GMER 2.1.19163 - http://www.gmer.net Rootkit scan 2014-01-20 22:46:05 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T1L0-6 SAMSUNG_HD103SJ rev.1AJ10001 931,51GB Running: lxxsf385.exe; Driver: C:\Users\mati\AppData\Local\Temp\ugldapob.sys ---- User code sections - GMER 2.1 ---- .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077a51360 5 bytes JMP 0000000149b10460 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077a513b0 5 bytes JMP 0000000149b10450 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077a51510 5 bytes JMP 0000000149b10370 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077a51560 5 bytes JMP 0000000149b10470 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077a51570 5 bytes JMP 0000000149b103e0 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077a51620 5 bytes JMP 0000000149b10320 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077a51650 5 bytes JMP 0000000149b103b0 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077a51670 5 bytes JMP 0000000149b10390 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077a516b0 5 bytes JMP 0000000149b102e0 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077a51730 5 bytes JMP 0000000149b102d0 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077a51750 5 bytes JMP 0000000149b10310 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077a51790 5 bytes JMP 0000000149b103c0 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077a517e0 5 bytes JMP 0000000149b103f0 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077a51940 5 bytes JMP 0000000149b10230 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a51b00 5 bytes JMP 0000000149b10480 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077a51b30 5 bytes JMP 0000000149b103a0 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077a51c10 5 bytes JMP 0000000149b102f0 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077a51c20 5 bytes JMP 0000000149b10350 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077a51c80 5 bytes JMP 0000000149b10290 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077a51d10 5 bytes JMP 0000000149b102b0 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077a51d30 5 bytes JMP 0000000149b103d0 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077a51d40 5 bytes JMP 0000000149b10330 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077a51db0 5 bytes JMP 0000000149b10410 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077a51de0 5 bytes JMP 0000000149b10240 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077a520a0 5 bytes JMP 0000000149b101e0 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077a52160 5 bytes JMP 0000000149b10250 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077a52190 5 bytes JMP 0000000149b10490 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077a521a0 5 bytes JMP 0000000149b104a0 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077a521d0 5 bytes JMP 0000000149b10300 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077a521e0 5 bytes JMP 0000000149b10360 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077a52240 5 bytes JMP 0000000149b102a0 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077a52290 5 bytes JMP 0000000149b102c0 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077a522c0 5 bytes JMP 0000000149b10380 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077a522d0 5 bytes JMP 0000000149b10340 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077a525c0 5 bytes JMP 0000000149b10440 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077a527c0 5 bytes JMP 0000000149b10260 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077a527d0 5 bytes JMP 0000000149b10270 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077a527e0 5 bytes JMP 0000000149b10400 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077a529a0 5 bytes JMP 0000000149b101f0 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077a529b0 5 bytes JMP 0000000149b10210 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077a52a20 5 bytes JMP 0000000149b10200 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077a52a80 5 bytes JMP 0000000149b10420 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077a52a90 5 bytes JMP 0000000149b10430 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077a52aa0 5 bytes JMP 0000000149b10220 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077a52b80 5 bytes JMP 0000000149b10280 .text C:\Windows\system32\csrss.exe[496] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077a51360 5 bytes JMP 0000000149b10460 .text C:\Windows\system32\csrss.exe[496] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077a513b0 5 bytes JMP 0000000149b10450 .text C:\Windows\system32\csrss.exe[496] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077a51510 5 bytes JMP 0000000149b10370 .text C:\Windows\system32\csrss.exe[496] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077a51560 5 bytes JMP 0000000149b10470 .text C:\Windows\system32\csrss.exe[496] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077a51570 5 bytes JMP 0000000149b103e0 .text C:\Windows\system32\csrss.exe[496] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077a51620 5 bytes JMP 0000000149b10320 .text C:\Windows\system32\csrss.exe[496] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077a51650 5 bytes JMP 0000000149b103b0 .text C:\Windows\system32\csrss.exe[496] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077a51670 5 bytes JMP 0000000149b10390 .text C:\Windows\system32\csrss.exe[496] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077a516b0 5 bytes JMP 0000000149b102e0 .text C:\Windows\system32\csrss.exe[496] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077a51730 5 bytes JMP 0000000149b102d0 .text C:\Windows\system32\csrss.exe[496] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077a51750 5 bytes JMP 0000000149b10310 .text C:\Windows\system32\csrss.exe[496] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077a51790 5 bytes JMP 0000000149b103c0 .text C:\Windows\system32\csrss.exe[496] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077a517e0 5 bytes JMP 0000000149b103f0 .text C:\Windows\system32\csrss.exe[496] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077a51940 5 bytes JMP 0000000149b10230 .text C:\Windows\system32\csrss.exe[496] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a51b00 5 bytes JMP 0000000149b10480 .text C:\Windows\system32\csrss.exe[496] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077a51b30 5 bytes JMP 0000000149b103a0 .text C:\Windows\system32\csrss.exe[496] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077a51c10 5 bytes JMP 0000000149b102f0 .text C:\Windows\system32\csrss.exe[496] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077a51c20 5 bytes JMP 0000000149b10350 .text C:\Windows\system32\csrss.exe[496] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077a51c80 5 bytes JMP 0000000149b10290 .text C:\Windows\system32\csrss.exe[496] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077a51d10 5 bytes JMP 0000000149b102b0 .text C:\Windows\system32\csrss.exe[496] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077a51d30 5 bytes JMP 0000000149b103d0 .text C:\Windows\system32\csrss.exe[496] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077a51d40 5 bytes JMP 0000000149b10330 .text C:\Windows\system32\csrss.exe[496] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077a51db0 5 bytes JMP 0000000149b10410 .text C:\Windows\system32\csrss.exe[496] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077a51de0 5 bytes JMP 0000000149b10240 .text C:\Windows\system32\csrss.exe[496] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077a520a0 5 bytes JMP 0000000149b101e0 .text C:\Windows\system32\csrss.exe[496] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077a52160 5 bytes JMP 0000000149b10250 .text C:\Windows\system32\csrss.exe[496] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077a52190 5 bytes JMP 0000000149b10490 .text C:\Windows\system32\csrss.exe[496] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077a521a0 5 bytes JMP 0000000149b104a0 .text C:\Windows\system32\csrss.exe[496] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077a521d0 5 bytes JMP 0000000149b10300 .text C:\Windows\system32\csrss.exe[496] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077a521e0 5 bytes JMP 0000000149b10360 .text C:\Windows\system32\csrss.exe[496] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077a52240 5 bytes JMP 0000000149b102a0 .text C:\Windows\system32\csrss.exe[496] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077a52290 5 bytes JMP 0000000149b102c0 .text C:\Windows\system32\csrss.exe[496] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077a522c0 5 bytes JMP 0000000149b10380 .text C:\Windows\system32\csrss.exe[496] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077a522d0 5 bytes JMP 0000000149b10340 .text C:\Windows\system32\csrss.exe[496] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077a525c0 5 bytes JMP 0000000149b10440 .text C:\Windows\system32\csrss.exe[496] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077a527c0 5 bytes JMP 0000000149b10260 .text C:\Windows\system32\csrss.exe[496] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077a527d0 5 bytes JMP 0000000149b10270 .text C:\Windows\system32\csrss.exe[496] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077a527e0 5 bytes JMP 0000000149b10400 .text C:\Windows\system32\csrss.exe[496] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077a529a0 5 bytes JMP 0000000149b101f0 .text C:\Windows\system32\csrss.exe[496] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077a529b0 5 bytes JMP 0000000149b10210 .text C:\Windows\system32\csrss.exe[496] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077a52a20 5 bytes JMP 0000000149b10200 .text C:\Windows\system32\csrss.exe[496] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077a52a80 5 bytes JMP 0000000149b10420 .text C:\Windows\system32\csrss.exe[496] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077a52a90 5 bytes JMP 0000000149b10430 .text C:\Windows\system32\csrss.exe[496] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077a52aa0 5 bytes JMP 0000000149b10220 .text C:\Windows\system32\csrss.exe[496] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077a52b80 5 bytes JMP 0000000149b10280 .text C:\Windows\system32\wininit.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077a51360 5 bytes JMP 0000000077bb0460 .text C:\Windows\system32\wininit.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077a513b0 5 bytes JMP 0000000077bb0450 .text C:\Windows\system32\wininit.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077a51510 5 bytes JMP 0000000077bb0370 .text C:\Windows\system32\wininit.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077a51560 5 bytes JMP 0000000077bb0470 .text C:\Windows\system32\wininit.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077a51570 5 bytes JMP 0000000077bb03e0 .text C:\Windows\system32\wininit.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077a51620 5 bytes JMP 0000000077bb0320 .text C:\Windows\system32\wininit.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077a51650 5 bytes JMP 0000000077bb03b0 .text C:\Windows\system32\wininit.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077a51670 5 bytes JMP 0000000077bb0390 .text C:\Windows\system32\wininit.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077a516b0 5 bytes JMP 0000000077bb02e0 .text C:\Windows\system32\wininit.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077a51730 5 bytes JMP 0000000077bb02d0 .text C:\Windows\system32\wininit.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077a51750 5 bytes JMP 0000000077bb0310 .text C:\Windows\system32\wininit.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077a51790 5 bytes JMP 0000000077bb03c0 .text C:\Windows\system32\wininit.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077a517e0 5 bytes JMP 0000000077bb03f0 .text C:\Windows\system32\wininit.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077a51940 5 bytes JMP 0000000077bb0230 .text C:\Windows\system32\wininit.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a51b00 5 bytes JMP 0000000077bb0480 .text C:\Windows\system32\wininit.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077a51b30 5 bytes JMP 0000000077bb03a0 .text C:\Windows\system32\wininit.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077a51c10 5 bytes JMP 0000000077bb02f0 .text C:\Windows\system32\wininit.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077a51c20 5 bytes JMP 0000000077bb0350 .text C:\Windows\system32\wininit.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077a51c80 5 bytes JMP 0000000077bb0290 .text C:\Windows\system32\wininit.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077a51d10 5 bytes JMP 0000000077bb02b0 .text C:\Windows\system32\wininit.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077a51d30 5 bytes JMP 0000000077bb03d0 .text C:\Windows\system32\wininit.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077a51d40 5 bytes JMP 0000000077bb0330 .text C:\Windows\system32\wininit.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077a51db0 5 bytes JMP 0000000077bb0410 .text C:\Windows\system32\wininit.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077a51de0 5 bytes JMP 0000000077bb0240 .text C:\Windows\system32\wininit.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077a520a0 5 bytes JMP 0000000077bb01e0 .text C:\Windows\system32\wininit.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077a52160 5 bytes JMP 0000000077bb0250 .text C:\Windows\system32\wininit.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077a52190 5 bytes JMP 0000000077bb0490 .text C:\Windows\system32\wininit.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077a521a0 5 bytes JMP 0000000077bb04a0 .text C:\Windows\system32\wininit.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077a521d0 5 bytes JMP 0000000077bb0300 .text C:\Windows\system32\wininit.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077a521e0 5 bytes JMP 0000000077bb0360 .text C:\Windows\system32\wininit.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077a52240 5 bytes JMP 0000000077bb02a0 .text C:\Windows\system32\wininit.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077a52290 5 bytes JMP 0000000077bb02c0 .text C:\Windows\system32\wininit.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077a522c0 5 bytes JMP 0000000077bb0380 .text C:\Windows\system32\wininit.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077a522d0 5 bytes JMP 0000000077bb0340 .text C:\Windows\system32\wininit.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077a525c0 5 bytes JMP 0000000077bb0440 .text C:\Windows\system32\wininit.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077a527c0 5 bytes JMP 0000000077bb0260 .text C:\Windows\system32\wininit.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077a527d0 5 bytes JMP 0000000077bb0270 .text C:\Windows\system32\wininit.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077a527e0 5 bytes JMP 0000000077bb0400 .text C:\Windows\system32\wininit.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077a529a0 5 bytes JMP 0000000077bb01f0 .text C:\Windows\system32\wininit.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077a529b0 5 bytes JMP 0000000077bb0210 .text C:\Windows\system32\wininit.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077a52a20 5 bytes JMP 0000000077bb0200 .text C:\Windows\system32\wininit.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077a52a80 5 bytes JMP 0000000077bb0420 .text C:\Windows\system32\wininit.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077a52a90 5 bytes JMP 0000000077bb0430 .text C:\Windows\system32\wininit.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077a52aa0 5 bytes JMP 0000000077bb0220 .text C:\Windows\system32\wininit.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077a52b80 5 bytes JMP 0000000077bb0280 .text C:\Windows\system32\wininit.exe[504] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007793eecd 1 byte [62] .text C:\Windows\system32\winlogon.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077a51360 5 bytes JMP 0000000077bb0460 .text C:\Windows\system32\winlogon.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077a513b0 5 bytes JMP 0000000077bb0450 .text C:\Windows\system32\winlogon.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077a51510 5 bytes JMP 0000000077bb0370 .text C:\Windows\system32\winlogon.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077a51560 5 bytes JMP 0000000077bb0470 .text C:\Windows\system32\winlogon.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077a51570 5 bytes JMP 0000000077bb03e0 .text C:\Windows\system32\winlogon.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077a51620 5 bytes JMP 0000000077bb0320 .text C:\Windows\system32\winlogon.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077a51650 5 bytes JMP 0000000077bb03b0 .text C:\Windows\system32\winlogon.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077a51670 5 bytes JMP 0000000077bb0390 .text C:\Windows\system32\winlogon.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077a516b0 5 bytes JMP 0000000077bb02e0 .text C:\Windows\system32\winlogon.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077a51730 5 bytes JMP 0000000077bb02d0 .text C:\Windows\system32\winlogon.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077a51750 5 bytes JMP 0000000077bb0310 .text C:\Windows\system32\winlogon.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077a51790 5 bytes JMP 0000000077bb03c0 .text C:\Windows\system32\winlogon.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077a517e0 5 bytes JMP 0000000077bb03f0 .text C:\Windows\system32\winlogon.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077a51940 5 bytes JMP 0000000077bb0230 .text C:\Windows\system32\winlogon.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a51b00 5 bytes JMP 0000000077bb0480 .text C:\Windows\system32\winlogon.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077a51b30 5 bytes JMP 0000000077bb03a0 .text C:\Windows\system32\winlogon.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077a51c10 5 bytes JMP 0000000077bb02f0 .text C:\Windows\system32\winlogon.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077a51c20 5 bytes JMP 0000000077bb0350 .text C:\Windows\system32\winlogon.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077a51c80 5 bytes JMP 0000000077bb0290 .text C:\Windows\system32\winlogon.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077a51d10 5 bytes JMP 0000000077bb02b0 .text C:\Windows\system32\winlogon.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077a51d30 5 bytes JMP 0000000077bb03d0 .text C:\Windows\system32\winlogon.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077a51d40 5 bytes JMP 0000000077bb0330 .text C:\Windows\system32\winlogon.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077a51db0 5 bytes JMP 0000000077bb0410 .text C:\Windows\system32\winlogon.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077a51de0 5 bytes JMP 0000000077bb0240 .text C:\Windows\system32\winlogon.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077a520a0 5 bytes JMP 0000000077bb01e0 .text C:\Windows\system32\winlogon.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077a52160 5 bytes JMP 0000000077bb0250 .text C:\Windows\system32\winlogon.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077a52190 5 bytes JMP 0000000077bb0490 .text C:\Windows\system32\winlogon.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077a521a0 5 bytes JMP 0000000077bb04a0 .text C:\Windows\system32\winlogon.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077a521d0 5 bytes JMP 0000000077bb0300 .text C:\Windows\system32\winlogon.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077a521e0 5 bytes JMP 0000000077bb0360 .text C:\Windows\system32\winlogon.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077a52240 5 bytes JMP 0000000077bb02a0 .text C:\Windows\system32\winlogon.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077a52290 5 bytes JMP 0000000077bb02c0 .text C:\Windows\system32\winlogon.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077a522c0 5 bytes JMP 0000000077bb0380 .text C:\Windows\system32\winlogon.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077a522d0 5 bytes JMP 0000000077bb0340 .text C:\Windows\system32\winlogon.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077a525c0 5 bytes JMP 0000000077bb0440 .text C:\Windows\system32\winlogon.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077a527c0 5 bytes JMP 0000000077bb0260 .text C:\Windows\system32\winlogon.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077a527d0 5 bytes JMP 0000000077bb0270 .text C:\Windows\system32\winlogon.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077a527e0 5 bytes JMP 0000000077bb0400 .text C:\Windows\system32\winlogon.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077a529a0 5 bytes JMP 0000000077bb01f0 .text C:\Windows\system32\winlogon.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077a529b0 5 bytes JMP 0000000077bb0210 .text C:\Windows\system32\winlogon.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077a52a20 5 bytes JMP 0000000077bb0200 .text C:\Windows\system32\winlogon.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077a52a80 5 bytes JMP 0000000077bb0420 .text C:\Windows\system32\winlogon.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077a52a90 5 bytes JMP 0000000077bb0430 .text C:\Windows\system32\winlogon.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077a52aa0 5 bytes JMP 0000000077bb0220 .text C:\Windows\system32\winlogon.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077a52b80 5 bytes JMP 0000000077bb0280 .text C:\Windows\system32\winlogon.exe[552] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007793eecd 1 byte [62] .text C:\Windows\system32\services.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077a51360 5 bytes JMP 0000000077bb0460 .text C:\Windows\system32\services.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077a513b0 5 bytes JMP 0000000077bb0450 .text C:\Windows\system32\services.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077a51510 5 bytes JMP 0000000077bb0370 .text C:\Windows\system32\services.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077a51560 5 bytes JMP 0000000077bb0470 .text C:\Windows\system32\services.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077a51570 5 bytes JMP 0000000077bb03e0 .text C:\Windows\system32\services.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077a51620 5 bytes JMP 0000000077bb0320 .text C:\Windows\system32\services.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077a51650 5 bytes JMP 0000000077bb03b0 .text C:\Windows\system32\services.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077a51670 5 bytes JMP 0000000077bb0390 .text C:\Windows\system32\services.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077a516b0 5 bytes JMP 0000000077bb02e0 .text C:\Windows\system32\services.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077a51730 5 bytes JMP 0000000077bb02d0 .text C:\Windows\system32\services.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077a51750 5 bytes JMP 0000000077bb0310 .text C:\Windows\system32\services.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077a51790 5 bytes JMP 0000000077bb03c0 .text C:\Windows\system32\services.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077a517e0 5 bytes JMP 0000000077bb03f0 .text C:\Windows\system32\services.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077a51940 5 bytes JMP 0000000077bb0230 .text C:\Windows\system32\services.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a51b00 5 bytes JMP 0000000077bb0480 .text C:\Windows\system32\services.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077a51b30 5 bytes JMP 0000000077bb03a0 .text C:\Windows\system32\services.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077a51c10 5 bytes JMP 0000000077bb02f0 .text C:\Windows\system32\services.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077a51c20 5 bytes JMP 0000000077bb0350 .text C:\Windows\system32\services.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077a51c80 5 bytes JMP 0000000077bb0290 .text C:\Windows\system32\services.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077a51d10 5 bytes JMP 0000000077bb02b0 .text C:\Windows\system32\services.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077a51d30 5 bytes JMP 0000000077bb03d0 .text C:\Windows\system32\services.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077a51d40 5 bytes JMP 0000000077bb0330 .text C:\Windows\system32\services.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077a51db0 5 bytes JMP 0000000077bb0410 .text C:\Windows\system32\services.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077a51de0 5 bytes JMP 0000000077bb0240 .text C:\Windows\system32\services.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077a520a0 5 bytes JMP 0000000077bb01e0 .text C:\Windows\system32\services.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077a52160 5 bytes JMP 0000000077bb0250 .text C:\Windows\system32\services.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077a52190 5 bytes JMP 0000000077bb0490 .text C:\Windows\system32\services.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077a521a0 5 bytes JMP 0000000077bb04a0 .text C:\Windows\system32\services.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077a521d0 5 bytes JMP 0000000077bb0300 .text C:\Windows\system32\services.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077a521e0 5 bytes JMP 0000000077bb0360 .text C:\Windows\system32\services.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077a52240 5 bytes JMP 0000000077bb02a0 .text C:\Windows\system32\services.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077a52290 5 bytes JMP 0000000077bb02c0 .text C:\Windows\system32\services.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077a522c0 5 bytes JMP 0000000077bb0380 .text C:\Windows\system32\services.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077a522d0 5 bytes JMP 0000000077bb0340 .text C:\Windows\system32\services.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077a525c0 5 bytes JMP 0000000077bb0440 .text C:\Windows\system32\services.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077a527c0 5 bytes JMP 0000000077bb0260 .text C:\Windows\system32\services.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077a527d0 5 bytes JMP 0000000077bb0270 .text C:\Windows\system32\services.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077a527e0 5 bytes JMP 0000000077bb0400 .text C:\Windows\system32\services.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077a529a0 5 bytes JMP 0000000077bb01f0 .text C:\Windows\system32\services.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077a529b0 5 bytes JMP 0000000077bb0210 .text C:\Windows\system32\services.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077a52a20 5 bytes JMP 0000000077bb0200 .text C:\Windows\system32\services.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077a52a80 5 bytes JMP 0000000077bb0420 .text C:\Windows\system32\services.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077a52a90 5 bytes JMP 0000000077bb0430 .text C:\Windows\system32\services.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077a52aa0 5 bytes JMP 0000000077bb0220 .text C:\Windows\system32\services.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077a52b80 5 bytes JMP 0000000077bb0280 .text C:\Windows\system32\services.exe[604] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007793eecd 1 byte [62] .text C:\Windows\system32\lsass.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077a51360 5 bytes JMP 0000000100070460 .text C:\Windows\system32\lsass.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077a513b0 5 bytes JMP 0000000100070450 .text C:\Windows\system32\lsass.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077a51510 5 bytes JMP 0000000100070370 .text C:\Windows\system32\lsass.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077a51560 5 bytes JMP 0000000100070470 .text C:\Windows\system32\lsass.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077a51570 5 bytes JMP 00000001000703e0 .text C:\Windows\system32\lsass.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077a51620 5 bytes JMP 0000000100070320 .text C:\Windows\system32\lsass.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077a51650 5 bytes JMP 00000001000703b0 .text C:\Windows\system32\lsass.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077a51670 5 bytes JMP 0000000100070390 .text C:\Windows\system32\lsass.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077a516b0 5 bytes JMP 00000001000702e0 .text C:\Windows\system32\lsass.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077a51730 5 bytes JMP 00000001000702d0 .text C:\Windows\system32\lsass.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077a51750 5 bytes JMP 0000000100070310 .text C:\Windows\system32\lsass.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077a51790 5 bytes JMP 00000001000703c0 .text C:\Windows\system32\lsass.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077a517e0 5 bytes JMP 00000001000703f0 .text C:\Windows\system32\lsass.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077a51940 5 bytes JMP 0000000100070230 .text C:\Windows\system32\lsass.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a51b00 5 bytes JMP 0000000100070480 .text C:\Windows\system32\lsass.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077a51b30 5 bytes JMP 00000001000703a0 .text C:\Windows\system32\lsass.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077a51c10 5 bytes JMP 00000001000702f0 .text C:\Windows\system32\lsass.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077a51c20 5 bytes JMP 0000000100070350 .text C:\Windows\system32\lsass.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077a51c80 5 bytes JMP 0000000100070290 .text C:\Windows\system32\lsass.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077a51d10 5 bytes JMP 00000001000702b0 .text C:\Windows\system32\lsass.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077a51d30 5 bytes JMP 00000001000703d0 .text C:\Windows\system32\lsass.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077a51d40 5 bytes JMP 0000000100070330 .text C:\Windows\system32\lsass.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077a51db0 5 bytes JMP 0000000100070410 .text C:\Windows\system32\lsass.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077a51de0 5 bytes JMP 0000000100070240 .text C:\Windows\system32\lsass.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077a520a0 5 bytes JMP 00000001000701e0 .text C:\Windows\system32\lsass.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077a52160 5 bytes JMP 0000000100070250 .text C:\Windows\system32\lsass.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077a52190 5 bytes JMP 0000000100070490 .text C:\Windows\system32\lsass.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077a521a0 5 bytes JMP 00000001000704a0 .text C:\Windows\system32\lsass.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077a521d0 5 bytes JMP 0000000100070300 .text C:\Windows\system32\lsass.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077a521e0 5 bytes JMP 0000000100070360 .text C:\Windows\system32\lsass.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077a52240 5 bytes JMP 00000001000702a0 .text C:\Windows\system32\lsass.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077a52290 5 bytes JMP 00000001000702c0 .text C:\Windows\system32\lsass.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077a522c0 5 bytes JMP 0000000100070380 .text C:\Windows\system32\lsass.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077a522d0 5 bytes JMP 0000000100070340 .text C:\Windows\system32\lsass.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077a525c0 5 bytes JMP 0000000100070440 .text C:\Windows\system32\lsass.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077a527c0 5 bytes JMP 0000000100070260 .text C:\Windows\system32\lsass.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077a527d0 5 bytes JMP 0000000100070270 .text C:\Windows\system32\lsass.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077a527e0 5 bytes JMP 0000000100070400 .text C:\Windows\system32\lsass.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077a529a0 5 bytes JMP 00000001000701f0 .text C:\Windows\system32\lsass.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077a529b0 5 bytes JMP 0000000100070210 .text C:\Windows\system32\lsass.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077a52a20 5 bytes JMP 0000000100070200 .text C:\Windows\system32\lsass.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077a52a80 5 bytes JMP 0000000100070420 .text C:\Windows\system32\lsass.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077a52a90 5 bytes JMP 0000000100070430 .text C:\Windows\system32\lsass.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077a52aa0 5 bytes JMP 0000000100070220 .text C:\Windows\system32\lsass.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077a52b80 5 bytes JMP 0000000100070280 .text C:\Windows\system32\lsm.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077a51360 5 bytes JMP 0000000100070460 .text C:\Windows\system32\lsm.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077a513b0 5 bytes JMP 0000000100070450 .text C:\Windows\system32\lsm.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077a51510 5 bytes JMP 0000000100070370 .text C:\Windows\system32\lsm.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077a51560 5 bytes JMP 0000000100070470 .text C:\Windows\system32\lsm.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077a51570 5 bytes JMP 00000001000703e0 .text C:\Windows\system32\lsm.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077a51620 5 bytes JMP 0000000100070320 .text C:\Windows\system32\lsm.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077a51650 5 bytes JMP 00000001000703b0 .text C:\Windows\system32\lsm.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077a51670 5 bytes JMP 0000000100070390 .text C:\Windows\system32\lsm.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077a516b0 5 bytes JMP 00000001000702e0 .text C:\Windows\system32\lsm.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077a51730 5 bytes JMP 00000001000702d0 .text C:\Windows\system32\lsm.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077a51750 5 bytes JMP 0000000100070310 .text C:\Windows\system32\lsm.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077a51790 5 bytes JMP 00000001000703c0 .text C:\Windows\system32\lsm.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077a517e0 5 bytes JMP 00000001000703f0 .text C:\Windows\system32\lsm.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077a51940 5 bytes JMP 0000000100070230 .text C:\Windows\system32\lsm.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a51b00 5 bytes JMP 0000000100070480 .text C:\Windows\system32\lsm.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077a51b30 5 bytes JMP 00000001000703a0 .text C:\Windows\system32\lsm.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077a51c10 5 bytes JMP 00000001000702f0 .text C:\Windows\system32\lsm.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077a51c20 5 bytes JMP 0000000100070350 .text C:\Windows\system32\lsm.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077a51c80 5 bytes JMP 0000000100070290 .text C:\Windows\system32\lsm.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077a51d10 5 bytes JMP 00000001000702b0 .text C:\Windows\system32\lsm.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077a51d30 5 bytes JMP 00000001000703d0 .text C:\Windows\system32\lsm.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077a51d40 5 bytes JMP 0000000100070330 .text C:\Windows\system32\lsm.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077a51db0 5 bytes JMP 0000000100070410 .text C:\Windows\system32\lsm.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077a51de0 5 bytes JMP 0000000100070240 .text C:\Windows\system32\lsm.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077a520a0 5 bytes JMP 00000001000701e0 .text C:\Windows\system32\lsm.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077a52160 5 bytes JMP 0000000100070250 .text C:\Windows\system32\lsm.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077a52190 5 bytes JMP 0000000100070490 .text C:\Windows\system32\lsm.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077a521a0 5 bytes JMP 00000001000704a0 .text C:\Windows\system32\lsm.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077a521d0 5 bytes JMP 0000000100070300 .text C:\Windows\system32\lsm.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077a521e0 5 bytes JMP 0000000100070360 .text C:\Windows\system32\lsm.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077a52240 5 bytes JMP 00000001000702a0 .text C:\Windows\system32\lsm.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077a52290 5 bytes JMP 00000001000702c0 .text C:\Windows\system32\lsm.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077a522c0 5 bytes JMP 0000000100070380 .text C:\Windows\system32\lsm.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077a522d0 5 bytes JMP 0000000100070340 .text C:\Windows\system32\lsm.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077a525c0 5 bytes JMP 0000000100070440 .text C:\Windows\system32\lsm.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077a527c0 5 bytes JMP 0000000100070260 .text C:\Windows\system32\lsm.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077a527d0 5 bytes JMP 0000000100070270 .text C:\Windows\system32\lsm.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077a527e0 5 bytes JMP 0000000100070400 .text C:\Windows\system32\lsm.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077a529a0 5 bytes JMP 00000001000701f0 .text C:\Windows\system32\lsm.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077a529b0 5 bytes JMP 0000000100070210 .text C:\Windows\system32\lsm.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077a52a20 5 bytes JMP 0000000100070200 .text C:\Windows\system32\lsm.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077a52a80 5 bytes JMP 0000000100070420 .text C:\Windows\system32\lsm.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077a52a90 5 bytes JMP 0000000100070430 .text C:\Windows\system32\lsm.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077a52aa0 5 bytes JMP 0000000100070220 .text C:\Windows\system32\lsm.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077a52b80 5 bytes JMP 0000000100070280 .text C:\Windows\system32\svchost.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077a51360 5 bytes JMP 0000000077bb0460 .text C:\Windows\system32\svchost.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077a513b0 5 bytes JMP 0000000077bb0450 .text C:\Windows\system32\svchost.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077a51510 5 bytes JMP 0000000077bb0370 .text C:\Windows\system32\svchost.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077a51560 5 bytes JMP 0000000077bb0470 .text C:\Windows\system32\svchost.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077a51570 5 bytes JMP 0000000077bb03e0 .text C:\Windows\system32\svchost.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077a51620 5 bytes JMP 0000000077bb0320 .text C:\Windows\system32\svchost.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077a51650 5 bytes JMP 0000000077bb03b0 .text C:\Windows\system32\svchost.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077a51670 5 bytes JMP 0000000077bb0390 .text C:\Windows\system32\svchost.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077a516b0 5 bytes JMP 0000000077bb02e0 .text C:\Windows\system32\svchost.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077a51730 5 bytes JMP 0000000077bb02d0 .text C:\Windows\system32\svchost.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077a51750 5 bytes JMP 0000000077bb0310 .text C:\Windows\system32\svchost.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077a51790 5 bytes JMP 0000000077bb03c0 .text C:\Windows\system32\svchost.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077a517e0 5 bytes JMP 0000000077bb03f0 .text C:\Windows\system32\svchost.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077a51940 5 bytes JMP 0000000077bb0230 .text C:\Windows\system32\svchost.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a51b00 5 bytes JMP 0000000077bb0480 .text C:\Windows\system32\svchost.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077a51b30 5 bytes JMP 0000000077bb03a0 .text C:\Windows\system32\svchost.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077a51c10 5 bytes JMP 0000000077bb02f0 .text C:\Windows\system32\svchost.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077a51c20 5 bytes JMP 0000000077bb0350 .text C:\Windows\system32\svchost.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077a51c80 5 bytes JMP 0000000077bb0290 .text C:\Windows\system32\svchost.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077a51d10 5 bytes JMP 0000000077bb02b0 .text C:\Windows\system32\svchost.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077a51d30 5 bytes JMP 0000000077bb03d0 .text C:\Windows\system32\svchost.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077a51d40 5 bytes JMP 0000000077bb0330 .text C:\Windows\system32\svchost.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077a51db0 5 bytes JMP 0000000077bb0410 .text C:\Windows\system32\svchost.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077a51de0 5 bytes JMP 0000000077bb0240 .text C:\Windows\system32\svchost.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077a520a0 5 bytes JMP 0000000077bb01e0 .text C:\Windows\system32\svchost.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077a52160 5 bytes JMP 0000000077bb0250 .text C:\Windows\system32\svchost.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077a52190 5 bytes JMP 0000000077bb0490 .text C:\Windows\system32\svchost.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077a521a0 5 bytes JMP 0000000077bb04a0 .text C:\Windows\system32\svchost.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077a521d0 5 bytes JMP 0000000077bb0300 .text C:\Windows\system32\svchost.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077a521e0 5 bytes JMP 0000000077bb0360 .text C:\Windows\system32\svchost.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077a52240 5 bytes JMP 0000000077bb02a0 .text C:\Windows\system32\svchost.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077a52290 5 bytes JMP 0000000077bb02c0 .text C:\Windows\system32\svchost.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077a522c0 5 bytes JMP 0000000077bb0380 .text C:\Windows\system32\svchost.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077a522d0 5 bytes JMP 0000000077bb0340 .text C:\Windows\system32\svchost.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077a525c0 5 bytes JMP 0000000077bb0440 .text C:\Windows\system32\svchost.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077a527c0 5 bytes JMP 0000000077bb0260 .text C:\Windows\system32\svchost.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077a527d0 5 bytes JMP 0000000077bb0270 .text C:\Windows\system32\svchost.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077a527e0 5 bytes JMP 0000000077bb0400 .text C:\Windows\system32\svchost.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077a529a0 5 bytes JMP 0000000077bb01f0 .text C:\Windows\system32\svchost.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077a529b0 5 bytes JMP 0000000077bb0210 .text C:\Windows\system32\svchost.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077a52a20 5 bytes JMP 0000000077bb0200 .text C:\Windows\system32\svchost.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077a52a80 5 bytes JMP 0000000077bb0420 .text C:\Windows\system32\svchost.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077a52a90 5 bytes JMP 0000000077bb0430 .text C:\Windows\system32\svchost.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077a52aa0 5 bytes JMP 0000000077bb0220 .text C:\Windows\system32\svchost.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077a52b80 5 bytes JMP 0000000077bb0280 .text C:\Windows\system32\svchost.exe[728] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007793eecd 1 byte [62] .text C:\Windows\system32\svchost.exe[828] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077a51360 5 bytes JMP 0000000077bb0460 .text C:\Windows\system32\svchost.exe[828] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077a513b0 5 bytes JMP 0000000077bb0450 .text C:\Windows\system32\svchost.exe[828] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077a51510 5 bytes JMP 0000000077bb0370 .text C:\Windows\system32\svchost.exe[828] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077a51560 5 bytes JMP 0000000077bb0470 .text C:\Windows\system32\svchost.exe[828] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077a51570 5 bytes JMP 0000000077bb03e0 .text C:\Windows\system32\svchost.exe[828] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077a51620 5 bytes JMP 0000000077bb0320 .text C:\Windows\system32\svchost.exe[828] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077a51650 5 bytes JMP 0000000077bb03b0 .text C:\Windows\system32\svchost.exe[828] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077a51670 5 bytes JMP 0000000077bb0390 .text C:\Windows\system32\svchost.exe[828] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077a516b0 5 bytes JMP 0000000077bb02e0 .text C:\Windows\system32\svchost.exe[828] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077a51730 5 bytes JMP 0000000077bb02d0 .text C:\Windows\system32\svchost.exe[828] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077a51750 5 bytes JMP 0000000077bb0310 .text C:\Windows\system32\svchost.exe[828] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077a51790 5 bytes JMP 0000000077bb03c0 .text C:\Windows\system32\svchost.exe[828] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077a517e0 5 bytes JMP 0000000077bb03f0 .text C:\Windows\system32\svchost.exe[828] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077a51940 5 bytes JMP 0000000077bb0230 .text C:\Windows\system32\svchost.exe[828] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a51b00 5 bytes JMP 0000000077bb0480 .text C:\Windows\system32\svchost.exe[828] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077a51b30 5 bytes JMP 0000000077bb03a0 .text C:\Windows\system32\svchost.exe[828] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077a51c10 5 bytes JMP 0000000077bb02f0 .text C:\Windows\system32\svchost.exe[828] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077a51c20 5 bytes JMP 0000000077bb0350 .text C:\Windows\system32\svchost.exe[828] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077a51c80 5 bytes JMP 0000000077bb0290 .text C:\Windows\system32\svchost.exe[828] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077a51d10 5 bytes JMP 0000000077bb02b0 .text C:\Windows\system32\svchost.exe[828] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077a51d30 5 bytes JMP 0000000077bb03d0 .text C:\Windows\system32\svchost.exe[828] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077a51d40 5 bytes JMP 0000000077bb0330 .text C:\Windows\system32\svchost.exe[828] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077a51db0 5 bytes JMP 0000000077bb0410 .text C:\Windows\system32\svchost.exe[828] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077a51de0 5 bytes JMP 0000000077bb0240 .text C:\Windows\system32\svchost.exe[828] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077a520a0 5 bytes JMP 0000000077bb01e0 .text C:\Windows\system32\svchost.exe[828] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077a52160 5 bytes JMP 0000000077bb0250 .text C:\Windows\system32\svchost.exe[828] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077a52190 5 bytes JMP 0000000077bb0490 .text C:\Windows\system32\svchost.exe[828] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077a521a0 5 bytes JMP 0000000077bb04a0 .text C:\Windows\system32\svchost.exe[828] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077a521d0 5 bytes JMP 0000000077bb0300 .text C:\Windows\system32\svchost.exe[828] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077a521e0 5 bytes JMP 0000000077bb0360 .text C:\Windows\system32\svchost.exe[828] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077a52240 5 bytes JMP 0000000077bb02a0 .text C:\Windows\system32\svchost.exe[828] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077a52290 5 bytes JMP 0000000077bb02c0 .text C:\Windows\system32\svchost.exe[828] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077a522c0 5 bytes JMP 0000000077bb0380 .text C:\Windows\system32\svchost.exe[828] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077a522d0 5 bytes JMP 0000000077bb0340 .text C:\Windows\system32\svchost.exe[828] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077a525c0 5 bytes JMP 0000000077bb0440 .text C:\Windows\system32\svchost.exe[828] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077a527c0 5 bytes JMP 0000000077bb0260 .text C:\Windows\system32\svchost.exe[828] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077a527d0 5 bytes JMP 0000000077bb0270 .text C:\Windows\system32\svchost.exe[828] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077a527e0 5 bytes JMP 0000000077bb0400 .text C:\Windows\system32\svchost.exe[828] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077a529a0 5 bytes JMP 0000000077bb01f0 .text C:\Windows\system32\svchost.exe[828] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077a529b0 5 bytes JMP 0000000077bb0210 .text C:\Windows\system32\svchost.exe[828] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077a52a20 5 bytes JMP 0000000077bb0200 .text C:\Windows\system32\svchost.exe[828] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077a52a80 5 bytes JMP 0000000077bb0420 .text C:\Windows\system32\svchost.exe[828] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077a52a90 5 bytes JMP 0000000077bb0430 .text C:\Windows\system32\svchost.exe[828] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077a52aa0 5 bytes JMP 0000000077bb0220 .text C:\Windows\system32\svchost.exe[828] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077a52b80 5 bytes JMP 0000000077bb0280 .text C:\Windows\system32\atiesrxx.exe[892] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007793eecd 1 byte [62] .text C:\Windows\System32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077a51360 5 bytes JMP 0000000100070460 .text C:\Windows\System32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077a513b0 5 bytes JMP 0000000100070450 .text C:\Windows\System32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077a51510 5 bytes JMP 0000000100070370 .text C:\Windows\System32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077a51560 5 bytes JMP 0000000100070470 .text C:\Windows\System32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077a51570 5 bytes JMP 00000001000703e0 .text C:\Windows\System32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077a51620 5 bytes JMP 0000000100070320 .text C:\Windows\System32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077a51650 5 bytes JMP 00000001000703b0 .text C:\Windows\System32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077a51670 5 bytes JMP 0000000100070390 .text C:\Windows\System32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077a516b0 5 bytes JMP 00000001000702e0 .text C:\Windows\System32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077a51730 5 bytes JMP 00000001000702d0 .text C:\Windows\System32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077a51750 5 bytes JMP 0000000100070310 .text C:\Windows\System32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077a51790 5 bytes JMP 00000001000703c0 .text C:\Windows\System32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077a517e0 5 bytes JMP 00000001000703f0 .text C:\Windows\System32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077a51940 5 bytes JMP 0000000100070230 .text C:\Windows\System32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a51b00 5 bytes JMP 0000000100070480 .text C:\Windows\System32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077a51b30 5 bytes JMP 00000001000703a0 .text C:\Windows\System32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077a51c10 5 bytes JMP 00000001000702f0 .text C:\Windows\System32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077a51c20 5 bytes JMP 0000000100070350 .text C:\Windows\System32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077a51c80 5 bytes JMP 0000000100070290 .text C:\Windows\System32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077a51d10 5 bytes JMP 00000001000702b0 .text C:\Windows\System32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077a51d30 5 bytes JMP 00000001000703d0 .text C:\Windows\System32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077a51d40 5 bytes JMP 0000000100070330 .text C:\Windows\System32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077a51db0 5 bytes JMP 0000000100070410 .text C:\Windows\System32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077a51de0 5 bytes JMP 0000000100070240 .text C:\Windows\System32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077a520a0 5 bytes JMP 00000001000701e0 .text C:\Windows\System32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077a52160 5 bytes JMP 0000000100070250 .text C:\Windows\System32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077a52190 5 bytes JMP 0000000100070490 .text C:\Windows\System32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077a521a0 5 bytes JMP 00000001000704a0 .text C:\Windows\System32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077a521d0 5 bytes JMP 0000000100070300 .text C:\Windows\System32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077a521e0 5 bytes JMP 0000000100070360 .text C:\Windows\System32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077a52240 5 bytes JMP 00000001000702a0 .text C:\Windows\System32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077a52290 5 bytes JMP 00000001000702c0 .text C:\Windows\System32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077a522c0 5 bytes JMP 0000000100070380 .text C:\Windows\System32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077a522d0 5 bytes JMP 0000000100070340 .text C:\Windows\System32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077a525c0 5 bytes JMP 0000000100070440 .text C:\Windows\System32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077a527c0 5 bytes JMP 0000000100070260 .text C:\Windows\System32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077a527d0 5 bytes JMP 0000000100070270 .text C:\Windows\System32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077a527e0 5 bytes JMP 0000000100070400 .text C:\Windows\System32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077a529a0 5 bytes JMP 00000001000701f0 .text C:\Windows\System32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077a529b0 5 bytes JMP 0000000100070210 .text C:\Windows\System32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077a52a20 5 bytes JMP 0000000100070200 .text C:\Windows\System32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077a52a80 5 bytes JMP 0000000100070420 .text C:\Windows\System32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077a52a90 5 bytes JMP 0000000100070430 .text C:\Windows\System32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077a52aa0 5 bytes JMP 0000000100070220 .text C:\Windows\System32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077a52b80 5 bytes JMP 0000000100070280 .text C:\Windows\System32\svchost.exe[964] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007793eecd 1 byte [62] .text C:\Windows\System32\svchost.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077a51360 5 bytes JMP 0000000077bb0460 .text C:\Windows\System32\svchost.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077a513b0 5 bytes JMP 0000000077bb0450 .text C:\Windows\System32\svchost.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077a51510 5 bytes JMP 0000000077bb0370 .text C:\Windows\System32\svchost.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077a51560 5 bytes JMP 0000000077bb0470 .text C:\Windows\System32\svchost.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077a51570 5 bytes JMP 0000000077bb03e0 .text C:\Windows\System32\svchost.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077a51620 5 bytes JMP 0000000077bb0320 .text C:\Windows\System32\svchost.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077a51650 5 bytes JMP 0000000077bb03b0 .text C:\Windows\System32\svchost.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077a51670 5 bytes JMP 0000000077bb0390 .text C:\Windows\System32\svchost.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077a516b0 5 bytes JMP 0000000077bb02e0 .text C:\Windows\System32\svchost.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077a51730 5 bytes JMP 0000000077bb02d0 .text C:\Windows\System32\svchost.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077a51750 5 bytes JMP 0000000077bb0310 .text C:\Windows\System32\svchost.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077a51790 5 bytes JMP 0000000077bb03c0 .text C:\Windows\System32\svchost.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077a517e0 5 bytes JMP 0000000077bb03f0 .text C:\Windows\System32\svchost.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077a51940 5 bytes JMP 0000000077bb0230 .text C:\Windows\System32\svchost.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a51b00 5 bytes JMP 0000000077bb0480 .text C:\Windows\System32\svchost.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077a51b30 5 bytes JMP 0000000077bb03a0 .text C:\Windows\System32\svchost.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077a51c10 5 bytes JMP 0000000077bb02f0 .text C:\Windows\System32\svchost.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077a51c20 5 bytes JMP 0000000077bb0350 .text C:\Windows\System32\svchost.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077a51c80 5 bytes JMP 0000000077bb0290 .text C:\Windows\System32\svchost.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077a51d10 5 bytes JMP 0000000077bb02b0 .text C:\Windows\System32\svchost.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077a51d30 5 bytes JMP 0000000077bb03d0 .text C:\Windows\System32\svchost.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077a51d40 5 bytes JMP 0000000077bb0330 .text C:\Windows\System32\svchost.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077a51db0 5 bytes JMP 0000000077bb0410 .text C:\Windows\System32\svchost.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077a51de0 5 bytes JMP 0000000077bb0240 .text C:\Windows\System32\svchost.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077a520a0 5 bytes JMP 0000000077bb01e0 .text C:\Windows\System32\svchost.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077a52160 5 bytes JMP 0000000077bb0250 .text C:\Windows\System32\svchost.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077a52190 5 bytes JMP 0000000077bb0490 .text C:\Windows\System32\svchost.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077a521a0 5 bytes JMP 0000000077bb04a0 .text C:\Windows\System32\svchost.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077a521d0 5 bytes JMP 0000000077bb0300 .text C:\Windows\System32\svchost.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077a521e0 5 bytes JMP 0000000077bb0360 .text C:\Windows\System32\svchost.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077a52240 5 bytes JMP 0000000077bb02a0 .text C:\Windows\System32\svchost.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077a52290 5 bytes JMP 0000000077bb02c0 .text C:\Windows\System32\svchost.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077a522c0 5 bytes JMP 0000000077bb0380 .text C:\Windows\System32\svchost.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077a522d0 5 bytes JMP 0000000077bb0340 .text C:\Windows\System32\svchost.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077a525c0 5 bytes JMP 0000000077bb0440 .text C:\Windows\System32\svchost.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077a527c0 5 bytes JMP 0000000077bb0260 .text C:\Windows\System32\svchost.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077a527d0 5 bytes JMP 0000000077bb0270 .text C:\Windows\System32\svchost.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077a527e0 5 bytes JMP 0000000077bb0400 .text C:\Windows\System32\svchost.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077a529a0 5 bytes JMP 0000000077bb01f0 .text C:\Windows\System32\svchost.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077a529b0 5 bytes JMP 0000000077bb0210 .text C:\Windows\System32\svchost.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077a52a20 5 bytes JMP 0000000077bb0200 .text C:\Windows\System32\svchost.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077a52a80 5 bytes JMP 0000000077bb0420 .text C:\Windows\System32\svchost.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077a52a90 5 bytes JMP 0000000077bb0430 .text C:\Windows\System32\svchost.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077a52aa0 5 bytes JMP 0000000077bb0220 .text C:\Windows\System32\svchost.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077a52b80 5 bytes JMP 0000000077bb0280 .text C:\Windows\System32\svchost.exe[1008] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007793eecd 1 byte [62] .text C:\Windows\system32\svchost.exe[340] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077a51360 5 bytes JMP 0000000077bb0460 .text C:\Windows\system32\svchost.exe[340] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077a513b0 5 bytes JMP 0000000077bb0450 .text C:\Windows\system32\svchost.exe[340] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077a51510 5 bytes JMP 0000000077bb0370 .text C:\Windows\system32\svchost.exe[340] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077a51560 5 bytes JMP 0000000077bb0470 .text C:\Windows\system32\svchost.exe[340] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077a51570 5 bytes JMP 0000000077bb03e0 .text C:\Windows\system32\svchost.exe[340] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077a51620 5 bytes JMP 0000000077bb0320 .text C:\Windows\system32\svchost.exe[340] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077a51650 5 bytes JMP 0000000077bb03b0 .text C:\Windows\system32\svchost.exe[340] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077a51670 5 bytes JMP 0000000077bb0390 .text C:\Windows\system32\svchost.exe[340] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077a516b0 5 bytes JMP 0000000077bb02e0 .text C:\Windows\system32\svchost.exe[340] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077a51730 5 bytes JMP 0000000077bb02d0 .text C:\Windows\system32\svchost.exe[340] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077a51750 5 bytes JMP 0000000077bb0310 .text C:\Windows\system32\svchost.exe[340] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077a51790 5 bytes JMP 0000000077bb03c0 .text C:\Windows\system32\svchost.exe[340] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077a517e0 5 bytes JMP 0000000077bb03f0 .text C:\Windows\system32\svchost.exe[340] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077a51940 5 bytes JMP 0000000077bb0230 .text C:\Windows\system32\svchost.exe[340] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a51b00 5 bytes JMP 0000000077bb0480 .text C:\Windows\system32\svchost.exe[340] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077a51b30 5 bytes JMP 0000000077bb03a0 .text C:\Windows\system32\svchost.exe[340] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077a51c10 5 bytes JMP 0000000077bb02f0 .text C:\Windows\system32\svchost.exe[340] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077a51c20 5 bytes JMP 0000000077bb0350 .text C:\Windows\system32\svchost.exe[340] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077a51c80 5 bytes JMP 0000000077bb0290 .text C:\Windows\system32\svchost.exe[340] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077a51d10 5 bytes JMP 0000000077bb02b0 .text C:\Windows\system32\svchost.exe[340] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077a51d30 5 bytes JMP 0000000077bb03d0 .text C:\Windows\system32\svchost.exe[340] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077a51d40 5 bytes JMP 0000000077bb0330 .text C:\Windows\system32\svchost.exe[340] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077a51db0 5 bytes JMP 0000000077bb0410 .text C:\Windows\system32\svchost.exe[340] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077a51de0 5 bytes JMP 0000000077bb0240 .text C:\Windows\system32\svchost.exe[340] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077a520a0 5 bytes JMP 0000000077bb01e0 .text C:\Windows\system32\svchost.exe[340] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077a52160 5 bytes JMP 0000000077bb0250 .text C:\Windows\system32\svchost.exe[340] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077a52190 5 bytes JMP 0000000077bb0490 .text C:\Windows\system32\svchost.exe[340] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077a521a0 5 bytes JMP 0000000077bb04a0 .text C:\Windows\system32\svchost.exe[340] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077a521d0 5 bytes JMP 0000000077bb0300 .text C:\Windows\system32\svchost.exe[340] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077a521e0 5 bytes JMP 0000000077bb0360 .text C:\Windows\system32\svchost.exe[340] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077a52240 5 bytes JMP 0000000077bb02a0 .text C:\Windows\system32\svchost.exe[340] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077a52290 5 bytes JMP 0000000077bb02c0 .text C:\Windows\system32\svchost.exe[340] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077a522c0 5 bytes JMP 0000000077bb0380 .text C:\Windows\system32\svchost.exe[340] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077a522d0 5 bytes JMP 0000000077bb0340 .text C:\Windows\system32\svchost.exe[340] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077a525c0 5 bytes JMP 0000000077bb0440 .text C:\Windows\system32\svchost.exe[340] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077a527c0 5 bytes JMP 0000000077bb0260 .text C:\Windows\system32\svchost.exe[340] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077a527d0 5 bytes JMP 0000000077bb0270 .text C:\Windows\system32\svchost.exe[340] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077a527e0 5 bytes JMP 0000000077bb0400 .text C:\Windows\system32\svchost.exe[340] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077a529a0 5 bytes JMP 0000000077bb01f0 .text C:\Windows\system32\svchost.exe[340] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077a529b0 5 bytes JMP 0000000077bb0210 .text C:\Windows\system32\svchost.exe[340] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077a52a20 5 bytes JMP 0000000077bb0200 .text C:\Windows\system32\svchost.exe[340] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077a52a80 5 bytes JMP 0000000077bb0420 .text C:\Windows\system32\svchost.exe[340] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077a52a90 5 bytes JMP 0000000077bb0430 .text C:\Windows\system32\svchost.exe[340] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077a52aa0 5 bytes JMP 0000000077bb0220 .text C:\Windows\system32\svchost.exe[340] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077a52b80 5 bytes JMP 0000000077bb0280 .text C:\Windows\system32\svchost.exe[340] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007793eecd 1 byte [62] .text C:\Windows\system32\svchost.exe[364] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077a51360 5 bytes JMP 0000000077bb0460 .text C:\Windows\system32\svchost.exe[364] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077a513b0 5 bytes JMP 0000000077bb0450 .text C:\Windows\system32\svchost.exe[364] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077a51510 5 bytes JMP 0000000077bb0370 .text C:\Windows\system32\svchost.exe[364] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077a51560 5 bytes JMP 0000000077bb0470 .text C:\Windows\system32\svchost.exe[364] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077a51570 5 bytes JMP 0000000077bb03e0 .text C:\Windows\system32\svchost.exe[364] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077a51620 5 bytes JMP 0000000077bb0320 .text C:\Windows\system32\svchost.exe[364] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077a51650 5 bytes JMP 0000000077bb03b0 .text C:\Windows\system32\svchost.exe[364] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077a51670 5 bytes JMP 0000000077bb0390 .text C:\Windows\system32\svchost.exe[364] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077a516b0 5 bytes JMP 0000000077bb02e0 .text C:\Windows\system32\svchost.exe[364] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077a51730 5 bytes JMP 0000000077bb02d0 .text C:\Windows\system32\svchost.exe[364] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077a51750 5 bytes JMP 0000000077bb0310 .text C:\Windows\system32\svchost.exe[364] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077a51790 5 bytes JMP 0000000077bb03c0 .text C:\Windows\system32\svchost.exe[364] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077a517e0 5 bytes JMP 0000000077bb03f0 .text C:\Windows\system32\svchost.exe[364] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077a51940 5 bytes JMP 0000000077bb0230 .text C:\Windows\system32\svchost.exe[364] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a51b00 5 bytes JMP 0000000077bb0480 .text C:\Windows\system32\svchost.exe[364] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077a51b30 5 bytes JMP 0000000077bb03a0 .text C:\Windows\system32\svchost.exe[364] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077a51c10 5 bytes JMP 0000000077bb02f0 .text C:\Windows\system32\svchost.exe[364] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077a51c20 5 bytes JMP 0000000077bb0350 .text C:\Windows\system32\svchost.exe[364] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077a51c80 5 bytes JMP 0000000077bb0290 .text C:\Windows\system32\svchost.exe[364] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077a51d10 5 bytes JMP 0000000077bb02b0 .text C:\Windows\system32\svchost.exe[364] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077a51d30 5 bytes JMP 0000000077bb03d0 .text C:\Windows\system32\svchost.exe[364] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077a51d40 5 bytes JMP 0000000077bb0330 .text C:\Windows\system32\svchost.exe[364] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077a51db0 5 bytes JMP 0000000077bb0410 .text C:\Windows\system32\svchost.exe[364] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077a51de0 5 bytes JMP 0000000077bb0240 .text C:\Windows\system32\svchost.exe[364] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077a520a0 5 bytes JMP 0000000077bb01e0 .text C:\Windows\system32\svchost.exe[364] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077a52160 5 bytes JMP 0000000077bb0250 .text C:\Windows\system32\svchost.exe[364] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077a52190 5 bytes JMP 0000000077bb0490 .text C:\Windows\system32\svchost.exe[364] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077a521a0 5 bytes JMP 0000000077bb04a0 .text C:\Windows\system32\svchost.exe[364] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077a521d0 5 bytes JMP 0000000077bb0300 .text C:\Windows\system32\svchost.exe[364] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077a521e0 5 bytes JMP 0000000077bb0360 .text C:\Windows\system32\svchost.exe[364] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077a52240 5 bytes JMP 0000000077bb02a0 .text C:\Windows\system32\svchost.exe[364] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077a52290 5 bytes JMP 0000000077bb02c0 .text C:\Windows\system32\svchost.exe[364] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077a522c0 5 bytes JMP 0000000077bb0380 .text C:\Windows\system32\svchost.exe[364] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077a522d0 5 bytes JMP 0000000077bb0340 .text C:\Windows\system32\svchost.exe[364] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077a525c0 5 bytes JMP 0000000077bb0440 .text C:\Windows\system32\svchost.exe[364] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077a527c0 5 bytes JMP 0000000077bb0260 .text C:\Windows\system32\svchost.exe[364] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077a527d0 5 bytes JMP 0000000077bb0270 .text C:\Windows\system32\svchost.exe[364] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077a527e0 5 bytes JMP 0000000077bb0400 .text C:\Windows\system32\svchost.exe[364] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077a529a0 5 bytes JMP 0000000077bb01f0 .text C:\Windows\system32\svchost.exe[364] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077a529b0 5 bytes JMP 0000000077bb0210 .text C:\Windows\system32\svchost.exe[364] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077a52a20 5 bytes JMP 0000000077bb0200 .text C:\Windows\system32\svchost.exe[364] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077a52a80 5 bytes JMP 0000000077bb0420 .text C:\Windows\system32\svchost.exe[364] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077a52a90 5 bytes JMP 0000000077bb0430 .text C:\Windows\system32\svchost.exe[364] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077a52aa0 5 bytes JMP 0000000077bb0220 .text C:\Windows\system32\svchost.exe[364] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077a52b80 5 bytes JMP 0000000077bb0280 .text C:\Windows\system32\svchost.exe[364] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007793eecd 1 byte [62] .text C:\Windows\system32\AUDIODG.EXE[336] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077a51360 5 bytes JMP 0000000077bb0460 .text C:\Windows\system32\AUDIODG.EXE[336] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077a513b0 5 bytes JMP 0000000077bb0450 .text C:\Windows\system32\AUDIODG.EXE[336] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077a51510 5 bytes JMP 0000000077bb0370 .text C:\Windows\system32\AUDIODG.EXE[336] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077a51560 5 bytes JMP 0000000077bb0470 .text C:\Windows\system32\AUDIODG.EXE[336] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077a51570 5 bytes JMP 0000000077bb03e0 .text C:\Windows\system32\AUDIODG.EXE[336] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077a51620 5 bytes JMP 0000000077bb0320 .text C:\Windows\system32\AUDIODG.EXE[336] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077a51650 5 bytes JMP 0000000077bb03b0 .text C:\Windows\system32\AUDIODG.EXE[336] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077a51670 5 bytes JMP 0000000077bb0390 .text C:\Windows\system32\AUDIODG.EXE[336] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077a516b0 5 bytes JMP 0000000077bb02e0 .text C:\Windows\system32\AUDIODG.EXE[336] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077a51730 5 bytes JMP 0000000077bb02d0 .text C:\Windows\system32\AUDIODG.EXE[336] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077a51750 5 bytes JMP 0000000077bb0310 .text C:\Windows\system32\AUDIODG.EXE[336] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077a51790 5 bytes JMP 0000000077bb03c0 .text C:\Windows\system32\AUDIODG.EXE[336] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077a517e0 5 bytes JMP 0000000077bb03f0 .text C:\Windows\system32\AUDIODG.EXE[336] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077a51940 5 bytes JMP 0000000077bb0230 .text C:\Windows\system32\AUDIODG.EXE[336] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a51b00 5 bytes JMP 0000000077bb0480 .text C:\Windows\system32\AUDIODG.EXE[336] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077a51b30 5 bytes JMP 0000000077bb03a0 .text C:\Windows\system32\AUDIODG.EXE[336] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077a51c10 5 bytes JMP 0000000077bb02f0 .text C:\Windows\system32\AUDIODG.EXE[336] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077a51c20 5 bytes JMP 0000000077bb0350 .text C:\Windows\system32\AUDIODG.EXE[336] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077a51c80 5 bytes JMP 0000000077bb0290 .text C:\Windows\system32\AUDIODG.EXE[336] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077a51d10 5 bytes JMP 0000000077bb02b0 .text C:\Windows\system32\AUDIODG.EXE[336] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077a51d30 5 bytes JMP 0000000077bb03d0 .text C:\Windows\system32\AUDIODG.EXE[336] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077a51d40 5 bytes JMP 0000000077bb0330 .text C:\Windows\system32\AUDIODG.EXE[336] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077a51db0 5 bytes JMP 0000000077bb0410 .text C:\Windows\system32\AUDIODG.EXE[336] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077a51de0 5 bytes JMP 0000000077bb0240 .text C:\Windows\system32\AUDIODG.EXE[336] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077a520a0 5 bytes JMP 0000000077bb01e0 .text C:\Windows\system32\AUDIODG.EXE[336] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077a52160 5 bytes JMP 0000000077bb0250 .text C:\Windows\system32\AUDIODG.EXE[336] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077a52190 5 bytes JMP 0000000077bb0490 .text C:\Windows\system32\AUDIODG.EXE[336] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077a521a0 5 bytes JMP 0000000077bb04a0 .text C:\Windows\system32\AUDIODG.EXE[336] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077a521d0 5 bytes JMP 0000000077bb0300 .text C:\Windows\system32\AUDIODG.EXE[336] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077a521e0 5 bytes JMP 0000000077bb0360 .text C:\Windows\system32\AUDIODG.EXE[336] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077a52240 5 bytes JMP 0000000077bb02a0 .text C:\Windows\system32\AUDIODG.EXE[336] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077a52290 5 bytes JMP 0000000077bb02c0 .text C:\Windows\system32\AUDIODG.EXE[336] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077a522c0 5 bytes JMP 0000000077bb0380 .text C:\Windows\system32\AUDIODG.EXE[336] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077a522d0 5 bytes JMP 0000000077bb0340 .text C:\Windows\system32\AUDIODG.EXE[336] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077a525c0 5 bytes JMP 0000000077bb0440 .text C:\Windows\system32\AUDIODG.EXE[336] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077a527c0 5 bytes JMP 0000000077bb0260 .text C:\Windows\system32\AUDIODG.EXE[336] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077a527d0 5 bytes JMP 0000000077bb0270 .text C:\Windows\system32\AUDIODG.EXE[336] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077a527e0 5 bytes JMP 0000000077bb0400 .text C:\Windows\system32\AUDIODG.EXE[336] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077a529a0 5 bytes JMP 0000000077bb01f0 .text C:\Windows\system32\AUDIODG.EXE[336] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077a529b0 5 bytes JMP 0000000077bb0210 .text C:\Windows\system32\AUDIODG.EXE[336] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077a52a20 5 bytes JMP 0000000077bb0200 .text C:\Windows\system32\AUDIODG.EXE[336] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077a52a80 5 bytes JMP 0000000077bb0420 .text C:\Windows\system32\AUDIODG.EXE[336] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077a52a90 5 bytes JMP 0000000077bb0430 .text C:\Windows\system32\AUDIODG.EXE[336] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077a52aa0 5 bytes JMP 0000000077bb0220 .text C:\Windows\system32\AUDIODG.EXE[336] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077a52b80 5 bytes JMP 0000000077bb0280 .text C:\Windows\system32\AUDIODG.EXE[336] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007793eecd 1 byte [62] .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077a51360 5 bytes JMP 0000000077bb0460 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077a513b0 5 bytes JMP 0000000077bb0450 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077a51510 5 bytes JMP 0000000077bb0370 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077a51560 5 bytes JMP 0000000077bb0470 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077a51570 5 bytes JMP 0000000077bb03e0 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077a51620 5 bytes JMP 0000000077bb0320 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077a51650 5 bytes JMP 0000000077bb03b0 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077a51670 5 bytes JMP 0000000077bb0390 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077a516b0 5 bytes JMP 0000000077bb02e0 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077a51730 5 bytes JMP 0000000077bb02d0 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077a51750 5 bytes JMP 0000000077bb0310 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077a51790 5 bytes JMP 0000000077bb03c0 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077a517e0 5 bytes JMP 0000000077bb03f0 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077a51940 5 bytes JMP 0000000077bb0230 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a51b00 5 bytes JMP 0000000077bb0480 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077a51b30 5 bytes JMP 0000000077bb03a0 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077a51c10 5 bytes JMP 0000000077bb02f0 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077a51c20 5 bytes JMP 0000000077bb0350 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077a51c80 5 bytes JMP 0000000077bb0290 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077a51d10 5 bytes JMP 0000000077bb02b0 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077a51d30 5 bytes JMP 0000000077bb03d0 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077a51d40 5 bytes JMP 0000000077bb0330 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077a51db0 5 bytes JMP 0000000077bb0410 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077a51de0 5 bytes JMP 0000000077bb0240 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077a520a0 5 bytes JMP 0000000077bb01e0 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077a52160 5 bytes JMP 0000000077bb0250 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077a52190 5 bytes JMP 0000000077bb0490 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077a521a0 5 bytes JMP 0000000077bb04a0 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077a521d0 5 bytes JMP 0000000077bb0300 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077a521e0 5 bytes JMP 0000000077bb0360 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077a52240 5 bytes JMP 0000000077bb02a0 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077a52290 5 bytes JMP 0000000077bb02c0 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077a522c0 5 bytes JMP 0000000077bb0380 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077a522d0 5 bytes JMP 0000000077bb0340 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077a525c0 5 bytes JMP 0000000077bb0440 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077a527c0 5 bytes JMP 0000000077bb0260 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077a527d0 5 bytes JMP 0000000077bb0270 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077a527e0 5 bytes JMP 0000000077bb0400 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077a529a0 5 bytes JMP 0000000077bb01f0 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077a529b0 5 bytes JMP 0000000077bb0210 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077a52a20 5 bytes JMP 0000000077bb0200 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077a52a80 5 bytes JMP 0000000077bb0420 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077a52a90 5 bytes JMP 0000000077bb0430 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077a52aa0 5 bytes JMP 0000000077bb0220 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077a52b80 5 bytes JMP 0000000077bb0280 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007793eecd 1 byte [62] .text C:\Windows\system32\atieclxx.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077a51360 5 bytes JMP 0000000077bb0460 .text C:\Windows\system32\atieclxx.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077a513b0 5 bytes JMP 0000000077bb0450 .text C:\Windows\system32\atieclxx.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077a51510 5 bytes JMP 0000000077bb0370 .text C:\Windows\system32\atieclxx.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077a51560 5 bytes JMP 0000000077bb0470 .text C:\Windows\system32\atieclxx.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077a51570 5 bytes JMP 0000000077bb03e0 .text C:\Windows\system32\atieclxx.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077a51620 5 bytes JMP 0000000077bb0320 .text C:\Windows\system32\atieclxx.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077a51650 5 bytes JMP 0000000077bb03b0 .text C:\Windows\system32\atieclxx.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077a51670 5 bytes JMP 0000000077bb0390 .text C:\Windows\system32\atieclxx.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077a516b0 5 bytes JMP 0000000077bb02e0 .text C:\Windows\system32\atieclxx.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077a51730 5 bytes JMP 0000000077bb02d0 .text C:\Windows\system32\atieclxx.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077a51750 5 bytes JMP 0000000077bb0310 .text C:\Windows\system32\atieclxx.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077a51790 5 bytes JMP 0000000077bb03c0 .text C:\Windows\system32\atieclxx.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077a517e0 5 bytes JMP 0000000077bb03f0 .text C:\Windows\system32\atieclxx.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077a51940 5 bytes JMP 0000000077bb0230 .text C:\Windows\system32\atieclxx.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a51b00 5 bytes JMP 0000000077bb0480 .text C:\Windows\system32\atieclxx.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077a51b30 5 bytes JMP 0000000077bb03a0 .text C:\Windows\system32\atieclxx.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077a51c10 5 bytes JMP 0000000077bb02f0 .text C:\Windows\system32\atieclxx.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077a51c20 5 bytes JMP 0000000077bb0350 .text C:\Windows\system32\atieclxx.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077a51c80 5 bytes JMP 0000000077bb0290 .text C:\Windows\system32\atieclxx.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077a51d10 5 bytes JMP 0000000077bb02b0 .text C:\Windows\system32\atieclxx.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077a51d30 5 bytes JMP 0000000077bb03d0 .text C:\Windows\system32\atieclxx.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077a51d40 5 bytes JMP 0000000077bb0330 .text C:\Windows\system32\atieclxx.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077a51db0 5 bytes JMP 0000000077bb0410 .text C:\Windows\system32\atieclxx.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077a51de0 5 bytes JMP 0000000077bb0240 .text C:\Windows\system32\atieclxx.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077a520a0 5 bytes JMP 0000000077bb01e0 .text C:\Windows\system32\atieclxx.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077a52160 5 bytes JMP 0000000077bb0250 .text C:\Windows\system32\atieclxx.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077a52190 5 bytes JMP 0000000077bb0490 .text C:\Windows\system32\atieclxx.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077a521a0 5 bytes JMP 0000000077bb04a0 .text C:\Windows\system32\atieclxx.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077a521d0 5 bytes JMP 0000000077bb0300 .text C:\Windows\system32\atieclxx.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077a521e0 5 bytes JMP 0000000077bb0360 .text C:\Windows\system32\atieclxx.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077a52240 5 bytes JMP 0000000077bb02a0 .text C:\Windows\system32\atieclxx.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077a52290 5 bytes JMP 0000000077bb02c0 .text C:\Windows\system32\atieclxx.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077a522c0 5 bytes JMP 0000000077bb0380 .text C:\Windows\system32\atieclxx.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077a522d0 5 bytes JMP 0000000077bb0340 .text C:\Windows\system32\atieclxx.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077a525c0 5 bytes JMP 0000000077bb0440 .text C:\Windows\system32\atieclxx.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077a527c0 5 bytes JMP 0000000077bb0260 .text C:\Windows\system32\atieclxx.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077a527d0 5 bytes JMP 0000000077bb0270 .text C:\Windows\system32\atieclxx.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077a527e0 5 bytes JMP 0000000077bb0400 .text C:\Windows\system32\atieclxx.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077a529a0 5 bytes JMP 0000000077bb01f0 .text C:\Windows\system32\atieclxx.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077a529b0 5 bytes JMP 0000000077bb0210 .text C:\Windows\system32\atieclxx.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077a52a20 5 bytes JMP 0000000077bb0200 .text C:\Windows\system32\atieclxx.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077a52a80 5 bytes JMP 0000000077bb0420 .text C:\Windows\system32\atieclxx.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077a52a90 5 bytes JMP 0000000077bb0430 .text C:\Windows\system32\atieclxx.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077a52aa0 5 bytes JMP 0000000077bb0220 .text C:\Windows\system32\atieclxx.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077a52b80 5 bytes JMP 0000000077bb0280 .text C:\Program Files\AVAST Software\Avast\afwServ.exe[1380] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007598a2ba 1 byte [62] .text C:\Program Files\AVAST Software\Avast\afwServ.exe[1380] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075b01465 2 bytes [B0, 75] .text C:\Program Files\AVAST Software\Avast\afwServ.exe[1380] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000075b014bb 2 bytes [B0, 75] .text ... * 2 .text C:\Windows\System32\spoolsv.exe[1544] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077a51360 5 bytes JMP 0000000100070460 .text C:\Windows\System32\spoolsv.exe[1544] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077a513b0 5 bytes JMP 0000000100070450 .text C:\Windows\System32\spoolsv.exe[1544] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077a51510 5 bytes JMP 0000000100070370 .text C:\Windows\System32\spoolsv.exe[1544] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077a51560 5 bytes JMP 0000000100070470 .text C:\Windows\System32\spoolsv.exe[1544] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077a51570 5 bytes JMP 00000001000703e0 .text C:\Windows\System32\spoolsv.exe[1544] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077a51620 5 bytes JMP 0000000100070320 .text C:\Windows\System32\spoolsv.exe[1544] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077a51650 5 bytes JMP 00000001000703b0 .text C:\Windows\System32\spoolsv.exe[1544] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077a51670 5 bytes JMP 0000000100070390 .text C:\Windows\System32\spoolsv.exe[1544] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077a516b0 5 bytes JMP 00000001000702e0 .text C:\Windows\System32\spoolsv.exe[1544] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077a51730 5 bytes JMP 00000001000702d0 .text C:\Windows\System32\spoolsv.exe[1544] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077a51750 5 bytes JMP 0000000100070310 .text C:\Windows\System32\spoolsv.exe[1544] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077a51790 5 bytes JMP 00000001000703c0 .text C:\Windows\System32\spoolsv.exe[1544] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077a517e0 5 bytes JMP 00000001000703f0 .text C:\Windows\System32\spoolsv.exe[1544] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077a51940 5 bytes JMP 0000000100070230 .text C:\Windows\System32\spoolsv.exe[1544] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a51b00 5 bytes JMP 0000000100070480 .text C:\Windows\System32\spoolsv.exe[1544] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077a51b30 5 bytes JMP 00000001000703a0 .text C:\Windows\System32\spoolsv.exe[1544] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077a51c10 5 bytes JMP 00000001000702f0 .text C:\Windows\System32\spoolsv.exe[1544] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077a51c20 5 bytes JMP 0000000100070350 .text C:\Windows\System32\spoolsv.exe[1544] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077a51c80 5 bytes JMP 0000000100070290 .text C:\Windows\System32\spoolsv.exe[1544] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077a51d10 5 bytes JMP 00000001000702b0 .text C:\Windows\System32\spoolsv.exe[1544] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077a51d30 5 bytes JMP 00000001000703d0 .text C:\Windows\System32\spoolsv.exe[1544] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077a51d40 5 bytes JMP 0000000100070330 .text C:\Windows\System32\spoolsv.exe[1544] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077a51db0 5 bytes JMP 0000000100070410 .text C:\Windows\System32\spoolsv.exe[1544] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077a51de0 5 bytes JMP 0000000100070240 .text C:\Windows\System32\spoolsv.exe[1544] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077a520a0 5 bytes JMP 00000001000701e0 .text C:\Windows\System32\spoolsv.exe[1544] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077a52160 5 bytes JMP 0000000100070250 .text C:\Windows\System32\spoolsv.exe[1544] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077a52190 5 bytes JMP 0000000100070490 .text C:\Windows\System32\spoolsv.exe[1544] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077a521a0 5 bytes JMP 00000001000704a0 .text C:\Windows\System32\spoolsv.exe[1544] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077a521d0 5 bytes JMP 0000000100070300 .text C:\Windows\System32\spoolsv.exe[1544] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077a521e0 5 bytes JMP 0000000100070360 .text C:\Windows\System32\spoolsv.exe[1544] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077a52240 5 bytes JMP 00000001000702a0 .text C:\Windows\System32\spoolsv.exe[1544] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077a52290 5 bytes JMP 00000001000702c0 .text C:\Windows\System32\spoolsv.exe[1544] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077a522c0 5 bytes JMP 0000000100070380 .text C:\Windows\System32\spoolsv.exe[1544] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077a522d0 5 bytes JMP 0000000100070340 .text C:\Windows\System32\spoolsv.exe[1544] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077a525c0 5 bytes JMP 0000000100070440 .text C:\Windows\System32\spoolsv.exe[1544] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077a527c0 5 bytes JMP 0000000100070260 .text C:\Windows\System32\spoolsv.exe[1544] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077a527d0 5 bytes JMP 0000000100070270 .text C:\Windows\System32\spoolsv.exe[1544] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077a527e0 5 bytes JMP 0000000100070400 .text C:\Windows\System32\spoolsv.exe[1544] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077a529a0 5 bytes JMP 00000001000701f0 .text C:\Windows\System32\spoolsv.exe[1544] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077a529b0 5 bytes JMP 0000000100070210 .text C:\Windows\System32\spoolsv.exe[1544] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077a52a20 5 bytes JMP 0000000100070200 .text C:\Windows\System32\spoolsv.exe[1544] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077a52a80 5 bytes JMP 0000000100070420 .text C:\Windows\System32\spoolsv.exe[1544] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077a52a90 5 bytes JMP 0000000100070430 .text C:\Windows\System32\spoolsv.exe[1544] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077a52aa0 5 bytes JMP 0000000100070220 .text C:\Windows\System32\spoolsv.exe[1544] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077a52b80 5 bytes JMP 0000000100070280 .text C:\Windows\System32\spoolsv.exe[1544] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007793eecd 1 byte [62] .text C:\Windows\system32\svchost.exe[1584] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077a51360 5 bytes JMP 0000000077bb0460 .text C:\Windows\system32\svchost.exe[1584] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077a513b0 5 bytes JMP 0000000077bb0450 .text C:\Windows\system32\svchost.exe[1584] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077a51510 5 bytes JMP 0000000077bb0370 .text C:\Windows\system32\svchost.exe[1584] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077a51560 5 bytes JMP 0000000077bb0470 .text C:\Windows\system32\svchost.exe[1584] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077a51570 5 bytes JMP 0000000077bb03e0 .text C:\Windows\system32\svchost.exe[1584] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077a51620 5 bytes JMP 0000000077bb0320 .text C:\Windows\system32\svchost.exe[1584] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077a51650 5 bytes JMP 0000000077bb03b0 .text C:\Windows\system32\svchost.exe[1584] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077a51670 5 bytes JMP 0000000077bb0390 .text C:\Windows\system32\svchost.exe[1584] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077a516b0 5 bytes JMP 0000000077bb02e0 .text C:\Windows\system32\svchost.exe[1584] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077a51730 5 bytes JMP 0000000077bb02d0 .text C:\Windows\system32\svchost.exe[1584] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077a51750 5 bytes JMP 0000000077bb0310 .text C:\Windows\system32\svchost.exe[1584] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077a51790 5 bytes JMP 0000000077bb03c0 .text C:\Windows\system32\svchost.exe[1584] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077a517e0 5 bytes JMP 0000000077bb03f0 .text C:\Windows\system32\svchost.exe[1584] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077a51940 5 bytes JMP 0000000077bb0230 .text C:\Windows\system32\svchost.exe[1584] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a51b00 5 bytes JMP 0000000077bb0480 .text C:\Windows\system32\svchost.exe[1584] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077a51b30 5 bytes JMP 0000000077bb03a0 .text C:\Windows\system32\svchost.exe[1584] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077a51c10 5 bytes JMP 0000000077bb02f0 .text C:\Windows\system32\svchost.exe[1584] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077a51c20 5 bytes JMP 0000000077bb0350 .text C:\Windows\system32\svchost.exe[1584] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077a51c80 5 bytes JMP 0000000077bb0290 .text C:\Windows\system32\svchost.exe[1584] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077a51d10 5 bytes JMP 0000000077bb02b0 .text C:\Windows\system32\svchost.exe[1584] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077a51d30 5 bytes JMP 0000000077bb03d0 .text C:\Windows\system32\svchost.exe[1584] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077a51d40 5 bytes JMP 0000000077bb0330 .text C:\Windows\system32\svchost.exe[1584] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077a51db0 5 bytes JMP 0000000077bb0410 .text C:\Windows\system32\svchost.exe[1584] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077a51de0 5 bytes JMP 0000000077bb0240 .text C:\Windows\system32\svchost.exe[1584] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077a520a0 5 bytes JMP 0000000077bb01e0 .text C:\Windows\system32\svchost.exe[1584] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077a52160 5 bytes JMP 0000000077bb0250 .text C:\Windows\system32\svchost.exe[1584] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077a52190 5 bytes JMP 0000000077bb0490 .text C:\Windows\system32\svchost.exe[1584] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077a521a0 5 bytes JMP 0000000077bb04a0 .text C:\Windows\system32\svchost.exe[1584] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077a521d0 5 bytes JMP 0000000077bb0300 .text C:\Windows\system32\svchost.exe[1584] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077a521e0 5 bytes JMP 0000000077bb0360 .text C:\Windows\system32\svchost.exe[1584] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077a52240 5 bytes JMP 0000000077bb02a0 .text C:\Windows\system32\svchost.exe[1584] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077a52290 5 bytes JMP 0000000077bb02c0 .text C:\Windows\system32\svchost.exe[1584] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077a522c0 5 bytes JMP 0000000077bb0380 .text C:\Windows\system32\svchost.exe[1584] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077a522d0 5 bytes JMP 0000000077bb0340 .text C:\Windows\system32\svchost.exe[1584] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077a525c0 5 bytes JMP 0000000077bb0440 .text C:\Windows\system32\svchost.exe[1584] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077a527c0 5 bytes JMP 0000000077bb0260 .text C:\Windows\system32\svchost.exe[1584] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077a527d0 5 bytes JMP 0000000077bb0270 .text C:\Windows\system32\svchost.exe[1584] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077a527e0 5 bytes JMP 0000000077bb0400 .text C:\Windows\system32\svchost.exe[1584] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077a529a0 5 bytes JMP 0000000077bb01f0 .text C:\Windows\system32\svchost.exe[1584] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077a529b0 5 bytes JMP 0000000077bb0210 .text C:\Windows\system32\svchost.exe[1584] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077a52a20 5 bytes JMP 0000000077bb0200 .text C:\Windows\system32\svchost.exe[1584] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077a52a80 5 bytes JMP 0000000077bb0420 .text C:\Windows\system32\svchost.exe[1584] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077a52a90 5 bytes JMP 0000000077bb0430 .text C:\Windows\system32\svchost.exe[1584] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077a52aa0 5 bytes JMP 0000000077bb0220 .text C:\Windows\system32\svchost.exe[1584] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077a52b80 5 bytes JMP 0000000077bb0280 .text C:\Windows\system32\svchost.exe[1584] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007793eecd 1 byte [62] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1672] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007598a2ba 1 byte [62] .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1712] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077a51360 5 bytes JMP 0000000077bb0460 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1712] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077a513b0 5 bytes JMP 0000000077bb0450 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1712] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077a51510 5 bytes JMP 0000000077bb0370 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1712] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077a51560 5 bytes JMP 0000000077bb0470 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1712] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077a51570 5 bytes JMP 0000000077bb03e0 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1712] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077a51620 5 bytes JMP 0000000077bb0320 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1712] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077a51650 5 bytes JMP 0000000077bb03b0 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1712] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077a51670 5 bytes JMP 0000000077bb0390 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1712] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077a516b0 5 bytes JMP 0000000077bb02e0 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1712] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077a51730 5 bytes JMP 0000000077bb02d0 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1712] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077a51750 5 bytes JMP 0000000077bb0310 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1712] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077a51790 5 bytes JMP 0000000077bb03c0 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1712] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077a517e0 5 bytes JMP 0000000077bb03f0 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1712] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077a51940 5 bytes JMP 0000000077bb0230 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1712] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a51b00 5 bytes JMP 0000000077bb0480 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1712] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077a51b30 5 bytes JMP 0000000077bb03a0 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1712] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077a51c10 5 bytes JMP 0000000077bb02f0 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1712] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077a51c20 5 bytes JMP 0000000077bb0350 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1712] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077a51c80 5 bytes JMP 0000000077bb0290 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1712] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077a51d10 5 bytes JMP 0000000077bb02b0 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1712] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077a51d30 5 bytes JMP 0000000077bb03d0 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1712] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077a51d40 5 bytes JMP 0000000077bb0330 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1712] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077a51db0 5 bytes JMP 0000000077bb0410 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1712] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077a51de0 5 bytes JMP 0000000077bb0240 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1712] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077a520a0 5 bytes JMP 0000000077bb01e0 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1712] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077a52160 5 bytes JMP 0000000077bb0250 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1712] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077a52190 5 bytes JMP 0000000077bb0490 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1712] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077a521a0 5 bytes JMP 0000000077bb04a0 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1712] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077a521d0 5 bytes JMP 0000000077bb0300 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1712] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077a521e0 5 bytes JMP 0000000077bb0360 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1712] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077a52240 5 bytes JMP 0000000077bb02a0 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1712] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077a52290 5 bytes JMP 0000000077bb02c0 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1712] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077a522c0 5 bytes JMP 0000000077bb0380 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1712] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077a522d0 5 bytes JMP 0000000077bb0340 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1712] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077a525c0 5 bytes JMP 0000000077bb0440 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1712] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077a527c0 5 bytes JMP 0000000077bb0260 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1712] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077a527d0 5 bytes JMP 0000000077bb0270 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1712] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077a527e0 5 bytes JMP 0000000077bb0400 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1712] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077a529a0 5 bytes JMP 0000000077bb01f0 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1712] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077a529b0 5 bytes JMP 0000000077bb0210 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1712] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077a52a20 5 bytes JMP 0000000077bb0200 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1712] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077a52a80 5 bytes JMP 0000000077bb0420 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1712] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077a52a90 5 bytes JMP 0000000077bb0430 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1712] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077a52aa0 5 bytes JMP 0000000077bb0220 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1712] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077a52b80 5 bytes JMP 0000000077bb0280 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1712] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007793eecd 1 byte [62] .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1740] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007598a2ba 1 byte [62] .text c:\Program Files\Bonjour\mDNSResponder.exe[1820] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077a51360 5 bytes JMP 0000000077bb0460 .text c:\Program Files\Bonjour\mDNSResponder.exe[1820] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077a513b0 5 bytes JMP 0000000077bb0450 .text c:\Program Files\Bonjour\mDNSResponder.exe[1820] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077a51510 5 bytes JMP 0000000077bb0370 .text c:\Program Files\Bonjour\mDNSResponder.exe[1820] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077a51560 5 bytes JMP 0000000077bb0470 .text c:\Program Files\Bonjour\mDNSResponder.exe[1820] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077a51570 5 bytes JMP 0000000077bb03e0 .text c:\Program Files\Bonjour\mDNSResponder.exe[1820] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077a51620 5 bytes JMP 0000000077bb0320 .text c:\Program Files\Bonjour\mDNSResponder.exe[1820] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077a51650 5 bytes JMP 0000000077bb03b0 .text c:\Program Files\Bonjour\mDNSResponder.exe[1820] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077a51670 5 bytes JMP 0000000077bb0390 .text c:\Program Files\Bonjour\mDNSResponder.exe[1820] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077a516b0 5 bytes JMP 0000000077bb02e0 .text c:\Program Files\Bonjour\mDNSResponder.exe[1820] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077a51730 5 bytes JMP 0000000077bb02d0 .text c:\Program Files\Bonjour\mDNSResponder.exe[1820] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077a51750 5 bytes JMP 0000000077bb0310 .text c:\Program Files\Bonjour\mDNSResponder.exe[1820] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077a51790 5 bytes JMP 0000000077bb03c0 .text c:\Program Files\Bonjour\mDNSResponder.exe[1820] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077a517e0 5 bytes JMP 0000000077bb03f0 .text c:\Program Files\Bonjour\mDNSResponder.exe[1820] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077a51940 5 bytes JMP 0000000077bb0230 .text c:\Program Files\Bonjour\mDNSResponder.exe[1820] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a51b00 5 bytes JMP 0000000077bb0480 .text c:\Program Files\Bonjour\mDNSResponder.exe[1820] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077a51b30 5 bytes JMP 0000000077bb03a0 .text c:\Program Files\Bonjour\mDNSResponder.exe[1820] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077a51c10 5 bytes JMP 0000000077bb02f0 .text c:\Program Files\Bonjour\mDNSResponder.exe[1820] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077a51c20 5 bytes JMP 0000000077bb0350 .text c:\Program Files\Bonjour\mDNSResponder.exe[1820] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077a51c80 5 bytes JMP 0000000077bb0290 .text c:\Program Files\Bonjour\mDNSResponder.exe[1820] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077a51d10 5 bytes JMP 0000000077bb02b0 .text c:\Program Files\Bonjour\mDNSResponder.exe[1820] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077a51d30 5 bytes JMP 0000000077bb03d0 .text c:\Program Files\Bonjour\mDNSResponder.exe[1820] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077a51d40 5 bytes JMP 0000000077bb0330 .text c:\Program Files\Bonjour\mDNSResponder.exe[1820] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077a51db0 5 bytes JMP 0000000077bb0410 .text c:\Program Files\Bonjour\mDNSResponder.exe[1820] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077a51de0 5 bytes JMP 0000000077bb0240 .text c:\Program Files\Bonjour\mDNSResponder.exe[1820] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077a520a0 5 bytes JMP 0000000077bb01e0 .text c:\Program Files\Bonjour\mDNSResponder.exe[1820] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077a52160 5 bytes JMP 0000000077bb0250 .text c:\Program Files\Bonjour\mDNSResponder.exe[1820] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077a52190 5 bytes JMP 0000000077bb0490 .text c:\Program Files\Bonjour\mDNSResponder.exe[1820] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077a521a0 5 bytes JMP 0000000077bb04a0 .text c:\Program Files\Bonjour\mDNSResponder.exe[1820] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077a521d0 5 bytes JMP 0000000077bb0300 .text c:\Program Files\Bonjour\mDNSResponder.exe[1820] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077a521e0 5 bytes JMP 0000000077bb0360 .text c:\Program Files\Bonjour\mDNSResponder.exe[1820] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077a52240 5 bytes JMP 0000000077bb02a0 .text c:\Program Files\Bonjour\mDNSResponder.exe[1820] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077a52290 5 bytes JMP 0000000077bb02c0 .text c:\Program Files\Bonjour\mDNSResponder.exe[1820] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077a522c0 5 bytes JMP 0000000077bb0380 .text c:\Program Files\Bonjour\mDNSResponder.exe[1820] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077a522d0 5 bytes JMP 0000000077bb0340 .text c:\Program Files\Bonjour\mDNSResponder.exe[1820] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077a525c0 5 bytes JMP 0000000077bb0440 .text c:\Program Files\Bonjour\mDNSResponder.exe[1820] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077a527c0 5 bytes JMP 0000000077bb0260 .text c:\Program Files\Bonjour\mDNSResponder.exe[1820] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077a527d0 5 bytes JMP 0000000077bb0270 .text c:\Program Files\Bonjour\mDNSResponder.exe[1820] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077a527e0 5 bytes JMP 0000000077bb0400 .text c:\Program Files\Bonjour\mDNSResponder.exe[1820] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077a529a0 5 bytes JMP 0000000077bb01f0 .text c:\Program Files\Bonjour\mDNSResponder.exe[1820] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077a529b0 5 bytes JMP 0000000077bb0210 .text c:\Program Files\Bonjour\mDNSResponder.exe[1820] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077a52a20 5 bytes JMP 0000000077bb0200 .text c:\Program Files\Bonjour\mDNSResponder.exe[1820] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077a52a80 5 bytes JMP 0000000077bb0420 .text c:\Program Files\Bonjour\mDNSResponder.exe[1820] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077a52a90 5 bytes JMP 0000000077bb0430 .text c:\Program Files\Bonjour\mDNSResponder.exe[1820] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077a52aa0 5 bytes JMP 0000000077bb0220 .text c:\Program Files\Bonjour\mDNSResponder.exe[1820] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077a52b80 5 bytes JMP 0000000077bb0280 .text C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077a51360 5 bytes JMP 0000000077bb0460 .text C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077a513b0 5 bytes JMP 0000000077bb0450 .text C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077a51510 5 bytes JMP 0000000077bb0370 .text C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077a51560 5 bytes JMP 0000000077bb0470 .text C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077a51570 5 bytes JMP 0000000077bb03e0 .text C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077a51620 5 bytes JMP 0000000077bb0320 .text C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077a51650 5 bytes JMP 0000000077bb03b0 .text C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077a51670 5 bytes JMP 0000000077bb0390 .text C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077a516b0 5 bytes JMP 0000000077bb02e0 .text C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077a51730 5 bytes JMP 0000000077bb02d0 .text C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077a51750 5 bytes JMP 0000000077bb0310 .text C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077a51790 5 bytes JMP 0000000077bb03c0 .text C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077a517e0 5 bytes JMP 0000000077bb03f0 .text C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077a51940 5 bytes JMP 0000000077bb0230 .text C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a51b00 5 bytes JMP 0000000077bb0480 .text C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077a51b30 5 bytes JMP 0000000077bb03a0 .text C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077a51c10 5 bytes JMP 0000000077bb02f0 .text C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077a51c20 5 bytes JMP 0000000077bb0350 .text C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077a51c80 5 bytes JMP 0000000077bb0290 .text C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077a51d10 5 bytes JMP 0000000077bb02b0 .text C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077a51d30 5 bytes JMP 0000000077bb03d0 .text C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077a51d40 5 bytes JMP 0000000077bb0330 .text C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077a51db0 5 bytes JMP 0000000077bb0410 .text C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077a51de0 5 bytes JMP 0000000077bb0240 .text C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077a520a0 5 bytes JMP 0000000077bb01e0 .text C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077a52160 5 bytes JMP 0000000077bb0250 .text C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077a52190 5 bytes JMP 0000000077bb0490 .text C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077a521a0 5 bytes JMP 0000000077bb04a0 .text C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077a521d0 5 bytes JMP 0000000077bb0300 .text C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077a521e0 5 bytes JMP 0000000077bb0360 .text C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077a52240 5 bytes JMP 0000000077bb02a0 .text C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077a52290 5 bytes JMP 0000000077bb02c0 .text C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077a522c0 5 bytes JMP 0000000077bb0380 .text C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077a522d0 5 bytes JMP 0000000077bb0340 .text C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077a525c0 5 bytes JMP 0000000077bb0440 .text C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077a527c0 5 bytes JMP 0000000077bb0260 .text C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077a527d0 5 bytes JMP 0000000077bb0270 .text C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077a527e0 5 bytes JMP 0000000077bb0400 .text C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077a529a0 5 bytes JMP 0000000077bb01f0 .text C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077a529b0 5 bytes JMP 0000000077bb0210 .text C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077a52a20 5 bytes JMP 0000000077bb0200 .text C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077a52a80 5 bytes JMP 0000000077bb0420 .text C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077a52a90 5 bytes JMP 0000000077bb0430 .text C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077a52aa0 5 bytes JMP 0000000077bb0220 .text C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077a52b80 5 bytes JMP 0000000077bb0280 .text C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe[1932] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007793eecd 1 byte [62] .text C:\Windows\SysWOW64\PnkBstrA.exe[1980] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007598a2ba 1 byte [62] .text C:\Windows\SysWOW64\PnkBstrA.exe[1980] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 322 0000000075481a22 2 bytes [48, 75] .text C:\Windows\SysWOW64\PnkBstrA.exe[1980] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 496 0000000075481ad0 2 bytes [48, 75] .text C:\Windows\SysWOW64\PnkBstrA.exe[1980] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 552 0000000075481b08 2 bytes [48, 75] .text C:\Windows\SysWOW64\PnkBstrA.exe[1980] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 730 0000000075481bba 2 bytes [48, 75] .text C:\Windows\SysWOW64\PnkBstrA.exe[1980] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 762 0000000075481bda 2 bytes [48, 75] .text C:\Windows\SysWOW64\PnkBstrA.exe[1980] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075b01465 2 bytes [B0, 75] .text C:\Windows\SysWOW64\PnkBstrA.exe[1980] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000075b014bb 2 bytes [B0, 75] .text ... * 2 .text C:\Program Files (x86)\Common Files\LogiShrd\LVMVFM\LVPrS64H.exe[1988] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007598a2ba 1 byte [62] .text C:\Program Files (x86)\Prime95\prime95.exe[2032] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007598a2ba 1 byte [62] .text C:\Windows\system32\svchost.exe[1632] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007793eecd 1 byte [62] .text C:\Windows\System32\svchost.exe[1292] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007793eecd 1 byte [62] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1788] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077a51360 5 bytes JMP 0000000100070460 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1788] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077a513b0 5 bytes JMP 0000000100070450 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1788] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077a51510 5 bytes JMP 0000000100070370 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1788] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077a51560 5 bytes JMP 0000000100070470 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1788] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077a51570 5 bytes JMP 00000001000703e0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1788] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077a51620 5 bytes JMP 0000000100070320 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1788] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077a51650 5 bytes JMP 00000001000703b0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1788] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077a51670 5 bytes JMP 0000000100070390 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1788] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077a516b0 5 bytes JMP 00000001000702e0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1788] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077a51730 5 bytes JMP 00000001000702d0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1788] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077a51750 5 bytes JMP 0000000100070310 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1788] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077a51790 5 bytes JMP 00000001000703c0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1788] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077a517e0 5 bytes JMP 00000001000703f0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1788] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077a51940 5 bytes JMP 0000000100070230 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1788] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a51b00 5 bytes JMP 0000000100070480 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1788] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077a51b30 5 bytes JMP 00000001000703a0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1788] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077a51c10 5 bytes JMP 00000001000702f0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1788] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077a51c20 5 bytes JMP 0000000100070350 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1788] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077a51c80 5 bytes JMP 0000000100070290 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1788] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077a51d10 5 bytes JMP 00000001000702b0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1788] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077a51d30 5 bytes JMP 00000001000703d0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1788] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077a51d40 5 bytes JMP 0000000100070330 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1788] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077a51db0 5 bytes JMP 0000000100070410 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1788] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077a51de0 5 bytes JMP 0000000100070240 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1788] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077a520a0 5 bytes JMP 00000001000701e0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1788] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077a52160 5 bytes JMP 0000000100070250 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1788] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077a52190 5 bytes JMP 0000000100070490 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1788] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077a521a0 5 bytes JMP 00000001000704a0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1788] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077a521d0 5 bytes JMP 0000000100070300 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1788] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077a521e0 5 bytes JMP 0000000100070360 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1788] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077a52240 5 bytes JMP 00000001000702a0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1788] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077a52290 5 bytes JMP 00000001000702c0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1788] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077a522c0 5 bytes JMP 0000000100070380 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1788] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077a522d0 5 bytes JMP 0000000100070340 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1788] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077a525c0 5 bytes JMP 0000000100070440 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1788] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077a527c0 5 bytes JMP 0000000100070260 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1788] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077a527d0 5 bytes JMP 0000000100070270 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1788] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077a527e0 5 bytes JMP 0000000100070400 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1788] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077a529a0 5 bytes JMP 00000001000701f0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1788] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077a529b0 5 bytes JMP 0000000100070210 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1788] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077a52a20 5 bytes JMP 0000000100070200 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1788] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077a52a80 5 bytes JMP 0000000100070420 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1788] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077a52a90 5 bytes JMP 0000000100070430 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1788] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077a52aa0 5 bytes JMP 0000000100070220 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1788] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077a52b80 5 bytes JMP 0000000100070280 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1788] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007793eecd 1 byte [62] .text C:\Program Files (x86)\Common Files\Pure Networks Shared\Platform\nmsrvc.exe[2072] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007598a2ba 1 byte [62] .text C:\Windows\system32\taskhost.exe[2604] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077a51360 5 bytes JMP 0000000077bb0460 .text C:\Windows\system32\taskhost.exe[2604] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077a513b0 5 bytes JMP 0000000077bb0450 .text C:\Windows\system32\taskhost.exe[2604] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077a51510 5 bytes JMP 0000000077bb0370 .text C:\Windows\system32\taskhost.exe[2604] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077a51560 5 bytes JMP 0000000077bb0470 .text C:\Windows\system32\taskhost.exe[2604] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077a51570 5 bytes JMP 0000000077bb03e0 .text C:\Windows\system32\taskhost.exe[2604] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077a51620 5 bytes JMP 0000000077bb0320 .text C:\Windows\system32\taskhost.exe[2604] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077a51650 5 bytes JMP 0000000077bb03b0 .text C:\Windows\system32\taskhost.exe[2604] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077a51670 5 bytes JMP 0000000077bb0390 .text C:\Windows\system32\taskhost.exe[2604] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077a516b0 5 bytes JMP 0000000077bb02e0 .text C:\Windows\system32\taskhost.exe[2604] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077a51730 5 bytes JMP 0000000077bb02d0 .text C:\Windows\system32\taskhost.exe[2604] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077a51750 5 bytes JMP 0000000077bb0310 .text C:\Windows\system32\taskhost.exe[2604] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077a51790 5 bytes JMP 0000000077bb03c0 .text C:\Windows\system32\taskhost.exe[2604] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077a517e0 5 bytes JMP 0000000077bb03f0 .text C:\Windows\system32\taskhost.exe[2604] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077a51940 5 bytes JMP 0000000077bb0230 .text C:\Windows\system32\taskhost.exe[2604] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a51b00 5 bytes JMP 0000000077bb0480 .text C:\Windows\system32\taskhost.exe[2604] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077a51b30 5 bytes JMP 0000000077bb03a0 .text C:\Windows\system32\taskhost.exe[2604] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077a51c10 5 bytes JMP 0000000077bb02f0 .text C:\Windows\system32\taskhost.exe[2604] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077a51c20 5 bytes JMP 0000000077bb0350 .text C:\Windows\system32\taskhost.exe[2604] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077a51c80 5 bytes JMP 0000000077bb0290 .text C:\Windows\system32\taskhost.exe[2604] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077a51d10 5 bytes JMP 0000000077bb02b0 .text C:\Windows\system32\taskhost.exe[2604] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077a51d30 5 bytes JMP 0000000077bb03d0 .text C:\Windows\system32\taskhost.exe[2604] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077a51d40 5 bytes JMP 0000000077bb0330 .text C:\Windows\system32\taskhost.exe[2604] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077a51db0 5 bytes JMP 0000000077bb0410 .text C:\Windows\system32\taskhost.exe[2604] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077a51de0 5 bytes JMP 0000000077bb0240 .text C:\Windows\system32\taskhost.exe[2604] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077a520a0 5 bytes JMP 0000000077bb01e0 .text C:\Windows\system32\taskhost.exe[2604] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077a52160 5 bytes JMP 0000000077bb0250 .text C:\Windows\system32\taskhost.exe[2604] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077a52190 5 bytes JMP 0000000077bb0490 .text C:\Windows\system32\taskhost.exe[2604] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077a521a0 5 bytes JMP 0000000077bb04a0 .text C:\Windows\system32\taskhost.exe[2604] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077a521d0 5 bytes JMP 0000000077bb0300 .text C:\Windows\system32\taskhost.exe[2604] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077a521e0 5 bytes JMP 0000000077bb0360 .text C:\Windows\system32\taskhost.exe[2604] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077a52240 5 bytes JMP 0000000077bb02a0 .text C:\Windows\system32\taskhost.exe[2604] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077a52290 5 bytes JMP 0000000077bb02c0 .text C:\Windows\system32\taskhost.exe[2604] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077a522c0 5 bytes JMP 0000000077bb0380 .text C:\Windows\system32\taskhost.exe[2604] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077a522d0 5 bytes JMP 0000000077bb0340 .text C:\Windows\system32\taskhost.exe[2604] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077a525c0 5 bytes JMP 0000000077bb0440 .text C:\Windows\system32\taskhost.exe[2604] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077a527c0 5 bytes JMP 0000000077bb0260 .text C:\Windows\system32\taskhost.exe[2604] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077a527d0 5 bytes JMP 0000000077bb0270 .text C:\Windows\system32\taskhost.exe[2604] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077a527e0 5 bytes JMP 0000000077bb0400 .text C:\Windows\system32\taskhost.exe[2604] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077a529a0 5 bytes JMP 0000000077bb01f0 .text C:\Windows\system32\taskhost.exe[2604] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077a529b0 5 bytes JMP 0000000077bb0210 .text C:\Windows\system32\taskhost.exe[2604] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077a52a20 5 bytes JMP 0000000077bb0200 .text C:\Windows\system32\taskhost.exe[2604] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077a52a80 5 bytes JMP 0000000077bb0420 .text C:\Windows\system32\taskhost.exe[2604] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077a52a90 5 bytes JMP 0000000077bb0430 .text C:\Windows\system32\taskhost.exe[2604] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077a52aa0 5 bytes JMP 0000000077bb0220 .text C:\Windows\system32\taskhost.exe[2604] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077a52b80 5 bytes JMP 0000000077bb0280 .text C:\Windows\system32\taskhost.exe[2604] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007793eecd 1 byte [62] .text C:\Windows\system32\taskeng.exe[2644] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077a51360 5 bytes JMP 0000000077bb0460 .text C:\Windows\system32\taskeng.exe[2644] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077a513b0 5 bytes JMP 0000000077bb0450 .text C:\Windows\system32\taskeng.exe[2644] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077a51510 5 bytes JMP 0000000077bb0370 .text C:\Windows\system32\taskeng.exe[2644] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077a51560 5 bytes JMP 0000000077bb0470 .text C:\Windows\system32\taskeng.exe[2644] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077a51570 5 bytes JMP 0000000077bb03e0 .text C:\Windows\system32\taskeng.exe[2644] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077a51620 5 bytes JMP 0000000077bb0320 .text C:\Windows\system32\taskeng.exe[2644] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077a51650 5 bytes JMP 0000000077bb03b0 .text C:\Windows\system32\taskeng.exe[2644] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077a51670 5 bytes JMP 0000000077bb0390 .text C:\Windows\system32\taskeng.exe[2644] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077a516b0 5 bytes JMP 0000000077bb02e0 .text C:\Windows\system32\taskeng.exe[2644] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077a51730 5 bytes JMP 0000000077bb02d0 .text C:\Windows\system32\taskeng.exe[2644] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077a51750 5 bytes JMP 0000000077bb0310 .text C:\Windows\system32\taskeng.exe[2644] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077a51790 5 bytes JMP 0000000077bb03c0 .text C:\Windows\system32\taskeng.exe[2644] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077a517e0 5 bytes JMP 0000000077bb03f0 .text C:\Windows\system32\taskeng.exe[2644] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077a51940 5 bytes JMP 0000000077bb0230 .text C:\Windows\system32\taskeng.exe[2644] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a51b00 5 bytes JMP 0000000077bb0480 .text C:\Windows\system32\taskeng.exe[2644] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077a51b30 5 bytes JMP 0000000077bb03a0 .text C:\Windows\system32\taskeng.exe[2644] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077a51c10 5 bytes JMP 0000000077bb02f0 .text C:\Windows\system32\taskeng.exe[2644] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077a51c20 5 bytes JMP 0000000077bb0350 .text C:\Windows\system32\taskeng.exe[2644] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077a51c80 5 bytes JMP 0000000077bb0290 .text C:\Windows\system32\taskeng.exe[2644] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077a51d10 5 bytes JMP 0000000077bb02b0 .text C:\Windows\system32\taskeng.exe[2644] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077a51d30 5 bytes JMP 0000000077bb03d0 .text C:\Windows\system32\taskeng.exe[2644] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077a51d40 5 bytes JMP 0000000077bb0330 .text C:\Windows\system32\taskeng.exe[2644] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077a51db0 5 bytes JMP 0000000077bb0410 .text C:\Windows\system32\taskeng.exe[2644] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077a51de0 5 bytes JMP 0000000077bb0240 .text C:\Windows\system32\taskeng.exe[2644] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077a520a0 5 bytes JMP 0000000077bb01e0 .text C:\Windows\system32\taskeng.exe[2644] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077a52160 5 bytes JMP 0000000077bb0250 .text C:\Windows\system32\taskeng.exe[2644] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077a52190 5 bytes JMP 0000000077bb0490 .text C:\Windows\system32\taskeng.exe[2644] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077a521a0 5 bytes JMP 0000000077bb04a0 .text C:\Windows\system32\taskeng.exe[2644] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077a521d0 5 bytes JMP 0000000077bb0300 .text C:\Windows\system32\taskeng.exe[2644] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077a521e0 5 bytes JMP 0000000077bb0360 .text C:\Windows\system32\taskeng.exe[2644] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077a52240 5 bytes JMP 0000000077bb02a0 .text C:\Windows\system32\taskeng.exe[2644] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077a52290 5 bytes JMP 0000000077bb02c0 .text C:\Windows\system32\taskeng.exe[2644] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077a522c0 5 bytes JMP 0000000077bb0380 .text C:\Windows\system32\taskeng.exe[2644] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077a522d0 5 bytes JMP 0000000077bb0340 .text C:\Windows\system32\taskeng.exe[2644] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077a525c0 5 bytes JMP 0000000077bb0440 .text C:\Windows\system32\taskeng.exe[2644] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077a527c0 5 bytes JMP 0000000077bb0260 .text C:\Windows\system32\taskeng.exe[2644] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077a527d0 5 bytes JMP 0000000077bb0270 .text C:\Windows\system32\taskeng.exe[2644] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077a527e0 5 bytes JMP 0000000077bb0400 .text C:\Windows\system32\taskeng.exe[2644] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077a529a0 5 bytes JMP 0000000077bb01f0 .text C:\Windows\system32\taskeng.exe[2644] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077a529b0 5 bytes JMP 0000000077bb0210 .text C:\Windows\system32\taskeng.exe[2644] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077a52a20 5 bytes JMP 0000000077bb0200 .text C:\Windows\system32\taskeng.exe[2644] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077a52a80 5 bytes JMP 0000000077bb0420 .text C:\Windows\system32\taskeng.exe[2644] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077a52a90 5 bytes JMP 0000000077bb0430 .text C:\Windows\system32\taskeng.exe[2644] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077a52aa0 5 bytes JMP 0000000077bb0220 .text C:\Windows\system32\taskeng.exe[2644] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077a52b80 5 bytes JMP 0000000077bb0280 .text C:\Windows\system32\Dwm.exe[2736] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077a51360 5 bytes JMP 0000000077bb0460 .text C:\Windows\system32\Dwm.exe[2736] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077a513b0 5 bytes JMP 0000000077bb0450 .text C:\Windows\system32\Dwm.exe[2736] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077a51510 5 bytes JMP 0000000077bb0370 .text C:\Windows\system32\Dwm.exe[2736] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077a51560 5 bytes JMP 0000000077bb0470 .text C:\Windows\system32\Dwm.exe[2736] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077a51570 5 bytes JMP 0000000077bb03e0 .text C:\Windows\system32\Dwm.exe[2736] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077a51620 5 bytes JMP 0000000077bb0320 .text C:\Windows\system32\Dwm.exe[2736] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077a51650 5 bytes JMP 0000000077bb03b0 .text C:\Windows\system32\Dwm.exe[2736] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077a51670 5 bytes JMP 0000000077bb0390 .text C:\Windows\system32\Dwm.exe[2736] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077a516b0 5 bytes JMP 0000000077bb02e0 .text C:\Windows\system32\Dwm.exe[2736] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077a51730 5 bytes JMP 0000000077bb02d0 .text C:\Windows\system32\Dwm.exe[2736] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077a51750 5 bytes JMP 0000000077bb0310 .text C:\Windows\system32\Dwm.exe[2736] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077a51790 5 bytes JMP 0000000077bb03c0 .text C:\Windows\system32\Dwm.exe[2736] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077a517e0 5 bytes JMP 0000000077bb03f0 .text C:\Windows\system32\Dwm.exe[2736] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077a51940 5 bytes JMP 0000000077bb0230 .text C:\Windows\system32\Dwm.exe[2736] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a51b00 5 bytes JMP 0000000077bb0480 .text C:\Windows\system32\Dwm.exe[2736] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077a51b30 5 bytes JMP 0000000077bb03a0 .text C:\Windows\system32\Dwm.exe[2736] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077a51c10 5 bytes JMP 0000000077bb02f0 .text C:\Windows\system32\Dwm.exe[2736] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077a51c20 5 bytes JMP 0000000077bb0350 .text C:\Windows\system32\Dwm.exe[2736] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077a51c80 5 bytes JMP 0000000077bb0290 .text C:\Windows\system32\Dwm.exe[2736] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077a51d10 5 bytes JMP 0000000077bb02b0 .text C:\Windows\system32\Dwm.exe[2736] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077a51d30 5 bytes JMP 0000000077bb03d0 .text C:\Windows\system32\Dwm.exe[2736] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077a51d40 5 bytes JMP 0000000077bb0330 .text C:\Windows\system32\Dwm.exe[2736] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077a51db0 5 bytes JMP 0000000077bb0410 .text C:\Windows\system32\Dwm.exe[2736] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077a51de0 5 bytes JMP 0000000077bb0240 .text C:\Windows\system32\Dwm.exe[2736] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077a520a0 5 bytes JMP 0000000077bb01e0 .text C:\Windows\system32\Dwm.exe[2736] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077a52160 5 bytes JMP 0000000077bb0250 .text C:\Windows\system32\Dwm.exe[2736] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077a52190 5 bytes JMP 0000000077bb0490 .text C:\Windows\system32\Dwm.exe[2736] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077a521a0 5 bytes JMP 0000000077bb04a0 .text C:\Windows\system32\Dwm.exe[2736] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077a521d0 5 bytes JMP 0000000077bb0300 .text C:\Windows\system32\Dwm.exe[2736] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077a521e0 5 bytes JMP 0000000077bb0360 .text C:\Windows\system32\Dwm.exe[2736] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077a52240 5 bytes JMP 0000000077bb02a0 .text C:\Windows\system32\Dwm.exe[2736] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077a52290 5 bytes JMP 0000000077bb02c0 .text C:\Windows\system32\Dwm.exe[2736] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077a522c0 5 bytes JMP 0000000077bb0380 .text C:\Windows\system32\Dwm.exe[2736] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077a522d0 5 bytes JMP 0000000077bb0340 .text C:\Windows\system32\Dwm.exe[2736] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077a525c0 5 bytes JMP 0000000077bb0440 .text C:\Windows\system32\Dwm.exe[2736] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077a527c0 5 bytes JMP 0000000077bb0260 .text C:\Windows\system32\Dwm.exe[2736] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077a527d0 5 bytes JMP 0000000077bb0270 .text C:\Windows\system32\Dwm.exe[2736] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077a527e0 5 bytes JMP 0000000077bb0400 .text C:\Windows\system32\Dwm.exe[2736] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077a529a0 5 bytes JMP 0000000077bb01f0 .text C:\Windows\system32\Dwm.exe[2736] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077a529b0 5 bytes JMP 0000000077bb0210 .text C:\Windows\system32\Dwm.exe[2736] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077a52a20 5 bytes JMP 0000000077bb0200 .text C:\Windows\system32\Dwm.exe[2736] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077a52a80 5 bytes JMP 0000000077bb0420 .text C:\Windows\system32\Dwm.exe[2736] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077a52a90 5 bytes JMP 0000000077bb0430 .text C:\Windows\system32\Dwm.exe[2736] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077a52aa0 5 bytes JMP 0000000077bb0220 .text C:\Windows\system32\Dwm.exe[2736] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077a52b80 5 bytes JMP 0000000077bb0280 .text C:\Windows\Explorer.EXE[2764] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077a51360 5 bytes JMP 0000000077bb0460 .text C:\Windows\Explorer.EXE[2764] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077a513b0 5 bytes JMP 0000000077bb0450 .text C:\Windows\Explorer.EXE[2764] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077a51510 5 bytes JMP 0000000077bb0370 .text C:\Windows\Explorer.EXE[2764] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077a51560 5 bytes JMP 0000000077bb0470 .text C:\Windows\Explorer.EXE[2764] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077a51570 5 bytes JMP 0000000077bb03e0 .text C:\Windows\Explorer.EXE[2764] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077a51620 5 bytes JMP 0000000077bb0320 .text C:\Windows\Explorer.EXE[2764] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077a51650 5 bytes JMP 0000000077bb03b0 .text C:\Windows\Explorer.EXE[2764] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077a51670 5 bytes JMP 0000000077bb0390 .text C:\Windows\Explorer.EXE[2764] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077a516b0 5 bytes JMP 0000000077bb02e0 .text C:\Windows\Explorer.EXE[2764] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077a51730 5 bytes JMP 0000000077bb02d0 .text C:\Windows\Explorer.EXE[2764] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077a51750 5 bytes JMP 0000000077bb0310 .text C:\Windows\Explorer.EXE[2764] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077a51790 5 bytes JMP 0000000077bb03c0 .text C:\Windows\Explorer.EXE[2764] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077a517e0 5 bytes JMP 0000000077bb03f0 .text C:\Windows\Explorer.EXE[2764] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077a51940 5 bytes JMP 0000000077bb0230 .text C:\Windows\Explorer.EXE[2764] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a51b00 5 bytes JMP 0000000077bb0480 .text C:\Windows\Explorer.EXE[2764] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077a51b30 5 bytes JMP 0000000077bb03a0 .text C:\Windows\Explorer.EXE[2764] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077a51c10 5 bytes JMP 0000000077bb02f0 .text C:\Windows\Explorer.EXE[2764] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077a51c20 5 bytes JMP 0000000077bb0350 .text C:\Windows\Explorer.EXE[2764] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077a51c80 5 bytes JMP 0000000077bb0290 .text C:\Windows\Explorer.EXE[2764] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077a51d10 5 bytes JMP 0000000077bb02b0 .text C:\Windows\Explorer.EXE[2764] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077a51d30 5 bytes JMP 0000000077bb03d0 .text C:\Windows\Explorer.EXE[2764] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077a51d40 5 bytes JMP 0000000077bb0330 .text C:\Windows\Explorer.EXE[2764] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077a51db0 5 bytes JMP 0000000077bb0410 .text C:\Windows\Explorer.EXE[2764] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077a51de0 5 bytes JMP 0000000077bb0240 .text C:\Windows\Explorer.EXE[2764] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077a520a0 5 bytes JMP 0000000077bb01e0 .text C:\Windows\Explorer.EXE[2764] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077a52160 5 bytes JMP 0000000077bb0250 .text C:\Windows\Explorer.EXE[2764] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077a52190 5 bytes JMP 0000000077bb0490 .text C:\Windows\Explorer.EXE[2764] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077a521a0 5 bytes JMP 0000000077bb04a0 .text C:\Windows\Explorer.EXE[2764] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077a521d0 5 bytes JMP 0000000077bb0300 .text C:\Windows\Explorer.EXE[2764] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077a521e0 5 bytes JMP 0000000077bb0360 .text C:\Windows\Explorer.EXE[2764] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077a52240 5 bytes JMP 0000000077bb02a0 .text C:\Windows\Explorer.EXE[2764] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077a52290 5 bytes JMP 0000000077bb02c0 .text C:\Windows\Explorer.EXE[2764] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077a522c0 5 bytes JMP 0000000077bb0380 .text C:\Windows\Explorer.EXE[2764] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077a522d0 5 bytes JMP 0000000077bb0340 .text C:\Windows\Explorer.EXE[2764] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077a525c0 5 bytes JMP 0000000077bb0440 .text C:\Windows\Explorer.EXE[2764] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077a527c0 5 bytes JMP 0000000077bb0260 .text C:\Windows\Explorer.EXE[2764] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077a527d0 5 bytes JMP 0000000077bb0270 .text C:\Windows\Explorer.EXE[2764] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077a527e0 5 bytes JMP 0000000077bb0400 .text C:\Windows\Explorer.EXE[2764] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077a529a0 5 bytes JMP 0000000077bb01f0 .text C:\Windows\Explorer.EXE[2764] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077a529b0 5 bytes JMP 0000000077bb0210 .text C:\Windows\Explorer.EXE[2764] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077a52a20 5 bytes JMP 0000000077bb0200 .text C:\Windows\Explorer.EXE[2764] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077a52a80 5 bytes JMP 0000000077bb0420 .text C:\Windows\Explorer.EXE[2764] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077a52a90 5 bytes JMP 0000000077bb0430 .text C:\Windows\Explorer.EXE[2764] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077a52aa0 5 bytes JMP 0000000077bb0220 .text C:\Windows\Explorer.EXE[2764] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077a52b80 5 bytes JMP 0000000077bb0280 .text C:\Windows\Explorer.EXE[2764] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007793eecd 1 byte [62] .text C:\Windows\system32\taskeng.exe[2832] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077a51360 5 bytes JMP 0000000077bb0460 .text C:\Windows\system32\taskeng.exe[2832] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077a513b0 5 bytes JMP 0000000077bb0450 .text C:\Windows\system32\taskeng.exe[2832] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077a51510 5 bytes JMP 0000000077bb0370 .text C:\Windows\system32\taskeng.exe[2832] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077a51560 5 bytes JMP 0000000077bb0470 .text C:\Windows\system32\taskeng.exe[2832] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077a51570 5 bytes JMP 0000000077bb03e0 .text C:\Windows\system32\taskeng.exe[2832] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077a51620 5 bytes JMP 0000000077bb0320 .text C:\Windows\system32\taskeng.exe[2832] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077a51650 5 bytes JMP 0000000077bb03b0 .text C:\Windows\system32\taskeng.exe[2832] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077a51670 5 bytes JMP 0000000077bb0390 .text C:\Windows\system32\taskeng.exe[2832] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077a516b0 5 bytes JMP 0000000077bb02e0 .text C:\Windows\system32\taskeng.exe[2832] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077a51730 5 bytes JMP 0000000077bb02d0 .text C:\Windows\system32\taskeng.exe[2832] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077a51750 5 bytes JMP 0000000077bb0310 .text C:\Windows\system32\taskeng.exe[2832] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077a51790 5 bytes JMP 0000000077bb03c0 .text C:\Windows\system32\taskeng.exe[2832] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077a517e0 5 bytes JMP 0000000077bb03f0 .text C:\Windows\system32\taskeng.exe[2832] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077a51940 5 bytes JMP 0000000077bb0230 .text C:\Windows\system32\taskeng.exe[2832] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a51b00 5 bytes JMP 0000000077bb0480 .text C:\Windows\system32\taskeng.exe[2832] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077a51b30 5 bytes JMP 0000000077bb03a0 .text C:\Windows\system32\taskeng.exe[2832] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077a51c10 5 bytes JMP 0000000077bb02f0 .text C:\Windows\system32\taskeng.exe[2832] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077a51c20 5 bytes JMP 0000000077bb0350 .text C:\Windows\system32\taskeng.exe[2832] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077a51c80 5 bytes JMP 0000000077bb0290 .text C:\Windows\system32\taskeng.exe[2832] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077a51d10 5 bytes JMP 0000000077bb02b0 .text C:\Windows\system32\taskeng.exe[2832] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077a51d30 5 bytes JMP 0000000077bb03d0 .text C:\Windows\system32\taskeng.exe[2832] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077a51d40 5 bytes JMP 0000000077bb0330 .text C:\Windows\system32\taskeng.exe[2832] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077a51db0 5 bytes JMP 0000000077bb0410 .text C:\Windows\system32\taskeng.exe[2832] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077a51de0 5 bytes JMP 0000000077bb0240 .text C:\Windows\system32\taskeng.exe[2832] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077a520a0 5 bytes JMP 0000000077bb01e0 .text C:\Windows\system32\taskeng.exe[2832] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077a52160 5 bytes JMP 0000000077bb0250 .text C:\Windows\system32\taskeng.exe[2832] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077a52190 5 bytes JMP 0000000077bb0490 .text C:\Windows\system32\taskeng.exe[2832] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077a521a0 5 bytes JMP 0000000077bb04a0 .text C:\Windows\system32\taskeng.exe[2832] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077a521d0 5 bytes JMP 0000000077bb0300 .text C:\Windows\system32\taskeng.exe[2832] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077a521e0 5 bytes JMP 0000000077bb0360 .text C:\Windows\system32\taskeng.exe[2832] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077a52240 5 bytes JMP 0000000077bb02a0 .text C:\Windows\system32\taskeng.exe[2832] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077a52290 5 bytes JMP 0000000077bb02c0 .text C:\Windows\system32\taskeng.exe[2832] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077a522c0 5 bytes JMP 0000000077bb0380 .text C:\Windows\system32\taskeng.exe[2832] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077a522d0 5 bytes JMP 0000000077bb0340 .text C:\Windows\system32\taskeng.exe[2832] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077a525c0 5 bytes JMP 0000000077bb0440 .text C:\Windows\system32\taskeng.exe[2832] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077a527c0 5 bytes JMP 0000000077bb0260 .text C:\Windows\system32\taskeng.exe[2832] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077a527d0 5 bytes JMP 0000000077bb0270 .text C:\Windows\system32\taskeng.exe[2832] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077a527e0 5 bytes JMP 0000000077bb0400 .text C:\Windows\system32\taskeng.exe[2832] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077a529a0 5 bytes JMP 0000000077bb01f0 .text C:\Windows\system32\taskeng.exe[2832] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077a529b0 5 bytes JMP 0000000077bb0210 .text C:\Windows\system32\taskeng.exe[2832] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077a52a20 5 bytes JMP 0000000077bb0200 .text C:\Windows\system32\taskeng.exe[2832] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077a52a80 5 bytes JMP 0000000077bb0420 .text C:\Windows\system32\taskeng.exe[2832] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077a52a90 5 bytes JMP 0000000077bb0430 .text C:\Windows\system32\taskeng.exe[2832] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077a52aa0 5 bytes JMP 0000000077bb0220 .text C:\Windows\system32\taskeng.exe[2832] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077a52b80 5 bytes JMP 0000000077bb0280 .text C:\Windows\SysWOW64\rundll32.exe[2908] C:\Windows\SysWOW64\ntdll.dll!DbgUserBreakPoint 0000000077bf0008 1 byte [C3] .text C:\Windows\SysWOW64\rundll32.exe[2908] C:\Windows\SysWOW64\ntdll.dll!DbgBreakPoint 0000000077bf000c 1 byte [C3] .text C:\Windows\SysWOW64\rundll32.exe[2908] C:\Windows\SysWOW64\ntdll.dll!DbgUiRemoteBreakin 0000000077c7f8ea 5 bytes JMP 0000000177c2d5c1 .text C:\Windows\SysWOW64\rundll32.exe[2908] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007598a2ba 1 byte [62] .text C:\Windows\SysWOW64\rundll32.exe[2908] C:\Program Files (x86)\Garena Plus\ggspawn.dll!_ExtExecAPI@0 + 5 000000006fbd5fd5 16 bytes [84, 05, 94, 0F, C2, 6F, 75, ...] .text C:\Windows\SysWOW64\rundll32.exe[2908] C:\Program Files (x86)\Garena Plus\ggspawn.dll!_ExtExecAPI@0 + 24 000000006fbd5fe8 9 bytes [68, 10, D1, C0, 6F, E8, 4A, ...] .text ... * 63 .text C:\Windows\SysWOW64\rundll32.exe[2908] C:\Program Files (x86)\Garena Plus\ggspawn.dll!DllUnregisterServer + 6 000000006fbddba6 12 bytes [A1, 48, B5, C1, 6F, 33, C4, ...] .text C:\Windows\SysWOW64\rundll32.exe[2908] C:\Program Files (x86)\Garena Plus\ggspawn.dll!DllUnregisterServer + 20 000000006fbddbb4 24 bytes [33, C0, 56, 66, 89, 44, 24, ...] .text C:\Windows\SysWOW64\rundll32.exe[2908] C:\Program Files (x86)\Garena Plus\ggspawn.dll!DllUnregisterServer + 114 000000006fbddc12 4 bytes [C7, 44, 24, 20] .text C:\Windows\SysWOW64\rundll32.exe[2908] C:\Program Files (x86)\Garena Plus\ggspawn.dll!DllUnregisterServer + 748 000000006fbdde8c 18 bytes [33, D2, 6A, 01, B8, E0, 22, ...] .text ... * 13 .text C:\Windows\SysWOW64\rundll32.exe[2908] C:\Program Files (x86)\Garena Plus\ggspawn.dll!DllRegisterServer + 16 000000006fbde0e0 3 bytes [E8, BB, 53] .text C:\Windows\SysWOW64\rundll32.exe[2908] C:\Program Files (x86)\Garena Plus\ggspawn.dll!DllRegisterServer + 21 000000006fbde0e5 25 bytes [83, C4, 04, 33, C0, C3, CC, ...] .text ... * 45 .text C:\Windows\SysWOW64\rundll32.exe[2908] C:\Program Files (x86)\Garena Plus\ggspawn.dll!rundll_entryW + 12 000000006fbe399c 14 bytes {PUSH RBX; PUSH RSI; PUSH RDI; CALL 0xffffffffffff0f64} .text C:\Windows\SysWOW64\rundll32.exe[2908] C:\Program Files (x86)\Garena Plus\ggspawn.dll!rundll_entryW + 28 000000006fbe39ac 4 bytes [E8, 6E, 6F, 07] .text C:\Windows\SysWOW64\rundll32.exe[2908] C:\Program Files (x86)\Garena Plus\ggspawn.dll!rundll_entryW + 158 000000006fbe3a2e 1 byte [6A] .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[3568] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007598a2ba 1 byte [62] .text C:\Windows\system32\svchost.exe[3856] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077a51360 5 bytes JMP 0000000077bb0460 .text C:\Windows\system32\svchost.exe[3856] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077a513b0 5 bytes JMP 0000000077bb0450 .text C:\Windows\system32\svchost.exe[3856] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077a51510 5 bytes JMP 0000000077bb0370 .text C:\Windows\system32\svchost.exe[3856] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077a51560 5 bytes JMP 0000000077bb0470 .text C:\Windows\system32\svchost.exe[3856] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077a51570 5 bytes JMP 0000000077bb03e0 .text C:\Windows\system32\svchost.exe[3856] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077a51620 5 bytes JMP 0000000077bb0320 .text C:\Windows\system32\svchost.exe[3856] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077a51650 5 bytes JMP 0000000077bb03b0 .text C:\Windows\system32\svchost.exe[3856] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077a51670 5 bytes JMP 0000000077bb0390 .text C:\Windows\system32\svchost.exe[3856] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077a516b0 5 bytes JMP 0000000077bb02e0 .text C:\Windows\system32\svchost.exe[3856] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077a51730 5 bytes JMP 0000000077bb02d0 .text C:\Windows\system32\svchost.exe[3856] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077a51750 5 bytes JMP 0000000077bb0310 .text C:\Windows\system32\svchost.exe[3856] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077a51790 5 bytes JMP 0000000077bb03c0 .text C:\Windows\system32\svchost.exe[3856] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077a517e0 5 bytes JMP 0000000077bb03f0 .text C:\Windows\system32\svchost.exe[3856] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077a51940 5 bytes JMP 0000000077bb0230 .text C:\Windows\system32\svchost.exe[3856] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a51b00 5 bytes JMP 0000000077bb0480 .text C:\Windows\system32\svchost.exe[3856] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077a51b30 5 bytes JMP 0000000077bb03a0 .text C:\Windows\system32\svchost.exe[3856] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077a51c10 5 bytes JMP 0000000077bb02f0 .text C:\Windows\system32\svchost.exe[3856] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077a51c20 5 bytes JMP 0000000077bb0350 .text C:\Windows\system32\svchost.exe[3856] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077a51c80 5 bytes JMP 0000000077bb0290 .text C:\Windows\system32\svchost.exe[3856] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077a51d10 5 bytes JMP 0000000077bb02b0 .text C:\Windows\system32\svchost.exe[3856] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077a51d30 5 bytes JMP 0000000077bb03d0 .text C:\Windows\system32\svchost.exe[3856] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077a51d40 5 bytes JMP 0000000077bb0330 .text C:\Windows\system32\svchost.exe[3856] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077a51db0 5 bytes JMP 0000000077bb0410 .text C:\Windows\system32\svchost.exe[3856] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077a51de0 5 bytes JMP 0000000077bb0240 .text C:\Windows\system32\svchost.exe[3856] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077a520a0 5 bytes JMP 0000000077bb01e0 .text C:\Windows\system32\svchost.exe[3856] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077a52160 5 bytes JMP 0000000077bb0250 .text C:\Windows\system32\svchost.exe[3856] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077a52190 5 bytes JMP 0000000077bb0490 .text C:\Windows\system32\svchost.exe[3856] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077a521a0 5 bytes JMP 0000000077bb04a0 .text C:\Windows\system32\svchost.exe[3856] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077a521d0 5 bytes JMP 0000000077bb0300 .text C:\Windows\system32\svchost.exe[3856] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077a521e0 5 bytes JMP 0000000077bb0360 .text C:\Windows\system32\svchost.exe[3856] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077a52240 5 bytes JMP 0000000077bb02a0 .text C:\Windows\system32\svchost.exe[3856] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077a52290 5 bytes JMP 0000000077bb02c0 .text C:\Windows\system32\svchost.exe[3856] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077a522c0 5 bytes JMP 0000000077bb0380 .text C:\Windows\system32\svchost.exe[3856] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077a522d0 5 bytes JMP 0000000077bb0340 .text C:\Windows\system32\svchost.exe[3856] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077a525c0 5 bytes JMP 0000000077bb0440 .text C:\Windows\system32\svchost.exe[3856] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077a527c0 5 bytes JMP 0000000077bb0260 .text C:\Windows\system32\svchost.exe[3856] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077a527d0 5 bytes JMP 0000000077bb0270 .text C:\Windows\system32\svchost.exe[3856] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077a527e0 5 bytes JMP 0000000077bb0400 .text C:\Windows\system32\svchost.exe[3856] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077a529a0 5 bytes JMP 0000000077bb01f0 .text C:\Windows\system32\svchost.exe[3856] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077a529b0 5 bytes JMP 0000000077bb0210 .text C:\Windows\system32\svchost.exe[3856] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077a52a20 5 bytes JMP 0000000077bb0200 .text C:\Windows\system32\svchost.exe[3856] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077a52a80 5 bytes JMP 0000000077bb0420 .text C:\Windows\system32\svchost.exe[3856] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077a52a90 5 bytes JMP 0000000077bb0430 .text C:\Windows\system32\svchost.exe[3856] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077a52aa0 5 bytes JMP 0000000077bb0220 .text C:\Windows\system32\svchost.exe[3856] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077a52b80 5 bytes JMP 0000000077bb0280 .text C:\Windows\system32\SearchIndexer.exe[3948] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077a51360 5 bytes JMP 0000000077bb0460 .text C:\Windows\system32\SearchIndexer.exe[3948] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077a513b0 5 bytes JMP 0000000077bb0450 .text C:\Windows\system32\SearchIndexer.exe[3948] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077a51510 5 bytes JMP 0000000077bb0370 .text C:\Windows\system32\SearchIndexer.exe[3948] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077a51560 5 bytes JMP 0000000077bb0470 .text C:\Windows\system32\SearchIndexer.exe[3948] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077a51570 5 bytes JMP 0000000077bb03e0 .text C:\Windows\system32\SearchIndexer.exe[3948] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077a51620 5 bytes JMP 0000000077bb0320 .text C:\Windows\system32\SearchIndexer.exe[3948] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077a51650 5 bytes JMP 0000000077bb03b0 .text C:\Windows\system32\SearchIndexer.exe[3948] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077a51670 5 bytes JMP 0000000077bb0390 .text C:\Windows\system32\SearchIndexer.exe[3948] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077a516b0 5 bytes JMP 0000000077bb02e0 .text C:\Windows\system32\SearchIndexer.exe[3948] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077a51730 5 bytes JMP 0000000077bb02d0 .text C:\Windows\system32\SearchIndexer.exe[3948] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077a51750 5 bytes JMP 0000000077bb0310 .text C:\Windows\system32\SearchIndexer.exe[3948] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077a51790 5 bytes JMP 0000000077bb03c0 .text C:\Windows\system32\SearchIndexer.exe[3948] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077a517e0 5 bytes JMP 0000000077bb03f0 .text C:\Windows\system32\SearchIndexer.exe[3948] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077a51940 5 bytes JMP 0000000077bb0230 .text C:\Windows\system32\SearchIndexer.exe[3948] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a51b00 5 bytes JMP 0000000077bb0480 .text C:\Windows\system32\SearchIndexer.exe[3948] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077a51b30 5 bytes JMP 0000000077bb03a0 .text C:\Windows\system32\SearchIndexer.exe[3948] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077a51c10 5 bytes JMP 0000000077bb02f0 .text C:\Windows\system32\SearchIndexer.exe[3948] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077a51c20 5 bytes JMP 0000000077bb0350 .text C:\Windows\system32\SearchIndexer.exe[3948] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077a51c80 5 bytes JMP 0000000077bb0290 .text C:\Windows\system32\SearchIndexer.exe[3948] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077a51d10 5 bytes JMP 0000000077bb02b0 .text C:\Windows\system32\SearchIndexer.exe[3948] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077a51d30 5 bytes JMP 0000000077bb03d0 .text C:\Windows\system32\SearchIndexer.exe[3948] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077a51d40 5 bytes JMP 0000000077bb0330 .text C:\Windows\system32\SearchIndexer.exe[3948] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077a51db0 5 bytes JMP 0000000077bb0410 .text C:\Windows\system32\SearchIndexer.exe[3948] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077a51de0 5 bytes JMP 0000000077bb0240 .text C:\Windows\system32\SearchIndexer.exe[3948] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077a520a0 5 bytes JMP 0000000077bb01e0 .text C:\Windows\system32\SearchIndexer.exe[3948] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077a52160 5 bytes JMP 0000000077bb0250 .text C:\Windows\system32\SearchIndexer.exe[3948] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077a52190 5 bytes JMP 0000000077bb0490 .text C:\Windows\system32\SearchIndexer.exe[3948] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077a521a0 5 bytes JMP 0000000077bb04a0 .text C:\Windows\system32\SearchIndexer.exe[3948] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077a521d0 5 bytes JMP 0000000077bb0300 .text C:\Windows\system32\SearchIndexer.exe[3948] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077a521e0 5 bytes JMP 0000000077bb0360 .text C:\Windows\system32\SearchIndexer.exe[3948] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077a52240 5 bytes JMP 0000000077bb02a0 .text C:\Windows\system32\SearchIndexer.exe[3948] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077a52290 5 bytes JMP 0000000077bb02c0 .text C:\Windows\system32\SearchIndexer.exe[3948] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077a522c0 5 bytes JMP 0000000077bb0380 .text C:\Windows\system32\SearchIndexer.exe[3948] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077a522d0 5 bytes JMP 0000000077bb0340 .text C:\Windows\system32\SearchIndexer.exe[3948] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077a525c0 5 bytes JMP 0000000077bb0440 .text C:\Windows\system32\SearchIndexer.exe[3948] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077a527c0 5 bytes JMP 0000000077bb0260 .text C:\Windows\system32\SearchIndexer.exe[3948] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077a527d0 5 bytes JMP 0000000077bb0270 .text C:\Windows\system32\SearchIndexer.exe[3948] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077a527e0 5 bytes JMP 0000000077bb0400 .text C:\Windows\system32\SearchIndexer.exe[3948] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077a529a0 5 bytes JMP 0000000077bb01f0 .text C:\Windows\system32\SearchIndexer.exe[3948] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077a529b0 5 bytes JMP 0000000077bb0210 .text C:\Windows\system32\SearchIndexer.exe[3948] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077a52a20 5 bytes JMP 0000000077bb0200 .text C:\Windows\system32\SearchIndexer.exe[3948] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077a52a80 5 bytes JMP 0000000077bb0420 .text C:\Windows\system32\SearchIndexer.exe[3948] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077a52a90 5 bytes JMP 0000000077bb0430 .text C:\Windows\system32\SearchIndexer.exe[3948] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077a52aa0 5 bytes JMP 0000000077bb0220 .text C:\Windows\system32\SearchIndexer.exe[3948] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077a52b80 5 bytes JMP 0000000077bb0280 .text C:\Windows\system32\SearchIndexer.exe[3948] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007793eecd 1 byte [62] .text C:\Windows\System32\svchost.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077a51360 5 bytes JMP 0000000077bb0460 .text C:\Windows\System32\svchost.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077a513b0 5 bytes JMP 0000000077bb0450 .text C:\Windows\System32\svchost.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077a51510 5 bytes JMP 0000000077bb0370 .text C:\Windows\System32\svchost.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077a51560 5 bytes JMP 0000000077bb0470 .text C:\Windows\System32\svchost.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077a51570 5 bytes JMP 0000000077bb03e0 .text C:\Windows\System32\svchost.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077a51620 5 bytes JMP 0000000077bb0320 .text C:\Windows\System32\svchost.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077a51650 5 bytes JMP 0000000077bb03b0 .text C:\Windows\System32\svchost.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077a51670 5 bytes JMP 0000000077bb0390 .text C:\Windows\System32\svchost.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077a516b0 5 bytes JMP 0000000077bb02e0 .text C:\Windows\System32\svchost.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077a51730 5 bytes JMP 0000000077bb02d0 .text C:\Windows\System32\svchost.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077a51750 5 bytes JMP 0000000077bb0310 .text C:\Windows\System32\svchost.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077a51790 5 bytes JMP 0000000077bb03c0 .text C:\Windows\System32\svchost.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077a517e0 5 bytes JMP 0000000077bb03f0 .text C:\Windows\System32\svchost.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077a51940 5 bytes JMP 0000000077bb0230 .text C:\Windows\System32\svchost.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a51b00 5 bytes JMP 0000000077bb0480 .text C:\Windows\System32\svchost.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077a51b30 5 bytes JMP 0000000077bb03a0 .text C:\Windows\System32\svchost.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077a51c10 5 bytes JMP 0000000077bb02f0 .text C:\Windows\System32\svchost.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077a51c20 5 bytes JMP 0000000077bb0350 .text C:\Windows\System32\svchost.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077a51c80 5 bytes JMP 0000000077bb0290 .text C:\Windows\System32\svchost.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077a51d10 5 bytes JMP 0000000077bb02b0 .text C:\Windows\System32\svchost.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077a51d30 5 bytes JMP 0000000077bb03d0 .text C:\Windows\System32\svchost.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077a51d40 5 bytes JMP 0000000077bb0330 .text C:\Windows\System32\svchost.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077a51db0 5 bytes JMP 0000000077bb0410 .text C:\Windows\System32\svchost.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077a51de0 5 bytes JMP 0000000077bb0240 .text C:\Windows\System32\svchost.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077a520a0 5 bytes JMP 0000000077bb01e0 .text C:\Windows\System32\svchost.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077a52160 5 bytes JMP 0000000077bb0250 .text C:\Windows\System32\svchost.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077a52190 5 bytes JMP 0000000077bb0490 .text C:\Windows\System32\svchost.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077a521a0 5 bytes JMP 0000000077bb04a0 .text C:\Windows\System32\svchost.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077a521d0 5 bytes JMP 0000000077bb0300 .text C:\Windows\System32\svchost.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077a521e0 5 bytes JMP 0000000077bb0360 .text C:\Windows\System32\svchost.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077a52240 5 bytes JMP 0000000077bb02a0 .text C:\Windows\System32\svchost.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077a52290 5 bytes JMP 0000000077bb02c0 .text C:\Windows\System32\svchost.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077a522c0 5 bytes JMP 0000000077bb0380 .text C:\Windows\System32\svchost.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077a522d0 5 bytes JMP 0000000077bb0340 .text C:\Windows\System32\svchost.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077a525c0 5 bytes JMP 0000000077bb0440 .text C:\Windows\System32\svchost.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077a527c0 5 bytes JMP 0000000077bb0260 .text C:\Windows\System32\svchost.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077a527d0 5 bytes JMP 0000000077bb0270 .text C:\Windows\System32\svchost.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077a527e0 5 bytes JMP 0000000077bb0400 .text C:\Windows\System32\svchost.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077a529a0 5 bytes JMP 0000000077bb01f0 .text C:\Windows\System32\svchost.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077a529b0 5 bytes JMP 0000000077bb0210 .text C:\Windows\System32\svchost.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077a52a20 5 bytes JMP 0000000077bb0200 .text C:\Windows\System32\svchost.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077a52a80 5 bytes JMP 0000000077bb0420 .text C:\Windows\System32\svchost.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077a52a90 5 bytes JMP 0000000077bb0430 .text C:\Windows\System32\svchost.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077a52aa0 5 bytes JMP 0000000077bb0220 .text C:\Windows\System32\svchost.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077a52b80 5 bytes JMP 0000000077bb0280 .text C:\Users\mati\Desktop\lxxsf385.exe[4480] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007598a2ba 1 byte [62] ---- User IAT/EAT - GMER 2.1 ---- IAT C:\Windows\system32\svchost.exe[364] @ C:\Windows\system32\qmgrprxy.dll[msvcrt.dll!memset] [0] IAT C:\Windows\system32\svchost.exe[364] @ C:\Windows\system32\qmgrprxy.dll[msvcrt.dll!__CxxFrameHandler3] [0] IAT C:\Windows\system32\svchost.exe[364] @ C:\Windows\system32\qmgrprxy.dll[msvcrt.dll!??1type_info@@UEAA@XZ] [0] IAT C:\Windows\system32\svchost.exe[364] @ C:\Windows\system32\qmgrprxy.dll[msvcrt.dll!free] [0] IAT C:\Windows\system32\svchost.exe[364] @ C:\Windows\system32\qmgrprxy.dll[msvcrt.dll!_initterm] [0] IAT C:\Windows\system32\svchost.exe[364] @ C:\Windows\system32\qmgrprxy.dll[msvcrt.dll!malloc] [4a5bc17400000000] IAT C:\Windows\system32\svchost.exe[364] @ C:\Windows\system32\qmgrprxy.dll[msvcrt.dll!_XcptFilter] [200000000] IAT C:\Windows\system32\svchost.exe[364] @ C:\Windows\system32\qmgrprxy.dll[msvcrt.dll!_CxxThrowException] [1c2400000025] IAT C:\Windows\system32\svchost.exe[364] @ C:\Windows\system32\qmgrprxy.dll[ntdll.dll!RtlLookupFunctionEntry] [0] IAT C:\Windows\system32\svchost.exe[364] @ C:\Windows\system32\qmgrprxy.dll[RPCRT4.dll!CStdStubBuffer_IsIIDSupported] [0] ---- EOF - GMER 2.1 ----