22c0 5 bytes JMP 0000000077a30380 .text C:\Windows\system32\lsm.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778d22d0 5 bytes JMP 0000000077a30340 .text C:\Windows\system32\lsm.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000778d25c0 5 bytes JMP 0000000077a30440 .text C:\Windows\system32\lsm.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778d27c0 5 bytes JMP 0000000077a30260 .text C:\Windows\system32\lsm.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778d27d0 5 bytes JMP 0000000077a30270 .text C:\Windows\system32\lsm.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778d27e0 5 bytes JMP 0000000077a30400 .text C:\Windows\system32\lsm.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778d29a0 5 bytes JMP 0000000077a301f0 .text C:\Windows\system32\lsm.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778d29b0 5 bytes JMP 0000000077a30210 .text C:\Windows\system32\lsm.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000778d2a20 5 bytes JMP 0000000077a30200 .text C:\Windows\system32\lsm.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000778d2a80 5 bytes JMP 0000000077a30420 .text C:\Windows\system32\lsm.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000778d2a90 5 bytes JMP 0000000077a30430 .text C:\Windows\system32\lsm.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000778d2aa0 5 bytes JMP 0000000077a30220 .text C:\Windows\system32\lsm.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000778d2b80 5 bytes JMP 0000000077a30280 .text C:\Windows\system32\winlogon.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000778d1360 5 bytes JMP 0000000077a30460 .text C:\Windows\system32\winlogon.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000778d13b0 5 bytes JMP 0000000077a30450 .text C:\Windows\system32\winlogon.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000778d1510 5 bytes JMP 0000000077a30370 .text C:\Windows\system32\winlogon.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000778d1560 5 bytes JMP 0000000077a30470 .text C:\Windows\system32\winlogon.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000778d1570 5 bytes JMP 0000000077a303e0 .text C:\Windows\system32\winlogon.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000778d1620 5 bytes JMP 0000000077a30320 .text C:\Windows\system32\winlogon.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000778d1650 5 bytes JMP 0000000077a303b0 .text C:\Windows\system32\winlogon.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000778d1670 5 bytes JMP 0000000077a30390 .text C:\Windows\system32\winlogon.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778d16b0 5 bytes JMP 0000000077a302e0 .text C:\Windows\system32\winlogon.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000778d1730 5 bytes JMP 0000000077a302d0 .text C:\Windows\system32\winlogon.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000778d1750 5 bytes JMP 0000000077a30310 .text C:\Windows\system32\winlogon.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000778d1790 5 bytes JMP 0000000077a303c0 .text C:\Windows\system32\winlogon.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778d17e0 5 bytes JMP 0000000077a303f0 .text C:\Windows\system32\winlogon.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000778d1940 5 bytes JMP 0000000077a30230 .text C:\Windows\system32\winlogon.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000778d1b00 5 bytes JMP 0000000077a30480 .text C:\Windows\system32\winlogon.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000778d1b30 5 bytes JMP 0000000077a303a0 .text C:\Windows\system32\winlogon.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000778d1c10 5 bytes JMP 0000000077a302f0 .text C:\Windows\system32\winlogon.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000778d1c20 5 bytes JMP 0000000077a30350 .text C:\Windows\system32\winlogon.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000778d1c80 5 bytes JMP 0000000077a30290 .text C:\Windows\system32\winlogon.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000778d1d10 5 bytes JMP 0000000077a302b0 .text C:\Windows\system32\winlogon.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000778d1d30 5 bytes JMP 0000000077a303d0 .text C:\Windows\system32\winlogon.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000778d1d40 5 bytes JMP 0000000077a30330 .text C:\Windows\system32\winlogon.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000778d1db0 5 bytes JMP 0000000077a30410 .text C:\Windows\system32\winlogon.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000778d1de0 5 bytes JMP 0000000077a30240 .text C:\Windows\system32\winlogon.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778d20a0 5 bytes JMP 0000000077a301e0 .text C:\Windows\system32\winlogon.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000778d2160 5 bytes JMP 0000000077a30250 .text C:\Windows\system32\winlogon.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000778d2190 5 bytes JMP 0000000077a30490 .text C:\Windows\system32\winlogon.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778d21a0 5 bytes JMP 0000000077a304a0 .text C:\Windows\system32\winlogon.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778d21d0 5 bytes JMP 0000000077a30300 .text C:\Windows\system32\winlogon.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778d21e0 5 bytes JMP 0000000077a30360 .text C:\Windows\system32\winlogon.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000778d2240 5 bytes JMP 0000000077a302a0 .text C:\Windows\system32\winlogon.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000778d2290 5 bytes JMP 0000000077a302c0 .text C:\Windows\system32\winlogon.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000778d22c0 5 bytes JMP 0000000077a30380 .text C:\Windows\system32\winlogon.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778d22d0 5 bytes JMP 0000000077a30340 .text C:\Windows\system32\winlogon.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000778d25c0 5 bytes JMP 0000000077a30440 .text C:\Windows\system32\winlogon.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778d27c0 5 bytes JMP 0000000077a30260 .text C:\Windows\system32\winlogon.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778d27d0 5 bytes JMP 0000000077a30270 .text C:\Windows\system32\winlogon.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778d27e0 5 bytes JMP 0000000077a30400 .text C:\Windows\system32\winlogon.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778d29a0 5 bytes JMP 0000000077a301f0 .text C:\Windows\system32\winlogon.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778d29b0 5 bytes JMP 0000000077a30210 .text C:\Windows\system32\winlogon.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000778d2a20 5 bytes JMP 0000000077a30200 .text C:\Windows\system32\winlogon.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000778d2a80 5 bytes JMP 0000000077a30420 .text C:\Windows\system32\winlogon.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000778d2a90 5 bytes JMP 0000000077a30430 .text C:\Windows\system32\winlogon.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000778d2aa0 5 bytes JMP 0000000077a30220 .text C:\Windows\system32\winlogon.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000778d2b80 5 bytes JMP 0000000077a30280 .text C:\Windows\system32\winlogon.exe[648] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000777bef8d 1 byte [62] .text C:\Windows\system32\svchost.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000778d1360 5 bytes JMP 0000000077a30460 .text C:\Windows\system32\svchost.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000778d13b0 5 bytes JMP 0000000077a30450 .text C:\Windows\system32\svchost.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000778d1510 5 bytes JMP 0000000077a30370 .text C:\Windows\system32\svchost.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000778d1560 5 bytes JMP 0000000077a30470 .text C:\Windows\system32\svchost.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000778d1570 5 bytes JMP 0000000077a303e0 .text C:\Windows\system32\svchost.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000778d1620 5 bytes JMP 0000000077a30320 .text C:\Windows\system32\svchost.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000778d1650 5 bytes JMP 0000000077a303b0 .text C:\Windows\system32\svchost.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000778d1670 5 bytes JMP 0000000077a30390 .text C:\Windows\system32\svchost.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778d16b0 5 bytes JMP 0000000077a302e0 .text C:\Windows\system32\svchost.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000778d1730 5 bytes JMP 0000000077a302d0 .text C:\Windows\system32\svchost.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000778d1750 5 bytes JMP 0000000077a30310 .text C:\Windows\system32\svchost.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000778d1790 5 bytes JMP 0000000077a303c0 .text C:\Windows\system32\svchost.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778d17e0 5 bytes JMP 0000000077a303f0 .text C:\Windows\system32\svchost.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000778d1940 5 bytes JMP 0000000077a30230 .text C:\Windows\system32\svchost.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000778d1b00 5 bytes JMP 0000000077a30480 .text C:\Windows\system32\svchost.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000778d1b30 5 bytes JMP 0000000077a303a0 .text C:\Windows\system32\svchost.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000778d1c10 5 bytes JMP 0000000077a302f0 .text C:\Windows\system32\svchost.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000778d1c20 5 bytes JMP 0000000077a30350 .text C:\Windows\system32\svchost.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000778d1c80 5 bytes JMP 0000000077a30290 .text C:\Windows\system32\svchost.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000778d1d10 5 bytes JMP 0000000077a302b0 .text C:\Windows\system32\svchost.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000778d1d30 5 bytes JMP 0000000077a303d0 .text C:\Windows\system32\svchost.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000778d1d40 5 bytes JMP 0000000077a30330 .text C:\Windows\system32\svchost.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000778d1db0 5 bytes JMP 0000000077a30410 .text C:\Windows\system32\svchost.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000778d1de0 5 bytes JMP 0000000077a30240 .text C:\Windows\system32\svchost.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778d20a0 5 bytes JMP 0000000077a301e0 .text C:\Windows\system32\svchost.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000778d2160 5 bytes JMP 0000000077a30250 .text C:\Windows\system32\svchost.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000778d2190 5 bytes JMP 0000000077a30490 .text C:\Windows\system32\svchost.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778d21a0 5 bytes JMP 0000000077a304a0 .text C:\Windows\system32\svchost.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778d21d0 5 bytes JMP 0000000077a30300 .text C:\Windows\system32\svchost.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778d21e0 5 bytes JMP 0000000077a30360 .text C:\Windows\system32\svchost.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000778d2240 5 bytes JMP 0000000077a302a0 .text C:\Windows\system32\svchost.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000778d2290 5 bytes JMP 0000000077a302c0 .text C:\Windows\system32\svchost.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000778d22c0 5 bytes JMP 0000000077a30380 .text C:\Windows\system32\svchost.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778d22d0 5 bytes JMP 0000000077a30340 .text C:\Windows\system32\svchost.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000778d25c0 5 bytes JMP 0000000077a30440 .text C:\Windows\system32\svchost.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778d27c0 5 bytes JMP 0000000077a30260 .text C:\Windows\system32\svchost.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778d27d0 5 bytes JMP 0000000077a30270 .text C:\Windows\system32\svchost.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778d27e0 5 bytes JMP 0000000077a30400 .text C:\Windows\system32\svchost.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778d29a0 5 bytes JMP 0000000077a301f0 .text C:\Windows\system32\svchost.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778d29b0 5 bytes JMP 0000000077a30210 .text C:\Windows\system32\svchost.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000778d2a20 5 bytes JMP 0000000077a30200 .text C:\Windows\system32\svchost.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000778d2a80 5 bytes JMP 0000000077a30420 .text C:\Windows\system32\svchost.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000778d2a90 5 bytes JMP 0000000077a30430 .text C:\Windows\system32\svchost.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000778d2aa0 5 bytes JMP 0000000077a30220 .text C:\Windows\system32\svchost.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000778d2b80 5 bytes JMP 0000000077a30280 .text C:\Windows\system32\nvvsvc.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000778d1360 5 bytes JMP 0000000077a30460 .text C:\Windows\system32\nvvsvc.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000778d13b0 5 bytes JMP 0000000077a30450 .text C:\Windows\system32\nvvsvc.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000778d1510 5 bytes JMP 0000000077a30370 .text C:\Windows\system32\nvvsvc.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000778d1560 5 bytes JMP 0000000077a30470 .text C:\Windows\system32\nvvsvc.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000778d1570 5 bytes JMP 0000000077a303e0 .text C:\Windows\system32\nvvsvc.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000778d1620 5 bytes JMP 0000000077a30320 .text C:\Windows\system32\nvvsvc.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000778d1650 5 bytes JMP 0000000077a303b0 .text C:\Windows\system32\nvvsvc.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000778d1670 5 bytes JMP 0000000077a30390 .text C:\Windows\system32\nvvsvc.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778d16b0 5 bytes JMP 0000000077a302e0 .text C:\Windows\system32\nvvsvc.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000778d1730 5 bytes JMP 0000000077a302d0 .text C:\Windows\system32\nvvsvc.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000778d1750 5 bytes JMP 0000000077a30310 .text C:\Windows\system32\nvvsvc.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000778d1790 5 bytes JMP 0000000077a303c0 .text C:\Windows\system32\nvvsvc.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778d17e0 5 bytes JMP 0000000077a303f0 .text C:\Windows\system32\nvvsvc.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000778d1940 5 bytes JMP 0000000077a30230 .text C:\Windows\system32\nvvsvc.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000778d1b00 5 bytes JMP 0000000077a30480 .text C:\Windows\system32\nvvsvc.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000778d1b30 5 bytes JMP 0000000077a303a0 .text C:\Windows\system32\nvvsvc.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000778d1c10 5 bytes JMP 0000000077a302f0 .text C:\Windows\system32\nvvsvc.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000778d1c20 5 bytes JMP 0000000077a30350 .text C:\Windows\system32\nvvsvc.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000778d1c80 5 bytes JMP 0000000077a30290 .text C:\Windows\system32\nvvsvc.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000778d1d10 5 bytes JMP 0000000077a302b0 .text C:\Windows\system32\nvvsvc.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000778d1d30 5 bytes JMP 0000000077a303d0 .text C:\Windows\system32\nvvsvc.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000778d1d40 5 bytes JMP 0000000077a30330 .text C:\Windows\system32\nvvsvc.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000778d1db0 5 bytes JMP 0000000077a30410 .text C:\Windows\system32\nvvsvc.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000778d1de0 5 bytes JMP 0000000077a30240 .text C:\Windows\system32\nvvsvc.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778d20a0 5 bytes JMP 0000000077a301e0 .text C:\Windows\system32\nvvsvc.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000778d2160 5 bytes JMP 0000000077a30250 .text C:\Windows\system32\nvvsvc.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000778d2190 5 bytes JMP 0000000077a30490 .text C:\Windows\system32\nvvsvc.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778d21a0 5 bytes JMP 0000000077a304a0 .text C:\Windows\system32\nvvsvc.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778d21d0 5 bytes JMP 0000000077a30300 .text C:\Windows\system32\nvvsvc.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778d21e0 5 bytes JMP 0000000077a30360 .text C:\Windows\system32\nvvsvc.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000778d2240 5 bytes JMP 0000000077a302a0 .text C:\Windows\system32\nvvsvc.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000778d2290 5 bytes JMP 0000000077a302c0 .text C:\Windows\system32\nvvsvc.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000778d22c0 5 bytes JMP 0000000077a30380 .text C:\Windows\system32\nvvsvc.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778d22d0 5 bytes JMP 0000000077a30340 .text C:\Windows\system32\nvvsvc.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000778d25c0 5 bytes JMP 0000000077a30440 .text C:\Windows\system32\nvvsvc.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778d27c0 5 bytes JMP 0000000077a30260 .text C:\Windows\system32\nvvsvc.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778d27d0 5 bytes JMP 0000000077a30270 .text C:\Windows\system32\nvvsvc.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778d27e0 5 bytes JMP 0000000077a30400 .text C:\Windows\system32\nvvsvc.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778d29a0 5 bytes JMP 0000000077a301f0 .text C:\Windows\system32\nvvsvc.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778d29b0 5 bytes JMP 0000000077a30210 .text C:\Windows\system32\nvvsvc.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000778d2a20 5 bytes JMP 0000000077a30200 .text C:\Windows\system32\nvvsvc.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000778d2a80 5 bytes JMP 0000000077a30420 .text C:\Windows\system32\nvvsvc.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000778d2a90 5 bytes JMP 0000000077a30430 .text C:\Windows\system32\nvvsvc.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000778d2aa0 5 bytes JMP 0000000077a30220 .text C:\Windows\system32\nvvsvc.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000778d2b80 5 bytes JMP 0000000077a30280 .text C:\Windows\system32\nvvsvc.exe[836] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000777bef8d 1 byte [62] .text C:\Windows\system32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000778d1360 5 bytes JMP 0000000077a30460 .text C:\Windows\system32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000778d13b0 5 bytes JMP 0000000077a30450 .text C:\Windows\system32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000778d1510 5 bytes JMP 0000000077a30370 .text C:\Windows\system32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000778d1560 5 bytes JMP 0000000077a30470 .text C:\Windows\system32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000778d1570 5 bytes JMP 0000000077a303e0 .text C:\Windows\system32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000778d1620 5 bytes JMP 0000000077a30320 .text C:\Windows\system32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000778d1650 5 bytes JMP 0000000077a303b0 .text C:\Windows\system32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000778d1670 5 bytes JMP 0000000077a30390 .text C:\Windows\system32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778d16b0 5 bytes JMP 0000000077a302e0 .text C:\Windows\system32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000778d1730 5 bytes JMP 0000000077a302d0 .text C:\Windows\system32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000778d1750 5 bytes JMP 0000000077a30310 .text C:\Windows\system32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000778d1790 5 bytes JMP 0000000077a303c0 .text C:\Windows\system32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778d17e0 5 bytes JMP 0000000077a303f0 .text C:\Windows\system32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000778d1940 5 bytes JMP 0000000077a30230 .text C:\Windows\system32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000778d1b00 5 bytes JMP 0000000077a30480 .text C:\Windows\system32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000778d1b30 5 bytes JMP 0000000077a303a0 .text C:\Windows\system32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000778d1c10 5 bytes JMP 0000000077a302f0 .text C:\Windows\system32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000778d1c20 5 bytes JMP 0000000077a30350 .text C:\Windows\system32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000778d1c80 5 bytes JMP 0000000077a30290 .text C:\Windows\system32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000778d1d10 5 bytes JMP 0000000077a302b0 .text C:\Windows\system32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000778d1d30 5 bytes JMP 0000000077a303d0 .text C:\Windows\system32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000778d1d40 5 bytes JMP 0000000077a30330 .text C:\Windows\system32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000778d1db0 5 bytes JMP 0000000077a30410 .text C:\Windows\system32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000778d1de0 5 bytes JMP 0000000077a30240 .text C:\Windows\system32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778d20a0 5 bytes JMP 0000000077a301e0 .text C:\Windows\system32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000778d2160 5 bytes JMP 0000000077a30250 .text C:\Windows\system32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000778d2190 5 bytes JMP 0000000077a30490 .text C:\Windows\system32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778d21a0 5 bytes JMP 0000000077a304a0 .text C:\Windows\system32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778d21d0 5 bytes JMP 0000000077a30300 .text C:\Windows\system32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778d21e0 5 bytes JMP 0000000077a30360 .text C:\Windows\system32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000778d2240 5 bytes JMP 0000000077a302a0 .text C:\Windows\system32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000778d2290 5 bytes JMP 0000000077a302c0 .text C:\Windows\system32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000778d22c0 5 bytes JMP 0000000077a30380 .text C:\Windows\system32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778d22d0 5 bytes JMP 0000000077a30340 .text C:\Windows\system32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000778d25c0 5 bytes JMP 0000000077a30440 .text C:\Windows\system32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778d27c0 5 bytes JMP 0000000077a30260 .text C:\Windows\system32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778d27d0 5 bytes JMP 0000000077a30270 .text C:\Windows\system32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778d27e0 5 bytes JMP 0000000077a30400 .text C:\Windows\system32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778d29a0 5 bytes JMP 0000000077a301f0 .text C:\Windows\system32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778d29b0 5 bytes JMP 0000000077a30210 .text C:\Windows\system32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000778d2a20 5 bytes JMP 0000000077a30200 .text C:\Windows\system32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000778d2a80 5 bytes JMP 0000000077a30420 .text C:\Windows\system32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000778d2a90 5 bytes JMP 0000000077a30430 .text C:\Windows\system32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000778d2aa0 5 bytes JMP 0000000077a30220 .text C:\Windows\system32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000778d2b80 5 bytes JMP 0000000077a30280 .text C:\Windows\System32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000778d1360 5 bytes JMP 0000000077a30460 .text C:\Windows\System32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000778d13b0 5 bytes JMP 0000000077a30450 .text C:\Windows\System32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000778d1510 5 bytes JMP 0000000077a30370 .text C:\Windows\System32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000778d1560 5 bytes JMP 0000000077a30470 .text C:\Windows\System32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000778d1570 5 bytes JMP 0000000077a303e0 .text C:\Windows\System32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000778d1620 5 bytes JMP 0000000077a30320 .text C:\Windows\System32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000778d1650 5 bytes JMP 0000000077a303b0 .text C:\Windows\System32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000778d1670 5 bytes JMP 0000000077a30390 .text C:\Windows\System32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778d16b0 5 bytes JMP 0000000077a302e0 .text C:\Windows\System32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000778d1730 5 bytes JMP 0000000077a302d0 .text C:\Windows\System32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000778d1750 5 bytes JMP 0000000077a30310 .text C:\Windows\System32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000778d1790 5 bytes JMP 0000000077a303c0 .text C:\Windows\System32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778d17e0 5 bytes JMP 0000000077a303f0 .text C:\Windows\System32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000778d1940 5 bytes JMP 0000000077a30230 .text C:\Windows\System32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000778d1b00 5 bytes JMP 0000000077a30480 .text C:\Windows\System32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000778d1b30 5 bytes JMP 0000000077a303a0 .text C:\Windows\System32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000778d1c10 5 bytes JMP 0000000077a302f0 .text C:\Windows\System32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000778d1c20 5 bytes JMP 0000000077a30350 .text C:\Windows\System32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000778d1c80 5 bytes JMP 0000000077a30290 .text C:\Windows\System32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000778d1d10 5 bytes JMP 0000000077a302b0 .text C:\Windows\System32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000778d1d30 5 bytes JMP 0000000077a303d0 .text C:\Windows\System32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000778d1d40 5 bytes JMP 0000000077a30330 .text C:\Windows\System32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000778d1db0 5 bytes JMP 0000000077a30410 .text C:\Windows\System32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000778d1de0 5 bytes JMP 0000000077a30240 .text C:\Windows\System32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778d20a0 5 bytes JMP 0000000077a301e0 .text C:\Windows\System32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000778d2160 5 bytes JMP 0000000077a30250 .text C:\Windows\System32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000778d2190 5 bytes JMP 0000000077a30490 .text C:\Windows\System32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778d21a0 5 bytes JMP 0000000077a304a0 .text C:\Windows\System32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778d21d0 5 bytes JMP 0000000077a30300 .text C:\Windows\System32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778d21e0 5 bytes JMP 0000000077a30360 .text C:\Windows\System32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000778d2240 5 bytes JMP 0000000077a302a0 .text C:\Windows\System32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000778d2290 5 bytes JMP 0000000077a302c0 .text C:\Windows\System32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000778d22c0 5 bytes JMP 0000000077a30380 .text C:\Windows\System32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778d22d0 5 bytes JMP 0000000077a30340 .text C:\Windows\System32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000778d25c0 5 bytes JMP 0000000077a30440 .text C:\Windows\System32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778d27c0 5 bytes JMP 0000000077a30260 .text C:\Windows\System32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778d27d0 5 bytes JMP 0000000077a30270 .text C:\Windows\System32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778d27e0 5 bytes JMP 0000000077a30400 .text C:\Windows\System32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778d29a0 5 bytes JMP 0000000077a301f0 .text C:\Windows\System32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778d29b0 5 bytes JMP 0000000077a30210 .text C:\Windows\System32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000778d2a20 5 bytes JMP 0000000077a30200 .text C:\Windows\System32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000778d2a80 5 bytes JMP 0000000077a30420 .text C:\Windows\System32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000778d2a90 5 bytes JMP 0000000077a30430 .text C:\Windows\System32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000778d2aa0 5 bytes JMP 0000000077a30220 .text C:\Windows\System32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000778d2b80 5 bytes JMP 0000000077a30280 .text C:\Windows\System32\svchost.exe[248] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000778d1360 5 bytes JMP 0000000100070460 .text C:\Windows\System32\svchost.exe[248] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000778d13b0 5 bytes JMP 0000000100070450 .text C:\Windows\System32\svchost.exe[248] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000778d1510 5 bytes JMP 0000000100070370 .text C:\Windows\System32\svchost.exe[248] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000778d1560 5 bytes JMP 0000000100070470 .text C:\Windows\System32\svchost.exe[248] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000778d1570 5 bytes JMP 00000001000703e0 .text C:\Windows\System32\svchost.exe[248] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000778d1620 5 bytes JMP 0000000100070320 .text C:\Windows\System32\svchost.exe[248] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000778d1650 5 bytes JMP 00000001000703b0 .text C:\Windows\System32\svchost.exe[248] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000778d1670 5 bytes JMP 0000000100070390 .text C:\Windows\System32\svchost.exe[248] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778d16b0 5 bytes JMP 00000001000702e0 .text C:\Windows\System32\svchost.exe[248] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000778d1730 5 bytes JMP 00000001000702d0 .text C:\Windows\System32\svchost.exe[248] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000778d1750 5 bytes JMP 0000000100070310 .text C:\Windows\System32\svchost.exe[248] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000778d1790 5 bytes JMP 00000001000703c0 .text C:\Windows\System32\svchost.exe[248] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778d17e0 5 bytes JMP 00000001000703f0 .text C:\Windows\System32\svchost.exe[248] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000778d1940 5 bytes JMP 0000000100070230 .text C:\Windows\System32\svchost.exe[248] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000778d1b00 5 bytes JMP 0000000100070480 .text C:\Windows\System32\svchost.exe[248] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000778d1b30 5 bytes JMP 00000001000703a0 .text C:\Windows\System32\svchost.exe[248] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000778d1c10 5 bytes JMP 00000001000702f0 .text C:\Windows\System32\svchost.exe[248] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000778d1c20 5 bytes JMP 0000000100070350 .text C:\Windows\System32\svchost.exe[248] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000778d1c80 5 bytes JMP 0000000100070290 .text C:\Windows\System32\svchost.exe[248] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000778d1d10 5 bytes JMP 00000001000702b0 .text C:\Windows\System32\svchost.exe[248] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000778d1d30 5 bytes JMP 00000001000703d0 .text C:\Windows\System32\svchost.exe[248] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000778d1d40 5 bytes JMP 0000000100070330 .text C:\Windows\System32\svchost.exe[248] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000778d1db0 5 bytes JMP 0000000100070410 .text C:\Windows\System32\svchost.exe[248] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000778d1de0 5 bytes JMP 0000000100070240 .text C:\Windows\System32\svchost.exe[248] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778d20a0 5 bytes JMP 00000001000701e0 .text C:\Windows\System32\svchost.exe[248] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000778d2160 5 bytes JMP 0000000100070250 .text C:\Windows\System32\svchost.exe[248] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000778d2190 5 bytes JMP 0000000100070490 .text C:\Windows\System32\svchost.exe[248] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778d21a0 5 bytes JMP 00000001000704a0 .text C:\Windows\System32\svchost.exe[248] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778d21d0 5 bytes JMP 0000000100070300 .text C:\Windows\System32\svchost.exe[248] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778d21e0 5 bytes JMP 0000000100070360 .text C:\Windows\System32\svchost.exe[248] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000778d2240 5 bytes JMP 00000001000702a0 .text C:\Windows\System32\svchost.exe[248] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000778d2290 5 bytes JMP 00000001000702c0 .text C:\Windows\System32\svchost.exe[248] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000778d22c0 5 bytes JMP 0000000100070380 .text C:\Windows\System32\svchost.exe[248] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778d22d0 5 bytes JMP 0000000100070340 .text C:\Windows\System32\svchost.exe[248] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000778d25c0 5 bytes JMP 0000000100070440 .text C:\Windows\System32\svchost.exe[248] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778d27c0 5 bytes JMP 0000000100070260 .text C:\Windows\System32\svchost.exe[248] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778d27d0 5 bytes JMP 0000000100070270 .text C:\Windows\System32\svchost.exe[248] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778d27e0 5 bytes JMP 0000000100070400 .text C:\Windows\System32\svchost.exe[248] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778d29a0 5 bytes JMP 00000001000701f0 .text C:\Windows\System32\svchost.exe[248] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778d29b0 5 bytes JMP 0000000100070210 .text C:\Windows\System32\svchost.exe[248] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000778d2a20 5 bytes JMP 0000000100070200 .text C:\Windows\System32\svchost.exe[248] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000778d2a80 5 bytes JMP 0000000100070420 .text C:\Windows\System32\svchost.exe[248] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000778d2a90 5 bytes JMP 0000000100070430 .text C:\Windows\System32\svchost.exe[248] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000778d2aa0 5 bytes JMP 0000000100070220 .text C:\Windows\System32\svchost.exe[248] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000778d2b80 5 bytes JMP 0000000100070280 .text C:\Windows\System32\svchost.exe[248] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000777bef8d 1 byte [62] .text C:\Windows\system32\svchost.exe[364] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000778d1360 5 bytes JMP 0000000077a30460 .text C:\Windows\system32\svchost.exe[364] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000778d13b0 5 bytes JMP 0000000077a30450 .text C:\Windows\system32\svchost.exe[364] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000778d1510 5 bytes JMP 0000000077a30370 .text C:\Windows\system32\svchost.exe[364] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000778d1560 5 bytes JMP 0000000077a30470 .text C:\Windows\system32\svchost.exe[364] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000778d1570 5 bytes JMP 0000000077a303e0 .text C:\Windows\system32\svchost.exe[364] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000778d1620 5 bytes JMP 0000000077a30320 .text C:\Windows\system32\svchost.exe[364] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000778d1650 5 bytes JMP 0000000077a303b0 .text C:\Windows\system32\svchost.exe[364] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000778d1670 5 bytes JMP 0000000077a30390 .text C:\Windows\system32\svchost.exe[364] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778d16b0 5 bytes JMP 0000000077a302e0 .text C:\Windows\system32\svchost.exe[364] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000778d1730 5 bytes JMP 0000000077a302d0 .text C:\Windows\system32\svchost.exe[364] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000778d1750 5 bytes JMP 0000000077a30310 .text C:\Windows\system32\svchost.exe[364] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000778d1790 5 bytes JMP 0000000077a303c0 .text C:\Windows\system32\svchost.exe[364] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778d17e0 5 bytes JMP 0000000077a303f0 .text C:\Windows\system32\svchost.exe[364] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000778d1940 5 bytes JMP 0000000077a30230 .text C:\Windows\system32\svchost.exe[364] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000778d1b00 5 bytes JMP 0000000077a30480 .text C:\Windows\system32\svchost.exe[364] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000778d1b30 5 bytes JMP 0000000077a303a0 .text C:\Windows\system32\svchost.exe[364] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000778d1c10 5 bytes JMP 0000000077a302f0 .text C:\Windows\system32\svchost.exe[364] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000778d1c20 5 bytes JMP 0000000077a30350 .text C:\Windows\system32\svchost.exe[364] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000778d1c80 5 bytes JMP 0000000077a30290 .text C:\Windows\system32\svchost.exe[364] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000778d1d10 5 bytes JMP 0000000077a302b0 .text C:\Windows\system32\svchost.exe[364] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000778d1d30 5 bytes JMP 0000000077a303d0 .text C:\Windows\system32\svchost.exe[364] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000778d1d40 5 bytes JMP 0000000077a30330 .text C:\Windows\system32\svchost.exe[364] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000778d1db0 5 bytes JMP 0000000077a30410 .text C:\Windows\system32\svchost.exe[364] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000778d1de0 5 bytes JMP 0000000077a30240 .text C:\Windows\system32\svchost.exe[364] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778d20a0 5 bytes JMP 0000000077a301e0 .text C:\Windows\system32\svchost.exe[364] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000778d2160 5 bytes JMP 0000000077a30250 .text C:\Windows\system32\svchost.exe[364] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000778d2190 5 bytes JMP 0000000077a30490 .text C:\Windows\system32\svchost.exe[364] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778d21a0 5 bytes JMP 0000000077a304a0 .text C:\Windows\system32\svchost.exe[364] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778d21d0 5 bytes JMP 0000000077a30300 .text C:\Windows\system32\svchost.exe[364] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778d21e0 5 bytes JMP 0000000077a30360 .text C:\Windows\system32\svchost.exe[364] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000778d2240 5 bytes JMP 0000000077a302a0 .text C:\Windows\system32\svchost.exe[364] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000778d2290 5 bytes JMP 0000000077a302c0 .text C:\Windows\system32\svchost.exe[364] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000778d22c0 5 bytes JMP 0000000077a30380 .text C:\Windows\system32\svchost.exe[364] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778d22d0 5 bytes JMP 0000000077a30340 .text C:\Windows\system32\svchost.exe[364] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000778d25c0 5 bytes JMP 0000000077a30440 .text C:\Windows\system32\svchost.exe[364] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778d27c0 5 bytes JMP 0000000077a30260 .text C:\Windows\system32\svchost.exe[364] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778d27d0 5 bytes JMP 0000000077a30270 .text C:\Windows\system32\svchost.exe[364] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778d27e0 5 bytes JMP 0000000077a30400 .text C:\Windows\system32\svchost.exe[364] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778d29a0 5 bytes JMP 0000000077a301f0 .text C:\Windows\system32\svchost.exe[364] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778d29b0 5 bytes JMP 0000000077a30210 .text C:\Windows\system32\svchost.exe[364] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000778d2a20 5 bytes JMP 0000000077a30200 .text C:\Windows\system32\svchost.exe[364] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000778d2a80 5 bytes JMP 0000000077a30420 .text C:\Windows\system32\svchost.exe[364] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000778d2a90 5 bytes JMP 0000000077a30430 .text C:\Windows\system32\svchost.exe[364] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000778d2aa0 5 bytes JMP 0000000077a30220 .text C:\Windows\system32\svchost.exe[364] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000778d2b80 5 bytes JMP 0000000077a30280 .text C:\Windows\system32\svchost.exe[364] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000777bef8d 1 byte [62] .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000778d1360 5 bytes JMP 0000000077a30460 .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000778d13b0 5 bytes JMP 0000000077a30450 .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000778d1510 5 bytes JMP 0000000077a30370 .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000778d1560 5 bytes JMP 0000000077a30470 .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000778d1570 5 bytes JMP 0000000077a303e0 .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000778d1620 5 bytes JMP 0000000077a30320 .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000778d1650 5 bytes JMP 0000000077a303b0 .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000778d1670 5 bytes JMP 0000000077a30390 .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778d16b0 5 bytes JMP 0000000077a302e0 .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000778d1730 5 bytes JMP 0000000077a302d0 .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000778d1750 5 bytes JMP 0000000077a30310 .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000778d1790 5 bytes JMP 0000000077a303c0 .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778d17e0 5 bytes JMP 0000000077a303f0 .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000778d1940 5 bytes JMP 0000000077a30230 .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000778d1b00 5 bytes JMP 0000000077a30480 .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000778d1b30 5 bytes JMP 0000000077a303a0 .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000778d1c10 5 bytes JMP 0000000077a302f0 .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000778d1c20 5 bytes JMP 0000000077a30350 .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000778d1c80 5 bytes JMP 0000000077a30290 .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000778d1d10 5 bytes JMP 0000000077a302b0 .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000778d1d30 5 bytes JMP 0000000077a303d0 .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000778d1d40 5 bytes JMP 0000000077a30330 .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000778d1db0 5 bytes JMP 0000000077a30410 .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000778d1de0 5 bytes JMP 0000000077a30240 .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778d20a0 5 bytes JMP 0000000077a301e0 .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000778d2160 5 bytes JMP 0000000077a30250 .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000778d2190 5 bytes JMP 0000000077a30490 .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778d21a0 5 bytes JMP 0000000077a304a0 .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778d21d0 5 bytes JMP 0000000077a30300 .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778d21e0 5 bytes JMP 0000000077a30360 .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000778d2240 5 bytes JMP 0000000077a302a0 .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000778d2290 5 bytes JMP 0000000077a302c0 .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000778d22c0 5 bytes JMP 0000000077a30380 .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778d22d0 5 bytes JMP 0000000077a30340 .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000778d25c0 5 bytes JMP 0000000077a30440 .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778d27c0 5 bytes JMP 0000000077a30260 .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778d27d0 5 bytes JMP 0000000077a30270 .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778d27e0 5 bytes JMP 0000000077a30400 .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778d29a0 5 bytes JMP 0000000077a301f0 .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778d29b0 5 bytes JMP 0000000077a30210 .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000778d2a20 5 bytes JMP 0000000077a30200 .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000778d2a80 5 bytes JMP 0000000077a30420 .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000778d2a90 5 bytes JMP 0000000077a30430 .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000778d2aa0 5 bytes JMP 0000000077a30220 .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000778d2b80 5 bytes JMP 0000000077a30280 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000778d1360 5 bytes JMP 0000000077a30460 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000778d13b0 5 bytes JMP 0000000077a30450 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000778d1510 5 bytes JMP 0000000077a30370 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000778d1560 5 bytes JMP 0000000077a30470 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000778d1570 5 bytes JMP 0000000077a303e0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000778d1620 5 bytes JMP 0000000077a30320 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000778d1650 5 bytes JMP 0000000077a303b0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000778d1670 5 bytes JMP 0000000077a30390 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778d16b0 5 bytes JMP 0000000077a302e0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000778d1730 5 bytes JMP 0000000077a302d0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000778d1750 5 bytes JMP 0000000077a30310 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000778d1790 5 bytes JMP 0000000077a303c0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778d17e0 5 bytes JMP 0000000077a303f0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000778d1940 5 bytes JMP 0000000077a30230 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000778d1b00 5 bytes JMP 0000000077a30480 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000778d1b30 5 bytes JMP 0000000077a303a0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000778d1c10 5 bytes JMP 0000000077a302f0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000778d1c20 5 bytes JMP 0000000077a30350 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000778d1c80 5 bytes JMP 0000000077a30290 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000778d1d10 5 bytes JMP 0000000077a302b0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000778d1d30 5 bytes JMP 0000000077a303d0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000778d1d40 5 bytes JMP 0000000077a30330 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000778d1db0 5 bytes JMP 0000000077a30410 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000778d1de0 5 bytes JMP 0000000077a30240 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778d20a0 5 bytes JMP 0000000077a301e0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000778d2160 5 bytes JMP 0000000077a30250 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000778d2190 5 bytes JMP 0000000077a30490 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778d21a0 5 bytes JMP 0000000077a304a0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778d21d0 5 bytes JMP 0000000077a30300 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778d21e0 5 bytes JMP 0000000077a30360 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000778d2240 5 bytes JMP 0000000077a302a0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000778d2290 5 bytes JMP 0000000077a302c0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000778d22c0 5 bytes JMP 0000000077a30380 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778d22d0 5 bytes JMP 0000000077a30340 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000778d25c0 5 bytes JMP 0000000077a30440 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778d27c0 5 bytes JMP 0000000077a30260 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778d27d0 5 bytes JMP 0000000077a30270 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778d27e0 5 bytes JMP 0000000077a30400 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778d29a0 5 bytes JMP 0000000077a301f0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778d29b0 5 bytes JMP 0000000077a30210 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000778d2a20 5 bytes JMP 0000000077a30200 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000778d2a80 5 bytes JMP 0000000077a30420 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000778d2a90 5 bytes JMP 0000000077a30430 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000778d2aa0 5 bytes JMP 0000000077a30220 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000778d2b80 5 bytes JMP 0000000077a30280 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1104] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000777bef8d 1 byte [62] .text C:\Windows\system32\nvvsvc.exe[1112] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000778d1360 5 bytes JMP 0000000077a30460 .text C:\Windows\system32\nvvsvc.exe[1112] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000778d13b0 5 bytes JMP 0000000077a30450 .text C:\Windows\system32\nvvsvc.exe[1112] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000778d1510 5 bytes JMP 0000000077a30370 .text C:\Windows\system32\nvvsvc.exe[1112] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000778d1560 5 bytes JMP 0000000077a30470 .text C:\Windows\system32\nvvsvc.exe[1112] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000778d1570 5 bytes JMP 0000000077a303e0 .text C:\Windows\system32\nvvsvc.exe[1112] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000778d1620 5 bytes JMP 0000000077a30320 .text C:\Windows\system32\nvvsvc.exe[1112] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000778d1650 5 bytes JMP 0000000077a303b0 .text C:\Windows\system32\nvvsvc.exe[1112] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000778d1670 5 bytes JMP 0000000077a30390 .text C:\Windows\system32\nvvsvc.exe[1112] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778d16b0 5 bytes JMP 0000000077a302e0 .text C:\Windows\system32\nvvsvc.exe[1112] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000778d1730 5 bytes JMP 0000000077a302d0 .text C:\Windows\system32\nvvsvc.exe[1112] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000778d1750 5 bytes JMP 0000000077a30310 .text C:\Windows\system32\nvvsvc.exe[1112] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000778d1790 5 bytes JMP 0000000077a303c0 .text C:\Windows\system32\nvvsvc.exe[1112] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778d17e0 5 bytes JMP 0000000077a303f0 .text C:\Windows\system32\nvvsvc.exe[1112] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000778d1940 5 bytes JMP 0000000077a30230 .text C:\Windows\system32\nvvsvc.exe[1112] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000778d1b00 5 bytes JMP 0000000077a30480 .text C:\Windows\system32\nvvsvc.exe[1112] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000778d1b30 5 bytes JMP 0000000077a303a0 .text C:\Windows\system32\nvvsvc.exe[1112] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000778d1c10 5 bytes JMP 0000000077a302f0 .text C:\Windows\system32\nvvsvc.exe[1112] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000778d1c20 5 bytes JMP 0000000077a30350 .text C:\Windows\system32\nvvsvc.exe[1112] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000778d1c80 5 bytes JMP 0000000077a30290 .text C:\Windows\system32\nvvsvc.exe[1112] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000778d1d10 5 bytes JMP 0000000077a302b0 .text C:\Windows\system32\nvvsvc.exe[1112] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000778d1d30 5 bytes JMP 0000000077a303d0 .text C:\Windows\system32\nvvsvc.exe[1112] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000778d1d40 5 bytes JMP 0000000077a30330 .text C:\Windows\system32\nvvsvc.exe[1112] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000778d1db0 5 bytes JMP 0000000077a30410 .text C:\Windows\system32\nvvsvc.exe[1112] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000778d1de0 5 bytes JMP 0000000077a30240 .text C:\Windows\system32\nvvsvc.exe[1112] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778d20a0 5 bytes JMP 0000000077a301e0 .text C:\Windows\system32\nvvsvc.exe[1112] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000778d2160 5 bytes JMP 0000000077a30250 .text C:\Windows\system32\nvvsvc.exe[1112] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000778d2190 5 bytes JMP 0000000077a30490 .text C:\Windows\system32\nvvsvc.exe[1112] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778d21a0 5 bytes JMP 0000000077a304a0 .text C:\Windows\system32\nvvsvc.exe[1112] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778d21d0 5 bytes JMP 0000000077a30300 .text C:\Windows\system32\nvvsvc.exe[1112] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778d21e0 5 bytes JMP 0000000077a30360 .text C:\Windows\system32\nvvsvc.exe[1112] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000778d2240 5 bytes JMP 0000000077a302a0 .text C:\Windows\system32\nvvsvc.exe[1112] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000778d2290 5 bytes JMP 0000000077a302c0 .text C:\Windows\system32\nvvsvc.exe[1112] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000778d22c0 5 bytes JMP 0000000077a30380 .text C:\Windows\system32\nvvsvc.exe[1112] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778d22d0 5 bytes JMP 0000000077a30340 .text C:\Windows\system32\nvvsvc.exe[1112] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000778d25c0 5 bytes JMP 0000000077a30440 .text C:\Windows\system32\nvvsvc.exe[1112] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778d27c0 5 bytes JMP 0000000077a30260 .text C:\Windows\system32\nvvsvc.exe[1112] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778d27d0 5 bytes JMP 0000000077a30270 .text C:\Windows\system32\nvvsvc.exe[1112] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778d27e0 5 bytes JMP 0000000077a30400 .text C:\Windows\system32\nvvsvc.exe[1112] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778d29a0 5 bytes JMP 0000000077a301f0 .text C:\Windows\system32\nvvsvc.exe[1112] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778d29b0 5 bytes JMP 0000000077a30210 .text C:\Windows\system32\nvvsvc.exe[1112] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000778d2a20 5 bytes JMP 0000000077a30200 .text C:\Windows\system32\nvvsvc.exe[1112] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000778d2a80 5 bytes JMP 0000000077a30420 .text C:\Windows\system32\nvvsvc.exe[1112] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000778d2a90 5 bytes JMP 0000000077a30430 .text C:\Windows\system32\nvvsvc.exe[1112] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000778d2aa0 5 bytes JMP 0000000077a30220 .text C:\Windows\system32\nvvsvc.exe[1112] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000778d2b80 5 bytes JMP 0000000077a30280 .text C:\Windows\system32\nvvsvc.exe[1112] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000777bef8d 1 byte [62] .text C:\Windows\system32\svchost.exe[1180] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000778d1360 5 bytes JMP 0000000077a30460 .text C:\Windows\system32\svchost.exe[1180] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000778d13b0 5 bytes JMP 0000000077a30450 .text C:\Windows\system32\svchost.exe[1180] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000778d1510 5 bytes JMP 0000000077a30370 .text C:\Windows\system32\svchost.exe[1180] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000778d1560 5 bytes JMP 0000000077a30470 .text C:\Windows\system32\svchost.exe[1180] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000778d1570 5 bytes JMP 0000000077a303e0 .text C:\Windows\system32\svchost.exe[1180] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000778d1620 5 bytes JMP 0000000077a30320 .text C:\Windows\system32\svchost.exe[1180] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000778d1650 5 bytes JMP 0000000077a303b0 .text C:\Windows\system32\svchost.exe[1180] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000778d1670 5 bytes JMP 0000000077a30390 .text C:\Windows\system32\svchost.exe[1180] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778d16b0 5 bytes JMP 0000000077a302e0 .text C:\Windows\system32\svchost.exe[1180] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000778d1730 5 bytes JMP 0000000077a302d0 .text C:\Windows\system32\svchost.exe[1180] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000778d1750 5 bytes JMP 0000000077a30310 .text C:\Windows\system32\svchost.exe[1180] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000778d1790 5 bytes JMP 0000000077a303c0 .text C:\Windows\system32\svchost.exe[1180] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778d17e0 5 bytes JMP 0000000077a303f0 .text C:\Windows\system32\svchost.exe[1180] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000778d1940 5 bytes JMP 0000000077a30230 .text C:\Windows\system32\svchost.exe[1180] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000778d1b00 5 bytes JMP 0000000077a30480 .text C:\Windows\system32\svchost.exe[1180] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000778d1b30 5 bytes JMP 0000000077a303a0 .text C:\Windows\system32\svchost.exe[1180] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000778d1c10 5 bytes JMP 0000000077a302f0 .text C:\Windows\system32\svchost.exe[1180] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000778d1c20 5 bytes JMP 0000000077a30350 .text C:\Windows\system32\svchost.exe[1180] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000778d1c80 5 bytes JMP 0000000077a30290 .text C:\Windows\system32\svchost.exe[1180] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000778d1d10 5 bytes JMP 0000000077a302b0 .text C:\Windows\system32\svchost.exe[1180] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000778d1d30 5 bytes JMP 0000000077a303d0 .text C:\Windows\system32\svchost.exe[1180] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000778d1d40 5 bytes JMP 0000000077a30330 .text C:\Windows\system32\svchost.exe[1180] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000778d1db0 5 bytes JMP 0000000077a30410 .text C:\Windows\system32\svchost.exe[1180] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000778d1de0 5 bytes JMP 0000000077a30240 .text C:\Windows\system32\svchost.exe[1180] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778d20a0 5 bytes JMP 0000000077a301e0 .text C:\Windows\system32\svchost.exe[1180] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000778d2160 5 bytes JMP 0000000077a30250 .text C:\Windows\system32\svchost.exe[1180] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000778d2190 5 bytes JMP 0000000077a30490 .text C:\Windows\system32\svchost.exe[1180] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778d21a0 5 bytes JMP 0000000077a304a0 .text C:\Windows\system32\svchost.exe[1180] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778d21d0 5 bytes JMP 0000000077a30300 .text C:\Windows\system32\svchost.exe[1180] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778d21e0 5 bytes JMP 0000000077a30360 .text C:\Windows\system32\svchost.exe[1180] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000778d2240 5 bytes JMP 0000000077a302a0 .text C:\Windows\system32\svchost.exe[1180] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000778d2290 5 bytes JMP 0000000077a302c0 .text C:\Windows\system32\svchost.exe[1180] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000778d22c0 5 bytes JMP 0000000077a30380 .text C:\Windows\system32\svchost.exe[1180] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778d22d0 5 bytes JMP 0000000077a30340 .text C:\Windows\system32\svchost.exe[1180] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000778d25c0 5 bytes JMP 0000000077a30440 .text C:\Windows\system32\svchost.exe[1180] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778d27c0 5 bytes JMP 0000000077a30260 .text C:\Windows\system32\svchost.exe[1180] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778d27d0 5 bytes JMP 0000000077a30270 .text C:\Windows\system32\svchost.exe[1180] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778d27e0 5 bytes JMP 0000000077a30400 .text C:\Windows\system32\svchost.exe[1180] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778d29a0 5 bytes JMP 0000000077a301f0 .text C:\Windows\system32\svchost.exe[1180] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778d29b0 5 bytes JMP 0000000077a30210 .text C:\Windows\system32\svchost.exe[1180] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000778d2a20 5 bytes JMP 0000000077a30200 .text C:\Windows\system32\svchost.exe[1180] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000778d2a80 5 bytes JMP 0000000077a30420 .text C:\Windows\system32\svchost.exe[1180] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000778d2a90 5 bytes JMP 0000000077a30430 .text C:\Windows\system32\svchost.exe[1180] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000778d2aa0 5 bytes JMP 0000000077a30220 .text C:\Windows\system32\svchost.exe[1180] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000778d2b80 5 bytes JMP 0000000077a30280 .text C:\Windows\system32\svchost.exe[1180] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000777bef8d 1 byte [62] .text C:\Windows\system32\Dwm.exe[1384] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000778d1360 5 bytes JMP 0000000077a30460 .text C:\Windows\system32\Dwm.exe[1384] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000778d13b0 5 bytes JMP 0000000077a30450 .text C:\Windows\system32\Dwm.exe[1384] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000778d1510 5 bytes JMP 0000000077a30370 .text C:\Windows\system32\Dwm.exe[1384] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000778d1560 5 bytes JMP 0000000077a30470 .text C:\Windows\system32\Dwm.exe[1384] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000778d1570 5 bytes JMP 0000000077a303e0 .text C:\Windows\system32\Dwm.exe[1384] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000778d1620 5 bytes JMP 0000000077a30320 .text C:\Windows\system32\Dwm.exe[1384] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000778d1650 5 bytes JMP 0000000077a303b0 .text C:\Windows\system32\Dwm.exe[1384] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000778d1670 5 bytes JMP 0000000077a30390 .text C:\Windows\system32\Dwm.exe[1384] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778d16b0 5 bytes JMP 0000000077a302e0 .text C:\Windows\system32\Dwm.exe[1384] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000778d1730 5 bytes JMP 0000000077a302d0 .text C:\Windows\system32\Dwm.exe[1384] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000778d1750 5 bytes JMP 0000000077a30310 .text C:\Windows\system32\Dwm.exe[1384] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000778d1790 5 bytes JMP 0000000077a303c0 .text C:\Windows\system32\Dwm.exe[1384] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778d17e0 5 bytes JMP 0000000077a303f0 .text C:\Windows\system32\Dwm.exe[1384] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000778d1940 5 bytes JMP 0000000077a30230 .text C:\Windows\system32\Dwm.exe[1384] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000778d1b00 5 bytes JMP 0000000077a30480 .text C:\Windows\system32\Dwm.exe[1384] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000778d1b30 5 bytes JMP 0000000077a303a0 .text C:\Windows\system32\Dwm.exe[1384] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000778d1c10 5 bytes JMP 0000000077a302f0 .text C:\Windows\system32\Dwm.exe[1384] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000778d1c20 5 bytes JMP 0000000077a30350 .text C:\Windows\system32\Dwm.exe[1384] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000778d1c80 5 bytes JMP 0000000077a30290 .text C:\Windows\system32\Dwm.exe[1384] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000778d1d10 5 bytes JMP 0000000077a302b0 .text C:\Windows\system32\Dwm.exe[1384] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000778d1d30 5 bytes JMP 0000000077a303d0 .text C:\Windows\system32\Dwm.exe[1384] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000778d1d40 5 bytes JMP 0000000077a30330 .text C:\Windows\system32\Dwm.exe[1384] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000778d1db0 5 bytes JMP 0000000077a30410 .text C:\Windows\system32\Dwm.exe[1384] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000778d1de0 5 bytes JMP 0000000077a30240 .text C:\Windows\system32\Dwm.exe[1384] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778d20a0 5 bytes JMP 0000000077a301e0 .text C:\Windows\system32\Dwm.exe[1384] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000778d2160 5 bytes JMP 0000000077a30250 .text C:\Windows\system32\Dwm.exe[1384] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000778d2190 5 bytes JMP 0000000077a30490 .text C:\Windows\system32\Dwm.exe[1384] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778d21a0 5 bytes JMP 0000000077a304a0 .text C:\Windows\system32\Dwm.exe[1384] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778d21d0 5 bytes JMP 0000000077a30300 .text C:\Windows\system32\Dwm.exe[1384] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778d21e0 5 bytes JMP 0000000077a30360 .text C:\Windows\system32\Dwm.exe[1384] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000778d2240 5 bytes JMP 0000000077a302a0 .text C:\Windows\system32\Dwm.exe[1384] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000778d2290 5 bytes JMP 0000000077a302c0 .text C:\Windows\system32\Dwm.exe[1384] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000778d22c0 5 bytes JMP 0000000077a30380 .text C:\Windows\system32\Dwm.exe[1384] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778d22d0 5 bytes JMP 0000000077a30340 .text C:\Windows\system32\Dwm.exe[1384] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000778d25c0 5 bytes JMP 0000000077a30440 .text C:\Windows\system32\Dwm.exe[1384] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778d27c0 5 bytes JMP 0000000077a30260 .text C:\Windows\system32\Dwm.exe[1384] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778d27d0 5 bytes JMP 0000000077a30270 .text C:\Windows\system32\Dwm.exe[1384] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778d27e0 5 bytes JMP 0000000077a30400 .text C:\Windows\system32\Dwm.exe[1384] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778d29a0 5 bytes JMP 0000000077a301f0 .text C:\Windows\system32\Dwm.exe[1384] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778d29b0 5 bytes JMP 0000000077a30210 .text C:\Windows\system32\Dwm.exe[1384] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000778d2a20 5 bytes JMP 0000000077a30200 .text C:\Windows\system32\Dwm.exe[1384] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000778d2a80 5 bytes JMP 0000000077a30420 .text C:\Windows\system32\Dwm.exe[1384] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000778d2a90 5 bytes JMP 0000000077a30430 .text C:\Windows\system32\Dwm.exe[1384] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000778d2aa0 5 bytes JMP 0000000077a30220 .text C:\Windows\system32\Dwm.exe[1384] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000778d2b80 5 bytes JMP 0000000077a30280 .text C:\Windows\system32\Dwm.exe[1384] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000777bef8d 1 byte [62] .text C:\Windows\system32\FBAgent.exe[1392] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000778d1360 5 bytes JMP 0000000077a30460 .text C:\Windows\system32\FBAgent.exe[1392] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000778d13b0 5 bytes JMP 0000000077a30450 .text C:\Windows\system32\FBAgent.exe[1392] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000778d1510 5 bytes JMP 0000000077a30370 .text C:\Windows\system32\FBAgent.exe[1392] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000778d1560 5 bytes JMP 0000000077a30470 .text C:\Windows\system32\FBAgent.exe[1392] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000778d1570 5 bytes JMP 0000000077a303e0 .text C:\Windows\system32\FBAgent.exe[1392] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000778d1620 5 bytes JMP 0000000077a30320 .text C:\Windows\system32\FBAgent.exe[1392] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000778d1650 5 bytes JMP 0000000077a303b0 .text C:\Windows\system32\FBAgent.exe[1392] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000778d1670 5 bytes JMP 0000000077a30390 .text C:\Windows\system32\FBAgent.exe[1392] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778d16b0 5 bytes JMP 0000000077a302e0 .text C:\Windows\system32\FBAgent.exe[1392] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000778d1730 5 bytes JMP 0000000077a302d0 .text C:\Windows\system32\FBAgent.exe[1392] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000778d1750 5 bytes JMP 0000000077a30310 .text C:\Windows\system32\FBAgent.exe[1392] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000778d1790 5 bytes JMP 0000000077a303c0 .text C:\Windows\system32\FBAgent.exe[1392] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778d17e0 5 bytes JMP 0000000077a303f0 .text C:\Windows\system32\FBAgent.exe[1392] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000778d1940 5 bytes JMP 0000000077a30230 .text C:\Windows\system32\FBAgent.exe[1392] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000778d1b00 5 bytes JMP 0000000077a30480 .text C:\Windows\system32\FBAgent.exe[1392] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000778d1b30 5 bytes JMP 0000000077a303a0 .text C:\Windows\system32\FBAgent.exe[1392] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000778d1c10 5 bytes JMP 0000000077a302f0 .text C:\Windows\system32\FBAgent.exe[1392] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000778d1c20 5 bytes JMP 0000000077a30350 .text C:\Windows\system32\FBAgent.exe[1392] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000778d1c80 5 bytes JMP 0000000077a30290 .text C:\Windows\system32\FBAgent.exe[1392] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000778d1d10 5 bytes JMP 0000000077a302b0 .text C:\Windows\system32\FBAgent.exe[1392] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000778d1d30 5 bytes JMP 0000000077a303d0 .text C:\Windows\system32\FBAgent.exe[1392] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000778d1d40 5 bytes JMP 0000000077a30330 .text C:\Windows\system32\FBAgent.exe[1392] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000778d1db0 5 bytes JMP 0000000077a30410 .text C:\Windows\system32\FBAgent.exe[1392] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000778d1de0 5 bytes JMP 0000000077a30240 .text C:\Windows\system32\FBAgent.exe[1392] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778d20a0 5 bytes JMP 0000000077a301e0 .text C:\Windows\system32\FBAgent.exe[1392] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000778d2160 5 bytes JMP 0000000077a30250 .text C:\Windows\system32\FBAgent.exe[1392] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000778d2190 5 bytes JMP 0000000077a30490 .text C:\Windows\system32\FBAgent.exe[1392] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778d21a0 5 bytes JMP 0000000077a304a0 .text C:\Windows\system32\FBAgent.exe[1392] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778d21d0 5 bytes JMP 0000000077a30300 .text C:\Windows\system32\FBAgent.exe[1392] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778d21e0 5 bytes JMP 0000000077a30360 .text C:\Windows\system32\FBAgent.exe[1392] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000778d2240 5 bytes JMP 0000000077a302a0 .text C:\Windows\system32\FBAgent.exe[1392] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000778d2290 5 bytes JMP 0000000077a302c0 .text C:\Windows\system32\FBAgent.exe[1392] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000778d22c0 5 bytes JMP 0000000077a30380 .text C:\Windows\system32\FBAgent.exe[1392] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778d22d0 5 bytes JMP 0000000077a30340 .text C:\Windows\system32\FBAgent.exe[1392] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000778d25c0 5 bytes JMP 0000000077a30440 .text C:\Windows\system32\FBAgent.exe[1392] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778d27c0 5 bytes JMP 0000000077a30260 .text C:\Windows\system32\FBAgent.exe[1392] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778d27d0 5 bytes JMP 0000000077a30270 .text C:\Windows\system32\FBAgent.exe[1392] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778d27e0 5 bytes JMP 0000000077a30400 .text C:\Windows\system32\FBAgent.exe[1392] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778d29a0 5 bytes JMP 0000000077a301f0 .text C:\Windows\system32\FBAgent.exe[1392] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778d29b0 5 bytes JMP 0000000077a30210 .text C:\Windows\system32\FBAgent.exe[1392] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000778d2a20 5 bytes JMP 0000000077a30200 .text C:\Windows\system32\FBAgent.exe[1392] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000778d2a80 5 bytes JMP 0000000077a30420 .text C:\Windows\system32\FBAgent.exe[1392] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000778d2a90 5 bytes JMP 0000000077a30430 .text C:\Windows\system32\FBAgent.exe[1392] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000778d2aa0 5 bytes JMP 0000000077a30220 .text C:\Windows\system32\FBAgent.exe[1392] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000778d2b80 5 bytes JMP 0000000077a30280 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1432] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007758a2fd 1 byte [62] .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1456] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007758a2fd 1 byte [62] .text C:\Windows\Explorer.EXE[1500] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000778d1360 5 bytes JMP 0000000100070460 .text C:\Windows\Explorer.EXE[1500] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000778d13b0 5 bytes JMP 0000000100070450 .text C:\Windows\Explorer.EXE[1500] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000778d1510 5 bytes JMP 0000000100070370 .text C:\Windows\Explorer.EXE[1500] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000778d1560 5 bytes JMP 0000000100070470 .text C:\Windows\Explorer.EXE[1500] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000778d1570 5 bytes JMP 00000001000703e0 .text C:\Windows\Explorer.EXE[1500] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000778d1620 5 bytes JMP 0000000100070320 .text C:\Windows\Explorer.EXE[1500] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000778d1650 5 bytes JMP 00000001000703b0 .text C:\Windows\Explorer.EXE[1500] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000778d1670 5 bytes JMP 0000000100070390 .text C:\Windows\Explorer.EXE[1500] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778d16b0 5 bytes JMP 00000001000702e0 .text C:\Windows\Explorer.EXE[1500] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000778d1730 5 bytes JMP 00000001000702d0 .text C:\Windows\Explorer.EXE[1500] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000778d1750 5 bytes JMP 0000000100070310 .text C:\Windows\Explorer.EXE[1500] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000778d1790 5 bytes JMP 00000001000703c0 .text C:\Windows\Explorer.EXE[1500] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778d17e0 5 bytes JMP 00000001000703f0 .text C:\Windows\Explorer.EXE[1500] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000778d1940 5 bytes JMP 0000000100070230 .text C:\Windows\Explorer.EXE[1500] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000778d1b00 5 bytes JMP 0000000100070480 .text C:\Windows\Explorer.EXE[1500] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000778d1b30 5 bytes JMP 00000001000703a0 .text C:\Windows\Explorer.EXE[1500] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000778d1c10 5 bytes JMP 00000001000702f0 .text C:\Windows\Explorer.EXE[1500] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000778d1c20 5 bytes JMP 0000000100070350 .text C:\Windows\Explorer.EXE[1500] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000778d1c80 5 bytes JMP 0000000100070290 .text C:\Windows\Explorer.EXE[1500] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000778d1d10 5 bytes JMP 00000001000702b0 .text C:\Windows\Explorer.EXE[1500] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000778d1d30 5 bytes JMP 00000001000703d0 .text C:\Windows\Explorer.EXE[1500] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000778d1d40 5 bytes JMP 0000000100070330 .text C:\Windows\Explorer.EXE[1500] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000778d1db0 5 bytes JMP 0000000100070410 .text C:\Windows\Explorer.EXE[1500] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000778d1de0 5 bytes JMP 0000000100070240 .text C:\Windows\Explorer.EXE[1500] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778d20a0 5 bytes JMP 00000001000701e0 .text C:\Windows\Explorer.EXE[1500] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000778d2160 5 bytes JMP 0000000100070250 .text C:\Windows\Explorer.EXE[1500] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000778d2190 5 bytes JMP 0000000100070490 .text C:\Windows\Explorer.EXE[1500] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778d21a0 5 bytes JMP 00000001000704a0 .text C:\Windows\Explorer.EXE[1500] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778d21d0 5 bytes JMP 0000000100070300 .text C:\Windows\Explorer.EXE[1500] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778d21e0 5 bytes JMP 0000000100070360 .text C:\Windows\Explorer.EXE[1500] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000778d2240 5 bytes JMP 00000001000702a0 .text C:\Windows\Explorer.EXE[1500] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000778d2290 5 bytes JMP 00000001000702c0 .text C:\Windows\Explorer.EXE[1500] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000778d22c0 5 bytes JMP 0000000100070380 .text C:\Windows\Explorer.EXE[1500] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778d22d0 5 bytes JMP 0000000100070340 .text C:\Windows\Explorer.EXE[1500] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000778d25c0 5 bytes JMP 0000000100070440 .text C:\Windows\Explorer.EXE[1500] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778d27c0 5 bytes JMP 0000000100070260 .text C:\Windows\Explorer.EXE[1500] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778d27d0 5 bytes JMP 0000000100070270 .text C:\Windows\Explorer.EXE[1500] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778d27e0 5 bytes JMP 0000000100070400 .text C:\Windows\Explorer.EXE[1500] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778d29a0 5 bytes JMP 00000001000701f0 .text C:\Windows\Explorer.EXE[1500] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778d29b0 5 bytes JMP 0000000100070210 .text C:\Windows\Explorer.EXE[1500] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000778d2a20 5 bytes JMP 0000000100070200 .text C:\Windows\Explorer.EXE[1500] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000778d2a80 5 bytes JMP 0000000100070420 .text C:\Windows\Explorer.EXE[1500] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000778d2a90 5 bytes JMP 0000000100070430 .text C:\Windows\Explorer.EXE[1500] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000778d2aa0 5 bytes JMP 0000000100070220 .text C:\Windows\Explorer.EXE[1500] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000778d2b80 5 bytes JMP 0000000100070280 .text C:\Windows\Explorer.EXE[1500] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000777bef8d 1 byte [62] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[1672] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007758a2fd 1 byte [62] .text C:\ProgramData\WPM\wprotectmanager.exe[1756] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007758a2fd 1 byte [62] .text C:\ProgramData\WPM\wprotectmanager.exe[1756] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076fa1465 2 bytes [FA, 76] .text C:\ProgramData\WPM\wprotectmanager.exe[1756] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000076fa14bb 2 bytes [FA, 76] .text ... * 2 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[1872] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007758a2fd 1 byte [62] .text C:\Windows\system32\taskhost.exe[1944] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000778d1360 5 bytes JMP 0000000077a30460 .text C:\Windows\system32\taskhost.exe[1944] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000778d13b0 5 bytes JMP 0000000077a30450 .text C:\Windows\system32\taskhost.exe[1944] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000778d1510 5 bytes JMP 0000000077a30370 .text C:\Windows\system32\taskhost.exe[1944] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000778d1560 5 bytes JMP 0000000077a30470 .text C:\Windows\system32\taskhost.exe[1944] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000778d1570 5 bytes JMP 0000000077a303e0 .text C:\Windows\system32\taskhost.exe[1944] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000778d1620 5 bytes JMP 0000000077a30320 .text C:\Windows\system32\taskhost.exe[1944] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000778d1650 5 bytes JMP 0000000077a303b0 .text C:\Windows\system32\taskhost.exe[1944] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000778d1670 5 bytes JMP 0000000077a30390 .text C:\Windows\system32\taskhost.exe[1944] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778d16b0 5 bytes JMP 0000000077a302e0 .text C:\Windows\system32\taskhost.exe[1944] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000778d1730 5 bytes JMP 0000000077a302d0 .text C:\Windows\system32\taskhost.exe[1944] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000778d1750 5 bytes JMP 0000000077a30310 .text C:\Windows\system32\taskhost.exe[1944] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000778d1790 5 bytes JMP 0000000077a303c0 .text C:\Windows\system32\taskhost.exe[1944] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778d17e0 5 bytes JMP 0000000077a303f0 .text C:\Windows\system32\taskhost.exe[1944] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000778d1940 5 bytes JMP 0000000077a30230 .text C:\Windows\system32\taskhost.exe[1944] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000778d1b00 5 bytes JMP 0000000077a30480 .text C:\Windows\system32\taskhost.exe[1944] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000778d1b30 5 bytes JMP 0000000077a303a0 .text C:\Windows\system32\taskhost.exe[1944] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000778d1c10 5 bytes JMP 0000000077a302f0 .text C:\Windows\system32\taskhost.exe[1944] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000778d1c20 5 bytes JMP 0000000077a30350 .text C:\Windows\system32\taskhost.exe[1944] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000778d1c80 5 bytes JMP 0000000077a30290 .text C:\Windows\system32\taskhost.exe[1944] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000778d1d10 5 bytes JMP 0000000077a302b0 .text C:\Windows\system32\taskhost.exe[1944] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000778d1d30 5 bytes JMP 0000000077a303d0 .text C:\Windows\system32\taskhost.exe[1944] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000778d1d40 5 bytes JMP 0000000077a30330 .text C:\Windows\system32\taskhost.exe[1944] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000778d1db0 5 bytes JMP 0000000077a30410 .text C:\Windows\system32\taskhost.exe[1944] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000778d1de0 5 bytes JMP 0000000077a30240 .text C:\Windows\system32\taskhost.exe[1944] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778d20a0 5 bytes JMP 0000000077a301e0 .text C:\Windows\system32\taskhost.exe[1944] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000778d2160 5 bytes JMP 0000000077a30250 .text C:\Windows\system32\taskhost.exe[1944] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000778d2190 5 bytes JMP 0000000077a30490 .text C:\Windows\system32\taskhost.exe[1944] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778d21a0 5 bytes JMP 0000000077a304a0 .text C:\Windows\system32\taskhost.exe[1944] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778d21d0 5 bytes JMP 0000000077a30300 .text C:\Windows\system32\taskhost.exe[1944] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778d21e0 5 bytes JMP 0000000077a30360 .text C:\Windows\system32\taskhost.exe[1944] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000778d2240 5 bytes JMP 0000000077a302a0 .text C:\Windows\system32\taskhost.exe[1944] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000778d2290 5 bytes JMP 0000000077a302c0 .text C:\Windows\system32\taskhost.exe[1944] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000778d22c0 5 bytes JMP 0000000077a30380 .text C:\Windows\system32\taskhost.exe[1944] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778d22d0 5 bytes JMP 0000000077a30340 .text C:\Windows\system32\taskhost.exe[1944] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000778d25c0 5 bytes JMP 0000000077a30440 .text C:\Windows\system32\taskhost.exe[1944] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778d27c0 5 bytes JMP 0000000077a30260 .text C:\Windows\system32\taskhost.exe[1944] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778d27d0 5 bytes JMP 0000000077a30270 .text C:\Windows\system32\taskhost.exe[1944] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778d27e0 5 bytes JMP 0000000077a30400 .text C:\Windows\system32\taskhost.exe[1944] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778d29a0 5 bytes JMP 0000000077a301f0 .text C:\Windows\system32\taskhost.exe[1944] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778d29b0 5 bytes JMP 0000000077a30210 .text C:\Windows\system32\taskhost.exe[1944] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000778d2a20 5 bytes JMP 0000000077a30200 .text C:\Windows\system32\taskhost.exe[1944] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000778d2a80 5 bytes JMP 0000000077a30420 .text C:\Windows\system32\taskhost.exe[1944] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000778d2a90 5 bytes JMP 0000000077a30430 .text C:\Windows\system32\taskhost.exe[1944] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000778d2aa0 5 bytes JMP 0000000077a30220 .text C:\Windows\system32\taskhost.exe[1944] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000778d2b80 5 bytes JMP 0000000077a30280 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[1992] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007758a2fd 1 byte [62] .text C:\Windows\System32\spoolsv.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000778d1360 5 bytes JMP 0000000077a30460 .text C:\Windows\System32\spoolsv.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000778d13b0 5 bytes JMP 0000000077a30450 .text C:\Windows\System32\spoolsv.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000778d1510 5 bytes JMP 0000000077a30370 .text C:\Windows\System32\spoolsv.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000778d1560 5 bytes JMP 0000000077a30470 .text C:\Windows\System32\spoolsv.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000778d1570 5 bytes JMP 0000000077a303e0 .text C:\Windows\System32\spoolsv.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000778d1620 5 bytes JMP 0000000077a30320 .text C:\Windows\System32\spoolsv.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000778d1650 5 bytes JMP 0000000077a303b0 .text C:\Windows\System32\spoolsv.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000778d1670 5 bytes JMP 0000000077a30390 .text C:\Windows\System32\spoolsv.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778d16b0 5 bytes JMP 0000000077a302e0 .text C:\Windows\System32\spoolsv.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000778d1730 5 bytes JMP 0000000077a302d0 .text C:\Windows\System32\spoolsv.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000778d1750 5 bytes JMP 0000000077a30310 .text C:\Windows\System32\spoolsv.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000778d1790 5 bytes JMP 0000000077a303c0 .text C:\Windows\System32\spoolsv.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778d17e0 5 bytes JMP 0000000077a303f0 .text C:\Windows\System32\spoolsv.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000778d1940 5 bytes JMP 0000000077a30230 .text C:\Windows\System32\spoolsv.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000778d1b00 5 bytes JMP 0000000077a30480 .text C:\Windows\System32\spoolsv.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000778d1b30 5 bytes JMP 0000000077a303a0 .text C:\Windows\System32\spoolsv.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000778d1c10 5 bytes JMP 0000000077a302f0 .text C:\Windows\System32\spoolsv.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000778d1c20 5 bytes JMP 0000000077a30350 .text C:\Windows\System32\spoolsv.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000778d1c80 5 bytes JMP 0000000077a30290 .text C:\Windows\System32\spoolsv.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000778d1d10 5 bytes JMP 0000000077a302b0 .text C:\Windows\System32\spoolsv.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000778d1d30 5 bytes JMP 0000000077a303d0 .text C:\Windows\System32\spoolsv.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000778d1d40 5 bytes JMP 0000000077a30330 .text C:\Windows\System32\spoolsv.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000778d1db0 5 bytes JMP 0000000077a30410 .text C:\Windows\System32\spoolsv.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000778d1de0 5 bytes JMP 0000000077a30240 .text C:\Windows\System32\spoolsv.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778d20a0 5 bytes JMP 0000000077a301e0 .text C:\Windows\System32\spoolsv.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000778d2160 5 bytes JMP 0000000077a30250 .text C:\Windows\System32\spoolsv.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000778d2190 5 bytes JMP 0000000077a30490 .text C:\Windows\System32\spoolsv.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778d21a0 5 bytes JMP 0000000077a304a0 .text C:\Windows\System32\spoolsv.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778d21d0 5 bytes JMP 0000000077a30300 .text C:\Windows\System32\spoolsv.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778d21e0 5 bytes JMP 0000000077a30360 .text C:\Windows\System32\spoolsv.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000778d2240 5 bytes JMP 0000000077a302a0 .text C:\Windows\System32\spoolsv.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000778d2290 5 bytes JMP 0000000077a302c0 .text C:\Windows\System32\spoolsv.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000778d22c0 5 bytes JMP 0000000077a30380 .text C:\Windows\System32\spoolsv.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778d22d0 5 bytes JMP 0000000077a30340 .text C:\Windows\System32\spoolsv.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000778d25c0 5 bytes JMP 0000000077a30440 .text C:\Windows\System32\spoolsv.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778d27c0 5 bytes JMP 0000000077a30260 .text C:\Windows\System32\spoolsv.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778d27d0 5 bytes JMP 0000000077a30270 .text C:\Windows\System32\spoolsv.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778d27e0 5 bytes JMP 0000000077a30400 .text C:\Windows\System32\spoolsv.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778d29a0 5 bytes JMP 0000000077a301f0 .text C:\Windows\System32\spoolsv.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778d29b0 5 bytes JMP 0000000077a30210 .text C:\Windows\System32\spoolsv.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000778d2a20 5 bytes JMP 0000000077a30200 .text C:\Windows\System32\spoolsv.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000778d2a80 5 bytes JMP 0000000077a30420 .text C:\Windows\System32\spoolsv.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000778d2a90 5 bytes JMP 0000000077a30430 .text C:\Windows\System32\spoolsv.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000778d2aa0 5 bytes JMP 0000000077a30220 .text C:\Windows\System32\spoolsv.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000778d2b80 5 bytes JMP 0000000077a30280 .text C:\Windows\system32\svchost.exe[2036] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000778d1360 5 bytes JMP 0000000077a30460 .text C:\Windows\system32\svchost.exe[2036] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000778d13b0 5 bytes JMP 0000000077a30450 .text C:\Windows\system32\svchost.exe[2036] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000778d1510 5 bytes JMP 0000000077a30370 .text C:\Windows\system32\svchost.exe[2036] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000778d1560 5 bytes JMP 0000000077a30470 .text C:\Windows\system32\svchost.exe[2036] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000778d1570 5 bytes JMP 0000000077a303e0 .text C:\Windows\system32\svchost.exe[2036] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000778d1620 5 bytes JMP 0000000077a30320 .text C:\Windows\system32\svchost.exe[2036] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000778d1650 5 bytes JMP 0000000077a303b0 .text C:\Windows\system32\svchost.exe[2036] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000778d1670 5 bytes JMP 0000000077a30390 .text C:\Windows\system32\svchost.exe[2036] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778d16b0 5 bytes JMP 0000000077a302e0 .text C:\Windows\system32\svchost.exe[2036] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000778d1730 5 bytes JMP 0000000077a302d0 .text C:\Windows\system32\svchost.exe[2036] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000778d1750 5 bytes JMP 0000000077a30310 .text C:\Windows\system32\svchost.exe[2036] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000778d1790 5 bytes JMP 0000000077a303c0 .text C:\Windows\system32\svchost.exe[2036] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778d17e0 5 bytes JMP 0000000077a303f0 .text C:\Windows\system32\svchost.exe[2036] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000778d1940 5 bytes JMP 0000000077a30230 .text C:\Windows\system32\svchost.exe[2036] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000778d1b00 5 bytes JMP 0000000077a30480 .text C:\Windows\system32\svchost.exe[2036] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000778d1b30 5 bytes JMP 0000000077a303a0 .text C:\Windows\system32\svchost.exe[2036] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000778d1c10 5 bytes JMP 0000000077a302f0 .text C:\Windows\system32\svchost.exe[2036] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000778d1c20 5 bytes JMP 0000000077a30350 .text C:\Windows\system32\svchost.exe[2036] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000778d1c80 5 bytes JMP 0000000077a30290 .text C:\Windows\system32\svchost.exe[2036] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000778d1d10 5 bytes JMP 0000000077a302b0 .text C:\Windows\system32\svchost.exe[2036] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000778d1d30 5 bytes JMP 0000000077a303d0 .text C:\Windows\system32\svchost.exe[2036] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000778d1d40 5 bytes JMP 0000000077a30330 .text C:\Windows\system32\svchost.exe[2036] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000778d1db0 5 bytes JMP 0000000077a30410 .text C:\Windows\system32\svchost.exe[2036] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000778d1de0 5 bytes JMP 0000000077a30240 .text C:\Windows\system32\svchost.exe[2036] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778d20a0 5 bytes JMP 0000000077a301e0 .text C:\Windows\system32\svchost.exe[2036] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000778d2160 5 bytes JMP 0000000077a30250 .text C:\Windows\system32\svchost.exe[2036] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000778d2190 5 bytes JMP 0000000077a30490 .text C:\Windows\system32\svchost.exe[2036] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778d21a0 5 bytes JMP 0000000077a304a0 .text C:\Windows\system32\svchost.exe[2036] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778d21d0 5 bytes JMP 0000000077a30300 .text C:\Windows\system32\svchost.exe[2036] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778d21e0 5 bytes JMP 0000000077a30360 .text C:\Windows\system32\svchost.exe[2036] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000778d2240 5 bytes JMP 0000000077a302a0 .text C:\Windows\system32\svchost.exe[2036] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000778d2290 5 bytes JMP 0000000077a302c0 .text C:\Windows\system32\svchost.exe[2036] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000778d22c0 5 bytes JMP 0000000077a30380 .text C:\Windows\system32\svchost.exe[2036] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778d22d0 5 bytes JMP 0000000077a30340 .text C:\Windows\system32\svchost.exe[2036] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000778d25c0 5 bytes JMP 0000000077a30440 .text C:\Windows\system32\svchost.exe[2036] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778d27c0 5 bytes JMP 0000000077a30260 .text C:\Windows\system32\svchost.exe[2036] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778d27d0 5 bytes JMP 0000000077a30270 .text C:\Windows\system32\svchost.exe[2036] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778d27e0 5 bytes JMP 0000000077a30400 .text C:\Windows\system32\svchost.exe[2036] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778d29a0 5 bytes JMP 0000000077a301f0 .text C:\Windows\system32\svchost.exe[2036] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778d29b0 5 bytes JMP 0000000077a30210 .text C:\Windows\system32\svchost.exe[2036] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000778d2a20 5 bytes JMP 0000000077a30200 .text C:\Windows\system32\svchost.exe[2036] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000778d2a80 5 bytes JMP 0000000077a30420 .text C:\Windows\system32\svchost.exe[2036] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000778d2a90 5 bytes JMP 0000000077a30430 .text C:\Windows\system32\svchost.exe[2036] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000778d2aa0 5 bytes JMP 0000000077a30220 .text C:\Windows\system32\svchost.exe[2036] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000778d2b80 5 bytes JMP 0000000077a30280 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[1100] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007758a2fd 1 byte [62] .text C:\Program Files\AVAST Software\Avast\afwServ.exe[1212] C:\Windows\syswow64\kernel32.dll!SetUnhandledExceptionFilter 0000000077568791 8 bytes [31, C0, C2, 04, 00, 90, 90, ...] .text C:\Program Files\AVAST Software\Avast\afwServ.exe[1212] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007758a2fd 1 byte [62] .text C:\Program Files\AVAST Software\Avast\afwServ.exe[1212] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076fa1465 2 bytes [FA, 76] .text C:\Program Files\AVAST Software\Avast\afwServ.exe[1212] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000076fa14bb 2 bytes [FA, 76] .text ... * 2 .text C:\Windows\system32\taskeng.exe[1512] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000778d1360 5 bytes JMP 0000000077a30460 .text C:\Windows\system32\taskeng.exe[1512] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000778d13b0 5 bytes JMP 0000000077a30450 .text C:\Windows\system32\taskeng.exe[1512] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000778d1510 5 bytes JMP 0000000077a30370 .text C:\Windows\system32\taskeng.exe[1512] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000778d1560 5 bytes JMP 0000000077a30470 .text C:\Windows\system32\taskeng.exe[1512] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000778d1570 5 bytes JMP 0000000077a303e0 .text C:\Windows\system32\taskeng.exe[1512] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000778d1620 5 bytes JMP 0000000077a30320 .text C:\Windows\system32\taskeng.exe[1512] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000778d1650 5 bytes JMP 0000000077a303b0 .text C:\Windows\system32\taskeng.exe[1512] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000778d1670 5 bytes JMP 0000000077a30390 .text C:\Windows\system32\taskeng.exe[1512] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778d16b0 5 bytes JMP 0000000077a302e0 .text C:\Windows\system32\taskeng.exe[1512] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000778d1730 5 bytes JMP 0000000077a302d0 .text C:\Windows\system32\taskeng.exe[1512] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000778d1750 5 bytes JMP 0000000077a30310 .text C:\Windows\system32\taskeng.exe[1512] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000778d1790 5 bytes JMP 0000000077a303c0 .text C:\Windows\system32\taskeng.exe[1512] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778d17e0 5 bytes JMP 0000000077a303f0 .text C:\Windows\system32\taskeng.exe[1512] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000778d1940 5 bytes JMP 0000000077a30230 .text C:\Windows\system32\taskeng.exe[1512] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000778d1b00 5 bytes JMP 0000000077a30480 .text C:\Windows\system32\taskeng.exe[1512] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000778d1b30 5 bytes JMP 0000000077a303a0 .text C:\Windows\system32\taskeng.exe[1512] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000778d1c10 5 bytes JMP 0000000077a302f0 .text C:\Windows\system32\taskeng.exe[1512] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000778d1c20 5 bytes JMP 0000000077a30350 .text C:\Windows\system32\taskeng.exe[1512] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000778d1c80 5 bytes JMP 0000000077a30290 .text C:\Windows\system32\taskeng.exe[1512] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000778d1d10 5 bytes JMP 0000000077a302b0 .text C:\Windows\system32\taskeng.exe[1512] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000778d1d30 5 bytes JMP 0000000077a303d0 .text C:\Windows\system32\taskeng.exe[1512] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000778d1d40 5 bytes JMP 0000000077a30330 .text C:\Windows\system32\taskeng.exe[1512] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000778d1db0 5 bytes JMP 0000000077a30410 .text C:\Windows\system32\taskeng.exe[1512] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000778d1de0 5 bytes JMP 0000000077a30240 .text C:\Windows\system32\taskeng.exe[1512] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778d20a0 5 bytes JMP 0000000077a301e0 .text C:\Windows\system32\taskeng.exe[1512] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000778d2160 5 bytes JMP 0000000077a30250 .text C:\Windows\system32\taskeng.exe[1512] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000778d2190 5 bytes JMP 0000000077a30490 .text C:\Windows\system32\taskeng.exe[1512] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778d21a0 5 bytes JMP 0000000077a304a0 .text C:\Windows\system32\taskeng.exe[1512] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778d21d0 5 bytes JMP 0000000077a30300 .text C:\Windows\system32\taskeng.exe[1512] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778d21e0 5 bytes JMP 0000000077a30360 .text C:\Windows\system32\taskeng.exe[1512] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000778d2240 5 bytes JMP 0000000077a302a0 .text C:\Windows\system32\taskeng.exe[1512] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000778d2290 5 bytes JMP 0000000077a302c0 .text C:\Windows\system32\taskeng.exe[1512] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000778d22c0 5 bytes JMP 0000000077a30380 .text C:\Windows\system32\taskeng.exe[1512] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778d22d0 5 bytes JMP 0000000077a30340 .text C:\Windows\system32\taskeng.exe[1512] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000778d25c0 5 bytes JMP 0000000077a30440 .text C:\Windows\system32\taskeng.exe[1512] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778d27c0 5 bytes JMP 0000000077a30260 .text C:\Windows\system32\taskeng.exe[1512] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778d27d0 5 bytes JMP 0000000077a30270 .text C:\Windows\system32\taskeng.exe[1512] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778d27e0 5 bytes JMP 0000000077a30400 .text C:\Windows\system32\taskeng.exe[1512] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778d29a0 5 bytes JMP 0000000077a301f0 .text C:\Windows\system32\taskeng.exe[1512] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778d29b0 5 bytes JMP 0000000077a30210 .text C:\Windows\system32\taskeng.exe[1512] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000778d2a20 5 bytes JMP 0000000077a30200 .text C:\Windows\system32\taskeng.exe[1512] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000778d2a80 5 bytes JMP 0000000077a30420 .text C:\Windows\system32\taskeng.exe[1512] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000778d2a90 5 bytes JMP 0000000077a30430 .text C:\Windows\system32\taskeng.exe[1512] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000778d2aa0 5 bytes JMP 0000000077a30220 .text C:\Windows\system32\taskeng.exe[1512] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000778d2b80 5 bytes JMP 0000000077a30280 .text C:\Windows\system32\taskeng.exe[2056] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000778d1360 5 bytes JMP 0000000100070460 .text C:\Windows\system32\taskeng.exe[2056] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000778d13b0 5 bytes JMP 0000000100070450 .text C:\Windows\system32\taskeng.exe[2056] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000778d1510 5 bytes JMP 0000000100070370 .text C:\Windows\system32\taskeng.exe[2056] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000778d1560 5 bytes JMP 0000000100070470 .text C:\Windows\system32\taskeng.exe[2056] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000778d1570 5 bytes JMP 00000001000703e0 .text C:\Windows\system32\taskeng.exe[2056] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000778d1620 5 bytes JMP 0000000100070320 .text C:\Windows\system32\taskeng.exe[2056] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000778d1650 5 bytes JMP 00000001000703b0 .text C:\Windows\system32\taskeng.exe[2056] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000778d1670 5 bytes JMP 0000000100070390 .text C:\Windows\system32\taskeng.exe[2056] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778d16b0 5 bytes JMP 00000001000702e0 .text C:\Windows\system32\taskeng.exe[2056] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000778d1730 5 bytes JMP 00000001000702d0 .text C:\Windows\system32\taskeng.exe[2056] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000778d1750 5 bytes JMP 0000000100070310 .text C:\Windows\system32\taskeng.exe[2056] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000778d1790 5 bytes JMP 00000001000703c0 .text C:\Windows\system32\taskeng.exe[2056] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778d17e0 5 bytes JMP 00000001000703f0 .text C:\Windows\system32\taskeng.exe[2056] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000778d1940 5 bytes JMP 0000000100070230 .text C:\Windows\system32\taskeng.exe[2056] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000778d1b00 5 bytes JMP 0000000100070480 .text C:\Windows\system32\taskeng.exe[2056] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000778d1b30 5 bytes JMP 00000001000703a0 .text C:\Windows\system32\taskeng.exe[2056] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000778d1c10 5 bytes JMP 00000001000702f0 .text C:\Windows\system32\taskeng.exe[2056] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000778d1c20 5 bytes JMP 0000000100070350 .text C:\Windows\system32\taskeng.exe[2056] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000778d1c80 5 bytes JMP 0000000100070290 .text C:\Windows\system32\taskeng.exe[2056] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000778d1d10 5 bytes JMP 00000001000702b0 .text C:\Windows\system32\taskeng.exe[2056] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000778d1d30 5 bytes JMP 00000001000703d0 .text C:\Windows\system32\taskeng.exe[2056] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000778d1d40 5 bytes JMP 0000000100070330 .text C:\Windows\system32\taskeng.exe[2056] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000778d1db0 5 bytes JMP 0000000100070410 .text C:\Windows\system32\taskeng.exe[2056] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000778d1de0 5 bytes JMP 0000000100070240 .text C:\Windows\system32\taskeng.exe[2056] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778d20a0 5 bytes JMP 00000001000701e0 .text C:\Windows\system32\taskeng.exe[2056] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000778d2160 5 bytes JMP 0000000100070250 .text C:\Windows\system32\taskeng.exe[2056] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000778d2190 5 bytes JMP 0000000100070490 .text C:\Windows\system32\taskeng.exe[2056] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778d21a0 5 bytes JMP 00000001000704a0 .text C:\Windows\system32\taskeng.exe[2056] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778d21d0 5 bytes JMP 0000000100070300 .text C:\Windows\system32\taskeng.exe[2056] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778d21e0 5 bytes JMP 0000000100070360 .text C:\Windows\system32\taskeng.exe[2056] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000778d2240 5 bytes JMP 00000001000702a0 .text C:\Windows\system32\taskeng.exe[2056] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000778d2290 5 bytes JMP 00000001000702c0 .text C:\Windows\system32\taskeng.exe[2056] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000778d22c0 5 bytes JMP 0000000100070380 .text C:\Windows\system32\taskeng.exe[2056] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778d22d0 5 bytes JMP 0000000100070340 .text C:\Windows\system32\taskeng.exe[2056] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000778d25c0 5 bytes JMP 0000000100070440 .text C:\Windows\system32\taskeng.exe[2056] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778d27c0 5 bytes JMP 0000000100070260 .text C:\Windows\system32\taskeng.exe[2056] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778d27d0 5 bytes JMP 0000000100070270 .text C:\Windows\system32\taskeng.exe[2056] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778d27e0 5 bytes JMP 0000000100070400 .text C:\Windows\system32\taskeng.exe[2056] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778d29a0 5 bytes JMP 00000001000701f0 .text C:\Windows\system32\taskeng.exe[2056] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778d29b0 5 bytes JMP 0000000100070210 .text C:\Windows\system32\taskeng.exe[2056] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000778d2a20 5 bytes JMP 0000000100070200 .text C:\Windows\system32\taskeng.exe[2056] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000778d2a80 5 bytes JMP 0000000100070420 .text C:\Windows\system32\taskeng.exe[2056] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000778d2a90 5 bytes JMP 0000000100070430 .text C:\Windows\system32\taskeng.exe[2056] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000778d2aa0 5 bytes JMP 0000000100070220 .text C:\Windows\system32\taskeng.exe[2056] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000778d2b80 5 bytes JMP 0000000100070280 .text C:\Program Files\ASUS\Net4Switch\Net4Switch.exe[2180] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007758a2fd 1 byte [62] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2376] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007758a2fd 1 byte [62] .text C:\Windows\SysWOW64\srvany.exe[2432] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007758a2fd 1 byte [62] .text C:\Windows\KMService.exe[2460] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007758a2fd 1 byte [62] .text C:\Program Files (x86)\HTC\Internet Pass-Through\PassThruSvr.exe[2476] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007758a2fd 1 byte [62] .text C:\Program Files (x86)\HTC\Internet Pass-Through\PassThruSvr.exe[2476] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076fa1465 2 bytes [FA, 76] .text C:\Program Files (x86)\HTC\Internet Pass-Through\PassThruSvr.exe[2476] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000076fa14bb 2 bytes [FA, 76] .text ... * 2 .text C:\Program Files (x86)\AmIcoSingLun\AmIcoSinglun64.exe[1752] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000778d1360 5 bytes JMP 0000000077a30460 .text C:\Program Files (x86)\AmIcoSingLun\AmIcoSinglun64.exe[1752] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000778d13b0 5 bytes JMP 0000000077a30450 .text C:\Program Files (x86)\AmIcoSingLun\AmIcoSinglun64.exe[1752] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000778d1510 5 bytes JMP 0000000077a30370 .text C:\Program Files (x86)\AmIcoSingLun\AmIcoSinglun64.exe[1752] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000778d1560 5 bytes JMP 0000000077a30470 .text C:\Program Files (x86)\AmIcoSingLun\AmIcoSinglun64.exe[1752] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000778d1570 5 bytes JMP 0000000077a303e0 .text C:\Program Files (x86)\AmIcoSingLun\AmIcoSinglun64.exe[1752] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000778d1620 5 bytes JMP 0000000077a30320 .text C:\Program Files (x86)\AmIcoSingLun\AmIcoSinglun64.exe[1752] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000778d1650 5 bytes JMP 0000000077a303b0 .text C:\Program Files (x86)\AmIcoSingLun\AmIcoSinglun64.exe[1752] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000778d1670 5 bytes JMP 0000000077a30390 .text C:\Program Files (x86)\AmIcoSingLun\AmIcoSinglun64.exe[1752] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778d16b0 5 bytes JMP 0000000077a302e0 .text C:\Program Files (x86)\AmIcoSingLun\AmIcoSinglun64.exe[1752] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000778d1730 5 bytes JMP 0000000077a302d0 .text C:\Program Files (x86)\AmIcoSingLun\AmIcoSinglun64.exe[1752] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000778d1750 5 bytes JMP 0000000077a30310 .text C:\Program Files (x86)\AmIcoSingLun\AmIcoSinglun64.exe[1752] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000778d1790 5 bytes JMP 0000000077a303c0 .text C:\Program Files (x86)\AmIcoSingLun\AmIcoSinglun64.exe[1752] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778d17e0 5 bytes JMP 0000000077a303f0 .text C:\Program Files (x86)\AmIcoSingLun\AmIcoSinglun64.exe[1752] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000778d1940 5 bytes JMP 0000000077a30230 .text C:\Program Files (x86)\AmIcoSingLun\AmIcoSinglun64.exe[1752] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000778d1b00 5 bytes JMP 0000000077a30480 .text C:\Program Files (x86)\AmIcoSingLun\AmIcoSinglun64.exe[1752] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000778d1b30 5 bytes JMP 0000000077a303a0 .text C:\Program Files (x86)\AmIcoSingLun\AmIcoSinglun64.exe[1752] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000778d1c10 5 bytes JMP 0000000077a302f0 .text C:\Program Files (x86)\AmIcoSingLun\AmIcoSinglun64.exe[1752] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000778d1c20 5 bytes JMP 0000000077a30350 .text C:\Program Files (x86)\AmIcoSingLun\AmIcoSinglun64.exe[1752] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000778d1c80 5 bytes JMP 0000000077a30290 .text C:\Program Files (x86)\AmIcoSingLun\AmIcoSinglun64.exe[1752] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000778d1d10 5 bytes JMP 0000000077a302b0 .text C:\Program Files (x86)\AmIcoSingLun\AmIcoSinglun64.exe[1752] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000778d1d30 5 bytes JMP 0000000077a303d0 .text C:\Program Files (x86)\AmIcoSingLun\AmIcoSinglun64.exe[1752] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000778d1d40 5 bytes JMP 0000000077a30330 .text C:\Program Files (x86)\AmIcoSingLun\AmIcoSinglun64.exe[1752] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000778d1db0 5 bytes JMP 0000000077a30410 .text C:\Program Files (x86)\AmIcoSingLun\AmIcoSinglun64.exe[1752] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000778d1de0 5 bytes JMP 0000000077a30240 .text C:\Program Files (x86)\AmIcoSingLun\AmIcoSinglun64.exe[1752] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778d20a0 5 bytes JMP 0000000077a301e0 .text C:\Program Files (x86)\AmIcoSingLun\AmIcoSinglun64.exe[1752] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000778d2160 5 bytes JMP 0000000077a30250 .text C:\Program Files (x86)\AmIcoSingLun\AmIcoSinglun64.exe[1752] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000778d2190 5 bytes JMP 0000000077a30490 .text C:\Program Files (x86)\AmIcoSingLun\AmIcoSinglun64.exe[1752] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778d21a0 5 bytes JMP 0000000077a304a0 .text C:\Program Files (x86)\AmIcoSingLun\AmIcoSinglun64.exe[1752] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778d21d0 5 bytes JMP 0000000077a30300 .text C:\Program Files (x86)\AmIcoSingLun\AmIcoSinglun64.exe[1752] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778d21e0 5 bytes JMP 0000000077a30360 .text C:\Program Files (x86)\AmIcoSingLun\AmIcoSinglun64.exe[1752] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000778d2240 5 bytes JMP 0000000077a302a0 .text C:\Program Files (x86)\AmIcoSingLun\AmIcoSinglun64.exe[1752] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000778d2290 5 bytes JMP 0000000077a302c0 .text C:\Program Files (x86)\AmIcoSingLun\AmIcoSinglun64.exe[1752] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000778d22c0 5 bytes JMP 0000000077a30380 .text C:\Program Files (x86)\AmIcoSingLun\AmIcoSinglun64.exe[1752] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778d22d0 5 bytes JMP 0000000077a30340 .text C:\Program Files (x86)\AmIcoSingLun\AmIcoSinglun64.exe[1752] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000778d25c0 5 bytes JMP 0000000077a30440 .text C:\Program Files (x86)\AmIcoSingLun\AmIcoSinglun64.exe[1752] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778d27c0 5 bytes JMP 0000000077a30260 .text C:\Program Files (x86)\AmIcoSingLun\AmIcoSinglun64.exe[1752] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778d27d0 5 bytes JMP 0000000077a30270 .text C:\Program Files (x86)\AmIcoSingLun\AmIcoSinglun64.exe[1752] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778d27e0 5 bytes JMP 0000000077a30400 .text C:\Program Files (x86)\AmIcoSingLun\AmIcoSinglun64.exe[1752] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778d29a0 5 bytes JMP 0000000077a301f0 .text C:\Program Files (x86)\AmIcoSingLun\AmIcoSinglun64.exe[1752] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778d29b0 5 bytes JMP 0000000077a30210 .text C:\Program Files (x86)\AmIcoSingLun\AmIcoSinglun64.exe[1752] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000778d2a20 5 bytes JMP 0000000077a30200 .text C:\Program Files (x86)\AmIcoSingLun\AmIcoSinglun64.exe[1752] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000778d2a80 5 bytes JMP 0000000077a30420 .text C:\Program Files (x86)\AmIcoSingLun\AmIcoSinglun64.exe[1752] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000778d2a90 5 bytes JMP 0000000077a30430 .text C:\Program Files (x86)\AmIcoSingLun\AmIcoSinglun64.exe[1752] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000778d2aa0 5 bytes JMP 0000000077a30220 .text C:\Program Files (x86)\AmIcoSingLun\AmIcoSinglun64.exe[1752] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000778d2b80 5 bytes JMP 0000000077a30280 .text C:\Program Files (x86)\AmIcoSingLun\AmIcoSinglun64.exe[1752] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000777bef8d 1 byte [62] .text C:\Program Files\Zune\ZuneLauncher.exe[2836] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000778d1360 5 bytes JMP 0000000077a30460 .text C:\Program Files\Zune\ZuneLauncher.exe[2836] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000778d13b0 5 bytes JMP 0000000077a30450 .text C:\Program Files\Zune\ZuneLauncher.exe[2836] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000778d1510 5 bytes JMP 0000000077a30370 .text C:\Program Files\Zune\ZuneLauncher.exe[2836] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000778d1560 5 bytes JMP 0000000077a30470 .text C:\Program Files\Zune\ZuneLauncher.exe[2836] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000778d1570 5 bytes JMP 0000000077a303e0 .text C:\Program Files\Zune\ZuneLauncher.exe[2836] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000778d1620 5 bytes JMP 0000000077a30320 .text C:\Program Files\Zune\ZuneLauncher.exe[2836] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000778d1650 5 bytes JMP 0000000077a303b0 .text C:\Program Files\Zune\ZuneLauncher.exe[2836] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000778d1670 5 bytes JMP 0000000077a30390 .text C:\Program Files\Zune\ZuneLauncher.exe[2836] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778d16b0 5 bytes JMP 0000000077a302e0 .text C:\Program Files\Zune\ZuneLauncher.exe[2836] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000778d1730 5 bytes JMP 0000000077a302d0 .text C:\Program Files\Zune\ZuneLauncher.exe[2836] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000778d1750 5 bytes JMP 0000000077a30310 .text C:\Program Files\Zune\ZuneLauncher.exe[2836] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000778d1790 5 bytes JMP 0000000077a303c0 .text C:\Program Files\Zune\ZuneLauncher.exe[2836] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778d17e0 5 bytes JMP 0000000077a303f0 .text C:\Program Files\Zune\ZuneLauncher.exe[2836] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000778d1940 5 bytes JMP 0000000077a30230 .text C:\Program Files\Zune\ZuneLauncher.exe[2836] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000778d1b00 5 bytes JMP 0000000077a30480 .text C:\Program Files\Zune\ZuneLauncher.exe[2836] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000778d1b30 5 bytes JMP 0000000077a303a0 .text C:\Program Files\Zune\ZuneLauncher.exe[2836] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000778d1c10 5 bytes JMP 0000000077a302f0 .text C:\Program Files\Zune\ZuneLauncher.exe[2836] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000778d1c20 5 bytes JMP 0000000077a30350 .text C:\Program Files\Zune\ZuneLauncher.exe[2836] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000778d1c80 5 bytes JMP 0000000077a30290 .text C:\Program Files\Zune\ZuneLauncher.exe[2836] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000778d1d10 5 bytes JMP 0000000077a302b0 .text C:\Program Files\Zune\ZuneLauncher.exe[2836] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000778d1d30 5 bytes JMP 0000000077a303d0 .text C:\Program Files\Zune\ZuneLauncher.exe[2836] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000778d1d40 5 bytes JMP 0000000077a30330 .text C:\Program Files\Zune\ZuneLauncher.exe[2836] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000778d1db0 5 bytes JMP 0000000077a30410 .text C:\Program Files\Zune\ZuneLauncher.exe[2836] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000778d1de0 5 bytes JMP 0000000077a30240 .text C:\Program Files\Zune\ZuneLauncher.exe[2836] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778d20a0 5 bytes JMP 0000000077a301e0 .text C:\Program Files\Zune\ZuneLauncher.exe[2836] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000778d2160 5 bytes JMP 0000000077a30250 .text C:\Program Files\Zune\ZuneLauncher.exe[2836] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000778d2190 5 bytes JMP 0000000077a30490 .text C:\Program Files\Zune\ZuneLauncher.exe[2836] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778d21a0 5 bytes JMP 0000000077a304a0 .text C:\Program Files\Zune\ZuneLauncher.exe[2836] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778d21d0 5 bytes JMP 0000000077a30300 .text C:\Program Files\Zune\ZuneLauncher.exe[2836] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778d21e0 5 bytes JMP 0000000077a30360 .text C:\Program Files\Zune\ZuneLauncher.exe[2836] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000778d2240 5 bytes JMP 0000000077a302a0 .text C:\Program Files\Zune\ZuneLauncher.exe[2836] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000778d2290 5 bytes JMP 0000000077a302c0 .text C:\Program Files\Zune\ZuneLauncher.exe[2836] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000778d22c0 5 bytes JMP 0000000077a30380 .text C:\Program Files\Zune\ZuneLauncher.exe[2836] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778d22d0 5 bytes JMP 0000000077a30340 .text C:\Program Files\Zune\ZuneLauncher.exe[2836] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000778d25c0 5 bytes JMP 0000000077a30440 .text C:\Program Files\Zune\ZuneLauncher.exe[2836] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778d27c0 5 bytes JMP 0000000077a30260 .text C:\Program Files\Zune\ZuneLauncher.exe[2836] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778d27d0 5 bytes JMP 0000000077a30270 .text C:\Program Files\Zune\ZuneLauncher.exe[2836] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778d27e0 5 bytes JMP 0000000077a30400 .text C:\Program Files\Zune\ZuneLauncher.exe[2836] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778d29a0 5 bytes JMP 0000000077a301f0 .text C:\Program Files\Zune\ZuneLauncher.exe[2836] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778d29b0 5 bytes JMP 0000000077a30210 .text C:\Program Files\Zune\ZuneLauncher.exe[2836] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000778d2a20 5 bytes JMP 0000000077a30200 .text C:\Program Files\Zune\ZuneLauncher.exe[2836] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000778d2a80 5 bytes JMP 0000000077a30420 .text C:\Program Files\Zune\ZuneLauncher.exe[2836] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000778d2a90 5 bytes JMP 0000000077a30430 .text C:\Program Files\Zune\ZuneLauncher.exe[2836] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000778d2aa0 5 bytes JMP 0000000077a30220 .text C:\Program Files\Zune\ZuneLauncher.exe[2836] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000778d2b80 5 bytes JMP 0000000077a30280 .text C:\Program Files\Elantech\ETDCtrl.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000778d1360 5 bytes JMP 0000000077a30460 .text C:\Program Files\Elantech\ETDCtrl.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000778d13b0 5 bytes JMP 0000000077a30450 .text C:\Program Files\Elantech\ETDCtrl.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000778d1510 5 bytes JMP 0000000077a30370 .text C:\Program Files\Elantech\ETDCtrl.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000778d1560 5 bytes JMP 0000000077a30470 .text C:\Program Files\Elantech\ETDCtrl.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000778d1570 5 bytes JMP 0000000077a303e0 .text C:\Program Files\Elantech\ETDCtrl.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000778d1620 5 bytes JMP 0000000077a30320 .text C:\Program Files\Elantech\ETDCtrl.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000778d1650 5 bytes JMP 0000000077a303b0 .text C:\Program Files\Elantech\ETDCtrl.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000778d1670 5 bytes JMP 0000000077a30390 .text C:\Program Files\Elantech\ETDCtrl.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778d16b0 5 bytes JMP 0000000077a302e0 .text C:\Program Files\Elantech\ETDCtrl.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000778d1730 5 bytes JMP 0000000077a302d0 .text C:\Program Files\Elantech\ETDCtrl.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000778d1750 5 bytes JMP 0000000077a30310 .text C:\Program Files\Elantech\ETDCtrl.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000778d1790 5 bytes JMP 0000000077a303c0 .text C:\Program Files\Elantech\ETDCtrl.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778d17e0 5 bytes JMP 0000000077a303f0 .text C:\Program Files\Elantech\ETDCtrl.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000778d1940 5 bytes JMP 0000000077a30230 .text C:\Program Files\Elantech\ETDCtrl.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000778d1b00 5 bytes JMP 0000000077a30480 .text C:\Program Files\Elantech\ETDCtrl.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000778d1b30 5 bytes JMP 0000000077a303a0 .text C:\Program Files\Elantech\ETDCtrl.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000778d1c10 5 bytes JMP 0000000077a302f0 .text C:\Program Files\Elantech\ETDCtrl.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000778d1c20 5 bytes JMP 0000000077a30350 .text C:\Program Files\Elantech\ETDCtrl.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000778d1c80 5 bytes JMP 0000000077a30290 .text C:\Program Files\Elantech\ETDCtrl.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000778d1d10 5 bytes JMP 0000000077a302b0 .text C:\Program Files\Elantech\ETDCtrl.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000778d1d30 5 bytes JMP 0000000077a303d0 .text C:\Program Files\Elantech\ETDCtrl.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000778d1d40 5 bytes JMP 0000000077a30330 .text C:\Program Files\Elantech\ETDCtrl.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000778d1db0 5 bytes JMP 0000000077a30410 .text C:\Program Files\Elantech\ETDCtrl.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000778d1de0 5 bytes JMP 0000000077a30240 .text C:\Program Files\Elantech\ETDCtrl.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778d20a0 5 bytes JMP 0000000077a301e0 .text C:\Program Files\Elantech\ETDCtrl.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000778d2160 5 bytes JMP 0000000077a30250 .text C:\Program Files\Elantech\ETDCtrl.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000778d2190 5 bytes JMP 0000000077a30490 .text C:\Program Files\Elantech\ETDCtrl.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778d21a0 5 bytes JMP 0000000077a304a0 .text C:\Program Files\Elantech\ETDCtrl.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778d21d0 5 bytes JMP 0000000077a30300 .text C:\Program Files\Elantech\ETDCtrl.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778d21e0 5 bytes JMP 0000000077a30360 .text C:\Program Files\Elantech\ETDCtrl.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000778d2240 5 bytes JMP 0000000077a302a0 .text C:\Program Files\Elantech\ETDCtrl.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000778d2290 5 bytes JMP 0000000077a302c0 .text C:\Program Files\Elantech\ETDCtrl.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000778d22c0 5 bytes JMP 0000000077a30380 .text C:\Program Files\Elantech\ETDCtrl.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778d22d0 5 bytes JMP 0000000077a30340 .text C:\Program Files\Elantech\ETDCtrl.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000778d25c0 5 bytes JMP 0000000077a30440 .text C:\Program Files\Elantech\ETDCtrl.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778d27c0 5 bytes JMP 0000000077a30260 .text C:\Program Files\Elantech\ETDCtrl.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778d27d0 5 bytes JMP 0000000077a30270 .text C:\Program Files\Elantech\ETDCtrl.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778d27e0 5 bytes JMP 0000000077a30400 .text C:\Program Files\Elantech\ETDCtrl.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778d29a0 5 bytes JMP 0000000077a301f0 .text C:\Program Files\Elantech\ETDCtrl.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778d29b0 5 bytes JMP 0000000077a30210 .text C:\Program Files\Elantech\ETDCtrl.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000778d2a20 5 bytes JMP 0000000077a30200 .text C:\Program Files\Elantech\ETDCtrl.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000778d2a80 5 bytes JMP 0000000077a30420 .text C:\Program Files\Elantech\ETDCtrl.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000778d2a90 5 bytes JMP 0000000077a30430 .text C:\Program Files\Elantech\ETDCtrl.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000778d2aa0 5 bytes JMP 0000000077a30220 .text C:\Program Files\Elantech\ETDCtrl.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000778d2b80 5 bytes JMP 0000000077a30280 .text C:\Program Files\Elantech\ETDCtrl.exe[1340] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000777bef8d 1 byte [62] .text C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe[2844] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007758a2fd 1 byte [62] ? C:\Windows\system32\mssprxy.dll [2844] entry point in ".rdata" section 000000006b7071e6 .text C:\Program Files (x86)\ASUS\ATK Package\ATKOSD2\ATKOSD2.exe[2580] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007758a2fd 1 byte [62] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[2700] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007758a2fd 1 byte [62] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[2364] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007758a2fd 1 byte [62] .text C:\Program Files (x86)\HTC\HTC Sync 3.0\htcUPCTLoader.exe[2644] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007758a2fd 1 byte [62] .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[3100] C:\Windows\syswow64\kernel32.dll!SetUnhandledExceptionFilter 0000000077568791 8 bytes [31, C0, C2, 04, 00, 90, 90, ...] .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[3100] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007758a2fd 1 byte [62] .text C:\Windows\AsScrPro.exe[3204] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007758a2fd 1 byte [62] .text C:\Windows\AsScrPro.exe[3204] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076fa1465 2 bytes [FA, 76] .text C:\Windows\AsScrPro.exe[3204] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000076fa14bb 2 bytes [FA, 76] .text ... * 2 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3340] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000778d1360 5 bytes JMP 0000000077a30460 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3340] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000778d13b0 5 bytes JMP 0000000077a30450 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3340] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000778d1510 5 bytes JMP 0000000077a30370 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3340] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000778d1560 5 bytes JMP 0000000077a30470 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3340] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000778d1570 5 bytes JMP 0000000077a303e0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3340] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000778d1620 5 bytes JMP 0000000077a30320 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3340] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000778d1650 5 bytes JMP 0000000077a303b0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3340] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000778d1670 5 bytes JMP 0000000077a30390 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3340] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778d16b0 5 bytes JMP 0000000077a302e0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3340] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000778d1730 5 bytes JMP 0000000077a302d0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3340] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000778d1750 5 bytes JMP 0000000077a30310 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3340] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000778d1790 5 bytes JMP 0000000077a303c0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3340] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778d17e0 5 bytes JMP 0000000077a303f0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3340] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000778d1940 5 bytes JMP 0000000077a30230 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3340] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000778d1b00 5 bytes JMP 0000000077a30480 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3340] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000778d1b30 5 bytes JMP 0000000077a303a0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3340] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000778d1c10 5 bytes JMP 0000000077a302f0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3340] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000778d1c20 5 bytes JMP 0000000077a30350 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3340] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000778d1c80 5 bytes JMP 0000000077a30290 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3340] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000778d1d10 5 bytes JMP 0000000077a302b0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3340] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000778d1d30 5 bytes JMP 0000000077a303d0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3340] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000778d1d40 5 bytes JMP 0000000077a30330 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3340] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000778d1db0 5 bytes JMP 0000000077a30410 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3340] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000778d1de0 5 bytes JMP 0000000077a30240 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3340] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778d20a0 5 bytes JMP 0000000077a301e0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3340] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000778d2160 5 bytes JMP 0000000077a30250 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3340] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000778d2190 5 bytes JMP 0000000077a30490 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3340] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778d21a0 5 bytes JMP 0000000077a304a0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3340] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778d21d0 5 bytes JMP 0000000077a30300 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3340] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778d21e0 5 bytes JMP 0000000077a30360 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3340] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000778d2240 5 bytes JMP 0000000077a302a0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3340] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000778d2290 5 bytes JMP 0000000077a302c0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3340] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000778d22c0 5 bytes JMP 0000000077a30380 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3340] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778d22d0 5 bytes JMP 0000000077a30340 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3340] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000778d25c0 5 bytes JMP 0000000077a30440 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3340] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778d27c0 5 bytes JMP 0000000077a30260 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3340] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778d27d0 5 bytes JMP 0000000077a30270 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3340] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778d27e0 5 bytes JMP 0000000077a30400 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3340] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778d29a0 5 bytes JMP 0000000077a301f0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3340] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778d29b0 5 bytes JMP 0000000077a30210 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3340] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000778d2a20 5 bytes JMP 0000000077a30200 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3340] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000778d2a80 5 bytes JMP 0000000077a30420 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3340] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000778d2a90 5 bytes JMP 0000000077a30430 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3340] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000778d2aa0 5 bytes JMP 0000000077a30220 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3340] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000778d2b80 5 bytes JMP 0000000077a30280 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3340] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000777bef8d 1 byte [62] .text C:\Program Files (x86)\BatBrowse\bin\utilBatBrowse.exe[3608] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 000000007758a2fd 1 byte [62] .text C:\Program Files (x86)\BatBrowse\bin\utilBatBrowse.exe[3608] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 69 0000000076fa1465 2 bytes [FA, 76] .text C:\Program Files (x86)\BatBrowse\bin\utilBatBrowse.exe[3608] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 155 0000000076fa14bb 2 bytes [FA, 76] .text ... * 2 .text C:\Program Files\ASUS\NB Probe\SPM\spmgr.exe[3956] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007758a2fd 1 byte [62] .text C:\Windows\system32\SearchIndexer.exe[2088] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000778d1360 5 bytes JMP 0000000077a30460 .text C:\Windows\system32\SearchIndexer.exe[2088] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000778d13b0 5 bytes JMP 0000000077a30450 .text C:\Windows\system32\SearchIndexer.exe[2088] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000778d1510 5 bytes JMP 0000000077a30370 .text C:\Windows\system32\SearchIndexer.exe[2088] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000778d1560 5 bytes JMP 0000000077a30470 .text C:\Windows\system32\SearchIndexer.exe[2088] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000778d1570 5 bytes JMP 0000000077a303e0 .text C:\Windows\system32\SearchIndexer.exe[2088] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000778d1620 5 bytes JMP 0000000077a30320 .text C:\Windows\system32\SearchIndexer.exe[2088] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000778d1650 5 bytes JMP 0000000077a303b0 .text C:\Windows\system32\SearchIndexer.exe[2088] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000778d1670 5 bytes JMP 0000000077a30390 .text C:\Windows\system32\SearchIndexer.exe[2088] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778d16b0 5 bytes JMP 0000000077a302e0 .text C:\Windows\system32\SearchIndexer.exe[2088] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000778d1730 5 bytes JMP 0000000077a302d0 .text C:\Windows\system32\SearchIndexer.exe[2088] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000778d1750 5 bytes JMP 0000000077a30310 .text C:\Windows\system32\SearchIndexer.exe[2088] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000778d1790 5 bytes JMP 0000000077a303c0 .text C:\Windows\system32\SearchIndexer.exe[2088] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778d17e0 5 bytes JMP 0000000077a303f0 .text C:\Windows\system32\SearchIndexer.exe[2088] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000778d1940 5 bytes JMP 0000000077a30230 .text C:\Windows\system32\SearchIndexer.exe[2088] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000778d1b00 5 bytes JMP 0000000077a30480 .text C:\Windows\system32\SearchIndexer.exe[2088] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000778d1b30 5 bytes JMP 0000000077a303a0 .text C:\Windows\system32\SearchIndexer.exe[2088] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000778d1c10 5 bytes JMP 0000000077a302f0 .text C:\Windows\system32\SearchIndexer.exe[2088] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000778d1c20 5 bytes JMP 0000000077a30350 .text C:\Windows\system32\SearchIndexer.exe[2088] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000778d1c80 5 bytes JMP 0000000077a30290 .text C:\Windows\system32\SearchIndexer.exe[2088] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000778d1d10 5 bytes JMP 0000000077a302b0 .text C:\Windows\system32\SearchIndexer.exe[2088] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000778d1d30 5 bytes JMP 0000000077a303d0 .text C:\Windows\system32\SearchIndexer.exe[2088] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000778d1d40 5 bytes JMP 0000000077a30330 .text C:\Windows\system32\SearchIndexer.exe[2088] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000778d1db0 5 bytes JMP 0000000077a30410 .text C:\Windows\system32\SearchIndexer.exe[2088] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000778d1de0 5 bytes JMP 0000000077a30240 .text C:\Windows\system32\SearchIndexer.exe[2088] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778d20a0 5 bytes JMP 0000000077a301e0 .text C:\Windows\system32\SearchIndexer.exe[2088] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000778d2160 5 bytes JMP 0000000077a30250 .text C:\Windows\system32\SearchIndexer.exe[2088] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000778d2190 5 bytes JMP 0000000077a30490 .text C:\Windows\system32\SearchIndexer.exe[2088] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778d21a0 5 bytes JMP 0000000077a304a0 .text C:\Windows\system32\SearchIndexer.exe[2088] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778d21d0 5 bytes JMP 0000000077a30300 .text C:\Windows\system32\SearchIndexer.exe[2088] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778d21e0 5 bytes JMP 0000000077a30360 .text C:\Windows\system32\SearchIndexer.exe[2088] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000778d2240 5 bytes JMP 0000000077a302a0 .text C:\Windows\system32\SearchIndexer.exe[2088] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000778d2290 5 bytes JMP 0000000077a302c0 .text C:\Windows\system32\SearchIndexer.exe[2088] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000778d22c0 5 bytes JMP 0000000077a30380 .text C:\Windows\system32\SearchIndexer.exe[2088] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778d22d0 5 bytes JMP 0000000077a30340 .text C:\Windows\system32\SearchIndexer.exe[2088] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000778d25c0 5 bytes JMP 0000000077a30440 .text C:\Windows\system32\SearchIndexer.exe[2088] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778d27c0 5 bytes JMP 0000000077a30260 .text C:\Windows\system32\SearchIndexer.exe[2088] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778d27d0 5 bytes JMP 0000000077a30270 .text C:\Windows\system32\SearchIndexer.exe[2088] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778d27e0 5 bytes JMP 0000000077a30400 .text C:\Windows\system32\SearchIndexer.exe[2088] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778d29a0 5 bytes JMP 0000000077a301f0 .text C:\Windows\system32\SearchIndexer.exe[2088] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778d29b0 5 bytes JMP 0000000077a30210 .text C:\Windows\system32\SearchIndexer.exe[2088] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000778d2a20 5 bytes JMP 0000000077a30200 .text C:\Windows\system32\SearchIndexer.exe[2088] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000778d2a80 5 bytes JMP 0000000077a30420 .text C:\Windows\system32\SearchIndexer.exe[2088] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000778d2a90 5 bytes JMP 0000000077a30430 .text C:\Windows\system32\SearchIndexer.exe[2088] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000778d2aa0 5 bytes JMP 0000000077a30220 .text C:\Windows\system32\SearchIndexer.exe[2088] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000778d2b80 5 bytes JMP 0000000077a30280 .text C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\SRSPremiumPanel_64.exe[2996] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000778d1360 5 bytes JMP 0000000077a30460 .text C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\SRSPremiumPanel_64.exe[2996] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000778d13b0 5 bytes JMP 0000000077a30450 .text C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\SRSPremiumPanel_64.exe[2996] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000778d1510 5 bytes JMP 0000000077a30370 .text C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\SRSPremiumPanel_64.exe[2996] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000778d1560 5 bytes JMP 0000000077a30470 .text C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\SRSPremiumPanel_64.exe[2996] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000778d1570 5 bytes JMP 0000000077a303e0 .text C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\SRSPremiumPanel_64.exe[2996] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000778d1620 5 bytes JMP 0000000077a30320 .text C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\SRSPremiumPanel_64.exe[2996] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000778d1650 5 bytes JMP 0000000077a303b0 .text C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\SRSPremiumPanel_64.exe[2996] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000778d1670 5 bytes JMP 0000000077a30390 .text C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\SRSPremiumPanel_64.exe[2996] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778d16b0 5 bytes JMP 0000000077a302e0 .text C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\SRSPremiumPanel_64.exe[2996] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000778d1730 5 bytes JMP 0000000077a302d0 .text C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\SRSPremiumPanel_64.exe[2996] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000778d1750 5 bytes JMP 0000000077a30310 .text C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\SRSPremiumPanel_64.exe[2996] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000778d1790 5 bytes JMP 0000000077a303c0 .text C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\SRSPremiumPanel_64.exe[2996] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778d17e0 5 bytes JMP 0000000077a303f0 .text C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\SRSPremiumPanel_64.exe[2996] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000778d1940 5 bytes JMP 0000000077a30230 .text C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\SRSPremiumPanel_64.exe[2996] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000778d1b00 5 bytes JMP 0000000077a30480 .text C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\SRSPremiumPanel_64.exe[2996] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000778d1b30 5 bytes JMP 0000000077a303a0 .text C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\SRSPremiumPanel_64.exe[2996] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000778d1c10 5 bytes JMP 0000000077a302f0 .text C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\SRSPremiumPanel_64.exe[2996] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000778d1c20 5 bytes JMP 0000000077a30350 .text C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\SRSPremiumPanel_64.exe[2996] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000778d1c80 5 bytes JMP 0000000077a30290 .text C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\SRSPremiumPanel_64.exe[2996] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000778d1d10 5 bytes JMP 0000000077a302b0 .text C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\SRSPremiumPanel_64.exe[2996] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000778d1d30 5 bytes JMP 0000000077a303d0 .text C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\SRSPremiumPanel_64.exe[2996] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000778d1d40 5 bytes JMP 0000000077a30330 .text C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\SRSPremiumPanel_64.exe[2996] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000778d1db0 5 bytes JMP 0000000077a30410 .text C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\SRSPremiumPanel_64.exe[2996] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000778d1de0 5 bytes JMP 0000000077a30240 .text C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\SRSPremiumPanel_64.exe[2996] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778d20a0 5 bytes JMP 0000000077a301e0 .text C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\SRSPremiumPanel_64.exe[2996] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000778d2160 5 bytes JMP 0000000077a30250 .text C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\SRSPremiumPanel_64.exe[2996] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000778d2190 5 bytes JMP 0000000077a30490 .text C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\SRSPremiumPanel_64.exe[2996] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778d21a0 5 bytes JMP 0000000077a304a0 .text C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\SRSPremiumPanel_64.exe[2996] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778d21d0 5 bytes JMP 0000000077a30300 .text C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\SRSPremiumPanel_64.exe[2996] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778d21e0 5 bytes JMP 0000000077a30360 .text C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\SRSPremiumPanel_64.exe[2996] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000778d2240 5 bytes JMP 0000000077a302a0 .text C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\SRSPremiumPanel_64.exe[2996] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000778d2290 5 bytes JMP 0000000077a302c0 .text C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\SRSPremiumPanel_64.exe[2996] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000778d22c0 5 bytes JMP 0000000077a30380 .text C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\SRSPremiumPanel_64.exe[2996] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778d22d0 5 bytes JMP 0000000077a30340 .text C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\SRSPremiumPanel_64.exe[2996] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000778d25c0 5 bytes JMP 0000000077a30440 .text C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\SRSPremiumPanel_64.exe[2996] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778d27c0 5 bytes JMP 0000000077a30260 .text C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\SRSPremiumPanel_64.exe[2996] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778d27d0 5 bytes JMP 0000000077a30270 .text C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\SRSPremiumPanel_64.exe[2996] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778d27e0 5 bytes JMP 0000000077a30400 .text C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\SRSPremiumPanel_64.exe[2996] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778d29a0 5 bytes JMP 0000000077a301f0 .text C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\SRSPremiumPanel_64.exe[2996] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778d29b0 5 bytes JMP 0000000077a30210 .text C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\SRSPremiumPanel_64.exe[2996] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000778d2a20 5 bytes JMP 0000000077a30200 .text C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\SRSPremiumPanel_64.exe[2996] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000778d2a80 5 bytes JMP 0000000077a30420 .text C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\SRSPremiumPanel_64.exe[2996] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000778d2a90 5 bytes JMP 0000000077a30430 .text C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\SRSPremiumPanel_64.exe[2996] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000778d2aa0 5 bytes JMP 0000000077a30220 .text C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\SRSPremiumPanel_64.exe[2996] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000778d2b80 5 bytes JMP 0000000077a30280 .text C:\Program Files (x86)\BatBrowse\bin\BatBrowse.BrowserAdapter.exe[4472] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007758a2fd 1 byte [62] .text C:\Windows\System32\svchost.exe[3588] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000777bef8d 1 byte [62] .text C:\Windows\system32\wuauclt.exe[3080] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000778d1360 5 bytes JMP 0000000077a30460 .text C:\Windows\system32\wuauclt.exe[3080] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000778d13b0 5 bytes JMP 0000000077a30450 .text C:\Windows\system32\wuauclt.exe[3080] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000778d1510 5 bytes JMP 0000000077a30370 .text C:\Windows\system32\wuauclt.exe[3080] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000778d1560 5 bytes JMP 0000000077a30470 .text C:\Windows\system32\wuauclt.exe[3080] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000778d1570 5 bytes JMP 0000000077a303e0 .text C:\Windows\system32\wuauclt.exe[3080] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000778d1620 5 bytes JMP 0000000077a30320 .text C:\Windows\system32\wuauclt.exe[3080] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000778d1650 5 bytes JMP 0000000077a303b0 .text C:\Windows\system32\wuauclt.exe[3080] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000778d1670 5 bytes JMP 0000000077a30390 .text C:\Windows\system32\wuauclt.exe[3080] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778d16b0 5 bytes JMP 0000000077a302e0 .text C:\Windows\system32\wuauclt.exe[3080] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000778d1730 5 bytes JMP 0000000077a302d0 .text C:\Windows\system32\wuauclt.exe[3080] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000778d1750 5 bytes JMP 0000000077a30310 .text C:\Windows\system32\wuauclt.exe[3080] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000778d1790 5 bytes JMP 0000000077a303c0 .text C:\Windows\system32\wuauclt.exe[3080] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778d17e0 5 bytes JMP 0000000077a303f0 .text C:\Windows\system32\wuauclt.exe[3080] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000778d1940 5 bytes JMP 0000000077a30230 .text C:\Windows\system32\wuauclt.exe[3080] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000778d1b00 5 bytes JMP 0000000077a30480 .text C:\Windows\system32\wuauclt.exe[3080] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000778d1b30 5 bytes JMP 0000000077a303a0 .text C:\Windows\system32\wuauclt.exe[3080] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000778d1c10 5 bytes JMP 0000000077a302f0 .text C:\Windows\system32\wuauclt.exe[3080] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000778d1c20 5 bytes JMP 0000000077a30350 .text C:\Windows\system32\wuauclt.exe[3080] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000778d1c80 5 bytes JMP 0000000077a30290 .text C:\Windows\system32\wuauclt.exe[3080] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000778d1d10 5 bytes JMP 0000000077a302b0 .text C:\Windows\system32\wuauclt.exe[3080] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000778d1d30 5 bytes JMP 0000000077a303d0 .text C:\Windows\system32\wuauclt.exe[3080] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000778d1d40 5 bytes JMP 0000000077a30330 .text C:\Windows\system32\wuauclt.exe[3080] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000778d1db0 5 bytes JMP 0000000077a30410 .text C:\Windows\system32\wuauclt.exe[3080] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000778d1de0 5 bytes JMP 0000000077a30240 .text C:\Windows\system32\wuauclt.exe[3080] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778d20a0 5 bytes JMP 0000000077a301e0 .text C:\Windows\system32\wuauclt.exe[3080] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000778d2160 5 bytes JMP 0000000077a30250 .text C:\Windows\system32\wuauclt.exe[3080] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000778d2190 5 bytes JMP 0000000077a30490 .text C:\Windows\system32\wuauclt.exe[3080] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778d21a0 5 bytes JMP 0000000077a304a0 .text C:\Windows\system32\wuauclt.exe[3080] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778d21d0 5 bytes JMP 0000000077a30300 .text C:\Windows\system32\wuauclt.exe[3080] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778d21e0 5 bytes JMP 0000000077a30360 .text C:\Windows\system32\wuauclt.exe[3080] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000778d2240 5 bytes JMP 0000000077a302a0 .text C:\Windows\system32\wuauclt.exe[3080] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000778d2290 5 bytes JMP 0000000077a302c0 .text C:\Windows\system32\wuauclt.exe[3080] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000778d22c0 5 bytes JMP 0000000077a30380 .text C:\Windows\system32\wuauclt.exe[3080] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778d22d0 5 bytes JMP 0000000077a30340 .text C:\Windows\system32\wuauclt.exe[3080] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000778d25c0 5 bytes JMP 0000000077a30440 .text C:\Windows\system32\wuauclt.exe[3080] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778d27c0 5 bytes JMP 0000000077a30260 .text C:\Windows\system32\wuauclt.exe[3080] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778d27d0 5 bytes JMP 0000000077a30270 .text C:\Windows\system32\wuauclt.exe[3080] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778d27e0 5 bytes JMP 0000000077a30400 .text C:\Windows\system32\wuauclt.exe[3080] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778d29a0 5 bytes JMP 0000000077a301f0 .text C:\Windows\system32\wuauclt.exe[3080] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778d29b0 5 bytes JMP 0000000077a30210 .text C:\Windows\system32\wuauclt.exe[3080] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000778d2a20 5 bytes JMP 0000000077a30200 .text C:\Windows\system32\wuauclt.exe[3080] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000778d2a80 5 bytes JMP 0000000077a30420 .text C:\Windows\system32\wuauclt.exe[3080] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000778d2a90 5 bytes JMP 0000000077a30430 .text C:\Windows\system32\wuauclt.exe[3080] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000778d2aa0 5 bytes JMP 0000000077a30220 .text C:\Windows\system32\wuauclt.exe[3080] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000778d2b80 5 bytes JMP 0000000077a30280 .text C:\Windows\notepad.exe[3200] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000778d1360 5 bytes JMP 0000000100070460 .text C:\Windows\notepad.exe[3200] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000778d13b0 5 bytes JMP 0000000100070450 .text C:\Windows\notepad.exe[3200] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000778d1510 5 bytes JMP 0000000100070370 .text C:\Windows\notepad.exe[3200] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000778d1560 5 bytes JMP 0000000100070470 .text C:\Windows\notepad.exe[3200] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000778d1570 5 bytes JMP 00000001000703e0 .text C:\Windows\notepad.exe[3200] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000778d1620 5 bytes JMP 0000000100070320 .text C:\Windows\notepad.exe[3200] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000778d1650 5 bytes JMP 00000001000703b0 .text C:\Windows\notepad.exe[3200] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000778d1670 5 bytes JMP 0000000100070390 .text C:\Windows\notepad.exe[3200] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778d16b0 5 bytes JMP 00000001000702e0 .text C:\Windows\notepad.exe[3200] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000778d1730 5 bytes JMP 00000001000702d0 .text C:\Windows\notepad.exe[3200] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000778d1750 5 bytes JMP 0000000100070310 .text C:\Windows\notepad.exe[3200] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000778d1790 5 bytes JMP 00000001000703c0 .text C:\Windows\notepad.exe[3200] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778d17e0 5 bytes JMP 00000001000703f0 .text C:\Windows\notepad.exe[3200] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000778d1940 5 bytes JMP 0000000100070230 .text C:\Windows\notepad.exe[3200] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000778d1b00 5 bytes JMP 0000000100070480 .text C:\Windows\notepad.exe[3200] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000778d1b30 5 bytes JMP 00000001000703a0 .text C:\Windows\notepad.exe[3200] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000778d1c10 5 bytes JMP 00000001000702f0 .text C:\Windows\notepad.exe[3200] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000778d1c20 5 bytes JMP 0000000100070350 .text C:\Windows\notepad.exe[3200] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000778d1c80 5 bytes JMP 0000000100070290 .text C:\Windows\notepad.exe[3200] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000778d1d10 5 bytes JMP 00000001000702b0 .text C:\Windows\notepad.exe[3200] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000778d1d30 5 bytes JMP 00000001000703d0 .text C:\Windows\notepad.exe[3200] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000778d1d40 5 bytes JMP 0000000100070330 .text C:\Windows\notepad.exe[3200] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000778d1db0 5 bytes JMP 0000000100070410 .text C:\Windows\notepad.exe[3200] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000778d1de0 5 bytes JMP 0000000100070240 .text C:\Windows\notepad.exe[3200] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778d20a0 5 bytes JMP 00000001000701e0 .text C:\Windows\notepad.exe[3200] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000778d2160 5 bytes JMP 0000000100070250 .text C:\Windows\notepad.exe[3200] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000778d2190 5 bytes JMP 0000000100070490 .text C:\Windows\notepad.exe[3200] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778d21a0 5 bytes JMP 00000001000704a0 .text C:\Windows\notepad.exe[3200] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778d21d0 5 bytes JMP 0000000100070300 .text C:\Windows\notepad.exe[3200] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778d21e0 5 bytes JMP 0000000100070360 .text C:\Windows\notepad.exe[3200] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000778d2240 5 bytes JMP 00000001000702a0 .text C:\Windows\notepad.exe[3200] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000778d2290 5 bytes JMP 00000001000702c0 .text C:\Windows\notepad.exe[3200] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000778d22c0 5 bytes JMP 0000000100070380 .text C:\Windows\notepad.exe[3200] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778d22d0 5 bytes JMP 0000000100070340 .text C:\Windows\notepad.exe[3200] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000778d25c0 5 bytes JMP 0000000100070440 .text C:\Windows\notepad.exe[3200] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778d27c0 5 bytes JMP 0000000100070260 .text C:\Windows\notepad.exe[3200] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778d27d0 5 bytes JMP 0000000100070270 .text C:\Windows\notepad.exe[3200] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778d27e0 5 bytes JMP 0000000100070400 .text C:\Windows\notepad.exe[3200] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778d29a0 5 bytes JMP 00000001000701f0 .text C:\Windows\notepad.exe[3200] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778d29b0 5 bytes JMP 0000000100070210 .text C:\Windows\notepad.exe[3200] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000778d2a20 5 bytes JMP 0000000100070200 .text C:\Windows\notepad.exe[3200] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000778d2a80 5 bytes JMP 0000000100070420 .text C:\Windows\notepad.exe[3200] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000778d2a90 5 bytes JMP 0000000100070430 .text C:\Windows\notepad.exe[3200] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000778d2aa0 5 bytes JMP 0000000100070220 .text C:\Windows\notepad.exe[3200] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000778d2b80 5 bytes JMP 0000000100070280 .text C:\Windows\notepad.exe[3200] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000777bef8d 1 byte [62] .text C:\Users\agrawa\Desktop\umr1zny3.exe[1648] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007758a2fd 1 byte [62] ---- Processes - GMER 2.1 ---- Process C:\ProgramData\WPM\wprotectmanager.exe (*** suspicious ***) @ C:\ProgramData\WPM\wprotectmanager.exe [1756] (WPM Service/Cherished Technololgy LIMITED)(2 0000000000930000 Library C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{E7372446-1020-4FEE-832D-55360EC0A422}\offreg.dll (*** suspicious ***) @ C:\Windows\System32\svchost.exe [3588](2014-05-26 10:32:55) 000007fefc300000 ---- EOF - GMER 2.1 ----