GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2014-12-14 00:07:51 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-2 WDC_WD6400AACS-00G8B1 rev.05.04C05 596.17GB Running: 7xsxuqqy.exe; Driver: C:\Users\admin\AppData\Local\Temp\uwddakob.sys ---- User code sections - GMER 2.1 ---- .text C:\Windows\system32\csrss.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077981360 5 bytes JMP 0000000149fa0460 .text C:\Windows\system32\csrss.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000779813b0 5 bytes JMP 0000000149fa0450 .text C:\Windows\system32\csrss.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077981510 5 bytes JMP 0000000149fa0370 .text C:\Windows\system32\csrss.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077981560 5 bytes JMP 0000000149fa0470 .text C:\Windows\system32\csrss.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077981570 5 bytes JMP 0000000149fa03e0 .text C:\Windows\system32\csrss.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077981620 5 bytes JMP 0000000149fa0320 .text C:\Windows\system32\csrss.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077981650 5 bytes JMP 0000000149fa03b0 .text C:\Windows\system32\csrss.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077981670 5 bytes JMP 0000000149fa0390 .text C:\Windows\system32\csrss.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000779816b0 5 bytes JMP 0000000149fa02e0 .text C:\Windows\system32\csrss.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077981730 5 bytes JMP 0000000149fa02d0 .text C:\Windows\system32\csrss.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077981750 5 bytes JMP 0000000149fa0310 .text C:\Windows\system32\csrss.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077981790 5 bytes JMP 0000000149fa03c0 .text C:\Windows\system32\csrss.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000779817e0 5 bytes JMP 0000000149fa03f0 .text C:\Windows\system32\csrss.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077981940 5 bytes JMP 0000000149fa0230 .text C:\Windows\system32\csrss.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077981b00 5 bytes JMP 0000000149fa0480 .text C:\Windows\system32\csrss.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077981b30 5 bytes JMP 0000000149fa03a0 .text C:\Windows\system32\csrss.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077981c10 5 bytes JMP 0000000149fa02f0 .text C:\Windows\system32\csrss.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077981c20 5 bytes JMP 0000000149fa0350 .text C:\Windows\system32\csrss.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077981c80 5 bytes JMP 0000000149fa0290 .text C:\Windows\system32\csrss.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077981d10 5 bytes JMP 0000000149fa02b0 .text C:\Windows\system32\csrss.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077981d30 5 bytes JMP 0000000149fa03d0 .text C:\Windows\system32\csrss.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077981d40 5 bytes JMP 0000000149fa0330 .text C:\Windows\system32\csrss.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077981db0 5 bytes JMP 0000000149fa0410 .text C:\Windows\system32\csrss.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077981de0 5 bytes JMP 0000000149fa0240 .text C:\Windows\system32\csrss.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000779820a0 5 bytes JMP 0000000149fa01e0 .text C:\Windows\system32\csrss.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077982160 5 bytes JMP 0000000149fa0250 .text C:\Windows\system32\csrss.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077982190 5 bytes JMP 0000000149fa0490 .text C:\Windows\system32\csrss.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000779821a0 5 bytes JMP 0000000149fa04a0 .text C:\Windows\system32\csrss.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000779821d0 5 bytes JMP 0000000149fa0300 .text C:\Windows\system32\csrss.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000779821e0 5 bytes JMP 0000000149fa0360 .text C:\Windows\system32\csrss.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077982240 5 bytes JMP 0000000149fa02a0 .text C:\Windows\system32\csrss.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077982290 5 bytes JMP 0000000149fa02c0 .text C:\Windows\system32\csrss.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000779822c0 5 bytes JMP 0000000149fa0380 .text C:\Windows\system32\csrss.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000779822d0 5 bytes JMP 0000000149fa0340 .text C:\Windows\system32\csrss.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000779825c0 5 bytes JMP 0000000149fa0440 .text C:\Windows\system32\csrss.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000779827c0 5 bytes JMP 0000000149fa0260 .text C:\Windows\system32\csrss.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000779827d0 5 bytes JMP 0000000149fa0270 .text C:\Windows\system32\csrss.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000779827e0 5 bytes JMP 0000000149fa0400 .text C:\Windows\system32\csrss.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000779829a0 5 bytes JMP 0000000149fa01f0 .text C:\Windows\system32\csrss.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000779829b0 5 bytes JMP 0000000149fa0210 .text C:\Windows\system32\csrss.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077982a20 5 bytes JMP 0000000149fa0200 .text C:\Windows\system32\csrss.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077982a80 5 bytes JMP 0000000149fa0420 .text C:\Windows\system32\csrss.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077982a90 5 bytes JMP 0000000149fa0430 .text C:\Windows\system32\csrss.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077982aa0 5 bytes JMP 0000000149fa0220 .text C:\Windows\system32\csrss.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077982b80 5 bytes JMP 0000000149fa0280 .text C:\Windows\system32\wininit.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077981360 5 bytes JMP 0000000100040460 .text C:\Windows\system32\wininit.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000779813b0 5 bytes JMP 0000000100040450 .text C:\Windows\system32\wininit.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077981510 5 bytes JMP 0000000100040370 .text C:\Windows\system32\wininit.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077981560 5 bytes JMP 0000000100040470 .text C:\Windows\system32\wininit.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077981570 5 bytes JMP 00000001000403e0 .text C:\Windows\system32\wininit.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077981620 5 bytes JMP 0000000100040320 .text C:\Windows\system32\wininit.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077981650 5 bytes JMP 00000001000403b0 .text C:\Windows\system32\wininit.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077981670 5 bytes JMP 0000000100040390 .text C:\Windows\system32\wininit.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000779816b0 5 bytes JMP 00000001000402e0 .text C:\Windows\system32\wininit.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077981730 5 bytes JMP 00000001000402d0 .text C:\Windows\system32\wininit.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077981750 5 bytes JMP 0000000100040310 .text C:\Windows\system32\wininit.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077981790 5 bytes JMP 00000001000403c0 .text C:\Windows\system32\wininit.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000779817e0 5 bytes JMP 00000001000403f0 .text C:\Windows\system32\wininit.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077981940 5 bytes JMP 0000000100040230 .text C:\Windows\system32\wininit.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077981b00 5 bytes JMP 0000000100040480 .text C:\Windows\system32\wininit.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077981b30 5 bytes JMP 00000001000403a0 .text C:\Windows\system32\wininit.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077981c10 5 bytes JMP 00000001000402f0 .text C:\Windows\system32\wininit.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077981c20 5 bytes JMP 0000000100040350 .text C:\Windows\system32\wininit.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077981c80 5 bytes JMP 0000000100040290 .text C:\Windows\system32\wininit.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077981d10 5 bytes JMP 00000001000402b0 .text C:\Windows\system32\wininit.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077981d30 5 bytes JMP 00000001000403d0 .text C:\Windows\system32\wininit.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077981d40 5 bytes JMP 0000000100040330 .text C:\Windows\system32\wininit.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077981db0 5 bytes JMP 0000000100040410 .text C:\Windows\system32\wininit.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077981de0 5 bytes JMP 0000000100040240 .text C:\Windows\system32\wininit.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000779820a0 5 bytes JMP 00000001000401e0 .text C:\Windows\system32\wininit.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077982160 5 bytes JMP 0000000100040250 .text C:\Windows\system32\wininit.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077982190 5 bytes JMP 0000000100040490 .text C:\Windows\system32\wininit.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000779821a0 5 bytes JMP 00000001000404a0 .text C:\Windows\system32\wininit.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000779821d0 5 bytes JMP 0000000100040300 .text C:\Windows\system32\wininit.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000779821e0 5 bytes JMP 0000000100040360 .text C:\Windows\system32\wininit.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077982240 5 bytes JMP 00000001000402a0 .text C:\Windows\system32\wininit.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077982290 5 bytes JMP 00000001000402c0 .text C:\Windows\system32\wininit.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000779822c0 5 bytes JMP 0000000100040380 .text C:\Windows\system32\wininit.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000779822d0 5 bytes JMP 0000000100040340 .text C:\Windows\system32\wininit.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000779825c0 5 bytes JMP 0000000100040440 .text C:\Windows\system32\wininit.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000779827c0 5 bytes JMP 0000000100040260 .text C:\Windows\system32\wininit.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000779827d0 5 bytes JMP 0000000100040270 .text C:\Windows\system32\wininit.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000779827e0 5 bytes JMP 0000000100040400 .text C:\Windows\system32\wininit.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000779829a0 5 bytes JMP 00000001000401f0 .text C:\Windows\system32\wininit.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000779829b0 5 bytes JMP 0000000100040210 .text C:\Windows\system32\wininit.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077982a20 5 bytes JMP 0000000100040200 .text C:\Windows\system32\wininit.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077982a80 5 bytes JMP 0000000100040420 .text C:\Windows\system32\wininit.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077982a90 5 bytes JMP 0000000100040430 .text C:\Windows\system32\wininit.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077982aa0 5 bytes JMP 0000000100040220 .text C:\Windows\system32\wininit.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077982b80 5 bytes JMP 0000000100040280 .text C:\Windows\system32\wininit.exe[616] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007786ef8d 1 byte [62] .text C:\Windows\system32\csrss.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077981360 5 bytes JMP 0000000149fa0460 .text C:\Windows\system32\csrss.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000779813b0 5 bytes JMP 0000000149fa0450 .text C:\Windows\system32\csrss.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077981510 5 bytes JMP 0000000149fa0370 .text C:\Windows\system32\csrss.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077981560 5 bytes JMP 0000000149fa0470 .text C:\Windows\system32\csrss.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077981570 5 bytes JMP 0000000149fa03e0 .text C:\Windows\system32\csrss.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077981620 5 bytes JMP 0000000149fa0320 .text C:\Windows\system32\csrss.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077981650 5 bytes JMP 0000000149fa03b0 .text C:\Windows\system32\csrss.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077981670 5 bytes JMP 0000000149fa0390 .text C:\Windows\system32\csrss.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000779816b0 5 bytes JMP 0000000149fa02e0 .text C:\Windows\system32\csrss.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077981730 5 bytes JMP 0000000149fa02d0 .text C:\Windows\system32\csrss.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077981750 5 bytes JMP 0000000149fa0310 .text C:\Windows\system32\csrss.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077981790 5 bytes JMP 0000000149fa03c0 .text C:\Windows\system32\csrss.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000779817e0 5 bytes JMP 0000000149fa03f0 .text C:\Windows\system32\csrss.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077981940 5 bytes JMP 0000000149fa0230 .text C:\Windows\system32\csrss.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077981b00 5 bytes JMP 0000000149fa0480 .text C:\Windows\system32\csrss.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077981b30 5 bytes JMP 0000000149fa03a0 .text C:\Windows\system32\csrss.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077981c10 5 bytes JMP 0000000149fa02f0 .text C:\Windows\system32\csrss.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077981c20 5 bytes JMP 0000000149fa0350 .text C:\Windows\system32\csrss.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077981c80 5 bytes JMP 0000000149fa0290 .text C:\Windows\system32\csrss.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077981d10 5 bytes JMP 0000000149fa02b0 .text C:\Windows\system32\csrss.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077981d30 5 bytes JMP 0000000149fa03d0 .text C:\Windows\system32\csrss.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077981d40 5 bytes JMP 0000000149fa0330 .text C:\Windows\system32\csrss.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077981db0 5 bytes JMP 0000000149fa0410 .text C:\Windows\system32\csrss.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077981de0 5 bytes JMP 0000000149fa0240 .text C:\Windows\system32\csrss.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000779820a0 5 bytes JMP 0000000149fa01e0 .text C:\Windows\system32\csrss.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077982160 5 bytes JMP 0000000149fa0250 .text C:\Windows\system32\csrss.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077982190 5 bytes JMP 0000000149fa0490 .text C:\Windows\system32\csrss.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000779821a0 5 bytes JMP 0000000149fa04a0 .text C:\Windows\system32\csrss.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000779821d0 5 bytes JMP 0000000149fa0300 .text C:\Windows\system32\csrss.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000779821e0 5 bytes JMP 0000000149fa0360 .text C:\Windows\system32\csrss.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077982240 5 bytes JMP 0000000149fa02a0 .text C:\Windows\system32\csrss.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077982290 5 bytes JMP 0000000149fa02c0 .text C:\Windows\system32\csrss.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000779822c0 5 bytes JMP 0000000149fa0380 .text C:\Windows\system32\csrss.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000779822d0 5 bytes JMP 0000000149fa0340 .text C:\Windows\system32\csrss.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000779825c0 5 bytes JMP 0000000149fa0440 .text C:\Windows\system32\csrss.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000779827c0 5 bytes JMP 0000000149fa0260 .text C:\Windows\system32\csrss.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000779827d0 5 bytes JMP 0000000149fa0270 .text C:\Windows\system32\csrss.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000779827e0 5 bytes JMP 0000000149fa0400 .text C:\Windows\system32\csrss.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000779829a0 5 bytes JMP 0000000149fa01f0 .text C:\Windows\system32\csrss.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000779829b0 5 bytes JMP 0000000149fa0210 .text C:\Windows\system32\csrss.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077982a20 5 bytes JMP 0000000149fa0200 .text C:\Windows\system32\csrss.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077982a80 5 bytes JMP 0000000149fa0420 .text C:\Windows\system32\csrss.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077982a90 5 bytes JMP 0000000149fa0430 .text C:\Windows\system32\csrss.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077982aa0 5 bytes JMP 0000000149fa0220 .text C:\Windows\system32\csrss.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077982b80 5 bytes JMP 0000000149fa0280 .text C:\Windows\system32\services.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077981360 5 bytes JMP 0000000077ae0460 .text C:\Windows\system32\services.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000779813b0 5 bytes JMP 0000000077ae0450 .text C:\Windows\system32\services.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077981510 5 bytes JMP 0000000077ae0370 .text C:\Windows\system32\services.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077981560 5 bytes JMP 0000000077ae0470 .text C:\Windows\system32\services.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077981570 5 bytes JMP 0000000077ae03e0 .text C:\Windows\system32\services.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077981620 5 bytes JMP 0000000077ae0320 .text C:\Windows\system32\services.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077981650 5 bytes JMP 0000000077ae03b0 .text C:\Windows\system32\services.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077981670 5 bytes JMP 0000000077ae0390 .text C:\Windows\system32\services.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000779816b0 5 bytes JMP 0000000077ae02e0 .text C:\Windows\system32\services.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077981730 5 bytes JMP 0000000077ae02d0 .text C:\Windows\system32\services.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077981750 5 bytes JMP 0000000077ae0310 .text C:\Windows\system32\services.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077981790 5 bytes JMP 0000000077ae03c0 .text C:\Windows\system32\services.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000779817e0 5 bytes JMP 0000000077ae03f0 .text C:\Windows\system32\services.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077981940 5 bytes JMP 0000000077ae0230 .text C:\Windows\system32\services.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077981b00 5 bytes JMP 0000000077ae0480 .text C:\Windows\system32\services.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077981b30 5 bytes JMP 0000000077ae03a0 .text C:\Windows\system32\services.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077981c10 5 bytes JMP 0000000077ae02f0 .text C:\Windows\system32\services.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077981c20 5 bytes JMP 0000000077ae0350 .text C:\Windows\system32\services.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077981c80 5 bytes JMP 0000000077ae0290 .text C:\Windows\system32\services.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077981d10 5 bytes JMP 0000000077ae02b0 .text C:\Windows\system32\services.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077981d30 5 bytes JMP 0000000077ae03d0 .text C:\Windows\system32\services.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077981d40 5 bytes JMP 0000000077ae0330 .text C:\Windows\system32\services.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077981db0 5 bytes JMP 0000000077ae0410 .text C:\Windows\system32\services.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077981de0 5 bytes JMP 0000000077ae0240 .text C:\Windows\system32\services.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000779820a0 5 bytes JMP 0000000077ae01e0 .text C:\Windows\system32\services.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077982160 5 bytes JMP 0000000077ae0250 .text C:\Windows\system32\services.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077982190 5 bytes JMP 0000000077ae0490 .text C:\Windows\system32\services.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000779821a0 5 bytes JMP 0000000077ae04a0 .text C:\Windows\system32\services.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000779821d0 5 bytes JMP 0000000077ae0300 .text C:\Windows\system32\services.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000779821e0 5 bytes JMP 0000000077ae0360 .text C:\Windows\system32\services.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077982240 5 bytes JMP 0000000077ae02a0 .text C:\Windows\system32\services.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077982290 5 bytes JMP 0000000077ae02c0 .text C:\Windows\system32\services.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000779822c0 5 bytes JMP 0000000077ae0380 .text C:\Windows\system32\services.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000779822d0 5 bytes JMP 0000000077ae0340 .text C:\Windows\system32\services.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000779825c0 5 bytes JMP 0000000077ae0440 .text C:\Windows\system32\services.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000779827c0 5 bytes JMP 0000000077ae0260 .text C:\Windows\system32\services.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000779827d0 5 bytes JMP 0000000077ae0270 .text C:\Windows\system32\services.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000779827e0 5 bytes JMP 0000000077ae0400 .text C:\Windows\system32\services.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000779829a0 5 bytes JMP 0000000077ae01f0 .text C:\Windows\system32\services.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000779829b0 5 bytes JMP 0000000077ae0210 .text C:\Windows\system32\services.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077982a20 5 bytes JMP 0000000077ae0200 .text C:\Windows\system32\services.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077982a80 5 bytes JMP 0000000077ae0420 .text C:\Windows\system32\services.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077982a90 5 bytes JMP 0000000077ae0430 .text C:\Windows\system32\services.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077982aa0 5 bytes JMP 0000000077ae0220 .text C:\Windows\system32\services.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077982b80 5 bytes JMP 0000000077ae0280 .text C:\Windows\system32\services.exe[672] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007786ef8d 1 byte [62] .text C:\Windows\system32\lsass.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077981360 5 bytes JMP 0000000077ae0460 .text C:\Windows\system32\lsass.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000779813b0 5 bytes JMP 0000000077ae0450 .text C:\Windows\system32\lsass.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077981510 5 bytes JMP 0000000077ae0370 .text C:\Windows\system32\lsass.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077981560 5 bytes JMP 0000000077ae0470 .text C:\Windows\system32\lsass.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077981570 5 bytes JMP 0000000077ae03e0 .text C:\Windows\system32\lsass.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077981620 5 bytes JMP 0000000077ae0320 .text C:\Windows\system32\lsass.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077981650 5 bytes JMP 0000000077ae03b0 .text C:\Windows\system32\lsass.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077981670 5 bytes JMP 0000000077ae0390 .text C:\Windows\system32\lsass.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000779816b0 5 bytes JMP 0000000077ae02e0 .text C:\Windows\system32\lsass.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077981730 5 bytes JMP 0000000077ae02d0 .text C:\Windows\system32\lsass.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077981750 5 bytes JMP 0000000077ae0310 .text C:\Windows\system32\lsass.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077981790 5 bytes JMP 0000000077ae03c0 .text C:\Windows\system32\lsass.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000779817e0 5 bytes JMP 0000000077ae03f0 .text C:\Windows\system32\lsass.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077981940 5 bytes JMP 0000000077ae0230 .text C:\Windows\system32\lsass.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077981b00 5 bytes JMP 0000000077ae0480 .text C:\Windows\system32\lsass.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077981b30 5 bytes JMP 0000000077ae03a0 .text C:\Windows\system32\lsass.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077981c10 5 bytes JMP 0000000077ae02f0 .text C:\Windows\system32\lsass.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077981c20 5 bytes JMP 0000000077ae0350 .text C:\Windows\system32\lsass.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077981c80 5 bytes JMP 0000000077ae0290 .text C:\Windows\system32\lsass.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077981d10 5 bytes JMP 0000000077ae02b0 .text C:\Windows\system32\lsass.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077981d30 5 bytes JMP 0000000077ae03d0 .text C:\Windows\system32\lsass.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077981d40 5 bytes JMP 0000000077ae0330 .text C:\Windows\system32\lsass.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077981db0 5 bytes JMP 0000000077ae0410 .text C:\Windows\system32\lsass.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077981de0 5 bytes JMP 0000000077ae0240 .text C:\Windows\system32\lsass.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000779820a0 5 bytes JMP 0000000077ae01e0 .text C:\Windows\system32\lsass.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077982160 5 bytes JMP 0000000077ae0250 .text C:\Windows\system32\lsass.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077982190 5 bytes JMP 0000000077ae0490 .text C:\Windows\system32\lsass.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000779821a0 5 bytes JMP 0000000077ae04a0 .text C:\Windows\system32\lsass.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000779821d0 5 bytes JMP 0000000077ae0300 .text C:\Windows\system32\lsass.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000779821e0 5 bytes JMP 0000000077ae0360 .text C:\Windows\system32\lsass.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077982240 5 bytes JMP 0000000077ae02a0 .text C:\Windows\system32\lsass.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077982290 5 bytes JMP 0000000077ae02c0 .text C:\Windows\system32\lsass.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000779822c0 5 bytes JMP 0000000077ae0380 .text C:\Windows\system32\lsass.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000779822d0 5 bytes JMP 0000000077ae0340 .text C:\Windows\system32\lsass.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000779825c0 5 bytes JMP 0000000077ae0440 .text C:\Windows\system32\lsass.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000779827c0 5 bytes JMP 0000000077ae0260 .text C:\Windows\system32\lsass.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000779827d0 5 bytes JMP 0000000077ae0270 .text C:\Windows\system32\lsass.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000779827e0 5 bytes JMP 0000000077ae0400 .text C:\Windows\system32\lsass.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000779829a0 5 bytes JMP 0000000077ae01f0 .text C:\Windows\system32\lsass.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000779829b0 5 bytes JMP 0000000077ae0210 .text C:\Windows\system32\lsass.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077982a20 5 bytes JMP 0000000077ae0200 .text C:\Windows\system32\lsass.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077982a80 5 bytes JMP 0000000077ae0420 .text C:\Windows\system32\lsass.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077982a90 5 bytes JMP 0000000077ae0430 .text C:\Windows\system32\lsass.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077982aa0 5 bytes JMP 0000000077ae0220 .text C:\Windows\system32\lsass.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077982b80 5 bytes JMP 0000000077ae0280 .text C:\Windows\system32\lsm.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077981360 5 bytes JMP 0000000100070460 .text C:\Windows\system32\lsm.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000779813b0 5 bytes JMP 0000000100070450 .text C:\Windows\system32\lsm.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077981510 5 bytes JMP 0000000100070370 .text C:\Windows\system32\lsm.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077981560 5 bytes JMP 0000000100070470 .text C:\Windows\system32\lsm.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077981570 5 bytes JMP 00000001000703e0 .text C:\Windows\system32\lsm.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077981620 5 bytes JMP 0000000100070320 .text C:\Windows\system32\lsm.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077981650 5 bytes JMP 00000001000703b0 .text C:\Windows\system32\lsm.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077981670 5 bytes JMP 0000000100070390 .text C:\Windows\system32\lsm.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000779816b0 5 bytes JMP 00000001000702e0 .text C:\Windows\system32\lsm.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077981730 5 bytes JMP 00000001000702d0 .text C:\Windows\system32\lsm.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077981750 5 bytes JMP 0000000100070310 .text C:\Windows\system32\lsm.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077981790 5 bytes JMP 00000001000703c0 .text C:\Windows\system32\lsm.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000779817e0 5 bytes JMP 00000001000703f0 .text C:\Windows\system32\lsm.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077981940 5 bytes JMP 0000000100070230 .text C:\Windows\system32\lsm.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077981b00 5 bytes JMP 0000000100070480 .text C:\Windows\system32\lsm.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077981b30 5 bytes JMP 00000001000703a0 .text C:\Windows\system32\lsm.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077981c10 5 bytes JMP 00000001000702f0 .text C:\Windows\system32\lsm.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077981c20 5 bytes JMP 0000000100070350 .text C:\Windows\system32\lsm.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077981c80 5 bytes JMP 0000000100070290 .text C:\Windows\system32\lsm.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077981d10 5 bytes JMP 00000001000702b0 .text C:\Windows\system32\lsm.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077981d30 5 bytes JMP 00000001000703d0 .text C:\Windows\system32\lsm.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077981d40 5 bytes JMP 0000000100070330 .text C:\Windows\system32\lsm.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077981db0 5 bytes JMP 0000000100070410 .text C:\Windows\system32\lsm.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077981de0 5 bytes JMP 0000000100070240 .text C:\Windows\system32\lsm.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000779820a0 5 bytes JMP 00000001000701e0 .text C:\Windows\system32\lsm.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077982160 5 bytes JMP 0000000100070250 .text C:\Windows\system32\lsm.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077982190 5 bytes JMP 0000000100070490 .text C:\Windows\system32\lsm.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000779821a0 5 bytes JMP 00000001000704a0 .text C:\Windows\system32\lsm.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000779821d0 5 bytes JMP 0000000100070300 .text C:\Windows\system32\lsm.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000779821e0 5 bytes JMP 0000000100070360 .text C:\Windows\system32\lsm.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077982240 5 bytes JMP 00000001000702a0 .text C:\Windows\system32\lsm.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077982290 5 bytes JMP 00000001000702c0 .text C:\Windows\system32\lsm.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000779822c0 5 bytes JMP 0000000100070380 .text C:\Windows\system32\lsm.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000779822d0 5 bytes JMP 0000000100070340 .text C:\Windows\system32\lsm.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000779825c0 5 bytes JMP 0000000100070440 .text C:\Windows\system32\lsm.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000779827c0 5 bytes JMP 0000000100070260 .text C:\Windows\system32\lsm.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000779827d0 5 bytes JMP 0000000100070270 .text C:\Windows\system32\lsm.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000779827e0 5 bytes JMP 0000000100070400 .text C:\Windows\system32\lsm.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000779829a0 5 bytes JMP 00000001000701f0 .text C:\Windows\system32\lsm.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000779829b0 5 bytes JMP 0000000100070210 .text C:\Windows\system32\lsm.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077982a20 5 bytes JMP 0000000100070200 .text C:\Windows\system32\lsm.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077982a80 5 bytes JMP 0000000100070420 .text C:\Windows\system32\lsm.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077982a90 5 bytes JMP 0000000100070430 .text C:\Windows\system32\lsm.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077982aa0 5 bytes JMP 0000000100070220 .text C:\Windows\system32\lsm.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077982b80 5 bytes JMP 0000000100070280 .text C:\Windows\system32\winlogon.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077981360 5 bytes JMP 0000000077ae0460 .text C:\Windows\system32\winlogon.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000779813b0 5 bytes JMP 0000000077ae0450 .text C:\Windows\system32\winlogon.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077981510 5 bytes JMP 0000000077ae0370 .text C:\Windows\system32\winlogon.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077981560 5 bytes JMP 0000000077ae0470 .text C:\Windows\system32\winlogon.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077981570 5 bytes JMP 0000000077ae03e0 .text C:\Windows\system32\winlogon.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077981620 5 bytes JMP 0000000077ae0320 .text C:\Windows\system32\winlogon.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077981650 5 bytes JMP 0000000077ae03b0 .text C:\Windows\system32\winlogon.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077981670 5 bytes JMP 0000000077ae0390 .text C:\Windows\system32\winlogon.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000779816b0 5 bytes JMP 0000000077ae02e0 .text C:\Windows\system32\winlogon.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077981730 5 bytes JMP 0000000077ae02d0 .text C:\Windows\system32\winlogon.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077981750 5 bytes JMP 0000000077ae0310 .text C:\Windows\system32\winlogon.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077981790 5 bytes JMP 0000000077ae03c0 .text C:\Windows\system32\winlogon.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000779817e0 5 bytes JMP 0000000077ae03f0 .text C:\Windows\system32\winlogon.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077981940 5 bytes JMP 0000000077ae0230 .text C:\Windows\system32\winlogon.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077981b00 5 bytes JMP 0000000077ae0480 .text C:\Windows\system32\winlogon.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077981b30 5 bytes JMP 0000000077ae03a0 .text C:\Windows\system32\winlogon.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077981c10 5 bytes JMP 0000000077ae02f0 .text C:\Windows\system32\winlogon.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077981c20 5 bytes JMP 0000000077ae0350 .text C:\Windows\system32\winlogon.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077981c80 5 bytes JMP 0000000077ae0290 .text C:\Windows\system32\winlogon.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077981d10 5 bytes JMP 0000000077ae02b0 .text C:\Windows\system32\winlogon.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077981d30 5 bytes JMP 0000000077ae03d0 .text C:\Windows\system32\winlogon.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077981d40 5 bytes JMP 0000000077ae0330 .text C:\Windows\system32\winlogon.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077981db0 5 bytes JMP 0000000077ae0410 .text C:\Windows\system32\winlogon.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077981de0 5 bytes JMP 0000000077ae0240 .text C:\Windows\system32\winlogon.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000779820a0 5 bytes JMP 0000000077ae01e0 .text C:\Windows\system32\winlogon.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077982160 5 bytes JMP 0000000077ae0250 .text C:\Windows\system32\winlogon.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077982190 5 bytes JMP 0000000077ae0490 .text C:\Windows\system32\winlogon.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000779821a0 5 bytes JMP 0000000077ae04a0 .text C:\Windows\system32\winlogon.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000779821d0 5 bytes JMP 0000000077ae0300 .text C:\Windows\system32\winlogon.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000779821e0 5 bytes JMP 0000000077ae0360 .text C:\Windows\system32\winlogon.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077982240 5 bytes JMP 0000000077ae02a0 .text C:\Windows\system32\winlogon.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077982290 5 bytes JMP 0000000077ae02c0 .text C:\Windows\system32\winlogon.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000779822c0 5 bytes JMP 0000000077ae0380 .text C:\Windows\system32\winlogon.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000779822d0 5 bytes JMP 0000000077ae0340 .text C:\Windows\system32\winlogon.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000779825c0 5 bytes JMP 0000000077ae0440 .text C:\Windows\system32\winlogon.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000779827c0 5 bytes JMP 0000000077ae0260 .text C:\Windows\system32\winlogon.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000779827d0 5 bytes JMP 0000000077ae0270 .text C:\Windows\system32\winlogon.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000779827e0 5 bytes JMP 0000000077ae0400 .text C:\Windows\system32\winlogon.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000779829a0 5 bytes JMP 0000000077ae01f0 .text C:\Windows\system32\winlogon.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000779829b0 5 bytes JMP 0000000077ae0210 .text C:\Windows\system32\winlogon.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077982a20 5 bytes JMP 0000000077ae0200 .text C:\Windows\system32\winlogon.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077982a80 5 bytes JMP 0000000077ae0420 .text C:\Windows\system32\winlogon.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077982a90 5 bytes JMP 0000000077ae0430 .text C:\Windows\system32\winlogon.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077982aa0 5 bytes JMP 0000000077ae0220 .text C:\Windows\system32\winlogon.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077982b80 5 bytes JMP 0000000077ae0280 .text C:\Windows\system32\winlogon.exe[752] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007786ef8d 1 byte [62] .text C:\Windows\system32\svchost.exe[884] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077981360 5 bytes JMP 0000000077ae0460 .text C:\Windows\system32\svchost.exe[884] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000779813b0 5 bytes JMP 0000000077ae0450 .text C:\Windows\system32\svchost.exe[884] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077981510 5 bytes JMP 0000000077ae0370 .text C:\Windows\system32\svchost.exe[884] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077981560 5 bytes JMP 0000000077ae0470 .text C:\Windows\system32\svchost.exe[884] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077981570 5 bytes JMP 0000000077ae03e0 .text C:\Windows\system32\svchost.exe[884] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077981620 5 bytes JMP 0000000077ae0320 .text C:\Windows\system32\svchost.exe[884] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077981650 5 bytes JMP 0000000077ae03b0 .text C:\Windows\system32\svchost.exe[884] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077981670 5 bytes JMP 0000000077ae0390 .text C:\Windows\system32\svchost.exe[884] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000779816b0 5 bytes JMP 0000000077ae02e0 .text C:\Windows\system32\svchost.exe[884] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077981730 5 bytes JMP 0000000077ae02d0 .text C:\Windows\system32\svchost.exe[884] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077981750 5 bytes JMP 0000000077ae0310 .text C:\Windows\system32\svchost.exe[884] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077981790 5 bytes JMP 0000000077ae03c0 .text C:\Windows\system32\svchost.exe[884] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000779817e0 5 bytes JMP 0000000077ae03f0 .text C:\Windows\system32\svchost.exe[884] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077981940 5 bytes JMP 0000000077ae0230 .text C:\Windows\system32\svchost.exe[884] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077981b00 5 bytes JMP 0000000077ae0480 .text C:\Windows\system32\svchost.exe[884] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077981b30 5 bytes JMP 0000000077ae03a0 .text C:\Windows\system32\svchost.exe[884] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077981c10 5 bytes JMP 0000000077ae02f0 .text C:\Windows\system32\svchost.exe[884] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077981c20 5 bytes JMP 0000000077ae0350 .text C:\Windows\system32\svchost.exe[884] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077981c80 5 bytes JMP 0000000077ae0290 .text C:\Windows\system32\svchost.exe[884] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077981d10 5 bytes JMP 0000000077ae02b0 .text C:\Windows\system32\svchost.exe[884] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077981d30 5 bytes JMP 0000000077ae03d0 .text C:\Windows\system32\svchost.exe[884] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077981d40 5 bytes JMP 0000000077ae0330 .text C:\Windows\system32\svchost.exe[884] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077981db0 5 bytes JMP 0000000077ae0410 .text C:\Windows\system32\svchost.exe[884] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077981de0 5 bytes JMP 0000000077ae0240 .text C:\Windows\system32\svchost.exe[884] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000779820a0 5 bytes JMP 0000000077ae01e0 .text C:\Windows\system32\svchost.exe[884] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077982160 5 bytes JMP 0000000077ae0250 .text C:\Windows\system32\svchost.exe[884] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077982190 5 bytes JMP 0000000077ae0490 .text C:\Windows\system32\svchost.exe[884] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000779821a0 5 bytes JMP 0000000077ae04a0 .text C:\Windows\system32\svchost.exe[884] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000779821d0 5 bytes JMP 0000000077ae0300 .text C:\Windows\system32\svchost.exe[884] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000779821e0 5 bytes JMP 0000000077ae0360 .text C:\Windows\system32\svchost.exe[884] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077982240 5 bytes JMP 0000000077ae02a0 .text C:\Windows\system32\svchost.exe[884] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077982290 5 bytes JMP 0000000077ae02c0 .text C:\Windows\system32\svchost.exe[884] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000779822c0 5 bytes JMP 0000000077ae0380 .text C:\Windows\system32\svchost.exe[884] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000779822d0 5 bytes JMP 0000000077ae0340 .text C:\Windows\system32\svchost.exe[884] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000779825c0 5 bytes JMP 0000000077ae0440 .text C:\Windows\system32\svchost.exe[884] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000779827c0 5 bytes JMP 0000000077ae0260 .text C:\Windows\system32\svchost.exe[884] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000779827d0 5 bytes JMP 0000000077ae0270 .text C:\Windows\system32\svchost.exe[884] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000779827e0 5 bytes JMP 0000000077ae0400 .text C:\Windows\system32\svchost.exe[884] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000779829a0 5 bytes JMP 0000000077ae01f0 .text C:\Windows\system32\svchost.exe[884] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000779829b0 5 bytes JMP 0000000077ae0210 .text C:\Windows\system32\svchost.exe[884] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077982a20 5 bytes JMP 0000000077ae0200 .text C:\Windows\system32\svchost.exe[884] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077982a80 5 bytes JMP 0000000077ae0420 .text C:\Windows\system32\svchost.exe[884] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077982a90 5 bytes JMP 0000000077ae0430 .text C:\Windows\system32\svchost.exe[884] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077982aa0 5 bytes JMP 0000000077ae0220 .text C:\Windows\system32\svchost.exe[884] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077982b80 5 bytes JMP 0000000077ae0280 .text C:\Windows\system32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077981360 5 bytes JMP 0000000100070460 .text C:\Windows\system32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000779813b0 5 bytes JMP 0000000100070450 .text C:\Windows\system32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077981510 5 bytes JMP 0000000100070370 .text C:\Windows\system32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077981560 5 bytes JMP 0000000100070470 .text C:\Windows\system32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077981570 5 bytes JMP 00000001000703e0 .text C:\Windows\system32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077981620 5 bytes JMP 0000000100070320 .text C:\Windows\system32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077981650 5 bytes JMP 00000001000703b0 .text C:\Windows\system32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077981670 5 bytes JMP 0000000100070390 .text C:\Windows\system32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000779816b0 5 bytes JMP 00000001000702e0 .text C:\Windows\system32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077981730 5 bytes JMP 00000001000702d0 .text C:\Windows\system32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077981750 5 bytes JMP 0000000100070310 .text C:\Windows\system32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077981790 5 bytes JMP 00000001000703c0 .text C:\Windows\system32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000779817e0 5 bytes JMP 00000001000703f0 .text C:\Windows\system32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077981940 5 bytes JMP 0000000100070230 .text C:\Windows\system32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077981b00 5 bytes JMP 0000000100070480 .text C:\Windows\system32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077981b30 5 bytes JMP 00000001000703a0 .text C:\Windows\system32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077981c10 5 bytes JMP 00000001000702f0 .text C:\Windows\system32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077981c20 5 bytes JMP 0000000100070350 .text C:\Windows\system32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077981c80 5 bytes JMP 0000000100070290 .text C:\Windows\system32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077981d10 5 bytes JMP 00000001000702b0 .text C:\Windows\system32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077981d30 5 bytes JMP 00000001000703d0 .text C:\Windows\system32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077981d40 5 bytes JMP 0000000100070330 .text C:\Windows\system32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077981db0 5 bytes JMP 0000000100070410 .text C:\Windows\system32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077981de0 5 bytes JMP 0000000100070240 .text C:\Windows\system32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000779820a0 5 bytes JMP 00000001000701e0 .text C:\Windows\system32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077982160 5 bytes JMP 0000000100070250 .text C:\Windows\system32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077982190 5 bytes JMP 0000000100070490 .text C:\Windows\system32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000779821a0 5 bytes JMP 00000001000704a0 .text C:\Windows\system32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000779821d0 5 bytes JMP 0000000100070300 .text C:\Windows\system32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000779821e0 5 bytes JMP 0000000100070360 .text C:\Windows\system32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077982240 5 bytes JMP 00000001000702a0 .text C:\Windows\system32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077982290 5 bytes JMP 00000001000702c0 .text C:\Windows\system32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000779822c0 5 bytes JMP 0000000100070380 .text C:\Windows\system32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000779822d0 5 bytes JMP 0000000100070340 .text C:\Windows\system32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000779825c0 5 bytes JMP 0000000100070440 .text C:\Windows\system32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000779827c0 5 bytes JMP 0000000100070260 .text C:\Windows\system32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000779827d0 5 bytes JMP 0000000100070270 .text C:\Windows\system32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000779827e0 5 bytes JMP 0000000100070400 .text C:\Windows\system32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000779829a0 5 bytes JMP 00000001000701f0 .text C:\Windows\system32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000779829b0 5 bytes JMP 0000000100070210 .text C:\Windows\system32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077982a20 5 bytes JMP 0000000100070200 .text C:\Windows\system32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077982a80 5 bytes JMP 0000000100070420 .text C:\Windows\system32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077982a90 5 bytes JMP 0000000100070430 .text C:\Windows\system32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077982aa0 5 bytes JMP 0000000100070220 .text C:\Windows\system32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077982b80 5 bytes JMP 0000000100070280 .text C:\Windows\system32\atiesrxx.exe[388] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007786ef8d 1 byte [62] .text C:\Windows\System32\svchost.exe[524] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007786ef8d 1 byte [62] .text C:\Windows\System32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077981360 5 bytes JMP 0000000077ae0460 .text C:\Windows\System32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000779813b0 5 bytes JMP 0000000077ae0450 .text C:\Windows\System32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077981510 5 bytes JMP 0000000077ae0370 .text C:\Windows\System32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077981560 5 bytes JMP 0000000077ae0470 .text C:\Windows\System32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077981570 5 bytes JMP 0000000077ae03e0 .text C:\Windows\System32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077981620 5 bytes JMP 0000000077ae0320 .text C:\Windows\System32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077981650 5 bytes JMP 0000000077ae03b0 .text C:\Windows\System32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077981670 5 bytes JMP 0000000077ae0390 .text C:\Windows\System32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000779816b0 5 bytes JMP 0000000077ae02e0 .text C:\Windows\System32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077981730 5 bytes JMP 0000000077ae02d0 .text C:\Windows\System32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077981750 5 bytes JMP 0000000077ae0310 .text C:\Windows\System32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077981790 5 bytes JMP 0000000077ae03c0 .text C:\Windows\System32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000779817e0 5 bytes JMP 0000000077ae03f0 .text C:\Windows\System32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077981940 5 bytes JMP 0000000077ae0230 .text C:\Windows\System32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077981b00 5 bytes JMP 0000000077ae0480 .text C:\Windows\System32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077981b30 5 bytes JMP 0000000077ae03a0 .text C:\Windows\System32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077981c10 5 bytes JMP 0000000077ae02f0 .text C:\Windows\System32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077981c20 5 bytes JMP 0000000077ae0350 .text C:\Windows\System32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077981c80 5 bytes JMP 0000000077ae0290 .text C:\Windows\System32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077981d10 5 bytes JMP 0000000077ae02b0 .text C:\Windows\System32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077981d30 5 bytes JMP 0000000077ae03d0 .text C:\Windows\System32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077981d40 5 bytes JMP 0000000077ae0330 .text C:\Windows\System32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077981db0 5 bytes JMP 0000000077ae0410 .text C:\Windows\System32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077981de0 5 bytes JMP 0000000077ae0240 .text C:\Windows\System32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000779820a0 5 bytes JMP 0000000077ae01e0 .text C:\Windows\System32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077982160 5 bytes JMP 0000000077ae0250 .text C:\Windows\System32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077982190 5 bytes JMP 0000000077ae0490 .text C:\Windows\System32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000779821a0 5 bytes JMP 0000000077ae04a0 .text C:\Windows\System32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000779821d0 5 bytes JMP 0000000077ae0300 .text C:\Windows\System32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000779821e0 5 bytes JMP 0000000077ae0360 .text C:\Windows\System32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077982240 5 bytes JMP 0000000077ae02a0 .text C:\Windows\System32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077982290 5 bytes JMP 0000000077ae02c0 .text C:\Windows\System32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000779822c0 5 bytes JMP 0000000077ae0380 .text C:\Windows\System32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000779822d0 5 bytes JMP 0000000077ae0340 .text C:\Windows\System32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000779825c0 5 bytes JMP 0000000077ae0440 .text C:\Windows\System32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000779827c0 5 bytes JMP 0000000077ae0260 .text C:\Windows\System32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000779827d0 5 bytes JMP 0000000077ae0270 .text C:\Windows\System32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000779827e0 5 bytes JMP 0000000077ae0400 .text C:\Windows\System32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000779829a0 5 bytes JMP 0000000077ae01f0 .text C:\Windows\System32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000779829b0 5 bytes JMP 0000000077ae0210 .text C:\Windows\System32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077982a20 5 bytes JMP 0000000077ae0200 .text C:\Windows\System32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077982a80 5 bytes JMP 0000000077ae0420 .text C:\Windows\System32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077982a90 5 bytes JMP 0000000077ae0430 .text C:\Windows\System32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077982aa0 5 bytes JMP 0000000077ae0220 .text C:\Windows\System32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077982b80 5 bytes JMP 0000000077ae0280 .text C:\Windows\System32\svchost.exe[800] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007786ef8d 1 byte [62] .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077981360 5 bytes JMP 0000000077ae0460 .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000779813b0 5 bytes JMP 0000000077ae0450 .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077981510 5 bytes JMP 0000000077ae0370 .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077981560 5 bytes JMP 0000000077ae0470 .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077981570 5 bytes JMP 0000000077ae03e0 .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077981620 5 bytes JMP 0000000077ae0320 .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077981650 5 bytes JMP 0000000077ae03b0 .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077981670 5 bytes JMP 0000000077ae0390 .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000779816b0 5 bytes JMP 0000000077ae02e0 .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077981730 5 bytes JMP 0000000077ae02d0 .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077981750 5 bytes JMP 0000000077ae0310 .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077981790 5 bytes JMP 0000000077ae03c0 .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000779817e0 5 bytes JMP 0000000077ae03f0 .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077981940 5 bytes JMP 0000000077ae0230 .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077981b00 5 bytes JMP 0000000077ae0480 .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077981b30 5 bytes JMP 0000000077ae03a0 .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077981c10 5 bytes JMP 0000000077ae02f0 .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077981c20 5 bytes JMP 0000000077ae0350 .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077981c80 5 bytes JMP 0000000077ae0290 .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077981d10 5 bytes JMP 0000000077ae02b0 .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077981d30 5 bytes JMP 0000000077ae03d0 .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077981d40 5 bytes JMP 0000000077ae0330 .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077981db0 5 bytes JMP 0000000077ae0410 .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077981de0 5 bytes JMP 0000000077ae0240 .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000779820a0 5 bytes JMP 0000000077ae01e0 .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077982160 5 bytes JMP 0000000077ae0250 .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077982190 5 bytes JMP 0000000077ae0490 .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000779821a0 5 bytes JMP 0000000077ae04a0 .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000779821d0 5 bytes JMP 0000000077ae0300 .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000779821e0 5 bytes JMP 0000000077ae0360 .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077982240 5 bytes JMP 0000000077ae02a0 .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077982290 5 bytes JMP 0000000077ae02c0 .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000779822c0 5 bytes JMP 0000000077ae0380 .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000779822d0 5 bytes JMP 0000000077ae0340 .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000779825c0 5 bytes JMP 0000000077ae0440 .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000779827c0 5 bytes JMP 0000000077ae0260 .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000779827d0 5 bytes JMP 0000000077ae0270 .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000779827e0 5 bytes JMP 0000000077ae0400 .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000779829a0 5 bytes JMP 0000000077ae01f0 .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000779829b0 5 bytes JMP 0000000077ae0210 .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077982a20 5 bytes JMP 0000000077ae0200 .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077982a80 5 bytes JMP 0000000077ae0420 .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077982a90 5 bytes JMP 0000000077ae0430 .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077982aa0 5 bytes JMP 0000000077ae0220 .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077982b80 5 bytes JMP 0000000077ae0280 .text C:\Windows\system32\svchost.exe[1028] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007786ef8d 1 byte [62] .text C:\Windows\system32\atieclxx.exe[1228] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077981360 5 bytes JMP 0000000077ae0460 .text C:\Windows\system32\atieclxx.exe[1228] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000779813b0 5 bytes JMP 0000000077ae0450 .text C:\Windows\system32\atieclxx.exe[1228] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077981510 5 bytes JMP 0000000077ae0370 .text C:\Windows\system32\atieclxx.exe[1228] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077981560 5 bytes JMP 0000000077ae0470 .text C:\Windows\system32\atieclxx.exe[1228] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077981570 5 bytes JMP 0000000077ae03e0 .text C:\Windows\system32\atieclxx.exe[1228] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077981620 5 bytes JMP 0000000077ae0320 .text C:\Windows\system32\atieclxx.exe[1228] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077981650 5 bytes JMP 0000000077ae03b0 .text C:\Windows\system32\atieclxx.exe[1228] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077981670 5 bytes JMP 0000000077ae0390 .text C:\Windows\system32\atieclxx.exe[1228] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000779816b0 5 bytes JMP 0000000077ae02e0 .text C:\Windows\system32\atieclxx.exe[1228] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077981730 5 bytes JMP 0000000077ae02d0 .text C:\Windows\system32\atieclxx.exe[1228] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077981750 5 bytes JMP 0000000077ae0310 .text C:\Windows\system32\atieclxx.exe[1228] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077981790 5 bytes JMP 0000000077ae03c0 .text C:\Windows\system32\atieclxx.exe[1228] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000779817e0 5 bytes JMP 0000000077ae03f0 .text C:\Windows\system32\atieclxx.exe[1228] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077981940 5 bytes JMP 0000000077ae0230 .text C:\Windows\system32\atieclxx.exe[1228] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077981b00 5 bytes JMP 0000000077ae0480 .text C:\Windows\system32\atieclxx.exe[1228] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077981b30 5 bytes JMP 0000000077ae03a0 .text C:\Windows\system32\atieclxx.exe[1228] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077981c10 5 bytes JMP 0000000077ae02f0 .text C:\Windows\system32\atieclxx.exe[1228] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077981c20 5 bytes JMP 0000000077ae0350 .text C:\Windows\system32\atieclxx.exe[1228] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077981c80 5 bytes JMP 0000000077ae0290 .text C:\Windows\system32\atieclxx.exe[1228] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077981d10 5 bytes JMP 0000000077ae02b0 .text C:\Windows\system32\atieclxx.exe[1228] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077981d30 5 bytes JMP 0000000077ae03d0 .text C:\Windows\system32\atieclxx.exe[1228] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077981d40 5 bytes JMP 0000000077ae0330 .text C:\Windows\system32\atieclxx.exe[1228] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077981db0 5 bytes JMP 0000000077ae0410 .text C:\Windows\system32\atieclxx.exe[1228] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077981de0 5 bytes JMP 0000000077ae0240 .text C:\Windows\system32\atieclxx.exe[1228] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000779820a0 5 bytes JMP 0000000077ae01e0 .text C:\Windows\system32\atieclxx.exe[1228] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077982160 5 bytes JMP 0000000077ae0250 .text C:\Windows\system32\atieclxx.exe[1228] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077982190 5 bytes JMP 0000000077ae0490 .text C:\Windows\system32\atieclxx.exe[1228] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000779821a0 5 bytes JMP 0000000077ae04a0 .text C:\Windows\system32\atieclxx.exe[1228] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000779821d0 5 bytes JMP 0000000077ae0300 .text C:\Windows\system32\atieclxx.exe[1228] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000779821e0 5 bytes JMP 0000000077ae0360 .text C:\Windows\system32\atieclxx.exe[1228] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077982240 5 bytes JMP 0000000077ae02a0 .text C:\Windows\system32\atieclxx.exe[1228] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077982290 5 bytes JMP 0000000077ae02c0 .text C:\Windows\system32\atieclxx.exe[1228] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000779822c0 5 bytes JMP 0000000077ae0380 .text C:\Windows\system32\atieclxx.exe[1228] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000779822d0 5 bytes JMP 0000000077ae0340 .text C:\Windows\system32\atieclxx.exe[1228] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000779825c0 5 bytes JMP 0000000077ae0440 .text C:\Windows\system32\atieclxx.exe[1228] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000779827c0 5 bytes JMP 0000000077ae0260 .text C:\Windows\system32\atieclxx.exe[1228] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000779827d0 5 bytes JMP 0000000077ae0270 .text C:\Windows\system32\atieclxx.exe[1228] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000779827e0 5 bytes JMP 0000000077ae0400 .text C:\Windows\system32\atieclxx.exe[1228] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000779829a0 5 bytes JMP 0000000077ae01f0 .text C:\Windows\system32\atieclxx.exe[1228] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000779829b0 5 bytes JMP 0000000077ae0210 .text C:\Windows\system32\atieclxx.exe[1228] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077982a20 5 bytes JMP 0000000077ae0200 .text C:\Windows\system32\atieclxx.exe[1228] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077982a80 5 bytes JMP 0000000077ae0420 .text C:\Windows\system32\atieclxx.exe[1228] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077982a90 5 bytes JMP 0000000077ae0430 .text C:\Windows\system32\atieclxx.exe[1228] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077982aa0 5 bytes JMP 0000000077ae0220 .text C:\Windows\system32\atieclxx.exe[1228] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077982b80 5 bytes JMP 0000000077ae0280 .text C:\Windows\system32\svchost.exe[1476] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077981360 5 bytes JMP 0000000077ae0460 .text C:\Windows\system32\svchost.exe[1476] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000779813b0 5 bytes JMP 0000000077ae0450 .text C:\Windows\system32\svchost.exe[1476] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077981510 5 bytes JMP 0000000077ae0370 .text C:\Windows\system32\svchost.exe[1476] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077981560 5 bytes JMP 0000000077ae0470 .text C:\Windows\system32\svchost.exe[1476] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077981570 5 bytes JMP 0000000077ae03e0 .text C:\Windows\system32\svchost.exe[1476] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077981620 5 bytes JMP 0000000077ae0320 .text C:\Windows\system32\svchost.exe[1476] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077981650 5 bytes JMP 0000000077ae03b0 .text C:\Windows\system32\svchost.exe[1476] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077981670 5 bytes JMP 0000000077ae0390 .text C:\Windows\system32\svchost.exe[1476] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000779816b0 5 bytes JMP 0000000077ae02e0 .text C:\Windows\system32\svchost.exe[1476] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077981730 5 bytes JMP 0000000077ae02d0 .text C:\Windows\system32\svchost.exe[1476] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077981750 5 bytes JMP 0000000077ae0310 .text C:\Windows\system32\svchost.exe[1476] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077981790 5 bytes JMP 0000000077ae03c0 .text C:\Windows\system32\svchost.exe[1476] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000779817e0 5 bytes JMP 0000000077ae03f0 .text C:\Windows\system32\svchost.exe[1476] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077981940 5 bytes JMP 0000000077ae0230 .text C:\Windows\system32\svchost.exe[1476] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077981b00 5 bytes JMP 0000000077ae0480 .text C:\Windows\system32\svchost.exe[1476] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077981b30 5 bytes JMP 0000000077ae03a0 .text C:\Windows\system32\svchost.exe[1476] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077981c10 5 bytes JMP 0000000077ae02f0 .text C:\Windows\system32\svchost.exe[1476] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077981c20 5 bytes JMP 0000000077ae0350 .text C:\Windows\system32\svchost.exe[1476] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077981c80 5 bytes JMP 0000000077ae0290 .text C:\Windows\system32\svchost.exe[1476] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077981d10 5 bytes JMP 0000000077ae02b0 .text C:\Windows\system32\svchost.exe[1476] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077981d30 5 bytes JMP 0000000077ae03d0 .text C:\Windows\system32\svchost.exe[1476] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077981d40 5 bytes JMP 0000000077ae0330 .text C:\Windows\system32\svchost.exe[1476] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077981db0 5 bytes JMP 0000000077ae0410 .text C:\Windows\system32\svchost.exe[1476] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077981de0 5 bytes JMP 0000000077ae0240 .text C:\Windows\system32\svchost.exe[1476] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000779820a0 5 bytes JMP 0000000077ae01e0 .text C:\Windows\system32\svchost.exe[1476] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077982160 5 bytes JMP 0000000077ae0250 .text C:\Windows\system32\svchost.exe[1476] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077982190 5 bytes JMP 0000000077ae0490 .text C:\Windows\system32\svchost.exe[1476] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000779821a0 5 bytes JMP 0000000077ae04a0 .text C:\Windows\system32\svchost.exe[1476] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000779821d0 5 bytes JMP 0000000077ae0300 .text C:\Windows\system32\svchost.exe[1476] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000779821e0 5 bytes JMP 0000000077ae0360 .text C:\Windows\system32\svchost.exe[1476] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077982240 5 bytes JMP 0000000077ae02a0 .text C:\Windows\system32\svchost.exe[1476] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077982290 5 bytes JMP 0000000077ae02c0 .text C:\Windows\system32\svchost.exe[1476] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000779822c0 5 bytes JMP 0000000077ae0380 .text C:\Windows\system32\svchost.exe[1476] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000779822d0 5 bytes JMP 0000000077ae0340 .text C:\Windows\system32\svchost.exe[1476] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000779825c0 5 bytes JMP 0000000077ae0440 .text C:\Windows\system32\svchost.exe[1476] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000779827c0 5 bytes JMP 0000000077ae0260 .text C:\Windows\system32\svchost.exe[1476] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000779827d0 5 bytes JMP 0000000077ae0270 .text C:\Windows\system32\svchost.exe[1476] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000779827e0 5 bytes JMP 0000000077ae0400 .text C:\Windows\system32\svchost.exe[1476] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000779829a0 5 bytes JMP 0000000077ae01f0 .text C:\Windows\system32\svchost.exe[1476] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000779829b0 5 bytes JMP 0000000077ae0210 .text C:\Windows\system32\svchost.exe[1476] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077982a20 5 bytes JMP 0000000077ae0200 .text C:\Windows\system32\svchost.exe[1476] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077982a80 5 bytes JMP 0000000077ae0420 .text C:\Windows\system32\svchost.exe[1476] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077982a90 5 bytes JMP 0000000077ae0430 .text C:\Windows\system32\svchost.exe[1476] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077982aa0 5 bytes JMP 0000000077ae0220 .text C:\Windows\system32\svchost.exe[1476] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077982b80 5 bytes JMP 0000000077ae0280 .text C:\Windows\system32\svchost.exe[1476] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007786ef8d 1 byte [62] .text C:\Windows\system32\Dwm.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077981360 5 bytes JMP 0000000077ae0460 .text C:\Windows\system32\Dwm.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000779813b0 5 bytes JMP 0000000077ae0450 .text C:\Windows\system32\Dwm.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077981510 5 bytes JMP 0000000077ae0370 .text C:\Windows\system32\Dwm.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077981560 5 bytes JMP 0000000077ae0470 .text C:\Windows\system32\Dwm.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077981570 5 bytes JMP 0000000077ae03e0 .text C:\Windows\system32\Dwm.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077981620 5 bytes JMP 0000000077ae0320 .text C:\Windows\system32\Dwm.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077981650 5 bytes JMP 0000000077ae03b0 .text C:\Windows\system32\Dwm.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077981670 5 bytes JMP 0000000077ae0390 .text C:\Windows\system32\Dwm.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000779816b0 5 bytes JMP 0000000077ae02e0 .text C:\Windows\system32\Dwm.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077981730 5 bytes JMP 0000000077ae02d0 .text C:\Windows\system32\Dwm.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077981750 5 bytes JMP 0000000077ae0310 .text C:\Windows\system32\Dwm.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077981790 5 bytes JMP 0000000077ae03c0 .text C:\Windows\system32\Dwm.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000779817e0 5 bytes JMP 0000000077ae03f0 .text C:\Windows\system32\Dwm.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077981940 5 bytes JMP 0000000077ae0230 .text C:\Windows\system32\Dwm.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077981b00 5 bytes JMP 0000000077ae0480 .text C:\Windows\system32\Dwm.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077981b30 5 bytes JMP 0000000077ae03a0 .text C:\Windows\system32\Dwm.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077981c10 5 bytes JMP 0000000077ae02f0 .text C:\Windows\system32\Dwm.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077981c20 5 bytes JMP 0000000077ae0350 .text C:\Windows\system32\Dwm.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077981c80 5 bytes JMP 0000000077ae0290 .text C:\Windows\system32\Dwm.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077981d10 5 bytes JMP 0000000077ae02b0 .text C:\Windows\system32\Dwm.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077981d30 5 bytes JMP 0000000077ae03d0 .text C:\Windows\system32\Dwm.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077981d40 5 bytes JMP 0000000077ae0330 .text C:\Windows\system32\Dwm.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077981db0 5 bytes JMP 0000000077ae0410 .text C:\Windows\system32\Dwm.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077981de0 5 bytes JMP 0000000077ae0240 .text C:\Windows\system32\Dwm.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000779820a0 5 bytes JMP 0000000077ae01e0 .text C:\Windows\system32\Dwm.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077982160 5 bytes JMP 0000000077ae0250 .text C:\Windows\system32\Dwm.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077982190 5 bytes JMP 0000000077ae0490 .text C:\Windows\system32\Dwm.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000779821a0 5 bytes JMP 0000000077ae04a0 .text C:\Windows\system32\Dwm.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000779821d0 5 bytes JMP 0000000077ae0300 .text C:\Windows\system32\Dwm.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000779821e0 5 bytes JMP 0000000077ae0360 .text C:\Windows\system32\Dwm.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077982240 5 bytes JMP 0000000077ae02a0 .text C:\Windows\system32\Dwm.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077982290 5 bytes JMP 0000000077ae02c0 .text C:\Windows\system32\Dwm.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000779822c0 5 bytes JMP 0000000077ae0380 .text C:\Windows\system32\Dwm.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000779822d0 5 bytes JMP 0000000077ae0340 .text C:\Windows\system32\Dwm.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000779825c0 5 bytes JMP 0000000077ae0440 .text C:\Windows\system32\Dwm.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000779827c0 5 bytes JMP 0000000077ae0260 .text C:\Windows\system32\Dwm.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000779827d0 5 bytes JMP 0000000077ae0270 .text C:\Windows\system32\Dwm.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000779827e0 5 bytes JMP 0000000077ae0400 .text C:\Windows\system32\Dwm.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000779829a0 5 bytes JMP 0000000077ae01f0 .text C:\Windows\system32\Dwm.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000779829b0 5 bytes JMP 0000000077ae0210 .text C:\Windows\system32\Dwm.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077982a20 5 bytes JMP 0000000077ae0200 .text C:\Windows\system32\Dwm.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077982a80 5 bytes JMP 0000000077ae0420 .text C:\Windows\system32\Dwm.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077982a90 5 bytes JMP 0000000077ae0430 .text C:\Windows\system32\Dwm.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077982aa0 5 bytes JMP 0000000077ae0220 .text C:\Windows\system32\Dwm.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077982b80 5 bytes JMP 0000000077ae0280 .text C:\Windows\Explorer.EXE[1556] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077981360 5 bytes JMP 0000000077ae0460 .text C:\Windows\Explorer.EXE[1556] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000779813b0 5 bytes JMP 0000000077ae0450 .text C:\Windows\Explorer.EXE[1556] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077981510 5 bytes JMP 0000000077ae0370 .text C:\Windows\Explorer.EXE[1556] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077981560 5 bytes JMP 0000000077ae0470 .text C:\Windows\Explorer.EXE[1556] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077981570 5 bytes JMP 0000000077ae03e0 .text C:\Windows\Explorer.EXE[1556] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077981620 5 bytes JMP 0000000077ae0320 .text C:\Windows\Explorer.EXE[1556] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077981650 5 bytes JMP 0000000077ae03b0 .text C:\Windows\Explorer.EXE[1556] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077981670 5 bytes JMP 0000000077ae0390 .text C:\Windows\Explorer.EXE[1556] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000779816b0 5 bytes JMP 0000000077ae02e0 .text C:\Windows\Explorer.EXE[1556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077981730 5 bytes JMP 0000000077ae02d0 .text C:\Windows\Explorer.EXE[1556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077981750 5 bytes JMP 0000000077ae0310 .text C:\Windows\Explorer.EXE[1556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077981790 5 bytes JMP 0000000077ae03c0 .text C:\Windows\Explorer.EXE[1556] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000779817e0 5 bytes JMP 0000000077ae03f0 .text C:\Windows\Explorer.EXE[1556] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077981940 5 bytes JMP 0000000077ae0230 .text C:\Windows\Explorer.EXE[1556] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077981b00 5 bytes JMP 0000000077ae0480 .text C:\Windows\Explorer.EXE[1556] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077981b30 5 bytes JMP 0000000077ae03a0 .text C:\Windows\Explorer.EXE[1556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077981c10 5 bytes JMP 0000000077ae02f0 .text C:\Windows\Explorer.EXE[1556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077981c20 5 bytes JMP 0000000077ae0350 .text C:\Windows\Explorer.EXE[1556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077981c80 5 bytes JMP 0000000077ae0290 .text C:\Windows\Explorer.EXE[1556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077981d10 5 bytes JMP 0000000077ae02b0 .text C:\Windows\Explorer.EXE[1556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077981d30 5 bytes JMP 0000000077ae03d0 .text C:\Windows\Explorer.EXE[1556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077981d40 5 bytes JMP 0000000077ae0330 .text C:\Windows\Explorer.EXE[1556] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077981db0 5 bytes JMP 0000000077ae0410 .text C:\Windows\Explorer.EXE[1556] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077981de0 5 bytes JMP 0000000077ae0240 .text C:\Windows\Explorer.EXE[1556] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000779820a0 5 bytes JMP 0000000077ae01e0 .text C:\Windows\Explorer.EXE[1556] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077982160 5 bytes JMP 0000000077ae0250 .text C:\Windows\Explorer.EXE[1556] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077982190 5 bytes JMP 0000000077ae0490 .text C:\Windows\Explorer.EXE[1556] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000779821a0 5 bytes JMP 0000000077ae04a0 .text C:\Windows\Explorer.EXE[1556] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000779821d0 5 bytes JMP 0000000077ae0300 .text C:\Windows\Explorer.EXE[1556] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000779821e0 5 bytes JMP 0000000077ae0360 .text C:\Windows\Explorer.EXE[1556] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077982240 5 bytes JMP 0000000077ae02a0 .text C:\Windows\Explorer.EXE[1556] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077982290 5 bytes JMP 0000000077ae02c0 .text C:\Windows\Explorer.EXE[1556] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000779822c0 5 bytes JMP 0000000077ae0380 .text C:\Windows\Explorer.EXE[1556] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000779822d0 5 bytes JMP 0000000077ae0340 .text C:\Windows\Explorer.EXE[1556] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000779825c0 5 bytes JMP 0000000077ae0440 .text C:\Windows\Explorer.EXE[1556] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000779827c0 5 bytes JMP 0000000077ae0260 .text C:\Windows\Explorer.EXE[1556] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000779827d0 5 bytes JMP 0000000077ae0270 .text C:\Windows\Explorer.EXE[1556] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000779827e0 5 bytes JMP 0000000077ae0400 .text C:\Windows\Explorer.EXE[1556] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000779829a0 5 bytes JMP 0000000077ae01f0 .text C:\Windows\Explorer.EXE[1556] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000779829b0 5 bytes JMP 0000000077ae0210 .text C:\Windows\Explorer.EXE[1556] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077982a20 5 bytes JMP 0000000077ae0200 .text C:\Windows\Explorer.EXE[1556] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077982a80 5 bytes JMP 0000000077ae0420 .text C:\Windows\Explorer.EXE[1556] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077982a90 5 bytes JMP 0000000077ae0430 .text C:\Windows\Explorer.EXE[1556] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077982aa0 5 bytes JMP 0000000077ae0220 .text C:\Windows\Explorer.EXE[1556] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077982b80 5 bytes JMP 0000000077ae0280 .text C:\Windows\Explorer.EXE[1556] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007786ef8d 1 byte [62] .text C:\Windows\System32\spoolsv.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077981360 5 bytes JMP 0000000100070460 .text C:\Windows\System32\spoolsv.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000779813b0 5 bytes JMP 0000000100070450 .text C:\Windows\System32\spoolsv.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077981510 5 bytes JMP 0000000100070370 .text C:\Windows\System32\spoolsv.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077981560 5 bytes JMP 0000000100070470 .text C:\Windows\System32\spoolsv.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077981570 5 bytes JMP 00000001000703e0 .text C:\Windows\System32\spoolsv.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077981620 5 bytes JMP 0000000100070320 .text C:\Windows\System32\spoolsv.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077981650 5 bytes JMP 00000001000703b0 .text C:\Windows\System32\spoolsv.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077981670 5 bytes JMP 0000000100070390 .text C:\Windows\System32\spoolsv.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000779816b0 5 bytes JMP 00000001000702e0 .text C:\Windows\System32\spoolsv.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077981730 5 bytes JMP 00000001000702d0 .text C:\Windows\System32\spoolsv.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077981750 5 bytes JMP 0000000100070310 .text C:\Windows\System32\spoolsv.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077981790 5 bytes JMP 00000001000703c0 .text C:\Windows\System32\spoolsv.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000779817e0 5 bytes JMP 00000001000703f0 .text C:\Windows\System32\spoolsv.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077981940 5 bytes JMP 0000000100070230 .text C:\Windows\System32\spoolsv.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077981b00 5 bytes JMP 0000000100070480 .text C:\Windows\System32\spoolsv.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077981b30 5 bytes JMP 00000001000703a0 .text C:\Windows\System32\spoolsv.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077981c10 5 bytes JMP 00000001000702f0 .text C:\Windows\System32\spoolsv.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077981c20 5 bytes JMP 0000000100070350 .text C:\Windows\System32\spoolsv.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077981c80 5 bytes JMP 0000000100070290 .text C:\Windows\System32\spoolsv.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077981d10 5 bytes JMP 00000001000702b0 .text C:\Windows\System32\spoolsv.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077981d30 5 bytes JMP 00000001000703d0 .text C:\Windows\System32\spoolsv.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077981d40 5 bytes JMP 0000000100070330 .text C:\Windows\System32\spoolsv.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077981db0 5 bytes JMP 0000000100070410 .text C:\Windows\System32\spoolsv.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077981de0 5 bytes JMP 0000000100070240 .text C:\Windows\System32\spoolsv.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000779820a0 5 bytes JMP 00000001000701e0 .text C:\Windows\System32\spoolsv.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077982160 5 bytes JMP 0000000100070250 .text C:\Windows\System32\spoolsv.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077982190 5 bytes JMP 0000000100070490 .text C:\Windows\System32\spoolsv.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000779821a0 5 bytes JMP 00000001000704a0 .text C:\Windows\System32\spoolsv.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000779821d0 5 bytes JMP 0000000100070300 .text C:\Windows\System32\spoolsv.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000779821e0 5 bytes JMP 0000000100070360 .text C:\Windows\System32\spoolsv.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077982240 5 bytes JMP 00000001000702a0 .text C:\Windows\System32\spoolsv.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077982290 5 bytes JMP 00000001000702c0 .text C:\Windows\System32\spoolsv.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000779822c0 5 bytes JMP 0000000100070380 .text C:\Windows\System32\spoolsv.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000779822d0 5 bytes JMP 0000000100070340 .text C:\Windows\System32\spoolsv.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000779825c0 5 bytes JMP 0000000100070440 .text C:\Windows\System32\spoolsv.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000779827c0 5 bytes JMP 0000000100070260 .text C:\Windows\System32\spoolsv.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000779827d0 5 bytes JMP 0000000100070270 .text C:\Windows\System32\spoolsv.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000779827e0 5 bytes JMP 0000000100070400 .text C:\Windows\System32\spoolsv.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000779829a0 5 bytes JMP 00000001000701f0 .text C:\Windows\System32\spoolsv.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000779829b0 5 bytes JMP 0000000100070210 .text C:\Windows\System32\spoolsv.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077982a20 5 bytes JMP 0000000100070200 .text C:\Windows\System32\spoolsv.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077982a80 5 bytes JMP 0000000100070420 .text C:\Windows\System32\spoolsv.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077982a90 5 bytes JMP 0000000100070430 .text C:\Windows\System32\spoolsv.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077982aa0 5 bytes JMP 0000000100070220 .text C:\Windows\System32\spoolsv.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077982b80 5 bytes JMP 0000000100070280 .text C:\Windows\system32\taskhost.exe[1808] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077981360 5 bytes JMP 0000000077ae0460 .text C:\Windows\system32\taskhost.exe[1808] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000779813b0 5 bytes JMP 0000000077ae0450 .text C:\Windows\system32\taskhost.exe[1808] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077981510 5 bytes JMP 0000000077ae0370 .text C:\Windows\system32\taskhost.exe[1808] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077981560 5 bytes JMP 0000000077ae0470 .text C:\Windows\system32\taskhost.exe[1808] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077981570 5 bytes JMP 0000000077ae03e0 .text C:\Windows\system32\taskhost.exe[1808] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077981620 5 bytes JMP 0000000077ae0320 .text C:\Windows\system32\taskhost.exe[1808] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077981650 5 bytes JMP 0000000077ae03b0 .text C:\Windows\system32\taskhost.exe[1808] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077981670 5 bytes JMP 0000000077ae0390 .text C:\Windows\system32\taskhost.exe[1808] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000779816b0 5 bytes JMP 0000000077ae02e0 .text C:\Windows\system32\taskhost.exe[1808] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077981730 5 bytes JMP 0000000077ae02d0 .text C:\Windows\system32\taskhost.exe[1808] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077981750 5 bytes JMP 0000000077ae0310 .text C:\Windows\system32\taskhost.exe[1808] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077981790 5 bytes JMP 0000000077ae03c0 .text C:\Windows\system32\taskhost.exe[1808] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000779817e0 5 bytes JMP 0000000077ae03f0 .text C:\Windows\system32\taskhost.exe[1808] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077981940 5 bytes JMP 0000000077ae0230 .text C:\Windows\system32\taskhost.exe[1808] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077981b00 5 bytes JMP 0000000077ae0480 .text C:\Windows\system32\taskhost.exe[1808] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077981b30 5 bytes JMP 0000000077ae03a0 .text C:\Windows\system32\taskhost.exe[1808] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077981c10 5 bytes JMP 0000000077ae02f0 .text C:\Windows\system32\taskhost.exe[1808] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077981c20 5 bytes JMP 0000000077ae0350 .text C:\Windows\system32\taskhost.exe[1808] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077981c80 5 bytes JMP 0000000077ae0290 .text C:\Windows\system32\taskhost.exe[1808] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077981d10 5 bytes JMP 0000000077ae02b0 .text C:\Windows\system32\taskhost.exe[1808] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077981d30 5 bytes JMP 0000000077ae03d0 .text C:\Windows\system32\taskhost.exe[1808] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077981d40 5 bytes JMP 0000000077ae0330 .text C:\Windows\system32\taskhost.exe[1808] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077981db0 5 bytes JMP 0000000077ae0410 .text C:\Windows\system32\taskhost.exe[1808] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077981de0 5 bytes JMP 0000000077ae0240 .text C:\Windows\system32\taskhost.exe[1808] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000779820a0 5 bytes JMP 0000000077ae01e0 .text C:\Windows\system32\taskhost.exe[1808] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077982160 5 bytes JMP 0000000077ae0250 .text C:\Windows\system32\taskhost.exe[1808] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077982190 5 bytes JMP 0000000077ae0490 .text C:\Windows\system32\taskhost.exe[1808] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000779821a0 5 bytes JMP 0000000077ae04a0 .text C:\Windows\system32\taskhost.exe[1808] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000779821d0 5 bytes JMP 0000000077ae0300 .text C:\Windows\system32\taskhost.exe[1808] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000779821e0 5 bytes JMP 0000000077ae0360 .text C:\Windows\system32\taskhost.exe[1808] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077982240 5 bytes JMP 0000000077ae02a0 .text C:\Windows\system32\taskhost.exe[1808] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077982290 5 bytes JMP 0000000077ae02c0 .text C:\Windows\system32\taskhost.exe[1808] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000779822c0 5 bytes JMP 0000000077ae0380 .text C:\Windows\system32\taskhost.exe[1808] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000779822d0 5 bytes JMP 0000000077ae0340 .text C:\Windows\system32\taskhost.exe[1808] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000779825c0 5 bytes JMP 0000000077ae0440 .text C:\Windows\system32\taskhost.exe[1808] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000779827c0 5 bytes JMP 0000000077ae0260 .text C:\Windows\system32\taskhost.exe[1808] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000779827d0 5 bytes JMP 0000000077ae0270 .text C:\Windows\system32\taskhost.exe[1808] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000779827e0 5 bytes JMP 0000000077ae0400 .text C:\Windows\system32\taskhost.exe[1808] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000779829a0 5 bytes JMP 0000000077ae01f0 .text C:\Windows\system32\taskhost.exe[1808] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000779829b0 5 bytes JMP 0000000077ae0210 .text C:\Windows\system32\taskhost.exe[1808] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077982a20 5 bytes JMP 0000000077ae0200 .text C:\Windows\system32\taskhost.exe[1808] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077982a80 5 bytes JMP 0000000077ae0420 .text C:\Windows\system32\taskhost.exe[1808] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077982a90 5 bytes JMP 0000000077ae0430 .text C:\Windows\system32\taskhost.exe[1808] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077982aa0 5 bytes JMP 0000000077ae0220 .text C:\Windows\system32\taskhost.exe[1808] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077982b80 5 bytes JMP 0000000077ae0280 .text C:\Windows\system32\taskhost.exe[1808] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007786ef8d 1 byte [62] .text C:\Windows\system32\svchost.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077981360 5 bytes JMP 0000000100070460 .text C:\Windows\system32\svchost.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000779813b0 5 bytes JMP 0000000100070450 .text C:\Windows\system32\svchost.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077981510 5 bytes JMP 0000000100070370 .text C:\Windows\system32\svchost.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077981560 5 bytes JMP 0000000100070470 .text C:\Windows\system32\svchost.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077981570 5 bytes JMP 00000001000703e0 .text C:\Windows\system32\svchost.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077981620 5 bytes JMP 0000000100070320 .text C:\Windows\system32\svchost.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077981650 5 bytes JMP 00000001000703b0 .text C:\Windows\system32\svchost.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077981670 5 bytes JMP 0000000100070390 .text C:\Windows\system32\svchost.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000779816b0 5 bytes JMP 00000001000702e0 .text C:\Windows\system32\svchost.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077981730 5 bytes JMP 00000001000702d0 .text C:\Windows\system32\svchost.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077981750 5 bytes JMP 0000000100070310 .text C:\Windows\system32\svchost.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077981790 5 bytes JMP 00000001000703c0 .text C:\Windows\system32\svchost.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000779817e0 5 bytes JMP 00000001000703f0 .text C:\Windows\system32\svchost.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077981940 5 bytes JMP 0000000100070230 .text C:\Windows\system32\svchost.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077981b00 5 bytes JMP 0000000100070480 .text C:\Windows\system32\svchost.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077981b30 5 bytes JMP 00000001000703a0 .text C:\Windows\system32\svchost.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077981c10 5 bytes JMP 00000001000702f0 .text C:\Windows\system32\svchost.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077981c20 5 bytes JMP 0000000100070350 .text C:\Windows\system32\svchost.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077981c80 5 bytes JMP 0000000100070290 .text C:\Windows\system32\svchost.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077981d10 5 bytes JMP 00000001000702b0 .text C:\Windows\system32\svchost.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077981d30 5 bytes JMP 00000001000703d0 .text C:\Windows\system32\svchost.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077981d40 5 bytes JMP 0000000100070330 .text C:\Windows\system32\svchost.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077981db0 5 bytes JMP 0000000100070410 .text C:\Windows\system32\svchost.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077981de0 5 bytes JMP 0000000100070240 .text C:\Windows\system32\svchost.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000779820a0 5 bytes JMP 00000001000701e0 .text C:\Windows\system32\svchost.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077982160 5 bytes JMP 0000000100070250 .text C:\Windows\system32\svchost.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077982190 5 bytes JMP 0000000100070490 .text C:\Windows\system32\svchost.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000779821a0 5 bytes JMP 00000001000704a0 .text C:\Windows\system32\svchost.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000779821d0 5 bytes JMP 0000000100070300 .text C:\Windows\system32\svchost.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000779821e0 5 bytes JMP 0000000100070360 .text C:\Windows\system32\svchost.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077982240 5 bytes JMP 00000001000702a0 .text C:\Windows\system32\svchost.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077982290 5 bytes JMP 00000001000702c0 .text C:\Windows\system32\svchost.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000779822c0 5 bytes JMP 0000000100070380 .text C:\Windows\system32\svchost.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000779822d0 5 bytes JMP 0000000100070340 .text C:\Windows\system32\svchost.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000779825c0 5 bytes JMP 0000000100070440 .text C:\Windows\system32\svchost.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000779827c0 5 bytes JMP 0000000100070260 .text C:\Windows\system32\svchost.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000779827d0 5 bytes JMP 0000000100070270 .text C:\Windows\system32\svchost.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000779827e0 5 bytes JMP 0000000100070400 .text C:\Windows\system32\svchost.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000779829a0 5 bytes JMP 00000001000701f0 .text C:\Windows\system32\svchost.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000779829b0 5 bytes JMP 0000000100070210 .text C:\Windows\system32\svchost.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077982a20 5 bytes JMP 0000000100070200 .text C:\Windows\system32\svchost.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077982a80 5 bytes JMP 0000000100070420 .text C:\Windows\system32\svchost.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077982a90 5 bytes JMP 0000000100070430 .text C:\Windows\system32\svchost.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077982aa0 5 bytes JMP 0000000100070220 .text C:\Windows\system32\svchost.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077982b80 5 bytes JMP 0000000100070280 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2016] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000075bda2fd 1 byte [62] .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1992] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077981360 5 bytes JMP 0000000077ae0460 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1992] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000779813b0 5 bytes JMP 0000000077ae0450 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1992] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077981510 5 bytes JMP 0000000077ae0370 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1992] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077981560 5 bytes JMP 0000000077ae0470 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1992] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077981570 5 bytes JMP 0000000077ae03e0 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1992] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077981620 5 bytes JMP 0000000077ae0320 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1992] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077981650 5 bytes JMP 0000000077ae03b0 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1992] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077981670 5 bytes JMP 0000000077ae0390 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1992] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000779816b0 5 bytes JMP 0000000077ae02e0 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1992] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077981730 5 bytes JMP 0000000077ae02d0 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1992] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077981750 5 bytes JMP 0000000077ae0310 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1992] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077981790 5 bytes JMP 0000000077ae03c0 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1992] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000779817e0 5 bytes JMP 0000000077ae03f0 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1992] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077981940 5 bytes JMP 0000000077ae0230 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1992] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077981b00 5 bytes JMP 0000000077ae0480 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1992] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077981b30 5 bytes JMP 0000000077ae03a0 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1992] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077981c10 5 bytes JMP 0000000077ae02f0 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1992] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077981c20 5 bytes JMP 0000000077ae0350 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1992] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077981c80 5 bytes JMP 0000000077ae0290 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1992] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077981d10 5 bytes JMP 0000000077ae02b0 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1992] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077981d30 5 bytes JMP 0000000077ae03d0 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1992] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077981d40 5 bytes JMP 0000000077ae0330 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1992] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077981db0 5 bytes JMP 0000000077ae0410 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1992] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077981de0 5 bytes JMP 0000000077ae0240 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1992] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000779820a0 5 bytes JMP 0000000077ae01e0 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1992] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077982160 5 bytes JMP 0000000077ae0250 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1992] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077982190 5 bytes JMP 0000000077ae0490 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1992] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000779821a0 5 bytes JMP 0000000077ae04a0 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1992] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000779821d0 5 bytes JMP 0000000077ae0300 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1992] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000779821e0 5 bytes JMP 0000000077ae0360 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1992] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077982240 5 bytes JMP 0000000077ae02a0 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1992] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077982290 5 bytes JMP 0000000077ae02c0 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1992] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000779822c0 5 bytes JMP 0000000077ae0380 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1992] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000779822d0 5 bytes JMP 0000000077ae0340 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1992] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000779825c0 5 bytes JMP 0000000077ae0440 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1992] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000779827c0 5 bytes JMP 0000000077ae0260 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1992] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000779827d0 5 bytes JMP 0000000077ae0270 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1992] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000779827e0 5 bytes JMP 0000000077ae0400 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1992] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000779829a0 5 bytes JMP 0000000077ae01f0 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1992] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000779829b0 5 bytes JMP 0000000077ae0210 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1992] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077982a20 5 bytes JMP 0000000077ae0200 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1992] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077982a80 5 bytes JMP 0000000077ae0420 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1992] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077982a90 5 bytes JMP 0000000077ae0430 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1992] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077982aa0 5 bytes JMP 0000000077ae0220 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1992] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077982b80 5 bytes JMP 0000000077ae0280 .text C:\Program Files (x86)\EMET 5.0\EMET_Service.exe[2200] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077981360 5 bytes JMP 0000000077ae0460 .text C:\Program Files (x86)\EMET 5.0\EMET_Service.exe[2200] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000779813b0 5 bytes JMP 0000000077ae0450 .text C:\Program Files (x86)\EMET 5.0\EMET_Service.exe[2200] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077981510 5 bytes JMP 0000000077ae0370 .text C:\Program Files (x86)\EMET 5.0\EMET_Service.exe[2200] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077981560 5 bytes JMP 0000000077ae0470 .text C:\Program Files (x86)\EMET 5.0\EMET_Service.exe[2200] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077981570 5 bytes JMP 0000000077ae03e0 .text C:\Program Files (x86)\EMET 5.0\EMET_Service.exe[2200] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077981620 5 bytes JMP 0000000077ae0320 .text C:\Program Files (x86)\EMET 5.0\EMET_Service.exe[2200] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077981650 5 bytes JMP 0000000077ae03b0 .text C:\Program Files (x86)\EMET 5.0\EMET_Service.exe[2200] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077981670 5 bytes JMP 0000000077ae0390 .text C:\Program Files (x86)\EMET 5.0\EMET_Service.exe[2200] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000779816b0 5 bytes JMP 0000000077ae02e0 .text C:\Program Files (x86)\EMET 5.0\EMET_Service.exe[2200] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077981730 5 bytes JMP 0000000077ae02d0 .text C:\Program Files (x86)\EMET 5.0\EMET_Service.exe[2200] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077981750 5 bytes JMP 0000000077ae0310 .text C:\Program Files (x86)\EMET 5.0\EMET_Service.exe[2200] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077981790 5 bytes JMP 0000000077ae03c0 .text C:\Program Files (x86)\EMET 5.0\EMET_Service.exe[2200] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000779817e0 5 bytes JMP 0000000077ae03f0 .text C:\Program Files (x86)\EMET 5.0\EMET_Service.exe[2200] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077981940 5 bytes JMP 0000000077ae0230 .text C:\Program Files (x86)\EMET 5.0\EMET_Service.exe[2200] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077981b00 5 bytes JMP 0000000077ae0480 .text C:\Program Files (x86)\EMET 5.0\EMET_Service.exe[2200] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077981b30 5 bytes JMP 0000000077ae03a0 .text C:\Program Files (x86)\EMET 5.0\EMET_Service.exe[2200] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077981c10 5 bytes JMP 0000000077ae02f0 .text C:\Program Files (x86)\EMET 5.0\EMET_Service.exe[2200] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077981c20 5 bytes JMP 0000000077ae0350 .text C:\Program Files (x86)\EMET 5.0\EMET_Service.exe[2200] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077981c80 5 bytes JMP 0000000077ae0290 .text C:\Program Files (x86)\EMET 5.0\EMET_Service.exe[2200] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077981d10 5 bytes JMP 0000000077ae02b0 .text C:\Program Files (x86)\EMET 5.0\EMET_Service.exe[2200] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077981d30 5 bytes JMP 0000000077ae03d0 .text C:\Program Files (x86)\EMET 5.0\EMET_Service.exe[2200] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077981d40 5 bytes JMP 0000000077ae0330 .text C:\Program Files (x86)\EMET 5.0\EMET_Service.exe[2200] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077981db0 5 bytes JMP 0000000077ae0410 .text C:\Program Files (x86)\EMET 5.0\EMET_Service.exe[2200] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077981de0 5 bytes JMP 0000000077ae0240 .text C:\Program Files (x86)\EMET 5.0\EMET_Service.exe[2200] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000779820a0 5 bytes JMP 0000000077ae01e0 .text C:\Program Files (x86)\EMET 5.0\EMET_Service.exe[2200] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077982160 5 bytes JMP 0000000077ae0250 .text C:\Program Files (x86)\EMET 5.0\EMET_Service.exe[2200] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077982190 5 bytes JMP 0000000077ae0490 .text C:\Program Files (x86)\EMET 5.0\EMET_Service.exe[2200] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000779821a0 5 bytes JMP 0000000077ae04a0 .text C:\Program Files (x86)\EMET 5.0\EMET_Service.exe[2200] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000779821d0 5 bytes JMP 0000000077ae0300 .text C:\Program Files (x86)\EMET 5.0\EMET_Service.exe[2200] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000779821e0 5 bytes JMP 0000000077ae0360 .text C:\Program Files (x86)\EMET 5.0\EMET_Service.exe[2200] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077982240 5 bytes JMP 0000000077ae02a0 .text C:\Program Files (x86)\EMET 5.0\EMET_Service.exe[2200] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077982290 5 bytes JMP 0000000077ae02c0 .text C:\Program Files (x86)\EMET 5.0\EMET_Service.exe[2200] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000779822c0 5 bytes JMP 0000000077ae0380 .text C:\Program Files (x86)\EMET 5.0\EMET_Service.exe[2200] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000779822d0 5 bytes JMP 0000000077ae0340 .text C:\Program Files (x86)\EMET 5.0\EMET_Service.exe[2200] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000779825c0 5 bytes JMP 0000000077ae0440 .text C:\Program Files (x86)\EMET 5.0\EMET_Service.exe[2200] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000779827c0 5 bytes JMP 0000000077ae0260 .text C:\Program Files (x86)\EMET 5.0\EMET_Service.exe[2200] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000779827d0 5 bytes JMP 0000000077ae0270 .text C:\Program Files (x86)\EMET 5.0\EMET_Service.exe[2200] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000779827e0 5 bytes JMP 0000000077ae0400 .text C:\Program Files (x86)\EMET 5.0\EMET_Service.exe[2200] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000779829a0 5 bytes JMP 0000000077ae01f0 .text C:\Program Files (x86)\EMET 5.0\EMET_Service.exe[2200] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000779829b0 5 bytes JMP 0000000077ae0210 .text C:\Program Files (x86)\EMET 5.0\EMET_Service.exe[2200] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077982a20 5 bytes JMP 0000000077ae0200 .text C:\Program Files (x86)\EMET 5.0\EMET_Service.exe[2200] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077982a80 5 bytes JMP 0000000077ae0420 .text C:\Program Files (x86)\EMET 5.0\EMET_Service.exe[2200] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077982a90 5 bytes JMP 0000000077ae0430 .text C:\Program Files (x86)\EMET 5.0\EMET_Service.exe[2200] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077982aa0 5 bytes JMP 0000000077ae0220 .text C:\Program Files (x86)\EMET 5.0\EMET_Service.exe[2200] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077982b80 5 bytes JMP 0000000077ae0280 .text C:\Program Files (x86)\EMET 5.0\EMET_Service.exe[2200] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 000000007786ef8d 1 byte [62] .text C:\Program Files\Microsoft LifeCam\MSCamS64.exe[2404] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077981360 5 bytes JMP 0000000077ae0460 .text C:\Program Files\Microsoft LifeCam\MSCamS64.exe[2404] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000779813b0 5 bytes JMP 0000000077ae0450 .text C:\Program Files\Microsoft LifeCam\MSCamS64.exe[2404] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077981510 5 bytes JMP 0000000077ae0370 .text C:\Program Files\Microsoft LifeCam\MSCamS64.exe[2404] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077981560 5 bytes JMP 0000000077ae0470 .text C:\Program Files\Microsoft LifeCam\MSCamS64.exe[2404] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077981570 5 bytes JMP 0000000077ae03e0 .text C:\Program Files\Microsoft LifeCam\MSCamS64.exe[2404] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077981620 5 bytes JMP 0000000077ae0320 .text C:\Program Files\Microsoft LifeCam\MSCamS64.exe[2404] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077981650 5 bytes JMP 0000000077ae03b0 .text C:\Program Files\Microsoft LifeCam\MSCamS64.exe[2404] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077981670 5 bytes JMP 0000000077ae0390 .text C:\Program Files\Microsoft LifeCam\MSCamS64.exe[2404] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000779816b0 5 bytes JMP 0000000077ae02e0 .text C:\Program Files\Microsoft LifeCam\MSCamS64.exe[2404] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077981730 5 bytes JMP 0000000077ae02d0 .text C:\Program Files\Microsoft LifeCam\MSCamS64.exe[2404] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077981750 5 bytes JMP 0000000077ae0310 .text C:\Program Files\Microsoft LifeCam\MSCamS64.exe[2404] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077981790 5 bytes JMP 0000000077ae03c0 .text C:\Program Files\Microsoft LifeCam\MSCamS64.exe[2404] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000779817e0 5 bytes JMP 0000000077ae03f0 .text C:\Program Files\Microsoft LifeCam\MSCamS64.exe[2404] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077981940 5 bytes JMP 0000000077ae0230 .text C:\Program Files\Microsoft LifeCam\MSCamS64.exe[2404] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077981b00 5 bytes JMP 0000000077ae0480 .text C:\Program Files\Microsoft LifeCam\MSCamS64.exe[2404] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077981b30 5 bytes JMP 0000000077ae03a0 .text C:\Program Files\Microsoft LifeCam\MSCamS64.exe[2404] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077981c10 5 bytes JMP 0000000077ae02f0 .text C:\Program Files\Microsoft LifeCam\MSCamS64.exe[2404] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077981c20 5 bytes JMP 0000000077ae0350 .text C:\Program Files\Microsoft LifeCam\MSCamS64.exe[2404] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077981c80 5 bytes JMP 0000000077ae0290 .text C:\Program Files\Microsoft LifeCam\MSCamS64.exe[2404] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077981d10 5 bytes JMP 0000000077ae02b0 .text C:\Program Files\Microsoft LifeCam\MSCamS64.exe[2404] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077981d30 5 bytes JMP 0000000077ae03d0 .text C:\Program Files\Microsoft LifeCam\MSCamS64.exe[2404] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077981d40 5 bytes JMP 0000000077ae0330 .text C:\Program Files\Microsoft LifeCam\MSCamS64.exe[2404] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077981db0 5 bytes JMP 0000000077ae0410 .text C:\Program Files\Microsoft LifeCam\MSCamS64.exe[2404] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077981de0 5 bytes JMP 0000000077ae0240 .text C:\Program Files\Microsoft LifeCam\MSCamS64.exe[2404] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000779820a0 5 bytes JMP 0000000077ae01e0 .text C:\Program Files\Microsoft LifeCam\MSCamS64.exe[2404] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077982160 5 bytes JMP 0000000077ae0250 .text C:\Program Files\Microsoft LifeCam\MSCamS64.exe[2404] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077982190 5 bytes JMP 0000000077ae0490 .text C:\Program Files\Microsoft LifeCam\MSCamS64.exe[2404] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000779821a0 5 bytes JMP 0000000077ae04a0 .text C:\Program Files\Microsoft LifeCam\MSCamS64.exe[2404] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000779821d0 5 bytes JMP 0000000077ae0300 .text C:\Program Files\Microsoft LifeCam\MSCamS64.exe[2404] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000779821e0 5 bytes JMP 0000000077ae0360 .text C:\Program Files\Microsoft LifeCam\MSCamS64.exe[2404] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077982240 5 bytes JMP 0000000077ae02a0 .text C:\Program Files\Microsoft LifeCam\MSCamS64.exe[2404] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077982290 5 bytes JMP 0000000077ae02c0 .text C:\Program Files\Microsoft LifeCam\MSCamS64.exe[2404] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000779822c0 5 bytes JMP 0000000077ae0380 .text C:\Program Files\Microsoft LifeCam\MSCamS64.exe[2404] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000779822d0 5 bytes JMP 0000000077ae0340 .text C:\Program Files\Microsoft LifeCam\MSCamS64.exe[2404] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000779825c0 5 bytes JMP 0000000077ae0440 .text C:\Program Files\Microsoft LifeCam\MSCamS64.exe[2404] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000779827c0 5 bytes JMP 0000000077ae0260 .text C:\Program Files\Microsoft LifeCam\MSCamS64.exe[2404] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000779827d0 5 bytes JMP 0000000077ae0270 .text C:\Program Files\Microsoft LifeCam\MSCamS64.exe[2404] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000779827e0 5 bytes JMP 0000000077ae0400 .text C:\Program Files\Microsoft LifeCam\MSCamS64.exe[2404] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000779829a0 5 bytes JMP 0000000077ae01f0 .text C:\Program Files\Microsoft LifeCam\MSCamS64.exe[2404] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000779829b0 5 bytes JMP 0000000077ae0210 .text C:\Program Files\Microsoft LifeCam\MSCamS64.exe[2404] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077982a20 5 bytes JMP 0000000077ae0200 .text C:\Program Files\Microsoft LifeCam\MSCamS64.exe[2404] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077982a80 5 bytes JMP 0000000077ae0420 .text C:\Program Files\Microsoft LifeCam\MSCamS64.exe[2404] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077982a90 5 bytes JMP 0000000077ae0430 .text C:\Program Files\Microsoft LifeCam\MSCamS64.exe[2404] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077982aa0 5 bytes JMP 0000000077ae0220 .text C:\Program Files\Microsoft LifeCam\MSCamS64.exe[2404] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077982b80 5 bytes JMP 0000000077ae0280 .text C:\Program Files (x86)\EMET 5.0\EMET_Agent.exe[2504] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077981360 5 bytes JMP 0000000100070460 .text C:\Program Files (x86)\EMET 5.0\EMET_Agent.exe[2504] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000779813b0 5 bytes JMP 0000000100070450 .text C:\Program Files (x86)\EMET 5.0\EMET_Agent.exe[2504] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077981510 5 bytes JMP 0000000100070370 .text C:\Program Files (x86)\EMET 5.0\EMET_Agent.exe[2504] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077981560 5 bytes JMP 0000000100070470 .text C:\Program Files (x86)\EMET 5.0\EMET_Agent.exe[2504] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077981570 5 bytes JMP 00000001000703e0 .text C:\Program Files (x86)\EMET 5.0\EMET_Agent.exe[2504] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077981620 5 bytes JMP 0000000100070320 .text C:\Program Files (x86)\EMET 5.0\EMET_Agent.exe[2504] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077981650 5 bytes JMP 00000001000703b0 .text C:\Program Files (x86)\EMET 5.0\EMET_Agent.exe[2504] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077981670 5 bytes JMP 0000000100070390 .text C:\Program Files (x86)\EMET 5.0\EMET_Agent.exe[2504] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000779816b0 5 bytes JMP 00000001000702e0 .text C:\Program Files (x86)\EMET 5.0\EMET_Agent.exe[2504] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077981730 5 bytes JMP 00000001000702d0 .text C:\Program Files (x86)\EMET 5.0\EMET_Agent.exe[2504] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077981750 5 bytes JMP 0000000100070310 .text C:\Program Files (x86)\EMET 5.0\EMET_Agent.exe[2504] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077981790 5 bytes JMP 00000001000703c0 .text C:\Program Files (x86)\EMET 5.0\EMET_Agent.exe[2504] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000779817e0 5 bytes JMP 00000001000703f0 .text C:\Program Files (x86)\EMET 5.0\EMET_Agent.exe[2504] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077981940 5 bytes JMP 0000000100070230 .text C:\Program Files (x86)\EMET 5.0\EMET_Agent.exe[2504] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077981b00 5 bytes JMP 0000000100070480 .text C:\Program Files (x86)\EMET 5.0\EMET_Agent.exe[2504] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077981b30 5 bytes JMP 00000001000703a0 .text C:\Program Files (x86)\EMET 5.0\EMET_Agent.exe[2504] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077981c10 5 bytes JMP 00000001000702f0 .text C:\Program Files (x86)\EMET 5.0\EMET_Agent.exe[2504] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077981c20 5 bytes JMP 0000000100070350 .text C:\Program Files (x86)\EMET 5.0\EMET_Agent.exe[2504] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077981c80 5 bytes JMP 0000000100070290 .text C:\Program Files (x86)\EMET 5.0\EMET_Agent.exe[2504] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077981d10 5 bytes JMP 00000001000702b0 .text C:\Program Files (x86)\EMET 5.0\EMET_Agent.exe[2504] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077981d30 5 bytes JMP 00000001000703d0 .text C:\Program Files (x86)\EMET 5.0\EMET_Agent.exe[2504] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077981d40 5 bytes JMP 0000000100070330 .text C:\Program Files (x86)\EMET 5.0\EMET_Agent.exe[2504] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077981db0 5 bytes JMP 0000000100070410 .text C:\Program Files (x86)\EMET 5.0\EMET_Agent.exe[2504] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077981de0 5 bytes JMP 0000000100070240 .text C:\Program Files (x86)\EMET 5.0\EMET_Agent.exe[2504] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000779820a0 5 bytes JMP 00000001000701e0 .text C:\Program Files (x86)\EMET 5.0\EMET_Agent.exe[2504] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077982160 5 bytes JMP 0000000100070250 .text C:\Program Files (x86)\EMET 5.0\EMET_Agent.exe[2504] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077982190 5 bytes JMP 0000000100070490 .text C:\Program Files (x86)\EMET 5.0\EMET_Agent.exe[2504] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000779821a0 5 bytes JMP 00000001000704a0 .text C:\Program Files (x86)\EMET 5.0\EMET_Agent.exe[2504] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000779821d0 5 bytes JMP 0000000100070300 .text C:\Program Files (x86)\EMET 5.0\EMET_Agent.exe[2504] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000779821e0 5 bytes JMP 0000000100070360 .text C:\Program Files (x86)\EMET 5.0\EMET_Agent.exe[2504] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077982240 5 bytes JMP 00000001000702a0 .text C:\Program Files (x86)\EMET 5.0\EMET_Agent.exe[2504] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077982290 5 bytes JMP 00000001000702c0 .text C:\Program Files (x86)\EMET 5.0\EMET_Agent.exe[2504] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000779822c0 5 bytes JMP 0000000100070380 .text C:\Program Files (x86)\EMET 5.0\EMET_Agent.exe[2504] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000779822d0 5 bytes JMP 0000000100070340 .text C:\Program Files (x86)\EMET 5.0\EMET_Agent.exe[2504] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000779825c0 5 bytes JMP 0000000100070440 .text C:\Program Files (x86)\EMET 5.0\EMET_Agent.exe[2504] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000779827c0 5 bytes JMP 0000000100070260 .text C:\Program Files (x86)\EMET 5.0\EMET_Agent.exe[2504] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000779827d0 5 bytes JMP 0000000100070270 .text C:\Program Files (x86)\EMET 5.0\EMET_Agent.exe[2504] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000779827e0 5 bytes JMP 0000000100070400 .text C:\Program Files (x86)\EMET 5.0\EMET_Agent.exe[2504] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000779829a0 5 bytes JMP 00000001000701f0 .text C:\Program Files (x86)\EMET 5.0\EMET_Agent.exe[2504] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000779829b0 5 bytes JMP 0000000100070210 .text C:\Program Files (x86)\EMET 5.0\EMET_Agent.exe[2504] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077982a20 5 bytes JMP 0000000100070200 .text C:\Program Files (x86)\EMET 5.0\EMET_Agent.exe[2504] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077982a80 5 bytes JMP 0000000100070420 .text C:\Program Files (x86)\EMET 5.0\EMET_Agent.exe[2504] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077982a90 5 bytes JMP 0000000100070430 .text C:\Program Files (x86)\EMET 5.0\EMET_Agent.exe[2504] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077982aa0 5 bytes JMP 0000000100070220 .text C:\Program Files (x86)\EMET 5.0\EMET_Agent.exe[2504] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077982b80 5 bytes JMP 0000000100070280 .text C:\Program Files (x86)\EMET 5.0\EMET_Agent.exe[2504] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 000000007786ef8d 1 byte [62] .text C:\Windows\system32\PnkBstrA.exe[2572] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000075bda2fd 1 byte [62] .text C:\Windows\system32\PnkBstrA.exe[2572] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000756f1465 2 bytes [6F, 75] .text C:\Windows\system32\PnkBstrA.exe[2572] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000756f14bb 2 bytes [6F, 75] .text ... * 2 .text C:\Program Files (x86)\PostgreSQL\9.2\bin\pg_ctl.exe[2648] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000075bda2fd 1 byte [62] .text C:\Windows\system32\svchost.exe[2676] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077981360 5 bytes JMP 0000000077ae0460 .text C:\Windows\system32\svchost.exe[2676] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000779813b0 5 bytes JMP 0000000077ae0450 .text C:\Windows\system32\svchost.exe[2676] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077981510 5 bytes JMP 0000000077ae0370 .text C:\Windows\system32\svchost.exe[2676] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077981560 5 bytes JMP 0000000077ae0470 .text C:\Windows\system32\svchost.exe[2676] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077981570 5 bytes JMP 0000000077ae03e0 .text C:\Windows\system32\svchost.exe[2676] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077981620 5 bytes JMP 0000000077ae0320 .text C:\Windows\system32\svchost.exe[2676] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077981650 5 bytes JMP 0000000077ae03b0 .text C:\Windows\system32\svchost.exe[2676] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077981670 5 bytes JMP 0000000077ae0390 .text C:\Windows\system32\svchost.exe[2676] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000779816b0 5 bytes JMP 0000000077ae02e0 .text C:\Windows\system32\svchost.exe[2676] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077981730 5 bytes JMP 0000000077ae02d0 .text C:\Windows\system32\svchost.exe[2676] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077981750 5 bytes JMP 0000000077ae0310 .text C:\Windows\system32\svchost.exe[2676] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077981790 5 bytes JMP 0000000077ae03c0 .text C:\Windows\system32\svchost.exe[2676] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000779817e0 5 bytes JMP 0000000077ae03f0 .text C:\Windows\system32\svchost.exe[2676] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077981940 5 bytes JMP 0000000077ae0230 .text C:\Windows\system32\svchost.exe[2676] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077981b00 5 bytes JMP 0000000077ae0480 .text C:\Windows\system32\svchost.exe[2676] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077981b30 5 bytes JMP 0000000077ae03a0 .text C:\Windows\system32\svchost.exe[2676] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077981c10 5 bytes JMP 0000000077ae02f0 .text C:\Windows\system32\svchost.exe[2676] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077981c20 5 bytes JMP 0000000077ae0350 .text C:\Windows\system32\svchost.exe[2676] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077981c80 5 bytes JMP 0000000077ae0290 .text C:\Windows\system32\svchost.exe[2676] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077981d10 5 bytes JMP 0000000077ae02b0 .text C:\Windows\system32\svchost.exe[2676] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077981d30 5 bytes JMP 0000000077ae03d0 .text C:\Windows\system32\svchost.exe[2676] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077981d40 5 bytes JMP 0000000077ae0330 .text C:\Windows\system32\svchost.exe[2676] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077981db0 5 bytes JMP 0000000077ae0410 .text C:\Windows\system32\svchost.exe[2676] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077981de0 5 bytes JMP 0000000077ae0240 .text C:\Windows\system32\svchost.exe[2676] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000779820a0 5 bytes JMP 0000000077ae01e0 .text C:\Windows\system32\svchost.exe[2676] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077982160 5 bytes JMP 0000000077ae0250 .text C:\Windows\system32\svchost.exe[2676] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077982190 5 bytes JMP 0000000077ae0490 .text C:\Windows\system32\svchost.exe[2676] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000779821a0 5 bytes JMP 0000000077ae04a0 .text C:\Windows\system32\svchost.exe[2676] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000779821d0 5 bytes JMP 0000000077ae0300 .text C:\Windows\system32\svchost.exe[2676] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000779821e0 5 bytes JMP 0000000077ae0360 .text C:\Windows\system32\svchost.exe[2676] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077982240 5 bytes JMP 0000000077ae02a0 .text C:\Windows\system32\svchost.exe[2676] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077982290 5 bytes JMP 0000000077ae02c0 .text C:\Windows\system32\svchost.exe[2676] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000779822c0 5 bytes JMP 0000000077ae0380 .text C:\Windows\system32\svchost.exe[2676] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000779822d0 5 bytes JMP 0000000077ae0340 .text C:\Windows\system32\svchost.exe[2676] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000779825c0 5 bytes JMP 0000000077ae0440 .text C:\Windows\system32\svchost.exe[2676] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000779827c0 5 bytes JMP 0000000077ae0260 .text C:\Windows\system32\svchost.exe[2676] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000779827d0 5 bytes JMP 0000000077ae0270 .text C:\Windows\system32\svchost.exe[2676] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000779827e0 5 bytes JMP 0000000077ae0400 .text C:\Windows\system32\svchost.exe[2676] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000779829a0 5 bytes JMP 0000000077ae01f0 .text C:\Windows\system32\svchost.exe[2676] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000779829b0 5 bytes JMP 0000000077ae0210 .text C:\Windows\system32\svchost.exe[2676] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077982a20 5 bytes JMP 0000000077ae0200 .text C:\Windows\system32\svchost.exe[2676] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077982a80 5 bytes JMP 0000000077ae0420 .text C:\Windows\system32\svchost.exe[2676] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077982a90 5 bytes JMP 0000000077ae0430 .text C:\Windows\system32\svchost.exe[2676] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077982aa0 5 bytes JMP 0000000077ae0220 .text C:\Windows\system32\svchost.exe[2676] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077982b80 5 bytes JMP 0000000077ae0280 .text C:\Windows\System32\svchost.exe[2740] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077981360 5 bytes JMP 0000000077ae0460 .text C:\Windows\System32\svchost.exe[2740] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000779813b0 5 bytes JMP 0000000077ae0450 .text C:\Windows\System32\svchost.exe[2740] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077981510 5 bytes JMP 0000000077ae0370 .text C:\Windows\System32\svchost.exe[2740] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077981560 5 bytes JMP 0000000077ae0470 .text C:\Windows\System32\svchost.exe[2740] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077981570 5 bytes JMP 0000000077ae03e0 .text C:\Windows\System32\svchost.exe[2740] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077981620 5 bytes JMP 0000000077ae0320 .text C:\Windows\System32\svchost.exe[2740] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077981650 5 bytes JMP 0000000077ae03b0 .text C:\Windows\System32\svchost.exe[2740] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077981670 5 bytes JMP 0000000077ae0390 .text C:\Windows\System32\svchost.exe[2740] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000779816b0 5 bytes JMP 0000000077ae02e0 .text C:\Windows\System32\svchost.exe[2740] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077981730 5 bytes JMP 0000000077ae02d0 .text C:\Windows\System32\svchost.exe[2740] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077981750 5 bytes JMP 0000000077ae0310 .text C:\Windows\System32\svchost.exe[2740] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077981790 5 bytes JMP 0000000077ae03c0 .text C:\Windows\System32\svchost.exe[2740] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000779817e0 5 bytes JMP 0000000077ae03f0 .text C:\Windows\System32\svchost.exe[2740] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077981940 5 bytes JMP 0000000077ae0230 .text C:\Windows\System32\svchost.exe[2740] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077981b00 5 bytes JMP 0000000077ae0480 .text C:\Windows\System32\svchost.exe[2740] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077981b30 5 bytes JMP 0000000077ae03a0 .text C:\Windows\System32\svchost.exe[2740] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077981c10 5 bytes JMP 0000000077ae02f0 .text C:\Windows\System32\svchost.exe[2740] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077981c20 5 bytes JMP 0000000077ae0350 .text C:\Windows\System32\svchost.exe[2740] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077981c80 5 bytes JMP 0000000077ae0290 .text C:\Windows\System32\svchost.exe[2740] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077981d10 5 bytes JMP 0000000077ae02b0 .text C:\Windows\System32\svchost.exe[2740] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077981d30 5 bytes JMP 0000000077ae03d0 .text C:\Windows\System32\svchost.exe[2740] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077981d40 5 bytes JMP 0000000077ae0330 .text C:\Windows\System32\svchost.exe[2740] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077981db0 5 bytes JMP 0000000077ae0410 .text C:\Windows\System32\svchost.exe[2740] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077981de0 5 bytes JMP 0000000077ae0240 .text C:\Windows\System32\svchost.exe[2740] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000779820a0 5 bytes JMP 0000000077ae01e0 .text C:\Windows\System32\svchost.exe[2740] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077982160 5 bytes JMP 0000000077ae0250 .text C:\Windows\System32\svchost.exe[2740] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077982190 5 bytes JMP 0000000077ae0490 .text C:\Windows\System32\svchost.exe[2740] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000779821a0 5 bytes JMP 0000000077ae04a0 .text C:\Windows\System32\svchost.exe[2740] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000779821d0 5 bytes JMP 0000000077ae0300 .text C:\Windows\System32\svchost.exe[2740] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000779821e0 5 bytes JMP 0000000077ae0360 .text C:\Windows\System32\svchost.exe[2740] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077982240 5 bytes JMP 0000000077ae02a0 .text C:\Windows\System32\svchost.exe[2740] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077982290 5 bytes JMP 0000000077ae02c0 .text C:\Windows\System32\svchost.exe[2740] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000779822c0 5 bytes JMP 0000000077ae0380 .text C:\Windows\System32\svchost.exe[2740] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000779822d0 5 bytes JMP 0000000077ae0340 .text C:\Windows\System32\svchost.exe[2740] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000779825c0 5 bytes JMP 0000000077ae0440 .text C:\Windows\System32\svchost.exe[2740] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000779827c0 5 bytes JMP 0000000077ae0260 .text C:\Windows\System32\svchost.exe[2740] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000779827d0 5 bytes JMP 0000000077ae0270 .text C:\Windows\System32\svchost.exe[2740] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000779827e0 5 bytes JMP 0000000077ae0400 .text C:\Windows\System32\svchost.exe[2740] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000779829a0 5 bytes JMP 0000000077ae01f0 .text C:\Windows\System32\svchost.exe[2740] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000779829b0 5 bytes JMP 0000000077ae0210 .text C:\Windows\System32\svchost.exe[2740] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077982a20 5 bytes JMP 0000000077ae0200 .text C:\Windows\System32\svchost.exe[2740] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077982a80 5 bytes JMP 0000000077ae0420 .text C:\Windows\System32\svchost.exe[2740] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077982a90 5 bytes JMP 0000000077ae0430 .text C:\Windows\System32\svchost.exe[2740] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077982aa0 5 bytes JMP 0000000077ae0220 .text C:\Windows\System32\svchost.exe[2740] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077982b80 5 bytes JMP 0000000077ae0280 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2772] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077981360 5 bytes JMP 0000000077ae0460 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2772] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000779813b0 5 bytes JMP 0000000077ae0450 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2772] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077981510 5 bytes JMP 0000000077ae0370 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2772] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077981560 5 bytes JMP 0000000077ae0470 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2772] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077981570 5 bytes JMP 0000000077ae03e0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2772] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077981620 5 bytes JMP 0000000077ae0320 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2772] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077981650 5 bytes JMP 0000000077ae03b0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2772] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077981670 5 bytes JMP 0000000077ae0390 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2772] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000779816b0 5 bytes JMP 0000000077ae02e0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2772] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077981730 5 bytes JMP 0000000077ae02d0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2772] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077981750 5 bytes JMP 0000000077ae0310 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2772] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077981790 5 bytes JMP 0000000077ae03c0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2772] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000779817e0 5 bytes JMP 0000000077ae03f0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2772] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077981940 5 bytes JMP 0000000077ae0230 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2772] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077981b00 5 bytes JMP 0000000077ae0480 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2772] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077981b30 5 bytes JMP 0000000077ae03a0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2772] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077981c10 5 bytes JMP 0000000077ae02f0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2772] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077981c20 5 bytes JMP 0000000077ae0350 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2772] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077981c80 5 bytes JMP 0000000077ae0290 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2772] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077981d10 5 bytes JMP 0000000077ae02b0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2772] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077981d30 5 bytes JMP 0000000077ae03d0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2772] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077981d40 5 bytes JMP 0000000077ae0330 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2772] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077981db0 5 bytes JMP 0000000077ae0410 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2772] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077981de0 5 bytes JMP 0000000077ae0240 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2772] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000779820a0 5 bytes JMP 0000000077ae01e0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2772] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077982160 5 bytes JMP 0000000077ae0250 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2772] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077982190 5 bytes JMP 0000000077ae0490 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2772] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000779821a0 5 bytes JMP 0000000077ae04a0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2772] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000779821d0 5 bytes JMP 0000000077ae0300 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2772] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000779821e0 5 bytes JMP 0000000077ae0360 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2772] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077982240 5 bytes JMP 0000000077ae02a0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2772] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077982290 5 bytes JMP 0000000077ae02c0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2772] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000779822c0 5 bytes JMP 0000000077ae0380 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2772] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000779822d0 5 bytes JMP 0000000077ae0340 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2772] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000779825c0 5 bytes JMP 0000000077ae0440 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2772] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000779827c0 5 bytes JMP 0000000077ae0260 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2772] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000779827d0 5 bytes JMP 0000000077ae0270 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2772] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000779827e0 5 bytes JMP 0000000077ae0400 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2772] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000779829a0 5 bytes JMP 0000000077ae01f0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2772] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000779829b0 5 bytes JMP 0000000077ae0210 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2772] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077982a20 5 bytes JMP 0000000077ae0200 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2772] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077982a80 5 bytes JMP 0000000077ae0420 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2772] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077982a90 5 bytes JMP 0000000077ae0430 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2772] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077982aa0 5 bytes JMP 0000000077ae0220 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2772] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077982b80 5 bytes JMP 0000000077ae0280 .text C:\Program Files (x86)\PostgreSQL\9.2\bin\postgres.exe[2384] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000075bda2fd 1 byte [62] .text C:\Program Files (x86)\PostgreSQL\9.2\bin\postgres.exe[2384] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000756f1465 2 bytes [6F, 75] .text C:\Program Files (x86)\PostgreSQL\9.2\bin\postgres.exe[2384] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000756f14bb 2 bytes [6F, 75] .text ... * 2 .text C:\Program Files (x86)\PostgreSQL\9.2\bin\postgres.exe[268] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000075bda2fd 1 byte [62] .text C:\Program Files (x86)\PostgreSQL\9.2\bin\postgres.exe[3096] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000075bda2fd 1 byte [62] .text C:\Program Files (x86)\PostgreSQL\9.2\bin\postgres.exe[3104] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000075bda2fd 1 byte [62] .text C:\Program Files (x86)\PostgreSQL\9.2\bin\postgres.exe[3112] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000075bda2fd 1 byte [62] .text C:\Program Files (x86)\PostgreSQL\9.2\bin\postgres.exe[3120] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000075bda2fd 1 byte [62] .text C:\Program Files (x86)\PostgreSQL\9.2\bin\postgres.exe[3128] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000075bda2fd 1 byte [62] .text C:\Windows\system32\svchost.exe[3580] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077981360 5 bytes JMP 0000000077ae0460 .text C:\Windows\system32\svchost.exe[3580] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000779813b0 5 bytes JMP 0000000077ae0450 .text C:\Windows\system32\svchost.exe[3580] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077981510 5 bytes JMP 0000000077ae0370 .text C:\Windows\system32\svchost.exe[3580] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077981560 5 bytes JMP 0000000077ae0470 .text C:\Windows\system32\svchost.exe[3580] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077981570 5 bytes JMP 0000000077ae03e0 .text C:\Windows\system32\svchost.exe[3580] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077981620 5 bytes JMP 0000000077ae0320 .text C:\Windows\system32\svchost.exe[3580] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077981650 5 bytes JMP 0000000077ae03b0 .text C:\Windows\system32\svchost.exe[3580] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077981670 5 bytes JMP 0000000077ae0390 .text C:\Windows\system32\svchost.exe[3580] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000779816b0 5 bytes JMP 0000000077ae02e0 .text C:\Windows\system32\svchost.exe[3580] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077981730 5 bytes JMP 0000000077ae02d0 .text C:\Windows\system32\svchost.exe[3580] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077981750 5 bytes JMP 0000000077ae0310 .text C:\Windows\system32\svchost.exe[3580] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077981790 5 bytes JMP 0000000077ae03c0 .text C:\Windows\system32\svchost.exe[3580] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000779817e0 5 bytes JMP 0000000077ae03f0 .text C:\Windows\system32\svchost.exe[3580] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077981940 5 bytes JMP 0000000077ae0230 .text C:\Windows\system32\svchost.exe[3580] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077981b00 5 bytes JMP 0000000077ae0480 .text C:\Windows\system32\svchost.exe[3580] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077981b30 5 bytes JMP 0000000077ae03a0 .text C:\Windows\system32\svchost.exe[3580] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077981c10 5 bytes JMP 0000000077ae02f0 .text C:\Windows\system32\svchost.exe[3580] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077981c20 5 bytes JMP 0000000077ae0350 .text C:\Windows\system32\svchost.exe[3580] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077981c80 5 bytes JMP 0000000077ae0290 .text C:\Windows\system32\svchost.exe[3580] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077981d10 5 bytes JMP 0000000077ae02b0 .text C:\Windows\system32\svchost.exe[3580] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077981d30 5 bytes JMP 0000000077ae03d0 .text C:\Windows\system32\svchost.exe[3580] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077981d40 5 bytes JMP 0000000077ae0330 .text C:\Windows\system32\svchost.exe[3580] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077981db0 5 bytes JMP 0000000077ae0410 .text C:\Windows\system32\svchost.exe[3580] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077981de0 5 bytes JMP 0000000077ae0240 .text C:\Windows\system32\svchost.exe[3580] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000779820a0 5 bytes JMP 0000000077ae01e0 .text C:\Windows\system32\svchost.exe[3580] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077982160 5 bytes JMP 0000000077ae0250 .text C:\Windows\system32\svchost.exe[3580] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077982190 5 bytes JMP 0000000077ae0490 .text C:\Windows\system32\svchost.exe[3580] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000779821a0 5 bytes JMP 0000000077ae04a0 .text C:\Windows\system32\svchost.exe[3580] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000779821d0 5 bytes JMP 0000000077ae0300 .text C:\Windows\system32\svchost.exe[3580] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000779821e0 5 bytes JMP 0000000077ae0360 .text C:\Windows\system32\svchost.exe[3580] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077982240 5 bytes JMP 0000000077ae02a0 .text C:\Windows\system32\svchost.exe[3580] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077982290 5 bytes JMP 0000000077ae02c0 .text C:\Windows\system32\svchost.exe[3580] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000779822c0 5 bytes JMP 0000000077ae0380 .text C:\Windows\system32\svchost.exe[3580] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000779822d0 5 bytes JMP 0000000077ae0340 .text C:\Windows\system32\svchost.exe[3580] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000779825c0 5 bytes JMP 0000000077ae0440 .text C:\Windows\system32\svchost.exe[3580] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000779827c0 5 bytes JMP 0000000077ae0260 .text C:\Windows\system32\svchost.exe[3580] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000779827d0 5 bytes JMP 0000000077ae0270 .text C:\Windows\system32\svchost.exe[3580] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000779827e0 5 bytes JMP 0000000077ae0400 .text C:\Windows\system32\svchost.exe[3580] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000779829a0 5 bytes JMP 0000000077ae01f0 .text C:\Windows\system32\svchost.exe[3580] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000779829b0 5 bytes JMP 0000000077ae0210 .text C:\Windows\system32\svchost.exe[3580] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077982a20 5 bytes JMP 0000000077ae0200 .text C:\Windows\system32\svchost.exe[3580] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077982a80 5 bytes JMP 0000000077ae0420 .text C:\Windows\system32\svchost.exe[3580] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077982a90 5 bytes JMP 0000000077ae0430 .text C:\Windows\system32\svchost.exe[3580] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077982aa0 5 bytes JMP 0000000077ae0220 .text C:\Windows\system32\svchost.exe[3580] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077982b80 5 bytes JMP 0000000077ae0280 .text C:\Program Files\Logitech Gaming Software\LCore.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077981360 5 bytes JMP 0000000077ae0460 .text C:\Program Files\Logitech Gaming Software\LCore.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000779813b0 5 bytes JMP 0000000077ae0450 .text C:\Program Files\Logitech Gaming Software\LCore.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077981510 5 bytes JMP 0000000077ae0370 .text C:\Program Files\Logitech Gaming Software\LCore.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077981560 5 bytes JMP 0000000077ae0470 .text C:\Program Files\Logitech Gaming Software\LCore.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077981570 5 bytes JMP 0000000077ae03e0 .text C:\Program Files\Logitech Gaming Software\LCore.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077981620 5 bytes JMP 0000000077ae0320 .text C:\Program Files\Logitech Gaming Software\LCore.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077981650 5 bytes JMP 0000000077ae03b0 .text C:\Program Files\Logitech Gaming Software\LCore.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077981670 5 bytes JMP 0000000077ae0390 .text C:\Program Files\Logitech Gaming Software\LCore.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000779816b0 5 bytes JMP 0000000077ae02e0 .text C:\Program Files\Logitech Gaming Software\LCore.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077981730 5 bytes JMP 0000000077ae02d0 .text C:\Program Files\Logitech Gaming Software\LCore.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077981750 5 bytes JMP 0000000077ae0310 .text C:\Program Files\Logitech Gaming Software\LCore.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077981790 5 bytes JMP 0000000077ae03c0 .text C:\Program Files\Logitech Gaming Software\LCore.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000779817e0 5 bytes JMP 0000000077ae03f0 .text C:\Program Files\Logitech Gaming Software\LCore.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077981940 5 bytes JMP 0000000077ae0230 .text C:\Program Files\Logitech Gaming Software\LCore.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077981b00 5 bytes JMP 0000000077ae0480 .text C:\Program Files\Logitech Gaming Software\LCore.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077981b30 5 bytes JMP 0000000077ae03a0 .text C:\Program Files\Logitech Gaming Software\LCore.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077981c10 5 bytes JMP 0000000077ae02f0 .text C:\Program Files\Logitech Gaming Software\LCore.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077981c20 5 bytes JMP 0000000077ae0350 .text C:\Program Files\Logitech Gaming Software\LCore.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077981c80 5 bytes JMP 0000000077ae0290 .text C:\Program Files\Logitech Gaming Software\LCore.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077981d10 5 bytes JMP 0000000077ae02b0 .text C:\Program Files\Logitech Gaming Software\LCore.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077981d30 5 bytes JMP 0000000077ae03d0 .text C:\Program Files\Logitech Gaming Software\LCore.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077981d40 5 bytes JMP 0000000077ae0330 .text C:\Program Files\Logitech Gaming Software\LCore.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077981db0 5 bytes JMP 0000000077ae0410 .text C:\Program Files\Logitech Gaming Software\LCore.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077981de0 5 bytes JMP 0000000077ae0240 .text C:\Program Files\Logitech Gaming Software\LCore.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000779820a0 5 bytes JMP 0000000077ae01e0 .text C:\Program Files\Logitech Gaming Software\LCore.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077982160 5 bytes JMP 0000000077ae0250 .text C:\Program Files\Logitech Gaming Software\LCore.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077982190 5 bytes JMP 0000000077ae0490 .text C:\Program Files\Logitech Gaming Software\LCore.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000779821a0 5 bytes JMP 0000000077ae04a0 .text C:\Program Files\Logitech Gaming Software\LCore.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000779821d0 5 bytes JMP 0000000077ae0300 .text C:\Program Files\Logitech Gaming Software\LCore.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000779821e0 5 bytes JMP 0000000077ae0360 .text C:\Program Files\Logitech Gaming Software\LCore.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077982240 5 bytes JMP 0000000077ae02a0 .text C:\Program Files\Logitech Gaming Software\LCore.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077982290 5 bytes JMP 0000000077ae02c0 .text C:\Program Files\Logitech Gaming Software\LCore.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000779822c0 5 bytes JMP 0000000077ae0380 .text C:\Program Files\Logitech Gaming Software\LCore.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000779822d0 5 bytes JMP 0000000077ae0340 .text C:\Program Files\Logitech Gaming Software\LCore.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000779825c0 5 bytes JMP 0000000077ae0440 .text C:\Program Files\Logitech Gaming Software\LCore.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000779827c0 5 bytes JMP 0000000077ae0260 .text C:\Program Files\Logitech Gaming Software\LCore.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000779827d0 5 bytes JMP 0000000077ae0270 .text C:\Program Files\Logitech Gaming Software\LCore.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000779827e0 5 bytes JMP 0000000077ae0400 .text C:\Program Files\Logitech Gaming Software\LCore.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000779829a0 5 bytes JMP 0000000077ae01f0 .text C:\Program Files\Logitech Gaming Software\LCore.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000779829b0 5 bytes JMP 0000000077ae0210 .text C:\Program Files\Logitech Gaming Software\LCore.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077982a20 5 bytes JMP 0000000077ae0200 .text C:\Program Files\Logitech Gaming Software\LCore.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077982a80 5 bytes JMP 0000000077ae0420 .text C:\Program Files\Logitech Gaming Software\LCore.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077982a90 5 bytes JMP 0000000077ae0430 .text C:\Program Files\Logitech Gaming Software\LCore.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077982aa0 5 bytes JMP 0000000077ae0220 .text C:\Program Files\Logitech Gaming Software\LCore.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077982b80 5 bytes JMP 0000000077ae0280 .text C:\Program Files\Logitech Gaming Software\LCore.exe[1004] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007786ef8d 1 byte [62] .text C:\Windows\system32\SearchIndexer.exe[3356] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077981360 5 bytes JMP 0000000077ae0460 .text C:\Windows\system32\SearchIndexer.exe[3356] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000779813b0 5 bytes JMP 0000000077ae0450 .text C:\Windows\system32\SearchIndexer.exe[3356] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077981510 5 bytes JMP 0000000077ae0370 .text C:\Windows\system32\SearchIndexer.exe[3356] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077981560 5 bytes JMP 0000000077ae0470 .text C:\Windows\system32\SearchIndexer.exe[3356] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077981570 5 bytes JMP 0000000077ae03e0 .text C:\Windows\system32\SearchIndexer.exe[3356] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077981620 5 bytes JMP 0000000077ae0320 .text C:\Windows\system32\SearchIndexer.exe[3356] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077981650 5 bytes JMP 0000000077ae03b0 .text C:\Windows\system32\SearchIndexer.exe[3356] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077981670 5 bytes JMP 0000000077ae0390 .text C:\Windows\system32\SearchIndexer.exe[3356] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000779816b0 5 bytes JMP 0000000077ae02e0 .text C:\Windows\system32\SearchIndexer.exe[3356] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077981730 5 bytes JMP 0000000077ae02d0 .text C:\Windows\system32\SearchIndexer.exe[3356] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077981750 5 bytes JMP 0000000077ae0310 .text C:\Windows\system32\SearchIndexer.exe[3356] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077981790 5 bytes JMP 0000000077ae03c0 .text C:\Windows\system32\SearchIndexer.exe[3356] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000779817e0 5 bytes JMP 0000000077ae03f0 .text C:\Windows\system32\SearchIndexer.exe[3356] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077981940 5 bytes JMP 0000000077ae0230 .text C:\Windows\system32\SearchIndexer.exe[3356] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077981b00 5 bytes JMP 0000000077ae0480 .text C:\Windows\system32\SearchIndexer.exe[3356] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077981b30 5 bytes JMP 0000000077ae03a0 .text C:\Windows\system32\SearchIndexer.exe[3356] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077981c10 5 bytes JMP 0000000077ae02f0 .text C:\Windows\system32\SearchIndexer.exe[3356] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077981c20 5 bytes JMP 0000000077ae0350 .text C:\Windows\system32\SearchIndexer.exe[3356] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077981c80 5 bytes JMP 0000000077ae0290 .text C:\Windows\system32\SearchIndexer.exe[3356] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077981d10 5 bytes JMP 0000000077ae02b0 .text C:\Windows\system32\SearchIndexer.exe[3356] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077981d30 5 bytes JMP 0000000077ae03d0 .text C:\Windows\system32\SearchIndexer.exe[3356] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077981d40 5 bytes JMP 0000000077ae0330 .text C:\Windows\system32\SearchIndexer.exe[3356] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077981db0 5 bytes JMP 0000000077ae0410 .text C:\Windows\system32\SearchIndexer.exe[3356] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077981de0 5 bytes JMP 0000000077ae0240 .text C:\Windows\system32\SearchIndexer.exe[3356] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000779820a0 5 bytes JMP 0000000077ae01e0 .text C:\Windows\system32\SearchIndexer.exe[3356] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077982160 5 bytes JMP 0000000077ae0250 .text C:\Windows\system32\SearchIndexer.exe[3356] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077982190 5 bytes JMP 0000000077ae0490 .text C:\Windows\system32\SearchIndexer.exe[3356] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000779821a0 5 bytes JMP 0000000077ae04a0 .text C:\Windows\system32\SearchIndexer.exe[3356] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000779821d0 5 bytes JMP 0000000077ae0300 .text C:\Windows\system32\SearchIndexer.exe[3356] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000779821e0 5 bytes JMP 0000000077ae0360 .text C:\Windows\system32\SearchIndexer.exe[3356] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077982240 5 bytes JMP 0000000077ae02a0 .text C:\Windows\system32\SearchIndexer.exe[3356] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077982290 5 bytes JMP 0000000077ae02c0 .text C:\Windows\system32\SearchIndexer.exe[3356] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000779822c0 5 bytes JMP 0000000077ae0380 .text C:\Windows\system32\SearchIndexer.exe[3356] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000779822d0 5 bytes JMP 0000000077ae0340 .text C:\Windows\system32\SearchIndexer.exe[3356] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000779825c0 5 bytes JMP 0000000077ae0440 .text C:\Windows\system32\SearchIndexer.exe[3356] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000779827c0 5 bytes JMP 0000000077ae0260 .text C:\Windows\system32\SearchIndexer.exe[3356] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000779827d0 5 bytes JMP 0000000077ae0270 .text C:\Windows\system32\SearchIndexer.exe[3356] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000779827e0 5 bytes JMP 0000000077ae0400 .text C:\Windows\system32\SearchIndexer.exe[3356] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000779829a0 5 bytes JMP 0000000077ae01f0 .text C:\Windows\system32\SearchIndexer.exe[3356] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000779829b0 5 bytes JMP 0000000077ae0210 .text C:\Windows\system32\SearchIndexer.exe[3356] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077982a20 5 bytes JMP 0000000077ae0200 .text C:\Windows\system32\SearchIndexer.exe[3356] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077982a80 5 bytes JMP 0000000077ae0420 .text C:\Windows\system32\SearchIndexer.exe[3356] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077982a90 5 bytes JMP 0000000077ae0430 .text C:\Windows\system32\SearchIndexer.exe[3356] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077982aa0 5 bytes JMP 0000000077ae0220 .text C:\Windows\system32\SearchIndexer.exe[3356] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077982b80 5 bytes JMP 0000000077ae0280 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3516] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077981360 5 bytes JMP 0000000077ae0460 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3516] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000779813b0 5 bytes JMP 0000000077ae0450 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3516] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077981510 5 bytes JMP 0000000077ae0370 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3516] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077981560 5 bytes JMP 0000000077ae0470 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3516] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077981570 5 bytes JMP 0000000077ae03e0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3516] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077981620 5 bytes JMP 0000000077ae0320 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3516] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077981650 5 bytes JMP 0000000077ae03b0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3516] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077981670 5 bytes JMP 0000000077ae0390 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3516] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000779816b0 5 bytes JMP 0000000077ae02e0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3516] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077981730 5 bytes JMP 0000000077ae02d0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3516] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077981750 5 bytes JMP 0000000077ae0310 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3516] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077981790 5 bytes JMP 0000000077ae03c0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3516] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000779817e0 5 bytes JMP 0000000077ae03f0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3516] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077981940 5 bytes JMP 0000000077ae0230 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3516] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077981b00 5 bytes JMP 0000000077ae0480 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3516] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077981b30 5 bytes JMP 0000000077ae03a0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3516] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077981c10 5 bytes JMP 0000000077ae02f0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3516] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077981c20 5 bytes JMP 0000000077ae0350 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3516] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077981c80 5 bytes JMP 0000000077ae0290 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3516] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077981d10 5 bytes JMP 0000000077ae02b0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3516] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077981d30 5 bytes JMP 0000000077ae03d0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3516] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077981d40 5 bytes JMP 0000000077ae0330 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3516] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077981db0 5 bytes JMP 0000000077ae0410 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3516] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077981de0 5 bytes JMP 0000000077ae0240 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3516] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000779820a0 5 bytes JMP 0000000077ae01e0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3516] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077982160 5 bytes JMP 0000000077ae0250 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3516] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077982190 5 bytes JMP 0000000077ae0490 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3516] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000779821a0 5 bytes JMP 0000000077ae04a0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3516] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000779821d0 5 bytes JMP 0000000077ae0300 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3516] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000779821e0 5 bytes JMP 0000000077ae0360 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3516] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077982240 5 bytes JMP 0000000077ae02a0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3516] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077982290 5 bytes JMP 0000000077ae02c0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3516] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000779822c0 5 bytes JMP 0000000077ae0380 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3516] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000779822d0 5 bytes JMP 0000000077ae0340 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3516] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000779825c0 5 bytes JMP 0000000077ae0440 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3516] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000779827c0 5 bytes JMP 0000000077ae0260 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3516] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000779827d0 5 bytes JMP 0000000077ae0270 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3516] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000779827e0 5 bytes JMP 0000000077ae0400 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3516] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000779829a0 5 bytes JMP 0000000077ae01f0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3516] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000779829b0 5 bytes JMP 0000000077ae0210 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3516] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077982a20 5 bytes JMP 0000000077ae0200 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3516] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077982a80 5 bytes JMP 0000000077ae0420 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3516] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077982a90 5 bytes JMP 0000000077ae0430 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3516] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077982aa0 5 bytes JMP 0000000077ae0220 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3516] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077982b80 5 bytes JMP 0000000077ae0280 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3516] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007786ef8d 1 byte [62] .text C:\Windows\vVX3000.exe[3632] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000075bda2fd 1 byte [62] .text C:\Windows\system32\SearchProtocolHost.exe[4084] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077981360 5 bytes JMP 0000000077ae0460 .text C:\Windows\system32\SearchProtocolHost.exe[4084] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000779813b0 5 bytes JMP 0000000077ae0450 .text C:\Windows\system32\SearchProtocolHost.exe[4084] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077981510 5 bytes JMP 0000000077ae0370 .text C:\Windows\system32\SearchProtocolHost.exe[4084] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077981560 5 bytes JMP 0000000077ae0470 .text C:\Windows\system32\SearchProtocolHost.exe[4084] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077981570 5 bytes JMP 0000000077ae03e0 .text C:\Windows\system32\SearchProtocolHost.exe[4084] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077981620 5 bytes JMP 0000000077ae0320 .text C:\Windows\system32\SearchProtocolHost.exe[4084] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077981650 5 bytes JMP 0000000077ae03b0 .text C:\Windows\system32\SearchProtocolHost.exe[4084] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077981670 5 bytes JMP 0000000077ae0390 .text C:\Windows\system32\SearchProtocolHost.exe[4084] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000779816b0 5 bytes JMP 0000000077ae02e0 .text C:\Windows\system32\SearchProtocolHost.exe[4084] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077981730 5 bytes JMP 0000000077ae02d0 .text C:\Windows\system32\SearchProtocolHost.exe[4084] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077981750 5 bytes JMP 0000000077ae0310 .text C:\Windows\system32\SearchProtocolHost.exe[4084] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077981790 5 bytes JMP 0000000077ae03c0 .text C:\Windows\system32\SearchProtocolHost.exe[4084] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000779817e0 5 bytes JMP 0000000077ae03f0 .text C:\Windows\system32\SearchProtocolHost.exe[4084] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077981940 5 bytes JMP 0000000077ae0230 .text C:\Windows\system32\SearchProtocolHost.exe[4084] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077981b00 5 bytes JMP 0000000077ae0480 .text C:\Windows\system32\SearchProtocolHost.exe[4084] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077981b30 5 bytes JMP 0000000077ae03a0 .text C:\Windows\system32\SearchProtocolHost.exe[4084] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077981c10 5 bytes JMP 0000000077ae02f0 .text C:\Windows\system32\SearchProtocolHost.exe[4084] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077981c20 5 bytes JMP 0000000077ae0350 .text C:\Windows\system32\SearchProtocolHost.exe[4084] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077981c80 5 bytes JMP 0000000077ae0290 .text C:\Windows\system32\SearchProtocolHost.exe[4084] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077981d10 5 bytes JMP 0000000077ae02b0 .text C:\Windows\system32\SearchProtocolHost.exe[4084] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077981d30 5 bytes JMP 0000000077ae03d0 .text C:\Windows\system32\SearchProtocolHost.exe[4084] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077981d40 5 bytes JMP 0000000077ae0330 .text C:\Windows\system32\SearchProtocolHost.exe[4084] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077981db0 5 bytes JMP 0000000077ae0410 .text C:\Windows\system32\SearchProtocolHost.exe[4084] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077981de0 5 bytes JMP 0000000077ae0240 .text C:\Windows\system32\SearchProtocolHost.exe[4084] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000779820a0 5 bytes JMP 0000000077ae01e0 .text C:\Windows\system32\SearchProtocolHost.exe[4084] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077982160 5 bytes JMP 0000000077ae0250 .text C:\Windows\system32\SearchProtocolHost.exe[4084] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077982190 5 bytes JMP 0000000077ae0490 .text C:\Windows\system32\SearchProtocolHost.exe[4084] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000779821a0 5 bytes JMP 0000000077ae04a0 .text C:\Windows\system32\SearchProtocolHost.exe[4084] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000779821d0 5 bytes JMP 0000000077ae0300 .text C:\Windows\system32\SearchProtocolHost.exe[4084] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000779821e0 5 bytes JMP 0000000077ae0360 .text C:\Windows\system32\SearchProtocolHost.exe[4084] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077982240 5 bytes JMP 0000000077ae02a0 .text C:\Windows\system32\SearchProtocolHost.exe[4084] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077982290 5 bytes JMP 0000000077ae02c0 .text C:\Windows\system32\SearchProtocolHost.exe[4084] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000779822c0 5 bytes JMP 0000000077ae0380 .text C:\Windows\system32\SearchProtocolHost.exe[4084] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000779822d0 5 bytes JMP 0000000077ae0340 .text C:\Windows\system32\SearchProtocolHost.exe[4084] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000779825c0 5 bytes JMP 0000000077ae0440 .text C:\Windows\system32\SearchProtocolHost.exe[4084] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000779827c0 5 bytes JMP 0000000077ae0260 .text C:\Windows\system32\SearchProtocolHost.exe[4084] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000779827d0 5 bytes JMP 0000000077ae0270 .text C:\Windows\system32\SearchProtocolHost.exe[4084] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000779827e0 5 bytes JMP 0000000077ae0400 .text C:\Windows\system32\SearchProtocolHost.exe[4084] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000779829a0 5 bytes JMP 0000000077ae01f0 .text C:\Windows\system32\SearchProtocolHost.exe[4084] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000779829b0 5 bytes JMP 0000000077ae0210 .text C:\Windows\system32\SearchProtocolHost.exe[4084] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077982a20 5 bytes JMP 0000000077ae0200 .text C:\Windows\system32\SearchProtocolHost.exe[4084] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077982a80 5 bytes JMP 0000000077ae0420 .text C:\Windows\system32\SearchProtocolHost.exe[4084] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077982a90 5 bytes JMP 0000000077ae0430 .text C:\Windows\system32\SearchProtocolHost.exe[4084] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077982aa0 5 bytes JMP 0000000077ae0220 .text C:\Windows\system32\SearchProtocolHost.exe[4084] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077982b80 5 bytes JMP 0000000077ae0280 .text C:\Program Files (x86)\FreeAlarmClock\FreeAlarmClock.exe[3932] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000075bda2fd 1 byte [62] .text C:\Program Files (x86)\FreeAlarmClock\FreeAlarmClock.exe[3932] C:\Windows\syswow64\PSAPI.dll!GetModuleInformation + 69 00000000756f1465 2 bytes [6F, 75] .text C:\Program Files (x86)\FreeAlarmClock\FreeAlarmClock.exe[3932] C:\Windows\syswow64\PSAPI.dll!GetModuleInformation + 155 00000000756f14bb 2 bytes [6F, 75] .text ... * 2 .text C:\Windows\system32\svchost.exe[3092] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007786ef8d 1 byte [62] .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[4508] C:\Windows\syswow64\kernel32.dll!SetUnhandledExceptionFilter 0000000075bb8791 8 bytes [31, C0, C2, 04, 00, 90, 90, ...] .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[4508] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000075bda2fd 1 byte [62] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4816] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000075bda2fd 1 byte [62] .text C:\Windows\system32\wbem\wmiprvse.exe[5036] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077981360 5 bytes JMP 0000000077ae0460 .text C:\Windows\system32\wbem\wmiprvse.exe[5036] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000779813b0 5 bytes JMP 0000000077ae0450 .text C:\Windows\system32\wbem\wmiprvse.exe[5036] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077981510 5 bytes JMP 0000000077ae0370 .text C:\Windows\system32\wbem\wmiprvse.exe[5036] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077981560 5 bytes JMP 0000000077ae0470 .text C:\Windows\system32\wbem\wmiprvse.exe[5036] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077981570 5 bytes JMP 0000000077ae03e0 .text C:\Windows\system32\wbem\wmiprvse.exe[5036] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077981620 5 bytes JMP 0000000077ae0320 .text C:\Windows\system32\wbem\wmiprvse.exe[5036] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077981650 5 bytes JMP 0000000077ae03b0 .text C:\Windows\system32\wbem\wmiprvse.exe[5036] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077981670 5 bytes JMP 0000000077ae0390 .text C:\Windows\system32\wbem\wmiprvse.exe[5036] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000779816b0 5 bytes JMP 0000000077ae02e0 .text C:\Windows\system32\wbem\wmiprvse.exe[5036] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077981730 5 bytes JMP 0000000077ae02d0 .text C:\Windows\system32\wbem\wmiprvse.exe[5036] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077981750 5 bytes JMP 0000000077ae0310 .text C:\Windows\system32\wbem\wmiprvse.exe[5036] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077981790 5 bytes JMP 0000000077ae03c0 .text C:\Windows\system32\wbem\wmiprvse.exe[5036] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000779817e0 5 bytes JMP 0000000077ae03f0 .text C:\Windows\system32\wbem\wmiprvse.exe[5036] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077981940 5 bytes JMP 0000000077ae0230 .text C:\Windows\system32\wbem\wmiprvse.exe[5036] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077981b00 5 bytes JMP 0000000077ae0480 .text C:\Windows\system32\wbem\wmiprvse.exe[5036] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077981b30 5 bytes JMP 0000000077ae03a0 .text C:\Windows\system32\wbem\wmiprvse.exe[5036] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077981c10 5 bytes JMP 0000000077ae02f0 .text C:\Windows\system32\wbem\wmiprvse.exe[5036] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077981c20 5 bytes JMP 0000000077ae0350 .text C:\Windows\system32\wbem\wmiprvse.exe[5036] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077981c80 5 bytes JMP 0000000077ae0290 .text C:\Windows\system32\wbem\wmiprvse.exe[5036] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077981d10 5 bytes JMP 0000000077ae02b0 .text C:\Windows\system32\wbem\wmiprvse.exe[5036] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077981d30 5 bytes JMP 0000000077ae03d0 .text C:\Windows\system32\wbem\wmiprvse.exe[5036] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077981d40 5 bytes JMP 0000000077ae0330 .text C:\Windows\system32\wbem\wmiprvse.exe[5036] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077981db0 5 bytes JMP 0000000077ae0410 .text C:\Windows\system32\wbem\wmiprvse.exe[5036] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077981de0 5 bytes JMP 0000000077ae0240 .text C:\Windows\system32\wbem\wmiprvse.exe[5036] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000779820a0 5 bytes JMP 0000000077ae01e0 .text C:\Windows\system32\wbem\wmiprvse.exe[5036] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077982160 5 bytes JMP 0000000077ae0250 .text C:\Windows\system32\wbem\wmiprvse.exe[5036] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077982190 5 bytes JMP 0000000077ae0490 .text C:\Windows\system32\wbem\wmiprvse.exe[5036] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000779821a0 5 bytes JMP 0000000077ae04a0 .text C:\Windows\system32\wbem\wmiprvse.exe[5036] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000779821d0 5 bytes JMP 0000000077ae0300 .text C:\Windows\system32\wbem\wmiprvse.exe[5036] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000779821e0 5 bytes JMP 0000000077ae0360 .text C:\Windows\system32\wbem\wmiprvse.exe[5036] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077982240 5 bytes JMP 0000000077ae02a0 .text C:\Windows\system32\wbem\wmiprvse.exe[5036] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077982290 5 bytes JMP 0000000077ae02c0 .text C:\Windows\system32\wbem\wmiprvse.exe[5036] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000779822c0 5 bytes JMP 0000000077ae0380 .text C:\Windows\system32\wbem\wmiprvse.exe[5036] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000779822d0 5 bytes JMP 0000000077ae0340 .text C:\Windows\system32\wbem\wmiprvse.exe[5036] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000779825c0 5 bytes JMP 0000000077ae0440 .text C:\Windows\system32\wbem\wmiprvse.exe[5036] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000779827c0 5 bytes JMP 0000000077ae0260 .text C:\Windows\system32\wbem\wmiprvse.exe[5036] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000779827d0 5 bytes JMP 0000000077ae0270 .text C:\Windows\system32\wbem\wmiprvse.exe[5036] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000779827e0 5 bytes JMP 0000000077ae0400 .text C:\Windows\system32\wbem\wmiprvse.exe[5036] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000779829a0 5 bytes JMP 0000000077ae01f0 .text C:\Windows\system32\wbem\wmiprvse.exe[5036] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000779829b0 5 bytes JMP 0000000077ae0210 .text C:\Windows\system32\wbem\wmiprvse.exe[5036] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077982a20 5 bytes JMP 0000000077ae0200 .text C:\Windows\system32\wbem\wmiprvse.exe[5036] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077982a80 5 bytes JMP 0000000077ae0420 .text C:\Windows\system32\wbem\wmiprvse.exe[5036] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077982a90 5 bytes JMP 0000000077ae0430 .text C:\Windows\system32\wbem\wmiprvse.exe[5036] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077982aa0 5 bytes JMP 0000000077ae0220 .text C:\Windows\system32\wbem\wmiprvse.exe[5036] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077982b80 5 bytes JMP 0000000077ae0280 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[4252] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077981360 5 bytes JMP 0000000077ae0460 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[4252] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000779813b0 5 bytes JMP 0000000077ae0450 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[4252] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077981510 5 bytes JMP 0000000077ae0370 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[4252] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077981560 5 bytes JMP 0000000077ae0470 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[4252] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077981570 5 bytes JMP 0000000077ae03e0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[4252] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077981620 5 bytes JMP 0000000077ae0320 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[4252] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077981650 5 bytes JMP 0000000077ae03b0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[4252] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077981670 5 bytes JMP 0000000077ae0390 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[4252] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000779816b0 5 bytes JMP 0000000077ae02e0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[4252] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077981730 5 bytes JMP 0000000077ae02d0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[4252] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077981750 5 bytes JMP 0000000077ae0310 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[4252] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077981790 5 bytes JMP 0000000077ae03c0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[4252] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000779817e0 5 bytes JMP 0000000077ae03f0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[4252] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077981940 5 bytes JMP 0000000077ae0230 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[4252] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077981b00 5 bytes JMP 0000000077ae0480 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[4252] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077981b30 5 bytes JMP 0000000077ae03a0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[4252] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077981c10 5 bytes JMP 0000000077ae02f0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[4252] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077981c20 5 bytes JMP 0000000077ae0350 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[4252] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077981c80 5 bytes JMP 0000000077ae0290 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[4252] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077981d10 5 bytes JMP 0000000077ae02b0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[4252] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077981d30 5 bytes JMP 0000000077ae03d0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[4252] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077981d40 5 bytes JMP 0000000077ae0330 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[4252] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077981db0 5 bytes JMP 0000000077ae0410 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[4252] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077981de0 5 bytes JMP 0000000077ae0240 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[4252] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000779820a0 5 bytes JMP 0000000077ae01e0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[4252] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077982160 5 bytes JMP 0000000077ae0250 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[4252] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077982190 5 bytes JMP 0000000077ae0490 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[4252] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000779821a0 5 bytes JMP 0000000077ae04a0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[4252] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000779821d0 5 bytes JMP 0000000077ae0300 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[4252] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000779821e0 5 bytes JMP 0000000077ae0360 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[4252] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077982240 5 bytes JMP 0000000077ae02a0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[4252] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077982290 5 bytes JMP 0000000077ae02c0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[4252] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000779822c0 5 bytes JMP 0000000077ae0380 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[4252] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000779822d0 5 bytes JMP 0000000077ae0340 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[4252] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000779825c0 5 bytes JMP 0000000077ae0440 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[4252] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000779827c0 5 bytes JMP 0000000077ae0260 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[4252] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000779827d0 5 bytes JMP 0000000077ae0270 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[4252] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000779827e0 5 bytes JMP 0000000077ae0400 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[4252] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000779829a0 5 bytes JMP 0000000077ae01f0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[4252] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000779829b0 5 bytes JMP 0000000077ae0210 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[4252] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077982a20 5 bytes JMP 0000000077ae0200 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[4252] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077982a80 5 bytes JMP 0000000077ae0420 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[4252] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077982a90 5 bytes JMP 0000000077ae0430 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[4252] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077982aa0 5 bytes JMP 0000000077ae0220 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[4252] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077982b80 5 bytes JMP 0000000077ae0280 .text C:\Program Files (x86)\Common Files\MAGIX Services\Database\bin\FABS.exe[5904] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000075bda2fd 1 byte [62] .text C:\Program Files\cFosSpeed\spd.exe[3268] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077981360 5 bytes JMP 0000000077ae0460 .text C:\Program Files\cFosSpeed\spd.exe[3268] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000779813b0 5 bytes JMP 0000000077ae0450 .text C:\Program Files\cFosSpeed\spd.exe[3268] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077981510 5 bytes JMP 0000000077ae0370 .text C:\Program Files\cFosSpeed\spd.exe[3268] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077981560 5 bytes JMP 0000000077ae0470 .text C:\Program Files\cFosSpeed\spd.exe[3268] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077981570 5 bytes JMP 0000000077ae03e0 .text C:\Program Files\cFosSpeed\spd.exe[3268] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077981620 5 bytes JMP 0000000077ae0320 .text C:\Program Files\cFosSpeed\spd.exe[3268] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077981650 5 bytes JMP 0000000077ae03b0 .text C:\Program Files\cFosSpeed\spd.exe[3268] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077981670 5 bytes JMP 0000000077ae0390 .text C:\Program Files\cFosSpeed\spd.exe[3268] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000779816b0 5 bytes JMP 0000000077ae02e0 .text C:\Program Files\cFosSpeed\spd.exe[3268] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077981730 5 bytes JMP 0000000077ae02d0 .text C:\Program Files\cFosSpeed\spd.exe[3268] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077981750 5 bytes JMP 0000000077ae0310 .text C:\Program Files\cFosSpeed\spd.exe[3268] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077981790 5 bytes JMP 0000000077ae03c0 .text C:\Program Files\cFosSpeed\spd.exe[3268] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000779817e0 5 bytes JMP 0000000077ae03f0 .text C:\Program Files\cFosSpeed\spd.exe[3268] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077981940 5 bytes JMP 0000000077ae0230 .text C:\Program Files\cFosSpeed\spd.exe[3268] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077981b00 5 bytes JMP 0000000077ae0480 .text C:\Program Files\cFosSpeed\spd.exe[3268] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077981b30 5 bytes JMP 0000000077ae03a0 .text C:\Program Files\cFosSpeed\spd.exe[3268] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077981c10 5 bytes JMP 0000000077ae02f0 .text C:\Program Files\cFosSpeed\spd.exe[3268] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077981c20 5 bytes JMP 0000000077ae0350 .text C:\Program Files\cFosSpeed\spd.exe[3268] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077981c80 5 bytes JMP 0000000077ae0290 .text C:\Program Files\cFosSpeed\spd.exe[3268] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077981d10 5 bytes JMP 0000000077ae02b0 .text C:\Program Files\cFosSpeed\spd.exe[3268] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077981d30 5 bytes JMP 0000000077ae03d0 .text C:\Program Files\cFosSpeed\spd.exe[3268] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077981d40 5 bytes JMP 0000000077ae0330 .text C:\Program Files\cFosSpeed\spd.exe[3268] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077981db0 5 bytes JMP 0000000077ae0410 .text C:\Program Files\cFosSpeed\spd.exe[3268] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077981de0 5 bytes JMP 0000000077ae0240 .text C:\Program Files\cFosSpeed\spd.exe[3268] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000779820a0 5 bytes JMP 0000000077ae01e0 .text C:\Program Files\cFosSpeed\spd.exe[3268] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077982160 5 bytes JMP 0000000077ae0250 .text C:\Program Files\cFosSpeed\spd.exe[3268] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077982190 5 bytes JMP 0000000077ae0490 .text C:\Program Files\cFosSpeed\spd.exe[3268] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000779821a0 5 bytes JMP 0000000077ae04a0 .text C:\Program Files\cFosSpeed\spd.exe[3268] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000779821d0 5 bytes JMP 0000000077ae0300 .text C:\Program Files\cFosSpeed\spd.exe[3268] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000779821e0 5 bytes JMP 0000000077ae0360 .text C:\Program Files\cFosSpeed\spd.exe[3268] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077982240 5 bytes JMP 0000000077ae02a0 .text C:\Program Files\cFosSpeed\spd.exe[3268] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077982290 5 bytes JMP 0000000077ae02c0 .text C:\Program Files\cFosSpeed\spd.exe[3268] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000779822c0 5 bytes JMP 0000000077ae0380 .text C:\Program Files\cFosSpeed\spd.exe[3268] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000779822d0 5 bytes JMP 0000000077ae0340 .text C:\Program Files\cFosSpeed\spd.exe[3268] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000779825c0 5 bytes JMP 0000000077ae0440 .text C:\Program Files\cFosSpeed\spd.exe[3268] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000779827c0 5 bytes JMP 0000000077ae0260 .text C:\Program Files\cFosSpeed\spd.exe[3268] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000779827d0 5 bytes JMP 0000000077ae0270 .text C:\Program Files\cFosSpeed\spd.exe[3268] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000779827e0 5 bytes JMP 0000000077ae0400 .text C:\Program Files\cFosSpeed\spd.exe[3268] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000779829a0 5 bytes JMP 0000000077ae01f0 .text C:\Program Files\cFosSpeed\spd.exe[3268] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000779829b0 5 bytes JMP 0000000077ae0210 .text C:\Program Files\cFosSpeed\spd.exe[3268] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077982a20 5 bytes JMP 0000000077ae0200 .text C:\Program Files\cFosSpeed\spd.exe[3268] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077982a80 5 bytes JMP 0000000077ae0420 .text C:\Program Files\cFosSpeed\spd.exe[3268] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077982a90 5 bytes JMP 0000000077ae0430 .text C:\Program Files\cFosSpeed\spd.exe[3268] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077982aa0 5 bytes JMP 0000000077ae0220 .text C:\Program Files\cFosSpeed\spd.exe[3268] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077982b80 5 bytes JMP 0000000077ae0280 .text C:\Program Files\cFosSpeed\spd.exe[3268] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007786ef8d 1 byte [62] .text C:\Program Files\cFosSpeed\cFosSpeed.exe[3608] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077981360 5 bytes JMP 0000000077ae0460 .text C:\Program Files\cFosSpeed\cFosSpeed.exe[3608] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000779813b0 5 bytes JMP 0000000077ae0450 .text C:\Program Files\cFosSpeed\cFosSpeed.exe[3608] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077981510 5 bytes JMP 0000000077ae0370 .text C:\Program Files\cFosSpeed\cFosSpeed.exe[3608] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077981560 5 bytes JMP 0000000077ae0470 .text C:\Program Files\cFosSpeed\cFosSpeed.exe[3608] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077981570 5 bytes JMP 0000000077ae03e0 .text C:\Program Files\cFosSpeed\cFosSpeed.exe[3608] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077981620 5 bytes JMP 0000000077ae0320 .text C:\Program Files\cFosSpeed\cFosSpeed.exe[3608] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077981650 5 bytes JMP 0000000077ae03b0 .text C:\Program Files\cFosSpeed\cFosSpeed.exe[3608] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077981670 5 bytes JMP 0000000077ae0390 .text C:\Program Files\cFosSpeed\cFosSpeed.exe[3608] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000779816b0 5 bytes JMP 0000000077ae02e0 .text C:\Program Files\cFosSpeed\cFosSpeed.exe[3608] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077981730 5 bytes JMP 0000000077ae02d0 .text C:\Program Files\cFosSpeed\cFosSpeed.exe[3608] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077981750 5 bytes JMP 0000000077ae0310 .text C:\Program Files\cFosSpeed\cFosSpeed.exe[3608] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077981790 5 bytes JMP 0000000077ae03c0 .text C:\Program Files\cFosSpeed\cFosSpeed.exe[3608] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000779817e0 5 bytes JMP 0000000077ae03f0 .text C:\Program Files\cFosSpeed\cFosSpeed.exe[3608] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077981940 5 bytes JMP 0000000077ae0230 .text C:\Program Files\cFosSpeed\cFosSpeed.exe[3608] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077981b00 5 bytes JMP 0000000077ae0480 .text C:\Program Files\cFosSpeed\cFosSpeed.exe[3608] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077981b30 5 bytes JMP 0000000077ae03a0 .text C:\Program Files\cFosSpeed\cFosSpeed.exe[3608] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077981c10 5 bytes JMP 0000000077ae02f0 .text C:\Program Files\cFosSpeed\cFosSpeed.exe[3608] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077981c20 5 bytes JMP 0000000077ae0350 .text C:\Program Files\cFosSpeed\cFosSpeed.exe[3608] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077981c80 5 bytes JMP 0000000077ae0290 .text C:\Program Files\cFosSpeed\cFosSpeed.exe[3608] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077981d10 5 bytes JMP 0000000077ae02b0 .text C:\Program Files\cFosSpeed\cFosSpeed.exe[3608] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077981d30 5 bytes JMP 0000000077ae03d0 .text C:\Program Files\cFosSpeed\cFosSpeed.exe[3608] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077981d40 5 bytes JMP 0000000077ae0330 .text C:\Program Files\cFosSpeed\cFosSpeed.exe[3608] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077981db0 5 bytes JMP 0000000077ae0410 .text C:\Program Files\cFosSpeed\cFosSpeed.exe[3608] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077981de0 5 bytes JMP 0000000077ae0240 .text C:\Program Files\cFosSpeed\cFosSpeed.exe[3608] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000779820a0 5 bytes JMP 0000000077ae01e0 .text C:\Program Files\cFosSpeed\cFosSpeed.exe[3608] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077982160 5 bytes JMP 0000000077ae0250 .text C:\Program Files\cFosSpeed\cFosSpeed.exe[3608] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077982190 5 bytes JMP 0000000077ae0490 .text C:\Program Files\cFosSpeed\cFosSpeed.exe[3608] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000779821a0 5 bytes JMP 0000000077ae04a0 .text C:\Program Files\cFosSpeed\cFosSpeed.exe[3608] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000779821d0 5 bytes JMP 0000000077ae0300 .text C:\Program Files\cFosSpeed\cFosSpeed.exe[3608] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000779821e0 5 bytes JMP 0000000077ae0360 .text C:\Program Files\cFosSpeed\cFosSpeed.exe[3608] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077982240 5 bytes JMP 0000000077ae02a0 .text C:\Program Files\cFosSpeed\cFosSpeed.exe[3608] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077982290 5 bytes JMP 0000000077ae02c0 .text C:\Program Files\cFosSpeed\cFosSpeed.exe[3608] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000779822c0 5 bytes JMP 0000000077ae0380 .text C:\Program Files\cFosSpeed\cFosSpeed.exe[3608] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000779822d0 5 bytes JMP 0000000077ae0340 .text C:\Program Files\cFosSpeed\cFosSpeed.exe[3608] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000779825c0 5 bytes JMP 0000000077ae0440 .text C:\Program Files\cFosSpeed\cFosSpeed.exe[3608] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000779827c0 5 bytes JMP 0000000077ae0260 .text C:\Program Files\cFosSpeed\cFosSpeed.exe[3608] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000779827d0 5 bytes JMP 0000000077ae0270 .text C:\Program Files\cFosSpeed\cFosSpeed.exe[3608] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000779827e0 5 bytes JMP 0000000077ae0400 .text C:\Program Files\cFosSpeed\cFosSpeed.exe[3608] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000779829a0 5 bytes JMP 0000000077ae01f0 .text C:\Program Files\cFosSpeed\cFosSpeed.exe[3608] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000779829b0 5 bytes JMP 0000000077ae0210 .text C:\Program Files\cFosSpeed\cFosSpeed.exe[3608] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077982a20 5 bytes JMP 0000000077ae0200 .text C:\Program Files\cFosSpeed\cFosSpeed.exe[3608] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077982a80 5 bytes JMP 0000000077ae0420 .text C:\Program Files\cFosSpeed\cFosSpeed.exe[3608] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077982a90 5 bytes JMP 0000000077ae0430 .text C:\Program Files\cFosSpeed\cFosSpeed.exe[3608] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077982aa0 5 bytes JMP 0000000077ae0220 .text C:\Program Files\cFosSpeed\cFosSpeed.exe[3608] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077982b80 5 bytes JMP 0000000077ae0280 .text C:\Program Files\cFosSpeed\cFosSpeed.exe[3608] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007786ef8d 1 byte [62] .text C:\Windows\system32\taskmgr.exe[6000] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077981360 5 bytes JMP 0000000077ae0460 .text C:\Windows\system32\taskmgr.exe[6000] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000779813b0 5 bytes JMP 0000000077ae0450 .text C:\Windows\system32\taskmgr.exe[6000] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077981510 5 bytes JMP 0000000077ae0370 .text C:\Windows\system32\taskmgr.exe[6000] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077981560 5 bytes JMP 0000000077ae0470 .text C:\Windows\system32\taskmgr.exe[6000] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077981570 5 bytes JMP 0000000077ae03e0 .text C:\Windows\system32\taskmgr.exe[6000] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077981620 5 bytes JMP 0000000077ae0320 .text C:\Windows\system32\taskmgr.exe[6000] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077981650 5 bytes JMP 0000000077ae03b0 .text C:\Windows\system32\taskmgr.exe[6000] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077981670 5 bytes JMP 0000000077ae0390 .text C:\Windows\system32\taskmgr.exe[6000] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000779816b0 5 bytes JMP 0000000077ae02e0 .text C:\Windows\system32\taskmgr.exe[6000] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077981730 5 bytes JMP 0000000077ae02d0 .text C:\Windows\system32\taskmgr.exe[6000] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077981750 5 bytes JMP 0000000077ae0310 .text C:\Windows\system32\taskmgr.exe[6000] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077981790 5 bytes JMP 0000000077ae03c0 .text C:\Windows\system32\taskmgr.exe[6000] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000779817e0 5 bytes JMP 0000000077ae03f0 .text C:\Windows\system32\taskmgr.exe[6000] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077981940 5 bytes JMP 0000000077ae0230 .text C:\Windows\system32\taskmgr.exe[6000] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077981b00 5 bytes JMP 0000000077ae0480 .text C:\Windows\system32\taskmgr.exe[6000] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077981b30 5 bytes JMP 0000000077ae03a0 .text C:\Windows\system32\taskmgr.exe[6000] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077981c10 5 bytes JMP 0000000077ae02f0 .text C:\Windows\system32\taskmgr.exe[6000] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077981c20 5 bytes JMP 0000000077ae0350 .text C:\Windows\system32\taskmgr.exe[6000] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077981c80 5 bytes JMP 0000000077ae0290 .text C:\Windows\system32\taskmgr.exe[6000] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077981d10 5 bytes JMP 0000000077ae02b0 .text C:\Windows\system32\taskmgr.exe[6000] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077981d30 5 bytes JMP 0000000077ae03d0 .text C:\Windows\system32\taskmgr.exe[6000] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077981d40 5 bytes JMP 0000000077ae0330 .text C:\Windows\system32\taskmgr.exe[6000] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077981db0 5 bytes JMP 0000000077ae0410 .text C:\Windows\system32\taskmgr.exe[6000] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077981de0 5 bytes JMP 0000000077ae0240 .text C:\Windows\system32\taskmgr.exe[6000] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000779820a0 5 bytes JMP 0000000077ae01e0 .text C:\Windows\system32\taskmgr.exe[6000] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077982160 5 bytes JMP 0000000077ae0250 .text C:\Windows\system32\taskmgr.exe[6000] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077982190 5 bytes JMP 0000000077ae0490 .text C:\Windows\system32\taskmgr.exe[6000] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000779821a0 5 bytes JMP 0000000077ae04a0 .text C:\Windows\system32\taskmgr.exe[6000] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000779821d0 5 bytes JMP 0000000077ae0300 .text C:\Windows\system32\taskmgr.exe[6000] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000779821e0 5 bytes JMP 0000000077ae0360 .text C:\Windows\system32\taskmgr.exe[6000] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077982240 5 bytes JMP 0000000077ae02a0 .text C:\Windows\system32\taskmgr.exe[6000] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077982290 5 bytes JMP 0000000077ae02c0 .text C:\Windows\system32\taskmgr.exe[6000] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000779822c0 5 bytes JMP 0000000077ae0380 .text C:\Windows\system32\taskmgr.exe[6000] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000779822d0 5 bytes JMP 0000000077ae0340 .text C:\Windows\system32\taskmgr.exe[6000] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000779825c0 5 bytes JMP 0000000077ae0440 .text C:\Windows\system32\taskmgr.exe[6000] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000779827c0 5 bytes JMP 0000000077ae0260 .text C:\Windows\system32\taskmgr.exe[6000] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000779827d0 5 bytes JMP 0000000077ae0270 .text C:\Windows\system32\taskmgr.exe[6000] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000779827e0 5 bytes JMP 0000000077ae0400 .text C:\Windows\system32\taskmgr.exe[6000] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000779829a0 5 bytes JMP 0000000077ae01f0 .text C:\Windows\system32\taskmgr.exe[6000] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000779829b0 5 bytes JMP 0000000077ae0210 .text C:\Windows\system32\taskmgr.exe[6000] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077982a20 5 bytes JMP 0000000077ae0200 .text C:\Windows\system32\taskmgr.exe[6000] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077982a80 5 bytes JMP 0000000077ae0420 .text C:\Windows\system32\taskmgr.exe[6000] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077982a90 5 bytes JMP 0000000077ae0430 .text C:\Windows\system32\taskmgr.exe[6000] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077982aa0 5 bytes JMP 0000000077ae0220 .text C:\Windows\system32\taskmgr.exe[6000] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077982b80 5 bytes JMP 0000000077ae0280 .text C:\Windows\system32\taskmgr.exe[6000] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007786ef8d 1 byte [62] .text C:\Windows\System32\svchost.exe[5992] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077981360 5 bytes JMP 0000000077ae0460 .text C:\Windows\System32\svchost.exe[5992] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000779813b0 5 bytes JMP 0000000077ae0450 .text C:\Windows\System32\svchost.exe[5992] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077981510 5 bytes JMP 0000000077ae0370 .text C:\Windows\System32\svchost.exe[5992] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077981560 5 bytes JMP 0000000077ae0470 .text C:\Windows\System32\svchost.exe[5992] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077981570 5 bytes JMP 0000000077ae03e0 .text C:\Windows\System32\svchost.exe[5992] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077981620 5 bytes JMP 0000000077ae0320 .text C:\Windows\System32\svchost.exe[5992] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077981650 5 bytes JMP 0000000077ae03b0 .text C:\Windows\System32\svchost.exe[5992] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077981670 5 bytes JMP 0000000077ae0390 .text C:\Windows\System32\svchost.exe[5992] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000779816b0 5 bytes JMP 0000000077ae02e0 .text C:\Windows\System32\svchost.exe[5992] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077981730 5 bytes JMP 0000000077ae02d0 .text C:\Windows\System32\svchost.exe[5992] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077981750 5 bytes JMP 0000000077ae0310 .text C:\Windows\System32\svchost.exe[5992] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077981790 5 bytes JMP 0000000077ae03c0 .text C:\Windows\System32\svchost.exe[5992] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000779817e0 5 bytes JMP 0000000077ae03f0 .text C:\Windows\System32\svchost.exe[5992] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077981940 5 bytes JMP 0000000077ae0230 .text C:\Windows\System32\svchost.exe[5992] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077981b00 5 bytes JMP 0000000077ae0480 .text C:\Windows\System32\svchost.exe[5992] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077981b30 5 bytes JMP 0000000077ae03a0 .text C:\Windows\System32\svchost.exe[5992] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077981c10 5 bytes JMP 0000000077ae02f0 .text C:\Windows\System32\svchost.exe[5992] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077981c20 5 bytes JMP 0000000077ae0350 .text C:\Windows\System32\svchost.exe[5992] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077981c80 5 bytes JMP 0000000077ae0290 .text C:\Windows\System32\svchost.exe[5992] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077981d10 5 bytes JMP 0000000077ae02b0 .text C:\Windows\System32\svchost.exe[5992] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077981d30 5 bytes JMP 0000000077ae03d0 .text C:\Windows\System32\svchost.exe[5992] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077981d40 5 bytes JMP 0000000077ae0330 .text C:\Windows\System32\svchost.exe[5992] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077981db0 5 bytes JMP 0000000077ae0410 .text C:\Windows\System32\svchost.exe[5992] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077981de0 5 bytes JMP 0000000077ae0240 .text C:\Windows\System32\svchost.exe[5992] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000779820a0 5 bytes JMP 0000000077ae01e0 .text C:\Windows\System32\svchost.exe[5992] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077982160 5 bytes JMP 0000000077ae0250 .text C:\Windows\System32\svchost.exe[5992] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077982190 5 bytes JMP 0000000077ae0490 .text C:\Windows\System32\svchost.exe[5992] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000779821a0 5 bytes JMP 0000000077ae04a0 .text C:\Windows\System32\svchost.exe[5992] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000779821d0 5 bytes JMP 0000000077ae0300 .text C:\Windows\System32\svchost.exe[5992] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000779821e0 5 bytes JMP 0000000077ae0360 .text C:\Windows\System32\svchost.exe[5992] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077982240 5 bytes JMP 0000000077ae02a0 .text C:\Windows\System32\svchost.exe[5992] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077982290 5 bytes JMP 0000000077ae02c0 .text C:\Windows\System32\svchost.exe[5992] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000779822c0 5 bytes JMP 0000000077ae0380 .text C:\Windows\System32\svchost.exe[5992] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000779822d0 5 bytes JMP 0000000077ae0340 .text C:\Windows\System32\svchost.exe[5992] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000779825c0 5 bytes JMP 0000000077ae0440 .text C:\Windows\System32\svchost.exe[5992] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000779827c0 5 bytes JMP 0000000077ae0260 .text C:\Windows\System32\svchost.exe[5992] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000779827d0 5 bytes JMP 0000000077ae0270 .text C:\Windows\System32\svchost.exe[5992] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000779827e0 5 bytes JMP 0000000077ae0400 .text C:\Windows\System32\svchost.exe[5992] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000779829a0 5 bytes JMP 0000000077ae01f0 .text C:\Windows\System32\svchost.exe[5992] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000779829b0 5 bytes JMP 0000000077ae0210 .text C:\Windows\System32\svchost.exe[5992] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077982a20 5 bytes JMP 0000000077ae0200 .text C:\Windows\System32\svchost.exe[5992] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077982a80 5 bytes JMP 0000000077ae0420 .text C:\Windows\System32\svchost.exe[5992] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077982a90 5 bytes JMP 0000000077ae0430 .text C:\Windows\System32\svchost.exe[5992] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077982aa0 5 bytes JMP 0000000077ae0220 .text C:\Windows\System32\svchost.exe[5992] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077982b80 5 bytes JMP 0000000077ae0280 .text C:\Windows\system32\DllHost.exe[3640] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077981360 5 bytes JMP 0000000077ae0460 .text C:\Windows\system32\DllHost.exe[3640] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000779813b0 5 bytes JMP 0000000077ae0450 .text C:\Windows\system32\DllHost.exe[3640] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077981510 5 bytes JMP 0000000077ae0370 .text C:\Windows\system32\DllHost.exe[3640] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077981560 5 bytes JMP 0000000077ae0470 .text C:\Windows\system32\DllHost.exe[3640] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077981570 5 bytes JMP 0000000077ae03e0 .text C:\Windows\system32\DllHost.exe[3640] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077981620 5 bytes JMP 0000000077ae0320 .text C:\Windows\system32\DllHost.exe[3640] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077981650 5 bytes JMP 0000000077ae03b0 .text C:\Windows\system32\DllHost.exe[3640] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077981670 5 bytes JMP 0000000077ae0390 .text C:\Windows\system32\DllHost.exe[3640] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000779816b0 5 bytes JMP 0000000077ae02e0 .text C:\Windows\system32\DllHost.exe[3640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077981730 5 bytes JMP 0000000077ae02d0 .text C:\Windows\system32\DllHost.exe[3640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077981750 5 bytes JMP 0000000077ae0310 .text C:\Windows\system32\DllHost.exe[3640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077981790 5 bytes JMP 0000000077ae03c0 .text C:\Windows\system32\DllHost.exe[3640] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000779817e0 5 bytes JMP 0000000077ae03f0 .text C:\Windows\system32\DllHost.exe[3640] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077981940 5 bytes JMP 0000000077ae0230 .text C:\Windows\system32\DllHost.exe[3640] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077981b00 5 bytes JMP 0000000077ae0480 .text C:\Windows\system32\DllHost.exe[3640] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077981b30 5 bytes JMP 0000000077ae03a0 .text C:\Windows\system32\DllHost.exe[3640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077981c10 5 bytes JMP 0000000077ae02f0 .text C:\Windows\system32\DllHost.exe[3640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077981c20 5 bytes JMP 0000000077ae0350 .text C:\Windows\system32\DllHost.exe[3640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077981c80 5 bytes JMP 0000000077ae0290 .text C:\Windows\system32\DllHost.exe[3640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077981d10 5 bytes JMP 0000000077ae02b0 .text C:\Windows\system32\DllHost.exe[3640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077981d30 5 bytes JMP 0000000077ae03d0 .text C:\Windows\system32\DllHost.exe[3640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077981d40 5 bytes JMP 0000000077ae0330 .text C:\Windows\system32\DllHost.exe[3640] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077981db0 5 bytes JMP 0000000077ae0410 .text C:\Windows\system32\DllHost.exe[3640] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077981de0 5 bytes JMP 0000000077ae0240 .text C:\Windows\system32\DllHost.exe[3640] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000779820a0 5 bytes JMP 0000000077ae01e0 .text C:\Windows\system32\DllHost.exe[3640] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077982160 5 bytes JMP 0000000077ae0250 .text C:\Windows\system32\DllHost.exe[3640] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077982190 5 bytes JMP 0000000077ae0490 .text C:\Windows\system32\DllHost.exe[3640] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000779821a0 5 bytes JMP 0000000077ae04a0 .text C:\Windows\system32\DllHost.exe[3640] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000779821d0 5 bytes JMP 0000000077ae0300 .text C:\Windows\system32\DllHost.exe[3640] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000779821e0 5 bytes JMP 0000000077ae0360 .text C:\Windows\system32\DllHost.exe[3640] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077982240 5 bytes JMP 0000000077ae02a0 .text C:\Windows\system32\DllHost.exe[3640] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077982290 5 bytes JMP 0000000077ae02c0 .text C:\Windows\system32\DllHost.exe[3640] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000779822c0 5 bytes JMP 0000000077ae0380 .text C:\Windows\system32\DllHost.exe[3640] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000779822d0 5 bytes JMP 0000000077ae0340 .text C:\Windows\system32\DllHost.exe[3640] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000779825c0 5 bytes JMP 0000000077ae0440 .text C:\Windows\system32\DllHost.exe[3640] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000779827c0 5 bytes JMP 0000000077ae0260 .text C:\Windows\system32\DllHost.exe[3640] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000779827d0 5 bytes JMP 0000000077ae0270 .text C:\Windows\system32\DllHost.exe[3640] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000779827e0 5 bytes JMP 0000000077ae0400 .text C:\Windows\system32\DllHost.exe[3640] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000779829a0 5 bytes JMP 0000000077ae01f0 .text C:\Windows\system32\DllHost.exe[3640] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000779829b0 5 bytes JMP 0000000077ae0210 .text C:\Windows\system32\DllHost.exe[3640] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077982a20 5 bytes JMP 0000000077ae0200 .text C:\Windows\system32\DllHost.exe[3640] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077982a80 5 bytes JMP 0000000077ae0420 .text C:\Windows\system32\DllHost.exe[3640] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077982a90 5 bytes JMP 0000000077ae0430 .text C:\Windows\system32\DllHost.exe[3640] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077982aa0 5 bytes JMP 0000000077ae0220 .text C:\Windows\system32\DllHost.exe[3640] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077982b80 5 bytes JMP 0000000077ae0280 .text C:\Windows\notepad.exe[3556] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077981360 5 bytes JMP 0000000077ae0460 .text C:\Windows\notepad.exe[3556] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000779813b0 5 bytes JMP 0000000077ae0450 .text C:\Windows\notepad.exe[3556] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077981510 5 bytes JMP 0000000077ae0370 .text C:\Windows\notepad.exe[3556] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077981560 5 bytes JMP 0000000077ae0470 .text C:\Windows\notepad.exe[3556] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077981570 5 bytes JMP 0000000077ae03e0 .text C:\Windows\notepad.exe[3556] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077981620 5 bytes JMP 0000000077ae0320 .text C:\Windows\notepad.exe[3556] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077981650 5 bytes JMP 0000000077ae03b0 .text C:\Windows\notepad.exe[3556] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077981670 5 bytes JMP 0000000077ae0390 .text C:\Windows\notepad.exe[3556] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000779816b0 5 bytes JMP 0000000077ae02e0 .text C:\Windows\notepad.exe[3556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077981730 5 bytes JMP 0000000077ae02d0 .text C:\Windows\notepad.exe[3556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077981750 5 bytes JMP 0000000077ae0310 .text C:\Windows\notepad.exe[3556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077981790 5 bytes JMP 0000000077ae03c0 .text C:\Windows\notepad.exe[3556] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000779817e0 5 bytes JMP 0000000077ae03f0 .text C:\Windows\notepad.exe[3556] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077981940 5 bytes JMP 0000000077ae0230 .text C:\Windows\notepad.exe[3556] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077981b00 5 bytes JMP 0000000077ae0480 .text C:\Windows\notepad.exe[3556] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077981b30 5 bytes JMP 0000000077ae03a0 .text C:\Windows\notepad.exe[3556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077981c10 5 bytes JMP 0000000077ae02f0 .text C:\Windows\notepad.exe[3556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077981c20 5 bytes JMP 0000000077ae0350 .text C:\Windows\notepad.exe[3556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077981c80 5 bytes JMP 0000000077ae0290 .text C:\Windows\notepad.exe[3556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077981d10 5 bytes JMP 0000000077ae02b0 .text C:\Windows\notepad.exe[3556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077981d30 5 bytes JMP 0000000077ae03d0 .text C:\Windows\notepad.exe[3556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077981d40 5 bytes JMP 0000000077ae0330 .text C:\Windows\notepad.exe[3556] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077981db0 5 bytes JMP 0000000077ae0410 .text C:\Windows\notepad.exe[3556] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077981de0 5 bytes JMP 0000000077ae0240 .text C:\Windows\notepad.exe[3556] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000779820a0 5 bytes JMP 0000000077ae01e0 .text C:\Windows\notepad.exe[3556] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077982160 5 bytes JMP 0000000077ae0250 .text C:\Windows\notepad.exe[3556] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077982190 5 bytes JMP 0000000077ae0490 .text C:\Windows\notepad.exe[3556] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000779821a0 5 bytes JMP 0000000077ae04a0 .text C:\Windows\notepad.exe[3556] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000779821d0 5 bytes JMP 0000000077ae0300 .text C:\Windows\notepad.exe[3556] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000779821e0 5 bytes JMP 0000000077ae0360 .text C:\Windows\notepad.exe[3556] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077982240 5 bytes JMP 0000000077ae02a0 .text C:\Windows\notepad.exe[3556] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077982290 5 bytes JMP 0000000077ae02c0 .text C:\Windows\notepad.exe[3556] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000779822c0 5 bytes JMP 0000000077ae0380 .text C:\Windows\notepad.exe[3556] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000779822d0 5 bytes JMP 0000000077ae0340 .text C:\Windows\notepad.exe[3556] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000779825c0 5 bytes JMP 0000000077ae0440 .text C:\Windows\notepad.exe[3556] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000779827c0 5 bytes JMP 0000000077ae0260 .text C:\Windows\notepad.exe[3556] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000779827d0 5 bytes JMP 0000000077ae0270 .text C:\Windows\notepad.exe[3556] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000779827e0 5 bytes JMP 0000000077ae0400 .text C:\Windows\notepad.exe[3556] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000779829a0 5 bytes JMP 0000000077ae01f0 .text C:\Windows\notepad.exe[3556] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000779829b0 5 bytes JMP 0000000077ae0210 .text C:\Windows\notepad.exe[3556] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077982a20 5 bytes JMP 0000000077ae0200 .text C:\Windows\notepad.exe[3556] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077982a80 5 bytes JMP 0000000077ae0420 .text C:\Windows\notepad.exe[3556] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077982a90 5 bytes JMP 0000000077ae0430 .text C:\Windows\notepad.exe[3556] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077982aa0 5 bytes JMP 0000000077ae0220 .text C:\Windows\notepad.exe[3556] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077982b80 5 bytes JMP 0000000077ae0280 .text C:\Windows\notepad.exe[3556] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007786ef8d 1 byte [62] .text C:\Windows\system32\msiexec.exe[3624] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077981360 5 bytes JMP 0000000077ae0460 .text C:\Windows\system32\msiexec.exe[3624] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000779813b0 5 bytes JMP 0000000077ae0450 .text C:\Windows\system32\msiexec.exe[3624] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077981510 5 bytes JMP 0000000077ae0370 .text C:\Windows\system32\msiexec.exe[3624] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077981560 5 bytes JMP 0000000077ae0470 .text C:\Windows\system32\msiexec.exe[3624] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077981570 5 bytes JMP 0000000077ae03e0 .text C:\Windows\system32\msiexec.exe[3624] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077981620 5 bytes JMP 0000000077ae0320 .text C:\Windows\system32\msiexec.exe[3624] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077981650 5 bytes JMP 0000000077ae03b0 .text C:\Windows\system32\msiexec.exe[3624] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077981670 5 bytes JMP 0000000077ae0390 .text C:\Windows\system32\msiexec.exe[3624] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000779816b0 5 bytes JMP 0000000077ae02e0 .text C:\Windows\system32\msiexec.exe[3624] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077981730 5 bytes JMP 0000000077ae02d0 .text C:\Windows\system32\msiexec.exe[3624] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077981750 5 bytes JMP 0000000077ae0310 .text C:\Windows\system32\msiexec.exe[3624] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077981790 5 bytes JMP 0000000077ae03c0 .text C:\Windows\system32\msiexec.exe[3624] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000779817e0 5 bytes JMP 0000000077ae03f0 .text C:\Windows\system32\msiexec.exe[3624] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077981940 5 bytes JMP 0000000077ae0230 .text C:\Windows\system32\msiexec.exe[3624] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077981b00 5 bytes JMP 0000000077ae0480 .text C:\Windows\system32\msiexec.exe[3624] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077981b30 5 bytes JMP 0000000077ae03a0 .text C:\Windows\system32\msiexec.exe[3624] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077981c10 5 bytes JMP 0000000077ae02f0 .text C:\Windows\system32\msiexec.exe[3624] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077981c20 5 bytes JMP 0000000077ae0350 .text C:\Windows\system32\msiexec.exe[3624] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077981c80 5 bytes JMP 0000000077ae0290 .text C:\Windows\system32\msiexec.exe[3624] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077981d10 5 bytes JMP 0000000077ae02b0 .text C:\Windows\system32\msiexec.exe[3624] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077981d30 5 bytes JMP 0000000077ae03d0 .text C:\Windows\system32\msiexec.exe[3624] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077981d40 5 bytes JMP 0000000077ae0330 .text C:\Windows\system32\msiexec.exe[3624] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077981db0 5 bytes JMP 0000000077ae0410 .text C:\Windows\system32\msiexec.exe[3624] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077981de0 5 bytes JMP 0000000077ae0240 .text C:\Windows\system32\msiexec.exe[3624] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000779820a0 5 bytes JMP 0000000077ae01e0 .text C:\Windows\system32\msiexec.exe[3624] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077982160 5 bytes JMP 0000000077ae0250 .text C:\Windows\system32\msiexec.exe[3624] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077982190 5 bytes JMP 0000000077ae0490 .text C:\Windows\system32\msiexec.exe[3624] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000779821a0 5 bytes JMP 0000000077ae04a0 .text C:\Windows\system32\msiexec.exe[3624] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000779821d0 5 bytes JMP 0000000077ae0300 .text C:\Windows\system32\msiexec.exe[3624] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000779821e0 5 bytes JMP 0000000077ae0360 .text C:\Windows\system32\msiexec.exe[3624] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077982240 5 bytes JMP 0000000077ae02a0 .text C:\Windows\system32\msiexec.exe[3624] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077982290 5 bytes JMP 0000000077ae02c0 .text C:\Windows\system32\msiexec.exe[3624] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000779822c0 5 bytes JMP 0000000077ae0380 .text C:\Windows\system32\msiexec.exe[3624] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000779822d0 5 bytes JMP 0000000077ae0340 .text C:\Windows\system32\msiexec.exe[3624] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000779825c0 5 bytes JMP 0000000077ae0440 .text C:\Windows\system32\msiexec.exe[3624] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000779827c0 5 bytes JMP 0000000077ae0260 .text C:\Windows\system32\msiexec.exe[3624] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000779827d0 5 bytes JMP 0000000077ae0270 .text C:\Windows\system32\msiexec.exe[3624] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000779827e0 5 bytes JMP 0000000077ae0400 .text C:\Windows\system32\msiexec.exe[3624] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000779829a0 5 bytes JMP 0000000077ae01f0 .text C:\Windows\system32\msiexec.exe[3624] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000779829b0 5 bytes JMP 0000000077ae0210 .text C:\Windows\system32\msiexec.exe[3624] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077982a20 5 bytes JMP 0000000077ae0200 .text C:\Windows\system32\msiexec.exe[3624] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077982a80 5 bytes JMP 0000000077ae0420 .text C:\Windows\system32\msiexec.exe[3624] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077982a90 5 bytes JMP 0000000077ae0430 .text C:\Windows\system32\msiexec.exe[3624] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077982aa0 5 bytes JMP 0000000077ae0220 .text C:\Windows\system32\msiexec.exe[3624] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077982b80 5 bytes JMP 0000000077ae0280 .text C:\Windows\system32\msiexec.exe[3624] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007786ef8d 1 byte [62] .text C:\Users\admin\Desktop\Nowy folder (9)\7xsxuqqy.exe[4332] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000075bda2fd 1 byte [62] ---- Kernel IAT/EAT - GMER 2.1 ---- IAT C:\Windows\System32\Drivers\aswVmm.sys[ntoskrnl.exe!ExAllocatePoolWithTag] [fffff8800198ec18] \SystemRoot\System32\Drivers\aswVmm.sys [.text] IAT C:\Windows\System32\Drivers\aswVmm.sys[ntoskrnl.exe!IoAcquireRemoveLockEx] [?] IAT C:\Windows\System32\Drivers\aswVmm.sys[ntoskrnl.exe!KeQueryActiveProcessors] [fffff8800198d96c] \SystemRoot\System32\Drivers\aswVmm.sys [.text] IAT C:\Windows\System32\Drivers\aswVmm.sys[ntoskrnl.exe!IoDeleteSymbolicLink] [fffff8800198ebc8] \SystemRoot\System32\Drivers\aswVmm.sys [.text] IAT C:\Windows\System32\Drivers\aswVmm.sys[ntoskrnl.exe!ExFreePoolWithTag] [?] IAT C:\Windows\System32\Drivers\aswVmm.sys[ntoskrnl.exe!IoRegisterShutdownNotification] [fffff8800198d964] \SystemRoot\System32\Drivers\aswVmm.sys [.text] IAT C:\Windows\System32\Drivers\aswVmm.sys[ntoskrnl.exe!RtlInitUnicodeString] [fffff8800198ebc0] \SystemRoot\System32\Drivers\aswVmm.sys [.text] IAT C:\Windows\System32\Drivers\aswVmm.sys[ntoskrnl.exe!IoDeleteDevice] [?] IAT C:\Windows\System32\Drivers\aswVmm.sys[ntoskrnl.exe!RtlAppendUnicodeToString] [fffff8800198d95c] \SystemRoot\System32\Drivers\aswVmm.sys [.text] IAT C:\Windows\System32\Drivers\aswVmm.sys[ntoskrnl.exe!KeInitializeEvent] [fffff8800198ebd0] \SystemRoot\System32\Drivers\aswVmm.sys [.text] IAT C:\Windows\System32\Drivers\aswVmm.sys[ntoskrnl.exe!KeInitializeDpc] [?] IAT C:\Windows\System32\Drivers\aswVmm.sys[ntoskrnl.exe!KeSetTimerEx] [fffff8800198d964] \SystemRoot\System32\Drivers\aswVmm.sys [.text] IAT C:\Windows\System32\Drivers\aswVmm.sys[ntoskrnl.exe!IoUnregisterShutdownNotification] [fffff8800198ebc4] \SystemRoot\System32\Drivers\aswVmm.sys [.text] IAT C:\Windows\System32\Drivers\aswVmm.sys[ntoskrnl.exe!InitSafeBootMode] [?] IAT C:\Windows\System32\Drivers\aswVmm.sys[ntoskrnl.exe!IoReleaseRemoveLockAndWaitEx] [fffff8800198d95c] \SystemRoot\System32\Drivers\aswVmm.sys [.text] IAT C:\Windows\System32\Drivers\aswVmm.sys[ntoskrnl.exe!IoIsWdmVersionAvailable] [fffff8800198ebe0] \SystemRoot\System32\Drivers\aswVmm.sys [.text] IAT C:\Windows\System32\Drivers\aswVmm.sys[ntoskrnl.exe!ExDeleteResourceLite] [?] IAT C:\Windows\System32\Drivers\aswVmm.sys[ntoskrnl.exe!IoCreateSymbolicLink] [fffff8800198d964] \SystemRoot\System32\Drivers\aswVmm.sys [.text] IAT C:\Windows\System32\Drivers\aswVmm.sys[ntoskrnl.exe!RtlCopyUnicodeString] [fffff8800198ebd8] \SystemRoot\System32\Drivers\aswVmm.sys [.text] IAT C:\Windows\System32\Drivers\aswVmm.sys[ntoskrnl.exe!IoInitializeRemoveLockEx] [?] IAT C:\Windows\System32\Drivers\aswVmm.sys[ntoskrnl.exe!ExInitializeResourceLite] [fffff8800198d95c] \SystemRoot\System32\Drivers\aswVmm.sys [.text] IAT C:\Windows\System32\Drivers\aswVmm.sys[ntoskrnl.exe!KeInitializeTimerEx] [fffff8800198ebe8] \SystemRoot\System32\Drivers\aswVmm.sys [.text] IAT C:\Windows\System32\Drivers\aswVmm.sys[ntoskrnl.exe!KeCancelTimer] [?] IAT C:\Windows\System32\Drivers\aswVmm.sys[ntoskrnl.exe!MmUnmapLockedPages] [fffff8800198d964] \SystemRoot\System32\Drivers\aswVmm.sys [.text] IAT C:\Windows\System32\Drivers\aswVmm.sys[ntoskrnl.exe!MmFreeContiguousMemory] [fffff8800198ebdc] \SystemRoot\System32\Drivers\aswVmm.sys [.text] IAT C:\Windows\System32\Drivers\aswVmm.sys[ntoskrnl.exe!MmUnmapIoSpace] [?] IAT C:\Windows\System32\Drivers\aswVmm.sys[ntoskrnl.exe!MmMapLockedPagesSpecifyCache] [fffff8800198d95c] \SystemRoot\System32\Drivers\aswVmm.sys [.text] IAT C:\Windows\System32\Drivers\aswVmm.sys[ntoskrnl.exe!MmMapIoSpace] [fffff8800198ebf8] \SystemRoot\System32\Drivers\aswVmm.sys [.text] IAT C:\Windows\System32\Drivers\aswVmm.sys[ntoskrnl.exe!MmFreePagesFromMdl] [?] IAT C:\Windows\System32\Drivers\aswVmm.sys[ntoskrnl.exe!ExAcquireResourceExclusiveLite] [fffff8800198d964] \SystemRoot\System32\Drivers\aswVmm.sys [.text] IAT C:\Windows\System32\Drivers\aswVmm.sys[ntoskrnl.exe!KeLeaveCriticalRegion] [fffff8800198ebf0] \SystemRoot\System32\Drivers\aswVmm.sys [.text] IAT C:\Windows\System32\Drivers\aswVmm.sys[ntoskrnl.exe!IoReleaseRemoveLockEx] [?] IAT C:\Windows\System32\Drivers\aswVmm.sys[ntoskrnl.exe!IoFreeMdl] [fffff8800198d95c] \SystemRoot\System32\Drivers\aswVmm.sys [.text] IAT C:\Windows\System32\Drivers\aswVmm.sys[ntoskrnl.exe!KeEnterCriticalRegion] [fffff8800198ec00] \SystemRoot\System32\Drivers\aswVmm.sys [.text] IAT C:\Windows\System32\Drivers\aswVmm.sys[ntoskrnl.exe!ExAcquireResourceSharedLite] [?] IAT C:\Windows\System32\Drivers\aswVmm.sys[ntoskrnl.exe!ExReleaseResourceLite] [fffff8800198d964] \SystemRoot\System32\Drivers\aswVmm.sys [.text] IAT C:\Windows\System32\Drivers\aswVmm.sys[ntoskrnl.exe!IofCompleteRequest] [fffff8800198ebf4] \SystemRoot\System32\Drivers\aswVmm.sys [.text] IAT C:\Windows\System32\Drivers\aswVmm.sys[ntoskrnl.exe!MmProbeAndLockPages] [?] IAT C:\Windows\System32\Drivers\aswVmm.sys[ntoskrnl.exe!MmUnlockPages] [fffff8800198d95c] \SystemRoot\System32\Drivers\aswVmm.sys [.text] IAT C:\Windows\System32\Drivers\aswVmm.sys[ntoskrnl.exe!IoAllocateMdl] [fffff8800198ec10] \SystemRoot\System32\Drivers\aswVmm.sys [.text] IAT C:\Windows\System32\Drivers\aswVmm.sys[ntoskrnl.exe!RtlDeleteElementGenericTableAvl] [?] IAT C:\Windows\System32\Drivers\aswVmm.sys[ntoskrnl.exe!RtlInsertElementGenericTableAvl] [fffff8800198d964] \SystemRoot\System32\Drivers\aswVmm.sys [.text] IAT C:\Windows\System32\Drivers\aswVmm.sys[ntoskrnl.exe!PsLookupProcessByProcessId] [fffff8800198ec08] \SystemRoot\System32\Drivers\aswVmm.sys [.text] IAT C:\Windows\System32\Drivers\aswVmm.sys[ntoskrnl.exe!KeUnstackDetachProcess] [?] IAT C:\Windows\System32\Drivers\aswVmm.sys[ntoskrnl.exe!RtlIsGenericTableEmptyAvl] [fffff8800198d95c] \SystemRoot\System32\Drivers\aswVmm.sys [.text] IAT C:\Windows\System32\Drivers\aswVmm.sys[ntoskrnl.exe!RtlInitializeGenericTableAvl] [fffff8800198ed78] \SystemRoot\System32\Drivers\aswVmm.sys [.text] IAT C:\Windows\System32\Drivers\aswVmm.sys[ntoskrnl.exe!RtlEnumerateGenericTableAvl] [?] IAT C:\Windows\System32\Drivers\aswVmm.sys[ntoskrnl.exe!ObfDereferenceObject] [fffff8800198d96c] \SystemRoot\System32\Drivers\aswVmm.sys [.text] IAT C:\Windows\System32\Drivers\aswVmm.sys[ntoskrnl.exe!RtlLookupElementGenericTableAvl] [fffff8800198ec88] \SystemRoot\System32\Drivers\aswVmm.sys [.text] IAT C:\Windows\System32\Drivers\aswVmm.sys[ntoskrnl.exe!KeStackAttachProcess] [?] IAT C:\Windows\System32\Drivers\aswVmm.sys[ntoskrnl.exe!PsGetProcessWin32Process] [fffff8800198d958] \SystemRoot\System32\Drivers\aswVmm.sys [.text] IAT C:\Windows\System32\Drivers\aswVmm.sys[ntoskrnl.exe!IoFreeWorkItem] [fffff8800198ec28] \SystemRoot\System32\Drivers\aswVmm.sys [.text] IAT C:\Windows\System32\Drivers\aswVmm.sys[ntoskrnl.exe!IoGetCurrentProcess] [?] IAT C:\Windows\System32\Drivers\aswVmm.sys[ntoskrnl.exe!IoAllocateWorkItem] [fffff8800198d964] \SystemRoot\System32\Drivers\aswVmm.sys [.text] IAT C:\Windows\System32\Drivers\aswVmm.sys[ntoskrnl.exe!MmIsAddressValid] [fffff8800198ec0c] \SystemRoot\System32\Drivers\aswVmm.sys [.text] IAT C:\Windows\System32\Drivers\aswVmm.sys[ntoskrnl.exe!IoQueueWorkItem] [?] IAT C:\Windows\System32\Drivers\aswVmm.sys[ntoskrnl.exe!ExUnregisterCallback] [fffff8800198d95c] \SystemRoot\System32\Drivers\aswVmm.sys [.text] IAT C:\Windows\System32\Drivers\aswVmm.sys[ntoskrnl.exe!ZwCreateKey] [fffff8800198ec38] \SystemRoot\System32\Drivers\aswVmm.sys [.text] IAT C:\Windows\System32\Drivers\aswVmm.sys[ntoskrnl.exe!KeResetEvent] [?] IAT C:\Windows\System32\Drivers\aswVmm.sys[ntoskrnl.exe!PsSetLoadImageNotifyRoutine] [fffff8800198d964] \SystemRoot\System32\Drivers\aswVmm.sys [.text] IAT C:\Windows\System32\Drivers\aswVmm.sys[ntoskrnl.exe!KeSetPriorityThread] [fffff8800198ec30] \SystemRoot\System32\Drivers\aswVmm.sys [.text] IAT C:\Windows\System32\Drivers\aswVmm.sys[ntoskrnl.exe!KeSetEvent] [?] IAT C:\Windows\System32\Drivers\aswVmm.sys[ntoskrnl.exe!RtlCheckRegistryKey] [fffff8800198d95c] \SystemRoot\System32\Drivers\aswVmm.sys [.text] IAT C:\Windows\System32\Drivers\aswVmm.sys[ntoskrnl.exe!PsSetCreateProcessNotifyRoutine] [fffff8800198ec40] \SystemRoot\System32\Drivers\aswVmm.sys [.text] IAT C:\Windows\System32\Drivers\aswVmm.sys[ntoskrnl.exe!MmAllocatePagesForMdl] [?] IAT C:\Windows\System32\Drivers\aswVmm.sys[ntoskrnl.exe!MmGetPhysicalAddress] [fffff8800198d964] \SystemRoot\System32\Drivers\aswVmm.sys [.text] IAT C:\Windows\System32\Drivers\aswVmm.sys[ntoskrnl.exe!PsCreateSystemThread] [fffff8800198ec34] \SystemRoot\System32\Drivers\aswVmm.sys [.text] IAT C:\Windows\System32\Drivers\aswVmm.sys[ntoskrnl.exe!ZwQueryValueKey] [?] IAT C:\Windows\System32\Drivers\aswVmm.sys[ntoskrnl.exe!PsTerminateSystemThread] [fffff8800198d95c] \SystemRoot\System32\Drivers\aswVmm.sys [.text] IAT C:\Windows\System32\Drivers\aswVmm.sys[ntoskrnl.exe!ZwClose] [fffff8800198ec50] \SystemRoot\System32\Drivers\aswVmm.sys [.text] IAT C:\Windows\System32\Drivers\aswVmm.sys[ntoskrnl.exe!ObReferenceObjectByHandle] [?] IAT C:\Windows\System32\Drivers\aswVmm.sys[ntoskrnl.exe!KeWaitForSingleObject] [fffff8800198d964] \SystemRoot\System32\Drivers\aswVmm.sys [.text] IAT C:\Windows\System32\Drivers\aswVmm.sys[ntoskrnl.exe!PsRemoveLoadImageNotifyRoutine] [fffff8800198ec48] \SystemRoot\System32\Drivers\aswVmm.sys [.text] IAT C:\Windows\System32\Drivers\aswVmm.sys[ntoskrnl.exe!ExRegisterCallback] [?] IAT C:\Windows\System32\Drivers\aswVmm.sys[ntoskrnl.exe!PsThreadType] [fffff8800198d95c] \SystemRoot\System32\Drivers\aswVmm.sys [.text] IAT C:\Windows\System32\Drivers\aswVmm.sys[ntoskrnl.exe!RtlCompareUnicodeString] [fffff8800198ec58] \SystemRoot\System32\Drivers\aswVmm.sys [.text] IAT C:\Windows\System32\Drivers\aswVmm.sys[ntoskrnl.exe!KeSetSystemAffinityThread] [?] IAT C:\Windows\System32\Drivers\aswVmm.sys[ntoskrnl.exe!KeWaitForMultipleObjects] [fffff8800198d964] \SystemRoot\System32\Drivers\aswVmm.sys [.text] IAT C:\Windows\System32\Drivers\aswVmm.sys[ntoskrnl.exe!MmGetPhysicalMemoryRanges] [fffff8800198ec4c] \SystemRoot\System32\Drivers\aswVmm.sys [.text] IAT C:\Windows\System32\Drivers\aswVmm.sys[ntoskrnl.exe!ExCreateCallback] [?] IAT C:\Windows\System32\Drivers\aswVmm.sys[ntoskrnl.exe!MmAllocateContiguousMemorySpecifyCache] [fffff8800198d95c] \SystemRoot\System32\Drivers\aswVmm.sys [.text] IAT C:\Windows\System32\Drivers\aswVmm.sys[ntoskrnl.exe!DbgPrint] [fffff8800198ec68] \SystemRoot\System32\Drivers\aswVmm.sys [.text] IAT C:\Windows\System32\Drivers\aswVmm.sys[ntoskrnl.exe!MmFreeMappingAddress] [?] IAT C:\Windows\System32\Drivers\aswVmm.sys[ntoskrnl.exe!MmAllocateMappingAddress] [fffff8800198d964] \SystemRoot\System32\Drivers\aswVmm.sys [.text] IAT C:\Windows\System32\Drivers\aswVmm.sys[ntoskrnl.exe!ProbeForRead] [fffff8800198ec60] \SystemRoot\System32\Drivers\aswVmm.sys [.text] IAT C:\Windows\System32\Drivers\aswVmm.sys[ntoskrnl.exe!ExGetPreviousMode] [?] IAT C:\Windows\System32\Drivers\aswVmm.sys[ntoskrnl.exe!MmGetSystemRoutineAddress] [fffff8800198d95c] \SystemRoot\System32\Drivers\aswVmm.sys [.text] IAT C:\Windows\System32\Drivers\aswVmm.sys[ntoskrnl.exe!IoCreateDevice] [fffff8800198ec70] \SystemRoot\System32\Drivers\aswVmm.sys [.text] IAT C:\Windows\System32\Drivers\aswVmm.sys[ntoskrnl.exe!ObOpenObjectByPointer] [?] IAT C:\Windows\System32\Drivers\aswVmm.sys[ntoskrnl.exe!ZwSetSecurityObject] [fffff8800198d964] \SystemRoot\System32\Drivers\aswVmm.sys [.text] IAT C:\Windows\System32\Drivers\aswVmm.sys[ntoskrnl.exe!IoDeviceObjectType] [fffff8800198ec64] \SystemRoot\System32\Drivers\aswVmm.sys [.text] IAT C:\Windows\System32\Drivers\aswVmm.sys[ntoskrnl.exe!_snwprintf] [?] IAT C:\Windows\System32\Drivers\aswVmm.sys[ntoskrnl.exe!RtlLengthSecurityDescriptor] [fffff8800198d95c] \SystemRoot\System32\Drivers\aswVmm.sys [.text] IAT C:\Windows\System32\Drivers\aswVmm.sys[ntoskrnl.exe!SeCaptureSecurityDescriptor] [fffff8800198ec80] \SystemRoot\System32\Drivers\aswVmm.sys [.text] IAT C:\Windows\System32\Drivers\aswVmm.sys[ntoskrnl.exe!RtlCreateSecurityDescriptor] [?] IAT C:\Windows\System32\Drivers\aswVmm.sys[ntoskrnl.exe!RtlSetDaclSecurityDescriptor] [fffff8800198d964] \SystemRoot\System32\Drivers\aswVmm.sys [.text] IAT C:\Windows\System32\Drivers\aswVmm.sys[ntoskrnl.exe!RtlAbsoluteToSelfRelativeSD] [fffff8800198ec78] \SystemRoot\System32\Drivers\aswVmm.sys [.text] IAT C:\Windows\System32\Drivers\aswVmm.sys[ntoskrnl.exe!SeExports] [?] IAT C:\Windows\System32\Drivers\aswVmm.sys[ntoskrnl.exe!wcschr] [fffff8800198d95c] \SystemRoot\System32\Drivers\aswVmm.sys [.text] IAT C:\Windows\System32\Drivers\aswVmm.sys[ntoskrnl.exe!_wcsnicmp] [fffff8800198ecf8] \SystemRoot\System32\Drivers\aswVmm.sys [.text] IAT C:\Windows\System32\Drivers\aswVmm.sys[ntoskrnl.exe!RtlLengthSid] [?] IAT C:\Windows\System32\Drivers\aswVmm.sys[ntoskrnl.exe!RtlAddAccessAllowedAce] [fffff8800198d958] \SystemRoot\System32\Drivers\aswVmm.sys [.text] IAT C:\Windows\System32\Drivers\aswVmm.sys[ntoskrnl.exe!RtlGetSaclSecurityDescriptor] [fffff8800198ec98] \SystemRoot\System32\Drivers\aswVmm.sys [.text] IAT C:\Windows\System32\Drivers\aswVmm.sys[ntoskrnl.exe!RtlGetDaclSecurityDescriptor] [?] IAT C:\Windows\System32\Drivers\aswVmm.sys[ntoskrnl.exe!RtlGetGroupSecurityDescriptor] [fffff8800198d964] \SystemRoot\System32\Drivers\aswVmm.sys [.text] IAT C:\Windows\System32\Drivers\aswVmm.sys[ntoskrnl.exe!RtlGetOwnerSecurityDescriptor] [fffff8800198ec7c] \SystemRoot\System32\Drivers\aswVmm.sys [.text] IAT C:\Windows\System32\Drivers\aswVmm.sys[ntoskrnl.exe!ZwOpenKey] [?] IAT C:\Windows\System32\Drivers\aswVmm.sys[ntoskrnl.exe!ZwSetValueKey] [fffff8800198d95c] \SystemRoot\System32\Drivers\aswVmm.sys [.text] IAT C:\Windows\System32\Drivers\aswVmm.sys[ntoskrnl.exe!RtlFreeUnicodeString] [fffff8800198eca8] \SystemRoot\System32\Drivers\aswVmm.sys [.text] IAT C:\Windows\System32\Drivers\aswVmm.sys[ntoskrnl.exe!KeBugCheckEx] [?] IAT C:\Windows\System32\Drivers\aswVmm.sys[ntoskrnl.exe!ZwMapViewOfSection] [fffff8800198d964] \SystemRoot\System32\Drivers\aswVmm.sys [.text] IAT C:\Windows\System32\Drivers\aswVmm.sys[ntoskrnl.exe!ZwUnmapViewOfSection] [fffff8800198eca0] \SystemRoot\System32\Drivers\aswVmm.sys [.text] IAT C:\Windows\System32\Drivers\aswVmm.sys[ntoskrnl.exe!ZwCreateSection] [?] IAT C:\Windows\System32\Drivers\aswVmm.sys[ntoskrnl.exe!ZwOpenFile] [fffff8800198d95c] \SystemRoot\System32\Drivers\aswVmm.sys [.text] IAT C:\Windows\System32\Drivers\aswVmm.sys[ntoskrnl.exe!__C_specific_handler] [fffff8800198ecb0] \SystemRoot\System32\Drivers\aswVmm.sys [.text] ---- Processes - GMER 2.1 ---- Library C:\Users\admin\AppData\Roaming\GG\ggdrive\ggdrive-menu.dll (*** suspicious ***) @ C:\Windows\Explorer.EXE [1556] (GG drive menu/GG Network S.A.)(201 000000005ff80000 ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager@PendingFileRenameOperations ????????uwddakob????\\.\Usbscan0ca???????&???????????????????????????????&???????????????????????????t???&???????i???????????????????e??H?????????????????????????????????????????*??????:??????????????? ?????????????????????0?????????????????????????????????????$??????????????????????????ta??? ?????????????????????0????????????????????? ?????????????????????0????????????????????? ?????????????????????0????????????????????? ?????????????????????0????????????????????? ?????????????????????0????????????????????? ?????????????????????0?????????????????????????????m?????????????????????????????????? ???????? ?????????????????????0??????????b?????????????????????????????????????t???????????????????ro??? ???????s?????exe??????? z?????? ???????4??\BaseNamedObjects\WDI_{e0d69a9e-141d-45e3-8799-3f907c2bbe22}????? 0??????1???????????????????????????O??????????????????? 0?????????????????????????????????????????????????????????????????????????????????pe??????????????? H??? ??~???????~??? ????????????????????????????????? Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\001167259976 Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\001167259976@80501becf022 0xC3 0xA2 0xA2 0x90 ... Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\001167259976 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\001167259976@80501becf022 0xC3 0xA2 0xA2 0x90 ... ---- EOF - GMER 2.1 ----