GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2014-02-07 21:45:28 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 WDC_WD3200AAKS-00VYA0 rev.12.01B02 298,09GB Running: s42ku1rb.exe; Driver: C:\Users\Dom\AppData\Local\Temp\uxriqpow.sys ---- User code sections - GMER 2.1 ---- .text C:\Windows\system32\csrss.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077a713c0 5 bytes JMP 000000014a020460 .text C:\Windows\system32\csrss.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077a71410 5 bytes JMP 000000014a020450 .text C:\Windows\system32\csrss.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077a71570 5 bytes JMP 000000014a020370 .text C:\Windows\system32\csrss.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077a715c0 5 bytes JMP 000000014a020470 .text C:\Windows\system32\csrss.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077a715d0 5 bytes JMP 000000014a0203e0 .text C:\Windows\system32\csrss.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077a71680 5 bytes JMP 000000014a020320 .text C:\Windows\system32\csrss.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077a716b0 5 bytes JMP 000000014a0203b0 .text C:\Windows\system32\csrss.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077a716d0 5 bytes JMP 000000014a020390 .text C:\Windows\system32\csrss.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077a71710 5 bytes JMP 000000014a0202e0 .text C:\Windows\system32\csrss.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077a71790 5 bytes JMP 000000014a0202d0 .text C:\Windows\system32\csrss.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077a717b0 5 bytes JMP 000000014a020310 .text C:\Windows\system32\csrss.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077a717f0 5 bytes JMP 000000014a0203c0 .text C:\Windows\system32\csrss.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077a71840 5 bytes JMP 000000014a0203f0 .text C:\Windows\system32\csrss.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077a719a0 1 byte JMP 000000014a020230 .text C:\Windows\system32\csrss.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000077a719a2 3 bytes {JMP 0xffffffffd25ae890} .text C:\Windows\system32\csrss.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a71b60 5 bytes JMP 000000014a020480 .text C:\Windows\system32\csrss.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077a71b90 5 bytes JMP 000000014a0203a0 .text C:\Windows\system32\csrss.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077a71c70 5 bytes JMP 000000014a0202f0 .text C:\Windows\system32\csrss.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077a71c80 5 bytes JMP 000000014a020350 .text C:\Windows\system32\csrss.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077a71ce0 5 bytes JMP 000000014a020290 .text C:\Windows\system32\csrss.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077a71d70 5 bytes JMP 000000014a0202b0 .text C:\Windows\system32\csrss.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077a71d90 5 bytes JMP 000000014a0203d0 .text C:\Windows\system32\csrss.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077a71da0 1 byte JMP 000000014a020330 .text C:\Windows\system32\csrss.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077a71da2 3 bytes {JMP 0xffffffffd25ae590} .text C:\Windows\system32\csrss.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077a71e10 5 bytes JMP 000000014a020410 .text C:\Windows\system32\csrss.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077a71e40 5 bytes JMP 000000014a020240 .text C:\Windows\system32\csrss.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077a72100 5 bytes JMP 000000014a0201e0 .text C:\Windows\system32\csrss.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077a721c0 1 byte JMP 000000014a020250 .text C:\Windows\system32\csrss.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000077a721c2 3 bytes {JMP 0xffffffffd25ae090} .text C:\Windows\system32\csrss.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077a721f0 5 bytes JMP 000000014a020490 .text C:\Windows\system32\csrss.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077a72200 5 bytes JMP 000000014a0204a0 .text C:\Windows\system32\csrss.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077a72230 5 bytes JMP 000000014a020300 .text C:\Windows\system32\csrss.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077a72240 5 bytes JMP 000000014a020360 .text C:\Windows\system32\csrss.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077a722a0 5 bytes JMP 000000014a0202a0 .text C:\Windows\system32\csrss.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077a722f0 5 bytes JMP 000000014a0202c0 .text C:\Windows\system32\csrss.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077a72320 5 bytes JMP 000000014a020380 .text C:\Windows\system32\csrss.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077a72330 5 bytes JMP 000000014a020340 .text C:\Windows\system32\csrss.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077a72620 5 bytes JMP 000000014a020440 .text C:\Windows\system32\csrss.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077a72820 5 bytes JMP 000000014a020260 .text C:\Windows\system32\csrss.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077a72830 5 bytes JMP 000000014a020270 .text C:\Windows\system32\csrss.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077a72840 5 bytes JMP 000000014a020400 .text C:\Windows\system32\csrss.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077a72a00 5 bytes JMP 000000014a0201f0 .text C:\Windows\system32\csrss.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077a72a10 5 bytes JMP 000000014a020210 .text C:\Windows\system32\csrss.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077a72a80 5 bytes JMP 000000014a020200 .text C:\Windows\system32\csrss.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077a72ae0 5 bytes JMP 000000014a020420 .text C:\Windows\system32\csrss.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077a72af0 5 bytes JMP 000000014a020430 .text C:\Windows\system32\csrss.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077a72b00 5 bytes JMP 000000014a020220 .text C:\Windows\system32\csrss.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077a72be0 5 bytes JMP 000000014a020280 .text C:\Windows\system32\wininit.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077a713c0 5 bytes JMP 0000000077bd0460 .text C:\Windows\system32\wininit.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077a71410 5 bytes JMP 0000000077bd0450 .text C:\Windows\system32\wininit.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077a71570 5 bytes JMP 0000000077bd0370 .text C:\Windows\system32\wininit.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077a715c0 5 bytes JMP 0000000077bd0470 .text C:\Windows\system32\wininit.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077a715d0 5 bytes JMP 0000000077bd03e0 .text C:\Windows\system32\wininit.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077a71680 5 bytes JMP 0000000077bd0320 .text C:\Windows\system32\wininit.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077a716b0 5 bytes JMP 0000000077bd03b0 .text C:\Windows\system32\wininit.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077a716d0 5 bytes JMP 0000000077bd0390 .text C:\Windows\system32\wininit.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077a71710 5 bytes JMP 0000000077bd02e0 .text C:\Windows\system32\wininit.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077a71790 5 bytes JMP 0000000077bd02d0 .text C:\Windows\system32\wininit.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077a717b0 5 bytes JMP 0000000077bd0310 .text C:\Windows\system32\wininit.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077a717f0 5 bytes JMP 0000000077bd03c0 .text C:\Windows\system32\wininit.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077a71840 5 bytes JMP 0000000077bd03f0 .text C:\Windows\system32\wininit.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077a719a0 1 byte JMP 0000000077bd0230 .text C:\Windows\system32\wininit.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000077a719a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\wininit.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a71b60 5 bytes JMP 0000000077bd0480 .text C:\Windows\system32\wininit.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077a71b90 5 bytes JMP 0000000077bd03a0 .text C:\Windows\system32\wininit.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077a71c70 5 bytes JMP 0000000077bd02f0 .text C:\Windows\system32\wininit.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077a71c80 5 bytes JMP 0000000077bd0350 .text C:\Windows\system32\wininit.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077a71ce0 5 bytes JMP 0000000077bd0290 .text C:\Windows\system32\wininit.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077a71d70 5 bytes JMP 0000000077bd02b0 .text C:\Windows\system32\wininit.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077a71d90 5 bytes JMP 0000000077bd03d0 .text C:\Windows\system32\wininit.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077a71da0 1 byte JMP 0000000077bd0330 .text C:\Windows\system32\wininit.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077a71da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\wininit.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077a71e10 5 bytes JMP 0000000077bd0410 .text C:\Windows\system32\wininit.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077a71e40 5 bytes JMP 0000000077bd0240 .text C:\Windows\system32\wininit.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077a72100 5 bytes JMP 0000000077bd01e0 .text C:\Windows\system32\wininit.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077a721c0 1 byte JMP 0000000077bd0250 .text C:\Windows\system32\wininit.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000077a721c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\wininit.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077a721f0 5 bytes JMP 0000000077bd0490 .text C:\Windows\system32\wininit.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077a72200 5 bytes JMP 0000000077bd04a0 .text C:\Windows\system32\wininit.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077a72230 5 bytes JMP 0000000077bd0300 .text C:\Windows\system32\wininit.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077a72240 5 bytes JMP 0000000077bd0360 .text C:\Windows\system32\wininit.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077a722a0 5 bytes JMP 0000000077bd02a0 .text C:\Windows\system32\wininit.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077a722f0 5 bytes JMP 0000000077bd02c0 .text C:\Windows\system32\wininit.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077a72320 5 bytes JMP 0000000077bd0380 .text C:\Windows\system32\wininit.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077a72330 5 bytes JMP 0000000077bd0340 .text C:\Windows\system32\wininit.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077a72620 5 bytes JMP 0000000077bd0440 .text C:\Windows\system32\wininit.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077a72820 5 bytes JMP 0000000077bd0260 .text C:\Windows\system32\wininit.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077a72830 5 bytes JMP 0000000077bd0270 .text C:\Windows\system32\wininit.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077a72840 5 bytes JMP 0000000077bd0400 .text C:\Windows\system32\wininit.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077a72a00 5 bytes JMP 0000000077bd01f0 .text C:\Windows\system32\wininit.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077a72a10 5 bytes JMP 0000000077bd0210 .text C:\Windows\system32\wininit.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077a72a80 5 bytes JMP 0000000077bd0200 .text C:\Windows\system32\wininit.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077a72ae0 5 bytes JMP 0000000077bd0420 .text C:\Windows\system32\wininit.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077a72af0 5 bytes JMP 0000000077bd0430 .text C:\Windows\system32\wininit.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077a72b00 5 bytes JMP 0000000077bd0220 .text C:\Windows\system32\wininit.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077a72be0 5 bytes JMP 0000000077bd0280 .text C:\Windows\system32\wininit.exe[540] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007785eecd 1 byte [62] .text C:\Windows\system32\csrss.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077a713c0 5 bytes JMP 000000014a020460 .text C:\Windows\system32\csrss.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077a71410 5 bytes JMP 000000014a020450 .text C:\Windows\system32\csrss.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077a71570 5 bytes JMP 000000014a020370 .text C:\Windows\system32\csrss.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077a715c0 5 bytes JMP 000000014a020470 .text C:\Windows\system32\csrss.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077a715d0 5 bytes JMP 000000014a0203e0 .text C:\Windows\system32\csrss.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077a71680 5 bytes JMP 000000014a020320 .text C:\Windows\system32\csrss.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077a716b0 5 bytes JMP 000000014a0203b0 .text C:\Windows\system32\csrss.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077a716d0 5 bytes JMP 000000014a020390 .text C:\Windows\system32\csrss.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077a71710 5 bytes JMP 000000014a0202e0 .text C:\Windows\system32\csrss.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077a71790 5 bytes JMP 000000014a0202d0 .text C:\Windows\system32\csrss.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077a717b0 5 bytes JMP 000000014a020310 .text C:\Windows\system32\csrss.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077a717f0 5 bytes JMP 000000014a0203c0 .text C:\Windows\system32\csrss.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077a71840 5 bytes JMP 000000014a0203f0 .text C:\Windows\system32\csrss.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077a719a0 1 byte JMP 000000014a020230 .text C:\Windows\system32\csrss.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000077a719a2 3 bytes {JMP 0xffffffffd25ae890} .text C:\Windows\system32\csrss.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a71b60 5 bytes JMP 000000014a020480 .text C:\Windows\system32\csrss.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077a71b90 5 bytes JMP 000000014a0203a0 .text C:\Windows\system32\csrss.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077a71c70 5 bytes JMP 000000014a0202f0 .text C:\Windows\system32\csrss.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077a71c80 5 bytes JMP 000000014a020350 .text C:\Windows\system32\csrss.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077a71ce0 5 bytes JMP 000000014a020290 .text C:\Windows\system32\csrss.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077a71d70 5 bytes JMP 000000014a0202b0 .text C:\Windows\system32\csrss.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077a71d90 5 bytes JMP 000000014a0203d0 .text C:\Windows\system32\csrss.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077a71da0 1 byte JMP 000000014a020330 .text C:\Windows\system32\csrss.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077a71da2 3 bytes {JMP 0xffffffffd25ae590} .text C:\Windows\system32\csrss.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077a71e10 5 bytes JMP 000000014a020410 .text C:\Windows\system32\csrss.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077a71e40 5 bytes JMP 000000014a020240 .text C:\Windows\system32\csrss.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077a72100 5 bytes JMP 000000014a0201e0 .text C:\Windows\system32\csrss.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077a721c0 1 byte JMP 000000014a020250 .text C:\Windows\system32\csrss.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000077a721c2 3 bytes {JMP 0xffffffffd25ae090} .text C:\Windows\system32\csrss.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077a721f0 5 bytes JMP 000000014a020490 .text C:\Windows\system32\csrss.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077a72200 5 bytes JMP 000000014a0204a0 .text C:\Windows\system32\csrss.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077a72230 5 bytes JMP 000000014a020300 .text C:\Windows\system32\csrss.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077a72240 5 bytes JMP 000000014a020360 .text C:\Windows\system32\csrss.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077a722a0 5 bytes JMP 000000014a0202a0 .text C:\Windows\system32\csrss.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077a722f0 5 bytes JMP 000000014a0202c0 .text C:\Windows\system32\csrss.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077a72320 5 bytes JMP 000000014a020380 .text C:\Windows\system32\csrss.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077a72330 5 bytes JMP 000000014a020340 .text C:\Windows\system32\csrss.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077a72620 5 bytes JMP 000000014a020440 .text C:\Windows\system32\csrss.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077a72820 5 bytes JMP 000000014a020260 .text C:\Windows\system32\csrss.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077a72830 5 bytes JMP 000000014a020270 .text C:\Windows\system32\csrss.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077a72840 5 bytes JMP 000000014a020400 .text C:\Windows\system32\csrss.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077a72a00 5 bytes JMP 000000014a0201f0 .text C:\Windows\system32\csrss.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077a72a10 5 bytes JMP 000000014a020210 .text C:\Windows\system32\csrss.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077a72a80 5 bytes JMP 000000014a020200 .text C:\Windows\system32\csrss.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077a72ae0 5 bytes JMP 000000014a020420 .text C:\Windows\system32\csrss.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077a72af0 5 bytes JMP 000000014a020430 .text C:\Windows\system32\csrss.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077a72b00 5 bytes JMP 000000014a020220 .text C:\Windows\system32\csrss.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077a72be0 5 bytes JMP 000000014a020280 .text C:\Windows\system32\services.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077a713c0 5 bytes JMP 0000000077bd0460 .text C:\Windows\system32\services.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077a71410 5 bytes JMP 0000000077bd0450 .text C:\Windows\system32\services.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077a71570 5 bytes JMP 0000000077bd0370 .text C:\Windows\system32\services.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077a715c0 5 bytes JMP 0000000077bd0470 .text C:\Windows\system32\services.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077a715d0 5 bytes JMP 0000000077bd03e0 .text C:\Windows\system32\services.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077a71680 5 bytes JMP 0000000077bd0320 .text C:\Windows\system32\services.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077a716b0 5 bytes JMP 0000000077bd03b0 .text C:\Windows\system32\services.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077a716d0 5 bytes JMP 0000000077bd0390 .text C:\Windows\system32\services.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077a71710 5 bytes JMP 0000000077bd02e0 .text C:\Windows\system32\services.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077a71790 5 bytes JMP 0000000077bd02d0 .text C:\Windows\system32\services.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077a717b0 5 bytes JMP 0000000077bd0310 .text C:\Windows\system32\services.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077a717f0 5 bytes JMP 0000000077bd03c0 .text C:\Windows\system32\services.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077a71840 5 bytes JMP 0000000077bd03f0 .text C:\Windows\system32\services.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077a719a0 1 byte JMP 0000000077bd0230 .text C:\Windows\system32\services.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000077a719a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\services.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a71b60 5 bytes JMP 0000000077bd0480 .text C:\Windows\system32\services.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077a71b90 5 bytes JMP 0000000077bd03a0 .text C:\Windows\system32\services.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077a71c70 5 bytes JMP 0000000077bd02f0 .text C:\Windows\system32\services.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077a71c80 5 bytes JMP 0000000077bd0350 .text C:\Windows\system32\services.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077a71ce0 5 bytes JMP 0000000077bd0290 .text C:\Windows\system32\services.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077a71d70 5 bytes JMP 0000000077bd02b0 .text C:\Windows\system32\services.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077a71d90 5 bytes JMP 0000000077bd03d0 .text C:\Windows\system32\services.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077a71da0 1 byte JMP 0000000077bd0330 .text C:\Windows\system32\services.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077a71da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\services.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077a71e10 5 bytes JMP 0000000077bd0410 .text C:\Windows\system32\services.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077a71e40 5 bytes JMP 0000000077bd0240 .text C:\Windows\system32\services.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077a72100 5 bytes JMP 0000000077bd01e0 .text C:\Windows\system32\services.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077a721c0 1 byte JMP 0000000077bd0250 .text C:\Windows\system32\services.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000077a721c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\services.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077a721f0 5 bytes JMP 0000000077bd0490 .text C:\Windows\system32\services.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077a72200 5 bytes JMP 0000000077bd04a0 .text C:\Windows\system32\services.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077a72230 5 bytes JMP 0000000077bd0300 .text C:\Windows\system32\services.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077a72240 5 bytes JMP 0000000077bd0360 .text C:\Windows\system32\services.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077a722a0 5 bytes JMP 0000000077bd02a0 .text C:\Windows\system32\services.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077a722f0 5 bytes JMP 0000000077bd02c0 .text C:\Windows\system32\services.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077a72320 5 bytes JMP 0000000077bd0380 .text C:\Windows\system32\services.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077a72330 5 bytes JMP 0000000077bd0340 .text C:\Windows\system32\services.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077a72620 5 bytes JMP 0000000077bd0440 .text C:\Windows\system32\services.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077a72820 5 bytes JMP 0000000077bd0260 .text C:\Windows\system32\services.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077a72830 5 bytes JMP 0000000077bd0270 .text C:\Windows\system32\services.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077a72840 5 bytes JMP 0000000077bd0400 .text C:\Windows\system32\services.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077a72a00 5 bytes JMP 0000000077bd01f0 .text C:\Windows\system32\services.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077a72a10 5 bytes JMP 0000000077bd0210 .text C:\Windows\system32\services.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077a72a80 5 bytes JMP 0000000077bd0200 .text C:\Windows\system32\services.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077a72ae0 5 bytes JMP 0000000077bd0420 .text C:\Windows\system32\services.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077a72af0 5 bytes JMP 0000000077bd0430 .text C:\Windows\system32\services.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077a72b00 5 bytes JMP 0000000077bd0220 .text C:\Windows\system32\services.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077a72be0 5 bytes JMP 0000000077bd0280 .text C:\Windows\system32\services.exe[596] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007785eecd 1 byte [62] .text C:\Windows\system32\lsass.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077a713c0 5 bytes JMP 0000000077bd0460 .text C:\Windows\system32\lsass.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077a71410 5 bytes JMP 0000000077bd0450 .text C:\Windows\system32\lsass.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077a71570 5 bytes JMP 0000000077bd0370 .text C:\Windows\system32\lsass.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077a715c0 5 bytes JMP 0000000077bd0470 .text C:\Windows\system32\lsass.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077a715d0 5 bytes JMP 0000000077bd03e0 .text C:\Windows\system32\lsass.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077a71680 5 bytes JMP 0000000077bd0320 .text C:\Windows\system32\lsass.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077a716b0 5 bytes JMP 0000000077bd03b0 .text C:\Windows\system32\lsass.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077a716d0 5 bytes JMP 0000000077bd0390 .text C:\Windows\system32\lsass.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077a71710 5 bytes JMP 0000000077bd02e0 .text C:\Windows\system32\lsass.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077a71790 5 bytes JMP 0000000077bd02d0 .text C:\Windows\system32\lsass.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077a717b0 5 bytes JMP 0000000077bd0310 .text C:\Windows\system32\lsass.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077a717f0 5 bytes JMP 0000000077bd03c0 .text C:\Windows\system32\lsass.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077a71840 5 bytes JMP 0000000077bd03f0 .text C:\Windows\system32\lsass.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077a719a0 1 byte JMP 0000000077bd0230 .text C:\Windows\system32\lsass.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000077a719a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\lsass.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a71b60 5 bytes JMP 0000000077bd0480 .text C:\Windows\system32\lsass.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077a71b90 5 bytes JMP 0000000077bd03a0 .text C:\Windows\system32\lsass.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077a71c70 5 bytes JMP 0000000077bd02f0 .text C:\Windows\system32\lsass.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077a71c80 5 bytes JMP 0000000077bd0350 .text C:\Windows\system32\lsass.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077a71ce0 5 bytes JMP 0000000077bd0290 .text C:\Windows\system32\lsass.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077a71d70 5 bytes JMP 0000000077bd02b0 .text C:\Windows\system32\lsass.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077a71d90 5 bytes JMP 0000000077bd03d0 .text C:\Windows\system32\lsass.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077a71da0 1 byte JMP 0000000077bd0330 .text C:\Windows\system32\lsass.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077a71da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\lsass.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077a71e10 5 bytes JMP 0000000077bd0410 .text C:\Windows\system32\lsass.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077a71e40 5 bytes JMP 0000000077bd0240 .text C:\Windows\system32\lsass.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077a72100 5 bytes JMP 0000000077bd01e0 .text C:\Windows\system32\lsass.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077a721c0 1 byte JMP 0000000077bd0250 .text C:\Windows\system32\lsass.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000077a721c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\lsass.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077a721f0 5 bytes JMP 0000000077bd0490 .text C:\Windows\system32\lsass.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077a72200 5 bytes JMP 0000000077bd04a0 .text C:\Windows\system32\lsass.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077a72230 5 bytes JMP 0000000077bd0300 .text C:\Windows\system32\lsass.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077a72240 5 bytes JMP 0000000077bd0360 .text C:\Windows\system32\lsass.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077a722a0 5 bytes JMP 0000000077bd02a0 .text C:\Windows\system32\lsass.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077a722f0 5 bytes JMP 0000000077bd02c0 .text C:\Windows\system32\lsass.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077a72320 5 bytes JMP 0000000077bd0380 .text C:\Windows\system32\lsass.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077a72330 5 bytes JMP 0000000077bd0340 .text C:\Windows\system32\lsass.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077a72620 5 bytes JMP 0000000077bd0440 .text C:\Windows\system32\lsass.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077a72820 5 bytes JMP 0000000077bd0260 .text C:\Windows\system32\lsass.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077a72830 5 bytes JMP 0000000077bd0270 .text C:\Windows\system32\lsass.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077a72840 5 bytes JMP 0000000077bd0400 .text C:\Windows\system32\lsass.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077a72a00 5 bytes JMP 0000000077bd01f0 .text C:\Windows\system32\lsass.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077a72a10 5 bytes JMP 0000000077bd0210 .text C:\Windows\system32\lsass.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077a72a80 5 bytes JMP 0000000077bd0200 .text C:\Windows\system32\lsass.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077a72ae0 5 bytes JMP 0000000077bd0420 .text C:\Windows\system32\lsass.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077a72af0 5 bytes JMP 0000000077bd0430 .text C:\Windows\system32\lsass.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077a72b00 5 bytes JMP 0000000077bd0220 .text C:\Windows\system32\lsass.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077a72be0 5 bytes JMP 0000000077bd0280 .text C:\Windows\system32\lsm.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077a713c0 5 bytes JMP 0000000077bd0460 .text C:\Windows\system32\lsm.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077a71410 5 bytes JMP 0000000077bd0450 .text C:\Windows\system32\lsm.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077a71570 5 bytes JMP 0000000077bd0370 .text C:\Windows\system32\lsm.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077a715c0 5 bytes JMP 0000000077bd0470 .text C:\Windows\system32\lsm.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077a715d0 5 bytes JMP 0000000077bd03e0 .text C:\Windows\system32\lsm.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077a71680 5 bytes JMP 0000000077bd0320 .text C:\Windows\system32\lsm.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077a716b0 5 bytes JMP 0000000077bd03b0 .text C:\Windows\system32\lsm.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077a716d0 5 bytes JMP 0000000077bd0390 .text C:\Windows\system32\lsm.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077a71710 5 bytes JMP 0000000077bd02e0 .text C:\Windows\system32\lsm.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077a71790 5 bytes JMP 0000000077bd02d0 .text C:\Windows\system32\lsm.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077a717b0 5 bytes JMP 0000000077bd0310 .text C:\Windows\system32\lsm.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077a717f0 5 bytes JMP 0000000077bd03c0 .text C:\Windows\system32\lsm.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077a71840 5 bytes JMP 0000000077bd03f0 .text C:\Windows\system32\lsm.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077a719a0 1 byte JMP 0000000077bd0230 .text C:\Windows\system32\lsm.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000077a719a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\lsm.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a71b60 5 bytes JMP 0000000077bd0480 .text C:\Windows\system32\lsm.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077a71b90 5 bytes JMP 0000000077bd03a0 .text C:\Windows\system32\lsm.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077a71c70 5 bytes JMP 0000000077bd02f0 .text C:\Windows\system32\lsm.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077a71c80 5 bytes JMP 0000000077bd0350 .text C:\Windows\system32\lsm.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077a71ce0 5 bytes JMP 0000000077bd0290 .text C:\Windows\system32\lsm.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077a71d70 5 bytes JMP 0000000077bd02b0 .text C:\Windows\system32\lsm.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077a71d90 5 bytes JMP 0000000077bd03d0 .text C:\Windows\system32\lsm.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077a71da0 1 byte JMP 0000000077bd0330 .text C:\Windows\system32\lsm.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077a71da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\lsm.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077a71e10 5 bytes JMP 0000000077bd0410 .text C:\Windows\system32\lsm.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077a71e40 5 bytes JMP 0000000077bd0240 .text C:\Windows\system32\lsm.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077a72100 5 bytes JMP 0000000077bd01e0 .text C:\Windows\system32\lsm.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077a721c0 1 byte JMP 0000000077bd0250 .text C:\Windows\system32\lsm.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000077a721c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\lsm.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077a721f0 5 bytes JMP 0000000077bd0490 .text C:\Windows\system32\lsm.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077a72200 5 bytes JMP 0000000077bd04a0 .text C:\Windows\system32\lsm.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077a72230 5 bytes JMP 0000000077bd0300 .text C:\Windows\system32\lsm.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077a72240 5 bytes JMP 0000000077bd0360 .text C:\Windows\system32\lsm.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077a722a0 5 bytes JMP 0000000077bd02a0 .text C:\Windows\system32\lsm.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077a722f0 5 bytes JMP 0000000077bd02c0 .text C:\Windows\system32\lsm.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077a72320 5 bytes JMP 0000000077bd0380 .text C:\Windows\system32\lsm.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077a72330 5 bytes JMP 0000000077bd0340 .text C:\Windows\system32\lsm.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077a72620 5 bytes JMP 0000000077bd0440 .text C:\Windows\system32\lsm.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077a72820 5 bytes JMP 0000000077bd0260 .text C:\Windows\system32\lsm.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077a72830 5 bytes JMP 0000000077bd0270 .text C:\Windows\system32\lsm.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077a72840 5 bytes JMP 0000000077bd0400 .text C:\Windows\system32\lsm.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077a72a00 5 bytes JMP 0000000077bd01f0 .text C:\Windows\system32\lsm.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077a72a10 5 bytes JMP 0000000077bd0210 .text C:\Windows\system32\lsm.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077a72a80 5 bytes JMP 0000000077bd0200 .text C:\Windows\system32\lsm.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077a72ae0 5 bytes JMP 0000000077bd0420 .text C:\Windows\system32\lsm.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077a72af0 5 bytes JMP 0000000077bd0430 .text C:\Windows\system32\lsm.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077a72b00 5 bytes JMP 0000000077bd0220 .text C:\Windows\system32\lsm.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077a72be0 5 bytes JMP 0000000077bd0280 .text C:\Windows\system32\winlogon.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077a713c0 5 bytes JMP 0000000077bd0460 .text C:\Windows\system32\winlogon.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077a71410 5 bytes JMP 0000000077bd0450 .text C:\Windows\system32\winlogon.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077a71570 5 bytes JMP 0000000077bd0370 .text C:\Windows\system32\winlogon.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077a715c0 5 bytes JMP 0000000077bd0470 .text C:\Windows\system32\winlogon.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077a715d0 5 bytes JMP 0000000077bd03e0 .text C:\Windows\system32\winlogon.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077a71680 5 bytes JMP 0000000077bd0320 .text C:\Windows\system32\winlogon.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077a716b0 5 bytes JMP 0000000077bd03b0 .text C:\Windows\system32\winlogon.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077a716d0 5 bytes JMP 0000000077bd0390 .text C:\Windows\system32\winlogon.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077a71710 5 bytes JMP 0000000077bd02e0 .text C:\Windows\system32\winlogon.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077a71790 5 bytes JMP 0000000077bd02d0 .text C:\Windows\system32\winlogon.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077a717b0 5 bytes JMP 0000000077bd0310 .text C:\Windows\system32\winlogon.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077a717f0 5 bytes JMP 0000000077bd03c0 .text C:\Windows\system32\winlogon.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077a71840 5 bytes JMP 0000000077bd03f0 .text C:\Windows\system32\winlogon.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077a719a0 1 byte JMP 0000000077bd0230 .text C:\Windows\system32\winlogon.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000077a719a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\winlogon.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a71b60 5 bytes JMP 0000000077bd0480 .text C:\Windows\system32\winlogon.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077a71b90 5 bytes JMP 0000000077bd03a0 .text C:\Windows\system32\winlogon.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077a71c70 5 bytes JMP 0000000077bd02f0 .text C:\Windows\system32\winlogon.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077a71c80 5 bytes JMP 0000000077bd0350 .text C:\Windows\system32\winlogon.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077a71ce0 5 bytes JMP 0000000077bd0290 .text C:\Windows\system32\winlogon.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077a71d70 5 bytes JMP 0000000077bd02b0 .text C:\Windows\system32\winlogon.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077a71d90 5 bytes JMP 0000000077bd03d0 .text C:\Windows\system32\winlogon.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077a71da0 1 byte JMP 0000000077bd0330 .text C:\Windows\system32\winlogon.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077a71da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\winlogon.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077a71e10 5 bytes JMP 0000000077bd0410 .text C:\Windows\system32\winlogon.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077a71e40 5 bytes JMP 0000000077bd0240 .text C:\Windows\system32\winlogon.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077a72100 5 bytes JMP 0000000077bd01e0 .text C:\Windows\system32\winlogon.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077a721c0 1 byte JMP 0000000077bd0250 .text C:\Windows\system32\winlogon.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000077a721c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\winlogon.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077a721f0 5 bytes JMP 0000000077bd0490 .text C:\Windows\system32\winlogon.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077a72200 5 bytes JMP 0000000077bd04a0 .text C:\Windows\system32\winlogon.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077a72230 5 bytes JMP 0000000077bd0300 .text C:\Windows\system32\winlogon.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077a72240 5 bytes JMP 0000000077bd0360 .text C:\Windows\system32\winlogon.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077a722a0 5 bytes JMP 0000000077bd02a0 .text C:\Windows\system32\winlogon.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077a722f0 5 bytes JMP 0000000077bd02c0 .text C:\Windows\system32\winlogon.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077a72320 5 bytes JMP 0000000077bd0380 .text C:\Windows\system32\winlogon.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077a72330 5 bytes JMP 0000000077bd0340 .text C:\Windows\system32\winlogon.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077a72620 5 bytes JMP 0000000077bd0440 .text C:\Windows\system32\winlogon.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077a72820 5 bytes JMP 0000000077bd0260 .text C:\Windows\system32\winlogon.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077a72830 5 bytes JMP 0000000077bd0270 .text C:\Windows\system32\winlogon.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077a72840 5 bytes JMP 0000000077bd0400 .text C:\Windows\system32\winlogon.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077a72a00 5 bytes JMP 0000000077bd01f0 .text C:\Windows\system32\winlogon.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077a72a10 5 bytes JMP 0000000077bd0210 .text C:\Windows\system32\winlogon.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077a72a80 5 bytes JMP 0000000077bd0200 .text C:\Windows\system32\winlogon.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077a72ae0 5 bytes JMP 0000000077bd0420 .text C:\Windows\system32\winlogon.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077a72af0 5 bytes JMP 0000000077bd0430 .text C:\Windows\system32\winlogon.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077a72b00 5 bytes JMP 0000000077bd0220 .text C:\Windows\system32\winlogon.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077a72be0 5 bytes JMP 0000000077bd0280 .text C:\Windows\system32\winlogon.exe[664] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007785eecd 1 byte [62] .text C:\Windows\system32\svchost.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077a713c0 5 bytes JMP 0000000077bd0460 .text C:\Windows\system32\svchost.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077a71410 5 bytes JMP 0000000077bd0450 .text C:\Windows\system32\svchost.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077a71570 5 bytes JMP 0000000077bd0370 .text C:\Windows\system32\svchost.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077a715c0 5 bytes JMP 0000000077bd0470 .text C:\Windows\system32\svchost.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077a715d0 5 bytes JMP 0000000077bd03e0 .text C:\Windows\system32\svchost.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077a71680 5 bytes JMP 0000000077bd0320 .text C:\Windows\system32\svchost.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077a716b0 5 bytes JMP 0000000077bd03b0 .text C:\Windows\system32\svchost.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077a716d0 5 bytes JMP 0000000077bd0390 .text C:\Windows\system32\svchost.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077a71710 5 bytes JMP 0000000077bd02e0 .text C:\Windows\system32\svchost.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077a71790 5 bytes JMP 0000000077bd02d0 .text C:\Windows\system32\svchost.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077a717b0 5 bytes JMP 0000000077bd0310 .text C:\Windows\system32\svchost.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077a717f0 5 bytes JMP 0000000077bd03c0 .text C:\Windows\system32\svchost.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077a71840 5 bytes JMP 0000000077bd03f0 .text C:\Windows\system32\svchost.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077a719a0 1 byte JMP 0000000077bd0230 .text C:\Windows\system32\svchost.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000077a719a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\svchost.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a71b60 5 bytes JMP 0000000077bd0480 .text C:\Windows\system32\svchost.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077a71b90 5 bytes JMP 0000000077bd03a0 .text C:\Windows\system32\svchost.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077a71c70 5 bytes JMP 0000000077bd02f0 .text C:\Windows\system32\svchost.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077a71c80 5 bytes JMP 0000000077bd0350 .text C:\Windows\system32\svchost.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077a71ce0 5 bytes JMP 0000000077bd0290 .text C:\Windows\system32\svchost.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077a71d70 5 bytes JMP 0000000077bd02b0 .text C:\Windows\system32\svchost.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077a71d90 5 bytes JMP 0000000077bd03d0 .text C:\Windows\system32\svchost.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077a71da0 1 byte JMP 0000000077bd0330 .text C:\Windows\system32\svchost.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077a71da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\svchost.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077a71e10 5 bytes JMP 0000000077bd0410 .text C:\Windows\system32\svchost.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077a71e40 5 bytes JMP 0000000077bd0240 .text C:\Windows\system32\svchost.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077a72100 5 bytes JMP 0000000077bd01e0 .text C:\Windows\system32\svchost.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077a721c0 1 byte JMP 0000000077bd0250 .text C:\Windows\system32\svchost.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000077a721c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\svchost.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077a721f0 5 bytes JMP 0000000077bd0490 .text C:\Windows\system32\svchost.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077a72200 5 bytes JMP 0000000077bd04a0 .text C:\Windows\system32\svchost.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077a72230 5 bytes JMP 0000000077bd0300 .text C:\Windows\system32\svchost.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077a72240 5 bytes JMP 0000000077bd0360 .text C:\Windows\system32\svchost.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077a722a0 5 bytes JMP 0000000077bd02a0 .text C:\Windows\system32\svchost.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077a722f0 5 bytes JMP 0000000077bd02c0 .text C:\Windows\system32\svchost.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077a72320 5 bytes JMP 0000000077bd0380 .text C:\Windows\system32\svchost.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077a72330 5 bytes JMP 0000000077bd0340 .text C:\Windows\system32\svchost.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077a72620 5 bytes JMP 0000000077bd0440 .text C:\Windows\system32\svchost.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077a72820 5 bytes JMP 0000000077bd0260 .text C:\Windows\system32\svchost.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077a72830 5 bytes JMP 0000000077bd0270 .text C:\Windows\system32\svchost.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077a72840 5 bytes JMP 0000000077bd0400 .text C:\Windows\system32\svchost.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077a72a00 5 bytes JMP 0000000077bd01f0 .text C:\Windows\system32\svchost.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077a72a10 5 bytes JMP 0000000077bd0210 .text C:\Windows\system32\svchost.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077a72a80 5 bytes JMP 0000000077bd0200 .text C:\Windows\system32\svchost.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077a72ae0 5 bytes JMP 0000000077bd0420 .text C:\Windows\system32\svchost.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077a72af0 5 bytes JMP 0000000077bd0430 .text C:\Windows\system32\svchost.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077a72b00 5 bytes JMP 0000000077bd0220 .text C:\Windows\system32\svchost.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077a72be0 5 bytes JMP 0000000077bd0280 .text C:\Windows\system32\svchost.exe[780] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007785eecd 1 byte [62] .text C:\Windows\system32\nvvsvc.exe[860] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077a713c0 5 bytes JMP 0000000077bd0460 .text C:\Windows\system32\nvvsvc.exe[860] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077a71410 5 bytes JMP 0000000077bd0450 .text C:\Windows\system32\nvvsvc.exe[860] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077a71570 5 bytes JMP 0000000077bd0370 .text C:\Windows\system32\nvvsvc.exe[860] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077a715c0 5 bytes JMP 0000000077bd0470 .text C:\Windows\system32\nvvsvc.exe[860] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077a715d0 5 bytes JMP 0000000077bd03e0 .text C:\Windows\system32\nvvsvc.exe[860] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077a71680 5 bytes JMP 0000000077bd0320 .text C:\Windows\system32\nvvsvc.exe[860] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077a716b0 5 bytes JMP 0000000077bd03b0 .text C:\Windows\system32\nvvsvc.exe[860] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077a716d0 5 bytes JMP 0000000077bd0390 .text C:\Windows\system32\nvvsvc.exe[860] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077a71710 5 bytes JMP 0000000077bd02e0 .text C:\Windows\system32\nvvsvc.exe[860] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077a71790 5 bytes JMP 0000000077bd02d0 .text C:\Windows\system32\nvvsvc.exe[860] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077a717b0 5 bytes JMP 0000000077bd0310 .text C:\Windows\system32\nvvsvc.exe[860] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077a717f0 5 bytes JMP 0000000077bd03c0 .text C:\Windows\system32\nvvsvc.exe[860] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077a71840 5 bytes JMP 0000000077bd03f0 .text C:\Windows\system32\nvvsvc.exe[860] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077a719a0 1 byte JMP 0000000077bd0230 .text C:\Windows\system32\nvvsvc.exe[860] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000077a719a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\nvvsvc.exe[860] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a71b60 5 bytes JMP 0000000077bd0480 .text C:\Windows\system32\nvvsvc.exe[860] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077a71b90 5 bytes JMP 0000000077bd03a0 .text C:\Windows\system32\nvvsvc.exe[860] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077a71c70 5 bytes JMP 0000000077bd02f0 .text C:\Windows\system32\nvvsvc.exe[860] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077a71c80 5 bytes JMP 0000000077bd0350 .text C:\Windows\system32\nvvsvc.exe[860] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077a71ce0 5 bytes JMP 0000000077bd0290 .text C:\Windows\system32\nvvsvc.exe[860] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077a71d70 5 bytes JMP 0000000077bd02b0 .text C:\Windows\system32\nvvsvc.exe[860] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077a71d90 5 bytes JMP 0000000077bd03d0 .text C:\Windows\system32\nvvsvc.exe[860] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077a71da0 1 byte JMP 0000000077bd0330 .text C:\Windows\system32\nvvsvc.exe[860] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077a71da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\nvvsvc.exe[860] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077a71e10 5 bytes JMP 0000000077bd0410 .text C:\Windows\system32\nvvsvc.exe[860] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077a71e40 5 bytes JMP 0000000077bd0240 .text C:\Windows\system32\nvvsvc.exe[860] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077a72100 5 bytes JMP 0000000077bd01e0 .text C:\Windows\system32\nvvsvc.exe[860] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077a721c0 1 byte JMP 0000000077bd0250 .text C:\Windows\system32\nvvsvc.exe[860] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000077a721c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\nvvsvc.exe[860] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077a721f0 5 bytes JMP 0000000077bd0490 .text C:\Windows\system32\nvvsvc.exe[860] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077a72200 5 bytes JMP 0000000077bd04a0 .text C:\Windows\system32\nvvsvc.exe[860] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077a72230 5 bytes JMP 0000000077bd0300 .text C:\Windows\system32\nvvsvc.exe[860] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077a72240 5 bytes JMP 0000000077bd0360 .text C:\Windows\system32\nvvsvc.exe[860] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077a722a0 5 bytes JMP 0000000077bd02a0 .text C:\Windows\system32\nvvsvc.exe[860] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077a722f0 5 bytes JMP 0000000077bd02c0 .text C:\Windows\system32\nvvsvc.exe[860] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077a72320 5 bytes JMP 0000000077bd0380 .text C:\Windows\system32\nvvsvc.exe[860] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077a72330 5 bytes JMP 0000000077bd0340 .text C:\Windows\system32\nvvsvc.exe[860] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077a72620 5 bytes JMP 0000000077bd0440 .text C:\Windows\system32\nvvsvc.exe[860] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077a72820 5 bytes JMP 0000000077bd0260 .text C:\Windows\system32\nvvsvc.exe[860] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077a72830 5 bytes JMP 0000000077bd0270 .text C:\Windows\system32\nvvsvc.exe[860] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077a72840 5 bytes JMP 0000000077bd0400 .text C:\Windows\system32\nvvsvc.exe[860] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077a72a00 5 bytes JMP 0000000077bd01f0 .text C:\Windows\system32\nvvsvc.exe[860] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077a72a10 5 bytes JMP 0000000077bd0210 .text C:\Windows\system32\nvvsvc.exe[860] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077a72a80 5 bytes JMP 0000000077bd0200 .text C:\Windows\system32\nvvsvc.exe[860] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077a72ae0 5 bytes JMP 0000000077bd0420 .text C:\Windows\system32\nvvsvc.exe[860] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077a72af0 5 bytes JMP 0000000077bd0430 .text C:\Windows\system32\nvvsvc.exe[860] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077a72b00 5 bytes JMP 0000000077bd0220 .text C:\Windows\system32\nvvsvc.exe[860] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077a72be0 5 bytes JMP 0000000077bd0280 .text C:\Windows\system32\nvvsvc.exe[860] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007785eecd 1 byte [62] .text C:\Windows\system32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077a713c0 5 bytes JMP 0000000077bd0460 .text C:\Windows\system32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077a71410 5 bytes JMP 0000000077bd0450 .text C:\Windows\system32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077a71570 5 bytes JMP 0000000077bd0370 .text C:\Windows\system32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077a715c0 5 bytes JMP 0000000077bd0470 .text C:\Windows\system32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077a715d0 5 bytes JMP 0000000077bd03e0 .text C:\Windows\system32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077a71680 5 bytes JMP 0000000077bd0320 .text C:\Windows\system32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077a716b0 5 bytes JMP 0000000077bd03b0 .text C:\Windows\system32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077a716d0 5 bytes JMP 0000000077bd0390 .text C:\Windows\system32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077a71710 5 bytes JMP 0000000077bd02e0 .text C:\Windows\system32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077a71790 5 bytes JMP 0000000077bd02d0 .text C:\Windows\system32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077a717b0 5 bytes JMP 0000000077bd0310 .text C:\Windows\system32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077a717f0 5 bytes JMP 0000000077bd03c0 .text C:\Windows\system32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077a71840 5 bytes JMP 0000000077bd03f0 .text C:\Windows\system32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077a719a0 1 byte JMP 0000000077bd0230 .text C:\Windows\system32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000077a719a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a71b60 5 bytes JMP 0000000077bd0480 .text C:\Windows\system32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077a71b90 5 bytes JMP 0000000077bd03a0 .text C:\Windows\system32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077a71c70 5 bytes JMP 0000000077bd02f0 .text C:\Windows\system32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077a71c80 5 bytes JMP 0000000077bd0350 .text C:\Windows\system32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077a71ce0 5 bytes JMP 0000000077bd0290 .text C:\Windows\system32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077a71d70 5 bytes JMP 0000000077bd02b0 .text C:\Windows\system32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077a71d90 5 bytes JMP 0000000077bd03d0 .text C:\Windows\system32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077a71da0 1 byte JMP 0000000077bd0330 .text C:\Windows\system32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077a71da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077a71e10 5 bytes JMP 0000000077bd0410 .text C:\Windows\system32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077a71e40 5 bytes JMP 0000000077bd0240 .text C:\Windows\system32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077a72100 5 bytes JMP 0000000077bd01e0 .text C:\Windows\system32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077a721c0 1 byte JMP 0000000077bd0250 .text C:\Windows\system32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000077a721c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077a721f0 5 bytes JMP 0000000077bd0490 .text C:\Windows\system32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077a72200 5 bytes JMP 0000000077bd04a0 .text C:\Windows\system32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077a72230 5 bytes JMP 0000000077bd0300 .text C:\Windows\system32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077a72240 5 bytes JMP 0000000077bd0360 .text C:\Windows\system32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077a722a0 5 bytes JMP 0000000077bd02a0 .text C:\Windows\system32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077a722f0 5 bytes JMP 0000000077bd02c0 .text C:\Windows\system32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077a72320 5 bytes JMP 0000000077bd0380 .text C:\Windows\system32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077a72330 5 bytes JMP 0000000077bd0340 .text C:\Windows\system32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077a72620 5 bytes JMP 0000000077bd0440 .text C:\Windows\system32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077a72820 5 bytes JMP 0000000077bd0260 .text C:\Windows\system32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077a72830 5 bytes JMP 0000000077bd0270 .text C:\Windows\system32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077a72840 5 bytes JMP 0000000077bd0400 .text C:\Windows\system32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077a72a00 5 bytes JMP 0000000077bd01f0 .text C:\Windows\system32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077a72a10 5 bytes JMP 0000000077bd0210 .text C:\Windows\system32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077a72a80 5 bytes JMP 0000000077bd0200 .text C:\Windows\system32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077a72ae0 5 bytes JMP 0000000077bd0420 .text C:\Windows\system32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077a72af0 5 bytes JMP 0000000077bd0430 .text C:\Windows\system32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077a72b00 5 bytes JMP 0000000077bd0220 .text C:\Windows\system32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077a72be0 5 bytes JMP 0000000077bd0280 .text C:\Windows\system32\svchost.exe[900] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007785eecd 1 byte [62] .text C:\Windows\system32\atiesrxx.exe[948] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007785eecd 1 byte [62] .text C:\Windows\System32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077a713c0 5 bytes JMP 0000000077bd0460 .text C:\Windows\System32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077a71410 5 bytes JMP 0000000077bd0450 .text C:\Windows\System32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077a71570 5 bytes JMP 0000000077bd0370 .text C:\Windows\System32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077a715c0 5 bytes JMP 0000000077bd0470 .text C:\Windows\System32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077a715d0 5 bytes JMP 0000000077bd03e0 .text C:\Windows\System32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077a71680 5 bytes JMP 0000000077bd0320 .text C:\Windows\System32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077a716b0 5 bytes JMP 0000000077bd03b0 .text C:\Windows\System32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077a716d0 5 bytes JMP 0000000077bd0390 .text C:\Windows\System32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077a71710 5 bytes JMP 0000000077bd02e0 .text C:\Windows\System32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077a71790 5 bytes JMP 0000000077bd02d0 .text C:\Windows\System32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077a717b0 5 bytes JMP 0000000077bd0310 .text C:\Windows\System32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077a717f0 5 bytes JMP 0000000077bd03c0 .text C:\Windows\System32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077a71840 5 bytes JMP 0000000077bd03f0 .text C:\Windows\System32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077a719a0 1 byte JMP 0000000077bd0230 .text C:\Windows\System32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000077a719a2 3 bytes {JMP 0x15e890} .text C:\Windows\System32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a71b60 5 bytes JMP 0000000077bd0480 .text C:\Windows\System32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077a71b90 5 bytes JMP 0000000077bd03a0 .text C:\Windows\System32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077a71c70 5 bytes JMP 0000000077bd02f0 .text C:\Windows\System32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077a71c80 5 bytes JMP 0000000077bd0350 .text C:\Windows\System32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077a71ce0 5 bytes JMP 0000000077bd0290 .text C:\Windows\System32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077a71d70 5 bytes JMP 0000000077bd02b0 .text C:\Windows\System32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077a71d90 5 bytes JMP 0000000077bd03d0 .text C:\Windows\System32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077a71da0 1 byte JMP 0000000077bd0330 .text C:\Windows\System32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077a71da2 3 bytes {JMP 0x15e590} .text C:\Windows\System32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077a71e10 5 bytes JMP 0000000077bd0410 .text C:\Windows\System32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077a71e40 5 bytes JMP 0000000077bd0240 .text C:\Windows\System32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077a72100 5 bytes JMP 0000000077bd01e0 .text C:\Windows\System32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077a721c0 1 byte JMP 0000000077bd0250 .text C:\Windows\System32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000077a721c2 3 bytes {JMP 0x15e090} .text C:\Windows\System32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077a721f0 5 bytes JMP 0000000077bd0490 .text C:\Windows\System32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077a72200 5 bytes JMP 0000000077bd04a0 .text C:\Windows\System32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077a72230 5 bytes JMP 0000000077bd0300 .text C:\Windows\System32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077a72240 5 bytes JMP 0000000077bd0360 .text C:\Windows\System32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077a722a0 5 bytes JMP 0000000077bd02a0 .text C:\Windows\System32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077a722f0 5 bytes JMP 0000000077bd02c0 .text C:\Windows\System32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077a72320 5 bytes JMP 0000000077bd0380 .text C:\Windows\System32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077a72330 5 bytes JMP 0000000077bd0340 .text C:\Windows\System32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077a72620 5 bytes JMP 0000000077bd0440 .text C:\Windows\System32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077a72820 5 bytes JMP 0000000077bd0260 .text C:\Windows\System32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077a72830 5 bytes JMP 0000000077bd0270 .text C:\Windows\System32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077a72840 5 bytes JMP 0000000077bd0400 .text C:\Windows\System32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077a72a00 5 bytes JMP 0000000077bd01f0 .text C:\Windows\System32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077a72a10 5 bytes JMP 0000000077bd0210 .text C:\Windows\System32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077a72a80 5 bytes JMP 0000000077bd0200 .text C:\Windows\System32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077a72ae0 5 bytes JMP 0000000077bd0420 .text C:\Windows\System32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077a72af0 5 bytes JMP 0000000077bd0430 .text C:\Windows\System32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077a72b00 5 bytes JMP 0000000077bd0220 .text C:\Windows\System32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077a72be0 5 bytes JMP 0000000077bd0280 .text C:\Windows\System32\svchost.exe[1000] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007785eecd 1 byte [62] .text C:\Windows\System32\svchost.exe[252] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077a713c0 5 bytes JMP 0000000077bd0460 .text C:\Windows\System32\svchost.exe[252] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077a71410 5 bytes JMP 0000000077bd0450 .text C:\Windows\System32\svchost.exe[252] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077a71570 5 bytes JMP 0000000077bd0370 .text C:\Windows\System32\svchost.exe[252] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077a715c0 5 bytes JMP 0000000077bd0470 .text C:\Windows\System32\svchost.exe[252] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077a715d0 5 bytes JMP 0000000077bd03e0 .text C:\Windows\System32\svchost.exe[252] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077a71680 5 bytes JMP 0000000077bd0320 .text C:\Windows\System32\svchost.exe[252] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077a716b0 5 bytes JMP 0000000077bd03b0 .text C:\Windows\System32\svchost.exe[252] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077a716d0 5 bytes JMP 0000000077bd0390 .text C:\Windows\System32\svchost.exe[252] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077a71710 5 bytes JMP 0000000077bd02e0 .text C:\Windows\System32\svchost.exe[252] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077a71790 5 bytes JMP 0000000077bd02d0 .text C:\Windows\System32\svchost.exe[252] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077a717b0 5 bytes JMP 0000000077bd0310 .text C:\Windows\System32\svchost.exe[252] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077a717f0 5 bytes JMP 0000000077bd03c0 .text C:\Windows\System32\svchost.exe[252] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077a71840 5 bytes JMP 0000000077bd03f0 .text C:\Windows\System32\svchost.exe[252] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077a719a0 1 byte JMP 0000000077bd0230 .text C:\Windows\System32\svchost.exe[252] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000077a719a2 3 bytes {JMP 0x15e890} .text C:\Windows\System32\svchost.exe[252] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a71b60 5 bytes JMP 0000000077bd0480 .text C:\Windows\System32\svchost.exe[252] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077a71b90 5 bytes JMP 0000000077bd03a0 .text C:\Windows\System32\svchost.exe[252] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077a71c70 5 bytes JMP 0000000077bd02f0 .text C:\Windows\System32\svchost.exe[252] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077a71c80 5 bytes JMP 0000000077bd0350 .text C:\Windows\System32\svchost.exe[252] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077a71ce0 5 bytes JMP 0000000077bd0290 .text C:\Windows\System32\svchost.exe[252] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077a71d70 5 bytes JMP 0000000077bd02b0 .text C:\Windows\System32\svchost.exe[252] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077a71d90 5 bytes JMP 0000000077bd03d0 .text C:\Windows\System32\svchost.exe[252] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077a71da0 1 byte JMP 0000000077bd0330 .text C:\Windows\System32\svchost.exe[252] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077a71da2 3 bytes {JMP 0x15e590} .text C:\Windows\System32\svchost.exe[252] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077a71e10 5 bytes JMP 0000000077bd0410 .text C:\Windows\System32\svchost.exe[252] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077a71e40 5 bytes JMP 0000000077bd0240 .text C:\Windows\System32\svchost.exe[252] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077a72100 5 bytes JMP 0000000077bd01e0 .text C:\Windows\System32\svchost.exe[252] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077a721c0 1 byte JMP 0000000077bd0250 .text C:\Windows\System32\svchost.exe[252] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000077a721c2 3 bytes {JMP 0x15e090} .text C:\Windows\System32\svchost.exe[252] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077a721f0 5 bytes JMP 0000000077bd0490 .text C:\Windows\System32\svchost.exe[252] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077a72200 5 bytes JMP 0000000077bd04a0 .text C:\Windows\System32\svchost.exe[252] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077a72230 5 bytes JMP 0000000077bd0300 .text C:\Windows\System32\svchost.exe[252] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077a72240 5 bytes JMP 0000000077bd0360 .text C:\Windows\System32\svchost.exe[252] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077a722a0 5 bytes JMP 0000000077bd02a0 .text C:\Windows\System32\svchost.exe[252] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077a722f0 5 bytes JMP 0000000077bd02c0 .text C:\Windows\System32\svchost.exe[252] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077a72320 5 bytes JMP 0000000077bd0380 .text C:\Windows\System32\svchost.exe[252] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077a72330 5 bytes JMP 0000000077bd0340 .text C:\Windows\System32\svchost.exe[252] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077a72620 5 bytes JMP 0000000077bd0440 .text C:\Windows\System32\svchost.exe[252] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077a72820 5 bytes JMP 0000000077bd0260 .text C:\Windows\System32\svchost.exe[252] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077a72830 5 bytes JMP 0000000077bd0270 .text C:\Windows\System32\svchost.exe[252] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077a72840 5 bytes JMP 0000000077bd0400 .text C:\Windows\System32\svchost.exe[252] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077a72a00 5 bytes JMP 0000000077bd01f0 .text C:\Windows\System32\svchost.exe[252] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077a72a10 5 bytes JMP 0000000077bd0210 .text C:\Windows\System32\svchost.exe[252] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077a72a80 5 bytes JMP 0000000077bd0200 .text C:\Windows\System32\svchost.exe[252] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077a72ae0 5 bytes JMP 0000000077bd0420 .text C:\Windows\System32\svchost.exe[252] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077a72af0 5 bytes JMP 0000000077bd0430 .text C:\Windows\System32\svchost.exe[252] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077a72b00 5 bytes JMP 0000000077bd0220 .text C:\Windows\System32\svchost.exe[252] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077a72be0 5 bytes JMP 0000000077bd0280 .text C:\Windows\System32\svchost.exe[252] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007785eecd 1 byte [62] .text C:\Windows\system32\svchost.exe[364] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077a713c0 5 bytes JMP 0000000077bd0460 .text C:\Windows\system32\svchost.exe[364] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077a71410 5 bytes JMP 0000000077bd0450 .text C:\Windows\system32\svchost.exe[364] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077a71570 5 bytes JMP 0000000077bd0370 .text C:\Windows\system32\svchost.exe[364] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077a715c0 5 bytes JMP 0000000077bd0470 .text C:\Windows\system32\svchost.exe[364] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077a715d0 5 bytes JMP 0000000077bd03e0 .text C:\Windows\system32\svchost.exe[364] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077a71680 5 bytes JMP 0000000077bd0320 .text C:\Windows\system32\svchost.exe[364] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077a716b0 5 bytes JMP 0000000077bd03b0 .text C:\Windows\system32\svchost.exe[364] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077a716d0 5 bytes JMP 0000000077bd0390 .text C:\Windows\system32\svchost.exe[364] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077a71710 5 bytes JMP 0000000077bd02e0 .text C:\Windows\system32\svchost.exe[364] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077a71790 5 bytes JMP 0000000077bd02d0 .text C:\Windows\system32\svchost.exe[364] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077a717b0 5 bytes JMP 0000000077bd0310 .text C:\Windows\system32\svchost.exe[364] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077a717f0 5 bytes JMP 0000000077bd03c0 .text C:\Windows\system32\svchost.exe[364] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077a71840 5 bytes JMP 0000000077bd03f0 .text C:\Windows\system32\svchost.exe[364] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077a719a0 1 byte JMP 0000000077bd0230 .text C:\Windows\system32\svchost.exe[364] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000077a719a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\svchost.exe[364] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a71b60 5 bytes JMP 0000000077bd0480 .text C:\Windows\system32\svchost.exe[364] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077a71b90 5 bytes JMP 0000000077bd03a0 .text C:\Windows\system32\svchost.exe[364] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077a71c70 5 bytes JMP 0000000077bd02f0 .text C:\Windows\system32\svchost.exe[364] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077a71c80 5 bytes JMP 0000000077bd0350 .text C:\Windows\system32\svchost.exe[364] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077a71ce0 5 bytes JMP 0000000077bd0290 .text C:\Windows\system32\svchost.exe[364] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077a71d70 5 bytes JMP 0000000077bd02b0 .text C:\Windows\system32\svchost.exe[364] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077a71d90 5 bytes JMP 0000000077bd03d0 .text C:\Windows\system32\svchost.exe[364] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077a71da0 1 byte JMP 0000000077bd0330 .text C:\Windows\system32\svchost.exe[364] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077a71da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\svchost.exe[364] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077a71e10 5 bytes JMP 0000000077bd0410 .text C:\Windows\system32\svchost.exe[364] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077a71e40 5 bytes JMP 0000000077bd0240 .text C:\Windows\system32\svchost.exe[364] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077a72100 5 bytes JMP 0000000077bd01e0 .text C:\Windows\system32\svchost.exe[364] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077a721c0 1 byte JMP 0000000077bd0250 .text C:\Windows\system32\svchost.exe[364] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000077a721c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\svchost.exe[364] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077a721f0 5 bytes JMP 0000000077bd0490 .text C:\Windows\system32\svchost.exe[364] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077a72200 5 bytes JMP 0000000077bd04a0 .text C:\Windows\system32\svchost.exe[364] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077a72230 5 bytes JMP 0000000077bd0300 .text C:\Windows\system32\svchost.exe[364] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077a72240 5 bytes JMP 0000000077bd0360 .text C:\Windows\system32\svchost.exe[364] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077a722a0 5 bytes JMP 0000000077bd02a0 .text C:\Windows\system32\svchost.exe[364] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077a722f0 5 bytes JMP 0000000077bd02c0 .text C:\Windows\system32\svchost.exe[364] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077a72320 5 bytes JMP 0000000077bd0380 .text C:\Windows\system32\svchost.exe[364] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077a72330 5 bytes JMP 0000000077bd0340 .text C:\Windows\system32\svchost.exe[364] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077a72620 5 bytes JMP 0000000077bd0440 .text C:\Windows\system32\svchost.exe[364] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077a72820 5 bytes JMP 0000000077bd0260 .text C:\Windows\system32\svchost.exe[364] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077a72830 5 bytes JMP 0000000077bd0270 .text C:\Windows\system32\svchost.exe[364] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077a72840 5 bytes JMP 0000000077bd0400 .text C:\Windows\system32\svchost.exe[364] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077a72a00 5 bytes JMP 0000000077bd01f0 .text C:\Windows\system32\svchost.exe[364] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077a72a10 5 bytes JMP 0000000077bd0210 .text C:\Windows\system32\svchost.exe[364] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077a72a80 5 bytes JMP 0000000077bd0200 .text C:\Windows\system32\svchost.exe[364] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077a72ae0 5 bytes JMP 0000000077bd0420 .text C:\Windows\system32\svchost.exe[364] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077a72af0 5 bytes JMP 0000000077bd0430 .text C:\Windows\system32\svchost.exe[364] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077a72b00 5 bytes JMP 0000000077bd0220 .text C:\Windows\system32\svchost.exe[364] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077a72be0 5 bytes JMP 0000000077bd0280 .text C:\Windows\system32\svchost.exe[364] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007785eecd 1 byte [62] .text C:\Windows\system32\svchost.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077a713c0 5 bytes JMP 0000000100070460 .text C:\Windows\system32\svchost.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077a71410 5 bytes JMP 0000000100070450 .text C:\Windows\system32\svchost.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077a71570 5 bytes JMP 0000000100070370 .text C:\Windows\system32\svchost.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077a715c0 5 bytes JMP 0000000100070470 .text C:\Windows\system32\svchost.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077a715d0 5 bytes JMP 00000001000703e0 .text C:\Windows\system32\svchost.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077a71680 5 bytes JMP 0000000100070320 .text C:\Windows\system32\svchost.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077a716b0 5 bytes JMP 00000001000703b0 .text C:\Windows\system32\svchost.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077a716d0 5 bytes JMP 0000000100070390 .text C:\Windows\system32\svchost.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077a71710 5 bytes JMP 00000001000702e0 .text C:\Windows\system32\svchost.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077a71790 5 bytes JMP 00000001000702d0 .text C:\Windows\system32\svchost.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077a717b0 5 bytes JMP 0000000100070310 .text C:\Windows\system32\svchost.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077a717f0 5 bytes JMP 00000001000703c0 .text C:\Windows\system32\svchost.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077a71840 5 bytes JMP 00000001000703f0 .text C:\Windows\system32\svchost.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077a719a0 1 byte JMP 0000000100070230 .text C:\Windows\system32\svchost.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000077a719a2 3 bytes {JMP 0xffffffff885fe890} .text C:\Windows\system32\svchost.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a71b60 5 bytes JMP 0000000100070480 .text C:\Windows\system32\svchost.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077a71b90 5 bytes JMP 00000001000703a0 .text C:\Windows\system32\svchost.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077a71c70 5 bytes JMP 00000001000702f0 .text C:\Windows\system32\svchost.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077a71c80 5 bytes JMP 0000000100070350 .text C:\Windows\system32\svchost.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077a71ce0 5 bytes JMP 0000000100070290 .text C:\Windows\system32\svchost.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077a71d70 5 bytes JMP 00000001000702b0 .text C:\Windows\system32\svchost.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077a71d90 5 bytes JMP 00000001000703d0 .text C:\Windows\system32\svchost.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077a71da0 1 byte JMP 0000000100070330 .text C:\Windows\system32\svchost.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077a71da2 3 bytes {JMP 0xffffffff885fe590} .text C:\Windows\system32\svchost.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077a71e10 5 bytes JMP 0000000100070410 .text C:\Windows\system32\svchost.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077a71e40 5 bytes JMP 0000000100070240 .text C:\Windows\system32\svchost.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077a72100 5 bytes JMP 00000001000701e0 .text C:\Windows\system32\svchost.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077a721c0 1 byte JMP 0000000100070250 .text C:\Windows\system32\svchost.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000077a721c2 3 bytes {JMP 0xffffffff885fe090} .text C:\Windows\system32\svchost.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077a721f0 5 bytes JMP 0000000100070490 .text C:\Windows\system32\svchost.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077a72200 5 bytes JMP 00000001000704a0 .text C:\Windows\system32\svchost.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077a72230 5 bytes JMP 0000000100070300 .text C:\Windows\system32\svchost.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077a72240 5 bytes JMP 0000000100070360 .text C:\Windows\system32\svchost.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077a722a0 5 bytes JMP 00000001000702a0 .text C:\Windows\system32\svchost.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077a722f0 5 bytes JMP 00000001000702c0 .text C:\Windows\system32\svchost.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077a72320 5 bytes JMP 0000000100070380 .text C:\Windows\system32\svchost.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077a72330 5 bytes JMP 0000000100070340 .text C:\Windows\system32\svchost.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077a72620 5 bytes JMP 0000000100070440 .text C:\Windows\system32\svchost.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077a72820 5 bytes JMP 0000000100070260 .text C:\Windows\system32\svchost.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077a72830 5 bytes JMP 0000000100070270 .text C:\Windows\system32\svchost.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077a72840 5 bytes JMP 0000000100070400 .text C:\Windows\system32\svchost.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077a72a00 5 bytes JMP 00000001000701f0 .text C:\Windows\system32\svchost.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077a72a10 5 bytes JMP 0000000100070210 .text C:\Windows\system32\svchost.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077a72a80 5 bytes JMP 0000000100070200 .text C:\Windows\system32\svchost.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077a72ae0 5 bytes JMP 0000000100070420 .text C:\Windows\system32\svchost.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077a72af0 5 bytes JMP 0000000100070430 .text C:\Windows\system32\svchost.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077a72b00 5 bytes JMP 0000000100070220 .text C:\Windows\system32\svchost.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077a72be0 5 bytes JMP 0000000100070280 .text C:\Windows\system32\svchost.exe[1056] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007785eecd 1 byte [62] .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077a713c0 5 bytes JMP 0000000077bd0460 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077a71410 5 bytes JMP 0000000077bd0450 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077a71570 5 bytes JMP 0000000077bd0370 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077a715c0 5 bytes JMP 0000000077bd0470 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077a715d0 5 bytes JMP 0000000077bd03e0 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077a71680 5 bytes JMP 0000000077bd0320 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077a716b0 5 bytes JMP 0000000077bd03b0 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077a716d0 5 bytes JMP 0000000077bd0390 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077a71710 5 bytes JMP 0000000077bd02e0 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077a71790 5 bytes JMP 0000000077bd02d0 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077a717b0 5 bytes JMP 0000000077bd0310 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077a717f0 5 bytes JMP 0000000077bd03c0 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077a71840 5 bytes JMP 0000000077bd03f0 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077a719a0 1 byte JMP 0000000077bd0230 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000077a719a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a71b60 5 bytes JMP 0000000077bd0480 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077a71b90 5 bytes JMP 0000000077bd03a0 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077a71c70 5 bytes JMP 0000000077bd02f0 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077a71c80 5 bytes JMP 0000000077bd0350 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077a71ce0 5 bytes JMP 0000000077bd0290 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077a71d70 5 bytes JMP 0000000077bd02b0 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077a71d90 5 bytes JMP 0000000077bd03d0 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077a71da0 1 byte JMP 0000000077bd0330 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077a71da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077a71e10 5 bytes JMP 0000000077bd0410 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077a71e40 5 bytes JMP 0000000077bd0240 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077a72100 5 bytes JMP 0000000077bd01e0 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077a721c0 1 byte JMP 0000000077bd0250 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000077a721c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077a721f0 5 bytes JMP 0000000077bd0490 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077a72200 5 bytes JMP 0000000077bd04a0 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077a72230 5 bytes JMP 0000000077bd0300 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077a72240 5 bytes JMP 0000000077bd0360 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077a722a0 5 bytes JMP 0000000077bd02a0 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077a722f0 5 bytes JMP 0000000077bd02c0 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077a72320 5 bytes JMP 0000000077bd0380 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077a72330 5 bytes JMP 0000000077bd0340 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077a72620 5 bytes JMP 0000000077bd0440 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077a72820 5 bytes JMP 0000000077bd0260 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077a72830 5 bytes JMP 0000000077bd0270 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077a72840 5 bytes JMP 0000000077bd0400 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077a72a00 5 bytes JMP 0000000077bd01f0 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077a72a10 5 bytes JMP 0000000077bd0210 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077a72a80 5 bytes JMP 0000000077bd0200 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077a72ae0 5 bytes JMP 0000000077bd0420 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077a72af0 5 bytes JMP 0000000077bd0430 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077a72b00 5 bytes JMP 0000000077bd0220 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077a72be0 5 bytes JMP 0000000077bd0280 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007785eecd 1 byte [62] .text C:\Program Files\Alwil Software\Avast5\afwServ.exe[1292] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000769da322 1 byte [62] .text C:\Program Files\Alwil Software\Avast5\afwServ.exe[1292] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000761b1465 2 bytes [1B, 76] .text C:\Program Files\Alwil Software\Avast5\afwServ.exe[1292] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000761b14bb 2 bytes [1B, 76] .text ... * 2 .text C:\Windows\System32\spoolsv.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077a713c0 5 bytes JMP 0000000077bd0460 .text C:\Windows\System32\spoolsv.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077a71410 5 bytes JMP 0000000077bd0450 .text C:\Windows\System32\spoolsv.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077a71570 5 bytes JMP 0000000077bd0370 .text C:\Windows\System32\spoolsv.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077a715c0 5 bytes JMP 0000000077bd0470 .text C:\Windows\System32\spoolsv.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077a715d0 5 bytes JMP 0000000077bd03e0 .text C:\Windows\System32\spoolsv.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077a71680 5 bytes JMP 0000000077bd0320 .text C:\Windows\System32\spoolsv.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077a716b0 5 bytes JMP 0000000077bd03b0 .text C:\Windows\System32\spoolsv.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077a716d0 5 bytes JMP 0000000077bd0390 .text C:\Windows\System32\spoolsv.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077a71710 5 bytes JMP 0000000077bd02e0 .text C:\Windows\System32\spoolsv.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077a71790 5 bytes JMP 0000000077bd02d0 .text C:\Windows\System32\spoolsv.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077a717b0 5 bytes JMP 0000000077bd0310 .text C:\Windows\System32\spoolsv.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077a717f0 5 bytes JMP 0000000077bd03c0 .text C:\Windows\System32\spoolsv.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077a71840 5 bytes JMP 0000000077bd03f0 .text C:\Windows\System32\spoolsv.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077a719a0 1 byte JMP 0000000077bd0230 .text C:\Windows\System32\spoolsv.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000077a719a2 3 bytes {JMP 0x15e890} .text C:\Windows\System32\spoolsv.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a71b60 5 bytes JMP 0000000077bd0480 .text C:\Windows\System32\spoolsv.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077a71b90 5 bytes JMP 0000000077bd03a0 .text C:\Windows\System32\spoolsv.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077a71c70 5 bytes JMP 0000000077bd02f0 .text C:\Windows\System32\spoolsv.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077a71c80 5 bytes JMP 0000000077bd0350 .text C:\Windows\System32\spoolsv.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077a71ce0 5 bytes JMP 0000000077bd0290 .text C:\Windows\System32\spoolsv.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077a71d70 5 bytes JMP 0000000077bd02b0 .text C:\Windows\System32\spoolsv.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077a71d90 5 bytes JMP 0000000077bd03d0 .text C:\Windows\System32\spoolsv.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077a71da0 1 byte JMP 0000000077bd0330 .text C:\Windows\System32\spoolsv.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077a71da2 3 bytes {JMP 0x15e590} .text C:\Windows\System32\spoolsv.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077a71e10 5 bytes JMP 0000000077bd0410 .text C:\Windows\System32\spoolsv.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077a71e40 5 bytes JMP 0000000077bd0240 .text C:\Windows\System32\spoolsv.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077a72100 5 bytes JMP 0000000077bd01e0 .text C:\Windows\System32\spoolsv.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077a721c0 1 byte JMP 0000000077bd0250 .text C:\Windows\System32\spoolsv.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000077a721c2 3 bytes {JMP 0x15e090} .text C:\Windows\System32\spoolsv.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077a721f0 5 bytes JMP 0000000077bd0490 .text C:\Windows\System32\spoolsv.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077a72200 5 bytes JMP 0000000077bd04a0 .text C:\Windows\System32\spoolsv.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077a72230 5 bytes JMP 0000000077bd0300 .text C:\Windows\System32\spoolsv.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077a72240 5 bytes JMP 0000000077bd0360 .text C:\Windows\System32\spoolsv.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077a722a0 5 bytes JMP 0000000077bd02a0 .text C:\Windows\System32\spoolsv.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077a722f0 5 bytes JMP 0000000077bd02c0 .text C:\Windows\System32\spoolsv.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077a72320 5 bytes JMP 0000000077bd0380 .text C:\Windows\System32\spoolsv.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077a72330 5 bytes JMP 0000000077bd0340 .text C:\Windows\System32\spoolsv.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077a72620 5 bytes JMP 0000000077bd0440 .text C:\Windows\System32\spoolsv.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077a72820 5 bytes JMP 0000000077bd0260 .text C:\Windows\System32\spoolsv.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077a72830 5 bytes JMP 0000000077bd0270 .text C:\Windows\System32\spoolsv.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077a72840 5 bytes JMP 0000000077bd0400 .text C:\Windows\System32\spoolsv.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077a72a00 5 bytes JMP 0000000077bd01f0 .text C:\Windows\System32\spoolsv.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077a72a10 5 bytes JMP 0000000077bd0210 .text C:\Windows\System32\spoolsv.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077a72a80 5 bytes JMP 0000000077bd0200 .text C:\Windows\System32\spoolsv.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077a72ae0 5 bytes JMP 0000000077bd0420 .text C:\Windows\System32\spoolsv.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077a72af0 5 bytes JMP 0000000077bd0430 .text C:\Windows\System32\spoolsv.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077a72b00 5 bytes JMP 0000000077bd0220 .text C:\Windows\System32\spoolsv.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077a72be0 5 bytes JMP 0000000077bd0280 .text C:\Windows\System32\spoolsv.exe[1440] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007785eecd 1 byte [62] .text C:\Windows\system32\svchost.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077a713c0 5 bytes JMP 0000000077bd0460 .text C:\Windows\system32\svchost.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077a71410 5 bytes JMP 0000000077bd0450 .text C:\Windows\system32\svchost.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077a71570 5 bytes JMP 0000000077bd0370 .text C:\Windows\system32\svchost.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077a715c0 5 bytes JMP 0000000077bd0470 .text C:\Windows\system32\svchost.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077a715d0 5 bytes JMP 0000000077bd03e0 .text C:\Windows\system32\svchost.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077a71680 5 bytes JMP 0000000077bd0320 .text C:\Windows\system32\svchost.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077a716b0 5 bytes JMP 0000000077bd03b0 .text C:\Windows\system32\svchost.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077a716d0 5 bytes JMP 0000000077bd0390 .text C:\Windows\system32\svchost.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077a71710 5 bytes JMP 0000000077bd02e0 .text C:\Windows\system32\svchost.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077a71790 5 bytes JMP 0000000077bd02d0 .text C:\Windows\system32\svchost.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077a717b0 5 bytes JMP 0000000077bd0310 .text C:\Windows\system32\svchost.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077a717f0 5 bytes JMP 0000000077bd03c0 .text C:\Windows\system32\svchost.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077a71840 5 bytes JMP 0000000077bd03f0 .text C:\Windows\system32\svchost.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077a719a0 1 byte JMP 0000000077bd0230 .text C:\Windows\system32\svchost.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000077a719a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\svchost.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a71b60 5 bytes JMP 0000000077bd0480 .text C:\Windows\system32\svchost.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077a71b90 5 bytes JMP 0000000077bd03a0 .text C:\Windows\system32\svchost.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077a71c70 5 bytes JMP 0000000077bd02f0 .text C:\Windows\system32\svchost.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077a71c80 5 bytes JMP 0000000077bd0350 .text C:\Windows\system32\svchost.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077a71ce0 5 bytes JMP 0000000077bd0290 .text C:\Windows\system32\svchost.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077a71d70 5 bytes JMP 0000000077bd02b0 .text C:\Windows\system32\svchost.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077a71d90 5 bytes JMP 0000000077bd03d0 .text C:\Windows\system32\svchost.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077a71da0 1 byte JMP 0000000077bd0330 .text C:\Windows\system32\svchost.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077a71da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\svchost.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077a71e10 5 bytes JMP 0000000077bd0410 .text C:\Windows\system32\svchost.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077a71e40 5 bytes JMP 0000000077bd0240 .text C:\Windows\system32\svchost.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077a72100 5 bytes JMP 0000000077bd01e0 .text C:\Windows\system32\svchost.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077a721c0 1 byte JMP 0000000077bd0250 .text C:\Windows\system32\svchost.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000077a721c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\svchost.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077a721f0 5 bytes JMP 0000000077bd0490 .text C:\Windows\system32\svchost.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077a72200 5 bytes JMP 0000000077bd04a0 .text C:\Windows\system32\svchost.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077a72230 5 bytes JMP 0000000077bd0300 .text C:\Windows\system32\svchost.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077a72240 5 bytes JMP 0000000077bd0360 .text C:\Windows\system32\svchost.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077a722a0 5 bytes JMP 0000000077bd02a0 .text C:\Windows\system32\svchost.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077a722f0 5 bytes JMP 0000000077bd02c0 .text C:\Windows\system32\svchost.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077a72320 5 bytes JMP 0000000077bd0380 .text C:\Windows\system32\svchost.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077a72330 5 bytes JMP 0000000077bd0340 .text C:\Windows\system32\svchost.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077a72620 5 bytes JMP 0000000077bd0440 .text C:\Windows\system32\svchost.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077a72820 5 bytes JMP 0000000077bd0260 .text C:\Windows\system32\svchost.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077a72830 5 bytes JMP 0000000077bd0270 .text C:\Windows\system32\svchost.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077a72840 5 bytes JMP 0000000077bd0400 .text C:\Windows\system32\svchost.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077a72a00 5 bytes JMP 0000000077bd01f0 .text C:\Windows\system32\svchost.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077a72a10 5 bytes JMP 0000000077bd0210 .text C:\Windows\system32\svchost.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077a72a80 5 bytes JMP 0000000077bd0200 .text C:\Windows\system32\svchost.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077a72ae0 5 bytes JMP 0000000077bd0420 .text C:\Windows\system32\svchost.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077a72af0 5 bytes JMP 0000000077bd0430 .text C:\Windows\system32\svchost.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077a72b00 5 bytes JMP 0000000077bd0220 .text C:\Windows\system32\svchost.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077a72be0 5 bytes JMP 0000000077bd0280 .text C:\Windows\system32\svchost.exe[1472] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007785eecd 1 byte [62] .text C:\Windows\system32\svchost.exe[1672] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077a713c0 5 bytes JMP 0000000077bd0460 .text C:\Windows\system32\svchost.exe[1672] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077a71410 5 bytes JMP 0000000077bd0450 .text C:\Windows\system32\svchost.exe[1672] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077a71570 5 bytes JMP 0000000077bd0370 .text C:\Windows\system32\svchost.exe[1672] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077a715c0 5 bytes JMP 0000000077bd0470 .text C:\Windows\system32\svchost.exe[1672] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077a715d0 5 bytes JMP 0000000077bd03e0 .text C:\Windows\system32\svchost.exe[1672] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077a71680 5 bytes JMP 0000000077bd0320 .text C:\Windows\system32\svchost.exe[1672] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077a716b0 5 bytes JMP 0000000077bd03b0 .text C:\Windows\system32\svchost.exe[1672] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077a716d0 5 bytes JMP 0000000077bd0390 .text C:\Windows\system32\svchost.exe[1672] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077a71710 5 bytes JMP 0000000077bd02e0 .text C:\Windows\system32\svchost.exe[1672] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077a71790 5 bytes JMP 0000000077bd02d0 .text C:\Windows\system32\svchost.exe[1672] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077a717b0 5 bytes JMP 0000000077bd0310 .text C:\Windows\system32\svchost.exe[1672] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077a717f0 5 bytes JMP 0000000077bd03c0 .text C:\Windows\system32\svchost.exe[1672] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077a71840 5 bytes JMP 0000000077bd03f0 .text C:\Windows\system32\svchost.exe[1672] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077a719a0 1 byte JMP 0000000077bd0230 .text C:\Windows\system32\svchost.exe[1672] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000077a719a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\svchost.exe[1672] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a71b60 5 bytes JMP 0000000077bd0480 .text C:\Windows\system32\svchost.exe[1672] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077a71b90 5 bytes JMP 0000000077bd03a0 .text C:\Windows\system32\svchost.exe[1672] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077a71c70 5 bytes JMP 0000000077bd02f0 .text C:\Windows\system32\svchost.exe[1672] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077a71c80 5 bytes JMP 0000000077bd0350 .text C:\Windows\system32\svchost.exe[1672] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077a71ce0 5 bytes JMP 0000000077bd0290 .text C:\Windows\system32\svchost.exe[1672] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077a71d70 5 bytes JMP 0000000077bd02b0 .text C:\Windows\system32\svchost.exe[1672] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077a71d90 5 bytes JMP 0000000077bd03d0 .text C:\Windows\system32\svchost.exe[1672] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077a71da0 1 byte JMP 0000000077bd0330 .text C:\Windows\system32\svchost.exe[1672] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077a71da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\svchost.exe[1672] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077a71e10 5 bytes JMP 0000000077bd0410 .text C:\Windows\system32\svchost.exe[1672] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077a71e40 5 bytes JMP 0000000077bd0240 .text C:\Windows\system32\svchost.exe[1672] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077a72100 5 bytes JMP 0000000077bd01e0 .text C:\Windows\system32\svchost.exe[1672] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077a721c0 1 byte JMP 0000000077bd0250 .text C:\Windows\system32\svchost.exe[1672] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000077a721c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\svchost.exe[1672] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077a721f0 5 bytes JMP 0000000077bd0490 .text C:\Windows\system32\svchost.exe[1672] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077a72200 5 bytes JMP 0000000077bd04a0 .text C:\Windows\system32\svchost.exe[1672] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077a72230 5 bytes JMP 0000000077bd0300 .text C:\Windows\system32\svchost.exe[1672] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077a72240 5 bytes JMP 0000000077bd0360 .text C:\Windows\system32\svchost.exe[1672] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077a722a0 5 bytes JMP 0000000077bd02a0 .text C:\Windows\system32\svchost.exe[1672] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077a722f0 5 bytes JMP 0000000077bd02c0 .text C:\Windows\system32\svchost.exe[1672] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077a72320 5 bytes JMP 0000000077bd0380 .text C:\Windows\system32\svchost.exe[1672] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077a72330 5 bytes JMP 0000000077bd0340 .text C:\Windows\system32\svchost.exe[1672] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077a72620 5 bytes JMP 0000000077bd0440 .text C:\Windows\system32\svchost.exe[1672] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077a72820 5 bytes JMP 0000000077bd0260 .text C:\Windows\system32\svchost.exe[1672] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077a72830 5 bytes JMP 0000000077bd0270 .text C:\Windows\system32\svchost.exe[1672] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077a72840 5 bytes JMP 0000000077bd0400 .text C:\Windows\system32\svchost.exe[1672] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077a72a00 5 bytes JMP 0000000077bd01f0 .text C:\Windows\system32\svchost.exe[1672] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077a72a10 5 bytes JMP 0000000077bd0210 .text C:\Windows\system32\svchost.exe[1672] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077a72a80 5 bytes JMP 0000000077bd0200 .text C:\Windows\system32\svchost.exe[1672] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077a72ae0 5 bytes JMP 0000000077bd0420 .text C:\Windows\system32\svchost.exe[1672] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077a72af0 5 bytes JMP 0000000077bd0430 .text C:\Windows\system32\svchost.exe[1672] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077a72b00 5 bytes JMP 0000000077bd0220 .text C:\Windows\system32\svchost.exe[1672] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077a72be0 5 bytes JMP 0000000077bd0280 .text C:\Windows\system32\svchost.exe[1672] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007785eecd 1 byte [62] .text C:\Windows\system32\svchost.exe[1728] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007785eecd 1 byte [62] .text C:\Windows\system32\atieclxx.exe[2020] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077a713c0 5 bytes JMP 0000000077bd0460 .text C:\Windows\system32\atieclxx.exe[2020] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077a71410 5 bytes JMP 0000000077bd0450 .text C:\Windows\system32\atieclxx.exe[2020] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077a71570 5 bytes JMP 0000000077bd0370 .text C:\Windows\system32\atieclxx.exe[2020] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077a715c0 5 bytes JMP 0000000077bd0470 .text C:\Windows\system32\atieclxx.exe[2020] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077a715d0 5 bytes JMP 0000000077bd03e0 .text C:\Windows\system32\atieclxx.exe[2020] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077a71680 5 bytes JMP 0000000077bd0320 .text C:\Windows\system32\atieclxx.exe[2020] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077a716b0 5 bytes JMP 0000000077bd03b0 .text C:\Windows\system32\atieclxx.exe[2020] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077a716d0 5 bytes JMP 0000000077bd0390 .text C:\Windows\system32\atieclxx.exe[2020] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077a71710 5 bytes JMP 0000000077bd02e0 .text C:\Windows\system32\atieclxx.exe[2020] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077a71790 5 bytes JMP 0000000077bd02d0 .text C:\Windows\system32\atieclxx.exe[2020] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077a717b0 5 bytes JMP 0000000077bd0310 .text C:\Windows\system32\atieclxx.exe[2020] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077a717f0 5 bytes JMP 0000000077bd03c0 .text C:\Windows\system32\atieclxx.exe[2020] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077a71840 5 bytes JMP 0000000077bd03f0 .text C:\Windows\system32\atieclxx.exe[2020] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077a719a0 1 byte JMP 0000000077bd0230 .text C:\Windows\system32\atieclxx.exe[2020] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000077a719a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\atieclxx.exe[2020] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a71b60 5 bytes JMP 0000000077bd0480 .text C:\Windows\system32\atieclxx.exe[2020] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077a71b90 5 bytes JMP 0000000077bd03a0 .text C:\Windows\system32\atieclxx.exe[2020] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077a71c70 5 bytes JMP 0000000077bd02f0 .text C:\Windows\system32\atieclxx.exe[2020] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077a71c80 5 bytes JMP 0000000077bd0350 .text C:\Windows\system32\atieclxx.exe[2020] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077a71ce0 5 bytes JMP 0000000077bd0290 .text C:\Windows\system32\atieclxx.exe[2020] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077a71d70 5 bytes JMP 0000000077bd02b0 .text C:\Windows\system32\atieclxx.exe[2020] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077a71d90 5 bytes JMP 0000000077bd03d0 .text C:\Windows\system32\atieclxx.exe[2020] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077a71da0 1 byte JMP 0000000077bd0330 .text C:\Windows\system32\atieclxx.exe[2020] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077a71da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\atieclxx.exe[2020] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077a71e10 5 bytes JMP 0000000077bd0410 .text C:\Windows\system32\atieclxx.exe[2020] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077a71e40 5 bytes JMP 0000000077bd0240 .text C:\Windows\system32\atieclxx.exe[2020] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077a72100 5 bytes JMP 0000000077bd01e0 .text C:\Windows\system32\atieclxx.exe[2020] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077a721c0 1 byte JMP 0000000077bd0250 .text C:\Windows\system32\atieclxx.exe[2020] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000077a721c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\atieclxx.exe[2020] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077a721f0 5 bytes JMP 0000000077bd0490 .text C:\Windows\system32\atieclxx.exe[2020] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077a72200 5 bytes JMP 0000000077bd04a0 .text C:\Windows\system32\atieclxx.exe[2020] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077a72230 5 bytes JMP 0000000077bd0300 .text C:\Windows\system32\atieclxx.exe[2020] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077a72240 5 bytes JMP 0000000077bd0360 .text C:\Windows\system32\atieclxx.exe[2020] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077a722a0 5 bytes JMP 0000000077bd02a0 .text C:\Windows\system32\atieclxx.exe[2020] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077a722f0 5 bytes JMP 0000000077bd02c0 .text C:\Windows\system32\atieclxx.exe[2020] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077a72320 5 bytes JMP 0000000077bd0380 .text C:\Windows\system32\atieclxx.exe[2020] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077a72330 5 bytes JMP 0000000077bd0340 .text C:\Windows\system32\atieclxx.exe[2020] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077a72620 5 bytes JMP 0000000077bd0440 .text C:\Windows\system32\atieclxx.exe[2020] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077a72820 5 bytes JMP 0000000077bd0260 .text C:\Windows\system32\atieclxx.exe[2020] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077a72830 5 bytes JMP 0000000077bd0270 .text C:\Windows\system32\atieclxx.exe[2020] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077a72840 5 bytes JMP 0000000077bd0400 .text C:\Windows\system32\atieclxx.exe[2020] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077a72a00 5 bytes JMP 0000000077bd01f0 .text C:\Windows\system32\atieclxx.exe[2020] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077a72a10 5 bytes JMP 0000000077bd0210 .text C:\Windows\system32\atieclxx.exe[2020] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077a72a80 5 bytes JMP 0000000077bd0200 .text C:\Windows\system32\atieclxx.exe[2020] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077a72ae0 5 bytes JMP 0000000077bd0420 .text C:\Windows\system32\atieclxx.exe[2020] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077a72af0 5 bytes JMP 0000000077bd0430 .text C:\Windows\system32\atieclxx.exe[2020] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077a72b00 5 bytes JMP 0000000077bd0220 .text C:\Windows\system32\atieclxx.exe[2020] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077a72be0 5 bytes JMP 0000000077bd0280 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1228] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077a713c0 5 bytes JMP 0000000100070460 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1228] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077a71410 5 bytes JMP 0000000100070450 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1228] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077a71570 5 bytes JMP 0000000100070370 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1228] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077a715c0 5 bytes JMP 0000000100070470 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1228] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077a715d0 5 bytes JMP 00000001000703e0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1228] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077a71680 5 bytes JMP 0000000100070320 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1228] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077a716b0 5 bytes JMP 00000001000703b0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1228] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077a716d0 5 bytes JMP 0000000100070390 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1228] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077a71710 5 bytes JMP 00000001000702e0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1228] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077a71790 5 bytes JMP 00000001000702d0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1228] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077a717b0 5 bytes JMP 0000000100070310 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1228] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077a717f0 5 bytes JMP 00000001000703c0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1228] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077a71840 5 bytes JMP 00000001000703f0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1228] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077a719a0 1 byte JMP 0000000100070230 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1228] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000077a719a2 3 bytes {JMP 0xffffffff885fe890} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1228] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a71b60 5 bytes JMP 0000000100070480 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1228] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077a71b90 5 bytes JMP 00000001000703a0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1228] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077a71c70 5 bytes JMP 00000001000702f0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1228] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077a71c80 5 bytes JMP 0000000100070350 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1228] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077a71ce0 5 bytes JMP 0000000100070290 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1228] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077a71d70 5 bytes JMP 00000001000702b0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1228] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077a71d90 5 bytes JMP 00000001000703d0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1228] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077a71da0 1 byte JMP 0000000100070330 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1228] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077a71da2 3 bytes {JMP 0xffffffff885fe590} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1228] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077a71e10 5 bytes JMP 0000000100070410 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1228] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077a71e40 5 bytes JMP 0000000100070240 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1228] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077a72100 5 bytes JMP 00000001000701e0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1228] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077a721c0 1 byte JMP 0000000100070250 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1228] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000077a721c2 3 bytes {JMP 0xffffffff885fe090} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1228] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077a721f0 5 bytes JMP 0000000100070490 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1228] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077a72200 5 bytes JMP 00000001000704a0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1228] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077a72230 5 bytes JMP 0000000100070300 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1228] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077a72240 5 bytes JMP 0000000100070360 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1228] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077a722a0 5 bytes JMP 00000001000702a0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1228] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077a722f0 5 bytes JMP 00000001000702c0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1228] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077a72320 5 bytes JMP 0000000100070380 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1228] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077a72330 5 bytes JMP 0000000100070340 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1228] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077a72620 5 bytes JMP 0000000100070440 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1228] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077a72820 5 bytes JMP 0000000100070260 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1228] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077a72830 5 bytes JMP 0000000100070270 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1228] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077a72840 5 bytes JMP 0000000100070400 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1228] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077a72a00 5 bytes JMP 00000001000701f0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1228] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077a72a10 5 bytes JMP 0000000100070210 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1228] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077a72a80 5 bytes JMP 0000000100070200 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1228] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077a72ae0 5 bytes JMP 0000000100070420 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1228] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077a72af0 5 bytes JMP 0000000100070430 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1228] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077a72b00 5 bytes JMP 0000000100070220 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1228] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077a72be0 5 bytes JMP 0000000100070280 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1228] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007785eecd 1 byte [62] .text C:\Windows\system32\taskhost.exe[2132] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077a713c0 5 bytes JMP 0000000100060460 .text C:\Windows\system32\taskhost.exe[2132] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077a71410 5 bytes JMP 0000000100060450 .text C:\Windows\system32\taskhost.exe[2132] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077a71570 5 bytes JMP 0000000100060370 .text C:\Windows\system32\taskhost.exe[2132] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077a715c0 5 bytes JMP 0000000100060470 .text C:\Windows\system32\taskhost.exe[2132] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077a715d0 5 bytes JMP 00000001000603e0 .text C:\Windows\system32\taskhost.exe[2132] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077a71680 5 bytes JMP 0000000100060320 .text C:\Windows\system32\taskhost.exe[2132] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077a716b0 5 bytes JMP 00000001000603b0 .text C:\Windows\system32\taskhost.exe[2132] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077a716d0 5 bytes JMP 0000000100060390 .text C:\Windows\system32\taskhost.exe[2132] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077a71710 5 bytes JMP 00000001000602e0 .text C:\Windows\system32\taskhost.exe[2132] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077a71790 5 bytes JMP 00000001000602d0 .text C:\Windows\system32\taskhost.exe[2132] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077a717b0 5 bytes JMP 0000000100060310 .text C:\Windows\system32\taskhost.exe[2132] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077a717f0 5 bytes JMP 00000001000603c0 .text C:\Windows\system32\taskhost.exe[2132] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077a71840 5 bytes JMP 00000001000603f0 .text C:\Windows\system32\taskhost.exe[2132] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077a719a0 1 byte JMP 0000000100060230 .text C:\Windows\system32\taskhost.exe[2132] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000077a719a2 3 bytes {JMP 0xffffffff885ee890} .text C:\Windows\system32\taskhost.exe[2132] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a71b60 5 bytes JMP 0000000100060480 .text C:\Windows\system32\taskhost.exe[2132] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077a71b90 5 bytes JMP 00000001000603a0 .text C:\Windows\system32\taskhost.exe[2132] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077a71c70 5 bytes JMP 00000001000602f0 .text C:\Windows\system32\taskhost.exe[2132] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077a71c80 5 bytes JMP 0000000100060350 .text C:\Windows\system32\taskhost.exe[2132] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077a71ce0 5 bytes JMP 0000000100060290 .text C:\Windows\system32\taskhost.exe[2132] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077a71d70 5 bytes JMP 00000001000602b0 .text C:\Windows\system32\taskhost.exe[2132] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077a71d90 5 bytes JMP 00000001000603d0 .text C:\Windows\system32\taskhost.exe[2132] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077a71da0 1 byte JMP 0000000100060330 .text C:\Windows\system32\taskhost.exe[2132] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077a71da2 3 bytes {JMP 0xffffffff885ee590} .text C:\Windows\system32\taskhost.exe[2132] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077a71e10 5 bytes JMP 0000000100060410 .text C:\Windows\system32\taskhost.exe[2132] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077a71e40 5 bytes JMP 0000000100060240 .text C:\Windows\system32\taskhost.exe[2132] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077a72100 5 bytes JMP 00000001000601e0 .text C:\Windows\system32\taskhost.exe[2132] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077a721c0 1 byte JMP 0000000100060250 .text C:\Windows\system32\taskhost.exe[2132] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000077a721c2 3 bytes {JMP 0xffffffff885ee090} .text C:\Windows\system32\taskhost.exe[2132] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077a721f0 5 bytes JMP 0000000100060490 .text C:\Windows\system32\taskhost.exe[2132] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077a72200 5 bytes JMP 00000001000604a0 .text C:\Windows\system32\taskhost.exe[2132] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077a72230 5 bytes JMP 0000000100060300 .text C:\Windows\system32\taskhost.exe[2132] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077a72240 5 bytes JMP 0000000100060360 .text C:\Windows\system32\taskhost.exe[2132] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077a722a0 5 bytes JMP 00000001000602a0 .text C:\Windows\system32\taskhost.exe[2132] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077a722f0 5 bytes JMP 00000001000602c0 .text C:\Windows\system32\taskhost.exe[2132] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077a72320 5 bytes JMP 0000000100060380 .text C:\Windows\system32\taskhost.exe[2132] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077a72330 5 bytes JMP 0000000100060340 .text C:\Windows\system32\taskhost.exe[2132] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077a72620 5 bytes JMP 0000000100060440 .text C:\Windows\system32\taskhost.exe[2132] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077a72820 5 bytes JMP 0000000100060260 .text C:\Windows\system32\taskhost.exe[2132] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077a72830 5 bytes JMP 0000000100060270 .text C:\Windows\system32\taskhost.exe[2132] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077a72840 5 bytes JMP 0000000100060400 .text C:\Windows\system32\taskhost.exe[2132] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077a72a00 5 bytes JMP 00000001000601f0 .text C:\Windows\system32\taskhost.exe[2132] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077a72a10 5 bytes JMP 0000000100060210 .text C:\Windows\system32\taskhost.exe[2132] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077a72a80 5 bytes JMP 0000000100060200 .text C:\Windows\system32\taskhost.exe[2132] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077a72ae0 5 bytes JMP 0000000100060420 .text C:\Windows\system32\taskhost.exe[2132] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077a72af0 5 bytes JMP 0000000100060430 .text C:\Windows\system32\taskhost.exe[2132] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077a72b00 5 bytes JMP 0000000100060220 .text C:\Windows\system32\taskhost.exe[2132] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077a72be0 5 bytes JMP 0000000100060280 .text C:\Windows\system32\taskhost.exe[2132] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007785eecd 1 byte [62] .text C:\Windows\system32\Dwm.exe[2248] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077a713c0 5 bytes JMP 0000000077bd0460 .text C:\Windows\system32\Dwm.exe[2248] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077a71410 5 bytes JMP 0000000077bd0450 .text C:\Windows\system32\Dwm.exe[2248] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077a71570 5 bytes JMP 0000000077bd0370 .text C:\Windows\system32\Dwm.exe[2248] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077a715c0 5 bytes JMP 0000000077bd0470 .text C:\Windows\system32\Dwm.exe[2248] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077a715d0 5 bytes JMP 0000000077bd03e0 .text C:\Windows\system32\Dwm.exe[2248] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077a71680 5 bytes JMP 0000000077bd0320 .text C:\Windows\system32\Dwm.exe[2248] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077a716b0 5 bytes JMP 0000000077bd03b0 .text C:\Windows\system32\Dwm.exe[2248] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077a716d0 5 bytes JMP 0000000077bd0390 .text C:\Windows\system32\Dwm.exe[2248] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077a71710 5 bytes JMP 0000000077bd02e0 .text C:\Windows\system32\Dwm.exe[2248] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077a71790 5 bytes JMP 0000000077bd02d0 .text C:\Windows\system32\Dwm.exe[2248] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077a717b0 5 bytes JMP 0000000077bd0310 .text C:\Windows\system32\Dwm.exe[2248] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077a717f0 5 bytes JMP 0000000077bd03c0 .text C:\Windows\system32\Dwm.exe[2248] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077a71840 5 bytes JMP 0000000077bd03f0 .text C:\Windows\system32\Dwm.exe[2248] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077a719a0 1 byte JMP 0000000077bd0230 .text C:\Windows\system32\Dwm.exe[2248] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000077a719a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\Dwm.exe[2248] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a71b60 5 bytes JMP 0000000077bd0480 .text C:\Windows\system32\Dwm.exe[2248] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077a71b90 5 bytes JMP 0000000077bd03a0 .text C:\Windows\system32\Dwm.exe[2248] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077a71c70 5 bytes JMP 0000000077bd02f0 .text C:\Windows\system32\Dwm.exe[2248] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077a71c80 5 bytes JMP 0000000077bd0350 .text C:\Windows\system32\Dwm.exe[2248] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077a71ce0 5 bytes JMP 0000000077bd0290 .text C:\Windows\system32\Dwm.exe[2248] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077a71d70 5 bytes JMP 0000000077bd02b0 .text C:\Windows\system32\Dwm.exe[2248] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077a71d90 5 bytes JMP 0000000077bd03d0 .text C:\Windows\system32\Dwm.exe[2248] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077a71da0 1 byte JMP 0000000077bd0330 .text C:\Windows\system32\Dwm.exe[2248] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077a71da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\Dwm.exe[2248] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077a71e10 5 bytes JMP 0000000077bd0410 .text C:\Windows\system32\Dwm.exe[2248] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077a71e40 5 bytes JMP 0000000077bd0240 .text C:\Windows\system32\Dwm.exe[2248] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077a72100 5 bytes JMP 0000000077bd01e0 .text C:\Windows\system32\Dwm.exe[2248] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077a721c0 1 byte JMP 0000000077bd0250 .text C:\Windows\system32\Dwm.exe[2248] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000077a721c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\Dwm.exe[2248] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077a721f0 5 bytes JMP 0000000077bd0490 .text C:\Windows\system32\Dwm.exe[2248] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077a72200 5 bytes JMP 0000000077bd04a0 .text C:\Windows\system32\Dwm.exe[2248] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077a72230 5 bytes JMP 0000000077bd0300 .text C:\Windows\system32\Dwm.exe[2248] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077a72240 5 bytes JMP 0000000077bd0360 .text C:\Windows\system32\Dwm.exe[2248] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077a722a0 5 bytes JMP 0000000077bd02a0 .text C:\Windows\system32\Dwm.exe[2248] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077a722f0 5 bytes JMP 0000000077bd02c0 .text C:\Windows\system32\Dwm.exe[2248] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077a72320 5 bytes JMP 0000000077bd0380 .text C:\Windows\system32\Dwm.exe[2248] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077a72330 5 bytes JMP 0000000077bd0340 .text C:\Windows\system32\Dwm.exe[2248] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077a72620 5 bytes JMP 0000000077bd0440 .text C:\Windows\system32\Dwm.exe[2248] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077a72820 5 bytes JMP 0000000077bd0260 .text C:\Windows\system32\Dwm.exe[2248] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077a72830 5 bytes JMP 0000000077bd0270 .text C:\Windows\system32\Dwm.exe[2248] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077a72840 5 bytes JMP 0000000077bd0400 .text C:\Windows\system32\Dwm.exe[2248] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077a72a00 5 bytes JMP 0000000077bd01f0 .text C:\Windows\system32\Dwm.exe[2248] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077a72a10 5 bytes JMP 0000000077bd0210 .text C:\Windows\system32\Dwm.exe[2248] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077a72a80 5 bytes JMP 0000000077bd0200 .text C:\Windows\system32\Dwm.exe[2248] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077a72ae0 5 bytes JMP 0000000077bd0420 .text C:\Windows\system32\Dwm.exe[2248] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077a72af0 5 bytes JMP 0000000077bd0430 .text C:\Windows\system32\Dwm.exe[2248] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077a72b00 5 bytes JMP 0000000077bd0220 .text C:\Windows\system32\Dwm.exe[2248] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077a72be0 5 bytes JMP 0000000077bd0280 .text C:\Windows\Explorer.EXE[2280] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077a713c0 5 bytes JMP 0000000077bd0460 .text C:\Windows\Explorer.EXE[2280] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077a71410 5 bytes JMP 0000000077bd0450 .text C:\Windows\Explorer.EXE[2280] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077a71570 5 bytes JMP 0000000077bd0370 .text C:\Windows\Explorer.EXE[2280] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077a715c0 5 bytes JMP 0000000077bd0470 .text C:\Windows\Explorer.EXE[2280] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077a715d0 5 bytes JMP 0000000077bd03e0 .text C:\Windows\Explorer.EXE[2280] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077a71680 5 bytes JMP 0000000077bd0320 .text C:\Windows\Explorer.EXE[2280] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077a716b0 5 bytes JMP 0000000077bd03b0 .text C:\Windows\Explorer.EXE[2280] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077a716d0 5 bytes JMP 0000000077bd0390 .text C:\Windows\Explorer.EXE[2280] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077a71710 5 bytes JMP 0000000077bd02e0 .text C:\Windows\Explorer.EXE[2280] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077a71790 5 bytes JMP 0000000077bd02d0 .text C:\Windows\Explorer.EXE[2280] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077a717b0 5 bytes JMP 0000000077bd0310 .text C:\Windows\Explorer.EXE[2280] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077a717f0 5 bytes JMP 0000000077bd03c0 .text C:\Windows\Explorer.EXE[2280] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077a71840 5 bytes JMP 0000000077bd03f0 .text C:\Windows\Explorer.EXE[2280] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077a719a0 1 byte JMP 0000000077bd0230 .text C:\Windows\Explorer.EXE[2280] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000077a719a2 3 bytes {JMP 0x15e890} .text C:\Windows\Explorer.EXE[2280] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a71b60 5 bytes JMP 0000000077bd0480 .text C:\Windows\Explorer.EXE[2280] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077a71b90 5 bytes JMP 0000000077bd03a0 .text C:\Windows\Explorer.EXE[2280] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077a71c70 5 bytes JMP 0000000077bd02f0 .text C:\Windows\Explorer.EXE[2280] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077a71c80 5 bytes JMP 0000000077bd0350 .text C:\Windows\Explorer.EXE[2280] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077a71ce0 5 bytes JMP 0000000077bd0290 .text C:\Windows\Explorer.EXE[2280] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077a71d70 5 bytes JMP 0000000077bd02b0 .text C:\Windows\Explorer.EXE[2280] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077a71d90 5 bytes JMP 0000000077bd03d0 .text C:\Windows\Explorer.EXE[2280] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077a71da0 1 byte JMP 0000000077bd0330 .text C:\Windows\Explorer.EXE[2280] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077a71da2 3 bytes {JMP 0x15e590} .text C:\Windows\Explorer.EXE[2280] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077a71e10 5 bytes JMP 0000000077bd0410 .text C:\Windows\Explorer.EXE[2280] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077a71e40 5 bytes JMP 0000000077bd0240 .text C:\Windows\Explorer.EXE[2280] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077a72100 5 bytes JMP 0000000077bd01e0 .text C:\Windows\Explorer.EXE[2280] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077a721c0 1 byte JMP 0000000077bd0250 .text C:\Windows\Explorer.EXE[2280] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000077a721c2 3 bytes {JMP 0x15e090} .text C:\Windows\Explorer.EXE[2280] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077a721f0 5 bytes JMP 0000000077bd0490 .text C:\Windows\Explorer.EXE[2280] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077a72200 5 bytes JMP 0000000077bd04a0 .text C:\Windows\Explorer.EXE[2280] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077a72230 5 bytes JMP 0000000077bd0300 .text C:\Windows\Explorer.EXE[2280] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077a72240 5 bytes JMP 0000000077bd0360 .text C:\Windows\Explorer.EXE[2280] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077a722a0 5 bytes JMP 0000000077bd02a0 .text C:\Windows\Explorer.EXE[2280] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077a722f0 5 bytes JMP 0000000077bd02c0 .text C:\Windows\Explorer.EXE[2280] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077a72320 5 bytes JMP 0000000077bd0380 .text C:\Windows\Explorer.EXE[2280] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077a72330 5 bytes JMP 0000000077bd0340 .text C:\Windows\Explorer.EXE[2280] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077a72620 5 bytes JMP 0000000077bd0440 .text C:\Windows\Explorer.EXE[2280] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077a72820 5 bytes JMP 0000000077bd0260 .text C:\Windows\Explorer.EXE[2280] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077a72830 5 bytes JMP 0000000077bd0270 .text C:\Windows\Explorer.EXE[2280] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077a72840 5 bytes JMP 0000000077bd0400 .text C:\Windows\Explorer.EXE[2280] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077a72a00 5 bytes JMP 0000000077bd01f0 .text C:\Windows\Explorer.EXE[2280] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077a72a10 5 bytes JMP 0000000077bd0210 .text C:\Windows\Explorer.EXE[2280] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077a72a80 5 bytes JMP 0000000077bd0200 .text C:\Windows\Explorer.EXE[2280] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077a72ae0 5 bytes JMP 0000000077bd0420 .text C:\Windows\Explorer.EXE[2280] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077a72af0 5 bytes JMP 0000000077bd0430 .text C:\Windows\Explorer.EXE[2280] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077a72b00 5 bytes JMP 0000000077bd0220 .text C:\Windows\Explorer.EXE[2280] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077a72be0 5 bytes JMP 0000000077bd0280 .text C:\Windows\Explorer.EXE[2280] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007785eecd 1 byte [62] .text C:\Windows\vsnp325.exe[2524] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000769da322 1 byte [62] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2544] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077a713c0 5 bytes JMP 0000000077bd0460 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2544] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077a71410 5 bytes JMP 0000000077bd0450 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2544] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077a71570 5 bytes JMP 0000000077bd0370 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2544] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077a715c0 5 bytes JMP 0000000077bd0470 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2544] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077a715d0 5 bytes JMP 0000000077bd03e0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2544] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077a71680 5 bytes JMP 0000000077bd0320 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2544] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077a716b0 5 bytes JMP 0000000077bd03b0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2544] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077a716d0 5 bytes JMP 0000000077bd0390 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2544] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077a71710 5 bytes JMP 0000000077bd02e0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2544] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077a71790 5 bytes JMP 0000000077bd02d0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2544] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077a717b0 5 bytes JMP 0000000077bd0310 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2544] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077a717f0 5 bytes JMP 0000000077bd03c0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2544] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077a71840 5 bytes JMP 0000000077bd03f0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2544] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077a719a0 1 byte JMP 0000000077bd0230 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2544] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000077a719a2 3 bytes {JMP 0x15e890} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2544] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a71b60 5 bytes JMP 0000000077bd0480 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2544] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077a71b90 5 bytes JMP 0000000077bd03a0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2544] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077a71c70 5 bytes JMP 0000000077bd02f0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2544] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077a71c80 5 bytes JMP 0000000077bd0350 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2544] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077a71ce0 5 bytes JMP 0000000077bd0290 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2544] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077a71d70 5 bytes JMP 0000000077bd02b0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2544] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077a71d90 5 bytes JMP 0000000077bd03d0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2544] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077a71da0 1 byte JMP 0000000077bd0330 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2544] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077a71da2 3 bytes {JMP 0x15e590} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2544] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077a71e10 5 bytes JMP 0000000077bd0410 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2544] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077a71e40 5 bytes JMP 0000000077bd0240 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2544] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077a72100 5 bytes JMP 0000000077bd01e0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2544] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077a721c0 1 byte JMP 0000000077bd0250 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2544] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000077a721c2 3 bytes {JMP 0x15e090} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2544] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077a721f0 5 bytes JMP 0000000077bd0490 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2544] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077a72200 5 bytes JMP 0000000077bd04a0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2544] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077a72230 5 bytes JMP 0000000077bd0300 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2544] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077a72240 5 bytes JMP 0000000077bd0360 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2544] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077a722a0 5 bytes JMP 0000000077bd02a0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2544] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077a722f0 5 bytes JMP 0000000077bd02c0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2544] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077a72320 5 bytes JMP 0000000077bd0380 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2544] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077a72330 5 bytes JMP 0000000077bd0340 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2544] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077a72620 5 bytes JMP 0000000077bd0440 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2544] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077a72820 5 bytes JMP 0000000077bd0260 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2544] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077a72830 5 bytes JMP 0000000077bd0270 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2544] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077a72840 5 bytes JMP 0000000077bd0400 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2544] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077a72a00 5 bytes JMP 0000000077bd01f0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2544] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077a72a10 5 bytes JMP 0000000077bd0210 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2544] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077a72a80 5 bytes JMP 0000000077bd0200 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2544] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077a72ae0 5 bytes JMP 0000000077bd0420 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2544] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077a72af0 5 bytes JMP 0000000077bd0430 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2544] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077a72b00 5 bytes JMP 0000000077bd0220 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2544] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077a72be0 5 bytes JMP 0000000077bd0280 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2544] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007785eecd 1 byte [62] .text C:\Program Files\Windows Sidebar\sidebar.exe[2552] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077a713c0 5 bytes JMP 0000000077bd0460 .text C:\Program Files\Windows Sidebar\sidebar.exe[2552] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077a71410 5 bytes JMP 0000000077bd0450 .text C:\Program Files\Windows Sidebar\sidebar.exe[2552] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077a71570 5 bytes JMP 0000000077bd0370 .text C:\Program Files\Windows Sidebar\sidebar.exe[2552] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077a715c0 5 bytes JMP 0000000077bd0470 .text C:\Program Files\Windows Sidebar\sidebar.exe[2552] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077a715d0 5 bytes JMP 0000000077bd03e0 .text C:\Program Files\Windows Sidebar\sidebar.exe[2552] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077a71680 5 bytes JMP 0000000077bd0320 .text C:\Program Files\Windows Sidebar\sidebar.exe[2552] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077a716b0 5 bytes JMP 0000000077bd03b0 .text C:\Program Files\Windows Sidebar\sidebar.exe[2552] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077a716d0 5 bytes JMP 0000000077bd0390 .text C:\Program Files\Windows Sidebar\sidebar.exe[2552] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077a71710 5 bytes JMP 0000000077bd02e0 .text C:\Program Files\Windows Sidebar\sidebar.exe[2552] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077a71790 5 bytes JMP 0000000077bd02d0 .text C:\Program Files\Windows Sidebar\sidebar.exe[2552] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077a717b0 5 bytes JMP 0000000077bd0310 .text C:\Program Files\Windows Sidebar\sidebar.exe[2552] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077a717f0 5 bytes JMP 0000000077bd03c0 .text C:\Program Files\Windows Sidebar\sidebar.exe[2552] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077a71840 5 bytes JMP 0000000077bd03f0 .text C:\Program Files\Windows Sidebar\sidebar.exe[2552] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077a719a0 1 byte JMP 0000000077bd0230 .text C:\Program Files\Windows Sidebar\sidebar.exe[2552] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000077a719a2 3 bytes {JMP 0x15e890} .text C:\Program Files\Windows Sidebar\sidebar.exe[2552] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a71b60 5 bytes JMP 0000000077bd0480 .text C:\Program Files\Windows Sidebar\sidebar.exe[2552] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077a71b90 5 bytes JMP 0000000077bd03a0 .text C:\Program Files\Windows Sidebar\sidebar.exe[2552] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077a71c70 5 bytes JMP 0000000077bd02f0 .text C:\Program Files\Windows Sidebar\sidebar.exe[2552] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077a71c80 5 bytes JMP 0000000077bd0350 .text C:\Program Files\Windows Sidebar\sidebar.exe[2552] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077a71ce0 5 bytes JMP 0000000077bd0290 .text C:\Program Files\Windows Sidebar\sidebar.exe[2552] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077a71d70 5 bytes JMP 0000000077bd02b0 .text C:\Program Files\Windows Sidebar\sidebar.exe[2552] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077a71d90 5 bytes JMP 0000000077bd03d0 .text C:\Program Files\Windows Sidebar\sidebar.exe[2552] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077a71da0 1 byte JMP 0000000077bd0330 .text C:\Program Files\Windows Sidebar\sidebar.exe[2552] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077a71da2 3 bytes {JMP 0x15e590} .text C:\Program Files\Windows Sidebar\sidebar.exe[2552] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077a71e10 5 bytes JMP 0000000077bd0410 .text C:\Program Files\Windows Sidebar\sidebar.exe[2552] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077a71e40 5 bytes JMP 0000000077bd0240 .text C:\Program Files\Windows Sidebar\sidebar.exe[2552] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077a72100 5 bytes JMP 0000000077bd01e0 .text C:\Program Files\Windows Sidebar\sidebar.exe[2552] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077a721c0 1 byte JMP 0000000077bd0250 .text C:\Program Files\Windows Sidebar\sidebar.exe[2552] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000077a721c2 3 bytes {JMP 0x15e090} .text C:\Program Files\Windows Sidebar\sidebar.exe[2552] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077a721f0 5 bytes JMP 0000000077bd0490 .text C:\Program Files\Windows Sidebar\sidebar.exe[2552] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077a72200 5 bytes JMP 0000000077bd04a0 .text C:\Program Files\Windows Sidebar\sidebar.exe[2552] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077a72230 5 bytes JMP 0000000077bd0300 .text C:\Program Files\Windows Sidebar\sidebar.exe[2552] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077a72240 5 bytes JMP 0000000077bd0360 .text C:\Program Files\Windows Sidebar\sidebar.exe[2552] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077a722a0 5 bytes JMP 0000000077bd02a0 .text C:\Program Files\Windows Sidebar\sidebar.exe[2552] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077a722f0 5 bytes JMP 0000000077bd02c0 .text C:\Program Files\Windows Sidebar\sidebar.exe[2552] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077a72320 5 bytes JMP 0000000077bd0380 .text C:\Program Files\Windows Sidebar\sidebar.exe[2552] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077a72330 5 bytes JMP 0000000077bd0340 .text C:\Program Files\Windows Sidebar\sidebar.exe[2552] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077a72620 5 bytes JMP 0000000077bd0440 .text C:\Program Files\Windows Sidebar\sidebar.exe[2552] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077a72820 5 bytes JMP 0000000077bd0260 .text C:\Program Files\Windows Sidebar\sidebar.exe[2552] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077a72830 5 bytes JMP 0000000077bd0270 .text C:\Program Files\Windows Sidebar\sidebar.exe[2552] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077a72840 5 bytes JMP 0000000077bd0400 .text C:\Program Files\Windows Sidebar\sidebar.exe[2552] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077a72a00 5 bytes JMP 0000000077bd01f0 .text C:\Program Files\Windows Sidebar\sidebar.exe[2552] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077a72a10 5 bytes JMP 0000000077bd0210 .text C:\Program Files\Windows Sidebar\sidebar.exe[2552] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077a72a80 5 bytes JMP 0000000077bd0200 .text C:\Program Files\Windows Sidebar\sidebar.exe[2552] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077a72ae0 5 bytes JMP 0000000077bd0420 .text C:\Program Files\Windows Sidebar\sidebar.exe[2552] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077a72af0 5 bytes JMP 0000000077bd0430 .text C:\Program Files\Windows Sidebar\sidebar.exe[2552] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077a72b00 5 bytes JMP 0000000077bd0220 .text C:\Program Files\Windows Sidebar\sidebar.exe[2552] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077a72be0 5 bytes JMP 0000000077bd0280 .text C:\Program Files\Windows Sidebar\sidebar.exe[2552] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007785eecd 1 byte [62] .text C:\Windows\SysWOW64\rundll32.exe[2848] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000769da322 1 byte [62] .text C:\Windows\system32\SearchIndexer.exe[2712] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077a713c0 5 bytes JMP 0000000077bd0460 .text C:\Windows\system32\SearchIndexer.exe[2712] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077a71410 5 bytes JMP 0000000077bd0450 .text C:\Windows\system32\SearchIndexer.exe[2712] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077a71570 5 bytes JMP 0000000077bd0370 .text C:\Windows\system32\SearchIndexer.exe[2712] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077a715c0 5 bytes JMP 0000000077bd0470 .text C:\Windows\system32\SearchIndexer.exe[2712] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077a715d0 5 bytes JMP 0000000077bd03e0 .text C:\Windows\system32\SearchIndexer.exe[2712] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077a71680 5 bytes JMP 0000000077bd0320 .text C:\Windows\system32\SearchIndexer.exe[2712] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077a716b0 5 bytes JMP 0000000077bd03b0 .text C:\Windows\system32\SearchIndexer.exe[2712] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077a716d0 5 bytes JMP 0000000077bd0390 .text C:\Windows\system32\SearchIndexer.exe[2712] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077a71710 5 bytes JMP 0000000077bd02e0 .text C:\Windows\system32\SearchIndexer.exe[2712] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077a71790 5 bytes JMP 0000000077bd02d0 .text C:\Windows\system32\SearchIndexer.exe[2712] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077a717b0 5 bytes JMP 0000000077bd0310 .text C:\Windows\system32\SearchIndexer.exe[2712] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077a717f0 5 bytes JMP 0000000077bd03c0 .text C:\Windows\system32\SearchIndexer.exe[2712] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077a71840 5 bytes JMP 0000000077bd03f0 .text C:\Windows\system32\SearchIndexer.exe[2712] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077a719a0 1 byte JMP 0000000077bd0230 .text C:\Windows\system32\SearchIndexer.exe[2712] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000077a719a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\SearchIndexer.exe[2712] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a71b60 5 bytes JMP 0000000077bd0480 .text C:\Windows\system32\SearchIndexer.exe[2712] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077a71b90 5 bytes JMP 0000000077bd03a0 .text C:\Windows\system32\SearchIndexer.exe[2712] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077a71c70 5 bytes JMP 0000000077bd02f0 .text C:\Windows\system32\SearchIndexer.exe[2712] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077a71c80 5 bytes JMP 0000000077bd0350 .text C:\Windows\system32\SearchIndexer.exe[2712] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077a71ce0 5 bytes JMP 0000000077bd0290 .text C:\Windows\system32\SearchIndexer.exe[2712] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077a71d70 5 bytes JMP 0000000077bd02b0 .text C:\Windows\system32\SearchIndexer.exe[2712] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077a71d90 5 bytes JMP 0000000077bd03d0 .text C:\Windows\system32\SearchIndexer.exe[2712] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077a71da0 1 byte JMP 0000000077bd0330 .text C:\Windows\system32\SearchIndexer.exe[2712] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077a71da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\SearchIndexer.exe[2712] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077a71e10 5 bytes JMP 0000000077bd0410 .text C:\Windows\system32\SearchIndexer.exe[2712] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077a71e40 5 bytes JMP 0000000077bd0240 .text C:\Windows\system32\SearchIndexer.exe[2712] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077a72100 5 bytes JMP 0000000077bd01e0 .text C:\Windows\system32\SearchIndexer.exe[2712] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077a721c0 1 byte JMP 0000000077bd0250 .text C:\Windows\system32\SearchIndexer.exe[2712] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000077a721c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\SearchIndexer.exe[2712] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077a721f0 5 bytes JMP 0000000077bd0490 .text C:\Windows\system32\SearchIndexer.exe[2712] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077a72200 5 bytes JMP 0000000077bd04a0 .text C:\Windows\system32\SearchIndexer.exe[2712] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077a72230 5 bytes JMP 0000000077bd0300 .text C:\Windows\system32\SearchIndexer.exe[2712] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077a72240 5 bytes JMP 0000000077bd0360 .text C:\Windows\system32\SearchIndexer.exe[2712] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077a722a0 5 bytes JMP 0000000077bd02a0 .text C:\Windows\system32\SearchIndexer.exe[2712] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077a722f0 5 bytes JMP 0000000077bd02c0 .text C:\Windows\system32\SearchIndexer.exe[2712] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077a72320 5 bytes JMP 0000000077bd0380 .text C:\Windows\system32\SearchIndexer.exe[2712] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077a72330 5 bytes JMP 0000000077bd0340 .text C:\Windows\system32\SearchIndexer.exe[2712] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077a72620 5 bytes JMP 0000000077bd0440 .text C:\Windows\system32\SearchIndexer.exe[2712] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077a72820 5 bytes JMP 0000000077bd0260 .text C:\Windows\system32\SearchIndexer.exe[2712] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077a72830 5 bytes JMP 0000000077bd0270 .text C:\Windows\system32\SearchIndexer.exe[2712] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077a72840 5 bytes JMP 0000000077bd0400 .text C:\Windows\system32\SearchIndexer.exe[2712] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077a72a00 5 bytes JMP 0000000077bd01f0 .text C:\Windows\system32\SearchIndexer.exe[2712] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077a72a10 5 bytes JMP 0000000077bd0210 .text C:\Windows\system32\SearchIndexer.exe[2712] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077a72a80 5 bytes JMP 0000000077bd0200 .text C:\Windows\system32\SearchIndexer.exe[2712] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077a72ae0 5 bytes JMP 0000000077bd0420 .text C:\Windows\system32\SearchIndexer.exe[2712] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077a72af0 5 bytes JMP 0000000077bd0430 .text C:\Windows\system32\SearchIndexer.exe[2712] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077a72b00 5 bytes JMP 0000000077bd0220 .text C:\Windows\system32\SearchIndexer.exe[2712] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077a72be0 5 bytes JMP 0000000077bd0280 .text C:\Windows\system32\SearchIndexer.exe[2712] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007785eecd 1 byte [62] .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2372] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077a713c0 5 bytes JMP 0000000100070460 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2372] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077a71410 5 bytes JMP 0000000100070450 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2372] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077a71570 5 bytes JMP 0000000100070370 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2372] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077a715c0 5 bytes JMP 0000000100070470 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2372] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077a715d0 5 bytes JMP 00000001000703e0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2372] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077a71680 5 bytes JMP 0000000100070320 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2372] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077a716b0 5 bytes JMP 00000001000703b0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2372] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077a716d0 5 bytes JMP 0000000100070390 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2372] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077a71710 5 bytes JMP 00000001000702e0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2372] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077a71790 5 bytes JMP 00000001000702d0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2372] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077a717b0 5 bytes JMP 0000000100070310 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2372] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077a717f0 5 bytes JMP 00000001000703c0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2372] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077a71840 5 bytes JMP 00000001000703f0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2372] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077a719a0 1 byte JMP 0000000100070230 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2372] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000077a719a2 3 bytes {JMP 0xffffffff885fe890} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2372] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a71b60 5 bytes JMP 0000000100070480 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2372] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077a71b90 5 bytes JMP 00000001000703a0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2372] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077a71c70 5 bytes JMP 00000001000702f0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2372] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077a71c80 5 bytes JMP 0000000100070350 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2372] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077a71ce0 5 bytes JMP 0000000100070290 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2372] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077a71d70 5 bytes JMP 00000001000702b0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2372] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077a71d90 5 bytes JMP 00000001000703d0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2372] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077a71da0 1 byte JMP 0000000100070330 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2372] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077a71da2 3 bytes {JMP 0xffffffff885fe590} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2372] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077a71e10 5 bytes JMP 0000000100070410 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2372] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077a71e40 5 bytes JMP 0000000100070240 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2372] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077a72100 5 bytes JMP 00000001000701e0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2372] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077a721c0 1 byte JMP 0000000100070250 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2372] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000077a721c2 3 bytes {JMP 0xffffffff885fe090} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2372] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077a721f0 5 bytes JMP 0000000100070490 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2372] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077a72200 5 bytes JMP 00000001000704a0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2372] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077a72230 5 bytes JMP 0000000100070300 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2372] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077a72240 5 bytes JMP 0000000100070360 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2372] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077a722a0 5 bytes JMP 00000001000702a0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2372] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077a722f0 5 bytes JMP 00000001000702c0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2372] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077a72320 5 bytes JMP 0000000100070380 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2372] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077a72330 5 bytes JMP 0000000100070340 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2372] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077a72620 5 bytes JMP 0000000100070440 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2372] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077a72820 5 bytes JMP 0000000100070260 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2372] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077a72830 5 bytes JMP 0000000100070270 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2372] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077a72840 5 bytes JMP 0000000100070400 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2372] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077a72a00 5 bytes JMP 00000001000701f0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2372] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077a72a10 5 bytes JMP 0000000100070210 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2372] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077a72a80 5 bytes JMP 0000000100070200 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2372] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077a72ae0 5 bytes JMP 0000000100070420 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2372] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077a72af0 5 bytes JMP 0000000100070430 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2372] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077a72b00 5 bytes JMP 0000000100070220 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2372] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077a72be0 5 bytes JMP 0000000100070280 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2372] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007785eecd 1 byte [62] .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3280] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077a713c0 5 bytes JMP 0000000077bd0460 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3280] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077a71410 5 bytes JMP 0000000077bd0450 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3280] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077a71570 5 bytes JMP 0000000077bd0370 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3280] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077a715c0 5 bytes JMP 0000000077bd0470 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3280] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077a715d0 5 bytes JMP 0000000077bd03e0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3280] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077a71680 5 bytes JMP 0000000077bd0320 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3280] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077a716b0 5 bytes JMP 0000000077bd03b0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3280] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077a716d0 5 bytes JMP 0000000077bd0390 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3280] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077a71710 5 bytes JMP 0000000077bd02e0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3280] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077a71790 5 bytes JMP 0000000077bd02d0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3280] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077a717b0 5 bytes JMP 0000000077bd0310 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3280] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077a717f0 5 bytes JMP 0000000077bd03c0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3280] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077a71840 5 bytes JMP 0000000077bd03f0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3280] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077a719a0 1 byte JMP 0000000077bd0230 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3280] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000077a719a2 3 bytes {JMP 0x15e890} .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3280] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a71b60 5 bytes JMP 0000000077bd0480 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3280] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077a71b90 5 bytes JMP 0000000077bd03a0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3280] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077a71c70 5 bytes JMP 0000000077bd02f0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3280] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077a71c80 5 bytes JMP 0000000077bd0350 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3280] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077a71ce0 5 bytes JMP 0000000077bd0290 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3280] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077a71d70 5 bytes JMP 0000000077bd02b0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3280] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077a71d90 5 bytes JMP 0000000077bd03d0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3280] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077a71da0 1 byte JMP 0000000077bd0330 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3280] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077a71da2 3 bytes {JMP 0x15e590} .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3280] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077a71e10 5 bytes JMP 0000000077bd0410 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3280] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077a71e40 5 bytes JMP 0000000077bd0240 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3280] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077a72100 5 bytes JMP 0000000077bd01e0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3280] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077a721c0 1 byte JMP 0000000077bd0250 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3280] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000077a721c2 3 bytes {JMP 0x15e090} .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3280] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077a721f0 5 bytes JMP 0000000077bd0490 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3280] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077a72200 5 bytes JMP 0000000077bd04a0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3280] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077a72230 5 bytes JMP 0000000077bd0300 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3280] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077a72240 5 bytes JMP 0000000077bd0360 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3280] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077a722a0 5 bytes JMP 0000000077bd02a0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3280] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077a722f0 5 bytes JMP 0000000077bd02c0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3280] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077a72320 5 bytes JMP 0000000077bd0380 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3280] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077a72330 5 bytes JMP 0000000077bd0340 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3280] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077a72620 5 bytes JMP 0000000077bd0440 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3280] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077a72820 5 bytes JMP 0000000077bd0260 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3280] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077a72830 5 bytes JMP 0000000077bd0270 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3280] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077a72840 5 bytes JMP 0000000077bd0400 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3280] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077a72a00 5 bytes JMP 0000000077bd01f0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3280] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077a72a10 5 bytes JMP 0000000077bd0210 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3280] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077a72a80 5 bytes JMP 0000000077bd0200 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3280] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077a72ae0 5 bytes JMP 0000000077bd0420 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3280] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077a72af0 5 bytes JMP 0000000077bd0430 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3280] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077a72b00 5 bytes JMP 0000000077bd0220 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3280] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077a72be0 5 bytes JMP 0000000077bd0280 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4132] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007785eecd 1 byte [62] .text C:\Windows\system32\AUDIODG.EXE[4816] C:\Windows\System32\kernel32.dll!GetBinaryTypeW + 189 000000007785eecd 1 byte [62] .text C:\Program Files (x86)\Microsoft Office\Office12\OUTLOOK.EXE[4984] C:\Windows\syswow64\kernel32.dll!SetUnhandledExceptionFilter 00000000769b87c9 4 bytes JMP 0000000163995629 .text C:\Program Files (x86)\Microsoft Office\Office12\OUTLOOK.EXE[4984] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000769da322 1 byte [62] ? C:\Windows\system32\mssprxy.dll [4984] entry point in ".rdata" section 000000006e3271e6 .text C:\Program Files (x86)\Microsoft Office\Office12\OUTLOOK.EXE[4984] C:\Program Files (x86)\Common Files\SYSTEM\MSMAPI\1045\MSMAPI32.DLL!GetDefCachedModeDownloadPubFoldFavs@4 + 241 000000006dc21ed8 4 bytes [8A, 76, AF, 44] .text C:\Program Files (x86)\Microsoft Office\Office12\OUTLOOK.EXE[4984] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000761b1465 2 bytes [1B, 76] .text C:\Program Files (x86)\Microsoft Office\Office12\OUTLOOK.EXE[4984] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000761b14bb 2 bytes [1B, 76] .text ... * 2 .text C:\Users\Dom\Desktop\s42ku1rb.exe[2420] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000769da322 1 byte [62] ---- Threads - GMER 2.1 ---- Thread C:\Windows\System32\svchost.exe [252:1032] 000007fefc5ad8f8 Thread C:\Windows\System32\svchost.exe [252:1044] 000007fefc5a5620 Thread C:\Windows\System32\svchost.exe [252:1048] 000007fefc5a6e74 Thread C:\Windows\System32\svchost.exe [252:1100] 000007fefc4affc0 Thread C:\Windows\System32\svchost.exe [252:1120] 000007fefbfe331c Thread C:\Windows\System32\svchost.exe [252:1140] 000007fefbfa31f4 Thread C:\Windows\System32\svchost.exe [252:3516] 000007feef1514a0 Thread C:\Windows\System32\svchost.exe [252:3552] 000007feeefe20c0 Thread C:\Windows\System32\svchost.exe [252:3584] 000007feeefe26a8 Thread C:\Windows\System32\svchost.exe [252:3688] 000007feeefe29dc Thread C:\Windows\System32\svchost.exe [252:3696] 000007feeefe29dc Thread C:\Windows\System32\svchost.exe [252:4036] 000007fefb2044e0 Thread C:\Windows\System32\svchost.exe [252:4592] 000007feee723efc Thread C:\Windows\System32\svchost.exe [252:4656] 000007feee7a8a4c Thread C:\Windows\System32\svchost.exe [252:4856] 000007fefb7788f8 Thread C:\Windows\system32\svchost.exe [1056:3492] 000007fef95e0ea8 Thread C:\Windows\system32\svchost.exe [1056:3520] 000007fef95d9db0 Thread C:\Windows\system32\svchost.exe [1056:3648] 000007fef95daa10 Thread C:\Windows\system32\svchost.exe [1056:3680] 000007fef95e1c94 Thread C:\Windows\system32\svchost.exe [1056:3876] 000007feeee6d3c8 Thread C:\Windows\system32\svchost.exe [1056:3880] 000007feeee6d3c8 Thread C:\Windows\system32\svchost.exe [1056:3884] 000007feeee6d3c8 Thread C:\Windows\system32\svchost.exe [1056:3888] 000007feeee6d3c8 Thread C:\Windows\System32\spoolsv.exe [1440:2016] 000007fef91a10c8 Thread C:\Windows\System32\spoolsv.exe [1440:1568] 000007fef9166144 Thread C:\Windows\System32\spoolsv.exe [1440:1524] 000007fefb435fd0 Thread C:\Windows\System32\spoolsv.exe [1440:1704] 000007fef9143438 Thread C:\Windows\System32\spoolsv.exe [1440:1576] 000007fefb4363ec Thread C:\Windows\System32\spoolsv.exe [1440:2052] 000007fef9235e5c Thread C:\Windows\System32\spoolsv.exe [1440:2056] 000007fef9265090 Thread C:\Windows\system32\svchost.exe [1472:1712] 000007fefb8635c0 Thread C:\Windows\system32\svchost.exe [1472:3420] 000007fefb865600 Thread C:\Windows\system32\svchost.exe [1472:3640] 000007feeeed2940 Thread C:\Windows\system32\svchost.exe [1472:3656] 000007feeeeb2888 Thread C:\Windows\system32\svchost.exe [1472:1740] 000007feeeeb2a40 Thread C:\Windows\system32\svchost.exe [1672:1896] 000007fefb168470 Thread C:\Windows\system32\svchost.exe [1672:1904] 000007fefb172418 Thread C:\Windows\system32\svchost.exe [1672:4484] 000007fefae5f130 Thread C:\Windows\system32\svchost.exe [1672:4508] 000007fefae54734 Thread C:\Windows\system32\svchost.exe [1672:4792] 000007fefae54734 Thread C:\Windows\system32\svchost.exe [1672:5072] 000007feed775ec0 Thread C:\Windows\system32\svchost.exe [1728:1744] 000007feff38a808 Thread C:\Windows\system32\svchost.exe [1728:1796] 000007fefb3d7130 Thread C:\Windows\system32\svchost.exe [1728:1816] 000007fefb3cd5c0 Thread C:\Windows\system32\WUDFHost.exe [3904:4016] 000007feeeb224a0 Thread C:\Windows\System32\svchost.exe [3212:4308] 000007fef5d35170 Thread C:\Windows\System32\svchost.exe [3212:3164] 000007fefae99874 Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [4132:4360] 000007fefa602ab8 Thread C:\Windows\System32\svchost.exe [2572:2308] 000007feed4a9688 ---- Processes - GMER 2.1 ---- Library C:\Users\Dom\AppData\Roaming\newnext.me\nengine.dll (*** suspicious ***) @ C:\Windows\SysWOW64\rundll32.exe [2848] (NewNext Helper Engine/NewNextDotMe)(2014-02-06 20:22:58) 0000000072730000 ---- EOF - GMER 2.1 ----