GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2014-05-05 11:52:09 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\0000006a SAMSUNG_ rev.1AJ1 931,51GB Running: gmer.exe; Driver: C:\Users\user\AppData\Local\Temp\pxddypoc.sys ---- User code sections - GMER 2.1 ---- .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000773913c0 5 bytes JMP 0000000100120460 .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077391410 5 bytes JMP 0000000100120450 .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077391570 5 bytes JMP 0000000100120370 .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000773915c0 5 bytes JMP 0000000100120470 .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000773915d0 5 bytes JMP 00000001001203e0 .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077391680 5 bytes JMP 0000000100120320 .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000773916b0 5 bytes JMP 00000001001203b0 .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000773916d0 5 bytes JMP 0000000100120390 .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077391710 5 bytes JMP 00000001001202e0 .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077391790 5 bytes JMP 00000001001202d0 .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000773917b0 5 bytes JMP 0000000100120310 .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000773917f0 5 bytes JMP 00000001001203c0 .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077391840 5 bytes JMP 00000001001203f0 .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000773919a0 1 byte JMP 0000000100120230 .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000773919a2 3 bytes {JMP 0xffffffff88d8e890} .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077391b60 5 bytes JMP 0000000100120480 .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077391b90 5 bytes JMP 00000001001203a0 .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077391c70 5 bytes JMP 00000001001202f0 .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077391c80 5 bytes JMP 0000000100120350 .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077391ce0 5 bytes JMP 0000000100120290 .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077391d70 5 bytes JMP 00000001001202b0 .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077391d90 5 bytes JMP 00000001001203d0 .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077391da0 1 byte JMP 0000000100120330 .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077391da2 3 bytes {JMP 0xffffffff88d8e590} .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077391e10 5 bytes JMP 0000000100120410 .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077391e40 5 bytes JMP 0000000100120240 .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077392100 5 bytes JMP 00000001001201e0 .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000773921c0 1 byte JMP 0000000100120250 .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000773921c2 3 bytes {JMP 0xffffffff88d8e090} .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000773921f0 5 bytes JMP 0000000100120490 .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077392200 5 bytes JMP 00000001001204a0 .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077392230 5 bytes JMP 0000000100120300 .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077392240 5 bytes JMP 0000000100120360 .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000773922a0 5 bytes JMP 00000001001202a0 .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000773922f0 5 bytes JMP 00000001001202c0 .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077392320 5 bytes JMP 0000000100120380 .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077392330 5 bytes JMP 0000000100120340 .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077392620 5 bytes JMP 0000000100120440 .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077392820 5 bytes JMP 0000000100120260 .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077392830 5 bytes JMP 0000000100120270 .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077392840 5 bytes JMP 0000000100120400 .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077392a00 5 bytes JMP 00000001001201f0 .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077392a10 5 bytes JMP 0000000100120210 .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077392a80 5 bytes JMP 0000000100120200 .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077392ae0 5 bytes JMP 0000000100120420 .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077392af0 5 bytes JMP 0000000100120430 .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077392b00 5 bytes JMP 0000000100120220 .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077392be0 5 bytes JMP 0000000100120280 .text C:\Windows\system32\wininit.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000773913c0 5 bytes JMP 00000000774f0460 .text C:\Windows\system32\wininit.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077391410 5 bytes JMP 00000000774f0450 .text C:\Windows\system32\wininit.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077391570 5 bytes JMP 00000000774f0370 .text C:\Windows\system32\wininit.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000773915c0 5 bytes JMP 00000000774f0470 .text C:\Windows\system32\wininit.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000773915d0 5 bytes JMP 00000000774f03e0 .text C:\Windows\system32\wininit.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077391680 5 bytes JMP 00000000774f0320 .text C:\Windows\system32\wininit.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000773916b0 5 bytes JMP 00000000774f03b0 .text C:\Windows\system32\wininit.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000773916d0 5 bytes JMP 00000000774f0390 .text C:\Windows\system32\wininit.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077391710 5 bytes JMP 00000000774f02e0 .text C:\Windows\system32\wininit.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077391790 5 bytes JMP 00000000774f02d0 .text C:\Windows\system32\wininit.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000773917b0 5 bytes JMP 00000000774f0310 .text C:\Windows\system32\wininit.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000773917f0 5 bytes JMP 00000000774f03c0 .text C:\Windows\system32\wininit.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077391840 5 bytes JMP 00000000774f03f0 .text C:\Windows\system32\wininit.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000773919a0 1 byte JMP 00000000774f0230 .text C:\Windows\system32\wininit.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000773919a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\wininit.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077391b60 5 bytes JMP 00000000774f0480 .text C:\Windows\system32\wininit.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077391b90 5 bytes JMP 00000000774f03a0 .text C:\Windows\system32\wininit.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077391c70 5 bytes JMP 00000000774f02f0 .text C:\Windows\system32\wininit.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077391c80 5 bytes JMP 00000000774f0350 .text C:\Windows\system32\wininit.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077391ce0 5 bytes JMP 00000000774f0290 .text C:\Windows\system32\wininit.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077391d70 5 bytes JMP 00000000774f02b0 .text C:\Windows\system32\wininit.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077391d90 5 bytes JMP 00000000774f03d0 .text C:\Windows\system32\wininit.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077391da0 1 byte JMP 00000000774f0330 .text C:\Windows\system32\wininit.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077391da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\wininit.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077391e10 5 bytes JMP 00000000774f0410 .text C:\Windows\system32\wininit.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077391e40 5 bytes JMP 00000000774f0240 .text C:\Windows\system32\wininit.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077392100 5 bytes JMP 00000000774f01e0 .text C:\Windows\system32\wininit.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000773921c0 1 byte JMP 00000000774f0250 .text C:\Windows\system32\wininit.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000773921c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\wininit.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000773921f0 5 bytes JMP 00000000774f0490 .text C:\Windows\system32\wininit.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077392200 5 bytes JMP 00000000774f04a0 .text C:\Windows\system32\wininit.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077392230 5 bytes JMP 00000000774f0300 .text C:\Windows\system32\wininit.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077392240 5 bytes JMP 00000000774f0360 .text C:\Windows\system32\wininit.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000773922a0 5 bytes JMP 00000000774f02a0 .text C:\Windows\system32\wininit.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000773922f0 5 bytes JMP 00000000774f02c0 .text C:\Windows\system32\wininit.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077392320 5 bytes JMP 00000000774f0380 .text C:\Windows\system32\wininit.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077392330 5 bytes JMP 00000000774f0340 .text C:\Windows\system32\wininit.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077392620 5 bytes JMP 00000000774f0440 .text C:\Windows\system32\wininit.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077392820 5 bytes JMP 00000000774f0260 .text C:\Windows\system32\wininit.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077392830 5 bytes JMP 00000000774f0270 .text C:\Windows\system32\wininit.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077392840 5 bytes JMP 00000000774f0400 .text C:\Windows\system32\wininit.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077392a00 5 bytes JMP 00000000774f01f0 .text C:\Windows\system32\wininit.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077392a10 5 bytes JMP 00000000774f0210 .text C:\Windows\system32\wininit.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077392a80 5 bytes JMP 00000000774f0200 .text C:\Windows\system32\wininit.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077392ae0 5 bytes JMP 00000000774f0420 .text C:\Windows\system32\wininit.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077392af0 5 bytes JMP 00000000774f0430 .text C:\Windows\system32\wininit.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077392b00 5 bytes JMP 00000000774f0220 .text C:\Windows\system32\wininit.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077392be0 5 bytes JMP 00000000774f0280 .text C:\Windows\system32\wininit.exe[600] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007727ee7d 1 byte [62] .text C:\Windows\system32\csrss.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000773913c0 5 bytes JMP 0000000100120460 .text C:\Windows\system32\csrss.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077391410 5 bytes JMP 0000000100120450 .text C:\Windows\system32\csrss.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077391570 5 bytes JMP 0000000100120370 .text C:\Windows\system32\csrss.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000773915c0 5 bytes JMP 0000000100120470 .text C:\Windows\system32\csrss.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000773915d0 5 bytes JMP 00000001001203e0 .text C:\Windows\system32\csrss.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077391680 5 bytes JMP 0000000100120320 .text C:\Windows\system32\csrss.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000773916b0 5 bytes JMP 00000001001203b0 .text C:\Windows\system32\csrss.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000773916d0 5 bytes JMP 0000000100120390 .text C:\Windows\system32\csrss.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077391710 5 bytes JMP 00000001001202e0 .text C:\Windows\system32\csrss.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077391790 5 bytes JMP 00000001001202d0 .text C:\Windows\system32\csrss.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000773917b0 5 bytes JMP 0000000100120310 .text C:\Windows\system32\csrss.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000773917f0 5 bytes JMP 00000001001203c0 .text C:\Windows\system32\csrss.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077391840 5 bytes JMP 00000001001203f0 .text C:\Windows\system32\csrss.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000773919a0 1 byte JMP 0000000100120230 .text C:\Windows\system32\csrss.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000773919a2 3 bytes {JMP 0xffffffff88d8e890} .text C:\Windows\system32\csrss.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077391b60 5 bytes JMP 0000000100120480 .text C:\Windows\system32\csrss.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077391b90 5 bytes JMP 00000001001203a0 .text C:\Windows\system32\csrss.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077391c70 5 bytes JMP 00000001001202f0 .text C:\Windows\system32\csrss.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077391c80 5 bytes JMP 0000000100120350 .text C:\Windows\system32\csrss.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077391ce0 5 bytes JMP 0000000100120290 .text C:\Windows\system32\csrss.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077391d70 5 bytes JMP 00000001001202b0 .text C:\Windows\system32\csrss.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077391d90 5 bytes JMP 00000001001203d0 .text C:\Windows\system32\csrss.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077391da0 1 byte JMP 0000000100120330 .text C:\Windows\system32\csrss.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077391da2 3 bytes {JMP 0xffffffff88d8e590} .text C:\Windows\system32\csrss.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077391e10 5 bytes JMP 0000000100120410 .text C:\Windows\system32\csrss.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077391e40 5 bytes JMP 0000000100120240 .text C:\Windows\system32\csrss.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077392100 5 bytes JMP 00000001001201e0 .text C:\Windows\system32\csrss.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000773921c0 1 byte JMP 0000000100120250 .text C:\Windows\system32\csrss.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000773921c2 3 bytes {JMP 0xffffffff88d8e090} .text C:\Windows\system32\csrss.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000773921f0 5 bytes JMP 0000000100120490 .text C:\Windows\system32\csrss.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077392200 5 bytes JMP 00000001001204a0 .text C:\Windows\system32\csrss.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077392230 5 bytes JMP 0000000100120300 .text C:\Windows\system32\csrss.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077392240 5 bytes JMP 0000000100120360 .text C:\Windows\system32\csrss.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000773922a0 5 bytes JMP 00000001001202a0 .text C:\Windows\system32\csrss.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000773922f0 5 bytes JMP 00000001001202c0 .text C:\Windows\system32\csrss.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077392320 5 bytes JMP 0000000100120380 .text C:\Windows\system32\csrss.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077392330 5 bytes JMP 0000000100120340 .text C:\Windows\system32\csrss.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077392620 5 bytes JMP 0000000100120440 .text C:\Windows\system32\csrss.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077392820 5 bytes JMP 0000000100120260 .text C:\Windows\system32\csrss.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077392830 5 bytes JMP 0000000100120270 .text C:\Windows\system32\csrss.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077392840 5 bytes JMP 0000000100120400 .text C:\Windows\system32\csrss.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077392a00 5 bytes JMP 00000001001201f0 .text C:\Windows\system32\csrss.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077392a10 5 bytes JMP 0000000100120210 .text C:\Windows\system32\csrss.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077392a80 5 bytes JMP 0000000100120200 .text C:\Windows\system32\csrss.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077392ae0 5 bytes JMP 0000000100120420 .text C:\Windows\system32\csrss.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077392af0 5 bytes JMP 0000000100120430 .text C:\Windows\system32\csrss.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077392b00 5 bytes JMP 0000000100120220 .text C:\Windows\system32\csrss.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077392be0 5 bytes JMP 0000000100120280 .text C:\Windows\system32\services.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000773913c0 5 bytes JMP 00000000774f0460 .text C:\Windows\system32\services.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077391410 5 bytes JMP 00000000774f0450 .text C:\Windows\system32\services.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077391570 5 bytes JMP 00000000774f0370 .text C:\Windows\system32\services.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000773915c0 5 bytes JMP 00000000774f0470 .text C:\Windows\system32\services.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000773915d0 5 bytes JMP 00000000774f03e0 .text C:\Windows\system32\services.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077391680 5 bytes JMP 00000000774f0320 .text C:\Windows\system32\services.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000773916b0 5 bytes JMP 00000000774f03b0 .text C:\Windows\system32\services.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000773916d0 5 bytes JMP 00000000774f0390 .text C:\Windows\system32\services.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077391710 5 bytes JMP 00000000774f02e0 .text C:\Windows\system32\services.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077391790 5 bytes JMP 00000000774f02d0 .text C:\Windows\system32\services.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000773917b0 5 bytes JMP 00000000774f0310 .text C:\Windows\system32\services.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000773917f0 5 bytes JMP 00000000774f03c0 .text C:\Windows\system32\services.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077391840 5 bytes JMP 00000000774f03f0 .text C:\Windows\system32\services.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000773919a0 1 byte JMP 00000000774f0230 .text C:\Windows\system32\services.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000773919a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\services.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077391b60 5 bytes JMP 00000000774f0480 .text C:\Windows\system32\services.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077391b90 5 bytes JMP 00000000774f03a0 .text C:\Windows\system32\services.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077391c70 5 bytes JMP 00000000774f02f0 .text C:\Windows\system32\services.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077391c80 5 bytes JMP 00000000774f0350 .text C:\Windows\system32\services.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077391ce0 5 bytes JMP 00000000774f0290 .text C:\Windows\system32\services.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077391d70 5 bytes JMP 00000000774f02b0 .text C:\Windows\system32\services.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077391d90 5 bytes JMP 00000000774f03d0 .text C:\Windows\system32\services.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077391da0 1 byte JMP 00000000774f0330 .text C:\Windows\system32\services.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077391da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\services.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077391e10 5 bytes JMP 00000000774f0410 .text C:\Windows\system32\services.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077391e40 5 bytes JMP 00000000774f0240 .text C:\Windows\system32\services.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077392100 5 bytes JMP 00000000774f01e0 .text C:\Windows\system32\services.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000773921c0 1 byte JMP 00000000774f0250 .text C:\Windows\system32\services.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000773921c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\services.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000773921f0 5 bytes JMP 00000000774f0490 .text C:\Windows\system32\services.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077392200 5 bytes JMP 00000000774f04a0 .text C:\Windows\system32\services.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077392230 5 bytes JMP 00000000774f0300 .text C:\Windows\system32\services.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077392240 5 bytes JMP 00000000774f0360 .text C:\Windows\system32\services.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000773922a0 5 bytes JMP 00000000774f02a0 .text C:\Windows\system32\services.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000773922f0 5 bytes JMP 00000000774f02c0 .text C:\Windows\system32\services.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077392320 5 bytes JMP 00000000774f0380 .text C:\Windows\system32\services.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077392330 5 bytes JMP 00000000774f0340 .text C:\Windows\system32\services.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077392620 5 bytes JMP 00000000774f0440 .text C:\Windows\system32\services.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077392820 5 bytes JMP 00000000774f0260 .text C:\Windows\system32\services.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077392830 5 bytes JMP 00000000774f0270 .text C:\Windows\system32\services.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077392840 5 bytes JMP 00000000774f0400 .text C:\Windows\system32\services.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077392a00 5 bytes JMP 00000000774f01f0 .text C:\Windows\system32\services.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077392a10 5 bytes JMP 00000000774f0210 .text C:\Windows\system32\services.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077392a80 5 bytes JMP 00000000774f0200 .text C:\Windows\system32\services.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077392ae0 5 bytes JMP 00000000774f0420 .text C:\Windows\system32\services.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077392af0 5 bytes JMP 00000000774f0430 .text C:\Windows\system32\services.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077392b00 5 bytes JMP 00000000774f0220 .text C:\Windows\system32\services.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077392be0 5 bytes JMP 00000000774f0280 .text C:\Windows\system32\services.exe[656] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007727ee7d 1 byte [62] .text C:\Windows\system32\lsass.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000773913c0 5 bytes JMP 00000000774f0460 .text C:\Windows\system32\lsass.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077391410 5 bytes JMP 00000000774f0450 .text C:\Windows\system32\lsass.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077391570 5 bytes JMP 00000000774f0370 .text C:\Windows\system32\lsass.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000773915c0 5 bytes JMP 00000000774f0470 .text C:\Windows\system32\lsass.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000773915d0 5 bytes JMP 00000000774f03e0 .text C:\Windows\system32\lsass.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077391680 5 bytes JMP 00000000774f0320 .text C:\Windows\system32\lsass.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000773916b0 5 bytes JMP 00000000774f03b0 .text C:\Windows\system32\lsass.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000773916d0 5 bytes JMP 00000000774f0390 .text C:\Windows\system32\lsass.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077391710 5 bytes JMP 00000000774f02e0 .text C:\Windows\system32\lsass.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077391790 5 bytes JMP 00000000774f02d0 .text C:\Windows\system32\lsass.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000773917b0 5 bytes JMP 00000000774f0310 .text C:\Windows\system32\lsass.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000773917f0 5 bytes JMP 00000000774f03c0 .text C:\Windows\system32\lsass.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077391840 5 bytes JMP 00000000774f03f0 .text C:\Windows\system32\lsass.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000773919a0 1 byte JMP 00000000774f0230 .text C:\Windows\system32\lsass.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000773919a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\lsass.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077391b60 5 bytes JMP 00000000774f0480 .text C:\Windows\system32\lsass.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077391b90 5 bytes JMP 00000000774f03a0 .text C:\Windows\system32\lsass.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077391c70 5 bytes JMP 00000000774f02f0 .text C:\Windows\system32\lsass.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077391c80 5 bytes JMP 00000000774f0350 .text C:\Windows\system32\lsass.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077391ce0 5 bytes JMP 00000000774f0290 .text C:\Windows\system32\lsass.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077391d70 5 bytes JMP 00000000774f02b0 .text C:\Windows\system32\lsass.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077391d90 5 bytes JMP 00000000774f03d0 .text C:\Windows\system32\lsass.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077391da0 1 byte JMP 00000000774f0330 .text C:\Windows\system32\lsass.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077391da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\lsass.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077391e10 5 bytes JMP 00000000774f0410 .text C:\Windows\system32\lsass.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077391e40 5 bytes JMP 00000000774f0240 .text C:\Windows\system32\lsass.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077392100 5 bytes JMP 00000000774f01e0 .text C:\Windows\system32\lsass.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000773921c0 1 byte JMP 00000000774f0250 .text C:\Windows\system32\lsass.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000773921c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\lsass.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000773921f0 5 bytes JMP 00000000774f0490 .text C:\Windows\system32\lsass.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077392200 5 bytes JMP 00000000774f04a0 .text C:\Windows\system32\lsass.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077392230 5 bytes JMP 00000000774f0300 .text C:\Windows\system32\lsass.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077392240 5 bytes JMP 00000000774f0360 .text C:\Windows\system32\lsass.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000773922a0 5 bytes JMP 00000000774f02a0 .text C:\Windows\system32\lsass.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000773922f0 5 bytes JMP 00000000774f02c0 .text C:\Windows\system32\lsass.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077392320 5 bytes JMP 00000000774f0380 .text C:\Windows\system32\lsass.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077392330 5 bytes JMP 00000000774f0340 .text C:\Windows\system32\lsass.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077392620 5 bytes JMP 00000000774f0440 .text C:\Windows\system32\lsass.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077392820 5 bytes JMP 00000000774f0260 .text C:\Windows\system32\lsass.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077392830 5 bytes JMP 00000000774f0270 .text C:\Windows\system32\lsass.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077392840 5 bytes JMP 00000000774f0400 .text C:\Windows\system32\lsass.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077392a00 5 bytes JMP 00000000774f01f0 .text C:\Windows\system32\lsass.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077392a10 5 bytes JMP 00000000774f0210 .text C:\Windows\system32\lsass.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077392a80 5 bytes JMP 00000000774f0200 .text C:\Windows\system32\lsass.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077392ae0 5 bytes JMP 00000000774f0420 .text C:\Windows\system32\lsass.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077392af0 5 bytes JMP 00000000774f0430 .text C:\Windows\system32\lsass.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077392b00 5 bytes JMP 00000000774f0220 .text C:\Windows\system32\lsass.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077392be0 5 bytes JMP 00000000774f0280 .text C:\Windows\system32\lsm.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000773913c0 5 bytes JMP 00000000774f0460 .text C:\Windows\system32\lsm.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077391410 5 bytes JMP 00000000774f0450 .text C:\Windows\system32\lsm.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077391570 5 bytes JMP 00000000774f0370 .text C:\Windows\system32\lsm.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000773915c0 5 bytes JMP 00000000774f0470 .text C:\Windows\system32\lsm.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000773915d0 5 bytes JMP 00000000774f03e0 .text C:\Windows\system32\lsm.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077391680 5 bytes JMP 00000000774f0320 .text C:\Windows\system32\lsm.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000773916b0 5 bytes JMP 00000000774f03b0 .text C:\Windows\system32\lsm.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000773916d0 5 bytes JMP 00000000774f0390 .text C:\Windows\system32\lsm.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077391710 5 bytes JMP 00000000774f02e0 .text C:\Windows\system32\lsm.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077391790 5 bytes JMP 00000000774f02d0 .text C:\Windows\system32\lsm.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000773917b0 5 bytes JMP 00000000774f0310 .text C:\Windows\system32\lsm.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000773917f0 5 bytes JMP 00000000774f03c0 .text C:\Windows\system32\lsm.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077391840 5 bytes JMP 00000000774f03f0 .text C:\Windows\system32\lsm.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000773919a0 1 byte JMP 00000000774f0230 .text C:\Windows\system32\lsm.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000773919a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\lsm.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077391b60 5 bytes JMP 00000000774f0480 .text C:\Windows\system32\lsm.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077391b90 5 bytes JMP 00000000774f03a0 .text C:\Windows\system32\lsm.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077391c70 5 bytes JMP 00000000774f02f0 .text C:\Windows\system32\lsm.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077391c80 5 bytes JMP 00000000774f0350 .text C:\Windows\system32\lsm.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077391ce0 5 bytes JMP 00000000774f0290 .text C:\Windows\system32\lsm.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077391d70 5 bytes JMP 00000000774f02b0 .text C:\Windows\system32\lsm.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077391d90 5 bytes JMP 00000000774f03d0 .text C:\Windows\system32\lsm.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077391da0 1 byte JMP 00000000774f0330 .text C:\Windows\system32\lsm.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077391da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\lsm.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077391e10 5 bytes JMP 00000000774f0410 .text C:\Windows\system32\lsm.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077391e40 5 bytes JMP 00000000774f0240 .text C:\Windows\system32\lsm.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077392100 5 bytes JMP 00000000774f01e0 .text C:\Windows\system32\lsm.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000773921c0 1 byte JMP 00000000774f0250 .text C:\Windows\system32\lsm.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000773921c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\lsm.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000773921f0 5 bytes JMP 00000000774f0490 .text C:\Windows\system32\lsm.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077392200 5 bytes JMP 00000000774f04a0 .text C:\Windows\system32\lsm.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077392230 5 bytes JMP 00000000774f0300 .text C:\Windows\system32\lsm.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077392240 5 bytes JMP 00000000774f0360 .text C:\Windows\system32\lsm.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000773922a0 5 bytes JMP 00000000774f02a0 .text C:\Windows\system32\lsm.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000773922f0 5 bytes JMP 00000000774f02c0 .text C:\Windows\system32\lsm.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077392320 5 bytes JMP 00000000774f0380 .text C:\Windows\system32\lsm.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077392330 5 bytes JMP 00000000774f0340 .text C:\Windows\system32\lsm.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077392620 5 bytes JMP 00000000774f0440 .text C:\Windows\system32\lsm.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077392820 5 bytes JMP 00000000774f0260 .text C:\Windows\system32\lsm.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077392830 5 bytes JMP 00000000774f0270 .text C:\Windows\system32\lsm.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077392840 5 bytes JMP 00000000774f0400 .text C:\Windows\system32\lsm.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077392a00 5 bytes JMP 00000000774f01f0 .text C:\Windows\system32\lsm.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077392a10 5 bytes JMP 00000000774f0210 .text C:\Windows\system32\lsm.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077392a80 5 bytes JMP 00000000774f0200 .text C:\Windows\system32\lsm.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077392ae0 5 bytes JMP 00000000774f0420 .text C:\Windows\system32\lsm.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077392af0 5 bytes JMP 00000000774f0430 .text C:\Windows\system32\lsm.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077392b00 5 bytes JMP 00000000774f0220 .text C:\Windows\system32\lsm.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077392be0 5 bytes JMP 00000000774f0280 .text C:\Windows\system32\svchost.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000773913c0 5 bytes JMP 00000000774f0460 .text C:\Windows\system32\svchost.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077391410 5 bytes JMP 00000000774f0450 .text C:\Windows\system32\svchost.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077391570 5 bytes JMP 00000000774f0370 .text C:\Windows\system32\svchost.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000773915c0 5 bytes JMP 00000000774f0470 .text C:\Windows\system32\svchost.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000773915d0 5 bytes JMP 00000000774f03e0 .text C:\Windows\system32\svchost.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077391680 5 bytes JMP 00000000774f0320 .text C:\Windows\system32\svchost.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000773916b0 5 bytes JMP 00000000774f03b0 .text C:\Windows\system32\svchost.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000773916d0 5 bytes JMP 00000000774f0390 .text C:\Windows\system32\svchost.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077391710 5 bytes JMP 00000000774f02e0 .text C:\Windows\system32\svchost.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077391790 5 bytes JMP 00000000774f02d0 .text C:\Windows\system32\svchost.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000773917b0 5 bytes JMP 00000000774f0310 .text C:\Windows\system32\svchost.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000773917f0 5 bytes JMP 00000000774f03c0 .text C:\Windows\system32\svchost.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077391840 5 bytes JMP 00000000774f03f0 .text C:\Windows\system32\svchost.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000773919a0 1 byte JMP 00000000774f0230 .text C:\Windows\system32\svchost.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000773919a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\svchost.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077391b60 5 bytes JMP 00000000774f0480 .text C:\Windows\system32\svchost.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077391b90 5 bytes JMP 00000000774f03a0 .text C:\Windows\system32\svchost.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077391c70 5 bytes JMP 00000000774f02f0 .text C:\Windows\system32\svchost.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077391c80 5 bytes JMP 00000000774f0350 .text C:\Windows\system32\svchost.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077391ce0 5 bytes JMP 00000000774f0290 .text C:\Windows\system32\svchost.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077391d70 5 bytes JMP 00000000774f02b0 .text C:\Windows\system32\svchost.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077391d90 5 bytes JMP 00000000774f03d0 .text C:\Windows\system32\svchost.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077391da0 1 byte JMP 00000000774f0330 .text C:\Windows\system32\svchost.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077391da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\svchost.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077391e10 5 bytes JMP 00000000774f0410 .text C:\Windows\system32\svchost.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077391e40 5 bytes JMP 00000000774f0240 .text C:\Windows\system32\svchost.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077392100 5 bytes JMP 00000000774f01e0 .text C:\Windows\system32\svchost.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000773921c0 1 byte JMP 00000000774f0250 .text C:\Windows\system32\svchost.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000773921c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\svchost.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000773921f0 5 bytes JMP 00000000774f0490 .text C:\Windows\system32\svchost.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077392200 5 bytes JMP 00000000774f04a0 .text C:\Windows\system32\svchost.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077392230 5 bytes JMP 00000000774f0300 .text C:\Windows\system32\svchost.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077392240 5 bytes JMP 00000000774f0360 .text C:\Windows\system32\svchost.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000773922a0 5 bytes JMP 00000000774f02a0 .text C:\Windows\system32\svchost.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000773922f0 5 bytes JMP 00000000774f02c0 .text C:\Windows\system32\svchost.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077392320 5 bytes JMP 00000000774f0380 .text C:\Windows\system32\svchost.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077392330 5 bytes JMP 00000000774f0340 .text C:\Windows\system32\svchost.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077392620 5 bytes JMP 00000000774f0440 .text C:\Windows\system32\svchost.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077392820 5 bytes JMP 00000000774f0260 .text C:\Windows\system32\svchost.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077392830 5 bytes JMP 00000000774f0270 .text C:\Windows\system32\svchost.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077392840 5 bytes JMP 00000000774f0400 .text C:\Windows\system32\svchost.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077392a00 5 bytes JMP 00000000774f01f0 .text C:\Windows\system32\svchost.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077392a10 5 bytes JMP 00000000774f0210 .text C:\Windows\system32\svchost.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077392a80 5 bytes JMP 00000000774f0200 .text C:\Windows\system32\svchost.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077392ae0 5 bytes JMP 00000000774f0420 .text C:\Windows\system32\svchost.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077392af0 5 bytes JMP 00000000774f0430 .text C:\Windows\system32\svchost.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077392b00 5 bytes JMP 00000000774f0220 .text C:\Windows\system32\svchost.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077392be0 5 bytes JMP 00000000774f0280 .text C:\Windows\system32\svchost.exe[796] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007727ee7d 1 byte [62] .text C:\Windows\system32\winlogon.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000773913c0 5 bytes JMP 00000000774f0460 .text C:\Windows\system32\winlogon.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077391410 5 bytes JMP 00000000774f0450 .text C:\Windows\system32\winlogon.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077391570 5 bytes JMP 00000000774f0370 .text C:\Windows\system32\winlogon.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000773915c0 5 bytes JMP 00000000774f0470 .text C:\Windows\system32\winlogon.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000773915d0 5 bytes JMP 00000000774f03e0 .text C:\Windows\system32\winlogon.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077391680 5 bytes JMP 00000000774f0320 .text C:\Windows\system32\winlogon.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000773916b0 5 bytes JMP 00000000774f03b0 .text C:\Windows\system32\winlogon.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000773916d0 5 bytes JMP 00000000774f0390 .text C:\Windows\system32\winlogon.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077391710 5 bytes JMP 00000000774f02e0 .text C:\Windows\system32\winlogon.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077391790 5 bytes JMP 00000000774f02d0 .text C:\Windows\system32\winlogon.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000773917b0 5 bytes JMP 00000000774f0310 .text C:\Windows\system32\winlogon.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000773917f0 5 bytes JMP 00000000774f03c0 .text C:\Windows\system32\winlogon.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077391840 5 bytes JMP 00000000774f03f0 .text C:\Windows\system32\winlogon.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000773919a0 1 byte JMP 00000000774f0230 .text C:\Windows\system32\winlogon.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000773919a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\winlogon.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077391b60 5 bytes JMP 00000000774f0480 .text C:\Windows\system32\winlogon.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077391b90 5 bytes JMP 00000000774f03a0 .text C:\Windows\system32\winlogon.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077391c70 5 bytes JMP 00000000774f02f0 .text C:\Windows\system32\winlogon.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077391c80 5 bytes JMP 00000000774f0350 .text C:\Windows\system32\winlogon.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077391ce0 5 bytes JMP 00000000774f0290 .text C:\Windows\system32\winlogon.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077391d70 5 bytes JMP 00000000774f02b0 .text C:\Windows\system32\winlogon.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077391d90 5 bytes JMP 00000000774f03d0 .text C:\Windows\system32\winlogon.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077391da0 1 byte JMP 00000000774f0330 .text C:\Windows\system32\winlogon.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077391da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\winlogon.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077391e10 5 bytes JMP 00000000774f0410 .text C:\Windows\system32\winlogon.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077391e40 5 bytes JMP 00000000774f0240 .text C:\Windows\system32\winlogon.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077392100 5 bytes JMP 00000000774f01e0 .text C:\Windows\system32\winlogon.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000773921c0 1 byte JMP 00000000774f0250 .text C:\Windows\system32\winlogon.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000773921c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\winlogon.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000773921f0 5 bytes JMP 00000000774f0490 .text C:\Windows\system32\winlogon.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077392200 5 bytes JMP 00000000774f04a0 .text C:\Windows\system32\winlogon.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077392230 5 bytes JMP 00000000774f0300 .text C:\Windows\system32\winlogon.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077392240 5 bytes JMP 00000000774f0360 .text C:\Windows\system32\winlogon.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000773922a0 5 bytes JMP 00000000774f02a0 .text C:\Windows\system32\winlogon.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000773922f0 5 bytes JMP 00000000774f02c0 .text C:\Windows\system32\winlogon.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077392320 5 bytes JMP 00000000774f0380 .text C:\Windows\system32\winlogon.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077392330 5 bytes JMP 00000000774f0340 .text C:\Windows\system32\winlogon.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077392620 5 bytes JMP 00000000774f0440 .text C:\Windows\system32\winlogon.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077392820 5 bytes JMP 00000000774f0260 .text C:\Windows\system32\winlogon.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077392830 5 bytes JMP 00000000774f0270 .text C:\Windows\system32\winlogon.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077392840 5 bytes JMP 00000000774f0400 .text C:\Windows\system32\winlogon.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077392a00 5 bytes JMP 00000000774f01f0 .text C:\Windows\system32\winlogon.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077392a10 5 bytes JMP 00000000774f0210 .text C:\Windows\system32\winlogon.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077392a80 5 bytes JMP 00000000774f0200 .text C:\Windows\system32\winlogon.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077392ae0 5 bytes JMP 00000000774f0420 .text C:\Windows\system32\winlogon.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077392af0 5 bytes JMP 00000000774f0430 .text C:\Windows\system32\winlogon.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077392b00 5 bytes JMP 00000000774f0220 .text C:\Windows\system32\winlogon.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077392be0 5 bytes JMP 00000000774f0280 .text C:\Windows\system32\winlogon.exe[856] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007727ee7d 1 byte [62] .text C:\Windows\system32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000773913c0 5 bytes JMP 00000000774f0460 .text C:\Windows\system32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077391410 5 bytes JMP 00000000774f0450 .text C:\Windows\system32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077391570 5 bytes JMP 00000000774f0370 .text C:\Windows\system32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000773915c0 5 bytes JMP 00000000774f0470 .text C:\Windows\system32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000773915d0 5 bytes JMP 00000000774f03e0 .text C:\Windows\system32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077391680 5 bytes JMP 00000000774f0320 .text C:\Windows\system32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000773916b0 5 bytes JMP 00000000774f03b0 .text C:\Windows\system32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000773916d0 5 bytes JMP 00000000774f0390 .text C:\Windows\system32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077391710 5 bytes JMP 00000000774f02e0 .text C:\Windows\system32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077391790 5 bytes JMP 00000000774f02d0 .text C:\Windows\system32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000773917b0 5 bytes JMP 00000000774f0310 .text C:\Windows\system32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000773917f0 5 bytes JMP 00000000774f03c0 .text C:\Windows\system32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077391840 5 bytes JMP 00000000774f03f0 .text C:\Windows\system32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000773919a0 1 byte JMP 00000000774f0230 .text C:\Windows\system32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000773919a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077391b60 5 bytes JMP 00000000774f0480 .text C:\Windows\system32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077391b90 5 bytes JMP 00000000774f03a0 .text C:\Windows\system32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077391c70 5 bytes JMP 00000000774f02f0 .text C:\Windows\system32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077391c80 5 bytes JMP 00000000774f0350 .text C:\Windows\system32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077391ce0 5 bytes JMP 00000000774f0290 .text C:\Windows\system32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077391d70 5 bytes JMP 00000000774f02b0 .text C:\Windows\system32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077391d90 5 bytes JMP 00000000774f03d0 .text C:\Windows\system32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077391da0 1 byte JMP 00000000774f0330 .text C:\Windows\system32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077391da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077391e10 5 bytes JMP 00000000774f0410 .text C:\Windows\system32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077391e40 5 bytes JMP 00000000774f0240 .text C:\Windows\system32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077392100 5 bytes JMP 00000000774f01e0 .text C:\Windows\system32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000773921c0 1 byte JMP 00000000774f0250 .text C:\Windows\system32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000773921c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000773921f0 5 bytes JMP 00000000774f0490 .text C:\Windows\system32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077392200 5 bytes JMP 00000000774f04a0 .text C:\Windows\system32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077392230 5 bytes JMP 00000000774f0300 .text C:\Windows\system32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077392240 5 bytes JMP 00000000774f0360 .text C:\Windows\system32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000773922a0 5 bytes JMP 00000000774f02a0 .text C:\Windows\system32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000773922f0 5 bytes JMP 00000000774f02c0 .text C:\Windows\system32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077392320 5 bytes JMP 00000000774f0380 .text C:\Windows\system32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077392330 5 bytes JMP 00000000774f0340 .text C:\Windows\system32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077392620 5 bytes JMP 00000000774f0440 .text C:\Windows\system32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077392820 5 bytes JMP 00000000774f0260 .text C:\Windows\system32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077392830 5 bytes JMP 00000000774f0270 .text C:\Windows\system32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077392840 5 bytes JMP 00000000774f0400 .text C:\Windows\system32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077392a00 5 bytes JMP 00000000774f01f0 .text C:\Windows\system32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077392a10 5 bytes JMP 00000000774f0210 .text C:\Windows\system32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077392a80 5 bytes JMP 00000000774f0200 .text C:\Windows\system32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077392ae0 5 bytes JMP 00000000774f0420 .text C:\Windows\system32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077392af0 5 bytes JMP 00000000774f0430 .text C:\Windows\system32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077392b00 5 bytes JMP 00000000774f0220 .text C:\Windows\system32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077392be0 5 bytes JMP 00000000774f0280 .text C:\Windows\system32\atiesrxx.exe[1008] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007727ee7d 1 byte [62] .text C:\Windows\System32\svchost.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000773913c0 5 bytes JMP 00000000774f0460 .text C:\Windows\System32\svchost.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077391410 5 bytes JMP 00000000774f0450 .text C:\Windows\System32\svchost.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077391570 5 bytes JMP 00000000774f0370 .text C:\Windows\System32\svchost.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000773915c0 5 bytes JMP 00000000774f0470 .text C:\Windows\System32\svchost.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000773915d0 5 bytes JMP 00000000774f03e0 .text C:\Windows\System32\svchost.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077391680 5 bytes JMP 00000000774f0320 .text C:\Windows\System32\svchost.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000773916b0 5 bytes JMP 00000000774f03b0 .text C:\Windows\System32\svchost.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000773916d0 5 bytes JMP 00000000774f0390 .text C:\Windows\System32\svchost.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077391710 5 bytes JMP 00000000774f02e0 .text C:\Windows\System32\svchost.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077391790 5 bytes JMP 00000000774f02d0 .text C:\Windows\System32\svchost.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000773917b0 5 bytes JMP 00000000774f0310 .text C:\Windows\System32\svchost.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000773917f0 5 bytes JMP 00000000774f03c0 .text C:\Windows\System32\svchost.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077391840 5 bytes JMP 00000000774f03f0 .text C:\Windows\System32\svchost.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000773919a0 1 byte JMP 00000000774f0230 .text C:\Windows\System32\svchost.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000773919a2 3 bytes {JMP 0x15e890} .text C:\Windows\System32\svchost.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077391b60 5 bytes JMP 00000000774f0480 .text C:\Windows\System32\svchost.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077391b90 5 bytes JMP 00000000774f03a0 .text C:\Windows\System32\svchost.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077391c70 5 bytes JMP 00000000774f02f0 .text C:\Windows\System32\svchost.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077391c80 5 bytes JMP 00000000774f0350 .text C:\Windows\System32\svchost.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077391ce0 5 bytes JMP 00000000774f0290 .text C:\Windows\System32\svchost.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077391d70 5 bytes JMP 00000000774f02b0 .text C:\Windows\System32\svchost.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077391d90 5 bytes JMP 00000000774f03d0 .text C:\Windows\System32\svchost.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077391da0 1 byte JMP 00000000774f0330 .text C:\Windows\System32\svchost.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077391da2 3 bytes {JMP 0x15e590} .text C:\Windows\System32\svchost.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077391e10 5 bytes JMP 00000000774f0410 .text C:\Windows\System32\svchost.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077391e40 5 bytes JMP 00000000774f0240 .text C:\Windows\System32\svchost.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077392100 5 bytes JMP 00000000774f01e0 .text C:\Windows\System32\svchost.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000773921c0 1 byte JMP 00000000774f0250 .text C:\Windows\System32\svchost.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000773921c2 3 bytes {JMP 0x15e090} .text C:\Windows\System32\svchost.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000773921f0 5 bytes JMP 00000000774f0490 .text C:\Windows\System32\svchost.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077392200 5 bytes JMP 00000000774f04a0 .text C:\Windows\System32\svchost.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077392230 5 bytes JMP 00000000774f0300 .text C:\Windows\System32\svchost.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077392240 5 bytes JMP 00000000774f0360 .text C:\Windows\System32\svchost.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000773922a0 5 bytes JMP 00000000774f02a0 .text C:\Windows\System32\svchost.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000773922f0 5 bytes JMP 00000000774f02c0 .text C:\Windows\System32\svchost.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077392320 5 bytes JMP 00000000774f0380 .text C:\Windows\System32\svchost.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077392330 5 bytes JMP 00000000774f0340 .text C:\Windows\System32\svchost.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077392620 5 bytes JMP 00000000774f0440 .text C:\Windows\System32\svchost.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077392820 5 bytes JMP 00000000774f0260 .text C:\Windows\System32\svchost.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077392830 5 bytes JMP 00000000774f0270 .text C:\Windows\System32\svchost.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077392840 5 bytes JMP 00000000774f0400 .text C:\Windows\System32\svchost.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077392a00 5 bytes JMP 00000000774f01f0 .text C:\Windows\System32\svchost.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077392a10 5 bytes JMP 00000000774f0210 .text C:\Windows\System32\svchost.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077392a80 5 bytes JMP 00000000774f0200 .text C:\Windows\System32\svchost.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077392ae0 5 bytes JMP 00000000774f0420 .text C:\Windows\System32\svchost.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077392af0 5 bytes JMP 00000000774f0430 .text C:\Windows\System32\svchost.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077392b00 5 bytes JMP 00000000774f0220 .text C:\Windows\System32\svchost.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077392be0 5 bytes JMP 00000000774f0280 .text C:\Windows\System32\svchost.exe[484] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007727ee7d 1 byte [62] .text C:\Windows\System32\svchost.exe[516] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007727ee7d 1 byte [62] .text C:\Windows\system32\AUDIODG.EXE[140] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000773913c0 5 bytes JMP 00000000774f0460 .text C:\Windows\system32\AUDIODG.EXE[140] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077391410 5 bytes JMP 00000000774f0450 .text C:\Windows\system32\AUDIODG.EXE[140] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077391570 5 bytes JMP 00000000774f0370 .text C:\Windows\system32\AUDIODG.EXE[140] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000773915c0 5 bytes JMP 00000000774f0470 .text C:\Windows\system32\AUDIODG.EXE[140] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000773915d0 5 bytes JMP 00000000774f03e0 .text C:\Windows\system32\AUDIODG.EXE[140] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077391680 5 bytes JMP 00000000774f0320 .text C:\Windows\system32\AUDIODG.EXE[140] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000773916b0 5 bytes JMP 00000000774f03b0 .text C:\Windows\system32\AUDIODG.EXE[140] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000773916d0 5 bytes JMP 00000000774f0390 .text C:\Windows\system32\AUDIODG.EXE[140] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077391710 5 bytes JMP 00000000774f02e0 .text C:\Windows\system32\AUDIODG.EXE[140] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077391790 5 bytes JMP 00000000774f02d0 .text C:\Windows\system32\AUDIODG.EXE[140] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000773917b0 5 bytes JMP 00000000774f0310 .text C:\Windows\system32\AUDIODG.EXE[140] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000773917f0 5 bytes JMP 00000000774f03c0 .text C:\Windows\system32\AUDIODG.EXE[140] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077391840 5 bytes JMP 00000000774f03f0 .text C:\Windows\system32\AUDIODG.EXE[140] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000773919a0 1 byte JMP 00000000774f0230 .text C:\Windows\system32\AUDIODG.EXE[140] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000773919a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\AUDIODG.EXE[140] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077391b60 5 bytes JMP 00000000774f0480 .text C:\Windows\system32\AUDIODG.EXE[140] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077391b90 5 bytes JMP 00000000774f03a0 .text C:\Windows\system32\AUDIODG.EXE[140] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077391c70 5 bytes JMP 00000000774f02f0 .text C:\Windows\system32\AUDIODG.EXE[140] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077391c80 5 bytes JMP 00000000774f0350 .text C:\Windows\system32\AUDIODG.EXE[140] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077391ce0 5 bytes JMP 00000000774f0290 .text C:\Windows\system32\AUDIODG.EXE[140] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077391d70 5 bytes JMP 00000000774f02b0 .text C:\Windows\system32\AUDIODG.EXE[140] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077391d90 5 bytes JMP 00000000774f03d0 .text C:\Windows\system32\AUDIODG.EXE[140] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077391da0 1 byte JMP 00000000774f0330 .text C:\Windows\system32\AUDIODG.EXE[140] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077391da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\AUDIODG.EXE[140] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077391e10 5 bytes JMP 00000000774f0410 .text C:\Windows\system32\AUDIODG.EXE[140] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077391e40 5 bytes JMP 00000000774f0240 .text C:\Windows\system32\AUDIODG.EXE[140] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077392100 5 bytes JMP 00000000774f01e0 .text C:\Windows\system32\AUDIODG.EXE[140] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000773921c0 1 byte JMP 00000000774f0250 .text C:\Windows\system32\AUDIODG.EXE[140] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000773921c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\AUDIODG.EXE[140] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000773921f0 5 bytes JMP 00000000774f0490 .text C:\Windows\system32\AUDIODG.EXE[140] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077392200 5 bytes JMP 00000000774f04a0 .text C:\Windows\system32\AUDIODG.EXE[140] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077392230 5 bytes JMP 00000000774f0300 .text C:\Windows\system32\AUDIODG.EXE[140] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077392240 5 bytes JMP 00000000774f0360 .text C:\Windows\system32\AUDIODG.EXE[140] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000773922a0 5 bytes JMP 00000000774f02a0 .text C:\Windows\system32\AUDIODG.EXE[140] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000773922f0 5 bytes JMP 00000000774f02c0 .text C:\Windows\system32\AUDIODG.EXE[140] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077392320 5 bytes JMP 00000000774f0380 .text C:\Windows\system32\AUDIODG.EXE[140] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077392330 5 bytes JMP 00000000774f0340 .text C:\Windows\system32\AUDIODG.EXE[140] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077392620 5 bytes JMP 00000000774f0440 .text C:\Windows\system32\AUDIODG.EXE[140] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077392820 5 bytes JMP 00000000774f0260 .text C:\Windows\system32\AUDIODG.EXE[140] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077392830 5 bytes JMP 00000000774f0270 .text C:\Windows\system32\AUDIODG.EXE[140] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077392840 5 bytes JMP 00000000774f0400 .text C:\Windows\system32\AUDIODG.EXE[140] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077392a00 5 bytes JMP 00000000774f01f0 .text C:\Windows\system32\AUDIODG.EXE[140] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077392a10 5 bytes JMP 00000000774f0210 .text C:\Windows\system32\AUDIODG.EXE[140] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077392a80 5 bytes JMP 00000000774f0200 .text C:\Windows\system32\AUDIODG.EXE[140] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077392ae0 5 bytes JMP 00000000774f0420 .text C:\Windows\system32\AUDIODG.EXE[140] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077392af0 5 bytes JMP 00000000774f0430 .text C:\Windows\system32\AUDIODG.EXE[140] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077392b00 5 bytes JMP 00000000774f0220 .text C:\Windows\system32\AUDIODG.EXE[140] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077392be0 5 bytes JMP 00000000774f0280 .text C:\Windows\system32\AUDIODG.EXE[140] C:\Windows\System32\kernel32.dll!GetBinaryTypeW + 189 000000007727ee7d 1 byte [62] .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000773913c0 5 bytes JMP 0000000100070460 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077391410 5 bytes JMP 0000000100070450 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077391570 5 bytes JMP 0000000100070370 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000773915c0 5 bytes JMP 0000000100070470 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000773915d0 5 bytes JMP 00000001000703e0 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077391680 5 bytes JMP 0000000100070320 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000773916b0 5 bytes JMP 00000001000703b0 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000773916d0 5 bytes JMP 0000000100070390 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077391710 5 bytes JMP 00000001000702e0 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077391790 5 bytes JMP 00000001000702d0 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000773917b0 5 bytes JMP 0000000100070310 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000773917f0 5 bytes JMP 00000001000703c0 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077391840 5 bytes JMP 00000001000703f0 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000773919a0 1 byte JMP 0000000100070230 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000773919a2 3 bytes {JMP 0xffffffff88cde890} .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077391b60 5 bytes JMP 0000000100070480 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077391b90 5 bytes JMP 00000001000703a0 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077391c70 5 bytes JMP 00000001000702f0 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077391c80 5 bytes JMP 0000000100070350 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077391ce0 5 bytes JMP 0000000100070290 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077391d70 5 bytes JMP 00000001000702b0 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077391d90 5 bytes JMP 00000001000703d0 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077391da0 1 byte JMP 0000000100070330 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077391da2 3 bytes {JMP 0xffffffff88cde590} .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077391e10 5 bytes JMP 0000000100070410 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077391e40 5 bytes JMP 0000000100070240 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077392100 5 bytes JMP 00000001000701e0 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000773921c0 1 byte JMP 0000000100070250 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000773921c2 3 bytes {JMP 0xffffffff88cde090} .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000773921f0 5 bytes JMP 0000000100070490 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077392200 5 bytes JMP 00000001000704a0 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077392230 5 bytes JMP 0000000100070300 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077392240 5 bytes JMP 0000000100070360 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000773922a0 5 bytes JMP 00000001000702a0 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000773922f0 5 bytes JMP 00000001000702c0 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077392320 5 bytes JMP 0000000100070380 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077392330 5 bytes JMP 0000000100070340 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077392620 5 bytes JMP 0000000100070440 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077392820 5 bytes JMP 0000000100070260 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077392830 5 bytes JMP 0000000100070270 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077392840 5 bytes JMP 0000000100070400 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077392a00 5 bytes JMP 00000001000701f0 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077392a10 5 bytes JMP 0000000100070210 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077392a80 5 bytes JMP 0000000100070200 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077392ae0 5 bytes JMP 0000000100070420 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077392af0 5 bytes JMP 0000000100070430 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077392b00 5 bytes JMP 0000000100070220 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077392be0 5 bytes JMP 0000000100070280 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007727ee7d 1 byte [62] .text C:\Windows\system32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000773913c0 5 bytes JMP 00000000774f0460 .text C:\Windows\system32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077391410 5 bytes JMP 00000000774f0450 .text C:\Windows\system32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077391570 5 bytes JMP 00000000774f0370 .text C:\Windows\system32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000773915c0 5 bytes JMP 00000000774f0470 .text C:\Windows\system32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000773915d0 5 bytes JMP 00000000774f03e0 .text C:\Windows\system32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077391680 5 bytes JMP 00000000774f0320 .text C:\Windows\system32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000773916b0 5 bytes JMP 00000000774f03b0 .text C:\Windows\system32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000773916d0 5 bytes JMP 00000000774f0390 .text C:\Windows\system32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077391710 5 bytes JMP 00000000774f02e0 .text C:\Windows\system32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077391790 5 bytes JMP 00000000774f02d0 .text C:\Windows\system32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000773917b0 5 bytes JMP 00000000774f0310 .text C:\Windows\system32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000773917f0 5 bytes JMP 00000000774f03c0 .text C:\Windows\system32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077391840 5 bytes JMP 00000000774f03f0 .text C:\Windows\system32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000773919a0 1 byte JMP 00000000774f0230 .text C:\Windows\system32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000773919a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077391b60 5 bytes JMP 00000000774f0480 .text C:\Windows\system32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077391b90 5 bytes JMP 00000000774f03a0 .text C:\Windows\system32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077391c70 5 bytes JMP 00000000774f02f0 .text C:\Windows\system32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077391c80 5 bytes JMP 00000000774f0350 .text C:\Windows\system32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077391ce0 5 bytes JMP 00000000774f0290 .text C:\Windows\system32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077391d70 5 bytes JMP 00000000774f02b0 .text C:\Windows\system32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077391d90 5 bytes JMP 00000000774f03d0 .text C:\Windows\system32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077391da0 1 byte JMP 00000000774f0330 .text C:\Windows\system32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077391da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077391e10 5 bytes JMP 00000000774f0410 .text C:\Windows\system32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077391e40 5 bytes JMP 00000000774f0240 .text C:\Windows\system32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077392100 5 bytes JMP 00000000774f01e0 .text C:\Windows\system32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000773921c0 1 byte JMP 00000000774f0250 .text C:\Windows\system32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000773921c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000773921f0 5 bytes JMP 00000000774f0490 .text C:\Windows\system32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077392200 5 bytes JMP 00000000774f04a0 .text C:\Windows\system32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077392230 5 bytes JMP 00000000774f0300 .text C:\Windows\system32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077392240 5 bytes JMP 00000000774f0360 .text C:\Windows\system32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000773922a0 5 bytes JMP 00000000774f02a0 .text C:\Windows\system32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000773922f0 5 bytes JMP 00000000774f02c0 .text C:\Windows\system32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077392320 5 bytes JMP 00000000774f0380 .text C:\Windows\system32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077392330 5 bytes JMP 00000000774f0340 .text C:\Windows\system32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077392620 5 bytes JMP 00000000774f0440 .text C:\Windows\system32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077392820 5 bytes JMP 00000000774f0260 .text C:\Windows\system32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077392830 5 bytes JMP 00000000774f0270 .text C:\Windows\system32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077392840 5 bytes JMP 00000000774f0400 .text C:\Windows\system32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077392a00 5 bytes JMP 00000000774f01f0 .text C:\Windows\system32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077392a10 5 bytes JMP 00000000774f0210 .text C:\Windows\system32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077392a80 5 bytes JMP 00000000774f0200 .text C:\Windows\system32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077392ae0 5 bytes JMP 00000000774f0420 .text C:\Windows\system32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077392af0 5 bytes JMP 00000000774f0430 .text C:\Windows\system32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077392b00 5 bytes JMP 00000000774f0220 .text C:\Windows\system32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077392be0 5 bytes JMP 00000000774f0280 .text C:\Windows\system32\svchost.exe[1096] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007727ee7d 1 byte [62] .text C:\Windows\system32\atieclxx.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000773913c0 5 bytes JMP 00000000774f0460 .text C:\Windows\system32\atieclxx.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077391410 5 bytes JMP 00000000774f0450 .text C:\Windows\system32\atieclxx.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077391570 5 bytes JMP 00000000774f0370 .text C:\Windows\system32\atieclxx.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000773915c0 5 bytes JMP 00000000774f0470 .text C:\Windows\system32\atieclxx.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000773915d0 5 bytes JMP 00000000774f03e0 .text C:\Windows\system32\atieclxx.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077391680 5 bytes JMP 00000000774f0320 .text C:\Windows\system32\atieclxx.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000773916b0 5 bytes JMP 00000000774f03b0 .text C:\Windows\system32\atieclxx.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000773916d0 5 bytes JMP 00000000774f0390 .text C:\Windows\system32\atieclxx.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077391710 5 bytes JMP 00000000774f02e0 .text C:\Windows\system32\atieclxx.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077391790 5 bytes JMP 00000000774f02d0 .text C:\Windows\system32\atieclxx.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000773917b0 5 bytes JMP 00000000774f0310 .text C:\Windows\system32\atieclxx.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000773917f0 5 bytes JMP 00000000774f03c0 .text C:\Windows\system32\atieclxx.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077391840 5 bytes JMP 00000000774f03f0 .text C:\Windows\system32\atieclxx.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000773919a0 1 byte JMP 00000000774f0230 .text C:\Windows\system32\atieclxx.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000773919a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\atieclxx.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077391b60 5 bytes JMP 00000000774f0480 .text C:\Windows\system32\atieclxx.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077391b90 5 bytes JMP 00000000774f03a0 .text C:\Windows\system32\atieclxx.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077391c70 5 bytes JMP 00000000774f02f0 .text C:\Windows\system32\atieclxx.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077391c80 5 bytes JMP 00000000774f0350 .text C:\Windows\system32\atieclxx.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077391ce0 5 bytes JMP 00000000774f0290 .text C:\Windows\system32\atieclxx.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077391d70 5 bytes JMP 00000000774f02b0 .text C:\Windows\system32\atieclxx.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077391d90 5 bytes JMP 00000000774f03d0 .text C:\Windows\system32\atieclxx.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077391da0 1 byte JMP 00000000774f0330 .text C:\Windows\system32\atieclxx.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077391da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\atieclxx.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077391e10 5 bytes JMP 00000000774f0410 .text C:\Windows\system32\atieclxx.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077391e40 5 bytes JMP 00000000774f0240 .text C:\Windows\system32\atieclxx.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077392100 5 bytes JMP 00000000774f01e0 .text C:\Windows\system32\atieclxx.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000773921c0 1 byte JMP 00000000774f0250 .text C:\Windows\system32\atieclxx.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000773921c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\atieclxx.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000773921f0 5 bytes JMP 00000000774f0490 .text C:\Windows\system32\atieclxx.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077392200 5 bytes JMP 00000000774f04a0 .text C:\Windows\system32\atieclxx.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077392230 5 bytes JMP 00000000774f0300 .text C:\Windows\system32\atieclxx.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077392240 5 bytes JMP 00000000774f0360 .text C:\Windows\system32\atieclxx.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000773922a0 5 bytes JMP 00000000774f02a0 .text C:\Windows\system32\atieclxx.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000773922f0 5 bytes JMP 00000000774f02c0 .text C:\Windows\system32\atieclxx.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077392320 5 bytes JMP 00000000774f0380 .text C:\Windows\system32\atieclxx.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077392330 5 bytes JMP 00000000774f0340 .text C:\Windows\system32\atieclxx.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077392620 5 bytes JMP 00000000774f0440 .text C:\Windows\system32\atieclxx.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077392820 5 bytes JMP 00000000774f0260 .text C:\Windows\system32\atieclxx.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077392830 5 bytes JMP 00000000774f0270 .text C:\Windows\system32\atieclxx.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077392840 5 bytes JMP 00000000774f0400 .text C:\Windows\system32\atieclxx.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077392a00 5 bytes JMP 00000000774f01f0 .text C:\Windows\system32\atieclxx.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077392a10 5 bytes JMP 00000000774f0210 .text C:\Windows\system32\atieclxx.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077392a80 5 bytes JMP 00000000774f0200 .text C:\Windows\system32\atieclxx.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077392ae0 5 bytes JMP 00000000774f0420 .text C:\Windows\system32\atieclxx.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077392af0 5 bytes JMP 00000000774f0430 .text C:\Windows\system32\atieclxx.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077392b00 5 bytes JMP 00000000774f0220 .text C:\Windows\system32\atieclxx.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077392be0 5 bytes JMP 00000000774f0280 .text C:\Windows\system32\svchost.exe[1252] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000773913c0 5 bytes JMP 00000000774f0460 .text C:\Windows\system32\svchost.exe[1252] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077391410 5 bytes JMP 00000000774f0450 .text C:\Windows\system32\svchost.exe[1252] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077391570 5 bytes JMP 00000000774f0370 .text C:\Windows\system32\svchost.exe[1252] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000773915c0 5 bytes JMP 00000000774f0470 .text C:\Windows\system32\svchost.exe[1252] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000773915d0 5 bytes JMP 00000000774f03e0 .text C:\Windows\system32\svchost.exe[1252] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077391680 5 bytes JMP 00000000774f0320 .text C:\Windows\system32\svchost.exe[1252] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000773916b0 5 bytes JMP 00000000774f03b0 .text C:\Windows\system32\svchost.exe[1252] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000773916d0 5 bytes JMP 00000000774f0390 .text C:\Windows\system32\svchost.exe[1252] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077391710 5 bytes JMP 00000000774f02e0 .text C:\Windows\system32\svchost.exe[1252] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077391790 5 bytes JMP 00000000774f02d0 .text C:\Windows\system32\svchost.exe[1252] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000773917b0 5 bytes JMP 00000000774f0310 .text C:\Windows\system32\svchost.exe[1252] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000773917f0 5 bytes JMP 00000000774f03c0 .text C:\Windows\system32\svchost.exe[1252] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077391840 5 bytes JMP 00000000774f03f0 .text C:\Windows\system32\svchost.exe[1252] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000773919a0 1 byte JMP 00000000774f0230 .text C:\Windows\system32\svchost.exe[1252] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000773919a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\svchost.exe[1252] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077391b60 5 bytes JMP 00000000774f0480 .text C:\Windows\system32\svchost.exe[1252] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077391b90 5 bytes JMP 00000000774f03a0 .text C:\Windows\system32\svchost.exe[1252] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077391c70 5 bytes JMP 00000000774f02f0 .text C:\Windows\system32\svchost.exe[1252] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077391c80 5 bytes JMP 00000000774f0350 .text C:\Windows\system32\svchost.exe[1252] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077391ce0 5 bytes JMP 00000000774f0290 .text C:\Windows\system32\svchost.exe[1252] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077391d70 5 bytes JMP 00000000774f02b0 .text C:\Windows\system32\svchost.exe[1252] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077391d90 5 bytes JMP 00000000774f03d0 .text C:\Windows\system32\svchost.exe[1252] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077391da0 1 byte JMP 00000000774f0330 .text C:\Windows\system32\svchost.exe[1252] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077391da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\svchost.exe[1252] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077391e10 5 bytes JMP 00000000774f0410 .text C:\Windows\system32\svchost.exe[1252] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077391e40 5 bytes JMP 00000000774f0240 .text C:\Windows\system32\svchost.exe[1252] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077392100 5 bytes JMP 00000000774f01e0 .text C:\Windows\system32\svchost.exe[1252] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000773921c0 1 byte JMP 00000000774f0250 .text C:\Windows\system32\svchost.exe[1252] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000773921c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\svchost.exe[1252] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000773921f0 5 bytes JMP 00000000774f0490 .text C:\Windows\system32\svchost.exe[1252] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077392200 5 bytes JMP 00000000774f04a0 .text C:\Windows\system32\svchost.exe[1252] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077392230 5 bytes JMP 00000000774f0300 .text C:\Windows\system32\svchost.exe[1252] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077392240 5 bytes JMP 00000000774f0360 .text C:\Windows\system32\svchost.exe[1252] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000773922a0 5 bytes JMP 00000000774f02a0 .text C:\Windows\system32\svchost.exe[1252] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000773922f0 5 bytes JMP 00000000774f02c0 .text C:\Windows\system32\svchost.exe[1252] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077392320 5 bytes JMP 00000000774f0380 .text C:\Windows\system32\svchost.exe[1252] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077392330 5 bytes JMP 00000000774f0340 .text C:\Windows\system32\svchost.exe[1252] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077392620 5 bytes JMP 00000000774f0440 .text C:\Windows\system32\svchost.exe[1252] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077392820 5 bytes JMP 00000000774f0260 .text C:\Windows\system32\svchost.exe[1252] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077392830 5 bytes JMP 00000000774f0270 .text C:\Windows\system32\svchost.exe[1252] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077392840 5 bytes JMP 00000000774f0400 .text C:\Windows\system32\svchost.exe[1252] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077392a00 5 bytes JMP 00000000774f01f0 .text C:\Windows\system32\svchost.exe[1252] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077392a10 5 bytes JMP 00000000774f0210 .text C:\Windows\system32\svchost.exe[1252] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077392a80 5 bytes JMP 00000000774f0200 .text C:\Windows\system32\svchost.exe[1252] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077392ae0 5 bytes JMP 00000000774f0420 .text C:\Windows\system32\svchost.exe[1252] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077392af0 5 bytes JMP 00000000774f0430 .text C:\Windows\system32\svchost.exe[1252] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077392b00 5 bytes JMP 00000000774f0220 .text C:\Windows\system32\svchost.exe[1252] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077392be0 5 bytes JMP 00000000774f0280 .text C:\Windows\system32\svchost.exe[1252] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007727ee7d 1 byte [62] .text C:\Windows\System32\spoolsv.exe[1584] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000773913c0 5 bytes JMP 00000000774f0460 .text C:\Windows\System32\spoolsv.exe[1584] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077391410 5 bytes JMP 00000000774f0450 .text C:\Windows\System32\spoolsv.exe[1584] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077391570 5 bytes JMP 00000000774f0370 .text C:\Windows\System32\spoolsv.exe[1584] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000773915c0 5 bytes JMP 00000000774f0470 .text C:\Windows\System32\spoolsv.exe[1584] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000773915d0 5 bytes JMP 00000000774f03e0 .text C:\Windows\System32\spoolsv.exe[1584] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077391680 5 bytes JMP 00000000774f0320 .text C:\Windows\System32\spoolsv.exe[1584] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000773916b0 5 bytes JMP 00000000774f03b0 .text C:\Windows\System32\spoolsv.exe[1584] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000773916d0 5 bytes JMP 00000000774f0390 .text C:\Windows\System32\spoolsv.exe[1584] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077391710 5 bytes JMP 00000000774f02e0 .text C:\Windows\System32\spoolsv.exe[1584] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077391790 5 bytes JMP 00000000774f02d0 .text C:\Windows\System32\spoolsv.exe[1584] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000773917b0 5 bytes JMP 00000000774f0310 .text C:\Windows\System32\spoolsv.exe[1584] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000773917f0 5 bytes JMP 00000000774f03c0 .text C:\Windows\System32\spoolsv.exe[1584] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077391840 5 bytes JMP 00000000774f03f0 .text C:\Windows\System32\spoolsv.exe[1584] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000773919a0 1 byte JMP 00000000774f0230 .text C:\Windows\System32\spoolsv.exe[1584] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000773919a2 3 bytes {JMP 0x15e890} .text C:\Windows\System32\spoolsv.exe[1584] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077391b60 5 bytes JMP 00000000774f0480 .text C:\Windows\System32\spoolsv.exe[1584] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077391b90 5 bytes JMP 00000000774f03a0 .text C:\Windows\System32\spoolsv.exe[1584] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077391c70 5 bytes JMP 00000000774f02f0 .text C:\Windows\System32\spoolsv.exe[1584] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077391c80 5 bytes JMP 00000000774f0350 .text C:\Windows\System32\spoolsv.exe[1584] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077391ce0 5 bytes JMP 00000000774f0290 .text C:\Windows\System32\spoolsv.exe[1584] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077391d70 5 bytes JMP 00000000774f02b0 .text C:\Windows\System32\spoolsv.exe[1584] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077391d90 5 bytes JMP 00000000774f03d0 .text C:\Windows\System32\spoolsv.exe[1584] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077391da0 1 byte JMP 00000000774f0330 .text C:\Windows\System32\spoolsv.exe[1584] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077391da2 3 bytes {JMP 0x15e590} .text C:\Windows\System32\spoolsv.exe[1584] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077391e10 5 bytes JMP 00000000774f0410 .text C:\Windows\System32\spoolsv.exe[1584] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077391e40 5 bytes JMP 00000000774f0240 .text C:\Windows\System32\spoolsv.exe[1584] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077392100 5 bytes JMP 00000000774f01e0 .text C:\Windows\System32\spoolsv.exe[1584] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000773921c0 1 byte JMP 00000000774f0250 .text C:\Windows\System32\spoolsv.exe[1584] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000773921c2 3 bytes {JMP 0x15e090} .text C:\Windows\System32\spoolsv.exe[1584] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000773921f0 5 bytes JMP 00000000774f0490 .text C:\Windows\System32\spoolsv.exe[1584] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077392200 5 bytes JMP 00000000774f04a0 .text C:\Windows\System32\spoolsv.exe[1584] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077392230 5 bytes JMP 00000000774f0300 .text C:\Windows\System32\spoolsv.exe[1584] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077392240 5 bytes JMP 00000000774f0360 .text C:\Windows\System32\spoolsv.exe[1584] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000773922a0 5 bytes JMP 00000000774f02a0 .text C:\Windows\System32\spoolsv.exe[1584] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000773922f0 5 bytes JMP 00000000774f02c0 .text C:\Windows\System32\spoolsv.exe[1584] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077392320 5 bytes JMP 00000000774f0380 .text C:\Windows\System32\spoolsv.exe[1584] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077392330 5 bytes JMP 00000000774f0340 .text C:\Windows\System32\spoolsv.exe[1584] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077392620 5 bytes JMP 00000000774f0440 .text C:\Windows\System32\spoolsv.exe[1584] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077392820 5 bytes JMP 00000000774f0260 .text C:\Windows\System32\spoolsv.exe[1584] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077392830 5 bytes JMP 00000000774f0270 .text C:\Windows\System32\spoolsv.exe[1584] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077392840 5 bytes JMP 00000000774f0400 .text C:\Windows\System32\spoolsv.exe[1584] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077392a00 5 bytes JMP 00000000774f01f0 .text C:\Windows\System32\spoolsv.exe[1584] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077392a10 5 bytes JMP 00000000774f0210 .text C:\Windows\System32\spoolsv.exe[1584] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077392a80 5 bytes JMP 00000000774f0200 .text C:\Windows\System32\spoolsv.exe[1584] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077392ae0 5 bytes JMP 00000000774f0420 .text C:\Windows\System32\spoolsv.exe[1584] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077392af0 5 bytes JMP 00000000774f0430 .text C:\Windows\System32\spoolsv.exe[1584] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077392b00 5 bytes JMP 00000000774f0220 .text C:\Windows\System32\spoolsv.exe[1584] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077392be0 5 bytes JMP 00000000774f0280 .text C:\Windows\System32\spoolsv.exe[1584] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007727ee7d 1 byte [62] .text C:\Windows\system32\svchost.exe[1644] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000773913c0 5 bytes JMP 00000000774f0460 .text C:\Windows\system32\svchost.exe[1644] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077391410 5 bytes JMP 00000000774f0450 .text C:\Windows\system32\svchost.exe[1644] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077391570 5 bytes JMP 00000000774f0370 .text C:\Windows\system32\svchost.exe[1644] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000773915c0 5 bytes JMP 00000000774f0470 .text C:\Windows\system32\svchost.exe[1644] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000773915d0 5 bytes JMP 00000000774f03e0 .text C:\Windows\system32\svchost.exe[1644] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077391680 5 bytes JMP 00000000774f0320 .text C:\Windows\system32\svchost.exe[1644] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000773916b0 5 bytes JMP 00000000774f03b0 .text C:\Windows\system32\svchost.exe[1644] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000773916d0 5 bytes JMP 00000000774f0390 .text C:\Windows\system32\svchost.exe[1644] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077391710 5 bytes JMP 00000000774f02e0 .text C:\Windows\system32\svchost.exe[1644] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077391790 5 bytes JMP 00000000774f02d0 .text C:\Windows\system32\svchost.exe[1644] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000773917b0 5 bytes JMP 00000000774f0310 .text C:\Windows\system32\svchost.exe[1644] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000773917f0 5 bytes JMP 00000000774f03c0 .text C:\Windows\system32\svchost.exe[1644] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077391840 5 bytes JMP 00000000774f03f0 .text C:\Windows\system32\svchost.exe[1644] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000773919a0 1 byte JMP 00000000774f0230 .text C:\Windows\system32\svchost.exe[1644] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000773919a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\svchost.exe[1644] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077391b60 5 bytes JMP 00000000774f0480 .text C:\Windows\system32\svchost.exe[1644] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077391b90 5 bytes JMP 00000000774f03a0 .text C:\Windows\system32\svchost.exe[1644] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077391c70 5 bytes JMP 00000000774f02f0 .text C:\Windows\system32\svchost.exe[1644] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077391c80 5 bytes JMP 00000000774f0350 .text C:\Windows\system32\svchost.exe[1644] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077391ce0 5 bytes JMP 00000000774f0290 .text C:\Windows\system32\svchost.exe[1644] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077391d70 5 bytes JMP 00000000774f02b0 .text C:\Windows\system32\svchost.exe[1644] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077391d90 5 bytes JMP 00000000774f03d0 .text C:\Windows\system32\svchost.exe[1644] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077391da0 1 byte JMP 00000000774f0330 .text C:\Windows\system32\svchost.exe[1644] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077391da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\svchost.exe[1644] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077391e10 5 bytes JMP 00000000774f0410 .text C:\Windows\system32\svchost.exe[1644] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077391e40 5 bytes JMP 00000000774f0240 .text C:\Windows\system32\svchost.exe[1644] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077392100 5 bytes JMP 00000000774f01e0 .text C:\Windows\system32\svchost.exe[1644] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000773921c0 1 byte JMP 00000000774f0250 .text C:\Windows\system32\svchost.exe[1644] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000773921c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\svchost.exe[1644] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000773921f0 5 bytes JMP 00000000774f0490 .text C:\Windows\system32\svchost.exe[1644] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077392200 5 bytes JMP 00000000774f04a0 .text C:\Windows\system32\svchost.exe[1644] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077392230 5 bytes JMP 00000000774f0300 .text C:\Windows\system32\svchost.exe[1644] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077392240 5 bytes JMP 00000000774f0360 .text C:\Windows\system32\svchost.exe[1644] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000773922a0 5 bytes JMP 00000000774f02a0 .text C:\Windows\system32\svchost.exe[1644] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000773922f0 5 bytes JMP 00000000774f02c0 .text C:\Windows\system32\svchost.exe[1644] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077392320 5 bytes JMP 00000000774f0380 .text C:\Windows\system32\svchost.exe[1644] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077392330 5 bytes JMP 00000000774f0340 .text C:\Windows\system32\svchost.exe[1644] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077392620 5 bytes JMP 00000000774f0440 .text C:\Windows\system32\svchost.exe[1644] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077392820 5 bytes JMP 00000000774f0260 .text C:\Windows\system32\svchost.exe[1644] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077392830 5 bytes JMP 00000000774f0270 .text C:\Windows\system32\svchost.exe[1644] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077392840 5 bytes JMP 00000000774f0400 .text C:\Windows\system32\svchost.exe[1644] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077392a00 5 bytes JMP 00000000774f01f0 .text C:\Windows\system32\svchost.exe[1644] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077392a10 5 bytes JMP 00000000774f0210 .text C:\Windows\system32\svchost.exe[1644] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077392a80 5 bytes JMP 00000000774f0200 .text C:\Windows\system32\svchost.exe[1644] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077392ae0 5 bytes JMP 00000000774f0420 .text C:\Windows\system32\svchost.exe[1644] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077392af0 5 bytes JMP 00000000774f0430 .text C:\Windows\system32\svchost.exe[1644] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077392b00 5 bytes JMP 00000000774f0220 .text C:\Windows\system32\svchost.exe[1644] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077392be0 5 bytes JMP 00000000774f0280 .text C:\Windows\system32\svchost.exe[1644] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007727ee7d 1 byte [62] .text C:\Windows\system32\Dwm.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000773913c0 5 bytes JMP 0000000100070460 .text C:\Windows\system32\Dwm.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077391410 5 bytes JMP 0000000100070450 .text C:\Windows\system32\Dwm.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077391570 5 bytes JMP 0000000100070370 .text C:\Windows\system32\Dwm.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000773915c0 5 bytes JMP 0000000100070470 .text C:\Windows\system32\Dwm.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000773915d0 5 bytes JMP 00000001000703e0 .text C:\Windows\system32\Dwm.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077391680 5 bytes JMP 0000000100070320 .text C:\Windows\system32\Dwm.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000773916b0 5 bytes JMP 00000001000703b0 .text C:\Windows\system32\Dwm.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000773916d0 5 bytes JMP 0000000100070390 .text C:\Windows\system32\Dwm.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077391710 5 bytes JMP 00000001000702e0 .text C:\Windows\system32\Dwm.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077391790 5 bytes JMP 00000001000702d0 .text C:\Windows\system32\Dwm.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000773917b0 5 bytes JMP 0000000100070310 .text C:\Windows\system32\Dwm.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000773917f0 5 bytes JMP 00000001000703c0 .text C:\Windows\system32\Dwm.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077391840 5 bytes JMP 00000001000703f0 .text C:\Windows\system32\Dwm.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000773919a0 1 byte JMP 0000000100070230 .text C:\Windows\system32\Dwm.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000773919a2 3 bytes {JMP 0xffffffff88cde890} .text C:\Windows\system32\Dwm.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077391b60 5 bytes JMP 0000000100070480 .text C:\Windows\system32\Dwm.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077391b90 5 bytes JMP 00000001000703a0 .text C:\Windows\system32\Dwm.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077391c70 5 bytes JMP 00000001000702f0 .text C:\Windows\system32\Dwm.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077391c80 5 bytes JMP 0000000100070350 .text C:\Windows\system32\Dwm.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077391ce0 5 bytes JMP 0000000100070290 .text C:\Windows\system32\Dwm.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077391d70 5 bytes JMP 00000001000702b0 .text C:\Windows\system32\Dwm.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077391d90 5 bytes JMP 00000001000703d0 .text C:\Windows\system32\Dwm.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077391da0 1 byte JMP 0000000100070330 .text C:\Windows\system32\Dwm.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077391da2 3 bytes {JMP 0xffffffff88cde590} .text C:\Windows\system32\Dwm.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077391e10 5 bytes JMP 0000000100070410 .text C:\Windows\system32\Dwm.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077391e40 5 bytes JMP 0000000100070240 .text C:\Windows\system32\Dwm.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077392100 5 bytes JMP 00000001000701e0 .text C:\Windows\system32\Dwm.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000773921c0 1 byte JMP 0000000100070250 .text C:\Windows\system32\Dwm.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000773921c2 3 bytes {JMP 0xffffffff88cde090} .text C:\Windows\system32\Dwm.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000773921f0 5 bytes JMP 0000000100070490 .text C:\Windows\system32\Dwm.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077392200 5 bytes JMP 00000001000704a0 .text C:\Windows\system32\Dwm.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077392230 5 bytes JMP 0000000100070300 .text C:\Windows\system32\Dwm.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077392240 5 bytes JMP 0000000100070360 .text C:\Windows\system32\Dwm.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000773922a0 5 bytes JMP 00000001000702a0 .text C:\Windows\system32\Dwm.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000773922f0 5 bytes JMP 00000001000702c0 .text C:\Windows\system32\Dwm.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077392320 5 bytes JMP 0000000100070380 .text C:\Windows\system32\Dwm.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077392330 5 bytes JMP 0000000100070340 .text C:\Windows\system32\Dwm.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077392620 5 bytes JMP 0000000100070440 .text C:\Windows\system32\Dwm.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077392820 5 bytes JMP 0000000100070260 .text C:\Windows\system32\Dwm.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077392830 5 bytes JMP 0000000100070270 .text C:\Windows\system32\Dwm.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077392840 5 bytes JMP 0000000100070400 .text C:\Windows\system32\Dwm.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077392a00 5 bytes JMP 00000001000701f0 .text C:\Windows\system32\Dwm.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077392a10 5 bytes JMP 0000000100070210 .text C:\Windows\system32\Dwm.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077392a80 5 bytes JMP 0000000100070200 .text C:\Windows\system32\Dwm.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077392ae0 5 bytes JMP 0000000100070420 .text C:\Windows\system32\Dwm.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077392af0 5 bytes JMP 0000000100070430 .text C:\Windows\system32\Dwm.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077392b00 5 bytes JMP 0000000100070220 .text C:\Windows\system32\Dwm.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077392be0 5 bytes JMP 0000000100070280 .text C:\Windows\Explorer.EXE[1804] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000773913c0 5 bytes JMP 00000000774f0460 .text C:\Windows\Explorer.EXE[1804] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077391410 5 bytes JMP 00000000774f0450 .text C:\Windows\Explorer.EXE[1804] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077391570 5 bytes JMP 00000000774f0370 .text C:\Windows\Explorer.EXE[1804] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000773915c0 5 bytes JMP 00000000774f0470 .text C:\Windows\Explorer.EXE[1804] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000773915d0 5 bytes JMP 00000000774f03e0 .text C:\Windows\Explorer.EXE[1804] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077391680 5 bytes JMP 00000000774f0320 .text C:\Windows\Explorer.EXE[1804] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000773916b0 5 bytes JMP 00000000774f03b0 .text C:\Windows\Explorer.EXE[1804] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000773916d0 5 bytes JMP 00000000774f0390 .text C:\Windows\Explorer.EXE[1804] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077391710 5 bytes JMP 00000000774f02e0 .text C:\Windows\Explorer.EXE[1804] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077391790 5 bytes JMP 00000000774f02d0 .text C:\Windows\Explorer.EXE[1804] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000773917b0 5 bytes JMP 00000000774f0310 .text C:\Windows\Explorer.EXE[1804] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000773917f0 5 bytes JMP 00000000774f03c0 .text C:\Windows\Explorer.EXE[1804] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077391840 5 bytes JMP 00000000774f03f0 .text C:\Windows\Explorer.EXE[1804] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000773919a0 1 byte JMP 00000000774f0230 .text C:\Windows\Explorer.EXE[1804] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000773919a2 3 bytes {JMP 0x15e890} .text C:\Windows\Explorer.EXE[1804] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077391b60 5 bytes JMP 00000000774f0480 .text C:\Windows\Explorer.EXE[1804] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077391b90 5 bytes JMP 00000000774f03a0 .text C:\Windows\Explorer.EXE[1804] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077391c70 5 bytes JMP 00000000774f02f0 .text C:\Windows\Explorer.EXE[1804] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077391c80 5 bytes JMP 00000000774f0350 .text C:\Windows\Explorer.EXE[1804] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077391ce0 5 bytes JMP 00000000774f0290 .text C:\Windows\Explorer.EXE[1804] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077391d70 5 bytes JMP 00000000774f02b0 .text C:\Windows\Explorer.EXE[1804] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077391d90 5 bytes JMP 00000000774f03d0 .text C:\Windows\Explorer.EXE[1804] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077391da0 1 byte JMP 00000000774f0330 .text C:\Windows\Explorer.EXE[1804] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077391da2 3 bytes {JMP 0x15e590} .text C:\Windows\Explorer.EXE[1804] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077391e10 5 bytes JMP 00000000774f0410 .text C:\Windows\Explorer.EXE[1804] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077391e40 5 bytes JMP 00000000774f0240 .text C:\Windows\Explorer.EXE[1804] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077392100 5 bytes JMP 00000000774f01e0 .text C:\Windows\Explorer.EXE[1804] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000773921c0 1 byte JMP 00000000774f0250 .text C:\Windows\Explorer.EXE[1804] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000773921c2 3 bytes {JMP 0x15e090} .text C:\Windows\Explorer.EXE[1804] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000773921f0 5 bytes JMP 00000000774f0490 .text C:\Windows\Explorer.EXE[1804] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077392200 5 bytes JMP 00000000774f04a0 .text C:\Windows\Explorer.EXE[1804] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077392230 5 bytes JMP 00000000774f0300 .text C:\Windows\Explorer.EXE[1804] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077392240 5 bytes JMP 00000000774f0360 .text C:\Windows\Explorer.EXE[1804] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000773922a0 5 bytes JMP 00000000774f02a0 .text C:\Windows\Explorer.EXE[1804] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000773922f0 5 bytes JMP 00000000774f02c0 .text C:\Windows\Explorer.EXE[1804] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077392320 5 bytes JMP 00000000774f0380 .text C:\Windows\Explorer.EXE[1804] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077392330 5 bytes JMP 00000000774f0340 .text C:\Windows\Explorer.EXE[1804] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077392620 5 bytes JMP 00000000774f0440 .text C:\Windows\Explorer.EXE[1804] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077392820 5 bytes JMP 00000000774f0260 .text C:\Windows\Explorer.EXE[1804] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077392830 5 bytes JMP 00000000774f0270 .text C:\Windows\Explorer.EXE[1804] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077392840 5 bytes JMP 00000000774f0400 .text C:\Windows\Explorer.EXE[1804] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077392a00 5 bytes JMP 00000000774f01f0 .text C:\Windows\Explorer.EXE[1804] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077392a10 5 bytes JMP 00000000774f0210 .text C:\Windows\Explorer.EXE[1804] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077392a80 5 bytes JMP 00000000774f0200 .text C:\Windows\Explorer.EXE[1804] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077392ae0 5 bytes JMP 00000000774f0420 .text C:\Windows\Explorer.EXE[1804] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077392af0 5 bytes JMP 00000000774f0430 .text C:\Windows\Explorer.EXE[1804] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077392b00 5 bytes JMP 00000000774f0220 .text C:\Windows\Explorer.EXE[1804] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077392be0 5 bytes JMP 00000000774f0280 .text C:\Windows\Explorer.EXE[1804] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007727ee7d 1 byte [62] .text C:\Windows\system32\taskhost.exe[1836] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000773913c0 5 bytes JMP 00000000774f0460 .text C:\Windows\system32\taskhost.exe[1836] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077391410 5 bytes JMP 00000000774f0450 .text C:\Windows\system32\taskhost.exe[1836] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077391570 5 bytes JMP 00000000774f0370 .text C:\Windows\system32\taskhost.exe[1836] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000773915c0 5 bytes JMP 00000000774f0470 .text C:\Windows\system32\taskhost.exe[1836] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000773915d0 5 bytes JMP 00000000774f03e0 .text C:\Windows\system32\taskhost.exe[1836] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077391680 5 bytes JMP 00000000774f0320 .text C:\Windows\system32\taskhost.exe[1836] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000773916b0 5 bytes JMP 00000000774f03b0 .text C:\Windows\system32\taskhost.exe[1836] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000773916d0 5 bytes JMP 00000000774f0390 .text C:\Windows\system32\taskhost.exe[1836] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077391710 5 bytes JMP 00000000774f02e0 .text C:\Windows\system32\taskhost.exe[1836] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077391790 5 bytes JMP 00000000774f02d0 .text C:\Windows\system32\taskhost.exe[1836] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000773917b0 5 bytes JMP 00000000774f0310 .text C:\Windows\system32\taskhost.exe[1836] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000773917f0 5 bytes JMP 00000000774f03c0 .text C:\Windows\system32\taskhost.exe[1836] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077391840 5 bytes JMP 00000000774f03f0 .text C:\Windows\system32\taskhost.exe[1836] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000773919a0 1 byte JMP 00000000774f0230 .text C:\Windows\system32\taskhost.exe[1836] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000773919a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\taskhost.exe[1836] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077391b60 5 bytes JMP 00000000774f0480 .text C:\Windows\system32\taskhost.exe[1836] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077391b90 5 bytes JMP 00000000774f03a0 .text C:\Windows\system32\taskhost.exe[1836] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077391c70 5 bytes JMP 00000000774f02f0 .text C:\Windows\system32\taskhost.exe[1836] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077391c80 5 bytes JMP 00000000774f0350 .text C:\Windows\system32\taskhost.exe[1836] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077391ce0 5 bytes JMP 00000000774f0290 .text C:\Windows\system32\taskhost.exe[1836] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077391d70 5 bytes JMP 00000000774f02b0 .text C:\Windows\system32\taskhost.exe[1836] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077391d90 5 bytes JMP 00000000774f03d0 .text C:\Windows\system32\taskhost.exe[1836] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077391da0 1 byte JMP 00000000774f0330 .text C:\Windows\system32\taskhost.exe[1836] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077391da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\taskhost.exe[1836] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077391e10 5 bytes JMP 00000000774f0410 .text C:\Windows\system32\taskhost.exe[1836] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077391e40 5 bytes JMP 00000000774f0240 .text C:\Windows\system32\taskhost.exe[1836] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077392100 5 bytes JMP 00000000774f01e0 .text C:\Windows\system32\taskhost.exe[1836] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000773921c0 1 byte JMP 00000000774f0250 .text C:\Windows\system32\taskhost.exe[1836] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000773921c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\taskhost.exe[1836] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000773921f0 5 bytes JMP 00000000774f0490 .text C:\Windows\system32\taskhost.exe[1836] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077392200 5 bytes JMP 00000000774f04a0 .text C:\Windows\system32\taskhost.exe[1836] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077392230 5 bytes JMP 00000000774f0300 .text C:\Windows\system32\taskhost.exe[1836] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077392240 5 bytes JMP 00000000774f0360 .text C:\Windows\system32\taskhost.exe[1836] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000773922a0 5 bytes JMP 00000000774f02a0 .text C:\Windows\system32\taskhost.exe[1836] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000773922f0 5 bytes JMP 00000000774f02c0 .text C:\Windows\system32\taskhost.exe[1836] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077392320 5 bytes JMP 00000000774f0380 .text C:\Windows\system32\taskhost.exe[1836] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077392330 5 bytes JMP 00000000774f0340 .text C:\Windows\system32\taskhost.exe[1836] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077392620 5 bytes JMP 00000000774f0440 .text C:\Windows\system32\taskhost.exe[1836] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077392820 5 bytes JMP 00000000774f0260 .text C:\Windows\system32\taskhost.exe[1836] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077392830 5 bytes JMP 00000000774f0270 .text C:\Windows\system32\taskhost.exe[1836] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077392840 5 bytes JMP 00000000774f0400 .text C:\Windows\system32\taskhost.exe[1836] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077392a00 5 bytes JMP 00000000774f01f0 .text C:\Windows\system32\taskhost.exe[1836] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077392a10 5 bytes JMP 00000000774f0210 .text C:\Windows\system32\taskhost.exe[1836] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077392a80 5 bytes JMP 00000000774f0200 .text C:\Windows\system32\taskhost.exe[1836] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077392ae0 5 bytes JMP 00000000774f0420 .text C:\Windows\system32\taskhost.exe[1836] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077392af0 5 bytes JMP 00000000774f0430 .text C:\Windows\system32\taskhost.exe[1836] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077392b00 5 bytes JMP 00000000774f0220 .text C:\Windows\system32\taskhost.exe[1836] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077392be0 5 bytes JMP 00000000774f0280 .text C:\Windows\system32\taskhost.exe[1836] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007727ee7d 1 byte [62] .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000773913c0 5 bytes JMP 00000000774f0460 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077391410 5 bytes JMP 00000000774f0450 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077391570 5 bytes JMP 00000000774f0370 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000773915c0 5 bytes JMP 00000000774f0470 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000773915d0 5 bytes JMP 00000000774f03e0 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077391680 5 bytes JMP 00000000774f0320 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000773916b0 5 bytes JMP 00000000774f03b0 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000773916d0 5 bytes JMP 00000000774f0390 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077391710 5 bytes JMP 00000000774f02e0 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077391790 5 bytes JMP 00000000774f02d0 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000773917b0 5 bytes JMP 00000000774f0310 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000773917f0 5 bytes JMP 00000000774f03c0 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077391840 5 bytes JMP 00000000774f03f0 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000773919a0 1 byte JMP 00000000774f0230 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000773919a2 3 bytes {JMP 0x15e890} .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077391b60 5 bytes JMP 00000000774f0480 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077391b90 5 bytes JMP 00000000774f03a0 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077391c70 5 bytes JMP 00000000774f02f0 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077391c80 5 bytes JMP 00000000774f0350 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077391ce0 5 bytes JMP 00000000774f0290 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077391d70 5 bytes JMP 00000000774f02b0 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077391d90 5 bytes JMP 00000000774f03d0 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077391da0 1 byte JMP 00000000774f0330 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077391da2 3 bytes {JMP 0x15e590} .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077391e10 5 bytes JMP 00000000774f0410 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077391e40 5 bytes JMP 00000000774f0240 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077392100 5 bytes JMP 00000000774f01e0 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000773921c0 1 byte JMP 00000000774f0250 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000773921c2 3 bytes {JMP 0x15e090} .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000773921f0 5 bytes JMP 00000000774f0490 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077392200 5 bytes JMP 00000000774f04a0 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077392230 5 bytes JMP 00000000774f0300 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077392240 5 bytes JMP 00000000774f0360 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000773922a0 5 bytes JMP 00000000774f02a0 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000773922f0 5 bytes JMP 00000000774f02c0 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077392320 5 bytes JMP 00000000774f0380 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077392330 5 bytes JMP 00000000774f0340 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077392620 5 bytes JMP 00000000774f0440 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077392820 5 bytes JMP 00000000774f0260 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077392830 5 bytes JMP 00000000774f0270 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077392840 5 bytes JMP 00000000774f0400 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077392a00 5 bytes JMP 00000000774f01f0 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077392a10 5 bytes JMP 00000000774f0210 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077392a80 5 bytes JMP 00000000774f0200 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077392ae0 5 bytes JMP 00000000774f0420 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077392af0 5 bytes JMP 00000000774f0430 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077392b00 5 bytes JMP 00000000774f0220 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077392be0 5 bytes JMP 00000000774f0280 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1900] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007727ee7d 1 byte [62] .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1988] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000075eea2ea 1 byte [62] .text C:\Windows\system32\taskeng.exe[2032] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000773913c0 5 bytes JMP 00000000774f0460 .text C:\Windows\system32\taskeng.exe[2032] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077391410 5 bytes JMP 00000000774f0450 .text C:\Windows\system32\taskeng.exe[2032] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077391570 5 bytes JMP 00000000774f0370 .text C:\Windows\system32\taskeng.exe[2032] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000773915c0 5 bytes JMP 00000000774f0470 .text C:\Windows\system32\taskeng.exe[2032] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000773915d0 5 bytes JMP 00000000774f03e0 .text C:\Windows\system32\taskeng.exe[2032] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077391680 5 bytes JMP 00000000774f0320 .text C:\Windows\system32\taskeng.exe[2032] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000773916b0 5 bytes JMP 00000000774f03b0 .text C:\Windows\system32\taskeng.exe[2032] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000773916d0 5 bytes JMP 00000000774f0390 .text C:\Windows\system32\taskeng.exe[2032] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077391710 5 bytes JMP 00000000774f02e0 .text C:\Windows\system32\taskeng.exe[2032] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077391790 5 bytes JMP 00000000774f02d0 .text C:\Windows\system32\taskeng.exe[2032] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000773917b0 5 bytes JMP 00000000774f0310 .text C:\Windows\system32\taskeng.exe[2032] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000773917f0 5 bytes JMP 00000000774f03c0 .text C:\Windows\system32\taskeng.exe[2032] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077391840 5 bytes JMP 00000000774f03f0 .text C:\Windows\system32\taskeng.exe[2032] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000773919a0 1 byte JMP 00000000774f0230 .text C:\Windows\system32\taskeng.exe[2032] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000773919a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\taskeng.exe[2032] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077391b60 5 bytes JMP 00000000774f0480 .text C:\Windows\system32\taskeng.exe[2032] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077391b90 5 bytes JMP 00000000774f03a0 .text C:\Windows\system32\taskeng.exe[2032] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077391c70 5 bytes JMP 00000000774f02f0 .text C:\Windows\system32\taskeng.exe[2032] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077391c80 5 bytes JMP 00000000774f0350 .text C:\Windows\system32\taskeng.exe[2032] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077391ce0 5 bytes JMP 00000000774f0290 .text C:\Windows\system32\taskeng.exe[2032] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077391d70 5 bytes JMP 00000000774f02b0 .text C:\Windows\system32\taskeng.exe[2032] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077391d90 5 bytes JMP 00000000774f03d0 .text C:\Windows\system32\taskeng.exe[2032] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077391da0 1 byte JMP 00000000774f0330 .text C:\Windows\system32\taskeng.exe[2032] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077391da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\taskeng.exe[2032] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077391e10 5 bytes JMP 00000000774f0410 .text C:\Windows\system32\taskeng.exe[2032] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077391e40 5 bytes JMP 00000000774f0240 .text C:\Windows\system32\taskeng.exe[2032] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077392100 5 bytes JMP 00000000774f01e0 .text C:\Windows\system32\taskeng.exe[2032] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000773921c0 1 byte JMP 00000000774f0250 .text C:\Windows\system32\taskeng.exe[2032] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000773921c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\taskeng.exe[2032] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000773921f0 5 bytes JMP 00000000774f0490 .text C:\Windows\system32\taskeng.exe[2032] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077392200 5 bytes JMP 00000000774f04a0 .text C:\Windows\system32\taskeng.exe[2032] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077392230 5 bytes JMP 00000000774f0300 .text C:\Windows\system32\taskeng.exe[2032] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077392240 5 bytes JMP 00000000774f0360 .text C:\Windows\system32\taskeng.exe[2032] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000773922a0 5 bytes JMP 00000000774f02a0 .text C:\Windows\system32\taskeng.exe[2032] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000773922f0 5 bytes JMP 00000000774f02c0 .text C:\Windows\system32\taskeng.exe[2032] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077392320 5 bytes JMP 00000000774f0380 .text C:\Windows\system32\taskeng.exe[2032] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077392330 5 bytes JMP 00000000774f0340 .text C:\Windows\system32\taskeng.exe[2032] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077392620 5 bytes JMP 00000000774f0440 .text C:\Windows\system32\taskeng.exe[2032] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077392820 5 bytes JMP 00000000774f0260 .text C:\Windows\system32\taskeng.exe[2032] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077392830 5 bytes JMP 00000000774f0270 .text C:\Windows\system32\taskeng.exe[2032] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077392840 5 bytes JMP 00000000774f0400 .text C:\Windows\system32\taskeng.exe[2032] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077392a00 5 bytes JMP 00000000774f01f0 .text C:\Windows\system32\taskeng.exe[2032] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077392a10 5 bytes JMP 00000000774f0210 .text C:\Windows\system32\taskeng.exe[2032] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077392a80 5 bytes JMP 00000000774f0200 .text C:\Windows\system32\taskeng.exe[2032] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077392ae0 5 bytes JMP 00000000774f0420 .text C:\Windows\system32\taskeng.exe[2032] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077392af0 5 bytes JMP 00000000774f0430 .text C:\Windows\system32\taskeng.exe[2032] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077392b00 5 bytes JMP 00000000774f0220 .text C:\Windows\system32\taskeng.exe[2032] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077392be0 5 bytes JMP 00000000774f0280 .text C:\Windows\system32\svchost.exe[1508] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000773913c0 5 bytes JMP 0000000100070460 .text C:\Windows\system32\svchost.exe[1508] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077391410 5 bytes JMP 0000000100070450 .text C:\Windows\system32\svchost.exe[1508] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077391570 5 bytes JMP 0000000100070370 .text C:\Windows\system32\svchost.exe[1508] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000773915c0 5 bytes JMP 0000000100070470 .text C:\Windows\system32\svchost.exe[1508] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000773915d0 5 bytes JMP 00000001000703e0 .text C:\Windows\system32\svchost.exe[1508] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077391680 5 bytes JMP 0000000100070320 .text C:\Windows\system32\svchost.exe[1508] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000773916b0 5 bytes JMP 00000001000703b0 .text C:\Windows\system32\svchost.exe[1508] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000773916d0 5 bytes JMP 0000000100070390 .text C:\Windows\system32\svchost.exe[1508] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077391710 5 bytes JMP 00000001000702e0 .text C:\Windows\system32\svchost.exe[1508] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077391790 5 bytes JMP 00000001000702d0 .text C:\Windows\system32\svchost.exe[1508] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000773917b0 5 bytes JMP 0000000100070310 .text C:\Windows\system32\svchost.exe[1508] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000773917f0 5 bytes JMP 00000001000703c0 .text C:\Windows\system32\svchost.exe[1508] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077391840 5 bytes JMP 00000001000703f0 .text C:\Windows\system32\svchost.exe[1508] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000773919a0 1 byte JMP 0000000100070230 .text C:\Windows\system32\svchost.exe[1508] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000773919a2 3 bytes {JMP 0xffffffff88cde890} .text C:\Windows\system32\svchost.exe[1508] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077391b60 5 bytes JMP 0000000100070480 .text C:\Windows\system32\svchost.exe[1508] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077391b90 5 bytes JMP 00000001000703a0 .text C:\Windows\system32\svchost.exe[1508] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077391c70 5 bytes JMP 00000001000702f0 .text C:\Windows\system32\svchost.exe[1508] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077391c80 5 bytes JMP 0000000100070350 .text C:\Windows\system32\svchost.exe[1508] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077391ce0 5 bytes JMP 0000000100070290 .text C:\Windows\system32\svchost.exe[1508] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077391d70 5 bytes JMP 00000001000702b0 .text C:\Windows\system32\svchost.exe[1508] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077391d90 5 bytes JMP 00000001000703d0 .text C:\Windows\system32\svchost.exe[1508] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077391da0 1 byte JMP 0000000100070330 .text C:\Windows\system32\svchost.exe[1508] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077391da2 3 bytes {JMP 0xffffffff88cde590} .text C:\Windows\system32\svchost.exe[1508] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077391e10 5 bytes JMP 0000000100070410 .text C:\Windows\system32\svchost.exe[1508] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077391e40 5 bytes JMP 0000000100070240 .text C:\Windows\system32\svchost.exe[1508] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077392100 5 bytes JMP 00000001000701e0 .text C:\Windows\system32\svchost.exe[1508] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000773921c0 1 byte JMP 0000000100070250 .text C:\Windows\system32\svchost.exe[1508] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000773921c2 3 bytes {JMP 0xffffffff88cde090} .text C:\Windows\system32\svchost.exe[1508] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000773921f0 5 bytes JMP 0000000100070490 .text C:\Windows\system32\svchost.exe[1508] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077392200 5 bytes JMP 00000001000704a0 .text C:\Windows\system32\svchost.exe[1508] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077392230 5 bytes JMP 0000000100070300 .text C:\Windows\system32\svchost.exe[1508] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077392240 5 bytes JMP 0000000100070360 .text C:\Windows\system32\svchost.exe[1508] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000773922a0 5 bytes JMP 00000001000702a0 .text C:\Windows\system32\svchost.exe[1508] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000773922f0 5 bytes JMP 00000001000702c0 .text C:\Windows\system32\svchost.exe[1508] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077392320 5 bytes JMP 0000000100070380 .text C:\Windows\system32\svchost.exe[1508] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077392330 5 bytes JMP 0000000100070340 .text C:\Windows\system32\svchost.exe[1508] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077392620 5 bytes JMP 0000000100070440 .text C:\Windows\system32\svchost.exe[1508] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077392820 5 bytes JMP 0000000100070260 .text C:\Windows\system32\svchost.exe[1508] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077392830 5 bytes JMP 0000000100070270 .text C:\Windows\system32\svchost.exe[1508] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077392840 5 bytes JMP 0000000100070400 .text C:\Windows\system32\svchost.exe[1508] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077392a00 5 bytes JMP 00000001000701f0 .text C:\Windows\system32\svchost.exe[1508] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077392a10 5 bytes JMP 0000000100070210 .text C:\Windows\system32\svchost.exe[1508] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077392a80 5 bytes JMP 0000000100070200 .text C:\Windows\system32\svchost.exe[1508] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077392ae0 5 bytes JMP 0000000100070420 .text C:\Windows\system32\svchost.exe[1508] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077392af0 5 bytes JMP 0000000100070430 .text C:\Windows\system32\svchost.exe[1508] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077392b00 5 bytes JMP 0000000100070220 .text C:\Windows\system32\svchost.exe[1508] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077392be0 5 bytes JMP 0000000100070280 .text C:\Windows\SysWOW64\PnkBstrA.exe[1624] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000075eea2ea 1 byte [62] .text C:\Windows\SysWOW64\PnkBstrA.exe[1624] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 322 0000000074e41a22 2 bytes [E4, 74] .text C:\Windows\SysWOW64\PnkBstrA.exe[1624] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 496 0000000074e41ad0 2 bytes [E4, 74] .text C:\Windows\SysWOW64\PnkBstrA.exe[1624] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 552 0000000074e41b08 2 bytes [E4, 74] .text C:\Windows\SysWOW64\PnkBstrA.exe[1624] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 730 0000000074e41bba 2 bytes [E4, 74] .text C:\Windows\SysWOW64\PnkBstrA.exe[1624] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 762 0000000074e41bda 2 bytes [E4, 74] .text C:\Windows\system32\svchost.exe[2072] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007727ee7d 1 byte [62] .text C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe[3052] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000773913c0 5 bytes JMP 00000000774f0460 .text C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe[3052] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077391410 5 bytes JMP 00000000774f0450 .text C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe[3052] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077391570 5 bytes JMP 00000000774f0370 .text C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe[3052] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000773915c0 5 bytes JMP 00000000774f0470 .text C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe[3052] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000773915d0 5 bytes JMP 00000000774f03e0 .text C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe[3052] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077391680 5 bytes JMP 00000000774f0320 .text C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe[3052] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000773916b0 5 bytes JMP 00000000774f03b0 .text C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe[3052] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000773916d0 5 bytes JMP 00000000774f0390 .text C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe[3052] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077391710 5 bytes JMP 00000000774f02e0 .text C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe[3052] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077391790 5 bytes JMP 00000000774f02d0 .text C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe[3052] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000773917b0 5 bytes JMP 00000000774f0310 .text C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe[3052] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000773917f0 5 bytes JMP 00000000774f03c0 .text C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe[3052] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077391840 5 bytes JMP 00000000774f03f0 .text C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe[3052] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000773919a0 1 byte JMP 00000000774f0230 .text C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe[3052] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000773919a2 3 bytes {JMP 0x15e890} .text C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe[3052] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077391b60 5 bytes JMP 00000000774f0480 .text C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe[3052] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077391b90 5 bytes JMP 00000000774f03a0 .text C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe[3052] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077391c70 5 bytes JMP 00000000774f02f0 .text C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe[3052] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077391c80 5 bytes JMP 00000000774f0350 .text C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe[3052] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077391ce0 5 bytes JMP 00000000774f0290 .text C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe[3052] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077391d70 5 bytes JMP 00000000774f02b0 .text C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe[3052] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077391d90 5 bytes JMP 00000000774f03d0 .text C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe[3052] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077391da0 1 byte JMP 00000000774f0330 .text C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe[3052] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077391da2 3 bytes {JMP 0x15e590} .text C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe[3052] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077391e10 5 bytes JMP 00000000774f0410 .text C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe[3052] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077391e40 5 bytes JMP 00000000774f0240 .text C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe[3052] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077392100 5 bytes JMP 00000000774f01e0 .text C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe[3052] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000773921c0 1 byte JMP 00000000774f0250 .text C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe[3052] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000773921c2 3 bytes {JMP 0x15e090} .text C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe[3052] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000773921f0 5 bytes JMP 00000000774f0490 .text C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe[3052] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077392200 5 bytes JMP 00000000774f04a0 .text C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe[3052] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077392230 5 bytes JMP 00000000774f0300 .text C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe[3052] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077392240 5 bytes JMP 00000000774f0360 .text C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe[3052] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000773922a0 5 bytes JMP 00000000774f02a0 .text C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe[3052] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000773922f0 5 bytes JMP 00000000774f02c0 .text C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe[3052] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077392320 5 bytes JMP 00000000774f0380 .text C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe[3052] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077392330 5 bytes JMP 00000000774f0340 .text C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe[3052] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077392620 5 bytes JMP 00000000774f0440 .text C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe[3052] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077392820 5 bytes JMP 00000000774f0260 .text C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe[3052] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077392830 5 bytes JMP 00000000774f0270 .text C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe[3052] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077392840 5 bytes JMP 00000000774f0400 .text C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe[3052] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077392a00 5 bytes JMP 00000000774f01f0 .text C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe[3052] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077392a10 5 bytes JMP 00000000774f0210 .text C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe[3052] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077392a80 5 bytes JMP 00000000774f0200 .text C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe[3052] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077392ae0 5 bytes JMP 00000000774f0420 .text C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe[3052] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077392af0 5 bytes JMP 00000000774f0430 .text C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe[3052] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077392b00 5 bytes JMP 00000000774f0220 .text C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe[3052] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077392be0 5 bytes JMP 00000000774f0280 .text C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe[3052] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007727ee7d 1 byte [62] .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[1916] C:\Windows\syswow64\kernel32.dll!SetUnhandledExceptionFilter 0000000075ec8799 8 bytes [31, C0, C2, 04, 00, 90, 90, ...] .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[1916] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000075eea2ea 1 byte [62] .text C:\Windows\System32\svchost.exe[1136] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000773913c0 5 bytes JMP 0000000100070460 .text C:\Windows\System32\svchost.exe[1136] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077391410 5 bytes JMP 0000000100070450 .text C:\Windows\System32\svchost.exe[1136] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077391570 5 bytes JMP 0000000100070370 .text C:\Windows\System32\svchost.exe[1136] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000773915c0 5 bytes JMP 0000000100070470 .text C:\Windows\System32\svchost.exe[1136] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000773915d0 5 bytes JMP 00000001000703e0 .text C:\Windows\System32\svchost.exe[1136] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077391680 5 bytes JMP 0000000100070320 .text C:\Windows\System32\svchost.exe[1136] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000773916b0 5 bytes JMP 00000001000703b0 .text C:\Windows\System32\svchost.exe[1136] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000773916d0 5 bytes JMP 0000000100070390 .text C:\Windows\System32\svchost.exe[1136] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077391710 5 bytes JMP 00000001000702e0 .text C:\Windows\System32\svchost.exe[1136] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077391790 5 bytes JMP 00000001000702d0 .text C:\Windows\System32\svchost.exe[1136] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000773917b0 5 bytes JMP 0000000100070310 .text C:\Windows\System32\svchost.exe[1136] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000773917f0 5 bytes JMP 00000001000703c0 .text C:\Windows\System32\svchost.exe[1136] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077391840 5 bytes JMP 00000001000703f0 .text C:\Windows\System32\svchost.exe[1136] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000773919a0 1 byte JMP 0000000100070230 .text C:\Windows\System32\svchost.exe[1136] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000773919a2 3 bytes {JMP 0xffffffff88cde890} .text C:\Windows\System32\svchost.exe[1136] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077391b60 5 bytes JMP 0000000100070480 .text C:\Windows\System32\svchost.exe[1136] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077391b90 5 bytes JMP 00000001000703a0 .text C:\Windows\System32\svchost.exe[1136] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077391c70 5 bytes JMP 00000001000702f0 .text C:\Windows\System32\svchost.exe[1136] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077391c80 5 bytes JMP 0000000100070350 .text C:\Windows\System32\svchost.exe[1136] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077391ce0 5 bytes JMP 0000000100070290 .text C:\Windows\System32\svchost.exe[1136] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077391d70 5 bytes JMP 00000001000702b0 .text C:\Windows\System32\svchost.exe[1136] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077391d90 5 bytes JMP 00000001000703d0 .text C:\Windows\System32\svchost.exe[1136] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077391da0 1 byte JMP 0000000100070330 .text C:\Windows\System32\svchost.exe[1136] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077391da2 3 bytes {JMP 0xffffffff88cde590} .text C:\Windows\System32\svchost.exe[1136] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077391e10 5 bytes JMP 0000000100070410 .text C:\Windows\System32\svchost.exe[1136] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077391e40 5 bytes JMP 0000000100070240 .text C:\Windows\System32\svchost.exe[1136] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077392100 5 bytes JMP 00000001000701e0 .text C:\Windows\System32\svchost.exe[1136] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000773921c0 1 byte JMP 0000000100070250 .text C:\Windows\System32\svchost.exe[1136] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000773921c2 3 bytes {JMP 0xffffffff88cde090} .text C:\Windows\System32\svchost.exe[1136] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000773921f0 5 bytes JMP 0000000100070490 .text C:\Windows\System32\svchost.exe[1136] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077392200 5 bytes JMP 00000001000704a0 .text C:\Windows\System32\svchost.exe[1136] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077392230 5 bytes JMP 0000000100070300 .text C:\Windows\System32\svchost.exe[1136] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077392240 5 bytes JMP 0000000100070360 .text C:\Windows\System32\svchost.exe[1136] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000773922a0 5 bytes JMP 00000001000702a0 .text C:\Windows\System32\svchost.exe[1136] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000773922f0 5 bytes JMP 00000001000702c0 .text C:\Windows\System32\svchost.exe[1136] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077392320 5 bytes JMP 0000000100070380 .text C:\Windows\System32\svchost.exe[1136] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077392330 5 bytes JMP 0000000100070340 .text C:\Windows\System32\svchost.exe[1136] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077392620 5 bytes JMP 0000000100070440 .text C:\Windows\System32\svchost.exe[1136] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077392820 5 bytes JMP 0000000100070260 .text C:\Windows\System32\svchost.exe[1136] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077392830 5 bytes JMP 0000000100070270 .text C:\Windows\System32\svchost.exe[1136] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077392840 5 bytes JMP 0000000100070400 .text C:\Windows\System32\svchost.exe[1136] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077392a00 5 bytes JMP 00000001000701f0 .text C:\Windows\System32\svchost.exe[1136] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077392a10 5 bytes JMP 0000000100070210 .text C:\Windows\System32\svchost.exe[1136] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077392a80 5 bytes JMP 0000000100070200 .text C:\Windows\System32\svchost.exe[1136] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077392ae0 5 bytes JMP 0000000100070420 .text C:\Windows\System32\svchost.exe[1136] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077392af0 5 bytes JMP 0000000100070430 .text C:\Windows\System32\svchost.exe[1136] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077392b00 5 bytes JMP 0000000100070220 .text C:\Windows\System32\svchost.exe[1136] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077392be0 5 bytes JMP 0000000100070280 .text C:\Windows\System32\svchost.exe[1136] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007727ee7d 1 byte [62] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1500] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000773913c0 5 bytes JMP 0000000100060460 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1500] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077391410 5 bytes JMP 0000000100060450 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1500] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077391570 5 bytes JMP 0000000100060370 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1500] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000773915c0 5 bytes JMP 0000000100060470 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1500] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000773915d0 5 bytes JMP 00000001000603e0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1500] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077391680 5 bytes JMP 0000000100060320 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1500] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000773916b0 5 bytes JMP 00000001000603b0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1500] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000773916d0 5 bytes JMP 0000000100060390 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1500] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077391710 5 bytes JMP 00000001000602e0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1500] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077391790 5 bytes JMP 00000001000602d0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1500] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000773917b0 5 bytes JMP 0000000100060310 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1500] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000773917f0 5 bytes JMP 00000001000603c0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1500] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077391840 5 bytes JMP 00000001000603f0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1500] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000773919a0 1 byte JMP 0000000100060230 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1500] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000773919a2 3 bytes {JMP 0xffffffff88cce890} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1500] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077391b60 5 bytes JMP 0000000100060480 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1500] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077391b90 5 bytes JMP 00000001000603a0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1500] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077391c70 5 bytes JMP 00000001000602f0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1500] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077391c80 5 bytes JMP 0000000100060350 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1500] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077391ce0 5 bytes JMP 0000000100060290 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1500] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077391d70 5 bytes JMP 00000001000602b0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1500] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077391d90 5 bytes JMP 00000001000603d0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1500] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077391da0 1 byte JMP 0000000100060330 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1500] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077391da2 3 bytes {JMP 0xffffffff88cce590} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1500] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077391e10 5 bytes JMP 0000000100060410 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1500] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077391e40 5 bytes JMP 0000000100060240 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1500] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077392100 5 bytes JMP 00000001000601e0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1500] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000773921c0 1 byte JMP 0000000100060250 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1500] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000773921c2 3 bytes {JMP 0xffffffff88cce090} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1500] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000773921f0 5 bytes JMP 0000000100060490 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1500] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077392200 5 bytes JMP 00000001000604a0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1500] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077392230 5 bytes JMP 0000000100060300 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1500] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077392240 5 bytes JMP 0000000100060360 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1500] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000773922a0 5 bytes JMP 00000001000602a0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1500] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000773922f0 5 bytes JMP 00000001000602c0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1500] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077392320 5 bytes JMP 0000000100060380 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1500] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077392330 5 bytes JMP 0000000100060340 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1500] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077392620 5 bytes JMP 0000000100060440 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1500] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077392820 5 bytes JMP 0000000100060260 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1500] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077392830 5 bytes JMP 0000000100060270 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1500] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077392840 5 bytes JMP 0000000100060400 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1500] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077392a00 5 bytes JMP 00000001000601f0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1500] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077392a10 5 bytes JMP 0000000100060210 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1500] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077392a80 5 bytes JMP 0000000100060200 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1500] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077392ae0 5 bytes JMP 0000000100060420 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1500] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077392af0 5 bytes JMP 0000000100060430 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1500] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077392b00 5 bytes JMP 0000000100060220 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1500] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077392be0 5 bytes JMP 0000000100060280 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1500] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007727ee7d 1 byte [62] .text C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcAppFlt.exe[2904] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000773913c0 5 bytes JMP 00000000774f0460 .text C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcAppFlt.exe[2904] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077391410 5 bytes JMP 00000000774f0450 .text C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcAppFlt.exe[2904] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077391570 5 bytes JMP 00000000774f0370 .text C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcAppFlt.exe[2904] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000773915c0 5 bytes JMP 00000000774f0470 .text C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcAppFlt.exe[2904] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000773915d0 5 bytes JMP 00000000774f03e0 .text C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcAppFlt.exe[2904] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077391680 5 bytes JMP 00000000774f0320 .text C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcAppFlt.exe[2904] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000773916b0 5 bytes JMP 00000000774f03b0 .text C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcAppFlt.exe[2904] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000773916d0 5 bytes JMP 00000000774f0390 .text C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcAppFlt.exe[2904] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077391710 5 bytes JMP 00000000774f02e0 .text C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcAppFlt.exe[2904] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077391790 5 bytes JMP 00000000774f02d0 .text C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcAppFlt.exe[2904] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000773917b0 5 bytes JMP 00000000774f0310 .text C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcAppFlt.exe[2904] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000773917f0 5 bytes JMP 00000000774f03c0 .text C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcAppFlt.exe[2904] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077391840 5 bytes JMP 00000000774f03f0 .text C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcAppFlt.exe[2904] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000773919a0 1 byte JMP 00000000774f0230 .text C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcAppFlt.exe[2904] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000773919a2 3 bytes {JMP 0x15e890} .text C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcAppFlt.exe[2904] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077391b60 5 bytes JMP 00000000774f0480 .text C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcAppFlt.exe[2904] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077391b90 5 bytes JMP 00000000774f03a0 .text C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcAppFlt.exe[2904] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077391c70 5 bytes JMP 00000000774f02f0 .text C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcAppFlt.exe[2904] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077391c80 5 bytes JMP 00000000774f0350 .text C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcAppFlt.exe[2904] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077391ce0 5 bytes JMP 00000000774f0290 .text C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcAppFlt.exe[2904] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077391d70 5 bytes JMP 00000000774f02b0 .text C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcAppFlt.exe[2904] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077391d90 5 bytes JMP 00000000774f03d0 .text C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcAppFlt.exe[2904] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077391da0 1 byte JMP 00000000774f0330 .text C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcAppFlt.exe[2904] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077391da2 3 bytes {JMP 0x15e590} .text C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcAppFlt.exe[2904] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077391e10 5 bytes JMP 00000000774f0410 .text C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcAppFlt.exe[2904] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077391e40 5 bytes JMP 00000000774f0240 .text C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcAppFlt.exe[2904] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077392100 5 bytes JMP 00000000774f01e0 .text C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcAppFlt.exe[2904] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000773921c0 1 byte JMP 00000000774f0250 .text C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcAppFlt.exe[2904] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000773921c2 3 bytes {JMP 0x15e090} .text C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcAppFlt.exe[2904] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000773921f0 5 bytes JMP 00000000774f0490 .text C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcAppFlt.exe[2904] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077392200 5 bytes JMP 00000000774f04a0 .text C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcAppFlt.exe[2904] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077392230 5 bytes JMP 00000000774f0300 .text C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcAppFlt.exe[2904] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077392240 5 bytes JMP 00000000774f0360 .text C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcAppFlt.exe[2904] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000773922a0 5 bytes JMP 00000000774f02a0 .text C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcAppFlt.exe[2904] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000773922f0 5 bytes JMP 00000000774f02c0 .text C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcAppFlt.exe[2904] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077392320 5 bytes JMP 00000000774f0380 .text C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcAppFlt.exe[2904] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077392330 5 bytes JMP 00000000774f0340 .text C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcAppFlt.exe[2904] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077392620 5 bytes JMP 00000000774f0440 .text C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcAppFlt.exe[2904] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077392820 5 bytes JMP 00000000774f0260 .text C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcAppFlt.exe[2904] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077392830 5 bytes JMP 00000000774f0270 .text C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcAppFlt.exe[2904] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077392840 5 bytes JMP 00000000774f0400 .text C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcAppFlt.exe[2904] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077392a00 5 bytes JMP 00000000774f01f0 .text C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcAppFlt.exe[2904] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077392a10 5 bytes JMP 00000000774f0210 .text C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcAppFlt.exe[2904] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077392a80 5 bytes JMP 00000000774f0200 .text C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcAppFlt.exe[2904] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077392ae0 5 bytes JMP 00000000774f0420 .text C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcAppFlt.exe[2904] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077392af0 5 bytes JMP 00000000774f0430 .text C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcAppFlt.exe[2904] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077392b00 5 bytes JMP 00000000774f0220 .text C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcAppFlt.exe[2904] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077392be0 5 bytes JMP 00000000774f0280 .text C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcAppFlt.exe[2904] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007727ee7d 1 byte [62] .text C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcIp.exe[2240] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000773913c0 5 bytes JMP 00000000774f0460 .text C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcIp.exe[2240] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077391410 5 bytes JMP 00000000774f0450 .text C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcIp.exe[2240] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077391570 5 bytes JMP 00000000774f0370 .text C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcIp.exe[2240] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000773915c0 5 bytes JMP 00000000774f0470 .text C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcIp.exe[2240] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000773915d0 5 bytes JMP 00000000774f03e0 .text C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcIp.exe[2240] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077391680 5 bytes JMP 00000000774f0320 .text C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcIp.exe[2240] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000773916b0 5 bytes JMP 00000000774f03b0 .text C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcIp.exe[2240] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000773916d0 5 bytes JMP 00000000774f0390 .text C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcIp.exe[2240] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077391710 5 bytes JMP 00000000774f02e0 .text C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcIp.exe[2240] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077391790 5 bytes JMP 00000000774f02d0 .text C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcIp.exe[2240] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000773917b0 5 bytes JMP 00000000774f0310 .text C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcIp.exe[2240] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000773917f0 5 bytes JMP 00000000774f03c0 .text C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcIp.exe[2240] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077391840 5 bytes JMP 00000000774f03f0 .text C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcIp.exe[2240] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000773919a0 1 byte JMP 00000000774f0230 .text C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcIp.exe[2240] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000773919a2 3 bytes {JMP 0x15e890} .text C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcIp.exe[2240] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077391b60 5 bytes JMP 00000000774f0480 .text C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcIp.exe[2240] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077391b90 5 bytes JMP 00000000774f03a0 .text C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcIp.exe[2240] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077391c70 5 bytes JMP 00000000774f02f0 .text C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcIp.exe[2240] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077391c80 5 bytes JMP 00000000774f0350 .text C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcIp.exe[2240] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077391ce0 5 bytes JMP 00000000774f0290 .text C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcIp.exe[2240] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077391d70 5 bytes JMP 00000000774f02b0 .text C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcIp.exe[2240] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077391d90 5 bytes JMP 00000000774f03d0 .text C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcIp.exe[2240] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077391da0 1 byte JMP 00000000774f0330 .text C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcIp.exe[2240] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077391da2 3 bytes {JMP 0x15e590} .text C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcIp.exe[2240] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077391e10 5 bytes JMP 00000000774f0410 .text C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcIp.exe[2240] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077391e40 5 bytes JMP 00000000774f0240 .text C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcIp.exe[2240] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077392100 5 bytes JMP 00000000774f01e0 .text C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcIp.exe[2240] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000773921c0 1 byte JMP 00000000774f0250 .text C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcIp.exe[2240] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000773921c2 3 bytes {JMP 0x15e090} .text C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcIp.exe[2240] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000773921f0 5 bytes JMP 00000000774f0490 .text C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcIp.exe[2240] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077392200 5 bytes JMP 00000000774f04a0 .text C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcIp.exe[2240] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077392230 5 bytes JMP 00000000774f0300 .text C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcIp.exe[2240] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077392240 5 bytes JMP 00000000774f0360 .text C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcIp.exe[2240] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000773922a0 5 bytes JMP 00000000774f02a0 .text C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcIp.exe[2240] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000773922f0 5 bytes JMP 00000000774f02c0 .text C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcIp.exe[2240] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077392320 5 bytes JMP 00000000774f0380 .text C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcIp.exe[2240] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077392330 5 bytes JMP 00000000774f0340 .text C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcIp.exe[2240] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077392620 5 bytes JMP 00000000774f0440 .text C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcIp.exe[2240] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077392820 5 bytes JMP 00000000774f0260 .text C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcIp.exe[2240] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077392830 5 bytes JMP 00000000774f0270 .text C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcIp.exe[2240] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077392840 5 bytes JMP 00000000774f0400 .text C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcIp.exe[2240] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077392a00 5 bytes JMP 00000000774f01f0 .text C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcIp.exe[2240] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077392a10 5 bytes JMP 00000000774f0210 .text C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcIp.exe[2240] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077392a80 5 bytes JMP 00000000774f0200 .text C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcIp.exe[2240] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077392ae0 5 bytes JMP 00000000774f0420 .text C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcIp.exe[2240] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077392af0 5 bytes JMP 00000000774f0430 .text C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcIp.exe[2240] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077392b00 5 bytes JMP 00000000774f0220 .text C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcIp.exe[2240] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077392be0 5 bytes JMP 00000000774f0280 .text C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcIp.exe[2240] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007727ee7d 1 byte [62] .text C:\Users\user\Desktop\gmer\gmer.exe[3128] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000075eea2ea 1 byte [62] ---- User IAT/EAT - GMER 2.1 ---- IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1500] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmAddToStreamDWord] [7fef49f741c] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1500] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmSet] [7fef49f5f10] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1500] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmEndSession] [7fef49f5674] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1500] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmStartSession] [7fef49f5e2c] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1500] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmStartUpload] [7fef49f7f48] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1500] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmSetAppVersion] [7fef49f6a38] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1500] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmSetMachineId] [7fef49f6ee8] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1500] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmWriteSharedMachineId] [7fef49f7b58] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1500] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmCreateNewId] [7fef49f7ea0] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1500] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmReadSharedMachineId] [7fef49f78b0] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1500] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmGetSession] [7fef49f4fb4] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1500] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmSetAppId] [7fef49f5d38] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1500] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmAddToStreamString] [7fef49f7584] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll ---- Processes - GMER 2.1 ---- Library C:\Program Files (x86)\Jump Flip\updateJumpFlip.exe (*** suspicious ***) @ C:\Program Files (x86)\Jump Flip\updateJumpFlip.exe [2108] 00000000013c0000 Library C:\Program Files (x86)\Jump Flip\bin\utilJumpFlip.exe (*** suspicious ***) @ C:\Program Files (x86)\Jump Flip\bin\utilJumpFlip.exe [2188] 00000000002d0000 ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\001167647afa Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\001167647afa (not active ControlSet) ---- Files - GMER 2.1 ---- File C:\Users\user\AppData\Local\Google\Chrome\User Data\lockfile 0 bytes File C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\chrome-extension_fcfmdpbbamddodobfneccfclbmjolhfn_0.localstorage 3072 bytes File C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\chrome-extension_fcfmdpbbamddodobfneccfclbmjolhfn_0.localstorage-journal 512 bytes File C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Pepper Data\Shockwave Flash\2E29.tmp 0 bytes ---- EOF - GMER 2.1 ----