GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2014-07-20 11:58:50 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 SAMSUNG_ rev.2AJ1 298,09GB Running: nwprgw42.exe; Driver: C:\Users\Justyna\AppData\Local\Temp\fxdyrpoc.sys ---- Kernel code sections - GMER 2.1 ---- INITKDBG C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 544 fffff80003609000 63 bytes [00, 00, 00, 00, 00, 00, 00, ...] INITKDBG C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 610 fffff80003609042 4 bytes [00, 00, 00, 00] ---- User code sections - GMER 2.1 ---- .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077801360 5 bytes JMP 0000000149720460 .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000778013b0 5 bytes JMP 0000000149720450 .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077801510 5 bytes JMP 0000000149720370 .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077801560 5 bytes JMP 0000000149720470 .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077801570 5 bytes JMP 00000001497203e0 .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077801620 5 bytes JMP 0000000149720320 .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077801650 5 bytes JMP 00000001497203b0 .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077801670 5 bytes JMP 0000000149720390 .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778016b0 5 bytes JMP 00000001497202e0 .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077801730 5 bytes JMP 00000001497202d0 .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077801750 5 bytes JMP 0000000149720310 .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077801790 5 bytes JMP 00000001497203c0 .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778017e0 5 bytes JMP 00000001497203f0 .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077801940 5 bytes JMP 0000000149720230 .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077801b00 5 bytes JMP 0000000149720480 .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077801b30 5 bytes JMP 00000001497203a0 .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077801c10 5 bytes JMP 00000001497202f0 .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077801c20 5 bytes JMP 0000000149720350 .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077801c80 5 bytes JMP 0000000149720290 .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077801d10 5 bytes JMP 00000001497202b0 .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077801d30 5 bytes JMP 00000001497203d0 .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077801d40 5 bytes JMP 0000000149720330 .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077801db0 5 bytes JMP 0000000149720410 .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077801de0 5 bytes JMP 0000000149720240 .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778020a0 5 bytes JMP 00000001497201e0 .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077802160 5 bytes JMP 0000000149720250 .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077802190 5 bytes JMP 0000000149720490 .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778021a0 5 bytes JMP 00000001497204a0 .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778021d0 5 bytes JMP 0000000149720300 .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778021e0 5 bytes JMP 0000000149720360 .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077802240 5 bytes JMP 00000001497202a0 .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077802290 5 bytes JMP 00000001497202c0 .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000778022c0 5 bytes JMP 0000000149720380 .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778022d0 5 bytes JMP 0000000149720340 .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000778025c0 5 bytes JMP 0000000149720440 .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778027c0 5 bytes JMP 0000000149720260 .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778027d0 5 bytes JMP 0000000149720270 .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778027e0 5 bytes JMP 0000000149720400 .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778029a0 5 bytes JMP 00000001497201f0 .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778029b0 5 bytes JMP 0000000149720210 .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077802a20 5 bytes JMP 0000000149720200 .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077802a80 5 bytes JMP 0000000149720420 .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077802a90 5 bytes JMP 0000000149720430 .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077802aa0 5 bytes JMP 0000000149720220 .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077802b80 5 bytes JMP 0000000149720280 .text C:\Windows\system32\csrss.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077801360 5 bytes JMP 0000000149720460 .text C:\Windows\system32\csrss.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000778013b0 5 bytes JMP 0000000149720450 .text C:\Windows\system32\csrss.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077801510 5 bytes JMP 0000000149720370 .text C:\Windows\system32\csrss.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077801560 5 bytes JMP 0000000149720470 .text C:\Windows\system32\csrss.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077801570 5 bytes JMP 00000001497203e0 .text C:\Windows\system32\csrss.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077801620 5 bytes JMP 0000000149720320 .text C:\Windows\system32\csrss.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077801650 5 bytes JMP 00000001497203b0 .text C:\Windows\system32\csrss.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077801670 5 bytes JMP 0000000149720390 .text C:\Windows\system32\csrss.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778016b0 5 bytes JMP 00000001497202e0 .text C:\Windows\system32\csrss.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077801730 5 bytes JMP 00000001497202d0 .text C:\Windows\system32\csrss.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077801750 5 bytes JMP 0000000149720310 .text C:\Windows\system32\csrss.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077801790 5 bytes JMP 00000001497203c0 .text C:\Windows\system32\csrss.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778017e0 5 bytes JMP 00000001497203f0 .text C:\Windows\system32\csrss.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077801940 5 bytes JMP 0000000149720230 .text C:\Windows\system32\csrss.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077801b00 5 bytes JMP 0000000149720480 .text C:\Windows\system32\csrss.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077801b30 5 bytes JMP 00000001497203a0 .text C:\Windows\system32\csrss.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077801c10 5 bytes JMP 00000001497202f0 .text C:\Windows\system32\csrss.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077801c20 5 bytes JMP 0000000149720350 .text C:\Windows\system32\csrss.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077801c80 5 bytes JMP 0000000149720290 .text C:\Windows\system32\csrss.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077801d10 5 bytes JMP 00000001497202b0 .text C:\Windows\system32\csrss.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077801d30 5 bytes JMP 00000001497203d0 .text C:\Windows\system32\csrss.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077801d40 5 bytes JMP 0000000149720330 .text C:\Windows\system32\csrss.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077801db0 5 bytes JMP 0000000149720410 .text C:\Windows\system32\csrss.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077801de0 5 bytes JMP 0000000149720240 .text C:\Windows\system32\csrss.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778020a0 5 bytes JMP 00000001497201e0 .text C:\Windows\system32\csrss.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077802160 5 bytes JMP 0000000149720250 .text C:\Windows\system32\csrss.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077802190 5 bytes JMP 0000000149720490 .text C:\Windows\system32\csrss.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778021a0 5 bytes JMP 00000001497204a0 .text C:\Windows\system32\csrss.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778021d0 5 bytes JMP 0000000149720300 .text C:\Windows\system32\csrss.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778021e0 5 bytes JMP 0000000149720360 .text C:\Windows\system32\csrss.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077802240 5 bytes JMP 00000001497202a0 .text C:\Windows\system32\csrss.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077802290 5 bytes JMP 00000001497202c0 .text C:\Windows\system32\csrss.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000778022c0 5 bytes JMP 0000000149720380 .text C:\Windows\system32\csrss.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778022d0 5 bytes JMP 0000000149720340 .text C:\Windows\system32\csrss.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000778025c0 5 bytes JMP 0000000149720440 .text C:\Windows\system32\csrss.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778027c0 5 bytes JMP 0000000149720260 .text C:\Windows\system32\csrss.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778027d0 5 bytes JMP 0000000149720270 .text C:\Windows\system32\csrss.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778027e0 5 bytes JMP 0000000149720400 .text C:\Windows\system32\csrss.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778029a0 5 bytes JMP 00000001497201f0 .text C:\Windows\system32\csrss.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778029b0 5 bytes JMP 0000000149720210 .text C:\Windows\system32\csrss.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077802a20 5 bytes JMP 0000000149720200 .text C:\Windows\system32\csrss.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077802a80 5 bytes JMP 0000000149720420 .text C:\Windows\system32\csrss.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077802a90 5 bytes JMP 0000000149720430 .text C:\Windows\system32\csrss.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077802aa0 5 bytes JMP 0000000149720220 .text C:\Windows\system32\csrss.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077802b80 5 bytes JMP 0000000149720280 .text C:\Windows\system32\wininit.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077801360 5 bytes JMP 0000000077960460 .text C:\Windows\system32\wininit.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000778013b0 5 bytes JMP 0000000077960450 .text C:\Windows\system32\wininit.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077801510 5 bytes JMP 0000000077960370 .text C:\Windows\system32\wininit.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077801560 5 bytes JMP 0000000077960470 .text C:\Windows\system32\wininit.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077801570 5 bytes JMP 00000000779603e0 .text C:\Windows\system32\wininit.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077801620 5 bytes JMP 0000000077960320 .text C:\Windows\system32\wininit.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077801650 5 bytes JMP 00000000779603b0 .text C:\Windows\system32\wininit.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077801670 5 bytes JMP 0000000077960390 .text C:\Windows\system32\wininit.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778016b0 5 bytes JMP 00000000779602e0 .text C:\Windows\system32\wininit.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077801730 5 bytes JMP 00000000779602d0 .text C:\Windows\system32\wininit.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077801750 5 bytes JMP 0000000077960310 .text C:\Windows\system32\wininit.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077801790 5 bytes JMP 00000000779603c0 .text C:\Windows\system32\wininit.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778017e0 5 bytes JMP 00000000779603f0 .text C:\Windows\system32\wininit.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077801940 5 bytes JMP 0000000077960230 .text C:\Windows\system32\wininit.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077801b00 5 bytes JMP 0000000077960480 .text C:\Windows\system32\wininit.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077801b30 5 bytes JMP 00000000779603a0 .text C:\Windows\system32\wininit.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077801c10 5 bytes JMP 00000000779602f0 .text C:\Windows\system32\wininit.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077801c20 5 bytes JMP 0000000077960350 .text C:\Windows\system32\wininit.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077801c80 5 bytes JMP 0000000077960290 .text C:\Windows\system32\wininit.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077801d10 5 bytes JMP 00000000779602b0 .text C:\Windows\system32\wininit.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077801d30 5 bytes JMP 00000000779603d0 .text C:\Windows\system32\wininit.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077801d40 5 bytes JMP 0000000077960330 .text C:\Windows\system32\wininit.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077801db0 5 bytes JMP 0000000077960410 .text C:\Windows\system32\wininit.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077801de0 5 bytes JMP 0000000077960240 .text C:\Windows\system32\wininit.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778020a0 5 bytes JMP 00000000779601e0 .text C:\Windows\system32\wininit.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077802160 5 bytes JMP 0000000077960250 .text C:\Windows\system32\wininit.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077802190 5 bytes JMP 0000000077960490 .text C:\Windows\system32\wininit.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778021a0 5 bytes JMP 00000000779604a0 .text C:\Windows\system32\wininit.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778021d0 5 bytes JMP 0000000077960300 .text C:\Windows\system32\wininit.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778021e0 5 bytes JMP 0000000077960360 .text C:\Windows\system32\wininit.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077802240 5 bytes JMP 00000000779602a0 .text C:\Windows\system32\wininit.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077802290 5 bytes JMP 00000000779602c0 .text C:\Windows\system32\wininit.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000778022c0 5 bytes JMP 0000000077960380 .text C:\Windows\system32\wininit.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778022d0 5 bytes JMP 0000000077960340 .text C:\Windows\system32\wininit.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000778025c0 5 bytes JMP 0000000077960440 .text C:\Windows\system32\wininit.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778027c0 5 bytes JMP 0000000077960260 .text C:\Windows\system32\wininit.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778027d0 5 bytes JMP 0000000077960270 .text C:\Windows\system32\wininit.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778027e0 5 bytes JMP 0000000077960400 .text C:\Windows\system32\wininit.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778029a0 5 bytes JMP 00000000779601f0 .text C:\Windows\system32\wininit.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778029b0 5 bytes JMP 0000000077960210 .text C:\Windows\system32\wininit.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077802a20 5 bytes JMP 0000000077960200 .text C:\Windows\system32\wininit.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077802a80 5 bytes JMP 0000000077960420 .text C:\Windows\system32\wininit.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077802a90 5 bytes JMP 0000000077960430 .text C:\Windows\system32\wininit.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077802aa0 5 bytes JMP 0000000077960220 .text C:\Windows\system32\wininit.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077802b80 5 bytes JMP 0000000077960280 .text C:\Windows\system32\wininit.exe[548] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000776eeecd 1 byte [62] .text C:\Windows\system32\winlogon.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077801360 5 bytes JMP 0000000077960460 .text C:\Windows\system32\winlogon.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000778013b0 5 bytes JMP 0000000077960450 .text C:\Windows\system32\winlogon.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077801510 5 bytes JMP 0000000077960370 .text C:\Windows\system32\winlogon.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077801560 5 bytes JMP 0000000077960470 .text C:\Windows\system32\winlogon.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077801570 5 bytes JMP 00000000779603e0 .text C:\Windows\system32\winlogon.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077801620 5 bytes JMP 0000000077960320 .text C:\Windows\system32\winlogon.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077801650 5 bytes JMP 00000000779603b0 .text C:\Windows\system32\winlogon.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077801670 5 bytes JMP 0000000077960390 .text C:\Windows\system32\winlogon.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778016b0 5 bytes JMP 00000000779602e0 .text C:\Windows\system32\winlogon.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077801730 5 bytes JMP 00000000779602d0 .text C:\Windows\system32\winlogon.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077801750 5 bytes JMP 0000000077960310 .text C:\Windows\system32\winlogon.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077801790 5 bytes JMP 00000000779603c0 .text C:\Windows\system32\winlogon.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778017e0 5 bytes JMP 00000000779603f0 .text C:\Windows\system32\winlogon.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077801940 5 bytes JMP 0000000077960230 .text C:\Windows\system32\winlogon.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077801b00 5 bytes JMP 0000000077960480 .text C:\Windows\system32\winlogon.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077801b30 5 bytes JMP 00000000779603a0 .text C:\Windows\system32\winlogon.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077801c10 5 bytes JMP 00000000779602f0 .text C:\Windows\system32\winlogon.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077801c20 5 bytes JMP 0000000077960350 .text C:\Windows\system32\winlogon.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077801c80 5 bytes JMP 0000000077960290 .text C:\Windows\system32\winlogon.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077801d10 5 bytes JMP 00000000779602b0 .text C:\Windows\system32\winlogon.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077801d30 5 bytes JMP 00000000779603d0 .text C:\Windows\system32\winlogon.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077801d40 5 bytes JMP 0000000077960330 .text C:\Windows\system32\winlogon.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077801db0 5 bytes JMP 0000000077960410 .text C:\Windows\system32\winlogon.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077801de0 5 bytes JMP 0000000077960240 .text C:\Windows\system32\winlogon.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778020a0 5 bytes JMP 00000000779601e0 .text C:\Windows\system32\winlogon.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077802160 5 bytes JMP 0000000077960250 .text C:\Windows\system32\winlogon.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077802190 5 bytes JMP 0000000077960490 .text C:\Windows\system32\winlogon.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778021a0 5 bytes JMP 00000000779604a0 .text C:\Windows\system32\winlogon.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778021d0 5 bytes JMP 0000000077960300 .text C:\Windows\system32\winlogon.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778021e0 5 bytes JMP 0000000077960360 .text C:\Windows\system32\winlogon.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077802240 5 bytes JMP 00000000779602a0 .text C:\Windows\system32\winlogon.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077802290 5 bytes JMP 00000000779602c0 .text C:\Windows\system32\winlogon.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000778022c0 5 bytes JMP 0000000077960380 .text C:\Windows\system32\winlogon.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778022d0 5 bytes JMP 0000000077960340 .text C:\Windows\system32\winlogon.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000778025c0 5 bytes JMP 0000000077960440 .text C:\Windows\system32\winlogon.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778027c0 5 bytes JMP 0000000077960260 .text C:\Windows\system32\winlogon.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778027d0 5 bytes JMP 0000000077960270 .text C:\Windows\system32\winlogon.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778027e0 5 bytes JMP 0000000077960400 .text C:\Windows\system32\winlogon.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778029a0 5 bytes JMP 00000000779601f0 .text C:\Windows\system32\winlogon.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778029b0 5 bytes JMP 0000000077960210 .text C:\Windows\system32\winlogon.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077802a20 5 bytes JMP 0000000077960200 .text C:\Windows\system32\winlogon.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077802a80 5 bytes JMP 0000000077960420 .text C:\Windows\system32\winlogon.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077802a90 5 bytes JMP 0000000077960430 .text C:\Windows\system32\winlogon.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077802aa0 5 bytes JMP 0000000077960220 .text C:\Windows\system32\winlogon.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077802b80 5 bytes JMP 0000000077960280 .text C:\Windows\system32\winlogon.exe[596] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000776eeecd 1 byte [62] .text C:\Windows\system32\services.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077801360 5 bytes JMP 0000000077960460 .text C:\Windows\system32\services.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000778013b0 5 bytes JMP 0000000077960450 .text C:\Windows\system32\services.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077801510 5 bytes JMP 0000000077960370 .text C:\Windows\system32\services.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077801560 5 bytes JMP 0000000077960470 .text C:\Windows\system32\services.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077801570 5 bytes JMP 00000000779603e0 .text C:\Windows\system32\services.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077801620 5 bytes JMP 0000000077960320 .text C:\Windows\system32\services.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077801650 5 bytes JMP 00000000779603b0 .text C:\Windows\system32\services.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077801670 5 bytes JMP 0000000077960390 .text C:\Windows\system32\services.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778016b0 5 bytes JMP 00000000779602e0 .text C:\Windows\system32\services.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077801730 5 bytes JMP 00000000779602d0 .text C:\Windows\system32\services.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077801750 5 bytes JMP 0000000077960310 .text C:\Windows\system32\services.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077801790 5 bytes JMP 00000000779603c0 .text C:\Windows\system32\services.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778017e0 5 bytes JMP 00000000779603f0 .text C:\Windows\system32\services.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077801940 5 bytes JMP 0000000077960230 .text C:\Windows\system32\services.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077801b00 5 bytes JMP 0000000077960480 .text C:\Windows\system32\services.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077801b30 5 bytes JMP 00000000779603a0 .text C:\Windows\system32\services.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077801c10 5 bytes JMP 00000000779602f0 .text C:\Windows\system32\services.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077801c20 5 bytes JMP 0000000077960350 .text C:\Windows\system32\services.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077801c80 5 bytes JMP 0000000077960290 .text C:\Windows\system32\services.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077801d10 5 bytes JMP 00000000779602b0 .text C:\Windows\system32\services.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077801d30 5 bytes JMP 00000000779603d0 .text C:\Windows\system32\services.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077801d40 5 bytes JMP 0000000077960330 .text C:\Windows\system32\services.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077801db0 5 bytes JMP 0000000077960410 .text C:\Windows\system32\services.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077801de0 5 bytes JMP 0000000077960240 .text C:\Windows\system32\services.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778020a0 5 bytes JMP 00000000779601e0 .text C:\Windows\system32\services.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077802160 5 bytes JMP 0000000077960250 .text C:\Windows\system32\services.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077802190 5 bytes JMP 0000000077960490 .text C:\Windows\system32\services.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778021a0 5 bytes JMP 00000000779604a0 .text C:\Windows\system32\services.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778021d0 5 bytes JMP 0000000077960300 .text C:\Windows\system32\services.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778021e0 5 bytes JMP 0000000077960360 .text C:\Windows\system32\services.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077802240 5 bytes JMP 00000000779602a0 .text C:\Windows\system32\services.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077802290 5 bytes JMP 00000000779602c0 .text C:\Windows\system32\services.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000778022c0 5 bytes JMP 0000000077960380 .text C:\Windows\system32\services.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778022d0 5 bytes JMP 0000000077960340 .text C:\Windows\system32\services.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000778025c0 5 bytes JMP 0000000077960440 .text C:\Windows\system32\services.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778027c0 5 bytes JMP 0000000077960260 .text C:\Windows\system32\services.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778027d0 5 bytes JMP 0000000077960270 .text C:\Windows\system32\services.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778027e0 5 bytes JMP 0000000077960400 .text C:\Windows\system32\services.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778029a0 5 bytes JMP 00000000779601f0 .text C:\Windows\system32\services.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778029b0 5 bytes JMP 0000000077960210 .text C:\Windows\system32\services.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077802a20 5 bytes JMP 0000000077960200 .text C:\Windows\system32\services.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077802a80 5 bytes JMP 0000000077960420 .text C:\Windows\system32\services.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077802a90 5 bytes JMP 0000000077960430 .text C:\Windows\system32\services.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077802aa0 5 bytes JMP 0000000077960220 .text C:\Windows\system32\services.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077802b80 5 bytes JMP 0000000077960280 .text C:\Windows\system32\services.exe[648] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000776eeecd 1 byte [62] .text C:\Windows\system32\lsass.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077801360 5 bytes JMP 0000000077960460 .text C:\Windows\system32\lsass.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000778013b0 5 bytes JMP 0000000077960450 .text C:\Windows\system32\lsass.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077801510 5 bytes JMP 0000000077960370 .text C:\Windows\system32\lsass.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077801560 5 bytes JMP 0000000077960470 .text C:\Windows\system32\lsass.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077801570 5 bytes JMP 00000000779603e0 .text C:\Windows\system32\lsass.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077801620 5 bytes JMP 0000000077960320 .text C:\Windows\system32\lsass.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077801650 5 bytes JMP 00000000779603b0 .text C:\Windows\system32\lsass.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077801670 5 bytes JMP 0000000077960390 .text C:\Windows\system32\lsass.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778016b0 5 bytes JMP 00000000779602e0 .text C:\Windows\system32\lsass.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077801730 5 bytes JMP 00000000779602d0 .text C:\Windows\system32\lsass.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077801750 5 bytes JMP 0000000077960310 .text C:\Windows\system32\lsass.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077801790 5 bytes JMP 00000000779603c0 .text C:\Windows\system32\lsass.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778017e0 5 bytes JMP 00000000779603f0 .text C:\Windows\system32\lsass.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077801940 5 bytes JMP 0000000077960230 .text C:\Windows\system32\lsass.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077801b00 5 bytes JMP 0000000077960480 .text C:\Windows\system32\lsass.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077801b30 5 bytes JMP 00000000779603a0 .text C:\Windows\system32\lsass.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077801c10 5 bytes JMP 00000000779602f0 .text C:\Windows\system32\lsass.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077801c20 5 bytes JMP 0000000077960350 .text C:\Windows\system32\lsass.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077801c80 5 bytes JMP 0000000077960290 .text C:\Windows\system32\lsass.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077801d10 5 bytes JMP 00000000779602b0 .text C:\Windows\system32\lsass.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077801d30 5 bytes JMP 00000000779603d0 .text C:\Windows\system32\lsass.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077801d40 5 bytes JMP 0000000077960330 .text C:\Windows\system32\lsass.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077801db0 5 bytes JMP 0000000077960410 .text C:\Windows\system32\lsass.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077801de0 5 bytes JMP 0000000077960240 .text C:\Windows\system32\lsass.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778020a0 5 bytes JMP 00000000779601e0 .text C:\Windows\system32\lsass.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077802160 5 bytes JMP 0000000077960250 .text C:\Windows\system32\lsass.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077802190 5 bytes JMP 0000000077960490 .text C:\Windows\system32\lsass.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778021a0 5 bytes JMP 00000000779604a0 .text C:\Windows\system32\lsass.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778021d0 5 bytes JMP 0000000077960300 .text C:\Windows\system32\lsass.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778021e0 5 bytes JMP 0000000077960360 .text C:\Windows\system32\lsass.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077802240 5 bytes JMP 00000000779602a0 .text C:\Windows\system32\lsass.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077802290 5 bytes JMP 00000000779602c0 .text C:\Windows\system32\lsass.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000778022c0 5 bytes JMP 0000000077960380 .text C:\Windows\system32\lsass.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778022d0 5 bytes JMP 0000000077960340 .text C:\Windows\system32\lsass.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000778025c0 5 bytes JMP 0000000077960440 .text C:\Windows\system32\lsass.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778027c0 5 bytes JMP 0000000077960260 .text C:\Windows\system32\lsass.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778027d0 5 bytes JMP 0000000077960270 .text C:\Windows\system32\lsass.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778027e0 5 bytes JMP 0000000077960400 .text C:\Windows\system32\lsass.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778029a0 5 bytes JMP 00000000779601f0 .text C:\Windows\system32\lsass.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778029b0 5 bytes JMP 0000000077960210 .text C:\Windows\system32\lsass.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077802a20 5 bytes JMP 0000000077960200 .text C:\Windows\system32\lsass.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077802a80 5 bytes JMP 0000000077960420 .text C:\Windows\system32\lsass.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077802a90 5 bytes JMP 0000000077960430 .text C:\Windows\system32\lsass.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077802aa0 5 bytes JMP 0000000077960220 .text C:\Windows\system32\lsass.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077802b80 5 bytes JMP 0000000077960280 .text C:\Windows\system32\lsm.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077801360 5 bytes JMP 0000000077960460 .text C:\Windows\system32\lsm.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000778013b0 5 bytes JMP 0000000077960450 .text C:\Windows\system32\lsm.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077801510 5 bytes JMP 0000000077960370 .text C:\Windows\system32\lsm.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077801560 5 bytes JMP 0000000077960470 .text C:\Windows\system32\lsm.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077801570 5 bytes JMP 00000000779603e0 .text C:\Windows\system32\lsm.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077801620 5 bytes JMP 0000000077960320 .text C:\Windows\system32\lsm.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077801650 5 bytes JMP 00000000779603b0 .text C:\Windows\system32\lsm.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077801670 5 bytes JMP 0000000077960390 .text C:\Windows\system32\lsm.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778016b0 5 bytes JMP 00000000779602e0 .text C:\Windows\system32\lsm.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077801730 5 bytes JMP 00000000779602d0 .text C:\Windows\system32\lsm.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077801750 5 bytes JMP 0000000077960310 .text C:\Windows\system32\lsm.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077801790 5 bytes JMP 00000000779603c0 .text C:\Windows\system32\lsm.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778017e0 5 bytes JMP 00000000779603f0 .text C:\Windows\system32\lsm.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077801940 5 bytes JMP 0000000077960230 .text C:\Windows\system32\lsm.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077801b00 5 bytes JMP 0000000077960480 .text C:\Windows\system32\lsm.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077801b30 5 bytes JMP 00000000779603a0 .text C:\Windows\system32\lsm.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077801c10 5 bytes JMP 00000000779602f0 .text C:\Windows\system32\lsm.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077801c20 5 bytes JMP 0000000077960350 .text C:\Windows\system32\lsm.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077801c80 5 bytes JMP 0000000077960290 .text C:\Windows\system32\lsm.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077801d10 5 bytes JMP 00000000779602b0 .text C:\Windows\system32\lsm.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077801d30 5 bytes JMP 00000000779603d0 .text C:\Windows\system32\lsm.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077801d40 5 bytes JMP 0000000077960330 .text C:\Windows\system32\lsm.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077801db0 5 bytes JMP 0000000077960410 .text C:\Windows\system32\lsm.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077801de0 5 bytes JMP 0000000077960240 .text C:\Windows\system32\lsm.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778020a0 5 bytes JMP 00000000779601e0 .text C:\Windows\system32\lsm.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077802160 5 bytes JMP 0000000077960250 .text C:\Windows\system32\lsm.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077802190 5 bytes JMP 0000000077960490 .text C:\Windows\system32\lsm.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778021a0 5 bytes JMP 00000000779604a0 .text C:\Windows\system32\lsm.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778021d0 5 bytes JMP 0000000077960300 .text C:\Windows\system32\lsm.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778021e0 5 bytes JMP 0000000077960360 .text C:\Windows\system32\lsm.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077802240 5 bytes JMP 00000000779602a0 .text C:\Windows\system32\lsm.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077802290 5 bytes JMP 00000000779602c0 .text C:\Windows\system32\lsm.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000778022c0 5 bytes JMP 0000000077960380 .text C:\Windows\system32\lsm.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778022d0 5 bytes JMP 0000000077960340 .text C:\Windows\system32\lsm.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000778025c0 5 bytes JMP 0000000077960440 .text C:\Windows\system32\lsm.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778027c0 5 bytes JMP 0000000077960260 .text C:\Windows\system32\lsm.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778027d0 5 bytes JMP 0000000077960270 .text C:\Windows\system32\lsm.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778027e0 5 bytes JMP 0000000077960400 .text C:\Windows\system32\lsm.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778029a0 5 bytes JMP 00000000779601f0 .text C:\Windows\system32\lsm.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778029b0 5 bytes JMP 0000000077960210 .text C:\Windows\system32\lsm.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077802a20 5 bytes JMP 0000000077960200 .text C:\Windows\system32\lsm.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077802a80 5 bytes JMP 0000000077960420 .text C:\Windows\system32\lsm.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077802a90 5 bytes JMP 0000000077960430 .text C:\Windows\system32\lsm.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077802aa0 5 bytes JMP 0000000077960220 .text C:\Windows\system32\lsm.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077802b80 5 bytes JMP 0000000077960280 .text C:\Windows\system32\svchost.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077801360 5 bytes JMP 0000000077960460 .text C:\Windows\system32\svchost.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000778013b0 5 bytes JMP 0000000077960450 .text C:\Windows\system32\svchost.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077801510 5 bytes JMP 0000000077960370 .text C:\Windows\system32\svchost.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077801560 5 bytes JMP 0000000077960470 .text C:\Windows\system32\svchost.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077801570 5 bytes JMP 00000000779603e0 .text C:\Windows\system32\svchost.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077801620 5 bytes JMP 0000000077960320 .text C:\Windows\system32\svchost.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077801650 5 bytes JMP 00000000779603b0 .text C:\Windows\system32\svchost.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077801670 5 bytes JMP 0000000077960390 .text C:\Windows\system32\svchost.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778016b0 5 bytes JMP 00000000779602e0 .text C:\Windows\system32\svchost.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077801730 5 bytes JMP 00000000779602d0 .text C:\Windows\system32\svchost.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077801750 5 bytes JMP 0000000077960310 .text C:\Windows\system32\svchost.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077801790 5 bytes JMP 00000000779603c0 .text C:\Windows\system32\svchost.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778017e0 5 bytes JMP 00000000779603f0 .text C:\Windows\system32\svchost.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077801940 5 bytes JMP 0000000077960230 .text C:\Windows\system32\svchost.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077801b00 5 bytes JMP 0000000077960480 .text C:\Windows\system32\svchost.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077801b30 5 bytes JMP 00000000779603a0 .text C:\Windows\system32\svchost.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077801c10 5 bytes JMP 00000000779602f0 .text C:\Windows\system32\svchost.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077801c20 5 bytes JMP 0000000077960350 .text C:\Windows\system32\svchost.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077801c80 5 bytes JMP 0000000077960290 .text C:\Windows\system32\svchost.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077801d10 5 bytes JMP 00000000779602b0 .text C:\Windows\system32\svchost.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077801d30 5 bytes JMP 00000000779603d0 .text C:\Windows\system32\svchost.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077801d40 5 bytes JMP 0000000077960330 .text C:\Windows\system32\svchost.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077801db0 5 bytes JMP 0000000077960410 .text C:\Windows\system32\svchost.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077801de0 5 bytes JMP 0000000077960240 .text C:\Windows\system32\svchost.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778020a0 5 bytes JMP 00000000779601e0 .text C:\Windows\system32\svchost.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077802160 5 bytes JMP 0000000077960250 .text C:\Windows\system32\svchost.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077802190 5 bytes JMP 0000000077960490 .text C:\Windows\system32\svchost.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778021a0 5 bytes JMP 00000000779604a0 .text C:\Windows\system32\svchost.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778021d0 5 bytes JMP 0000000077960300 .text C:\Windows\system32\svchost.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778021e0 5 bytes JMP 0000000077960360 .text C:\Windows\system32\svchost.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077802240 5 bytes JMP 00000000779602a0 .text C:\Windows\system32\svchost.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077802290 5 bytes JMP 00000000779602c0 .text C:\Windows\system32\svchost.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000778022c0 5 bytes JMP 0000000077960380 .text C:\Windows\system32\svchost.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778022d0 5 bytes JMP 0000000077960340 .text C:\Windows\system32\svchost.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000778025c0 5 bytes JMP 0000000077960440 .text C:\Windows\system32\svchost.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778027c0 5 bytes JMP 0000000077960260 .text C:\Windows\system32\svchost.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778027d0 5 bytes JMP 0000000077960270 .text C:\Windows\system32\svchost.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778027e0 5 bytes JMP 0000000077960400 .text C:\Windows\system32\svchost.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778029a0 5 bytes JMP 00000000779601f0 .text C:\Windows\system32\svchost.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778029b0 5 bytes JMP 0000000077960210 .text C:\Windows\system32\svchost.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077802a20 5 bytes JMP 0000000077960200 .text C:\Windows\system32\svchost.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077802a80 5 bytes JMP 0000000077960420 .text C:\Windows\system32\svchost.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077802a90 5 bytes JMP 0000000077960430 .text C:\Windows\system32\svchost.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077802aa0 5 bytes JMP 0000000077960220 .text C:\Windows\system32\svchost.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077802b80 5 bytes JMP 0000000077960280 .text C:\Windows\system32\svchost.exe[764] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000776eeecd 1 byte [62] .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077801360 5 bytes JMP 0000000077960460 .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000778013b0 5 bytes JMP 0000000077960450 .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077801510 5 bytes JMP 0000000077960370 .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077801560 5 bytes JMP 0000000077960470 .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077801570 5 bytes JMP 00000000779603e0 .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077801620 5 bytes JMP 0000000077960320 .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077801650 5 bytes JMP 00000000779603b0 .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077801670 5 bytes JMP 0000000077960390 .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778016b0 5 bytes JMP 00000000779602e0 .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077801730 5 bytes JMP 00000000779602d0 .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077801750 5 bytes JMP 0000000077960310 .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077801790 5 bytes JMP 00000000779603c0 .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778017e0 5 bytes JMP 00000000779603f0 .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077801940 5 bytes JMP 0000000077960230 .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077801b00 5 bytes JMP 0000000077960480 .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077801b30 5 bytes JMP 00000000779603a0 .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077801c10 5 bytes JMP 00000000779602f0 .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077801c20 5 bytes JMP 0000000077960350 .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077801c80 5 bytes JMP 0000000077960290 .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077801d10 5 bytes JMP 00000000779602b0 .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077801d30 5 bytes JMP 00000000779603d0 .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077801d40 5 bytes JMP 0000000077960330 .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077801db0 5 bytes JMP 0000000077960410 .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077801de0 5 bytes JMP 0000000077960240 .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778020a0 5 bytes JMP 00000000779601e0 .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077802160 5 bytes JMP 0000000077960250 .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077802190 5 bytes JMP 0000000077960490 .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778021a0 5 bytes JMP 00000000779604a0 .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778021d0 5 bytes JMP 0000000077960300 .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778021e0 5 bytes JMP 0000000077960360 .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077802240 5 bytes JMP 00000000779602a0 .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077802290 5 bytes JMP 00000000779602c0 .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000778022c0 5 bytes JMP 0000000077960380 .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778022d0 5 bytes JMP 0000000077960340 .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000778025c0 5 bytes JMP 0000000077960440 .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778027c0 5 bytes JMP 0000000077960260 .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778027d0 5 bytes JMP 0000000077960270 .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778027e0 5 bytes JMP 0000000077960400 .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778029a0 5 bytes JMP 00000000779601f0 .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778029b0 5 bytes JMP 0000000077960210 .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077802a20 5 bytes JMP 0000000077960200 .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077802a80 5 bytes JMP 0000000077960420 .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077802a90 5 bytes JMP 0000000077960430 .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077802aa0 5 bytes JMP 0000000077960220 .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077802b80 5 bytes JMP 0000000077960280 .text C:\Windows\system32\svchost.exe[864] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000776eeecd 1 byte [62] .text C:\Windows\system32\atiesrxx.exe[944] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000776eeecd 1 byte [62] .text C:\Windows\System32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077801360 5 bytes JMP 0000000077960460 .text C:\Windows\System32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000778013b0 5 bytes JMP 0000000077960450 .text C:\Windows\System32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077801510 5 bytes JMP 0000000077960370 .text C:\Windows\System32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077801560 5 bytes JMP 0000000077960470 .text C:\Windows\System32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077801570 5 bytes JMP 00000000779603e0 .text C:\Windows\System32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077801620 5 bytes JMP 0000000077960320 .text C:\Windows\System32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077801650 5 bytes JMP 00000000779603b0 .text C:\Windows\System32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077801670 5 bytes JMP 0000000077960390 .text C:\Windows\System32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778016b0 5 bytes JMP 00000000779602e0 .text C:\Windows\System32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077801730 5 bytes JMP 00000000779602d0 .text C:\Windows\System32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077801750 5 bytes JMP 0000000077960310 .text C:\Windows\System32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077801790 5 bytes JMP 00000000779603c0 .text C:\Windows\System32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778017e0 5 bytes JMP 00000000779603f0 .text C:\Windows\System32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077801940 5 bytes JMP 0000000077960230 .text C:\Windows\System32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077801b00 5 bytes JMP 0000000077960480 .text C:\Windows\System32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077801b30 5 bytes JMP 00000000779603a0 .text C:\Windows\System32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077801c10 5 bytes JMP 00000000779602f0 .text C:\Windows\System32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077801c20 5 bytes JMP 0000000077960350 .text C:\Windows\System32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077801c80 5 bytes JMP 0000000077960290 .text C:\Windows\System32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077801d10 5 bytes JMP 00000000779602b0 .text C:\Windows\System32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077801d30 5 bytes JMP 00000000779603d0 .text C:\Windows\System32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077801d40 5 bytes JMP 0000000077960330 .text C:\Windows\System32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077801db0 5 bytes JMP 0000000077960410 .text C:\Windows\System32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077801de0 5 bytes JMP 0000000077960240 .text C:\Windows\System32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778020a0 5 bytes JMP 00000000779601e0 .text C:\Windows\System32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077802160 5 bytes JMP 0000000077960250 .text C:\Windows\System32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077802190 5 bytes JMP 0000000077960490 .text C:\Windows\System32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778021a0 5 bytes JMP 00000000779604a0 .text C:\Windows\System32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778021d0 5 bytes JMP 0000000077960300 .text C:\Windows\System32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778021e0 5 bytes JMP 0000000077960360 .text C:\Windows\System32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077802240 5 bytes JMP 00000000779602a0 .text C:\Windows\System32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077802290 5 bytes JMP 00000000779602c0 .text C:\Windows\System32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000778022c0 5 bytes JMP 0000000077960380 .text C:\Windows\System32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778022d0 5 bytes JMP 0000000077960340 .text C:\Windows\System32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000778025c0 5 bytes JMP 0000000077960440 .text C:\Windows\System32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778027c0 5 bytes JMP 0000000077960260 .text C:\Windows\System32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778027d0 5 bytes JMP 0000000077960270 .text C:\Windows\System32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778027e0 5 bytes JMP 0000000077960400 .text C:\Windows\System32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778029a0 5 bytes JMP 00000000779601f0 .text C:\Windows\System32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778029b0 5 bytes JMP 0000000077960210 .text C:\Windows\System32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077802a20 5 bytes JMP 0000000077960200 .text C:\Windows\System32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077802a80 5 bytes JMP 0000000077960420 .text C:\Windows\System32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077802a90 5 bytes JMP 0000000077960430 .text C:\Windows\System32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077802aa0 5 bytes JMP 0000000077960220 .text C:\Windows\System32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077802b80 5 bytes JMP 0000000077960280 .text C:\Windows\System32\svchost.exe[992] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000776eeecd 1 byte [62] .text C:\Windows\System32\svchost.exe[112] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077801360 5 bytes JMP 0000000077960460 .text C:\Windows\System32\svchost.exe[112] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000778013b0 5 bytes JMP 0000000077960450 .text C:\Windows\System32\svchost.exe[112] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077801510 5 bytes JMP 0000000077960370 .text C:\Windows\System32\svchost.exe[112] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077801560 5 bytes JMP 0000000077960470 .text C:\Windows\System32\svchost.exe[112] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077801570 5 bytes JMP 00000000779603e0 .text C:\Windows\System32\svchost.exe[112] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077801620 5 bytes JMP 0000000077960320 .text C:\Windows\System32\svchost.exe[112] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077801650 5 bytes JMP 00000000779603b0 .text C:\Windows\System32\svchost.exe[112] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077801670 5 bytes JMP 0000000077960390 .text C:\Windows\System32\svchost.exe[112] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778016b0 5 bytes JMP 00000000779602e0 .text C:\Windows\System32\svchost.exe[112] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077801730 5 bytes JMP 00000000779602d0 .text C:\Windows\System32\svchost.exe[112] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077801750 5 bytes JMP 0000000077960310 .text C:\Windows\System32\svchost.exe[112] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077801790 5 bytes JMP 00000000779603c0 .text C:\Windows\System32\svchost.exe[112] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778017e0 5 bytes JMP 00000000779603f0 .text C:\Windows\System32\svchost.exe[112] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077801940 5 bytes JMP 0000000077960230 .text C:\Windows\System32\svchost.exe[112] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077801b00 5 bytes JMP 0000000077960480 .text C:\Windows\System32\svchost.exe[112] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077801b30 5 bytes JMP 00000000779603a0 .text C:\Windows\System32\svchost.exe[112] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077801c10 5 bytes JMP 00000000779602f0 .text C:\Windows\System32\svchost.exe[112] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077801c20 5 bytes JMP 0000000077960350 .text C:\Windows\System32\svchost.exe[112] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077801c80 5 bytes JMP 0000000077960290 .text C:\Windows\System32\svchost.exe[112] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077801d10 5 bytes JMP 00000000779602b0 .text C:\Windows\System32\svchost.exe[112] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077801d30 5 bytes JMP 00000000779603d0 .text C:\Windows\System32\svchost.exe[112] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077801d40 5 bytes JMP 0000000077960330 .text C:\Windows\System32\svchost.exe[112] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077801db0 5 bytes JMP 0000000077960410 .text C:\Windows\System32\svchost.exe[112] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077801de0 5 bytes JMP 0000000077960240 .text C:\Windows\System32\svchost.exe[112] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778020a0 5 bytes JMP 00000000779601e0 .text C:\Windows\System32\svchost.exe[112] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077802160 5 bytes JMP 0000000077960250 .text C:\Windows\System32\svchost.exe[112] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077802190 5 bytes JMP 0000000077960490 .text C:\Windows\System32\svchost.exe[112] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778021a0 5 bytes JMP 00000000779604a0 .text C:\Windows\System32\svchost.exe[112] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778021d0 5 bytes JMP 0000000077960300 .text C:\Windows\System32\svchost.exe[112] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778021e0 5 bytes JMP 0000000077960360 .text C:\Windows\System32\svchost.exe[112] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077802240 5 bytes JMP 00000000779602a0 .text C:\Windows\System32\svchost.exe[112] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077802290 5 bytes JMP 00000000779602c0 .text C:\Windows\System32\svchost.exe[112] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000778022c0 5 bytes JMP 0000000077960380 .text C:\Windows\System32\svchost.exe[112] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778022d0 5 bytes JMP 0000000077960340 .text C:\Windows\System32\svchost.exe[112] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000778025c0 5 bytes JMP 0000000077960440 .text C:\Windows\System32\svchost.exe[112] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778027c0 5 bytes JMP 0000000077960260 .text C:\Windows\System32\svchost.exe[112] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778027d0 5 bytes JMP 0000000077960270 .text C:\Windows\System32\svchost.exe[112] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778027e0 5 bytes JMP 0000000077960400 .text C:\Windows\System32\svchost.exe[112] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778029a0 5 bytes JMP 00000000779601f0 .text C:\Windows\System32\svchost.exe[112] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778029b0 5 bytes JMP 0000000077960210 .text C:\Windows\System32\svchost.exe[112] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077802a20 5 bytes JMP 0000000077960200 .text C:\Windows\System32\svchost.exe[112] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077802a80 5 bytes JMP 0000000077960420 .text C:\Windows\System32\svchost.exe[112] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077802a90 5 bytes JMP 0000000077960430 .text C:\Windows\System32\svchost.exe[112] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077802aa0 5 bytes JMP 0000000077960220 .text C:\Windows\System32\svchost.exe[112] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077802b80 5 bytes JMP 0000000077960280 .text C:\Windows\System32\svchost.exe[112] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000776eeecd 1 byte [62] .text C:\Windows\system32\svchost.exe[352] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000776eeecd 1 byte [62] .text C:\Windows\system32\svchost.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077801360 5 bytes JMP 0000000077960460 .text C:\Windows\system32\svchost.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000778013b0 5 bytes JMP 0000000077960450 .text C:\Windows\system32\svchost.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077801510 5 bytes JMP 0000000077960370 .text C:\Windows\system32\svchost.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077801560 5 bytes JMP 0000000077960470 .text C:\Windows\system32\svchost.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077801570 5 bytes JMP 00000000779603e0 .text C:\Windows\system32\svchost.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077801620 5 bytes JMP 0000000077960320 .text C:\Windows\system32\svchost.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077801650 5 bytes JMP 00000000779603b0 .text C:\Windows\system32\svchost.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077801670 5 bytes JMP 0000000077960390 .text C:\Windows\system32\svchost.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778016b0 5 bytes JMP 00000000779602e0 .text C:\Windows\system32\svchost.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077801730 5 bytes JMP 00000000779602d0 .text C:\Windows\system32\svchost.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077801750 5 bytes JMP 0000000077960310 .text C:\Windows\system32\svchost.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077801790 5 bytes JMP 00000000779603c0 .text C:\Windows\system32\svchost.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778017e0 5 bytes JMP 00000000779603f0 .text C:\Windows\system32\svchost.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077801940 5 bytes JMP 0000000077960230 .text C:\Windows\system32\svchost.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077801b00 5 bytes JMP 0000000077960480 .text C:\Windows\system32\svchost.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077801b30 5 bytes JMP 00000000779603a0 .text C:\Windows\system32\svchost.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077801c10 5 bytes JMP 00000000779602f0 .text C:\Windows\system32\svchost.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077801c20 5 bytes JMP 0000000077960350 .text C:\Windows\system32\svchost.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077801c80 5 bytes JMP 0000000077960290 .text C:\Windows\system32\svchost.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077801d10 5 bytes JMP 00000000779602b0 .text C:\Windows\system32\svchost.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077801d30 5 bytes JMP 00000000779603d0 .text C:\Windows\system32\svchost.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077801d40 5 bytes JMP 0000000077960330 .text C:\Windows\system32\svchost.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077801db0 5 bytes JMP 0000000077960410 .text C:\Windows\system32\svchost.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077801de0 5 bytes JMP 0000000077960240 .text C:\Windows\system32\svchost.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778020a0 5 bytes JMP 00000000779601e0 .text C:\Windows\system32\svchost.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077802160 5 bytes JMP 0000000077960250 .text C:\Windows\system32\svchost.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077802190 5 bytes JMP 0000000077960490 .text C:\Windows\system32\svchost.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778021a0 5 bytes JMP 00000000779604a0 .text C:\Windows\system32\svchost.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778021d0 5 bytes JMP 0000000077960300 .text C:\Windows\system32\svchost.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778021e0 5 bytes JMP 0000000077960360 .text C:\Windows\system32\svchost.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077802240 5 bytes JMP 00000000779602a0 .text C:\Windows\system32\svchost.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077802290 5 bytes JMP 00000000779602c0 .text C:\Windows\system32\svchost.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000778022c0 5 bytes JMP 0000000077960380 .text C:\Windows\system32\svchost.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778022d0 5 bytes JMP 0000000077960340 .text C:\Windows\system32\svchost.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000778025c0 5 bytes JMP 0000000077960440 .text C:\Windows\system32\svchost.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778027c0 5 bytes JMP 0000000077960260 .text C:\Windows\system32\svchost.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778027d0 5 bytes JMP 0000000077960270 .text C:\Windows\system32\svchost.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778027e0 5 bytes JMP 0000000077960400 .text C:\Windows\system32\svchost.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778029a0 5 bytes JMP 00000000779601f0 .text C:\Windows\system32\svchost.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778029b0 5 bytes JMP 0000000077960210 .text C:\Windows\system32\svchost.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077802a20 5 bytes JMP 0000000077960200 .text C:\Windows\system32\svchost.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077802a80 5 bytes JMP 0000000077960420 .text C:\Windows\system32\svchost.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077802a90 5 bytes JMP 0000000077960430 .text C:\Windows\system32\svchost.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077802aa0 5 bytes JMP 0000000077960220 .text C:\Windows\system32\svchost.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077802b80 5 bytes JMP 0000000077960280 .text C:\Windows\system32\svchost.exe[472] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000776eeecd 1 byte [62] .text C:\Windows\system32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077801360 5 bytes JMP 0000000077960460 .text C:\Windows\system32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000778013b0 5 bytes JMP 0000000077960450 .text C:\Windows\system32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077801510 5 bytes JMP 0000000077960370 .text C:\Windows\system32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077801560 5 bytes JMP 0000000077960470 .text C:\Windows\system32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077801570 5 bytes JMP 00000000779603e0 .text C:\Windows\system32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077801620 5 bytes JMP 0000000077960320 .text C:\Windows\system32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077801650 5 bytes JMP 00000000779603b0 .text C:\Windows\system32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077801670 5 bytes JMP 0000000077960390 .text C:\Windows\system32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778016b0 5 bytes JMP 00000000779602e0 .text C:\Windows\system32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077801730 5 bytes JMP 00000000779602d0 .text C:\Windows\system32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077801750 5 bytes JMP 0000000077960310 .text C:\Windows\system32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077801790 5 bytes JMP 00000000779603c0 .text C:\Windows\system32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778017e0 5 bytes JMP 00000000779603f0 .text C:\Windows\system32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077801940 5 bytes JMP 0000000077960230 .text C:\Windows\system32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077801b00 5 bytes JMP 0000000077960480 .text C:\Windows\system32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077801b30 5 bytes JMP 00000000779603a0 .text C:\Windows\system32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077801c10 5 bytes JMP 00000000779602f0 .text C:\Windows\system32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077801c20 5 bytes JMP 0000000077960350 .text C:\Windows\system32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077801c80 5 bytes JMP 0000000077960290 .text C:\Windows\system32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077801d10 5 bytes JMP 00000000779602b0 .text C:\Windows\system32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077801d30 5 bytes JMP 00000000779603d0 .text C:\Windows\system32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077801d40 5 bytes JMP 0000000077960330 .text C:\Windows\system32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077801db0 5 bytes JMP 0000000077960410 .text C:\Windows\system32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077801de0 5 bytes JMP 0000000077960240 .text C:\Windows\system32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778020a0 5 bytes JMP 00000000779601e0 .text C:\Windows\system32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077802160 5 bytes JMP 0000000077960250 .text C:\Windows\system32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077802190 5 bytes JMP 0000000077960490 .text C:\Windows\system32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778021a0 5 bytes JMP 00000000779604a0 .text C:\Windows\system32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778021d0 5 bytes JMP 0000000077960300 .text C:\Windows\system32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778021e0 5 bytes JMP 0000000077960360 .text C:\Windows\system32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077802240 5 bytes JMP 00000000779602a0 .text C:\Windows\system32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077802290 5 bytes JMP 00000000779602c0 .text C:\Windows\system32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000778022c0 5 bytes JMP 0000000077960380 .text C:\Windows\system32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778022d0 5 bytes JMP 0000000077960340 .text C:\Windows\system32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000778025c0 5 bytes JMP 0000000077960440 .text C:\Windows\system32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778027c0 5 bytes JMP 0000000077960260 .text C:\Windows\system32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778027d0 5 bytes JMP 0000000077960270 .text C:\Windows\system32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778027e0 5 bytes JMP 0000000077960400 .text C:\Windows\system32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778029a0 5 bytes JMP 00000000779601f0 .text C:\Windows\system32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778029b0 5 bytes JMP 0000000077960210 .text C:\Windows\system32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077802a20 5 bytes JMP 0000000077960200 .text C:\Windows\system32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077802a80 5 bytes JMP 0000000077960420 .text C:\Windows\system32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077802a90 5 bytes JMP 0000000077960430 .text C:\Windows\system32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077802aa0 5 bytes JMP 0000000077960220 .text C:\Windows\system32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077802b80 5 bytes JMP 0000000077960280 .text C:\Windows\system32\svchost.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077801360 5 bytes JMP 0000000100070460 .text C:\Windows\system32\svchost.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000778013b0 5 bytes JMP 0000000100070450 .text C:\Windows\system32\svchost.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077801510 5 bytes JMP 0000000100070370 .text C:\Windows\system32\svchost.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077801560 5 bytes JMP 0000000100070470 .text C:\Windows\system32\svchost.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077801570 5 bytes JMP 00000001000703e0 .text C:\Windows\system32\svchost.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077801620 5 bytes JMP 0000000100070320 .text C:\Windows\system32\svchost.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077801650 5 bytes JMP 00000001000703b0 .text C:\Windows\system32\svchost.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077801670 5 bytes JMP 0000000100070390 .text C:\Windows\system32\svchost.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778016b0 5 bytes JMP 00000001000702e0 .text C:\Windows\system32\svchost.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077801730 5 bytes JMP 00000001000702d0 .text C:\Windows\system32\svchost.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077801750 5 bytes JMP 0000000100070310 .text C:\Windows\system32\svchost.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077801790 5 bytes JMP 00000001000703c0 .text C:\Windows\system32\svchost.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778017e0 5 bytes JMP 00000001000703f0 .text C:\Windows\system32\svchost.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077801940 5 bytes JMP 0000000100070230 .text C:\Windows\system32\svchost.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077801b00 5 bytes JMP 0000000100070480 .text C:\Windows\system32\svchost.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077801b30 5 bytes JMP 00000001000703a0 .text C:\Windows\system32\svchost.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077801c10 5 bytes JMP 00000001000702f0 .text C:\Windows\system32\svchost.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077801c20 5 bytes JMP 0000000100070350 .text C:\Windows\system32\svchost.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077801c80 5 bytes JMP 0000000100070290 .text C:\Windows\system32\svchost.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077801d10 5 bytes JMP 00000001000702b0 .text C:\Windows\system32\svchost.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077801d30 5 bytes JMP 00000001000703d0 .text C:\Windows\system32\svchost.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077801d40 5 bytes JMP 0000000100070330 .text C:\Windows\system32\svchost.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077801db0 5 bytes JMP 0000000100070410 .text C:\Windows\system32\svchost.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077801de0 5 bytes JMP 0000000100070240 .text C:\Windows\system32\svchost.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778020a0 5 bytes JMP 00000001000701e0 .text C:\Windows\system32\svchost.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077802160 5 bytes JMP 0000000100070250 .text C:\Windows\system32\svchost.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077802190 5 bytes JMP 0000000100070490 .text C:\Windows\system32\svchost.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778021a0 5 bytes JMP 00000001000704a0 .text C:\Windows\system32\svchost.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778021d0 5 bytes JMP 0000000100070300 .text C:\Windows\system32\svchost.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778021e0 5 bytes JMP 0000000100070360 .text C:\Windows\system32\svchost.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077802240 5 bytes JMP 00000001000702a0 .text C:\Windows\system32\svchost.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077802290 5 bytes JMP 00000001000702c0 .text C:\Windows\system32\svchost.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000778022c0 5 bytes JMP 0000000100070380 .text C:\Windows\system32\svchost.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778022d0 5 bytes JMP 0000000100070340 .text C:\Windows\system32\svchost.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000778025c0 5 bytes JMP 0000000100070440 .text C:\Windows\system32\svchost.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778027c0 5 bytes JMP 0000000100070260 .text C:\Windows\system32\svchost.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778027d0 5 bytes JMP 0000000100070270 .text C:\Windows\system32\svchost.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778027e0 5 bytes JMP 0000000100070400 .text C:\Windows\system32\svchost.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778029a0 5 bytes JMP 00000001000701f0 .text C:\Windows\system32\svchost.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778029b0 5 bytes JMP 0000000100070210 .text C:\Windows\system32\svchost.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077802a20 5 bytes JMP 0000000100070200 .text C:\Windows\system32\svchost.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077802a80 5 bytes JMP 0000000100070420 .text C:\Windows\system32\svchost.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077802a90 5 bytes JMP 0000000100070430 .text C:\Windows\system32\svchost.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077802aa0 5 bytes JMP 0000000100070220 .text C:\Windows\system32\svchost.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077802b80 5 bytes JMP 0000000100070280 .text C:\Windows\system32\svchost.exe[1192] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000776eeecd 1 byte [62] .text C:\Windows\system32\WLANExt.exe[1252] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077801360 5 bytes JMP 0000000077960460 .text C:\Windows\system32\WLANExt.exe[1252] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000778013b0 5 bytes JMP 0000000077960450 .text C:\Windows\system32\WLANExt.exe[1252] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077801510 5 bytes JMP 0000000077960370 .text C:\Windows\system32\WLANExt.exe[1252] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077801560 5 bytes JMP 0000000077960470 .text C:\Windows\system32\WLANExt.exe[1252] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077801570 5 bytes JMP 00000000779603e0 .text C:\Windows\system32\WLANExt.exe[1252] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077801620 5 bytes JMP 0000000077960320 .text C:\Windows\system32\WLANExt.exe[1252] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077801650 5 bytes JMP 00000000779603b0 .text C:\Windows\system32\WLANExt.exe[1252] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077801670 5 bytes JMP 0000000077960390 .text C:\Windows\system32\WLANExt.exe[1252] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778016b0 5 bytes JMP 00000000779602e0 .text C:\Windows\system32\WLANExt.exe[1252] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077801730 5 bytes JMP 00000000779602d0 .text C:\Windows\system32\WLANExt.exe[1252] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077801750 5 bytes JMP 0000000077960310 .text C:\Windows\system32\WLANExt.exe[1252] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077801790 5 bytes JMP 00000000779603c0 .text C:\Windows\system32\WLANExt.exe[1252] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778017e0 5 bytes JMP 00000000779603f0 .text C:\Windows\system32\WLANExt.exe[1252] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077801940 5 bytes JMP 0000000077960230 .text C:\Windows\system32\WLANExt.exe[1252] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077801b00 5 bytes JMP 0000000077960480 .text C:\Windows\system32\WLANExt.exe[1252] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077801b30 5 bytes JMP 00000000779603a0 .text C:\Windows\system32\WLANExt.exe[1252] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077801c10 5 bytes JMP 00000000779602f0 .text C:\Windows\system32\WLANExt.exe[1252] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077801c20 5 bytes JMP 0000000077960350 .text C:\Windows\system32\WLANExt.exe[1252] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077801c80 5 bytes JMP 0000000077960290 .text C:\Windows\system32\WLANExt.exe[1252] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077801d10 5 bytes JMP 00000000779602b0 .text C:\Windows\system32\WLANExt.exe[1252] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077801d30 5 bytes JMP 00000000779603d0 .text C:\Windows\system32\WLANExt.exe[1252] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077801d40 5 bytes JMP 0000000077960330 .text C:\Windows\system32\WLANExt.exe[1252] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077801db0 5 bytes JMP 0000000077960410 .text C:\Windows\system32\WLANExt.exe[1252] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077801de0 5 bytes JMP 0000000077960240 .text C:\Windows\system32\WLANExt.exe[1252] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778020a0 5 bytes JMP 00000000779601e0 .text C:\Windows\system32\WLANExt.exe[1252] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077802160 5 bytes JMP 0000000077960250 .text C:\Windows\system32\WLANExt.exe[1252] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077802190 5 bytes JMP 0000000077960490 .text C:\Windows\system32\WLANExt.exe[1252] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778021a0 5 bytes JMP 00000000779604a0 .text C:\Windows\system32\WLANExt.exe[1252] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778021d0 5 bytes JMP 0000000077960300 .text C:\Windows\system32\WLANExt.exe[1252] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778021e0 5 bytes JMP 0000000077960360 .text C:\Windows\system32\WLANExt.exe[1252] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077802240 5 bytes JMP 00000000779602a0 .text C:\Windows\system32\WLANExt.exe[1252] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077802290 5 bytes JMP 00000000779602c0 .text C:\Windows\system32\WLANExt.exe[1252] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000778022c0 5 bytes JMP 0000000077960380 .text C:\Windows\system32\WLANExt.exe[1252] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778022d0 5 bytes JMP 0000000077960340 .text C:\Windows\system32\WLANExt.exe[1252] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000778025c0 5 bytes JMP 0000000077960440 .text C:\Windows\system32\WLANExt.exe[1252] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778027c0 5 bytes JMP 0000000077960260 .text C:\Windows\system32\WLANExt.exe[1252] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778027d0 5 bytes JMP 0000000077960270 .text C:\Windows\system32\WLANExt.exe[1252] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778027e0 5 bytes JMP 0000000077960400 .text C:\Windows\system32\WLANExt.exe[1252] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778029a0 5 bytes JMP 00000000779601f0 .text C:\Windows\system32\WLANExt.exe[1252] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778029b0 5 bytes JMP 0000000077960210 .text C:\Windows\system32\WLANExt.exe[1252] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077802a20 5 bytes JMP 0000000077960200 .text C:\Windows\system32\WLANExt.exe[1252] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077802a80 5 bytes JMP 0000000077960420 .text C:\Windows\system32\WLANExt.exe[1252] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077802a90 5 bytes JMP 0000000077960430 .text C:\Windows\system32\WLANExt.exe[1252] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077802aa0 5 bytes JMP 0000000077960220 .text C:\Windows\system32\WLANExt.exe[1252] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077802b80 5 bytes JMP 0000000077960280 .text C:\Windows\system32\WLANExt.exe[1252] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000776eeecd 1 byte [62] .text C:\Windows\system32\atieclxx.exe[1312] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077801360 5 bytes JMP 0000000077960460 .text C:\Windows\system32\atieclxx.exe[1312] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000778013b0 5 bytes JMP 0000000077960450 .text C:\Windows\system32\atieclxx.exe[1312] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077801510 5 bytes JMP 0000000077960370 .text C:\Windows\system32\atieclxx.exe[1312] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077801560 5 bytes JMP 0000000077960470 .text C:\Windows\system32\atieclxx.exe[1312] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077801570 5 bytes JMP 00000000779603e0 .text C:\Windows\system32\atieclxx.exe[1312] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077801620 5 bytes JMP 0000000077960320 .text C:\Windows\system32\atieclxx.exe[1312] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077801650 5 bytes JMP 00000000779603b0 .text C:\Windows\system32\atieclxx.exe[1312] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077801670 5 bytes JMP 0000000077960390 .text C:\Windows\system32\atieclxx.exe[1312] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778016b0 5 bytes JMP 00000000779602e0 .text C:\Windows\system32\atieclxx.exe[1312] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077801730 5 bytes JMP 00000000779602d0 .text C:\Windows\system32\atieclxx.exe[1312] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077801750 5 bytes JMP 0000000077960310 .text C:\Windows\system32\atieclxx.exe[1312] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077801790 5 bytes JMP 00000000779603c0 .text C:\Windows\system32\atieclxx.exe[1312] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778017e0 5 bytes JMP 00000000779603f0 .text C:\Windows\system32\atieclxx.exe[1312] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077801940 5 bytes JMP 0000000077960230 .text C:\Windows\system32\atieclxx.exe[1312] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077801b00 5 bytes JMP 0000000077960480 .text C:\Windows\system32\atieclxx.exe[1312] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077801b30 5 bytes JMP 00000000779603a0 .text C:\Windows\system32\atieclxx.exe[1312] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077801c10 5 bytes JMP 00000000779602f0 .text C:\Windows\system32\atieclxx.exe[1312] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077801c20 5 bytes JMP 0000000077960350 .text C:\Windows\system32\atieclxx.exe[1312] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077801c80 5 bytes JMP 0000000077960290 .text C:\Windows\system32\atieclxx.exe[1312] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077801d10 5 bytes JMP 00000000779602b0 .text C:\Windows\system32\atieclxx.exe[1312] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077801d30 5 bytes JMP 00000000779603d0 .text C:\Windows\system32\atieclxx.exe[1312] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077801d40 5 bytes JMP 0000000077960330 .text C:\Windows\system32\atieclxx.exe[1312] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077801db0 5 bytes JMP 0000000077960410 .text C:\Windows\system32\atieclxx.exe[1312] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077801de0 5 bytes JMP 0000000077960240 .text C:\Windows\system32\atieclxx.exe[1312] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778020a0 5 bytes JMP 00000000779601e0 .text C:\Windows\system32\atieclxx.exe[1312] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077802160 5 bytes JMP 0000000077960250 .text C:\Windows\system32\atieclxx.exe[1312] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077802190 5 bytes JMP 0000000077960490 .text C:\Windows\system32\atieclxx.exe[1312] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778021a0 5 bytes JMP 00000000779604a0 .text C:\Windows\system32\atieclxx.exe[1312] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778021d0 5 bytes JMP 0000000077960300 .text C:\Windows\system32\atieclxx.exe[1312] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778021e0 5 bytes JMP 0000000077960360 .text C:\Windows\system32\atieclxx.exe[1312] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077802240 5 bytes JMP 00000000779602a0 .text C:\Windows\system32\atieclxx.exe[1312] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077802290 5 bytes JMP 00000000779602c0 .text C:\Windows\system32\atieclxx.exe[1312] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000778022c0 5 bytes JMP 0000000077960380 .text C:\Windows\system32\atieclxx.exe[1312] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778022d0 5 bytes JMP 0000000077960340 .text C:\Windows\system32\atieclxx.exe[1312] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000778025c0 5 bytes JMP 0000000077960440 .text C:\Windows\system32\atieclxx.exe[1312] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778027c0 5 bytes JMP 0000000077960260 .text C:\Windows\system32\atieclxx.exe[1312] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778027d0 5 bytes JMP 0000000077960270 .text C:\Windows\system32\atieclxx.exe[1312] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778027e0 5 bytes JMP 0000000077960400 .text C:\Windows\system32\atieclxx.exe[1312] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778029a0 5 bytes JMP 00000000779601f0 .text C:\Windows\system32\atieclxx.exe[1312] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778029b0 5 bytes JMP 0000000077960210 .text C:\Windows\system32\atieclxx.exe[1312] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077802a20 5 bytes JMP 0000000077960200 .text C:\Windows\system32\atieclxx.exe[1312] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077802a80 5 bytes JMP 0000000077960420 .text C:\Windows\system32\atieclxx.exe[1312] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077802a90 5 bytes JMP 0000000077960430 .text C:\Windows\system32\atieclxx.exe[1312] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077802aa0 5 bytes JMP 0000000077960220 .text C:\Windows\system32\atieclxx.exe[1312] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077802b80 5 bytes JMP 0000000077960280 .text C:\Windows\system32\Dwm.exe[1552] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077801360 5 bytes JMP 0000000077960460 .text C:\Windows\system32\Dwm.exe[1552] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000778013b0 5 bytes JMP 0000000077960450 .text C:\Windows\system32\Dwm.exe[1552] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077801510 5 bytes JMP 0000000077960370 .text C:\Windows\system32\Dwm.exe[1552] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077801560 5 bytes JMP 0000000077960470 .text C:\Windows\system32\Dwm.exe[1552] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077801570 5 bytes JMP 00000000779603e0 .text C:\Windows\system32\Dwm.exe[1552] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077801620 5 bytes JMP 0000000077960320 .text C:\Windows\system32\Dwm.exe[1552] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077801650 5 bytes JMP 00000000779603b0 .text C:\Windows\system32\Dwm.exe[1552] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077801670 5 bytes JMP 0000000077960390 .text C:\Windows\system32\Dwm.exe[1552] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778016b0 5 bytes JMP 00000000779602e0 .text C:\Windows\system32\Dwm.exe[1552] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077801730 5 bytes JMP 00000000779602d0 .text C:\Windows\system32\Dwm.exe[1552] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077801750 5 bytes JMP 0000000077960310 .text C:\Windows\system32\Dwm.exe[1552] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077801790 5 bytes JMP 00000000779603c0 .text C:\Windows\system32\Dwm.exe[1552] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778017e0 5 bytes JMP 00000000779603f0 .text C:\Windows\system32\Dwm.exe[1552] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077801940 5 bytes JMP 0000000077960230 .text C:\Windows\system32\Dwm.exe[1552] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077801b00 5 bytes JMP 0000000077960480 .text C:\Windows\system32\Dwm.exe[1552] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077801b30 5 bytes JMP 00000000779603a0 .text C:\Windows\system32\Dwm.exe[1552] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077801c10 5 bytes JMP 00000000779602f0 .text C:\Windows\system32\Dwm.exe[1552] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077801c20 5 bytes JMP 0000000077960350 .text C:\Windows\system32\Dwm.exe[1552] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077801c80 5 bytes JMP 0000000077960290 .text C:\Windows\system32\Dwm.exe[1552] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077801d10 5 bytes JMP 00000000779602b0 .text C:\Windows\system32\Dwm.exe[1552] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077801d30 5 bytes JMP 00000000779603d0 .text C:\Windows\system32\Dwm.exe[1552] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077801d40 5 bytes JMP 0000000077960330 .text C:\Windows\system32\Dwm.exe[1552] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077801db0 5 bytes JMP 0000000077960410 .text C:\Windows\system32\Dwm.exe[1552] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077801de0 5 bytes JMP 0000000077960240 .text C:\Windows\system32\Dwm.exe[1552] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778020a0 5 bytes JMP 00000000779601e0 .text C:\Windows\system32\Dwm.exe[1552] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077802160 5 bytes JMP 0000000077960250 .text C:\Windows\system32\Dwm.exe[1552] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077802190 5 bytes JMP 0000000077960490 .text C:\Windows\system32\Dwm.exe[1552] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778021a0 5 bytes JMP 00000000779604a0 .text C:\Windows\system32\Dwm.exe[1552] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778021d0 5 bytes JMP 0000000077960300 .text C:\Windows\system32\Dwm.exe[1552] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778021e0 5 bytes JMP 0000000077960360 .text C:\Windows\system32\Dwm.exe[1552] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077802240 5 bytes JMP 00000000779602a0 .text C:\Windows\system32\Dwm.exe[1552] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077802290 5 bytes JMP 00000000779602c0 .text C:\Windows\system32\Dwm.exe[1552] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000778022c0 5 bytes JMP 0000000077960380 .text C:\Windows\system32\Dwm.exe[1552] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778022d0 5 bytes JMP 0000000077960340 .text C:\Windows\system32\Dwm.exe[1552] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000778025c0 5 bytes JMP 0000000077960440 .text C:\Windows\system32\Dwm.exe[1552] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778027c0 5 bytes JMP 0000000077960260 .text C:\Windows\system32\Dwm.exe[1552] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778027d0 5 bytes JMP 0000000077960270 .text C:\Windows\system32\Dwm.exe[1552] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778027e0 5 bytes JMP 0000000077960400 .text C:\Windows\system32\Dwm.exe[1552] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778029a0 5 bytes JMP 00000000779601f0 .text C:\Windows\system32\Dwm.exe[1552] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778029b0 5 bytes JMP 0000000077960210 .text C:\Windows\system32\Dwm.exe[1552] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077802a20 5 bytes JMP 0000000077960200 .text C:\Windows\system32\Dwm.exe[1552] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077802a80 5 bytes JMP 0000000077960420 .text C:\Windows\system32\Dwm.exe[1552] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077802a90 5 bytes JMP 0000000077960430 .text C:\Windows\system32\Dwm.exe[1552] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077802aa0 5 bytes JMP 0000000077960220 .text C:\Windows\system32\Dwm.exe[1552] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077802b80 5 bytes JMP 0000000077960280 .text C:\Windows\system32\Dwm.exe[1552] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000776eeecd 1 byte [62] .text C:\Windows\Explorer.EXE[1560] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077801360 5 bytes JMP 0000000077960460 .text C:\Windows\Explorer.EXE[1560] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000778013b0 5 bytes JMP 0000000077960450 .text C:\Windows\Explorer.EXE[1560] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077801510 5 bytes JMP 0000000077960370 .text C:\Windows\Explorer.EXE[1560] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077801560 5 bytes JMP 0000000077960470 .text C:\Windows\Explorer.EXE[1560] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077801570 5 bytes JMP 00000000779603e0 .text C:\Windows\Explorer.EXE[1560] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077801620 5 bytes JMP 0000000077960320 .text C:\Windows\Explorer.EXE[1560] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077801650 5 bytes JMP 00000000779603b0 .text C:\Windows\Explorer.EXE[1560] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077801670 5 bytes JMP 0000000077960390 .text C:\Windows\Explorer.EXE[1560] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778016b0 5 bytes JMP 00000000779602e0 .text C:\Windows\Explorer.EXE[1560] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077801730 5 bytes JMP 00000000779602d0 .text C:\Windows\Explorer.EXE[1560] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077801750 5 bytes JMP 0000000077960310 .text C:\Windows\Explorer.EXE[1560] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077801790 5 bytes JMP 00000000779603c0 .text C:\Windows\Explorer.EXE[1560] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778017e0 5 bytes JMP 00000000779603f0 .text C:\Windows\Explorer.EXE[1560] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077801940 5 bytes JMP 0000000077960230 .text C:\Windows\Explorer.EXE[1560] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077801b00 5 bytes JMP 0000000077960480 .text C:\Windows\Explorer.EXE[1560] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077801b30 5 bytes JMP 00000000779603a0 .text C:\Windows\Explorer.EXE[1560] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077801c10 5 bytes JMP 00000000779602f0 .text C:\Windows\Explorer.EXE[1560] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077801c20 5 bytes JMP 0000000077960350 .text C:\Windows\Explorer.EXE[1560] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077801c80 5 bytes JMP 0000000077960290 .text C:\Windows\Explorer.EXE[1560] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077801d10 5 bytes JMP 00000000779602b0 .text C:\Windows\Explorer.EXE[1560] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077801d30 5 bytes JMP 00000000779603d0 .text C:\Windows\Explorer.EXE[1560] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077801d40 5 bytes JMP 0000000077960330 .text C:\Windows\Explorer.EXE[1560] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077801db0 5 bytes JMP 0000000077960410 .text C:\Windows\Explorer.EXE[1560] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077801de0 5 bytes JMP 0000000077960240 .text C:\Windows\Explorer.EXE[1560] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778020a0 5 bytes JMP 00000000779601e0 .text C:\Windows\Explorer.EXE[1560] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077802160 5 bytes JMP 0000000077960250 .text C:\Windows\Explorer.EXE[1560] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077802190 5 bytes JMP 0000000077960490 .text C:\Windows\Explorer.EXE[1560] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778021a0 5 bytes JMP 00000000779604a0 .text C:\Windows\Explorer.EXE[1560] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778021d0 5 bytes JMP 0000000077960300 .text C:\Windows\Explorer.EXE[1560] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778021e0 5 bytes JMP 0000000077960360 .text C:\Windows\Explorer.EXE[1560] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077802240 5 bytes JMP 00000000779602a0 .text C:\Windows\Explorer.EXE[1560] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077802290 5 bytes JMP 00000000779602c0 .text C:\Windows\Explorer.EXE[1560] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000778022c0 5 bytes JMP 0000000077960380 .text C:\Windows\Explorer.EXE[1560] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778022d0 5 bytes JMP 0000000077960340 .text C:\Windows\Explorer.EXE[1560] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000778025c0 5 bytes JMP 0000000077960440 .text C:\Windows\Explorer.EXE[1560] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778027c0 5 bytes JMP 0000000077960260 .text C:\Windows\Explorer.EXE[1560] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778027d0 5 bytes JMP 0000000077960270 .text C:\Windows\Explorer.EXE[1560] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778027e0 5 bytes JMP 0000000077960400 .text C:\Windows\Explorer.EXE[1560] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778029a0 5 bytes JMP 00000000779601f0 .text C:\Windows\Explorer.EXE[1560] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778029b0 5 bytes JMP 0000000077960210 .text C:\Windows\Explorer.EXE[1560] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077802a20 5 bytes JMP 0000000077960200 .text C:\Windows\Explorer.EXE[1560] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077802a80 5 bytes JMP 0000000077960420 .text C:\Windows\Explorer.EXE[1560] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077802a90 5 bytes JMP 0000000077960430 .text C:\Windows\Explorer.EXE[1560] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077802aa0 5 bytes JMP 0000000077960220 .text C:\Windows\Explorer.EXE[1560] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077802b80 5 bytes JMP 0000000077960280 .text C:\Windows\Explorer.EXE[1560] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000776eeecd 1 byte [62] .text C:\Windows\System32\spoolsv.exe[1804] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077801360 5 bytes JMP 0000000100070460 .text C:\Windows\System32\spoolsv.exe[1804] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000778013b0 5 bytes JMP 0000000100070450 .text C:\Windows\System32\spoolsv.exe[1804] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077801510 5 bytes JMP 0000000100070370 .text C:\Windows\System32\spoolsv.exe[1804] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077801560 5 bytes JMP 0000000100070470 .text C:\Windows\System32\spoolsv.exe[1804] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077801570 5 bytes JMP 00000001000703e0 .text C:\Windows\System32\spoolsv.exe[1804] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077801620 5 bytes JMP 0000000100070320 .text C:\Windows\System32\spoolsv.exe[1804] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077801650 5 bytes JMP 00000001000703b0 .text C:\Windows\System32\spoolsv.exe[1804] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077801670 5 bytes JMP 0000000100070390 .text C:\Windows\System32\spoolsv.exe[1804] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778016b0 5 bytes JMP 00000001000702e0 .text C:\Windows\System32\spoolsv.exe[1804] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077801730 5 bytes JMP 00000001000702d0 .text C:\Windows\System32\spoolsv.exe[1804] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077801750 5 bytes JMP 0000000100070310 .text C:\Windows\System32\spoolsv.exe[1804] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077801790 5 bytes JMP 00000001000703c0 .text C:\Windows\System32\spoolsv.exe[1804] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778017e0 5 bytes JMP 00000001000703f0 .text C:\Windows\System32\spoolsv.exe[1804] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077801940 5 bytes JMP 0000000100070230 .text C:\Windows\System32\spoolsv.exe[1804] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077801b00 5 bytes JMP 0000000100070480 .text C:\Windows\System32\spoolsv.exe[1804] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077801b30 5 bytes JMP 00000001000703a0 .text C:\Windows\System32\spoolsv.exe[1804] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077801c10 5 bytes JMP 00000001000702f0 .text C:\Windows\System32\spoolsv.exe[1804] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077801c20 5 bytes JMP 0000000100070350 .text C:\Windows\System32\spoolsv.exe[1804] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077801c80 5 bytes JMP 0000000100070290 .text C:\Windows\System32\spoolsv.exe[1804] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077801d10 5 bytes JMP 00000001000702b0 .text C:\Windows\System32\spoolsv.exe[1804] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077801d30 5 bytes JMP 00000001000703d0 .text C:\Windows\System32\spoolsv.exe[1804] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077801d40 5 bytes JMP 0000000100070330 .text C:\Windows\System32\spoolsv.exe[1804] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077801db0 5 bytes JMP 0000000100070410 .text C:\Windows\System32\spoolsv.exe[1804] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077801de0 5 bytes JMP 0000000100070240 .text C:\Windows\System32\spoolsv.exe[1804] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778020a0 5 bytes JMP 00000001000701e0 .text C:\Windows\System32\spoolsv.exe[1804] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077802160 5 bytes JMP 0000000100070250 .text C:\Windows\System32\spoolsv.exe[1804] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077802190 5 bytes JMP 0000000100070490 .text C:\Windows\System32\spoolsv.exe[1804] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778021a0 5 bytes JMP 00000001000704a0 .text C:\Windows\System32\spoolsv.exe[1804] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778021d0 5 bytes JMP 0000000100070300 .text C:\Windows\System32\spoolsv.exe[1804] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778021e0 5 bytes JMP 0000000100070360 .text C:\Windows\System32\spoolsv.exe[1804] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077802240 5 bytes JMP 00000001000702a0 .text C:\Windows\System32\spoolsv.exe[1804] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077802290 5 bytes JMP 00000001000702c0 .text C:\Windows\System32\spoolsv.exe[1804] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000778022c0 5 bytes JMP 0000000100070380 .text C:\Windows\System32\spoolsv.exe[1804] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778022d0 5 bytes JMP 0000000100070340 .text C:\Windows\System32\spoolsv.exe[1804] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000778025c0 5 bytes JMP 0000000100070440 .text C:\Windows\System32\spoolsv.exe[1804] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778027c0 5 bytes JMP 0000000100070260 .text C:\Windows\System32\spoolsv.exe[1804] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778027d0 5 bytes JMP 0000000100070270 .text C:\Windows\System32\spoolsv.exe[1804] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778027e0 5 bytes JMP 0000000100070400 .text C:\Windows\System32\spoolsv.exe[1804] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778029a0 5 bytes JMP 00000001000701f0 .text C:\Windows\System32\spoolsv.exe[1804] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778029b0 5 bytes JMP 0000000100070210 .text C:\Windows\System32\spoolsv.exe[1804] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077802a20 5 bytes JMP 0000000100070200 .text C:\Windows\System32\spoolsv.exe[1804] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077802a80 5 bytes JMP 0000000100070420 .text C:\Windows\System32\spoolsv.exe[1804] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077802a90 5 bytes JMP 0000000100070430 .text C:\Windows\System32\spoolsv.exe[1804] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077802aa0 5 bytes JMP 0000000100070220 .text C:\Windows\System32\spoolsv.exe[1804] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077802b80 5 bytes JMP 0000000100070280 .text C:\Windows\System32\spoolsv.exe[1804] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000776eeecd 1 byte [62] .text C:\Windows\system32\taskhost.exe[1828] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077801360 5 bytes JMP 0000000077960460 .text C:\Windows\system32\taskhost.exe[1828] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000778013b0 5 bytes JMP 0000000077960450 .text C:\Windows\system32\taskhost.exe[1828] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077801510 5 bytes JMP 0000000077960370 .text C:\Windows\system32\taskhost.exe[1828] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077801560 5 bytes JMP 0000000077960470 .text C:\Windows\system32\taskhost.exe[1828] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077801570 5 bytes JMP 00000000779603e0 .text C:\Windows\system32\taskhost.exe[1828] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077801620 5 bytes JMP 0000000077960320 .text C:\Windows\system32\taskhost.exe[1828] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077801650 5 bytes JMP 00000000779603b0 .text C:\Windows\system32\taskhost.exe[1828] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077801670 5 bytes JMP 0000000077960390 .text C:\Windows\system32\taskhost.exe[1828] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778016b0 5 bytes JMP 00000000779602e0 .text C:\Windows\system32\taskhost.exe[1828] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077801730 5 bytes JMP 00000000779602d0 .text C:\Windows\system32\taskhost.exe[1828] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077801750 5 bytes JMP 0000000077960310 .text C:\Windows\system32\taskhost.exe[1828] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077801790 5 bytes JMP 00000000779603c0 .text C:\Windows\system32\taskhost.exe[1828] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778017e0 5 bytes JMP 00000000779603f0 .text C:\Windows\system32\taskhost.exe[1828] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077801940 5 bytes JMP 0000000077960230 .text C:\Windows\system32\taskhost.exe[1828] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077801b00 5 bytes JMP 0000000077960480 .text C:\Windows\system32\taskhost.exe[1828] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077801b30 5 bytes JMP 00000000779603a0 .text C:\Windows\system32\taskhost.exe[1828] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077801c10 5 bytes JMP 00000000779602f0 .text C:\Windows\system32\taskhost.exe[1828] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077801c20 5 bytes JMP 0000000077960350 .text C:\Windows\system32\taskhost.exe[1828] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077801c80 5 bytes JMP 0000000077960290 .text C:\Windows\system32\taskhost.exe[1828] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077801d10 5 bytes JMP 00000000779602b0 .text C:\Windows\system32\taskhost.exe[1828] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077801d30 5 bytes JMP 00000000779603d0 .text C:\Windows\system32\taskhost.exe[1828] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077801d40 5 bytes JMP 0000000077960330 .text C:\Windows\system32\taskhost.exe[1828] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077801db0 5 bytes JMP 0000000077960410 .text C:\Windows\system32\taskhost.exe[1828] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077801de0 5 bytes JMP 0000000077960240 .text C:\Windows\system32\taskhost.exe[1828] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778020a0 5 bytes JMP 00000000779601e0 .text C:\Windows\system32\taskhost.exe[1828] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077802160 5 bytes JMP 0000000077960250 .text C:\Windows\system32\taskhost.exe[1828] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077802190 5 bytes JMP 0000000077960490 .text C:\Windows\system32\taskhost.exe[1828] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778021a0 5 bytes JMP 00000000779604a0 .text C:\Windows\system32\taskhost.exe[1828] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778021d0 5 bytes JMP 0000000077960300 .text C:\Windows\system32\taskhost.exe[1828] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778021e0 5 bytes JMP 0000000077960360 .text C:\Windows\system32\taskhost.exe[1828] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077802240 5 bytes JMP 00000000779602a0 .text C:\Windows\system32\taskhost.exe[1828] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077802290 5 bytes JMP 00000000779602c0 .text C:\Windows\system32\taskhost.exe[1828] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000778022c0 5 bytes JMP 0000000077960380 .text C:\Windows\system32\taskhost.exe[1828] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778022d0 5 bytes JMP 0000000077960340 .text C:\Windows\system32\taskhost.exe[1828] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000778025c0 5 bytes JMP 0000000077960440 .text C:\Windows\system32\taskhost.exe[1828] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778027c0 5 bytes JMP 0000000077960260 .text C:\Windows\system32\taskhost.exe[1828] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778027d0 5 bytes JMP 0000000077960270 .text C:\Windows\system32\taskhost.exe[1828] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778027e0 5 bytes JMP 0000000077960400 .text C:\Windows\system32\taskhost.exe[1828] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778029a0 5 bytes JMP 00000000779601f0 .text C:\Windows\system32\taskhost.exe[1828] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778029b0 5 bytes JMP 0000000077960210 .text C:\Windows\system32\taskhost.exe[1828] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077802a20 5 bytes JMP 0000000077960200 .text C:\Windows\system32\taskhost.exe[1828] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077802a80 5 bytes JMP 0000000077960420 .text C:\Windows\system32\taskhost.exe[1828] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077802a90 5 bytes JMP 0000000077960430 .text C:\Windows\system32\taskhost.exe[1828] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077802aa0 5 bytes JMP 0000000077960220 .text C:\Windows\system32\taskhost.exe[1828] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077802b80 5 bytes JMP 0000000077960280 .text C:\Windows\system32\taskhost.exe[1828] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000776eeecd 1 byte [62] .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077801360 5 bytes JMP 0000000077960460 .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000778013b0 5 bytes JMP 0000000077960450 .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077801510 5 bytes JMP 0000000077960370 .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077801560 5 bytes JMP 0000000077960470 .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077801570 5 bytes JMP 00000000779603e0 .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077801620 5 bytes JMP 0000000077960320 .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077801650 5 bytes JMP 00000000779603b0 .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077801670 5 bytes JMP 0000000077960390 .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778016b0 5 bytes JMP 00000000779602e0 .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077801730 5 bytes JMP 00000000779602d0 .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077801750 5 bytes JMP 0000000077960310 .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077801790 5 bytes JMP 00000000779603c0 .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778017e0 5 bytes JMP 00000000779603f0 .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077801940 5 bytes JMP 0000000077960230 .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077801b00 5 bytes JMP 0000000077960480 .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077801b30 5 bytes JMP 00000000779603a0 .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077801c10 5 bytes JMP 00000000779602f0 .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077801c20 5 bytes JMP 0000000077960350 .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077801c80 5 bytes JMP 0000000077960290 .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077801d10 5 bytes JMP 00000000779602b0 .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077801d30 5 bytes JMP 00000000779603d0 .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077801d40 5 bytes JMP 0000000077960330 .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077801db0 5 bytes JMP 0000000077960410 .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077801de0 5 bytes JMP 0000000077960240 .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778020a0 5 bytes JMP 00000000779601e0 .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077802160 5 bytes JMP 0000000077960250 .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077802190 5 bytes JMP 0000000077960490 .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778021a0 5 bytes JMP 00000000779604a0 .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778021d0 5 bytes JMP 0000000077960300 .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778021e0 5 bytes JMP 0000000077960360 .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077802240 5 bytes JMP 00000000779602a0 .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077802290 5 bytes JMP 00000000779602c0 .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000778022c0 5 bytes JMP 0000000077960380 .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778022d0 5 bytes JMP 0000000077960340 .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000778025c0 5 bytes JMP 0000000077960440 .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778027c0 5 bytes JMP 0000000077960260 .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778027d0 5 bytes JMP 0000000077960270 .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778027e0 5 bytes JMP 0000000077960400 .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778029a0 5 bytes JMP 00000000779601f0 .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778029b0 5 bytes JMP 0000000077960210 .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077802a20 5 bytes JMP 0000000077960200 .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077802a80 5 bytes JMP 0000000077960420 .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077802a90 5 bytes JMP 0000000077960430 .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077802aa0 5 bytes JMP 0000000077960220 .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077802b80 5 bytes JMP 0000000077960280 .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[1412] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000776eeecd 1 byte [62] .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1504] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077801360 5 bytes JMP 0000000077960460 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1504] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000778013b0 5 bytes JMP 0000000077960450 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1504] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077801510 5 bytes JMP 0000000077960370 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1504] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077801560 5 bytes JMP 0000000077960470 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1504] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077801570 5 bytes JMP 00000000779603e0 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1504] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077801620 5 bytes JMP 0000000077960320 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1504] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077801650 5 bytes JMP 00000000779603b0 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1504] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077801670 5 bytes JMP 0000000077960390 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1504] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778016b0 5 bytes JMP 00000000779602e0 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1504] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077801730 5 bytes JMP 00000000779602d0 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1504] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077801750 5 bytes JMP 0000000077960310 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1504] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077801790 5 bytes JMP 00000000779603c0 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1504] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778017e0 5 bytes JMP 00000000779603f0 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1504] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077801940 5 bytes JMP 0000000077960230 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1504] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077801b00 5 bytes JMP 0000000077960480 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1504] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077801b30 5 bytes JMP 00000000779603a0 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1504] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077801c10 5 bytes JMP 00000000779602f0 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1504] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077801c20 5 bytes JMP 0000000077960350 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1504] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077801c80 5 bytes JMP 0000000077960290 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1504] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077801d10 5 bytes JMP 00000000779602b0 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1504] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077801d30 5 bytes JMP 00000000779603d0 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1504] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077801d40 5 bytes JMP 0000000077960330 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1504] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077801db0 5 bytes JMP 0000000077960410 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1504] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077801de0 5 bytes JMP 0000000077960240 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1504] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778020a0 5 bytes JMP 00000000779601e0 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1504] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077802160 5 bytes JMP 0000000077960250 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1504] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077802190 5 bytes JMP 0000000077960490 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1504] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778021a0 5 bytes JMP 00000000779604a0 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1504] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778021d0 5 bytes JMP 0000000077960300 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1504] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778021e0 5 bytes JMP 0000000077960360 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1504] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077802240 5 bytes JMP 00000000779602a0 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1504] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077802290 5 bytes JMP 00000000779602c0 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1504] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000778022c0 5 bytes JMP 0000000077960380 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1504] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778022d0 5 bytes JMP 0000000077960340 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1504] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000778025c0 5 bytes JMP 0000000077960440 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1504] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778027c0 5 bytes JMP 0000000077960260 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1504] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778027d0 5 bytes JMP 0000000077960270 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1504] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778027e0 5 bytes JMP 0000000077960400 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1504] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778029a0 5 bytes JMP 00000000779601f0 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1504] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778029b0 5 bytes JMP 0000000077960210 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1504] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077802a20 5 bytes JMP 0000000077960200 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1504] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077802a80 5 bytes JMP 0000000077960420 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1504] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077802a90 5 bytes JMP 0000000077960430 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1504] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077802aa0 5 bytes JMP 0000000077960220 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1504] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077802b80 5 bytes JMP 0000000077960280 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1504] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000776eeecd 1 byte [62] .text C:\Program Files (x86)\Samsung\Easy Display Manager\dmhkcore.exe[1216] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000076bda30a 1 byte [62] .text C:\ProgramData\DatacardService\DCSHelper.exe[1300] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000076bda30a 1 byte [62] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2096] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077801360 5 bytes JMP 0000000077960460 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2096] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000778013b0 5 bytes JMP 0000000077960450 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2096] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077801510 5 bytes JMP 0000000077960370 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2096] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077801560 5 bytes JMP 0000000077960470 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2096] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077801570 5 bytes JMP 00000000779603e0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2096] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077801620 5 bytes JMP 0000000077960320 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2096] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077801650 5 bytes JMP 00000000779603b0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2096] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077801670 5 bytes JMP 0000000077960390 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2096] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778016b0 5 bytes JMP 00000000779602e0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2096] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077801730 5 bytes JMP 00000000779602d0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2096] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077801750 5 bytes JMP 0000000077960310 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2096] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077801790 5 bytes JMP 00000000779603c0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2096] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778017e0 5 bytes JMP 00000000779603f0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2096] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077801940 5 bytes JMP 0000000077960230 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2096] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077801b00 5 bytes JMP 0000000077960480 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2096] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077801b30 5 bytes JMP 00000000779603a0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2096] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077801c10 5 bytes JMP 00000000779602f0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2096] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077801c20 5 bytes JMP 0000000077960350 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2096] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077801c80 5 bytes JMP 0000000077960290 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2096] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077801d10 5 bytes JMP 00000000779602b0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2096] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077801d30 5 bytes JMP 00000000779603d0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2096] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077801d40 5 bytes JMP 0000000077960330 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2096] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077801db0 5 bytes JMP 0000000077960410 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2096] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077801de0 5 bytes JMP 0000000077960240 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2096] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778020a0 5 bytes JMP 00000000779601e0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2096] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077802160 5 bytes JMP 0000000077960250 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2096] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077802190 5 bytes JMP 0000000077960490 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2096] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778021a0 5 bytes JMP 00000000779604a0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2096] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778021d0 5 bytes JMP 0000000077960300 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2096] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778021e0 5 bytes JMP 0000000077960360 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2096] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077802240 5 bytes JMP 00000000779602a0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2096] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077802290 5 bytes JMP 00000000779602c0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2096] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000778022c0 5 bytes JMP 0000000077960380 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2096] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778022d0 5 bytes JMP 0000000077960340 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2096] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000778025c0 5 bytes JMP 0000000077960440 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2096] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778027c0 5 bytes JMP 0000000077960260 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2096] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778027d0 5 bytes JMP 0000000077960270 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2096] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778027e0 5 bytes JMP 0000000077960400 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2096] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778029a0 5 bytes JMP 00000000779601f0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2096] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778029b0 5 bytes JMP 0000000077960210 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2096] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077802a20 5 bytes JMP 0000000077960200 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2096] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077802a80 5 bytes JMP 0000000077960420 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2096] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077802a90 5 bytes JMP 0000000077960430 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2096] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077802aa0 5 bytes JMP 0000000077960220 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2096] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077802b80 5 bytes JMP 0000000077960280 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2096] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000776eeecd 1 byte [62] .text C:\Program Files\Elantech\ETDCtrl.exe[2140] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077801360 5 bytes JMP 0000000100070460 .text C:\Program Files\Elantech\ETDCtrl.exe[2140] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000778013b0 5 bytes JMP 0000000100070450 .text C:\Program Files\Elantech\ETDCtrl.exe[2140] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077801510 5 bytes JMP 0000000100070370 .text C:\Program Files\Elantech\ETDCtrl.exe[2140] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077801560 5 bytes JMP 0000000100070470 .text C:\Program Files\Elantech\ETDCtrl.exe[2140] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077801570 5 bytes JMP 00000001000703e0 .text C:\Program Files\Elantech\ETDCtrl.exe[2140] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077801620 5 bytes JMP 0000000100070320 .text C:\Program Files\Elantech\ETDCtrl.exe[2140] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077801650 5 bytes JMP 00000001000703b0 .text C:\Program Files\Elantech\ETDCtrl.exe[2140] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077801670 5 bytes JMP 0000000100070390 .text C:\Program Files\Elantech\ETDCtrl.exe[2140] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778016b0 5 bytes JMP 00000001000702e0 .text C:\Program Files\Elantech\ETDCtrl.exe[2140] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077801730 5 bytes JMP 00000001000702d0 .text C:\Program Files\Elantech\ETDCtrl.exe[2140] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077801750 5 bytes JMP 0000000100070310 .text C:\Program Files\Elantech\ETDCtrl.exe[2140] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077801790 5 bytes JMP 00000001000703c0 .text C:\Program Files\Elantech\ETDCtrl.exe[2140] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778017e0 5 bytes JMP 00000001000703f0 .text C:\Program Files\Elantech\ETDCtrl.exe[2140] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077801940 5 bytes JMP 0000000100070230 .text C:\Program Files\Elantech\ETDCtrl.exe[2140] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077801b00 5 bytes JMP 0000000100070480 .text C:\Program Files\Elantech\ETDCtrl.exe[2140] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077801b30 5 bytes JMP 00000001000703a0 .text C:\Program Files\Elantech\ETDCtrl.exe[2140] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077801c10 5 bytes JMP 00000001000702f0 .text C:\Program Files\Elantech\ETDCtrl.exe[2140] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077801c20 5 bytes JMP 0000000100070350 .text C:\Program Files\Elantech\ETDCtrl.exe[2140] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077801c80 5 bytes JMP 0000000100070290 .text C:\Program Files\Elantech\ETDCtrl.exe[2140] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077801d10 5 bytes JMP 00000001000702b0 .text C:\Program Files\Elantech\ETDCtrl.exe[2140] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077801d30 5 bytes JMP 00000001000703d0 .text C:\Program Files\Elantech\ETDCtrl.exe[2140] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077801d40 5 bytes JMP 0000000100070330 .text C:\Program Files\Elantech\ETDCtrl.exe[2140] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077801db0 5 bytes JMP 0000000100070410 .text C:\Program Files\Elantech\ETDCtrl.exe[2140] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077801de0 5 bytes JMP 0000000100070240 .text C:\Program Files\Elantech\ETDCtrl.exe[2140] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778020a0 5 bytes JMP 00000001000701e0 .text C:\Program Files\Elantech\ETDCtrl.exe[2140] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077802160 5 bytes JMP 0000000100070250 .text C:\Program Files\Elantech\ETDCtrl.exe[2140] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077802190 5 bytes JMP 0000000100070490 .text C:\Program Files\Elantech\ETDCtrl.exe[2140] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778021a0 5 bytes JMP 00000001000704a0 .text C:\Program Files\Elantech\ETDCtrl.exe[2140] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778021d0 5 bytes JMP 0000000100070300 .text C:\Program Files\Elantech\ETDCtrl.exe[2140] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778021e0 5 bytes JMP 0000000100070360 .text C:\Program Files\Elantech\ETDCtrl.exe[2140] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077802240 5 bytes JMP 00000001000702a0 .text C:\Program Files\Elantech\ETDCtrl.exe[2140] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077802290 5 bytes JMP 00000001000702c0 .text C:\Program Files\Elantech\ETDCtrl.exe[2140] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000778022c0 5 bytes JMP 0000000100070380 .text C:\Program Files\Elantech\ETDCtrl.exe[2140] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778022d0 5 bytes JMP 0000000100070340 .text C:\Program Files\Elantech\ETDCtrl.exe[2140] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000778025c0 5 bytes JMP 0000000100070440 .text C:\Program Files\Elantech\ETDCtrl.exe[2140] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778027c0 5 bytes JMP 0000000100070260 .text C:\Program Files\Elantech\ETDCtrl.exe[2140] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778027d0 5 bytes JMP 0000000100070270 .text C:\Program Files\Elantech\ETDCtrl.exe[2140] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778027e0 5 bytes JMP 0000000100070400 .text C:\Program Files\Elantech\ETDCtrl.exe[2140] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778029a0 5 bytes JMP 00000001000701f0 .text C:\Program Files\Elantech\ETDCtrl.exe[2140] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778029b0 5 bytes JMP 0000000100070210 .text C:\Program Files\Elantech\ETDCtrl.exe[2140] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077802a20 5 bytes JMP 0000000100070200 .text C:\Program Files\Elantech\ETDCtrl.exe[2140] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077802a80 5 bytes JMP 0000000100070420 .text C:\Program Files\Elantech\ETDCtrl.exe[2140] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077802a90 5 bytes JMP 0000000100070430 .text C:\Program Files\Elantech\ETDCtrl.exe[2140] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077802aa0 5 bytes JMP 0000000100070220 .text C:\Program Files\Elantech\ETDCtrl.exe[2140] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077802b80 5 bytes JMP 0000000100070280 .text C:\Program Files\Elantech\ETDCtrl.exe[2140] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000776eeecd 1 byte [62] .text C:\Users\Justyna\AppData\Local\GG\Application\gghub.exe[2468] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000076bda30a 1 byte [62] .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[2488] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077801360 5 bytes JMP 0000000077960460 .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[2488] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000778013b0 5 bytes JMP 0000000077960450 .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[2488] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077801510 5 bytes JMP 0000000077960370 .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[2488] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077801560 5 bytes JMP 0000000077960470 .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[2488] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077801570 5 bytes JMP 00000000779603e0 .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[2488] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077801620 5 bytes JMP 0000000077960320 .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[2488] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077801650 5 bytes JMP 00000000779603b0 .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[2488] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077801670 5 bytes JMP 0000000077960390 .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[2488] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778016b0 5 bytes JMP 00000000779602e0 .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[2488] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077801730 5 bytes JMP 00000000779602d0 .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[2488] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077801750 5 bytes JMP 0000000077960310 .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[2488] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077801790 5 bytes JMP 00000000779603c0 .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[2488] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778017e0 5 bytes JMP 00000000779603f0 .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[2488] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077801940 5 bytes JMP 0000000077960230 .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[2488] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077801b00 5 bytes JMP 0000000077960480 .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[2488] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077801b30 5 bytes JMP 00000000779603a0 .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[2488] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077801c10 5 bytes JMP 00000000779602f0 .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[2488] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077801c20 5 bytes JMP 0000000077960350 .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[2488] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077801c80 5 bytes JMP 0000000077960290 .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[2488] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077801d10 5 bytes JMP 00000000779602b0 .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[2488] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077801d30 5 bytes JMP 00000000779603d0 .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[2488] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077801d40 5 bytes JMP 0000000077960330 .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[2488] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077801db0 5 bytes JMP 0000000077960410 .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[2488] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077801de0 5 bytes JMP 0000000077960240 .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[2488] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778020a0 5 bytes JMP 00000000779601e0 .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[2488] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077802160 5 bytes JMP 0000000077960250 .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[2488] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077802190 5 bytes JMP 0000000077960490 .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[2488] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778021a0 5 bytes JMP 00000000779604a0 .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[2488] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778021d0 5 bytes JMP 0000000077960300 .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[2488] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778021e0 5 bytes JMP 0000000077960360 .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[2488] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077802240 5 bytes JMP 00000000779602a0 .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[2488] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077802290 5 bytes JMP 00000000779602c0 .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[2488] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000778022c0 5 bytes JMP 0000000077960380 .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[2488] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778022d0 5 bytes JMP 0000000077960340 .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[2488] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000778025c0 5 bytes JMP 0000000077960440 .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[2488] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778027c0 5 bytes JMP 0000000077960260 .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[2488] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778027d0 5 bytes JMP 0000000077960270 .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[2488] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778027e0 5 bytes JMP 0000000077960400 .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[2488] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778029a0 5 bytes JMP 00000000779601f0 .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[2488] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778029b0 5 bytes JMP 0000000077960210 .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[2488] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077802a20 5 bytes JMP 0000000077960200 .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[2488] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077802a80 5 bytes JMP 0000000077960420 .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[2488] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077802a90 5 bytes JMP 0000000077960430 .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[2488] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077802aa0 5 bytes JMP 0000000077960220 .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[2488] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077802b80 5 bytes JMP 0000000077960280 .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[2488] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000776eeecd 1 byte [62] .text C:\Users\Justyna\AppData\Local\WeatherAlerts\DesktopWeatherAlertsApp.exe[2576] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 0000000076bda30a 1 byte [62] .text C:\Users\Justyna\AppData\Local\WeatherAlerts\DesktopWeatherAlertsApp.exe[2576] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076ed1465 2 bytes [ED, 76] .text C:\Users\Justyna\AppData\Local\WeatherAlerts\DesktopWeatherAlertsApp.exe[2576] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000076ed14bb 2 bytes [ED, 76] .text ... * 2 .text C:\Users\Justyna\AppData\Roaming\Dropbox\bin\Dropbox.exe[2588] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000076bda30a 1 byte [62] .text C:\Users\Justyna\AppData\Roaming\Dropbox\bin\Dropbox.exe[2588] C:\Windows\syswow64\Psapi.dll!GetModuleInformation + 69 0000000076ed1465 2 bytes [ED, 76] .text C:\Users\Justyna\AppData\Roaming\Dropbox\bin\Dropbox.exe[2588] C:\Windows\syswow64\Psapi.dll!GetModuleInformation + 155 0000000076ed14bb 2 bytes [ED, 76] .text ... * 2 .text C:\ProgramData\Multimedia mobilNET\OnlineUpdate\ouc.exe[2696] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000076bda30a 1 byte [62] .text C:\Windows\SysWOW64\Rezip.exe[2728] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000076bda30a 1 byte [62] .text C:\Windows\system32\svchost.exe[2788] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000776eeecd 1 byte [62] .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[2856] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077801360 5 bytes JMP 0000000077960460 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[2856] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000778013b0 5 bytes JMP 0000000077960450 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[2856] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077801510 5 bytes JMP 0000000077960370 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[2856] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077801560 5 bytes JMP 0000000077960470 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[2856] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077801570 5 bytes JMP 00000000779603e0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[2856] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077801620 5 bytes JMP 0000000077960320 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[2856] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077801650 5 bytes JMP 00000000779603b0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[2856] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077801670 5 bytes JMP 0000000077960390 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[2856] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778016b0 5 bytes JMP 00000000779602e0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[2856] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077801730 5 bytes JMP 00000000779602d0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[2856] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077801750 5 bytes JMP 0000000077960310 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[2856] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077801790 5 bytes JMP 00000000779603c0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[2856] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778017e0 5 bytes JMP 00000000779603f0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[2856] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077801940 5 bytes JMP 0000000077960230 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[2856] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077801b00 5 bytes JMP 0000000077960480 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[2856] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077801b30 5 bytes JMP 00000000779603a0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[2856] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077801c10 5 bytes JMP 00000000779602f0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[2856] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077801c20 5 bytes JMP 0000000077960350 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[2856] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077801c80 5 bytes JMP 0000000077960290 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[2856] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077801d10 5 bytes JMP 00000000779602b0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[2856] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077801d30 5 bytes JMP 00000000779603d0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[2856] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077801d40 5 bytes JMP 0000000077960330 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[2856] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077801db0 5 bytes JMP 0000000077960410 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[2856] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077801de0 5 bytes JMP 0000000077960240 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[2856] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778020a0 5 bytes JMP 00000000779601e0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[2856] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077802160 5 bytes JMP 0000000077960250 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[2856] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077802190 5 bytes JMP 0000000077960490 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[2856] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778021a0 5 bytes JMP 00000000779604a0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[2856] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778021d0 5 bytes JMP 0000000077960300 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[2856] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778021e0 5 bytes JMP 0000000077960360 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[2856] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077802240 5 bytes JMP 00000000779602a0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[2856] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077802290 5 bytes JMP 00000000779602c0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[2856] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000778022c0 5 bytes JMP 0000000077960380 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[2856] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778022d0 5 bytes JMP 0000000077960340 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[2856] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000778025c0 5 bytes JMP 0000000077960440 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[2856] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778027c0 5 bytes JMP 0000000077960260 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[2856] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778027d0 5 bytes JMP 0000000077960270 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[2856] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778027e0 5 bytes JMP 0000000077960400 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[2856] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778029a0 5 bytes JMP 00000000779601f0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[2856] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778029b0 5 bytes JMP 0000000077960210 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[2856] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077802a20 5 bytes JMP 0000000077960200 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[2856] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077802a80 5 bytes JMP 0000000077960420 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[2856] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077802a90 5 bytes JMP 0000000077960430 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[2856] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077802aa0 5 bytes JMP 0000000077960220 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[2856] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077802b80 5 bytes JMP 0000000077960280 .text C:\Windows\SysWOW64\RunDll32.exe[2900] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000076bda30a 1 byte [62] .text D:\programy\winamp\winampa.exe[2908] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000076bda30a 1 byte [62] .text C:\Program Files (x86)\Common Files\InstallShield\UpdateService\issch.exe[2932] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000076bda30a 1 byte [62] .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2952] C:\Windows\syswow64\kernel32.dll!SetUnhandledExceptionFilter 0000000076bb87b1 8 bytes [31, C0, C2, 04, 00, 90, 90, ...] .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2952] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000076bda30a 1 byte [62] .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2952] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076ed1465 2 bytes [ED, 76] .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2952] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000076ed14bb 2 bytes [ED, 76] .text ... * 2 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3028] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000076bda30a 1 byte [62] .text C:\Program Files (x86)\Deal Keeper\updateDealKeeper.exe[2416] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 0000000076bda30a 1 byte [62] .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3040] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077801360 5 bytes JMP 0000000077960460 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3040] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000778013b0 5 bytes JMP 0000000077960450 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3040] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077801510 5 bytes JMP 0000000077960370 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3040] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077801560 5 bytes JMP 0000000077960470 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3040] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077801570 5 bytes JMP 00000000779603e0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3040] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077801620 5 bytes JMP 0000000077960320 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3040] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077801650 5 bytes JMP 00000000779603b0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3040] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077801670 5 bytes JMP 0000000077960390 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3040] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778016b0 5 bytes JMP 00000000779602e0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3040] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077801730 5 bytes JMP 00000000779602d0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3040] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077801750 5 bytes JMP 0000000077960310 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3040] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077801790 5 bytes JMP 00000000779603c0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3040] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778017e0 5 bytes JMP 00000000779603f0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3040] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077801940 5 bytes JMP 0000000077960230 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3040] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077801b00 5 bytes JMP 0000000077960480 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3040] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077801b30 5 bytes JMP 00000000779603a0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3040] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077801c10 5 bytes JMP 00000000779602f0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3040] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077801c20 5 bytes JMP 0000000077960350 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3040] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077801c80 5 bytes JMP 0000000077960290 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3040] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077801d10 5 bytes JMP 00000000779602b0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3040] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077801d30 5 bytes JMP 00000000779603d0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3040] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077801d40 5 bytes JMP 0000000077960330 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3040] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077801db0 5 bytes JMP 0000000077960410 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3040] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077801de0 5 bytes JMP 0000000077960240 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3040] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778020a0 5 bytes JMP 00000000779601e0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3040] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077802160 5 bytes JMP 0000000077960250 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3040] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077802190 5 bytes JMP 0000000077960490 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3040] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778021a0 5 bytes JMP 00000000779604a0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3040] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778021d0 5 bytes JMP 0000000077960300 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3040] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778021e0 5 bytes JMP 0000000077960360 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3040] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077802240 5 bytes JMP 00000000779602a0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3040] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077802290 5 bytes JMP 00000000779602c0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3040] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000778022c0 5 bytes JMP 0000000077960380 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3040] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778022d0 5 bytes JMP 0000000077960340 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3040] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000778025c0 5 bytes JMP 0000000077960440 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3040] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778027c0 5 bytes JMP 0000000077960260 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3040] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778027d0 5 bytes JMP 0000000077960270 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3040] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778027e0 5 bytes JMP 0000000077960400 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3040] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778029a0 5 bytes JMP 00000000779601f0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3040] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778029b0 5 bytes JMP 0000000077960210 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3040] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077802a20 5 bytes JMP 0000000077960200 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3040] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077802a80 5 bytes JMP 0000000077960420 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3040] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077802a90 5 bytes JMP 0000000077960430 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3040] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077802aa0 5 bytes JMP 0000000077960220 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3040] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077802b80 5 bytes JMP 0000000077960280 .text C:\Program Files (x86)\Deal Keeper\bin\utilDealKeeper.exe[2672] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 0000000076bda30a 1 byte [62] .text C:\Windows\System32\svchost.exe[3288] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077801360 5 bytes JMP 0000000077960460 .text C:\Windows\System32\svchost.exe[3288] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000778013b0 5 bytes JMP 0000000077960450 .text C:\Windows\System32\svchost.exe[3288] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077801510 5 bytes JMP 0000000077960370 .text C:\Windows\System32\svchost.exe[3288] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077801560 5 bytes JMP 0000000077960470 .text C:\Windows\System32\svchost.exe[3288] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077801570 5 bytes JMP 00000000779603e0 .text C:\Windows\System32\svchost.exe[3288] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077801620 5 bytes JMP 0000000077960320 .text C:\Windows\System32\svchost.exe[3288] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077801650 5 bytes JMP 00000000779603b0 .text C:\Windows\System32\svchost.exe[3288] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077801670 5 bytes JMP 0000000077960390 .text C:\Windows\System32\svchost.exe[3288] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778016b0 5 bytes JMP 00000000779602e0 .text C:\Windows\System32\svchost.exe[3288] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077801730 5 bytes JMP 00000000779602d0 .text C:\Windows\System32\svchost.exe[3288] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077801750 5 bytes JMP 0000000077960310 .text C:\Windows\System32\svchost.exe[3288] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077801790 5 bytes JMP 00000000779603c0 .text C:\Windows\System32\svchost.exe[3288] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778017e0 5 bytes JMP 00000000779603f0 .text C:\Windows\System32\svchost.exe[3288] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077801940 5 bytes JMP 0000000077960230 .text C:\Windows\System32\svchost.exe[3288] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077801b00 5 bytes JMP 0000000077960480 .text C:\Windows\System32\svchost.exe[3288] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077801b30 5 bytes JMP 00000000779603a0 .text C:\Windows\System32\svchost.exe[3288] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077801c10 5 bytes JMP 00000000779602f0 .text C:\Windows\System32\svchost.exe[3288] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077801c20 5 bytes JMP 0000000077960350 .text C:\Windows\System32\svchost.exe[3288] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077801c80 5 bytes JMP 0000000077960290 .text C:\Windows\System32\svchost.exe[3288] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077801d10 5 bytes JMP 00000000779602b0 .text C:\Windows\System32\svchost.exe[3288] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077801d30 5 bytes JMP 00000000779603d0 .text C:\Windows\System32\svchost.exe[3288] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077801d40 5 bytes JMP 0000000077960330 .text C:\Windows\System32\svchost.exe[3288] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077801db0 5 bytes JMP 0000000077960410 .text C:\Windows\System32\svchost.exe[3288] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077801de0 5 bytes JMP 0000000077960240 .text C:\Windows\System32\svchost.exe[3288] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778020a0 5 bytes JMP 00000000779601e0 .text C:\Windows\System32\svchost.exe[3288] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077802160 5 bytes JMP 0000000077960250 .text C:\Windows\System32\svchost.exe[3288] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077802190 5 bytes JMP 0000000077960490 .text C:\Windows\System32\svchost.exe[3288] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778021a0 5 bytes JMP 00000000779604a0 .text C:\Windows\System32\svchost.exe[3288] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778021d0 5 bytes JMP 0000000077960300 .text C:\Windows\System32\svchost.exe[3288] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778021e0 5 bytes JMP 0000000077960360 .text C:\Windows\System32\svchost.exe[3288] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077802240 5 bytes JMP 00000000779602a0 .text C:\Windows\System32\svchost.exe[3288] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077802290 5 bytes JMP 00000000779602c0 .text C:\Windows\System32\svchost.exe[3288] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000778022c0 5 bytes JMP 0000000077960380 .text C:\Windows\System32\svchost.exe[3288] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778022d0 5 bytes JMP 0000000077960340 .text C:\Windows\System32\svchost.exe[3288] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000778025c0 5 bytes JMP 0000000077960440 .text C:\Windows\System32\svchost.exe[3288] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778027c0 5 bytes JMP 0000000077960260 .text C:\Windows\System32\svchost.exe[3288] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778027d0 5 bytes JMP 0000000077960270 .text C:\Windows\System32\svchost.exe[3288] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778027e0 5 bytes JMP 0000000077960400 .text C:\Windows\System32\svchost.exe[3288] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778029a0 5 bytes JMP 00000000779601f0 .text C:\Windows\System32\svchost.exe[3288] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778029b0 5 bytes JMP 0000000077960210 .text C:\Windows\System32\svchost.exe[3288] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077802a20 5 bytes JMP 0000000077960200 .text C:\Windows\System32\svchost.exe[3288] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077802a80 5 bytes JMP 0000000077960420 .text C:\Windows\System32\svchost.exe[3288] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077802a90 5 bytes JMP 0000000077960430 .text C:\Windows\System32\svchost.exe[3288] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077802aa0 5 bytes JMP 0000000077960220 .text C:\Windows\System32\svchost.exe[3288] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077802b80 5 bytes JMP 0000000077960280 .text C:\Windows\System32\svchost.exe[3288] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000776eeecd 1 byte [62] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3340] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077801360 5 bytes JMP 0000000077960460 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3340] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000778013b0 5 bytes JMP 0000000077960450 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3340] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077801510 5 bytes JMP 0000000077960370 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3340] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077801560 5 bytes JMP 0000000077960470 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3340] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077801570 5 bytes JMP 00000000779603e0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3340] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077801620 5 bytes JMP 0000000077960320 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3340] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077801650 5 bytes JMP 00000000779603b0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3340] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077801670 5 bytes JMP 0000000077960390 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3340] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778016b0 5 bytes JMP 00000000779602e0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3340] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077801730 5 bytes JMP 00000000779602d0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3340] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077801750 5 bytes JMP 0000000077960310 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3340] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077801790 5 bytes JMP 00000000779603c0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3340] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778017e0 5 bytes JMP 00000000779603f0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3340] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077801940 5 bytes JMP 0000000077960230 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3340] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077801b00 5 bytes JMP 0000000077960480 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3340] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077801b30 5 bytes JMP 00000000779603a0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3340] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077801c10 5 bytes JMP 00000000779602f0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3340] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077801c20 5 bytes JMP 0000000077960350 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3340] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077801c80 5 bytes JMP 0000000077960290 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3340] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077801d10 5 bytes JMP 00000000779602b0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3340] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077801d30 5 bytes JMP 00000000779603d0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3340] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077801d40 5 bytes JMP 0000000077960330 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3340] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077801db0 5 bytes JMP 0000000077960410 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3340] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077801de0 5 bytes JMP 0000000077960240 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3340] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778020a0 5 bytes JMP 00000000779601e0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3340] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077802160 5 bytes JMP 0000000077960250 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3340] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077802190 5 bytes JMP 0000000077960490 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3340] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778021a0 5 bytes JMP 00000000779604a0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3340] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778021d0 5 bytes JMP 0000000077960300 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3340] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778021e0 5 bytes JMP 0000000077960360 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3340] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077802240 5 bytes JMP 00000000779602a0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3340] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077802290 5 bytes JMP 00000000779602c0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3340] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000778022c0 5 bytes JMP 0000000077960380 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3340] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778022d0 5 bytes JMP 0000000077960340 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3340] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000778025c0 5 bytes JMP 0000000077960440 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3340] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778027c0 5 bytes JMP 0000000077960260 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3340] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778027d0 5 bytes JMP 0000000077960270 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3340] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778027e0 5 bytes JMP 0000000077960400 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3340] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778029a0 5 bytes JMP 00000000779601f0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3340] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778029b0 5 bytes JMP 0000000077960210 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3340] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077802a20 5 bytes JMP 0000000077960200 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3340] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077802a80 5 bytes JMP 0000000077960420 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3340] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077802a90 5 bytes JMP 0000000077960430 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3340] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077802aa0 5 bytes JMP 0000000077960220 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3340] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077802b80 5 bytes JMP 0000000077960280 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3340] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000776eeecd 1 byte [62] .text D:\programy\spybot\Spybot - Search & Destroy\SDWinSec.exe[3516] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000076bda30a 1 byte [62] .text D:\programy\spybot\Spybot - Search & Destroy\SDWinSec.exe[3516] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 69 0000000076ed1465 2 bytes [ED, 76] .text D:\programy\spybot\Spybot - Search & Destroy\SDWinSec.exe[3516] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 155 0000000076ed14bb 2 bytes [ED, 76] .text ... * 2 .text C:\Windows\system32\wbem\wmiprvse.exe[3816] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077801360 5 bytes JMP 0000000077960460 .text C:\Windows\system32\wbem\wmiprvse.exe[3816] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000778013b0 5 bytes JMP 0000000077960450 .text C:\Windows\system32\wbem\wmiprvse.exe[3816] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077801510 5 bytes JMP 0000000077960370 .text C:\Windows\system32\wbem\wmiprvse.exe[3816] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077801560 5 bytes JMP 0000000077960470 .text C:\Windows\system32\wbem\wmiprvse.exe[3816] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077801570 5 bytes JMP 00000000779603e0 .text C:\Windows\system32\wbem\wmiprvse.exe[3816] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077801620 5 bytes JMP 0000000077960320 .text C:\Windows\system32\wbem\wmiprvse.exe[3816] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077801650 5 bytes JMP 00000000779603b0 .text C:\Windows\system32\wbem\wmiprvse.exe[3816] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077801670 5 bytes JMP 0000000077960390 .text C:\Windows\system32\wbem\wmiprvse.exe[3816] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778016b0 5 bytes JMP 00000000779602e0 .text C:\Windows\system32\wbem\wmiprvse.exe[3816] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077801730 5 bytes JMP 00000000779602d0 .text C:\Windows\system32\wbem\wmiprvse.exe[3816] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077801750 5 bytes JMP 0000000077960310 .text C:\Windows\system32\wbem\wmiprvse.exe[3816] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077801790 5 bytes JMP 00000000779603c0 .text C:\Windows\system32\wbem\wmiprvse.exe[3816] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778017e0 5 bytes JMP 00000000779603f0 .text C:\Windows\system32\wbem\wmiprvse.exe[3816] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077801940 5 bytes JMP 0000000077960230 .text C:\Windows\system32\wbem\wmiprvse.exe[3816] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077801b00 5 bytes JMP 0000000077960480 .text C:\Windows\system32\wbem\wmiprvse.exe[3816] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077801b30 5 bytes JMP 00000000779603a0 .text C:\Windows\system32\wbem\wmiprvse.exe[3816] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077801c10 5 bytes JMP 00000000779602f0 .text C:\Windows\system32\wbem\wmiprvse.exe[3816] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077801c20 5 bytes JMP 0000000077960350 .text C:\Windows\system32\wbem\wmiprvse.exe[3816] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077801c80 5 bytes JMP 0000000077960290 .text C:\Windows\system32\wbem\wmiprvse.exe[3816] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077801d10 5 bytes JMP 00000000779602b0 .text C:\Windows\system32\wbem\wmiprvse.exe[3816] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077801d30 5 bytes JMP 00000000779603d0 .text C:\Windows\system32\wbem\wmiprvse.exe[3816] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077801d40 5 bytes JMP 0000000077960330 .text C:\Windows\system32\wbem\wmiprvse.exe[3816] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077801db0 5 bytes JMP 0000000077960410 .text C:\Windows\system32\wbem\wmiprvse.exe[3816] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077801de0 5 bytes JMP 0000000077960240 .text C:\Windows\system32\wbem\wmiprvse.exe[3816] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778020a0 5 bytes JMP 00000000779601e0 .text C:\Windows\system32\wbem\wmiprvse.exe[3816] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077802160 5 bytes JMP 0000000077960250 .text C:\Windows\system32\wbem\wmiprvse.exe[3816] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077802190 5 bytes JMP 0000000077960490 .text C:\Windows\system32\wbem\wmiprvse.exe[3816] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778021a0 5 bytes JMP 00000000779604a0 .text C:\Windows\system32\wbem\wmiprvse.exe[3816] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778021d0 5 bytes JMP 0000000077960300 .text C:\Windows\system32\wbem\wmiprvse.exe[3816] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778021e0 5 bytes JMP 0000000077960360 .text C:\Windows\system32\wbem\wmiprvse.exe[3816] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077802240 5 bytes JMP 00000000779602a0 .text C:\Windows\system32\wbem\wmiprvse.exe[3816] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077802290 5 bytes JMP 00000000779602c0 .text C:\Windows\system32\wbem\wmiprvse.exe[3816] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000778022c0 5 bytes JMP 0000000077960380 .text C:\Windows\system32\wbem\wmiprvse.exe[3816] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778022d0 5 bytes JMP 0000000077960340 .text C:\Windows\system32\wbem\wmiprvse.exe[3816] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000778025c0 5 bytes JMP 0000000077960440 .text C:\Windows\system32\wbem\wmiprvse.exe[3816] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778027c0 5 bytes JMP 0000000077960260 .text C:\Windows\system32\wbem\wmiprvse.exe[3816] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778027d0 5 bytes JMP 0000000077960270 .text C:\Windows\system32\wbem\wmiprvse.exe[3816] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778027e0 5 bytes JMP 0000000077960400 .text C:\Windows\system32\wbem\wmiprvse.exe[3816] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778029a0 5 bytes JMP 00000000779601f0 .text C:\Windows\system32\wbem\wmiprvse.exe[3816] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778029b0 5 bytes JMP 0000000077960210 .text C:\Windows\system32\wbem\wmiprvse.exe[3816] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077802a20 5 bytes JMP 0000000077960200 .text C:\Windows\system32\wbem\wmiprvse.exe[3816] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077802a80 5 bytes JMP 0000000077960420 .text C:\Windows\system32\wbem\wmiprvse.exe[3816] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077802a90 5 bytes JMP 0000000077960430 .text C:\Windows\system32\wbem\wmiprvse.exe[3816] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077802aa0 5 bytes JMP 0000000077960220 .text C:\Windows\system32\wbem\wmiprvse.exe[3816] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077802b80 5 bytes JMP 0000000077960280 .text C:\Windows\system32\wbem\wmiprvse.exe[3816] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000776eeecd 1 byte [62] .text C:\Windows\system32\svchost.exe[3512] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077801360 5 bytes JMP 0000000077960460 .text C:\Windows\system32\svchost.exe[3512] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000778013b0 5 bytes JMP 0000000077960450 .text C:\Windows\system32\svchost.exe[3512] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077801510 5 bytes JMP 0000000077960370 .text C:\Windows\system32\svchost.exe[3512] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077801560 5 bytes JMP 0000000077960470 .text C:\Windows\system32\svchost.exe[3512] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077801570 5 bytes JMP 00000000779603e0 .text C:\Windows\system32\svchost.exe[3512] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077801620 5 bytes JMP 0000000077960320 .text C:\Windows\system32\svchost.exe[3512] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077801650 5 bytes JMP 00000000779603b0 .text C:\Windows\system32\svchost.exe[3512] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077801670 5 bytes JMP 0000000077960390 .text C:\Windows\system32\svchost.exe[3512] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778016b0 5 bytes JMP 00000000779602e0 .text C:\Windows\system32\svchost.exe[3512] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077801730 5 bytes JMP 00000000779602d0 .text C:\Windows\system32\svchost.exe[3512] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077801750 5 bytes JMP 0000000077960310 .text C:\Windows\system32\svchost.exe[3512] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077801790 5 bytes JMP 00000000779603c0 .text C:\Windows\system32\svchost.exe[3512] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778017e0 5 bytes JMP 00000000779603f0 .text C:\Windows\system32\svchost.exe[3512] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077801940 5 bytes JMP 0000000077960230 .text C:\Windows\system32\svchost.exe[3512] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077801b00 5 bytes JMP 0000000077960480 .text C:\Windows\system32\svchost.exe[3512] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077801b30 5 bytes JMP 00000000779603a0 .text C:\Windows\system32\svchost.exe[3512] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077801c10 5 bytes JMP 00000000779602f0 .text C:\Windows\system32\svchost.exe[3512] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077801c20 5 bytes JMP 0000000077960350 .text C:\Windows\system32\svchost.exe[3512] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077801c80 5 bytes JMP 0000000077960290 .text C:\Windows\system32\svchost.exe[3512] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077801d10 5 bytes JMP 00000000779602b0 .text C:\Windows\system32\svchost.exe[3512] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077801d30 5 bytes JMP 00000000779603d0 .text C:\Windows\system32\svchost.exe[3512] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077801d40 5 bytes JMP 0000000077960330 .text C:\Windows\system32\svchost.exe[3512] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077801db0 5 bytes JMP 0000000077960410 .text C:\Windows\system32\svchost.exe[3512] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077801de0 5 bytes JMP 0000000077960240 .text C:\Windows\system32\svchost.exe[3512] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778020a0 5 bytes JMP 00000000779601e0 .text C:\Windows\system32\svchost.exe[3512] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077802160 5 bytes JMP 0000000077960250 .text C:\Windows\system32\svchost.exe[3512] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077802190 5 bytes JMP 0000000077960490 .text C:\Windows\system32\svchost.exe[3512] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778021a0 5 bytes JMP 00000000779604a0 .text C:\Windows\system32\svchost.exe[3512] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778021d0 5 bytes JMP 0000000077960300 .text C:\Windows\system32\svchost.exe[3512] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778021e0 5 bytes JMP 0000000077960360 .text C:\Windows\system32\svchost.exe[3512] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077802240 5 bytes JMP 00000000779602a0 .text C:\Windows\system32\svchost.exe[3512] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077802290 5 bytes JMP 00000000779602c0 .text C:\Windows\system32\svchost.exe[3512] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000778022c0 5 bytes JMP 0000000077960380 .text C:\Windows\system32\svchost.exe[3512] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778022d0 5 bytes JMP 0000000077960340 .text C:\Windows\system32\svchost.exe[3512] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000778025c0 5 bytes JMP 0000000077960440 .text C:\Windows\system32\svchost.exe[3512] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778027c0 5 bytes JMP 0000000077960260 .text C:\Windows\system32\svchost.exe[3512] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778027d0 5 bytes JMP 0000000077960270 .text C:\Windows\system32\svchost.exe[3512] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778027e0 5 bytes JMP 0000000077960400 .text C:\Windows\system32\svchost.exe[3512] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778029a0 5 bytes JMP 00000000779601f0 .text C:\Windows\system32\svchost.exe[3512] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778029b0 5 bytes JMP 0000000077960210 .text C:\Windows\system32\svchost.exe[3512] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077802a20 5 bytes JMP 0000000077960200 .text C:\Windows\system32\svchost.exe[3512] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077802a80 5 bytes JMP 0000000077960420 .text C:\Windows\system32\svchost.exe[3512] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077802a90 5 bytes JMP 0000000077960430 .text C:\Windows\system32\svchost.exe[3512] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077802aa0 5 bytes JMP 0000000077960220 .text C:\Windows\system32\svchost.exe[3512] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077802b80 5 bytes JMP 0000000077960280 .text C:\Windows\system32\svchost.exe[3512] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000776eeecd 1 byte [62] .text C:\Program Files\Elantech\ETDCtrlHelper.exe[4264] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077801360 5 bytes JMP 0000000077960460 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[4264] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000778013b0 5 bytes JMP 0000000077960450 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[4264] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077801510 5 bytes JMP 0000000077960370 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[4264] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077801560 5 bytes JMP 0000000077960470 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[4264] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077801570 5 bytes JMP 00000000779603e0 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[4264] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077801620 5 bytes JMP 0000000077960320 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[4264] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077801650 5 bytes JMP 00000000779603b0 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[4264] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077801670 5 bytes JMP 0000000077960390 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[4264] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778016b0 5 bytes JMP 00000000779602e0 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[4264] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077801730 5 bytes JMP 00000000779602d0 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[4264] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077801750 5 bytes JMP 0000000077960310 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[4264] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077801790 5 bytes JMP 00000000779603c0 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[4264] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778017e0 5 bytes JMP 00000000779603f0 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[4264] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077801940 5 bytes JMP 0000000077960230 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[4264] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077801b00 5 bytes JMP 0000000077960480 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[4264] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077801b30 5 bytes JMP 00000000779603a0 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[4264] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077801c10 5 bytes JMP 00000000779602f0 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[4264] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077801c20 5 bytes JMP 0000000077960350 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[4264] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077801c80 5 bytes JMP 0000000077960290 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[4264] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077801d10 5 bytes JMP 00000000779602b0 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[4264] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077801d30 5 bytes JMP 00000000779603d0 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[4264] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077801d40 5 bytes JMP 0000000077960330 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[4264] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077801db0 5 bytes JMP 0000000077960410 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[4264] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077801de0 5 bytes JMP 0000000077960240 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[4264] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778020a0 5 bytes JMP 00000000779601e0 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[4264] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077802160 5 bytes JMP 0000000077960250 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[4264] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077802190 5 bytes JMP 0000000077960490 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[4264] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778021a0 5 bytes JMP 00000000779604a0 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[4264] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778021d0 5 bytes JMP 0000000077960300 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[4264] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778021e0 5 bytes JMP 0000000077960360 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[4264] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077802240 5 bytes JMP 00000000779602a0 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[4264] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077802290 5 bytes JMP 00000000779602c0 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[4264] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000778022c0 5 bytes JMP 0000000077960380 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[4264] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778022d0 5 bytes JMP 0000000077960340 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[4264] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000778025c0 5 bytes JMP 0000000077960440 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[4264] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778027c0 5 bytes JMP 0000000077960260 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[4264] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778027d0 5 bytes JMP 0000000077960270 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[4264] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778027e0 5 bytes JMP 0000000077960400 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[4264] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778029a0 5 bytes JMP 00000000779601f0 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[4264] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778029b0 5 bytes JMP 0000000077960210 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[4264] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077802a20 5 bytes JMP 0000000077960200 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[4264] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077802a80 5 bytes JMP 0000000077960420 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[4264] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077802a90 5 bytes JMP 0000000077960430 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[4264] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077802aa0 5 bytes JMP 0000000077960220 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[4264] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077802b80 5 bytes JMP 0000000077960280 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[4264] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000776eeecd 1 byte [62] .text C:\Program Files (x86)\Microsoft\BingBar\7.1.361.0\SeaPort.exe[4140] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000076bda30a 1 byte [62] .text C:\Windows\system32\wuauclt.exe[4904] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077801360 5 bytes JMP 0000000077960460 .text C:\Windows\system32\wuauclt.exe[4904] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000778013b0 5 bytes JMP 0000000077960450 .text C:\Windows\system32\wuauclt.exe[4904] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077801510 5 bytes JMP 0000000077960370 .text C:\Windows\system32\wuauclt.exe[4904] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077801560 5 bytes JMP 0000000077960470 .text C:\Windows\system32\wuauclt.exe[4904] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077801570 5 bytes JMP 00000000779603e0 .text C:\Windows\system32\wuauclt.exe[4904] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077801620 5 bytes JMP 0000000077960320 .text C:\Windows\system32\wuauclt.exe[4904] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077801650 5 bytes JMP 00000000779603b0 .text C:\Windows\system32\wuauclt.exe[4904] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077801670 5 bytes JMP 0000000077960390 .text C:\Windows\system32\wuauclt.exe[4904] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778016b0 5 bytes JMP 00000000779602e0 .text C:\Windows\system32\wuauclt.exe[4904] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077801730 5 bytes JMP 00000000779602d0 .text C:\Windows\system32\wuauclt.exe[4904] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077801750 5 bytes JMP 0000000077960310 .text C:\Windows\system32\wuauclt.exe[4904] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077801790 5 bytes JMP 00000000779603c0 .text C:\Windows\system32\wuauclt.exe[4904] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778017e0 5 bytes JMP 00000000779603f0 .text C:\Windows\system32\wuauclt.exe[4904] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077801940 5 bytes JMP 0000000077960230 .text C:\Windows\system32\wuauclt.exe[4904] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077801b00 5 bytes JMP 0000000077960480 .text C:\Windows\system32\wuauclt.exe[4904] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077801b30 5 bytes JMP 00000000779603a0 .text C:\Windows\system32\wuauclt.exe[4904] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077801c10 5 bytes JMP 00000000779602f0 .text C:\Windows\system32\wuauclt.exe[4904] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077801c20 5 bytes JMP 0000000077960350 .text C:\Windows\system32\wuauclt.exe[4904] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077801c80 5 bytes JMP 0000000077960290 .text C:\Windows\system32\wuauclt.exe[4904] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077801d10 5 bytes JMP 00000000779602b0 .text C:\Windows\system32\wuauclt.exe[4904] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077801d30 5 bytes JMP 00000000779603d0 .text C:\Windows\system32\wuauclt.exe[4904] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077801d40 5 bytes JMP 0000000077960330 .text C:\Windows\system32\wuauclt.exe[4904] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077801db0 5 bytes JMP 0000000077960410 .text C:\Windows\system32\wuauclt.exe[4904] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077801de0 5 bytes JMP 0000000077960240 .text C:\Windows\system32\wuauclt.exe[4904] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778020a0 5 bytes JMP 00000000779601e0 .text C:\Windows\system32\wuauclt.exe[4904] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077802160 5 bytes JMP 0000000077960250 .text C:\Windows\system32\wuauclt.exe[4904] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077802190 5 bytes JMP 0000000077960490 .text C:\Windows\system32\wuauclt.exe[4904] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778021a0 5 bytes JMP 00000000779604a0 .text C:\Windows\system32\wuauclt.exe[4904] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778021d0 5 bytes JMP 0000000077960300 .text C:\Windows\system32\wuauclt.exe[4904] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778021e0 5 bytes JMP 0000000077960360 .text C:\Windows\system32\wuauclt.exe[4904] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077802240 5 bytes JMP 00000000779602a0 .text C:\Windows\system32\wuauclt.exe[4904] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077802290 5 bytes JMP 00000000779602c0 .text C:\Windows\system32\wuauclt.exe[4904] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000778022c0 5 bytes JMP 0000000077960380 .text C:\Windows\system32\wuauclt.exe[4904] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778022d0 5 bytes JMP 0000000077960340 .text C:\Windows\system32\wuauclt.exe[4904] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000778025c0 5 bytes JMP 0000000077960440 .text C:\Windows\system32\wuauclt.exe[4904] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778027c0 5 bytes JMP 0000000077960260 .text C:\Windows\system32\wuauclt.exe[4904] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778027d0 5 bytes JMP 0000000077960270 .text C:\Windows\system32\wuauclt.exe[4904] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778027e0 5 bytes JMP 0000000077960400 .text C:\Windows\system32\wuauclt.exe[4904] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778029a0 5 bytes JMP 00000000779601f0 .text C:\Windows\system32\wuauclt.exe[4904] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778029b0 5 bytes JMP 0000000077960210 .text C:\Windows\system32\wuauclt.exe[4904] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077802a20 5 bytes JMP 0000000077960200 .text C:\Windows\system32\wuauclt.exe[4904] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077802a80 5 bytes JMP 0000000077960420 .text C:\Windows\system32\wuauclt.exe[4904] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077802a90 5 bytes JMP 0000000077960430 .text C:\Windows\system32\wuauclt.exe[4904] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077802aa0 5 bytes JMP 0000000077960220 .text C:\Windows\system32\wuauclt.exe[4904] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077802b80 5 bytes JMP 0000000077960280 .text C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE[3184] C:\Windows\syswow64\kernel32.dll!SetUnhandledExceptionFilter 0000000076bb87b1 5 bytes JMP 000000015b2f7dbc .text C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE[3184] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000076bda30a 1 byte [62] .text C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE[3184] C:\Windows\syswow64\ole32.dll!OleLoadFromStream 0000000076756143 5 bytes JMP 000000015b81c706 .text C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE[3184] C:\Windows\syswow64\OLEAUT32.dll!SysFreeString 00000000765a3e59 5 bytes JMP 000000015b323556 .text C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE[3184] C:\Windows\syswow64\OLEAUT32.dll!VariantClear 00000000765a3eae 5 bytes JMP 000000015b349255 .text C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE[3184] C:\Windows\syswow64\OLEAUT32.dll!SysAllocStringByteLen 00000000765a4731 5 bytes JMP 000000015b33db5c .text C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE[3184] C:\Windows\syswow64\OLEAUT32.dll!VariantChangeType 00000000765a5dee 5 bytes JMP 000000015b352989 .text C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE[3184] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076ed1465 2 bytes [ED, 76] .text C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE[3184] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000076ed14bb 2 bytes [ED, 76] .text ... * 2 .text C:\Windows\system32\AUDIODG.EXE[1656] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077801360 5 bytes JMP 0000000077960460 .text C:\Windows\system32\AUDIODG.EXE[1656] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000778013b0 5 bytes JMP 0000000077960450 .text C:\Windows\system32\AUDIODG.EXE[1656] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077801510 5 bytes JMP 0000000077960370 .text C:\Windows\system32\AUDIODG.EXE[1656] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077801560 5 bytes JMP 0000000077960470 .text C:\Windows\system32\AUDIODG.EXE[1656] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077801570 5 bytes JMP 00000000779603e0 .text C:\Windows\system32\AUDIODG.EXE[1656] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077801620 5 bytes JMP 0000000077960320 .text C:\Windows\system32\AUDIODG.EXE[1656] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077801650 5 bytes JMP 00000000779603b0 .text C:\Windows\system32\AUDIODG.EXE[1656] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077801670 5 bytes JMP 0000000077960390 .text C:\Windows\system32\AUDIODG.EXE[1656] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778016b0 5 bytes JMP 00000000779602e0 .text C:\Windows\system32\AUDIODG.EXE[1656] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077801730 5 bytes JMP 00000000779602d0 .text C:\Windows\system32\AUDIODG.EXE[1656] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077801750 5 bytes JMP 0000000077960310 .text C:\Windows\system32\AUDIODG.EXE[1656] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077801790 5 bytes JMP 00000000779603c0 .text C:\Windows\system32\AUDIODG.EXE[1656] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778017e0 5 bytes JMP 00000000779603f0 .text C:\Windows\system32\AUDIODG.EXE[1656] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077801940 5 bytes JMP 0000000077960230 .text C:\Windows\system32\AUDIODG.EXE[1656] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077801b00 5 bytes JMP 0000000077960480 .text C:\Windows\system32\AUDIODG.EXE[1656] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077801b30 5 bytes JMP 00000000779603a0 .text C:\Windows\system32\AUDIODG.EXE[1656] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077801c10 5 bytes JMP 00000000779602f0 .text C:\Windows\system32\AUDIODG.EXE[1656] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077801c20 5 bytes JMP 0000000077960350 .text C:\Windows\system32\AUDIODG.EXE[1656] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077801c80 5 bytes JMP 0000000077960290 .text C:\Windows\system32\AUDIODG.EXE[1656] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077801d10 5 bytes JMP 00000000779602b0 .text C:\Windows\system32\AUDIODG.EXE[1656] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077801d30 5 bytes JMP 00000000779603d0 .text C:\Windows\system32\AUDIODG.EXE[1656] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077801d40 5 bytes JMP 0000000077960330 .text C:\Windows\system32\AUDIODG.EXE[1656] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077801db0 5 bytes JMP 0000000077960410 .text C:\Windows\system32\AUDIODG.EXE[1656] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077801de0 5 bytes JMP 0000000077960240 .text C:\Windows\system32\AUDIODG.EXE[1656] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778020a0 5 bytes JMP 00000000779601e0 .text C:\Windows\system32\AUDIODG.EXE[1656] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077802160 5 bytes JMP 0000000077960250 .text C:\Windows\system32\AUDIODG.EXE[1656] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077802190 5 bytes JMP 0000000077960490 .text C:\Windows\system32\AUDIODG.EXE[1656] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778021a0 5 bytes JMP 00000000779604a0 .text C:\Windows\system32\AUDIODG.EXE[1656] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778021d0 5 bytes JMP 0000000077960300 .text C:\Windows\system32\AUDIODG.EXE[1656] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778021e0 5 bytes JMP 0000000077960360 .text C:\Windows\system32\AUDIODG.EXE[1656] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077802240 5 bytes JMP 00000000779602a0 .text C:\Windows\system32\AUDIODG.EXE[1656] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077802290 5 bytes JMP 00000000779602c0 .text C:\Windows\system32\AUDIODG.EXE[1656] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000778022c0 5 bytes JMP 0000000077960380 .text C:\Windows\system32\AUDIODG.EXE[1656] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778022d0 5 bytes JMP 0000000077960340 .text C:\Windows\system32\AUDIODG.EXE[1656] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000778025c0 5 bytes JMP 0000000077960440 .text C:\Windows\system32\AUDIODG.EXE[1656] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778027c0 5 bytes JMP 0000000077960260 .text C:\Windows\system32\AUDIODG.EXE[1656] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778027d0 5 bytes JMP 0000000077960270 .text C:\Windows\system32\AUDIODG.EXE[1656] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778027e0 5 bytes JMP 0000000077960400 .text C:\Windows\system32\AUDIODG.EXE[1656] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778029a0 5 bytes JMP 00000000779601f0 .text C:\Windows\system32\AUDIODG.EXE[1656] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778029b0 5 bytes JMP 0000000077960210 .text C:\Windows\system32\AUDIODG.EXE[1656] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077802a20 5 bytes JMP 0000000077960200 .text C:\Windows\system32\AUDIODG.EXE[1656] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077802a80 5 bytes JMP 0000000077960420 .text C:\Windows\system32\AUDIODG.EXE[1656] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077802a90 5 bytes JMP 0000000077960430 .text C:\Windows\system32\AUDIODG.EXE[1656] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077802aa0 5 bytes JMP 0000000077960220 .text C:\Windows\system32\AUDIODG.EXE[1656] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077802b80 5 bytes JMP 0000000077960280 .text C:\Windows\system32\AUDIODG.EXE[1656] C:\Windows\System32\kernel32.dll!GetBinaryTypeW + 189 00000000776eeecd 1 byte [62] .text C:\Users\Justyna\Downloads\nwprgw42.exe[5440] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000076bda30a 1 byte [62] ---- Kernel IAT/EAT - GMER 2.1 ---- IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortBufferUshort] [fffff880010d9e94] \SystemRoot\System32\Drivers\sptd.sys [.text] IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortUchar] [fffff880010d9c38] \SystemRoot\System32\Drivers\sptd.sys [.text] IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUchar] [fffff880010da614] \SystemRoot\System32\Drivers\sptd.sys [.text] IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUlong] [fffff880010daa10] \SystemRoot\System32\Drivers\sptd.sys [.text] IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortBufferUshort] [fffff880010da86c] \SystemRoot\System32\Drivers\sptd.sys [.text] ---- Devices - GMER 2.1 ---- Device \FileSystem\Ntfs \Ntfs fffffa8002ce22c0 Device \Driver\usbehci \Device\USBPDO-1 fffffa80037042c0 Device \Driver\cdrom \Device\CdRom0 fffffa80034cf2c0 Device \Driver\usbehci \Device\USBFDO-0 fffffa80037042c0 Device \Driver\NetBT \Device\NetBT_Tcpip_{AC3DB6B5-B528-423D-8C20-C9F68547EEB7} fffffa80035ce2c0 Device \Driver\NetBT \Device\NetBT_Tcpip_{ABC77BC2-4AF4-4423-8252-C51788B7E080} fffffa80035ce2c0 Device \Driver\usbehci \Device\USBFDO-1 fffffa80037042c0 Device \Driver\NetBT \Device\NetBt_Wins_Export fffffa80035ce2c0 Device \Driver\NetBT \Device\NetBT_Tcpip_{6C042EE6-FE29-4D53-923C-5E88AADFF7C2} fffffa80035ce2c0 Device \Driver\usbehci \Device\USBPDO-0 fffffa80037042c0 Device \Driver\NetBT \Device\NetBT_Tcpip_{FB396C12-542A-441A-8313-F3249445F1B3} fffffa80035ce2c0 ---- Processes - GMER 2.1 ---- Library C:\ProgramData\GG\ggdrive\ggdrive-overlay.dll (*** suspicious ***) @ C:\Windows\Explorer.EXE [1560] (GG drive overlay/GG Network S.A.)(2013-07-14 14:31:27) 000000005c080000 Library C:\Users\Justyna\AppData\Roaming\GG\ggdrive\ggdrive-menu.dll (*** suspicious ***) @ C:\Windows\Explorer.EXE [1560] (GG drive menu/GG Network S.A.) 000000005ff80000 Library C:\Users\Justyna\AppData\Roaming\Dropbox\bin\wxmsw28uh_vc.dll (*** suspicious ***) @ C:\Users\Justyna\AppData\Roaming\Dropbox\bin\Dropbox.exe [2588](2014-01-03 01:09:26) 0000000003f80000 Library c:\users\justyna\appdata\local\temp\dropbox_sqlite_ext.{5f3e3153-5bce-5766-8f84-3e3e7ecf0d81}.tmpppsu3r.dll (*** suspicious ***) @ C:\Users\Justyna\AppData\Roaming\Dropbox\bin\Dropbox.exe [2588](2014-07-20 07:43:29) 0000000003e80000 Library C:\Users\Justyna\AppData\Roaming\Dropbox\bin\libcef.dll (*** suspicious ***) @ C:\Users\Justyna\AppData\Roaming\Dropbox\bin\Dropbox.exe [2588](2013-08-23 19:01:44) 0000000063760000 Library C:\Users\Justyna\AppData\Roaming\Dropbox\bin\icudt.dll (*** suspicious ***) @ C:\Users\Justyna\AppData\Roaming\Dropbox\bin\Dropbox.exe [2588] (ICU Data DLL/The ICU Project)(2013-08-23 19:01:42) 0000000066a80000 Process C:\ProgramData\Multimedia mobilNET\OnlineUpdate\ouc.exe (*** suspicious ***) @ C:\ProgramData\Multimedia mobilNET\OnlineUpdate\ouc.exe [2696](2011-09-15 13:09:46) 0000000000400000 Library C:\ProgramData\Multimedia mobilNET\OnlineUpdate\mingwm10.dll (*** suspicious ***) @ C:\ProgramData\Multimedia mobilNET\OnlineUpdate\ouc.exe [2696](2011-09-15 13:09:46) 000000006fbc0000 Library C:\ProgramData\Multimedia mobilNET\OnlineUpdate\libgcc_s_dw2-1.dll (*** suspicious ***) @ C:\ProgramData\Multimedia mobilNET\OnlineUpdate\ouc.exe [2696](2011-09-15 13:09:46) 000000006e940000 Library C:\ProgramData\Multimedia mobilNET\OnlineUpdate\QtCore4.dll (*** suspicious ***) @ C:\ProgramData\Multimedia mobilNET\OnlineUpdate\ouc.exe [2696](2011-09-15 13:09:46) 000000006a1c0000 Library C:\ProgramData\Multimedia mobilNET\OnlineUpdate\QtNetwork4.dll (*** suspicious ***) @ C:\ProgramData\Multimedia mobilNET\OnlineUpdate\ouc.exe [2696](2011-09-15 13:09:46) 000000006ff00000 ---- Disk sectors - GMER 2.1 ---- Disk \Device\Harddisk0\DR0 unknown MBR code ---- EOF - GMER 2.1 ----