GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2014-09-11 11:04:17 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 WDC_WD32 rev.01.0 298,09GB Running: nkegnm4e.exe; Driver: C:\Users\HP\AppData\Local\Temp\uxrdipod.sys ---- Kernel code sections - GMER 2.1 ---- INITKDBG C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 528 fffff800035f4000 45 bytes [00, 00, 00, 00, 00, 00, 00, ...] INITKDBG C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 575 fffff800035f402f 16 bytes [00, 00, 00, 00, 00, 00, 00, ...] .text C:\Windows\system32\drivers\USBPORT.SYS!DllUnload fffff8800443ad8c 12 bytes {MOV RAX, 0xfffffa8006e122a0; JMP RAX} ---- User code sections - GMER 2.1 ---- .text C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077041360 5 bytes JMP 00000001496b0460 .text C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000770413b0 5 bytes JMP 00000001496b0450 .text C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077041510 5 bytes JMP 00000001496b0370 .text C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077041560 5 bytes JMP 00000001496b0470 .text C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077041570 5 bytes JMP 00000001496b03e0 .text C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077041620 5 bytes JMP 00000001496b0320 .text C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077041650 5 bytes JMP 00000001496b03b0 .text C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077041670 5 bytes JMP 00000001496b0390 .text C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000770416b0 5 bytes JMP 00000001496b02e0 .text C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077041730 5 bytes JMP 00000001496b02d0 .text C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077041750 5 bytes JMP 00000001496b0310 .text C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077041790 5 bytes JMP 00000001496b03c0 .text C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000770417e0 5 bytes JMP 00000001496b03f0 .text C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077041940 5 bytes JMP 00000001496b0230 .text C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077041b00 5 bytes JMP 00000001496b0480 .text C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077041b30 5 bytes JMP 00000001496b03a0 .text C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077041c10 5 bytes JMP 00000001496b02f0 .text C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077041c20 5 bytes JMP 00000001496b0350 .text C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077041c80 5 bytes JMP 00000001496b0290 .text C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077041d10 5 bytes JMP 00000001496b02b0 .text C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077041d30 5 bytes JMP 00000001496b03d0 .text C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077041d40 5 bytes JMP 00000001496b0330 .text C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077041db0 5 bytes JMP 00000001496b0410 .text C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077041de0 5 bytes JMP 00000001496b0240 .text C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000770420a0 5 bytes JMP 00000001496b01e0 .text C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077042160 5 bytes JMP 00000001496b0250 .text C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077042190 5 bytes JMP 00000001496b0490 .text C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000770421a0 5 bytes JMP 00000001496b04a0 .text C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000770421d0 5 bytes JMP 00000001496b0300 .text C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000770421e0 5 bytes JMP 00000001496b0360 .text C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077042240 5 bytes JMP 00000001496b02a0 .text C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077042290 5 bytes JMP 00000001496b02c0 .text C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000770422c0 5 bytes JMP 00000001496b0380 .text C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000770422d0 5 bytes JMP 00000001496b0340 .text C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000770425c0 5 bytes JMP 00000001496b0440 .text C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000770427c0 5 bytes JMP 00000001496b0260 .text C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000770427d0 5 bytes JMP 00000001496b0270 .text C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000770427e0 5 bytes JMP 00000001496b0400 .text C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000770429a0 5 bytes JMP 00000001496b01f0 .text C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000770429b0 5 bytes JMP 00000001496b0210 .text C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077042a20 5 bytes JMP 00000001496b0200 .text C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077042a80 5 bytes JMP 00000001496b0420 .text C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077042a90 5 bytes JMP 00000001496b0430 .text C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077042aa0 5 bytes JMP 00000001496b0220 .text C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077042b80 5 bytes JMP 00000001496b0280 .text C:\Windows\system32\csrss.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077041360 5 bytes JMP 00000001496b0460 .text C:\Windows\system32\csrss.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000770413b0 5 bytes JMP 00000001496b0450 .text C:\Windows\system32\csrss.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077041510 5 bytes JMP 00000001496b0370 .text C:\Windows\system32\csrss.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077041560 5 bytes JMP 00000001496b0470 .text C:\Windows\system32\csrss.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077041570 5 bytes JMP 00000001496b03e0 .text C:\Windows\system32\csrss.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077041620 5 bytes JMP 00000001496b0320 .text C:\Windows\system32\csrss.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077041650 5 bytes JMP 00000001496b03b0 .text C:\Windows\system32\csrss.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077041670 5 bytes JMP 00000001496b0390 .text C:\Windows\system32\csrss.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000770416b0 5 bytes JMP 00000001496b02e0 .text C:\Windows\system32\csrss.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077041730 5 bytes JMP 00000001496b02d0 .text C:\Windows\system32\csrss.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077041750 5 bytes JMP 00000001496b0310 .text C:\Windows\system32\csrss.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077041790 5 bytes JMP 00000001496b03c0 .text C:\Windows\system32\csrss.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000770417e0 5 bytes JMP 00000001496b03f0 .text C:\Windows\system32\csrss.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077041940 5 bytes JMP 00000001496b0230 .text C:\Windows\system32\csrss.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077041b00 5 bytes JMP 00000001496b0480 .text C:\Windows\system32\csrss.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077041b30 5 bytes JMP 00000001496b03a0 .text C:\Windows\system32\csrss.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077041c10 5 bytes JMP 00000001496b02f0 .text C:\Windows\system32\csrss.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077041c20 5 bytes JMP 00000001496b0350 .text C:\Windows\system32\csrss.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077041c80 5 bytes JMP 00000001496b0290 .text C:\Windows\system32\csrss.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077041d10 5 bytes JMP 00000001496b02b0 .text C:\Windows\system32\csrss.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077041d30 5 bytes JMP 00000001496b03d0 .text C:\Windows\system32\csrss.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077041d40 5 bytes JMP 00000001496b0330 .text C:\Windows\system32\csrss.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077041db0 5 bytes JMP 00000001496b0410 .text C:\Windows\system32\csrss.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077041de0 5 bytes JMP 00000001496b0240 .text C:\Windows\system32\csrss.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000770420a0 5 bytes JMP 00000001496b01e0 .text C:\Windows\system32\csrss.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077042160 5 bytes JMP 00000001496b0250 .text C:\Windows\system32\csrss.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077042190 5 bytes JMP 00000001496b0490 .text C:\Windows\system32\csrss.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000770421a0 5 bytes JMP 00000001496b04a0 .text C:\Windows\system32\csrss.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000770421d0 5 bytes JMP 00000001496b0300 .text C:\Windows\system32\csrss.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000770421e0 5 bytes JMP 00000001496b0360 .text C:\Windows\system32\csrss.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077042240 5 bytes JMP 00000001496b02a0 .text C:\Windows\system32\csrss.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077042290 5 bytes JMP 00000001496b02c0 .text C:\Windows\system32\csrss.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000770422c0 5 bytes JMP 00000001496b0380 .text C:\Windows\system32\csrss.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000770422d0 5 bytes JMP 00000001496b0340 .text C:\Windows\system32\csrss.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000770425c0 5 bytes JMP 00000001496b0440 .text C:\Windows\system32\csrss.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000770427c0 5 bytes JMP 00000001496b0260 .text C:\Windows\system32\csrss.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000770427d0 5 bytes JMP 00000001496b0270 .text C:\Windows\system32\csrss.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000770427e0 5 bytes JMP 00000001496b0400 .text C:\Windows\system32\csrss.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000770429a0 5 bytes JMP 00000001496b01f0 .text C:\Windows\system32\csrss.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000770429b0 5 bytes JMP 00000001496b0210 .text C:\Windows\system32\csrss.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077042a20 5 bytes JMP 00000001496b0200 .text C:\Windows\system32\csrss.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077042a80 5 bytes JMP 00000001496b0420 .text C:\Windows\system32\csrss.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077042a90 5 bytes JMP 00000001496b0430 .text C:\Windows\system32\csrss.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077042aa0 5 bytes JMP 00000001496b0220 .text C:\Windows\system32\csrss.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077042b80 5 bytes JMP 00000001496b0280 .text C:\Windows\system32\wininit.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077041360 5 bytes JMP 00000000771a0460 .text C:\Windows\system32\wininit.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000770413b0 5 bytes JMP 00000000771a0450 .text C:\Windows\system32\wininit.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077041510 5 bytes JMP 00000000771a0370 .text C:\Windows\system32\wininit.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077041560 5 bytes JMP 00000000771a0470 .text C:\Windows\system32\wininit.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077041570 5 bytes JMP 00000000771a03e0 .text C:\Windows\system32\wininit.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077041620 5 bytes JMP 00000000771a0320 .text C:\Windows\system32\wininit.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077041650 5 bytes JMP 00000000771a03b0 .text C:\Windows\system32\wininit.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077041670 5 bytes JMP 00000000771a0390 .text C:\Windows\system32\wininit.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000770416b0 5 bytes JMP 00000000771a02e0 .text C:\Windows\system32\wininit.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077041730 5 bytes JMP 00000000771a02d0 .text C:\Windows\system32\wininit.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077041750 5 bytes JMP 00000000771a0310 .text C:\Windows\system32\wininit.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077041790 5 bytes JMP 00000000771a03c0 .text C:\Windows\system32\wininit.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000770417e0 5 bytes JMP 00000000771a03f0 .text C:\Windows\system32\wininit.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077041940 5 bytes JMP 00000000771a0230 .text C:\Windows\system32\wininit.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077041b00 5 bytes JMP 00000000771a0480 .text C:\Windows\system32\wininit.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077041b30 5 bytes JMP 00000000771a03a0 .text C:\Windows\system32\wininit.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077041c10 5 bytes JMP 00000000771a02f0 .text C:\Windows\system32\wininit.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077041c20 5 bytes JMP 00000000771a0350 .text C:\Windows\system32\wininit.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077041c80 5 bytes JMP 00000000771a0290 .text C:\Windows\system32\wininit.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077041d10 5 bytes JMP 00000000771a02b0 .text C:\Windows\system32\wininit.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077041d30 5 bytes JMP 00000000771a03d0 .text C:\Windows\system32\wininit.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077041d40 5 bytes JMP 00000000771a0330 .text C:\Windows\system32\wininit.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077041db0 5 bytes JMP 00000000771a0410 .text C:\Windows\system32\wininit.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077041de0 5 bytes JMP 00000000771a0240 .text C:\Windows\system32\wininit.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000770420a0 5 bytes JMP 00000000771a01e0 .text C:\Windows\system32\wininit.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077042160 5 bytes JMP 00000000771a0250 .text C:\Windows\system32\wininit.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077042190 5 bytes JMP 00000000771a0490 .text C:\Windows\system32\wininit.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000770421a0 5 bytes JMP 00000000771a04a0 .text C:\Windows\system32\wininit.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000770421d0 5 bytes JMP 00000000771a0300 .text C:\Windows\system32\wininit.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000770421e0 5 bytes JMP 00000000771a0360 .text C:\Windows\system32\wininit.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077042240 5 bytes JMP 00000000771a02a0 .text C:\Windows\system32\wininit.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077042290 5 bytes JMP 00000000771a02c0 .text C:\Windows\system32\wininit.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000770422c0 5 bytes JMP 00000000771a0380 .text C:\Windows\system32\wininit.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000770422d0 5 bytes JMP 00000000771a0340 .text C:\Windows\system32\wininit.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000770425c0 5 bytes JMP 00000000771a0440 .text C:\Windows\system32\wininit.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000770427c0 5 bytes JMP 00000000771a0260 .text C:\Windows\system32\wininit.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000770427d0 5 bytes JMP 00000000771a0270 .text C:\Windows\system32\wininit.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000770427e0 5 bytes JMP 00000000771a0400 .text C:\Windows\system32\wininit.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000770429a0 5 bytes JMP 00000000771a01f0 .text C:\Windows\system32\wininit.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000770429b0 5 bytes JMP 00000000771a0210 .text C:\Windows\system32\wininit.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077042a20 5 bytes JMP 00000000771a0200 .text C:\Windows\system32\wininit.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077042a80 5 bytes JMP 00000000771a0420 .text C:\Windows\system32\wininit.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077042a90 5 bytes JMP 00000000771a0430 .text C:\Windows\system32\wininit.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077042aa0 5 bytes JMP 00000000771a0220 .text C:\Windows\system32\wininit.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077042b80 5 bytes JMP 00000000771a0280 .text C:\Windows\system32\wininit.exe[632] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076f2ef8d 1 byte [62] .text C:\Windows\system32\winlogon.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077041360 5 bytes JMP 0000000100040460 .text C:\Windows\system32\winlogon.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000770413b0 5 bytes JMP 0000000100040450 .text C:\Windows\system32\winlogon.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077041510 5 bytes JMP 0000000100040370 .text C:\Windows\system32\winlogon.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077041560 5 bytes JMP 0000000100040470 .text C:\Windows\system32\winlogon.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077041570 5 bytes JMP 00000001000403e0 .text C:\Windows\system32\winlogon.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077041620 5 bytes JMP 0000000100040320 .text C:\Windows\system32\winlogon.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077041650 5 bytes JMP 00000001000403b0 .text C:\Windows\system32\winlogon.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077041670 5 bytes JMP 0000000100040390 .text C:\Windows\system32\winlogon.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000770416b0 5 bytes JMP 00000001000402e0 .text C:\Windows\system32\winlogon.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077041730 5 bytes JMP 00000001000402d0 .text C:\Windows\system32\winlogon.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077041750 5 bytes JMP 0000000100040310 .text C:\Windows\system32\winlogon.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077041790 5 bytes JMP 00000001000403c0 .text C:\Windows\system32\winlogon.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000770417e0 5 bytes JMP 00000001000403f0 .text C:\Windows\system32\winlogon.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077041940 5 bytes JMP 0000000100040230 .text C:\Windows\system32\winlogon.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077041b00 5 bytes JMP 0000000100040480 .text C:\Windows\system32\winlogon.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077041b30 5 bytes JMP 00000001000403a0 .text C:\Windows\system32\winlogon.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077041c10 5 bytes JMP 00000001000402f0 .text C:\Windows\system32\winlogon.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077041c20 5 bytes JMP 0000000100040350 .text C:\Windows\system32\winlogon.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077041c80 5 bytes JMP 0000000100040290 .text C:\Windows\system32\winlogon.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077041d10 5 bytes JMP 00000001000402b0 .text C:\Windows\system32\winlogon.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077041d30 5 bytes JMP 00000001000403d0 .text C:\Windows\system32\winlogon.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077041d40 5 bytes JMP 0000000100040330 .text C:\Windows\system32\winlogon.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077041db0 5 bytes JMP 0000000100040410 .text C:\Windows\system32\winlogon.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077041de0 5 bytes JMP 0000000100040240 .text C:\Windows\system32\winlogon.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000770420a0 5 bytes JMP 00000001000401e0 .text C:\Windows\system32\winlogon.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077042160 5 bytes JMP 0000000100040250 .text C:\Windows\system32\winlogon.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077042190 5 bytes JMP 0000000100040490 .text C:\Windows\system32\winlogon.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000770421a0 5 bytes JMP 00000001000404a0 .text C:\Windows\system32\winlogon.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000770421d0 5 bytes JMP 0000000100040300 .text C:\Windows\system32\winlogon.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000770421e0 5 bytes JMP 0000000100040360 .text C:\Windows\system32\winlogon.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077042240 5 bytes JMP 00000001000402a0 .text C:\Windows\system32\winlogon.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077042290 5 bytes JMP 00000001000402c0 .text C:\Windows\system32\winlogon.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000770422c0 5 bytes JMP 0000000100040380 .text C:\Windows\system32\winlogon.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000770422d0 5 bytes JMP 0000000100040340 .text C:\Windows\system32\winlogon.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000770425c0 5 bytes JMP 0000000100040440 .text C:\Windows\system32\winlogon.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000770427c0 5 bytes JMP 0000000100040260 .text C:\Windows\system32\winlogon.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000770427d0 5 bytes JMP 0000000100040270 .text C:\Windows\system32\winlogon.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000770427e0 5 bytes JMP 0000000100040400 .text C:\Windows\system32\winlogon.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000770429a0 5 bytes JMP 00000001000401f0 .text C:\Windows\system32\winlogon.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000770429b0 5 bytes JMP 0000000100040210 .text C:\Windows\system32\winlogon.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077042a20 5 bytes JMP 0000000100040200 .text C:\Windows\system32\winlogon.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077042a80 5 bytes JMP 0000000100040420 .text C:\Windows\system32\winlogon.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077042a90 5 bytes JMP 0000000100040430 .text C:\Windows\system32\winlogon.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077042aa0 5 bytes JMP 0000000100040220 .text C:\Windows\system32\winlogon.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077042b80 5 bytes JMP 0000000100040280 .text C:\Windows\system32\winlogon.exe[688] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076f2ef8d 1 byte [62] .text C:\Windows\system32\services.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077041360 5 bytes JMP 00000000771a0460 .text C:\Windows\system32\services.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000770413b0 5 bytes JMP 00000000771a0450 .text C:\Windows\system32\services.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077041510 5 bytes JMP 00000000771a0370 .text C:\Windows\system32\services.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077041560 5 bytes JMP 00000000771a0470 .text C:\Windows\system32\services.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077041570 5 bytes JMP 00000000771a03e0 .text C:\Windows\system32\services.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077041620 5 bytes JMP 00000000771a0320 .text C:\Windows\system32\services.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077041650 5 bytes JMP 00000000771a03b0 .text C:\Windows\system32\services.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077041670 5 bytes JMP 00000000771a0390 .text C:\Windows\system32\services.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000770416b0 5 bytes JMP 00000000771a02e0 .text C:\Windows\system32\services.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077041730 5 bytes JMP 00000000771a02d0 .text C:\Windows\system32\services.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077041750 5 bytes JMP 00000000771a0310 .text C:\Windows\system32\services.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077041790 5 bytes JMP 00000000771a03c0 .text C:\Windows\system32\services.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000770417e0 5 bytes JMP 00000000771a03f0 .text C:\Windows\system32\services.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077041940 5 bytes JMP 00000000771a0230 .text C:\Windows\system32\services.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077041b00 5 bytes JMP 00000000771a0480 .text C:\Windows\system32\services.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077041b30 5 bytes JMP 00000000771a03a0 .text C:\Windows\system32\services.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077041c10 5 bytes JMP 00000000771a02f0 .text C:\Windows\system32\services.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077041c20 5 bytes JMP 00000000771a0350 .text C:\Windows\system32\services.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077041c80 5 bytes JMP 00000000771a0290 .text C:\Windows\system32\services.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077041d10 5 bytes JMP 00000000771a02b0 .text C:\Windows\system32\services.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077041d30 5 bytes JMP 00000000771a03d0 .text C:\Windows\system32\services.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077041d40 5 bytes JMP 00000000771a0330 .text C:\Windows\system32\services.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077041db0 5 bytes JMP 00000000771a0410 .text C:\Windows\system32\services.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077041de0 5 bytes JMP 00000000771a0240 .text C:\Windows\system32\services.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000770420a0 5 bytes JMP 00000000771a01e0 .text C:\Windows\system32\services.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077042160 5 bytes JMP 00000000771a0250 .text C:\Windows\system32\services.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077042190 5 bytes JMP 00000000771a0490 .text C:\Windows\system32\services.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000770421a0 5 bytes JMP 00000000771a04a0 .text C:\Windows\system32\services.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000770421d0 5 bytes JMP 00000000771a0300 .text C:\Windows\system32\services.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000770421e0 5 bytes JMP 00000000771a0360 .text C:\Windows\system32\services.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077042240 5 bytes JMP 00000000771a02a0 .text C:\Windows\system32\services.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077042290 5 bytes JMP 00000000771a02c0 .text C:\Windows\system32\services.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000770422c0 5 bytes JMP 00000000771a0380 .text C:\Windows\system32\services.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000770422d0 5 bytes JMP 00000000771a0340 .text C:\Windows\system32\services.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000770425c0 5 bytes JMP 00000000771a0440 .text C:\Windows\system32\services.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000770427c0 5 bytes JMP 00000000771a0260 .text C:\Windows\system32\services.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000770427d0 5 bytes JMP 00000000771a0270 .text C:\Windows\system32\services.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000770427e0 5 bytes JMP 00000000771a0400 .text C:\Windows\system32\services.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000770429a0 5 bytes JMP 00000000771a01f0 .text C:\Windows\system32\services.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000770429b0 5 bytes JMP 00000000771a0210 .text C:\Windows\system32\services.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077042a20 5 bytes JMP 00000000771a0200 .text C:\Windows\system32\services.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077042a80 5 bytes JMP 00000000771a0420 .text C:\Windows\system32\services.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077042a90 5 bytes JMP 00000000771a0430 .text C:\Windows\system32\services.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077042aa0 5 bytes JMP 00000000771a0220 .text C:\Windows\system32\services.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077042b80 5 bytes JMP 00000000771a0280 .text C:\Windows\system32\services.exe[728] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076f2ef8d 1 byte [62] .text C:\Windows\system32\lsass.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077041360 5 bytes JMP 00000000771a0460 .text C:\Windows\system32\lsass.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000770413b0 5 bytes JMP 00000000771a0450 .text C:\Windows\system32\lsass.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077041510 5 bytes JMP 00000000771a0370 .text C:\Windows\system32\lsass.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077041560 5 bytes JMP 00000000771a0470 .text C:\Windows\system32\lsass.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077041570 5 bytes JMP 00000000771a03e0 .text C:\Windows\system32\lsass.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077041620 5 bytes JMP 00000000771a0320 .text C:\Windows\system32\lsass.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077041650 5 bytes JMP 00000000771a03b0 .text C:\Windows\system32\lsass.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077041670 5 bytes JMP 00000000771a0390 .text C:\Windows\system32\lsass.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000770416b0 5 bytes JMP 00000000771a02e0 .text C:\Windows\system32\lsass.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077041730 5 bytes JMP 00000000771a02d0 .text C:\Windows\system32\lsass.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077041750 5 bytes JMP 00000000771a0310 .text C:\Windows\system32\lsass.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077041790 5 bytes JMP 00000000771a03c0 .text C:\Windows\system32\lsass.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000770417e0 5 bytes JMP 00000000771a03f0 .text C:\Windows\system32\lsass.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077041940 5 bytes JMP 00000000771a0230 .text C:\Windows\system32\lsass.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077041b00 5 bytes JMP 00000000771a0480 .text C:\Windows\system32\lsass.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077041b30 5 bytes JMP 00000000771a03a0 .text C:\Windows\system32\lsass.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077041c10 5 bytes JMP 00000000771a02f0 .text C:\Windows\system32\lsass.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077041c20 5 bytes JMP 00000000771a0350 .text C:\Windows\system32\lsass.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077041c80 5 bytes JMP 00000000771a0290 .text C:\Windows\system32\lsass.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077041d10 5 bytes JMP 00000000771a02b0 .text C:\Windows\system32\lsass.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077041d30 5 bytes JMP 00000000771a03d0 .text C:\Windows\system32\lsass.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077041d40 5 bytes JMP 00000000771a0330 .text C:\Windows\system32\lsass.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077041db0 5 bytes JMP 00000000771a0410 .text C:\Windows\system32\lsass.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077041de0 5 bytes JMP 00000000771a0240 .text C:\Windows\system32\lsass.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000770420a0 5 bytes JMP 00000000771a01e0 .text C:\Windows\system32\lsass.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077042160 5 bytes JMP 00000000771a0250 .text C:\Windows\system32\lsass.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077042190 5 bytes JMP 00000000771a0490 .text C:\Windows\system32\lsass.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000770421a0 5 bytes JMP 00000000771a04a0 .text C:\Windows\system32\lsass.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000770421d0 5 bytes JMP 00000000771a0300 .text C:\Windows\system32\lsass.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000770421e0 5 bytes JMP 00000000771a0360 .text C:\Windows\system32\lsass.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077042240 5 bytes JMP 00000000771a02a0 .text C:\Windows\system32\lsass.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077042290 5 bytes JMP 00000000771a02c0 .text C:\Windows\system32\lsass.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000770422c0 5 bytes JMP 00000000771a0380 .text C:\Windows\system32\lsass.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000770422d0 5 bytes JMP 00000000771a0340 .text C:\Windows\system32\lsass.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000770425c0 5 bytes JMP 00000000771a0440 .text C:\Windows\system32\lsass.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000770427c0 5 bytes JMP 00000000771a0260 .text C:\Windows\system32\lsass.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000770427d0 5 bytes JMP 00000000771a0270 .text C:\Windows\system32\lsass.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000770427e0 5 bytes JMP 00000000771a0400 .text C:\Windows\system32\lsass.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000770429a0 5 bytes JMP 00000000771a01f0 .text C:\Windows\system32\lsass.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000770429b0 5 bytes JMP 00000000771a0210 .text C:\Windows\system32\lsass.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077042a20 5 bytes JMP 00000000771a0200 .text C:\Windows\system32\lsass.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077042a80 5 bytes JMP 00000000771a0420 .text C:\Windows\system32\lsass.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077042a90 5 bytes JMP 00000000771a0430 .text C:\Windows\system32\lsass.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077042aa0 5 bytes JMP 00000000771a0220 .text C:\Windows\system32\lsass.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077042b80 5 bytes JMP 00000000771a0280 .text C:\Windows\system32\lsm.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077041360 5 bytes JMP 00000000771a0460 .text C:\Windows\system32\lsm.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000770413b0 5 bytes JMP 00000000771a0450 .text C:\Windows\system32\lsm.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077041510 5 bytes JMP 00000000771a0370 .text C:\Windows\system32\lsm.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077041560 5 bytes JMP 00000000771a0470 .text C:\Windows\system32\lsm.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077041570 5 bytes JMP 00000000771a03e0 .text C:\Windows\system32\lsm.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077041620 5 bytes JMP 00000000771a0320 .text C:\Windows\system32\lsm.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077041650 5 bytes JMP 00000000771a03b0 .text C:\Windows\system32\lsm.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077041670 5 bytes JMP 00000000771a0390 .text C:\Windows\system32\lsm.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000770416b0 5 bytes JMP 00000000771a02e0 .text C:\Windows\system32\lsm.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077041730 5 bytes JMP 00000000771a02d0 .text C:\Windows\system32\lsm.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077041750 5 bytes JMP 00000000771a0310 .text C:\Windows\system32\lsm.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077041790 5 bytes JMP 00000000771a03c0 .text C:\Windows\system32\lsm.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000770417e0 5 bytes JMP 00000000771a03f0 .text C:\Windows\system32\lsm.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077041940 5 bytes JMP 00000000771a0230 .text C:\Windows\system32\lsm.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077041b00 5 bytes JMP 00000000771a0480 .text C:\Windows\system32\lsm.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077041b30 5 bytes JMP 00000000771a03a0 .text C:\Windows\system32\lsm.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077041c10 5 bytes JMP 00000000771a02f0 .text C:\Windows\system32\lsm.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077041c20 5 bytes JMP 00000000771a0350 .text C:\Windows\system32\lsm.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077041c80 5 bytes JMP 00000000771a0290 .text C:\Windows\system32\lsm.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077041d10 5 bytes JMP 00000000771a02b0 .text C:\Windows\system32\lsm.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077041d30 5 bytes JMP 00000000771a03d0 .text C:\Windows\system32\lsm.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077041d40 5 bytes JMP 00000000771a0330 .text C:\Windows\system32\lsm.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077041db0 5 bytes JMP 00000000771a0410 .text C:\Windows\system32\lsm.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077041de0 5 bytes JMP 00000000771a0240 .text C:\Windows\system32\lsm.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000770420a0 5 bytes JMP 00000000771a01e0 .text C:\Windows\system32\lsm.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077042160 5 bytes JMP 00000000771a0250 .text C:\Windows\system32\lsm.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077042190 5 bytes JMP 00000000771a0490 .text C:\Windows\system32\lsm.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000770421a0 5 bytes JMP 00000000771a04a0 .text C:\Windows\system32\lsm.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000770421d0 5 bytes JMP 00000000771a0300 .text C:\Windows\system32\lsm.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000770421e0 5 bytes JMP 00000000771a0360 .text C:\Windows\system32\lsm.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077042240 5 bytes JMP 00000000771a02a0 .text C:\Windows\system32\lsm.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077042290 5 bytes JMP 00000000771a02c0 .text C:\Windows\system32\lsm.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000770422c0 5 bytes JMP 00000000771a0380 .text C:\Windows\system32\lsm.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000770422d0 5 bytes JMP 00000000771a0340 .text C:\Windows\system32\lsm.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000770425c0 5 bytes JMP 00000000771a0440 .text C:\Windows\system32\lsm.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000770427c0 5 bytes JMP 00000000771a0260 .text C:\Windows\system32\lsm.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000770427d0 5 bytes JMP 00000000771a0270 .text C:\Windows\system32\lsm.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000770427e0 5 bytes JMP 00000000771a0400 .text C:\Windows\system32\lsm.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000770429a0 5 bytes JMP 00000000771a01f0 .text C:\Windows\system32\lsm.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000770429b0 5 bytes JMP 00000000771a0210 .text C:\Windows\system32\lsm.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077042a20 5 bytes JMP 00000000771a0200 .text C:\Windows\system32\lsm.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077042a80 5 bytes JMP 00000000771a0420 .text C:\Windows\system32\lsm.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077042a90 5 bytes JMP 00000000771a0430 .text C:\Windows\system32\lsm.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077042aa0 5 bytes JMP 00000000771a0220 .text C:\Windows\system32\lsm.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077042b80 5 bytes JMP 00000000771a0280 .text C:\Windows\system32\svchost.exe[852] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077041360 5 bytes JMP 00000000771a0460 .text C:\Windows\system32\svchost.exe[852] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000770413b0 5 bytes JMP 00000000771a0450 .text C:\Windows\system32\svchost.exe[852] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077041510 5 bytes JMP 00000000771a0370 .text C:\Windows\system32\svchost.exe[852] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077041560 5 bytes JMP 00000000771a0470 .text C:\Windows\system32\svchost.exe[852] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077041570 5 bytes JMP 00000000771a03e0 .text C:\Windows\system32\svchost.exe[852] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077041620 5 bytes JMP 00000000771a0320 .text C:\Windows\system32\svchost.exe[852] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077041650 5 bytes JMP 00000000771a03b0 .text C:\Windows\system32\svchost.exe[852] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077041670 5 bytes JMP 00000000771a0390 .text C:\Windows\system32\svchost.exe[852] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000770416b0 5 bytes JMP 00000000771a02e0 .text C:\Windows\system32\svchost.exe[852] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077041730 5 bytes JMP 00000000771a02d0 .text C:\Windows\system32\svchost.exe[852] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077041750 5 bytes JMP 00000000771a0310 .text C:\Windows\system32\svchost.exe[852] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077041790 5 bytes JMP 00000000771a03c0 .text C:\Windows\system32\svchost.exe[852] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000770417e0 5 bytes JMP 00000000771a03f0 .text C:\Windows\system32\svchost.exe[852] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077041940 5 bytes JMP 00000000771a0230 .text C:\Windows\system32\svchost.exe[852] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077041b00 5 bytes JMP 00000000771a0480 .text C:\Windows\system32\svchost.exe[852] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077041b30 5 bytes JMP 00000000771a03a0 .text C:\Windows\system32\svchost.exe[852] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077041c10 5 bytes JMP 00000000771a02f0 .text C:\Windows\system32\svchost.exe[852] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077041c20 5 bytes JMP 00000000771a0350 .text C:\Windows\system32\svchost.exe[852] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077041c80 5 bytes JMP 00000000771a0290 .text C:\Windows\system32\svchost.exe[852] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077041d10 5 bytes JMP 00000000771a02b0 .text C:\Windows\system32\svchost.exe[852] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077041d30 5 bytes JMP 00000000771a03d0 .text C:\Windows\system32\svchost.exe[852] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077041d40 5 bytes JMP 00000000771a0330 .text C:\Windows\system32\svchost.exe[852] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077041db0 5 bytes JMP 00000000771a0410 .text C:\Windows\system32\svchost.exe[852] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077041de0 5 bytes JMP 00000000771a0240 .text C:\Windows\system32\svchost.exe[852] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000770420a0 5 bytes JMP 00000000771a01e0 .text C:\Windows\system32\svchost.exe[852] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077042160 5 bytes JMP 00000000771a0250 .text C:\Windows\system32\svchost.exe[852] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077042190 5 bytes JMP 00000000771a0490 .text C:\Windows\system32\svchost.exe[852] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000770421a0 5 bytes JMP 00000000771a04a0 .text C:\Windows\system32\svchost.exe[852] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000770421d0 5 bytes JMP 00000000771a0300 .text C:\Windows\system32\svchost.exe[852] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000770421e0 5 bytes JMP 00000000771a0360 .text C:\Windows\system32\svchost.exe[852] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077042240 5 bytes JMP 00000000771a02a0 .text C:\Windows\system32\svchost.exe[852] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077042290 5 bytes JMP 00000000771a02c0 .text C:\Windows\system32\svchost.exe[852] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000770422c0 5 bytes JMP 00000000771a0380 .text C:\Windows\system32\svchost.exe[852] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000770422d0 5 bytes JMP 00000000771a0340 .text C:\Windows\system32\svchost.exe[852] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000770425c0 5 bytes JMP 00000000771a0440 .text C:\Windows\system32\svchost.exe[852] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000770427c0 5 bytes JMP 00000000771a0260 .text C:\Windows\system32\svchost.exe[852] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000770427d0 5 bytes JMP 00000000771a0270 .text C:\Windows\system32\svchost.exe[852] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000770427e0 5 bytes JMP 00000000771a0400 .text C:\Windows\system32\svchost.exe[852] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000770429a0 5 bytes JMP 00000000771a01f0 .text C:\Windows\system32\svchost.exe[852] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000770429b0 5 bytes JMP 00000000771a0210 .text C:\Windows\system32\svchost.exe[852] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077042a20 5 bytes JMP 00000000771a0200 .text C:\Windows\system32\svchost.exe[852] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077042a80 5 bytes JMP 00000000771a0420 .text C:\Windows\system32\svchost.exe[852] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077042a90 5 bytes JMP 00000000771a0430 .text C:\Windows\system32\svchost.exe[852] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077042aa0 5 bytes JMP 00000000771a0220 .text C:\Windows\system32\svchost.exe[852] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077042b80 5 bytes JMP 00000000771a0280 .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077041360 5 bytes JMP 00000000771a0460 .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000770413b0 5 bytes JMP 00000000771a0450 .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077041510 5 bytes JMP 00000000771a0370 .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077041560 5 bytes JMP 00000000771a0470 .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077041570 5 bytes JMP 00000000771a03e0 .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077041620 5 bytes JMP 00000000771a0320 .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077041650 5 bytes JMP 00000000771a03b0 .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077041670 5 bytes JMP 00000000771a0390 .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000770416b0 5 bytes JMP 00000000771a02e0 .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077041730 5 bytes JMP 00000000771a02d0 .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077041750 5 bytes JMP 00000000771a0310 .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077041790 5 bytes JMP 00000000771a03c0 .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000770417e0 5 bytes JMP 00000000771a03f0 .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077041940 5 bytes JMP 00000000771a0230 .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077041b00 5 bytes JMP 00000000771a0480 .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077041b30 5 bytes JMP 00000000771a03a0 .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077041c10 5 bytes JMP 00000000771a02f0 .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077041c20 5 bytes JMP 00000000771a0350 .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077041c80 5 bytes JMP 00000000771a0290 .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077041d10 5 bytes JMP 00000000771a02b0 .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077041d30 5 bytes JMP 00000000771a03d0 .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077041d40 5 bytes JMP 00000000771a0330 .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077041db0 5 bytes JMP 00000000771a0410 .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077041de0 5 bytes JMP 00000000771a0240 .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000770420a0 5 bytes JMP 00000000771a01e0 .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077042160 5 bytes JMP 00000000771a0250 .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077042190 5 bytes JMP 00000000771a0490 .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000770421a0 5 bytes JMP 00000000771a04a0 .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000770421d0 5 bytes JMP 00000000771a0300 .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000770421e0 5 bytes JMP 00000000771a0360 .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077042240 5 bytes JMP 00000000771a02a0 .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077042290 5 bytes JMP 00000000771a02c0 .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000770422c0 5 bytes JMP 00000000771a0380 .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000770422d0 5 bytes JMP 00000000771a0340 .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000770425c0 5 bytes JMP 00000000771a0440 .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000770427c0 5 bytes JMP 00000000771a0260 .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000770427d0 5 bytes JMP 00000000771a0270 .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000770427e0 5 bytes JMP 00000000771a0400 .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000770429a0 5 bytes JMP 00000000771a01f0 .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000770429b0 5 bytes JMP 00000000771a0210 .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077042a20 5 bytes JMP 00000000771a0200 .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077042a80 5 bytes JMP 00000000771a0420 .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077042a90 5 bytes JMP 00000000771a0430 .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077042aa0 5 bytes JMP 00000000771a0220 .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077042b80 5 bytes JMP 00000000771a0280 .text C:\Windows\system32\atiesrxx.exe[1016] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076f2ef8d 1 byte [62] .text C:\Windows\System32\svchost.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077041360 5 bytes JMP 00000000771a0460 .text C:\Windows\System32\svchost.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000770413b0 5 bytes JMP 00000000771a0450 .text C:\Windows\System32\svchost.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077041510 5 bytes JMP 00000000771a0370 .text C:\Windows\System32\svchost.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077041560 5 bytes JMP 00000000771a0470 .text C:\Windows\System32\svchost.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077041570 5 bytes JMP 00000000771a03e0 .text C:\Windows\System32\svchost.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077041620 5 bytes JMP 00000000771a0320 .text C:\Windows\System32\svchost.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077041650 5 bytes JMP 00000000771a03b0 .text C:\Windows\System32\svchost.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077041670 5 bytes JMP 00000000771a0390 .text C:\Windows\System32\svchost.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000770416b0 5 bytes JMP 00000000771a02e0 .text C:\Windows\System32\svchost.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077041730 5 bytes JMP 00000000771a02d0 .text C:\Windows\System32\svchost.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077041750 5 bytes JMP 00000000771a0310 .text C:\Windows\System32\svchost.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077041790 5 bytes JMP 00000000771a03c0 .text C:\Windows\System32\svchost.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000770417e0 5 bytes JMP 00000000771a03f0 .text C:\Windows\System32\svchost.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077041940 5 bytes JMP 00000000771a0230 .text C:\Windows\System32\svchost.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077041b00 5 bytes JMP 00000000771a0480 .text C:\Windows\System32\svchost.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077041b30 5 bytes JMP 00000000771a03a0 .text C:\Windows\System32\svchost.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077041c10 5 bytes JMP 00000000771a02f0 .text C:\Windows\System32\svchost.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077041c20 5 bytes JMP 00000000771a0350 .text C:\Windows\System32\svchost.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077041c80 5 bytes JMP 00000000771a0290 .text C:\Windows\System32\svchost.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077041d10 5 bytes JMP 00000000771a02b0 .text C:\Windows\System32\svchost.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077041d30 5 bytes JMP 00000000771a03d0 .text C:\Windows\System32\svchost.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077041d40 5 bytes JMP 00000000771a0330 .text C:\Windows\System32\svchost.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077041db0 5 bytes JMP 00000000771a0410 .text C:\Windows\System32\svchost.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077041de0 5 bytes JMP 00000000771a0240 .text C:\Windows\System32\svchost.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000770420a0 5 bytes JMP 00000000771a01e0 .text C:\Windows\System32\svchost.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077042160 5 bytes JMP 00000000771a0250 .text C:\Windows\System32\svchost.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077042190 5 bytes JMP 00000000771a0490 .text C:\Windows\System32\svchost.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000770421a0 5 bytes JMP 00000000771a04a0 .text C:\Windows\System32\svchost.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000770421d0 5 bytes JMP 00000000771a0300 .text C:\Windows\System32\svchost.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000770421e0 5 bytes JMP 00000000771a0360 .text C:\Windows\System32\svchost.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077042240 5 bytes JMP 00000000771a02a0 .text C:\Windows\System32\svchost.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077042290 5 bytes JMP 00000000771a02c0 .text C:\Windows\System32\svchost.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000770422c0 5 bytes JMP 00000000771a0380 .text C:\Windows\System32\svchost.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000770422d0 5 bytes JMP 00000000771a0340 .text C:\Windows\System32\svchost.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000770425c0 5 bytes JMP 00000000771a0440 .text C:\Windows\System32\svchost.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000770427c0 5 bytes JMP 00000000771a0260 .text C:\Windows\System32\svchost.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000770427d0 5 bytes JMP 00000000771a0270 .text C:\Windows\System32\svchost.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000770427e0 5 bytes JMP 00000000771a0400 .text C:\Windows\System32\svchost.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000770429a0 5 bytes JMP 00000000771a01f0 .text C:\Windows\System32\svchost.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000770429b0 5 bytes JMP 00000000771a0210 .text C:\Windows\System32\svchost.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077042a20 5 bytes JMP 00000000771a0200 .text C:\Windows\System32\svchost.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077042a80 5 bytes JMP 00000000771a0420 .text C:\Windows\System32\svchost.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077042a90 5 bytes JMP 00000000771a0430 .text C:\Windows\System32\svchost.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077042aa0 5 bytes JMP 00000000771a0220 .text C:\Windows\System32\svchost.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077042b80 5 bytes JMP 00000000771a0280 .text C:\Program Files (x86)\iSafe\iSafeSvc2.exe[1052] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000075eba2fd 1 byte [62] .text C:\Windows\System32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077041360 5 bytes JMP 00000000771a0460 .text C:\Windows\System32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000770413b0 5 bytes JMP 00000000771a0450 .text C:\Windows\System32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077041510 5 bytes JMP 00000000771a0370 .text C:\Windows\System32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077041560 5 bytes JMP 00000000771a0470 .text C:\Windows\System32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077041570 5 bytes JMP 00000000771a03e0 .text C:\Windows\System32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077041620 5 bytes JMP 00000000771a0320 .text C:\Windows\System32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077041650 5 bytes JMP 00000000771a03b0 .text C:\Windows\System32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077041670 5 bytes JMP 00000000771a0390 .text C:\Windows\System32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000770416b0 5 bytes JMP 00000000771a02e0 .text C:\Windows\System32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077041730 5 bytes JMP 00000000771a02d0 .text C:\Windows\System32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077041750 5 bytes JMP 00000000771a0310 .text C:\Windows\System32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077041790 5 bytes JMP 00000000771a03c0 .text C:\Windows\System32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000770417e0 5 bytes JMP 00000000771a03f0 .text C:\Windows\System32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077041940 5 bytes JMP 00000000771a0230 .text C:\Windows\System32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077041b00 5 bytes JMP 00000000771a0480 .text C:\Windows\System32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077041b30 5 bytes JMP 00000000771a03a0 .text C:\Windows\System32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077041c10 5 bytes JMP 00000000771a02f0 .text C:\Windows\System32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077041c20 5 bytes JMP 00000000771a0350 .text C:\Windows\System32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077041c80 5 bytes JMP 00000000771a0290 .text C:\Windows\System32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077041d10 5 bytes JMP 00000000771a02b0 .text C:\Windows\System32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077041d30 5 bytes JMP 00000000771a03d0 .text C:\Windows\System32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077041d40 5 bytes JMP 00000000771a0330 .text C:\Windows\System32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077041db0 5 bytes JMP 00000000771a0410 .text C:\Windows\System32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077041de0 5 bytes JMP 00000000771a0240 .text C:\Windows\System32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000770420a0 5 bytes JMP 00000000771a01e0 .text C:\Windows\System32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077042160 5 bytes JMP 00000000771a0250 .text C:\Windows\System32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077042190 5 bytes JMP 00000000771a0490 .text C:\Windows\System32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000770421a0 5 bytes JMP 00000000771a04a0 .text C:\Windows\System32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000770421d0 5 bytes JMP 00000000771a0300 .text C:\Windows\System32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000770421e0 5 bytes JMP 00000000771a0360 .text C:\Windows\System32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077042240 5 bytes JMP 00000000771a02a0 .text C:\Windows\System32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077042290 5 bytes JMP 00000000771a02c0 .text C:\Windows\System32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000770422c0 5 bytes JMP 00000000771a0380 .text C:\Windows\System32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000770422d0 5 bytes JMP 00000000771a0340 .text C:\Windows\System32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000770425c0 5 bytes JMP 00000000771a0440 .text C:\Windows\System32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000770427c0 5 bytes JMP 00000000771a0260 .text C:\Windows\System32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000770427d0 5 bytes JMP 00000000771a0270 .text C:\Windows\System32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000770427e0 5 bytes JMP 00000000771a0400 .text C:\Windows\System32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000770429a0 5 bytes JMP 00000000771a01f0 .text C:\Windows\System32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000770429b0 5 bytes JMP 00000000771a0210 .text C:\Windows\System32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077042a20 5 bytes JMP 00000000771a0200 .text C:\Windows\System32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077042a80 5 bytes JMP 00000000771a0420 .text C:\Windows\System32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077042a90 5 bytes JMP 00000000771a0430 .text C:\Windows\System32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077042aa0 5 bytes JMP 00000000771a0220 .text C:\Windows\System32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077042b80 5 bytes JMP 00000000771a0280 .text C:\Windows\System32\svchost.exe[1124] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076f2ef8d 1 byte [62] .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077041360 5 bytes JMP 00000000771a0460 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000770413b0 5 bytes JMP 00000000771a0450 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077041510 5 bytes JMP 00000000771a0370 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077041560 5 bytes JMP 00000000771a0470 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077041570 5 bytes JMP 00000000771a03e0 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077041620 5 bytes JMP 00000000771a0320 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077041650 5 bytes JMP 00000000771a03b0 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077041670 5 bytes JMP 00000000771a0390 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000770416b0 5 bytes JMP 00000000771a02e0 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077041730 5 bytes JMP 00000000771a02d0 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077041750 5 bytes JMP 00000000771a0310 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077041790 5 bytes JMP 00000000771a03c0 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000770417e0 5 bytes JMP 00000000771a03f0 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077041940 5 bytes JMP 00000000771a0230 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077041b00 5 bytes JMP 00000000771a0480 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077041b30 5 bytes JMP 00000000771a03a0 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077041c10 5 bytes JMP 00000000771a02f0 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077041c20 5 bytes JMP 00000000771a0350 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077041c80 5 bytes JMP 00000000771a0290 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077041d10 5 bytes JMP 00000000771a02b0 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077041d30 5 bytes JMP 00000000771a03d0 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077041d40 5 bytes JMP 00000000771a0330 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077041db0 5 bytes JMP 00000000771a0410 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077041de0 5 bytes JMP 00000000771a0240 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000770420a0 5 bytes JMP 00000000771a01e0 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077042160 5 bytes JMP 00000000771a0250 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077042190 5 bytes JMP 00000000771a0490 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000770421a0 5 bytes JMP 00000000771a04a0 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000770421d0 5 bytes JMP 00000000771a0300 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000770421e0 5 bytes JMP 00000000771a0360 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077042240 5 bytes JMP 00000000771a02a0 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077042290 5 bytes JMP 00000000771a02c0 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000770422c0 5 bytes JMP 00000000771a0380 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000770422d0 5 bytes JMP 00000000771a0340 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000770425c0 5 bytes JMP 00000000771a0440 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000770427c0 5 bytes JMP 00000000771a0260 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000770427d0 5 bytes JMP 00000000771a0270 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000770427e0 5 bytes JMP 00000000771a0400 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000770429a0 5 bytes JMP 00000000771a01f0 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000770429b0 5 bytes JMP 00000000771a0210 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077042a20 5 bytes JMP 00000000771a0200 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077042a80 5 bytes JMP 00000000771a0420 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077042a90 5 bytes JMP 00000000771a0430 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077042aa0 5 bytes JMP 00000000771a0220 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077042b80 5 bytes JMP 00000000771a0280 .text C:\Windows\system32\svchost.exe[1208] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077041360 5 bytes JMP 00000000771a0460 .text C:\Windows\system32\svchost.exe[1208] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000770413b0 5 bytes JMP 00000000771a0450 .text C:\Windows\system32\svchost.exe[1208] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077041510 5 bytes JMP 00000000771a0370 .text C:\Windows\system32\svchost.exe[1208] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077041560 5 bytes JMP 00000000771a0470 .text C:\Windows\system32\svchost.exe[1208] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077041570 5 bytes JMP 00000000771a03e0 .text C:\Windows\system32\svchost.exe[1208] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077041620 5 bytes JMP 00000000771a0320 .text C:\Windows\system32\svchost.exe[1208] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077041650 5 bytes JMP 00000000771a03b0 .text C:\Windows\system32\svchost.exe[1208] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077041670 5 bytes JMP 00000000771a0390 .text C:\Windows\system32\svchost.exe[1208] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000770416b0 5 bytes JMP 00000000771a02e0 .text C:\Windows\system32\svchost.exe[1208] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077041730 5 bytes JMP 00000000771a02d0 .text C:\Windows\system32\svchost.exe[1208] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077041750 5 bytes JMP 00000000771a0310 .text C:\Windows\system32\svchost.exe[1208] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077041790 5 bytes JMP 00000000771a03c0 .text C:\Windows\system32\svchost.exe[1208] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000770417e0 5 bytes JMP 00000000771a03f0 .text C:\Windows\system32\svchost.exe[1208] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077041940 5 bytes JMP 00000000771a0230 .text C:\Windows\system32\svchost.exe[1208] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077041b00 5 bytes JMP 00000000771a0480 .text C:\Windows\system32\svchost.exe[1208] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077041b30 5 bytes JMP 00000000771a03a0 .text C:\Windows\system32\svchost.exe[1208] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077041c10 5 bytes JMP 00000000771a02f0 .text C:\Windows\system32\svchost.exe[1208] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077041c20 5 bytes JMP 00000000771a0350 .text C:\Windows\system32\svchost.exe[1208] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077041c80 5 bytes JMP 00000000771a0290 .text C:\Windows\system32\svchost.exe[1208] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077041d10 5 bytes JMP 00000000771a02b0 .text C:\Windows\system32\svchost.exe[1208] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077041d30 5 bytes JMP 00000000771a03d0 .text C:\Windows\system32\svchost.exe[1208] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077041d40 5 bytes JMP 00000000771a0330 .text C:\Windows\system32\svchost.exe[1208] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077041db0 5 bytes JMP 00000000771a0410 .text C:\Windows\system32\svchost.exe[1208] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077041de0 5 bytes JMP 00000000771a0240 .text C:\Windows\system32\svchost.exe[1208] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000770420a0 5 bytes JMP 00000000771a01e0 .text C:\Windows\system32\svchost.exe[1208] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077042160 5 bytes JMP 00000000771a0250 .text C:\Windows\system32\svchost.exe[1208] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077042190 5 bytes JMP 00000000771a0490 .text C:\Windows\system32\svchost.exe[1208] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000770421a0 5 bytes JMP 00000000771a04a0 .text C:\Windows\system32\svchost.exe[1208] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000770421d0 5 bytes JMP 00000000771a0300 .text C:\Windows\system32\svchost.exe[1208] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000770421e0 5 bytes JMP 00000000771a0360 .text C:\Windows\system32\svchost.exe[1208] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077042240 5 bytes JMP 00000000771a02a0 .text C:\Windows\system32\svchost.exe[1208] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077042290 5 bytes JMP 00000000771a02c0 .text C:\Windows\system32\svchost.exe[1208] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000770422c0 5 bytes JMP 00000000771a0380 .text C:\Windows\system32\svchost.exe[1208] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000770422d0 5 bytes JMP 00000000771a0340 .text C:\Windows\system32\svchost.exe[1208] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000770425c0 5 bytes JMP 00000000771a0440 .text C:\Windows\system32\svchost.exe[1208] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000770427c0 5 bytes JMP 00000000771a0260 .text C:\Windows\system32\svchost.exe[1208] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000770427d0 5 bytes JMP 00000000771a0270 .text C:\Windows\system32\svchost.exe[1208] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000770427e0 5 bytes JMP 00000000771a0400 .text C:\Windows\system32\svchost.exe[1208] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000770429a0 5 bytes JMP 00000000771a01f0 .text C:\Windows\system32\svchost.exe[1208] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000770429b0 5 bytes JMP 00000000771a0210 .text C:\Windows\system32\svchost.exe[1208] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077042a20 5 bytes JMP 00000000771a0200 .text C:\Windows\system32\svchost.exe[1208] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077042a80 5 bytes JMP 00000000771a0420 .text C:\Windows\system32\svchost.exe[1208] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077042a90 5 bytes JMP 00000000771a0430 .text C:\Windows\system32\svchost.exe[1208] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077042aa0 5 bytes JMP 00000000771a0220 .text C:\Windows\system32\svchost.exe[1208] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077042b80 5 bytes JMP 00000000771a0280 .text C:\Windows\system32\svchost.exe[1208] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076f2ef8d 1 byte [62] .text C:\Program Files\IDT\WDM\STacSV64.exe[1260] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076f2ef8d 1 byte [62] .text C:\Windows\system32\AUDIODG.EXE[1332] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077041360 5 bytes JMP 00000000771a0460 .text C:\Windows\system32\AUDIODG.EXE[1332] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000770413b0 5 bytes JMP 00000000771a0450 .text C:\Windows\system32\AUDIODG.EXE[1332] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077041510 5 bytes JMP 00000000771a0370 .text C:\Windows\system32\AUDIODG.EXE[1332] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077041560 5 bytes JMP 00000000771a0470 .text C:\Windows\system32\AUDIODG.EXE[1332] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077041570 5 bytes JMP 00000000771a03e0 .text C:\Windows\system32\AUDIODG.EXE[1332] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077041620 5 bytes JMP 00000000771a0320 .text C:\Windows\system32\AUDIODG.EXE[1332] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077041650 5 bytes JMP 00000000771a03b0 .text C:\Windows\system32\AUDIODG.EXE[1332] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077041670 5 bytes JMP 00000000771a0390 .text C:\Windows\system32\AUDIODG.EXE[1332] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000770416b0 5 bytes JMP 00000000771a02e0 .text C:\Windows\system32\AUDIODG.EXE[1332] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077041730 5 bytes JMP 00000000771a02d0 .text C:\Windows\system32\AUDIODG.EXE[1332] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077041750 5 bytes JMP 00000000771a0310 .text C:\Windows\system32\AUDIODG.EXE[1332] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077041790 5 bytes JMP 00000000771a03c0 .text C:\Windows\system32\AUDIODG.EXE[1332] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000770417e0 5 bytes JMP 00000000771a03f0 .text C:\Windows\system32\AUDIODG.EXE[1332] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077041940 5 bytes JMP 00000000771a0230 .text C:\Windows\system32\AUDIODG.EXE[1332] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077041b00 5 bytes JMP 00000000771a0480 .text C:\Windows\system32\AUDIODG.EXE[1332] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077041b30 5 bytes JMP 00000000771a03a0 .text C:\Windows\system32\AUDIODG.EXE[1332] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077041c10 5 bytes JMP 00000000771a02f0 .text C:\Windows\system32\AUDIODG.EXE[1332] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077041c20 5 bytes JMP 00000000771a0350 .text C:\Windows\system32\AUDIODG.EXE[1332] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077041c80 5 bytes JMP 00000000771a0290 .text C:\Windows\system32\AUDIODG.EXE[1332] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077041d10 5 bytes JMP 00000000771a02b0 .text C:\Windows\system32\AUDIODG.EXE[1332] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077041d30 5 bytes JMP 00000000771a03d0 .text C:\Windows\system32\AUDIODG.EXE[1332] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077041d40 5 bytes JMP 00000000771a0330 .text C:\Windows\system32\AUDIODG.EXE[1332] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077041db0 5 bytes JMP 00000000771a0410 .text C:\Windows\system32\AUDIODG.EXE[1332] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077041de0 5 bytes JMP 00000000771a0240 .text C:\Windows\system32\AUDIODG.EXE[1332] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000770420a0 5 bytes JMP 00000000771a01e0 .text C:\Windows\system32\AUDIODG.EXE[1332] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077042160 5 bytes JMP 00000000771a0250 .text C:\Windows\system32\AUDIODG.EXE[1332] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077042190 5 bytes JMP 00000000771a0490 .text C:\Windows\system32\AUDIODG.EXE[1332] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000770421a0 5 bytes JMP 00000000771a04a0 .text C:\Windows\system32\AUDIODG.EXE[1332] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000770421d0 5 bytes JMP 00000000771a0300 .text C:\Windows\system32\AUDIODG.EXE[1332] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000770421e0 5 bytes JMP 00000000771a0360 .text C:\Windows\system32\AUDIODG.EXE[1332] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077042240 5 bytes JMP 00000000771a02a0 .text C:\Windows\system32\AUDIODG.EXE[1332] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077042290 5 bytes JMP 00000000771a02c0 .text C:\Windows\system32\AUDIODG.EXE[1332] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000770422c0 5 bytes JMP 00000000771a0380 .text C:\Windows\system32\AUDIODG.EXE[1332] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000770422d0 5 bytes JMP 00000000771a0340 .text C:\Windows\system32\AUDIODG.EXE[1332] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000770425c0 5 bytes JMP 00000000771a0440 .text C:\Windows\system32\AUDIODG.EXE[1332] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000770427c0 5 bytes JMP 00000000771a0260 .text C:\Windows\system32\AUDIODG.EXE[1332] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000770427d0 5 bytes JMP 00000000771a0270 .text C:\Windows\system32\AUDIODG.EXE[1332] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000770427e0 5 bytes JMP 00000000771a0400 .text C:\Windows\system32\AUDIODG.EXE[1332] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000770429a0 5 bytes JMP 00000000771a01f0 .text C:\Windows\system32\AUDIODG.EXE[1332] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000770429b0 5 bytes JMP 00000000771a0210 .text C:\Windows\system32\AUDIODG.EXE[1332] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077042a20 5 bytes JMP 00000000771a0200 .text C:\Windows\system32\AUDIODG.EXE[1332] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077042a80 5 bytes JMP 00000000771a0420 .text C:\Windows\system32\AUDIODG.EXE[1332] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077042a90 5 bytes JMP 00000000771a0430 .text C:\Windows\system32\AUDIODG.EXE[1332] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077042aa0 5 bytes JMP 00000000771a0220 .text C:\Windows\system32\AUDIODG.EXE[1332] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077042b80 5 bytes JMP 00000000771a0280 .text C:\Windows\system32\atieclxx.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077041360 5 bytes JMP 00000000771a0460 .text C:\Windows\system32\atieclxx.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000770413b0 5 bytes JMP 00000000771a0450 .text C:\Windows\system32\atieclxx.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077041510 5 bytes JMP 00000000771a0370 .text C:\Windows\system32\atieclxx.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077041560 5 bytes JMP 00000000771a0470 .text C:\Windows\system32\atieclxx.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077041570 5 bytes JMP 00000000771a03e0 .text C:\Windows\system32\atieclxx.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077041620 5 bytes JMP 00000000771a0320 .text C:\Windows\system32\atieclxx.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077041650 5 bytes JMP 00000000771a03b0 .text C:\Windows\system32\atieclxx.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077041670 5 bytes JMP 00000000771a0390 .text C:\Windows\system32\atieclxx.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000770416b0 5 bytes JMP 00000000771a02e0 .text C:\Windows\system32\atieclxx.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077041730 5 bytes JMP 00000000771a02d0 .text C:\Windows\system32\atieclxx.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077041750 5 bytes JMP 00000000771a0310 .text C:\Windows\system32\atieclxx.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077041790 5 bytes JMP 00000000771a03c0 .text C:\Windows\system32\atieclxx.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000770417e0 5 bytes JMP 00000000771a03f0 .text C:\Windows\system32\atieclxx.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077041940 5 bytes JMP 00000000771a0230 .text C:\Windows\system32\atieclxx.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077041b00 5 bytes JMP 00000000771a0480 .text C:\Windows\system32\atieclxx.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077041b30 5 bytes JMP 00000000771a03a0 .text C:\Windows\system32\atieclxx.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077041c10 5 bytes JMP 00000000771a02f0 .text C:\Windows\system32\atieclxx.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077041c20 5 bytes JMP 00000000771a0350 .text C:\Windows\system32\atieclxx.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077041c80 5 bytes JMP 00000000771a0290 .text C:\Windows\system32\atieclxx.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077041d10 5 bytes JMP 00000000771a02b0 .text C:\Windows\system32\atieclxx.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077041d30 5 bytes JMP 00000000771a03d0 .text C:\Windows\system32\atieclxx.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077041d40 5 bytes JMP 00000000771a0330 .text C:\Windows\system32\atieclxx.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077041db0 5 bytes JMP 00000000771a0410 .text C:\Windows\system32\atieclxx.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077041de0 5 bytes JMP 00000000771a0240 .text C:\Windows\system32\atieclxx.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000770420a0 5 bytes JMP 00000000771a01e0 .text C:\Windows\system32\atieclxx.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077042160 5 bytes JMP 00000000771a0250 .text C:\Windows\system32\atieclxx.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077042190 5 bytes JMP 00000000771a0490 .text C:\Windows\system32\atieclxx.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000770421a0 5 bytes JMP 00000000771a04a0 .text C:\Windows\system32\atieclxx.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000770421d0 5 bytes JMP 00000000771a0300 .text C:\Windows\system32\atieclxx.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000770421e0 5 bytes JMP 00000000771a0360 .text C:\Windows\system32\atieclxx.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077042240 5 bytes JMP 00000000771a02a0 .text C:\Windows\system32\atieclxx.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077042290 5 bytes JMP 00000000771a02c0 .text C:\Windows\system32\atieclxx.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000770422c0 5 bytes JMP 00000000771a0380 .text C:\Windows\system32\atieclxx.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000770422d0 5 bytes JMP 00000000771a0340 .text C:\Windows\system32\atieclxx.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000770425c0 5 bytes JMP 00000000771a0440 .text C:\Windows\system32\atieclxx.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000770427c0 5 bytes JMP 00000000771a0260 .text C:\Windows\system32\atieclxx.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000770427d0 5 bytes JMP 00000000771a0270 .text C:\Windows\system32\atieclxx.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000770427e0 5 bytes JMP 00000000771a0400 .text C:\Windows\system32\atieclxx.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000770429a0 5 bytes JMP 00000000771a01f0 .text C:\Windows\system32\atieclxx.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000770429b0 5 bytes JMP 00000000771a0210 .text C:\Windows\system32\atieclxx.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077042a20 5 bytes JMP 00000000771a0200 .text C:\Windows\system32\atieclxx.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077042a80 5 bytes JMP 00000000771a0420 .text C:\Windows\system32\atieclxx.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077042a90 5 bytes JMP 00000000771a0430 .text C:\Windows\system32\atieclxx.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077042aa0 5 bytes JMP 00000000771a0220 .text C:\Windows\system32\atieclxx.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077042b80 5 bytes JMP 00000000771a0280 .text C:\Windows\system32\svchost.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077041360 5 bytes JMP 00000000771a0460 .text C:\Windows\system32\svchost.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000770413b0 5 bytes JMP 00000000771a0450 .text C:\Windows\system32\svchost.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077041510 5 bytes JMP 00000000771a0370 .text C:\Windows\system32\svchost.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077041560 5 bytes JMP 00000000771a0470 .text C:\Windows\system32\svchost.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077041570 5 bytes JMP 00000000771a03e0 .text C:\Windows\system32\svchost.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077041620 5 bytes JMP 00000000771a0320 .text C:\Windows\system32\svchost.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077041650 5 bytes JMP 00000000771a03b0 .text C:\Windows\system32\svchost.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077041670 5 bytes JMP 00000000771a0390 .text C:\Windows\system32\svchost.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000770416b0 5 bytes JMP 00000000771a02e0 .text C:\Windows\system32\svchost.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077041730 5 bytes JMP 00000000771a02d0 .text C:\Windows\system32\svchost.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077041750 5 bytes JMP 00000000771a0310 .text C:\Windows\system32\svchost.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077041790 5 bytes JMP 00000000771a03c0 .text C:\Windows\system32\svchost.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000770417e0 5 bytes JMP 00000000771a03f0 .text C:\Windows\system32\svchost.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077041940 5 bytes JMP 00000000771a0230 .text C:\Windows\system32\svchost.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077041b00 5 bytes JMP 00000000771a0480 .text C:\Windows\system32\svchost.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077041b30 5 bytes JMP 00000000771a03a0 .text C:\Windows\system32\svchost.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077041c10 5 bytes JMP 00000000771a02f0 .text C:\Windows\system32\svchost.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077041c20 5 bytes JMP 00000000771a0350 .text C:\Windows\system32\svchost.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077041c80 5 bytes JMP 00000000771a0290 .text C:\Windows\system32\svchost.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077041d10 5 bytes JMP 00000000771a02b0 .text C:\Windows\system32\svchost.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077041d30 5 bytes JMP 00000000771a03d0 .text C:\Windows\system32\svchost.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077041d40 5 bytes JMP 00000000771a0330 .text C:\Windows\system32\svchost.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077041db0 5 bytes JMP 00000000771a0410 .text C:\Windows\system32\svchost.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077041de0 5 bytes JMP 00000000771a0240 .text C:\Windows\system32\svchost.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000770420a0 5 bytes JMP 00000000771a01e0 .text C:\Windows\system32\svchost.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077042160 5 bytes JMP 00000000771a0250 .text C:\Windows\system32\svchost.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077042190 5 bytes JMP 00000000771a0490 .text C:\Windows\system32\svchost.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000770421a0 5 bytes JMP 00000000771a04a0 .text C:\Windows\system32\svchost.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000770421d0 5 bytes JMP 00000000771a0300 .text C:\Windows\system32\svchost.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000770421e0 5 bytes JMP 00000000771a0360 .text C:\Windows\system32\svchost.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077042240 5 bytes JMP 00000000771a02a0 .text C:\Windows\system32\svchost.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077042290 5 bytes JMP 00000000771a02c0 .text C:\Windows\system32\svchost.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000770422c0 5 bytes JMP 00000000771a0380 .text C:\Windows\system32\svchost.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000770422d0 5 bytes JMP 00000000771a0340 .text C:\Windows\system32\svchost.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000770425c0 5 bytes JMP 00000000771a0440 .text C:\Windows\system32\svchost.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000770427c0 5 bytes JMP 00000000771a0260 .text C:\Windows\system32\svchost.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000770427d0 5 bytes JMP 00000000771a0270 .text C:\Windows\system32\svchost.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000770427e0 5 bytes JMP 00000000771a0400 .text C:\Windows\system32\svchost.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000770429a0 5 bytes JMP 00000000771a01f0 .text C:\Windows\system32\svchost.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000770429b0 5 bytes JMP 00000000771a0210 .text C:\Windows\system32\svchost.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077042a20 5 bytes JMP 00000000771a0200 .text C:\Windows\system32\svchost.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077042a80 5 bytes JMP 00000000771a0420 .text C:\Windows\system32\svchost.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077042a90 5 bytes JMP 00000000771a0430 .text C:\Windows\system32\svchost.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077042aa0 5 bytes JMP 00000000771a0220 .text C:\Windows\system32\svchost.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077042b80 5 bytes JMP 00000000771a0280 .text C:\Windows\system32\svchost.exe[1700] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076f2ef8d 1 byte [62] .text C:\Windows\system32\svchost.exe[1832] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077041360 5 bytes JMP 00000000771a0460 .text C:\Windows\system32\svchost.exe[1832] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000770413b0 5 bytes JMP 00000000771a0450 .text C:\Windows\system32\svchost.exe[1832] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077041510 5 bytes JMP 00000000771a0370 .text C:\Windows\system32\svchost.exe[1832] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077041560 5 bytes JMP 00000000771a0470 .text C:\Windows\system32\svchost.exe[1832] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077041570 5 bytes JMP 00000000771a03e0 .text C:\Windows\system32\svchost.exe[1832] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077041620 5 bytes JMP 00000000771a0320 .text C:\Windows\system32\svchost.exe[1832] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077041650 5 bytes JMP 00000000771a03b0 .text C:\Windows\system32\svchost.exe[1832] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077041670 5 bytes JMP 00000000771a0390 .text C:\Windows\system32\svchost.exe[1832] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000770416b0 5 bytes JMP 00000000771a02e0 .text C:\Windows\system32\svchost.exe[1832] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077041730 5 bytes JMP 00000000771a02d0 .text C:\Windows\system32\svchost.exe[1832] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077041750 5 bytes JMP 00000000771a0310 .text C:\Windows\system32\svchost.exe[1832] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077041790 5 bytes JMP 00000000771a03c0 .text C:\Windows\system32\svchost.exe[1832] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000770417e0 5 bytes JMP 00000000771a03f0 .text C:\Windows\system32\svchost.exe[1832] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077041940 5 bytes JMP 00000000771a0230 .text C:\Windows\system32\svchost.exe[1832] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077041b00 5 bytes JMP 00000000771a0480 .text C:\Windows\system32\svchost.exe[1832] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077041b30 5 bytes JMP 00000000771a03a0 .text C:\Windows\system32\svchost.exe[1832] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077041c10 5 bytes JMP 00000000771a02f0 .text C:\Windows\system32\svchost.exe[1832] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077041c20 5 bytes JMP 00000000771a0350 .text C:\Windows\system32\svchost.exe[1832] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077041c80 5 bytes JMP 00000000771a0290 .text C:\Windows\system32\svchost.exe[1832] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077041d10 5 bytes JMP 00000000771a02b0 .text C:\Windows\system32\svchost.exe[1832] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077041d30 5 bytes JMP 00000000771a03d0 .text C:\Windows\system32\svchost.exe[1832] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077041d40 5 bytes JMP 00000000771a0330 .text C:\Windows\system32\svchost.exe[1832] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077041db0 5 bytes JMP 00000000771a0410 .text C:\Windows\system32\svchost.exe[1832] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077041de0 5 bytes JMP 00000000771a0240 .text C:\Windows\system32\svchost.exe[1832] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000770420a0 5 bytes JMP 00000000771a01e0 .text C:\Windows\system32\svchost.exe[1832] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077042160 5 bytes JMP 00000000771a0250 .text C:\Windows\system32\svchost.exe[1832] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077042190 5 bytes JMP 00000000771a0490 .text C:\Windows\system32\svchost.exe[1832] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000770421a0 5 bytes JMP 00000000771a04a0 .text C:\Windows\system32\svchost.exe[1832] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000770421d0 5 bytes JMP 00000000771a0300 .text C:\Windows\system32\svchost.exe[1832] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000770421e0 5 bytes JMP 00000000771a0360 .text C:\Windows\system32\svchost.exe[1832] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077042240 5 bytes JMP 00000000771a02a0 .text C:\Windows\system32\svchost.exe[1832] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077042290 5 bytes JMP 00000000771a02c0 .text C:\Windows\system32\svchost.exe[1832] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000770422c0 5 bytes JMP 00000000771a0380 .text C:\Windows\system32\svchost.exe[1832] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000770422d0 5 bytes JMP 00000000771a0340 .text C:\Windows\system32\svchost.exe[1832] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000770425c0 5 bytes JMP 00000000771a0440 .text C:\Windows\system32\svchost.exe[1832] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000770427c0 5 bytes JMP 00000000771a0260 .text C:\Windows\system32\svchost.exe[1832] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000770427d0 5 bytes JMP 00000000771a0270 .text C:\Windows\system32\svchost.exe[1832] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000770427e0 5 bytes JMP 00000000771a0400 .text C:\Windows\system32\svchost.exe[1832] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000770429a0 5 bytes JMP 00000000771a01f0 .text C:\Windows\system32\svchost.exe[1832] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000770429b0 5 bytes JMP 00000000771a0210 .text C:\Windows\system32\svchost.exe[1832] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077042a20 5 bytes JMP 00000000771a0200 .text C:\Windows\system32\svchost.exe[1832] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077042a80 5 bytes JMP 00000000771a0420 .text C:\Windows\system32\svchost.exe[1832] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077042a90 5 bytes JMP 00000000771a0430 .text C:\Windows\system32\svchost.exe[1832] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077042aa0 5 bytes JMP 00000000771a0220 .text C:\Windows\system32\svchost.exe[1832] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077042b80 5 bytes JMP 00000000771a0280 .text C:\Windows\system32\Dwm.exe[1088] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077041360 5 bytes JMP 00000000771a0460 .text C:\Windows\system32\Dwm.exe[1088] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000770413b0 5 bytes JMP 00000000771a0450 .text C:\Windows\system32\Dwm.exe[1088] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077041510 5 bytes JMP 00000000771a0370 .text C:\Windows\system32\Dwm.exe[1088] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077041560 5 bytes JMP 00000000771a0470 .text C:\Windows\system32\Dwm.exe[1088] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077041570 5 bytes JMP 00000000771a03e0 .text C:\Windows\system32\Dwm.exe[1088] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077041620 5 bytes JMP 00000000771a0320 .text C:\Windows\system32\Dwm.exe[1088] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077041650 5 bytes JMP 00000000771a03b0 .text C:\Windows\system32\Dwm.exe[1088] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077041670 5 bytes JMP 00000000771a0390 .text C:\Windows\system32\Dwm.exe[1088] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000770416b0 5 bytes JMP 00000000771a02e0 .text C:\Windows\system32\Dwm.exe[1088] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077041730 5 bytes JMP 00000000771a02d0 .text C:\Windows\system32\Dwm.exe[1088] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077041750 5 bytes JMP 00000000771a0310 .text C:\Windows\system32\Dwm.exe[1088] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077041790 5 bytes JMP 00000000771a03c0 .text C:\Windows\system32\Dwm.exe[1088] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000770417e0 5 bytes JMP 00000000771a03f0 .text C:\Windows\system32\Dwm.exe[1088] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077041940 5 bytes JMP 00000000771a0230 .text C:\Windows\system32\Dwm.exe[1088] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077041b00 5 bytes JMP 00000000771a0480 .text C:\Windows\system32\Dwm.exe[1088] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077041b30 5 bytes JMP 00000000771a03a0 .text C:\Windows\system32\Dwm.exe[1088] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077041c10 5 bytes JMP 00000000771a02f0 .text C:\Windows\system32\Dwm.exe[1088] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077041c20 5 bytes JMP 00000000771a0350 .text C:\Windows\system32\Dwm.exe[1088] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077041c80 5 bytes JMP 00000000771a0290 .text C:\Windows\system32\Dwm.exe[1088] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077041d10 5 bytes JMP 00000000771a02b0 .text C:\Windows\system32\Dwm.exe[1088] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077041d30 5 bytes JMP 00000000771a03d0 .text C:\Windows\system32\Dwm.exe[1088] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077041d40 5 bytes JMP 00000000771a0330 .text C:\Windows\system32\Dwm.exe[1088] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077041db0 5 bytes JMP 00000000771a0410 .text C:\Windows\system32\Dwm.exe[1088] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077041de0 5 bytes JMP 00000000771a0240 .text C:\Windows\system32\Dwm.exe[1088] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000770420a0 5 bytes JMP 00000000771a01e0 .text C:\Windows\system32\Dwm.exe[1088] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077042160 5 bytes JMP 00000000771a0250 .text C:\Windows\system32\Dwm.exe[1088] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077042190 5 bytes JMP 00000000771a0490 .text C:\Windows\system32\Dwm.exe[1088] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000770421a0 5 bytes JMP 00000000771a04a0 .text C:\Windows\system32\Dwm.exe[1088] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000770421d0 5 bytes JMP 00000000771a0300 .text C:\Windows\system32\Dwm.exe[1088] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000770421e0 5 bytes JMP 00000000771a0360 .text C:\Windows\system32\Dwm.exe[1088] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077042240 5 bytes JMP 00000000771a02a0 .text C:\Windows\system32\Dwm.exe[1088] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077042290 5 bytes JMP 00000000771a02c0 .text C:\Windows\system32\Dwm.exe[1088] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000770422c0 5 bytes JMP 00000000771a0380 .text C:\Windows\system32\Dwm.exe[1088] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000770422d0 5 bytes JMP 00000000771a0340 .text C:\Windows\system32\Dwm.exe[1088] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000770425c0 5 bytes JMP 00000000771a0440 .text C:\Windows\system32\Dwm.exe[1088] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000770427c0 5 bytes JMP 00000000771a0260 .text C:\Windows\system32\Dwm.exe[1088] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000770427d0 5 bytes JMP 00000000771a0270 .text C:\Windows\system32\Dwm.exe[1088] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000770427e0 5 bytes JMP 00000000771a0400 .text C:\Windows\system32\Dwm.exe[1088] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000770429a0 5 bytes JMP 00000000771a01f0 .text C:\Windows\system32\Dwm.exe[1088] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000770429b0 5 bytes JMP 00000000771a0210 .text C:\Windows\system32\Dwm.exe[1088] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077042a20 5 bytes JMP 00000000771a0200 .text C:\Windows\system32\Dwm.exe[1088] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077042a80 5 bytes JMP 00000000771a0420 .text C:\Windows\system32\Dwm.exe[1088] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077042a90 5 bytes JMP 00000000771a0430 .text C:\Windows\system32\Dwm.exe[1088] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077042aa0 5 bytes JMP 00000000771a0220 .text C:\Windows\system32\Dwm.exe[1088] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077042b80 5 bytes JMP 00000000771a0280 .text C:\Windows\Explorer.EXE[1448] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077041360 5 bytes JMP 00000000771a0460 .text C:\Windows\Explorer.EXE[1448] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000770413b0 5 bytes JMP 00000000771a0450 .text C:\Windows\Explorer.EXE[1448] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077041510 5 bytes JMP 00000000771a0370 .text C:\Windows\Explorer.EXE[1448] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077041560 5 bytes JMP 00000000771a0470 .text C:\Windows\Explorer.EXE[1448] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077041570 5 bytes JMP 00000000771a03e0 .text C:\Windows\Explorer.EXE[1448] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077041620 5 bytes JMP 00000000771a0320 .text C:\Windows\Explorer.EXE[1448] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077041650 5 bytes JMP 00000000771a03b0 .text C:\Windows\Explorer.EXE[1448] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077041670 5 bytes JMP 00000000771a0390 .text C:\Windows\Explorer.EXE[1448] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000770416b0 5 bytes JMP 00000000771a02e0 .text C:\Windows\Explorer.EXE[1448] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077041730 5 bytes JMP 00000000771a02d0 .text C:\Windows\Explorer.EXE[1448] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077041750 5 bytes JMP 00000000771a0310 .text C:\Windows\Explorer.EXE[1448] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077041790 5 bytes JMP 00000000771a03c0 .text C:\Windows\Explorer.EXE[1448] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000770417e0 5 bytes JMP 00000000771a03f0 .text C:\Windows\Explorer.EXE[1448] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077041940 5 bytes JMP 00000000771a0230 .text C:\Windows\Explorer.EXE[1448] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077041b00 5 bytes JMP 00000000771a0480 .text C:\Windows\Explorer.EXE[1448] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077041b30 5 bytes JMP 00000000771a03a0 .text C:\Windows\Explorer.EXE[1448] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077041c10 5 bytes JMP 00000000771a02f0 .text C:\Windows\Explorer.EXE[1448] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077041c20 5 bytes JMP 00000000771a0350 .text C:\Windows\Explorer.EXE[1448] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077041c80 5 bytes JMP 00000000771a0290 .text C:\Windows\Explorer.EXE[1448] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077041d10 5 bytes JMP 00000000771a02b0 .text C:\Windows\Explorer.EXE[1448] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077041d30 5 bytes JMP 00000000771a03d0 .text C:\Windows\Explorer.EXE[1448] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077041d40 5 bytes JMP 00000000771a0330 .text C:\Windows\Explorer.EXE[1448] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077041db0 5 bytes JMP 00000000771a0410 .text C:\Windows\Explorer.EXE[1448] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077041de0 5 bytes JMP 00000000771a0240 .text C:\Windows\Explorer.EXE[1448] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000770420a0 5 bytes JMP 00000000771a01e0 .text C:\Windows\Explorer.EXE[1448] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077042160 5 bytes JMP 00000000771a0250 .text C:\Windows\Explorer.EXE[1448] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077042190 5 bytes JMP 00000000771a0490 .text C:\Windows\Explorer.EXE[1448] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000770421a0 5 bytes JMP 00000000771a04a0 .text C:\Windows\Explorer.EXE[1448] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000770421d0 5 bytes JMP 00000000771a0300 .text C:\Windows\Explorer.EXE[1448] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000770421e0 5 bytes JMP 00000000771a0360 .text C:\Windows\Explorer.EXE[1448] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077042240 5 bytes JMP 00000000771a02a0 .text C:\Windows\Explorer.EXE[1448] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077042290 5 bytes JMP 00000000771a02c0 .text C:\Windows\Explorer.EXE[1448] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000770422c0 5 bytes JMP 00000000771a0380 .text C:\Windows\Explorer.EXE[1448] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000770422d0 5 bytes JMP 00000000771a0340 .text C:\Windows\Explorer.EXE[1448] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000770425c0 5 bytes JMP 00000000771a0440 .text C:\Windows\Explorer.EXE[1448] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000770427c0 5 bytes JMP 00000000771a0260 .text C:\Windows\Explorer.EXE[1448] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000770427d0 5 bytes JMP 00000000771a0270 .text C:\Windows\Explorer.EXE[1448] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000770427e0 5 bytes JMP 00000000771a0400 .text C:\Windows\Explorer.EXE[1448] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000770429a0 5 bytes JMP 00000000771a01f0 .text C:\Windows\Explorer.EXE[1448] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000770429b0 5 bytes JMP 00000000771a0210 .text C:\Windows\Explorer.EXE[1448] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077042a20 5 bytes JMP 00000000771a0200 .text C:\Windows\Explorer.EXE[1448] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077042a80 5 bytes JMP 00000000771a0420 .text C:\Windows\Explorer.EXE[1448] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077042a90 5 bytes JMP 00000000771a0430 .text C:\Windows\Explorer.EXE[1448] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077042aa0 5 bytes JMP 00000000771a0220 .text C:\Windows\Explorer.EXE[1448] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077042b80 5 bytes JMP 00000000771a0280 .text C:\Windows\Explorer.EXE[1448] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076f2ef8d 1 byte [62] .text C:\Program Files (x86)\iSafe\iSafeTray.exe[1876] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000075eba2fd 1 byte [62] .text C:\Program Files (x86)\iSafe\iSafeTray.exe[1876] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000074c21465 2 bytes [C2, 74] .text C:\Program Files (x86)\iSafe\iSafeTray.exe[1876] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000074c214bb 2 bytes [C2, 74] .text ... * 2 .text C:\Windows\System32\spoolsv.exe[2160] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077041360 5 bytes JMP 00000000771a0460 .text C:\Windows\System32\spoolsv.exe[2160] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000770413b0 5 bytes JMP 00000000771a0450 .text C:\Windows\System32\spoolsv.exe[2160] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077041510 5 bytes JMP 00000000771a0370 .text C:\Windows\System32\spoolsv.exe[2160] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077041560 5 bytes JMP 00000000771a0470 .text C:\Windows\System32\spoolsv.exe[2160] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077041570 5 bytes JMP 00000000771a03e0 .text C:\Windows\System32\spoolsv.exe[2160] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077041620 5 bytes JMP 00000000771a0320 .text C:\Windows\System32\spoolsv.exe[2160] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077041650 5 bytes JMP 00000000771a03b0 .text C:\Windows\System32\spoolsv.exe[2160] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077041670 5 bytes JMP 00000000771a0390 .text C:\Windows\System32\spoolsv.exe[2160] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000770416b0 5 bytes JMP 00000000771a02e0 .text C:\Windows\System32\spoolsv.exe[2160] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077041730 5 bytes JMP 00000000771a02d0 .text C:\Windows\System32\spoolsv.exe[2160] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077041750 5 bytes JMP 00000000771a0310 .text C:\Windows\System32\spoolsv.exe[2160] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077041790 5 bytes JMP 00000000771a03c0 .text C:\Windows\System32\spoolsv.exe[2160] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000770417e0 5 bytes JMP 00000000771a03f0 .text C:\Windows\System32\spoolsv.exe[2160] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077041940 5 bytes JMP 00000000771a0230 .text C:\Windows\System32\spoolsv.exe[2160] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077041b00 5 bytes JMP 00000000771a0480 .text C:\Windows\System32\spoolsv.exe[2160] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077041b30 5 bytes JMP 00000000771a03a0 .text C:\Windows\System32\spoolsv.exe[2160] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077041c10 5 bytes JMP 00000000771a02f0 .text C:\Windows\System32\spoolsv.exe[2160] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077041c20 5 bytes JMP 00000000771a0350 .text C:\Windows\System32\spoolsv.exe[2160] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077041c80 5 bytes JMP 00000000771a0290 .text C:\Windows\System32\spoolsv.exe[2160] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077041d10 5 bytes JMP 00000000771a02b0 .text C:\Windows\System32\spoolsv.exe[2160] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077041d30 5 bytes JMP 00000000771a03d0 .text C:\Windows\System32\spoolsv.exe[2160] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077041d40 5 bytes JMP 00000000771a0330 .text C:\Windows\System32\spoolsv.exe[2160] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077041db0 5 bytes JMP 00000000771a0410 .text C:\Windows\System32\spoolsv.exe[2160] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077041de0 5 bytes JMP 00000000771a0240 .text C:\Windows\System32\spoolsv.exe[2160] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000770420a0 5 bytes JMP 00000000771a01e0 .text C:\Windows\System32\spoolsv.exe[2160] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077042160 5 bytes JMP 00000000771a0250 .text C:\Windows\System32\spoolsv.exe[2160] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077042190 5 bytes JMP 00000000771a0490 .text C:\Windows\System32\spoolsv.exe[2160] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000770421a0 5 bytes JMP 00000000771a04a0 .text C:\Windows\System32\spoolsv.exe[2160] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000770421d0 5 bytes JMP 00000000771a0300 .text C:\Windows\System32\spoolsv.exe[2160] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000770421e0 5 bytes JMP 00000000771a0360 .text C:\Windows\System32\spoolsv.exe[2160] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077042240 5 bytes JMP 00000000771a02a0 .text C:\Windows\System32\spoolsv.exe[2160] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077042290 5 bytes JMP 00000000771a02c0 .text C:\Windows\System32\spoolsv.exe[2160] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000770422c0 5 bytes JMP 00000000771a0380 .text C:\Windows\System32\spoolsv.exe[2160] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000770422d0 5 bytes JMP 00000000771a0340 .text C:\Windows\System32\spoolsv.exe[2160] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000770425c0 5 bytes JMP 00000000771a0440 .text C:\Windows\System32\spoolsv.exe[2160] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000770427c0 5 bytes JMP 00000000771a0260 .text C:\Windows\System32\spoolsv.exe[2160] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000770427d0 5 bytes JMP 00000000771a0270 .text C:\Windows\System32\spoolsv.exe[2160] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000770427e0 5 bytes JMP 00000000771a0400 .text C:\Windows\System32\spoolsv.exe[2160] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000770429a0 5 bytes JMP 00000000771a01f0 .text C:\Windows\System32\spoolsv.exe[2160] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000770429b0 5 bytes JMP 00000000771a0210 .text C:\Windows\System32\spoolsv.exe[2160] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077042a20 5 bytes JMP 00000000771a0200 .text C:\Windows\System32\spoolsv.exe[2160] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077042a80 5 bytes JMP 00000000771a0420 .text C:\Windows\System32\spoolsv.exe[2160] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077042a90 5 bytes JMP 00000000771a0430 .text C:\Windows\System32\spoolsv.exe[2160] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077042aa0 5 bytes JMP 00000000771a0220 .text C:\Windows\System32\spoolsv.exe[2160] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077042b80 5 bytes JMP 00000000771a0280 .text C:\Windows\system32\taskhost.exe[2224] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077041360 5 bytes JMP 00000000771a0460 .text C:\Windows\system32\taskhost.exe[2224] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000770413b0 5 bytes JMP 00000000771a0450 .text C:\Windows\system32\taskhost.exe[2224] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077041510 5 bytes JMP 00000000771a0370 .text C:\Windows\system32\taskhost.exe[2224] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077041560 5 bytes JMP 00000000771a0470 .text C:\Windows\system32\taskhost.exe[2224] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077041570 5 bytes JMP 00000000771a03e0 .text C:\Windows\system32\taskhost.exe[2224] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077041620 5 bytes JMP 00000000771a0320 .text C:\Windows\system32\taskhost.exe[2224] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077041650 5 bytes JMP 00000000771a03b0 .text C:\Windows\system32\taskhost.exe[2224] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077041670 5 bytes JMP 00000000771a0390 .text C:\Windows\system32\taskhost.exe[2224] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000770416b0 5 bytes JMP 00000000771a02e0 .text C:\Windows\system32\taskhost.exe[2224] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077041730 5 bytes JMP 00000000771a02d0 .text C:\Windows\system32\taskhost.exe[2224] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077041750 5 bytes JMP 00000000771a0310 .text C:\Windows\system32\taskhost.exe[2224] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077041790 5 bytes JMP 00000000771a03c0 .text C:\Windows\system32\taskhost.exe[2224] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000770417e0 5 bytes JMP 00000000771a03f0 .text C:\Windows\system32\taskhost.exe[2224] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077041940 5 bytes JMP 00000000771a0230 .text C:\Windows\system32\taskhost.exe[2224] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077041b00 5 bytes JMP 00000000771a0480 .text C:\Windows\system32\taskhost.exe[2224] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077041b30 5 bytes JMP 00000000771a03a0 .text C:\Windows\system32\taskhost.exe[2224] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077041c10 5 bytes JMP 00000000771a02f0 .text C:\Windows\system32\taskhost.exe[2224] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077041c20 5 bytes JMP 00000000771a0350 .text C:\Windows\system32\taskhost.exe[2224] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077041c80 5 bytes JMP 00000000771a0290 .text C:\Windows\system32\taskhost.exe[2224] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077041d10 5 bytes JMP 00000000771a02b0 .text C:\Windows\system32\taskhost.exe[2224] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077041d30 5 bytes JMP 00000000771a03d0 .text C:\Windows\system32\taskhost.exe[2224] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077041d40 5 bytes JMP 00000000771a0330 .text C:\Windows\system32\taskhost.exe[2224] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077041db0 5 bytes JMP 00000000771a0410 .text C:\Windows\system32\taskhost.exe[2224] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077041de0 5 bytes JMP 00000000771a0240 .text C:\Windows\system32\taskhost.exe[2224] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000770420a0 5 bytes JMP 00000000771a01e0 .text C:\Windows\system32\taskhost.exe[2224] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077042160 5 bytes JMP 00000000771a0250 .text C:\Windows\system32\taskhost.exe[2224] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077042190 5 bytes JMP 00000000771a0490 .text C:\Windows\system32\taskhost.exe[2224] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000770421a0 5 bytes JMP 00000000771a04a0 .text C:\Windows\system32\taskhost.exe[2224] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000770421d0 5 bytes JMP 00000000771a0300 .text C:\Windows\system32\taskhost.exe[2224] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000770421e0 5 bytes JMP 00000000771a0360 .text C:\Windows\system32\taskhost.exe[2224] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077042240 5 bytes JMP 00000000771a02a0 .text C:\Windows\system32\taskhost.exe[2224] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077042290 5 bytes JMP 00000000771a02c0 .text C:\Windows\system32\taskhost.exe[2224] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000770422c0 5 bytes JMP 00000000771a0380 .text C:\Windows\system32\taskhost.exe[2224] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000770422d0 5 bytes JMP 00000000771a0340 .text C:\Windows\system32\taskhost.exe[2224] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000770425c0 5 bytes JMP 00000000771a0440 .text C:\Windows\system32\taskhost.exe[2224] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000770427c0 5 bytes JMP 00000000771a0260 .text C:\Windows\system32\taskhost.exe[2224] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000770427d0 5 bytes JMP 00000000771a0270 .text C:\Windows\system32\taskhost.exe[2224] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000770427e0 5 bytes JMP 00000000771a0400 .text C:\Windows\system32\taskhost.exe[2224] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000770429a0 5 bytes JMP 00000000771a01f0 .text C:\Windows\system32\taskhost.exe[2224] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000770429b0 5 bytes JMP 00000000771a0210 .text C:\Windows\system32\taskhost.exe[2224] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077042a20 5 bytes JMP 00000000771a0200 .text C:\Windows\system32\taskhost.exe[2224] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077042a80 5 bytes JMP 00000000771a0420 .text C:\Windows\system32\taskhost.exe[2224] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077042a90 5 bytes JMP 00000000771a0430 .text C:\Windows\system32\taskhost.exe[2224] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077042aa0 5 bytes JMP 00000000771a0220 .text C:\Windows\system32\taskhost.exe[2224] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077042b80 5 bytes JMP 00000000771a0280 .text C:\Program Files\AVAST Software\Avast\afwServ.exe[2268] C:\Windows\syswow64\kernel32.dll!SetUnhandledExceptionFilter 0000000075e98791 8 bytes [31, C0, C2, 04, 00, 90, 90, ...] .text C:\Program Files\AVAST Software\Avast\afwServ.exe[2268] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000075eba2fd 1 byte [62] .text C:\Program Files\AVAST Software\Avast\afwServ.exe[2268] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000074c21465 2 bytes [C2, 74] .text C:\Program Files\AVAST Software\Avast\afwServ.exe[2268] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000074c214bb 2 bytes [C2, 74] .text ... * 2 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2392] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000075eba2fd 1 byte [62] .text C:\Program Files\IDT\WDM\AESTSr64.exe[2420] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076f2ef8d 1 byte [62] .text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[2460] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000075eba2fd 1 byte [62] .text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[2524] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077041360 5 bytes JMP 00000000771a0460 .text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[2524] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000770413b0 5 bytes JMP 00000000771a0450 .text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[2524] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077041510 5 bytes JMP 00000000771a0370 .text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[2524] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077041560 5 bytes JMP 00000000771a0470 .text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[2524] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077041570 5 bytes JMP 00000000771a03e0 .text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[2524] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077041620 5 bytes JMP 00000000771a0320 .text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[2524] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077041650 5 bytes JMP 00000000771a03b0 .text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[2524] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077041670 5 bytes JMP 00000000771a0390 .text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[2524] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000770416b0 5 bytes JMP 00000000771a02e0 .text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[2524] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077041730 5 bytes JMP 00000000771a02d0 .text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[2524] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077041750 5 bytes JMP 00000000771a0310 .text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[2524] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077041790 5 bytes JMP 00000000771a03c0 .text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[2524] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000770417e0 5 bytes JMP 00000000771a03f0 .text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[2524] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077041940 5 bytes JMP 00000000771a0230 .text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[2524] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077041b00 5 bytes JMP 00000000771a0480 .text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[2524] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077041b30 5 bytes JMP 00000000771a03a0 .text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[2524] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077041c10 5 bytes JMP 00000000771a02f0 .text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[2524] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077041c20 5 bytes JMP 00000000771a0350 .text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[2524] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077041c80 5 bytes JMP 00000000771a0290 .text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[2524] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077041d10 5 bytes JMP 00000000771a02b0 .text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[2524] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077041d30 5 bytes JMP 00000000771a03d0 .text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[2524] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077041d40 5 bytes JMP 00000000771a0330 .text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[2524] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077041db0 5 bytes JMP 00000000771a0410 .text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[2524] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077041de0 5 bytes JMP 00000000771a0240 .text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[2524] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000770420a0 5 bytes JMP 00000000771a01e0 .text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[2524] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077042160 5 bytes JMP 00000000771a0250 .text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[2524] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077042190 5 bytes JMP 00000000771a0490 .text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[2524] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000770421a0 5 bytes JMP 00000000771a04a0 .text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[2524] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000770421d0 5 bytes JMP 00000000771a0300 .text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[2524] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000770421e0 5 bytes JMP 00000000771a0360 .text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[2524] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077042240 5 bytes JMP 00000000771a02a0 .text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[2524] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077042290 5 bytes JMP 00000000771a02c0 .text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[2524] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000770422c0 5 bytes JMP 00000000771a0380 .text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[2524] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000770422d0 5 bytes JMP 00000000771a0340 .text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[2524] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000770425c0 5 bytes JMP 00000000771a0440 .text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[2524] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000770427c0 5 bytes JMP 00000000771a0260 .text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[2524] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000770427d0 5 bytes JMP 00000000771a0270 .text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[2524] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000770427e0 5 bytes JMP 00000000771a0400 .text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[2524] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000770429a0 5 bytes JMP 00000000771a01f0 .text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[2524] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000770429b0 5 bytes JMP 00000000771a0210 .text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[2524] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077042a20 5 bytes JMP 00000000771a0200 .text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[2524] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077042a80 5 bytes JMP 00000000771a0420 .text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[2524] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077042a90 5 bytes JMP 00000000771a0430 .text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[2524] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077042aa0 5 bytes JMP 00000000771a0220 .text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[2524] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077042b80 5 bytes JMP 00000000771a0280 .text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[2524] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076f2ef8d 1 byte [62] .text C:\Program Files\Dassault Systemes\DraftSight\bin\dsHttpApiService.exe[2620] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077041360 5 bytes JMP 00000000771a0460 .text C:\Program Files\Dassault Systemes\DraftSight\bin\dsHttpApiService.exe[2620] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000770413b0 5 bytes JMP 00000000771a0450 .text C:\Program Files\Dassault Systemes\DraftSight\bin\dsHttpApiService.exe[2620] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077041510 5 bytes JMP 00000000771a0370 .text C:\Program Files\Dassault Systemes\DraftSight\bin\dsHttpApiService.exe[2620] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077041560 5 bytes JMP 00000000771a0470 .text C:\Program Files\Dassault Systemes\DraftSight\bin\dsHttpApiService.exe[2620] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077041570 5 bytes JMP 00000000771a03e0 .text C:\Program Files\Dassault Systemes\DraftSight\bin\dsHttpApiService.exe[2620] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077041620 5 bytes JMP 00000000771a0320 .text C:\Program Files\Dassault Systemes\DraftSight\bin\dsHttpApiService.exe[2620] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077041650 5 bytes JMP 00000000771a03b0 .text C:\Program Files\Dassault Systemes\DraftSight\bin\dsHttpApiService.exe[2620] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077041670 5 bytes JMP 00000000771a0390 .text C:\Program Files\Dassault Systemes\DraftSight\bin\dsHttpApiService.exe[2620] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000770416b0 5 bytes JMP 00000000771a02e0 .text C:\Program Files\Dassault Systemes\DraftSight\bin\dsHttpApiService.exe[2620] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077041730 5 bytes JMP 00000000771a02d0 .text C:\Program Files\Dassault Systemes\DraftSight\bin\dsHttpApiService.exe[2620] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077041750 5 bytes JMP 00000000771a0310 .text C:\Program Files\Dassault Systemes\DraftSight\bin\dsHttpApiService.exe[2620] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077041790 5 bytes JMP 00000000771a03c0 .text C:\Program Files\Dassault Systemes\DraftSight\bin\dsHttpApiService.exe[2620] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000770417e0 5 bytes JMP 00000000771a03f0 .text C:\Program Files\Dassault Systemes\DraftSight\bin\dsHttpApiService.exe[2620] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077041940 5 bytes JMP 00000000771a0230 .text C:\Program Files\Dassault Systemes\DraftSight\bin\dsHttpApiService.exe[2620] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077041b00 5 bytes JMP 00000000771a0480 .text C:\Program Files\Dassault Systemes\DraftSight\bin\dsHttpApiService.exe[2620] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077041b30 5 bytes JMP 00000000771a03a0 .text C:\Program Files\Dassault Systemes\DraftSight\bin\dsHttpApiService.exe[2620] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077041c10 5 bytes JMP 00000000771a02f0 .text C:\Program Files\Dassault Systemes\DraftSight\bin\dsHttpApiService.exe[2620] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077041c20 5 bytes JMP 00000000771a0350 .text C:\Program Files\Dassault Systemes\DraftSight\bin\dsHttpApiService.exe[2620] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077041c80 5 bytes JMP 00000000771a0290 .text C:\Program Files\Dassault Systemes\DraftSight\bin\dsHttpApiService.exe[2620] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077041d10 5 bytes JMP 00000000771a02b0 .text C:\Program Files\Dassault Systemes\DraftSight\bin\dsHttpApiService.exe[2620] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077041d30 5 bytes JMP 00000000771a03d0 .text C:\Program Files\Dassault Systemes\DraftSight\bin\dsHttpApiService.exe[2620] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077041d40 5 bytes JMP 00000000771a0330 .text C:\Program Files\Dassault Systemes\DraftSight\bin\dsHttpApiService.exe[2620] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077041db0 5 bytes JMP 00000000771a0410 .text C:\Program Files\Dassault Systemes\DraftSight\bin\dsHttpApiService.exe[2620] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077041de0 5 bytes JMP 00000000771a0240 .text C:\Program Files\Dassault Systemes\DraftSight\bin\dsHttpApiService.exe[2620] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000770420a0 5 bytes JMP 00000000771a01e0 .text C:\Program Files\Dassault Systemes\DraftSight\bin\dsHttpApiService.exe[2620] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077042160 5 bytes JMP 00000000771a0250 .text C:\Program Files\Dassault Systemes\DraftSight\bin\dsHttpApiService.exe[2620] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077042190 5 bytes JMP 00000000771a0490 .text C:\Program Files\Dassault Systemes\DraftSight\bin\dsHttpApiService.exe[2620] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000770421a0 5 bytes JMP 00000000771a04a0 .text C:\Program Files\Dassault Systemes\DraftSight\bin\dsHttpApiService.exe[2620] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000770421d0 5 bytes JMP 00000000771a0300 .text C:\Program Files\Dassault Systemes\DraftSight\bin\dsHttpApiService.exe[2620] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000770421e0 5 bytes JMP 00000000771a0360 .text C:\Program Files\Dassault Systemes\DraftSight\bin\dsHttpApiService.exe[2620] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077042240 5 bytes JMP 00000000771a02a0 .text C:\Program Files\Dassault Systemes\DraftSight\bin\dsHttpApiService.exe[2620] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077042290 5 bytes JMP 00000000771a02c0 .text C:\Program Files\Dassault Systemes\DraftSight\bin\dsHttpApiService.exe[2620] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000770422c0 5 bytes JMP 00000000771a0380 .text C:\Program Files\Dassault Systemes\DraftSight\bin\dsHttpApiService.exe[2620] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000770422d0 5 bytes JMP 00000000771a0340 .text C:\Program Files\Dassault Systemes\DraftSight\bin\dsHttpApiService.exe[2620] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000770425c0 5 bytes JMP 00000000771a0440 .text C:\Program Files\Dassault Systemes\DraftSight\bin\dsHttpApiService.exe[2620] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000770427c0 5 bytes JMP 00000000771a0260 .text C:\Program Files\Dassault Systemes\DraftSight\bin\dsHttpApiService.exe[2620] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000770427d0 5 bytes JMP 00000000771a0270 .text C:\Program Files\Dassault Systemes\DraftSight\bin\dsHttpApiService.exe[2620] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000770427e0 5 bytes JMP 00000000771a0400 .text C:\Program Files\Dassault Systemes\DraftSight\bin\dsHttpApiService.exe[2620] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000770429a0 5 bytes JMP 00000000771a01f0 .text C:\Program Files\Dassault Systemes\DraftSight\bin\dsHttpApiService.exe[2620] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000770429b0 5 bytes JMP 00000000771a0210 .text C:\Program Files\Dassault Systemes\DraftSight\bin\dsHttpApiService.exe[2620] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077042a20 5 bytes JMP 00000000771a0200 .text C:\Program Files\Dassault Systemes\DraftSight\bin\dsHttpApiService.exe[2620] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077042a80 5 bytes JMP 00000000771a0420 .text C:\Program Files\Dassault Systemes\DraftSight\bin\dsHttpApiService.exe[2620] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077042a90 5 bytes JMP 00000000771a0430 .text C:\Program Files\Dassault Systemes\DraftSight\bin\dsHttpApiService.exe[2620] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077042aa0 5 bytes JMP 00000000771a0220 .text C:\Program Files\Dassault Systemes\DraftSight\bin\dsHttpApiService.exe[2620] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077042b80 5 bytes JMP 00000000771a0280 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[2772] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077041360 5 bytes JMP 00000000771a0460 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[2772] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000770413b0 5 bytes JMP 00000000771a0450 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[2772] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077041510 5 bytes JMP 00000000771a0370 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[2772] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077041560 5 bytes JMP 00000000771a0470 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[2772] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077041570 5 bytes JMP 00000000771a03e0 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[2772] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077041620 5 bytes JMP 00000000771a0320 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[2772] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077041650 5 bytes JMP 00000000771a03b0 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[2772] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077041670 5 bytes JMP 00000000771a0390 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[2772] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000770416b0 5 bytes JMP 00000000771a02e0 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[2772] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077041730 5 bytes JMP 00000000771a02d0 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[2772] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077041750 5 bytes JMP 00000000771a0310 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[2772] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077041790 5 bytes JMP 00000000771a03c0 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[2772] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000770417e0 5 bytes JMP 00000000771a03f0 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[2772] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077041940 5 bytes JMP 00000000771a0230 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[2772] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077041b00 5 bytes JMP 00000000771a0480 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[2772] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077041b30 5 bytes JMP 00000000771a03a0 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[2772] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077041c10 5 bytes JMP 00000000771a02f0 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[2772] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077041c20 5 bytes JMP 00000000771a0350 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[2772] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077041c80 5 bytes JMP 00000000771a0290 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[2772] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077041d10 5 bytes JMP 00000000771a02b0 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[2772] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077041d30 5 bytes JMP 00000000771a03d0 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[2772] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077041d40 5 bytes JMP 00000000771a0330 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[2772] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077041db0 5 bytes JMP 00000000771a0410 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[2772] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077041de0 5 bytes JMP 00000000771a0240 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[2772] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000770420a0 5 bytes JMP 00000000771a01e0 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[2772] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077042160 5 bytes JMP 00000000771a0250 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[2772] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077042190 5 bytes JMP 00000000771a0490 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[2772] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000770421a0 5 bytes JMP 00000000771a04a0 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[2772] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000770421d0 5 bytes JMP 00000000771a0300 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[2772] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000770421e0 5 bytes JMP 00000000771a0360 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[2772] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077042240 5 bytes JMP 00000000771a02a0 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[2772] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077042290 5 bytes JMP 00000000771a02c0 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[2772] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000770422c0 5 bytes JMP 00000000771a0380 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[2772] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000770422d0 5 bytes JMP 00000000771a0340 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[2772] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000770425c0 5 bytes JMP 00000000771a0440 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[2772] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000770427c0 5 bytes JMP 00000000771a0260 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[2772] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000770427d0 5 bytes JMP 00000000771a0270 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[2772] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000770427e0 5 bytes JMP 00000000771a0400 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[2772] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000770429a0 5 bytes JMP 00000000771a01f0 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[2772] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000770429b0 5 bytes JMP 00000000771a0210 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[2772] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077042a20 5 bytes JMP 00000000771a0200 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[2772] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077042a80 5 bytes JMP 00000000771a0420 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[2772] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077042a90 5 bytes JMP 00000000771a0430 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[2772] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077042aa0 5 bytes JMP 00000000771a0220 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[2772] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077042b80 5 bytes JMP 00000000771a0280 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[2772] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076f2ef8d 1 byte [62] .text C:\ProgramData\DatacardService\DCSHelper.exe[2840] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000075eba2fd 1 byte [62] .text C:\ProgramData\PLAY ONLINE\OnlineUpdate\ouc.exe[748] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000075eba2fd 1 byte [62] .text C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe[2968] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000075eba2fd 1 byte [62] .text C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe[2968] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 69 0000000074c21465 2 bytes [C2, 74] .text C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe[2968] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 155 0000000074c214bb 2 bytes [C2, 74] .text ... * 2 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077041360 5 bytes JMP 00000000771a0460 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000770413b0 5 bytes JMP 00000000771a0450 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077041510 5 bytes JMP 00000000771a0370 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077041560 5 bytes JMP 00000000771a0470 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077041570 5 bytes JMP 00000000771a03e0 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077041620 5 bytes JMP 00000000771a0320 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077041650 5 bytes JMP 00000000771a03b0 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077041670 5 bytes JMP 00000000771a0390 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000770416b0 5 bytes JMP 00000000771a02e0 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077041730 5 bytes JMP 00000000771a02d0 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077041750 5 bytes JMP 00000000771a0310 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077041790 5 bytes JMP 00000000771a03c0 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000770417e0 5 bytes JMP 00000000771a03f0 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077041940 5 bytes JMP 00000000771a0230 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077041b00 5 bytes JMP 00000000771a0480 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077041b30 5 bytes JMP 00000000771a03a0 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077041c10 5 bytes JMP 00000000771a02f0 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077041c20 5 bytes JMP 00000000771a0350 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077041c80 5 bytes JMP 00000000771a0290 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077041d10 5 bytes JMP 00000000771a02b0 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077041d30 5 bytes JMP 00000000771a03d0 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077041d40 5 bytes JMP 00000000771a0330 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077041db0 5 bytes JMP 00000000771a0410 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077041de0 5 bytes JMP 00000000771a0240 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000770420a0 5 bytes JMP 00000000771a01e0 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077042160 5 bytes JMP 00000000771a0250 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077042190 5 bytes JMP 00000000771a0490 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000770421a0 5 bytes JMP 00000000771a04a0 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000770421d0 5 bytes JMP 00000000771a0300 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000770421e0 5 bytes JMP 00000000771a0360 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077042240 5 bytes JMP 00000000771a02a0 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077042290 5 bytes JMP 00000000771a02c0 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000770422c0 5 bytes JMP 00000000771a0380 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000770422d0 5 bytes JMP 00000000771a0340 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000770425c0 5 bytes JMP 00000000771a0440 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000770427c0 5 bytes JMP 00000000771a0260 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000770427d0 5 bytes JMP 00000000771a0270 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000770427e0 5 bytes JMP 00000000771a0400 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000770429a0 5 bytes JMP 00000000771a01f0 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000770429b0 5 bytes JMP 00000000771a0210 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077042a20 5 bytes JMP 00000000771a0200 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077042a80 5 bytes JMP 00000000771a0420 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077042a90 5 bytes JMP 00000000771a0430 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077042aa0 5 bytes JMP 00000000771a0220 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077042b80 5 bytes JMP 00000000771a0280 .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2916] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000075eba2fd 1 byte [62] .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2916] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000074c21465 2 bytes [C2, 74] .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2916] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000074c214bb 2 bytes [C2, 74] .text ... * 2 .text C:\Windows\system32\svchost.exe[2708] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077041360 5 bytes JMP 0000000100070460 .text C:\Windows\system32\svchost.exe[2708] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000770413b0 5 bytes JMP 0000000100070450 .text C:\Windows\system32\svchost.exe[2708] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077041510 5 bytes JMP 0000000100070370 .text C:\Windows\system32\svchost.exe[2708] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077041560 5 bytes JMP 0000000100070470 .text C:\Windows\system32\svchost.exe[2708] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077041570 5 bytes JMP 00000001000703e0 .text C:\Windows\system32\svchost.exe[2708] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077041620 5 bytes JMP 0000000100070320 .text C:\Windows\system32\svchost.exe[2708] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077041650 5 bytes JMP 00000001000703b0 .text C:\Windows\system32\svchost.exe[2708] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077041670 5 bytes JMP 0000000100070390 .text C:\Windows\system32\svchost.exe[2708] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000770416b0 5 bytes JMP 00000001000702e0 .text C:\Windows\system32\svchost.exe[2708] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077041730 5 bytes JMP 00000001000702d0 .text C:\Windows\system32\svchost.exe[2708] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077041750 5 bytes JMP 0000000100070310 .text C:\Windows\system32\svchost.exe[2708] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077041790 5 bytes JMP 00000001000703c0 .text C:\Windows\system32\svchost.exe[2708] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000770417e0 5 bytes JMP 00000001000703f0 .text C:\Windows\system32\svchost.exe[2708] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077041940 5 bytes JMP 0000000100070230 .text C:\Windows\system32\svchost.exe[2708] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077041b00 5 bytes JMP 0000000100070480 .text C:\Windows\system32\svchost.exe[2708] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077041b30 5 bytes JMP 00000001000703a0 .text C:\Windows\system32\svchost.exe[2708] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077041c10 5 bytes JMP 00000001000702f0 .text C:\Windows\system32\svchost.exe[2708] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077041c20 5 bytes JMP 0000000100070350 .text C:\Windows\system32\svchost.exe[2708] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077041c80 5 bytes JMP 0000000100070290 .text C:\Windows\system32\svchost.exe[2708] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077041d10 5 bytes JMP 00000001000702b0 .text C:\Windows\system32\svchost.exe[2708] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077041d30 5 bytes JMP 00000001000703d0 .text C:\Windows\system32\svchost.exe[2708] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077041d40 5 bytes JMP 0000000100070330 .text C:\Windows\system32\svchost.exe[2708] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077041db0 5 bytes JMP 0000000100070410 .text C:\Windows\system32\svchost.exe[2708] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077041de0 5 bytes JMP 0000000100070240 .text C:\Windows\system32\svchost.exe[2708] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000770420a0 5 bytes JMP 00000001000701e0 .text C:\Windows\system32\svchost.exe[2708] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077042160 5 bytes JMP 0000000100070250 .text C:\Windows\system32\svchost.exe[2708] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077042190 5 bytes JMP 0000000100070490 .text C:\Windows\system32\svchost.exe[2708] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000770421a0 5 bytes JMP 00000001000704a0 .text C:\Windows\system32\svchost.exe[2708] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000770421d0 5 bytes JMP 0000000100070300 .text C:\Windows\system32\svchost.exe[2708] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000770421e0 5 bytes JMP 0000000100070360 .text C:\Windows\system32\svchost.exe[2708] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077042240 5 bytes JMP 00000001000702a0 .text C:\Windows\system32\svchost.exe[2708] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077042290 5 bytes JMP 00000001000702c0 .text C:\Windows\system32\svchost.exe[2708] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000770422c0 5 bytes JMP 0000000100070380 .text C:\Windows\system32\svchost.exe[2708] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000770422d0 5 bytes JMP 0000000100070340 .text C:\Windows\system32\svchost.exe[2708] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000770425c0 5 bytes JMP 0000000100070440 .text C:\Windows\system32\svchost.exe[2708] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000770427c0 5 bytes JMP 0000000100070260 .text C:\Windows\system32\svchost.exe[2708] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000770427d0 5 bytes JMP 0000000100070270 .text C:\Windows\system32\svchost.exe[2708] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000770427e0 5 bytes JMP 0000000100070400 .text C:\Windows\system32\svchost.exe[2708] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000770429a0 5 bytes JMP 00000001000701f0 .text C:\Windows\system32\svchost.exe[2708] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000770429b0 5 bytes JMP 0000000100070210 .text C:\Windows\system32\svchost.exe[2708] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077042a20 5 bytes JMP 0000000100070200 .text C:\Windows\system32\svchost.exe[2708] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077042a80 5 bytes JMP 0000000100070420 .text C:\Windows\system32\svchost.exe[2708] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077042a90 5 bytes JMP 0000000100070430 .text C:\Windows\system32\svchost.exe[2708] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077042aa0 5 bytes JMP 0000000100070220 .text C:\Windows\system32\svchost.exe[2708] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077042b80 5 bytes JMP 0000000100070280 .text C:\Windows\System32\svchost.exe[2456] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077041360 5 bytes JMP 0000000171b10460 .text C:\Windows\System32\svchost.exe[2456] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000770413b0 5 bytes JMP 0000000171b10450 .text C:\Windows\System32\svchost.exe[2456] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077041510 5 bytes JMP 0000000171b10370 .text C:\Windows\System32\svchost.exe[2456] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077041560 5 bytes JMP 0000000171b10470 .text C:\Windows\System32\svchost.exe[2456] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077041570 5 bytes JMP 0000000171b103e0 .text C:\Windows\System32\svchost.exe[2456] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077041620 5 bytes JMP 0000000171b10320 .text C:\Windows\System32\svchost.exe[2456] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077041650 5 bytes JMP 0000000171b103b0 .text C:\Windows\System32\svchost.exe[2456] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077041670 5 bytes JMP 0000000171b10390 .text C:\Windows\System32\svchost.exe[2456] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000770416b0 5 bytes JMP 0000000171b102e0 .text C:\Windows\System32\svchost.exe[2456] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077041730 5 bytes JMP 0000000171b102d0 .text C:\Windows\System32\svchost.exe[2456] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077041750 5 bytes JMP 0000000171b10310 .text C:\Windows\System32\svchost.exe[2456] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077041790 5 bytes JMP 0000000171b103c0 .text C:\Windows\System32\svchost.exe[2456] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000770417e0 5 bytes JMP 0000000171b103f0 .text C:\Windows\System32\svchost.exe[2456] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077041940 5 bytes JMP 0000000171b10230 .text C:\Windows\System32\svchost.exe[2456] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077041b00 5 bytes JMP 0000000171b10480 .text C:\Windows\System32\svchost.exe[2456] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077041b30 5 bytes JMP 0000000171b103a0 .text C:\Windows\System32\svchost.exe[2456] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077041c10 5 bytes JMP 0000000171b102f0 .text C:\Windows\System32\svchost.exe[2456] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077041c20 5 bytes JMP 0000000171b10350 .text C:\Windows\System32\svchost.exe[2456] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077041c80 5 bytes JMP 0000000171b10290 .text C:\Windows\System32\svchost.exe[2456] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077041d10 5 bytes JMP 0000000171b102b0 .text C:\Windows\System32\svchost.exe[2456] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077041d30 5 bytes JMP 0000000171b103d0 .text C:\Windows\System32\svchost.exe[2456] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077041d40 5 bytes JMP 0000000171b10330 .text C:\Windows\System32\svchost.exe[2456] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077041db0 5 bytes JMP 0000000171b10410 .text C:\Windows\System32\svchost.exe[2456] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077041de0 5 bytes JMP 0000000171b10240 .text C:\Windows\System32\svchost.exe[2456] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000770420a0 5 bytes JMP 0000000171b101e0 .text C:\Windows\System32\svchost.exe[2456] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077042160 5 bytes JMP 0000000171b10250 .text C:\Windows\System32\svchost.exe[2456] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077042190 5 bytes JMP 0000000171b10490 .text C:\Windows\System32\svchost.exe[2456] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000770421a0 5 bytes JMP 0000000171b104a0 .text C:\Windows\System32\svchost.exe[2456] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000770421d0 5 bytes JMP 0000000171b10300 .text C:\Windows\System32\svchost.exe[2456] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000770421e0 5 bytes JMP 0000000171b10360 .text C:\Windows\System32\svchost.exe[2456] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077042240 5 bytes JMP 0000000171b102a0 .text C:\Windows\System32\svchost.exe[2456] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077042290 5 bytes JMP 0000000171b102c0 .text C:\Windows\System32\svchost.exe[2456] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000770422c0 5 bytes JMP 0000000171b10380 .text C:\Windows\System32\svchost.exe[2456] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000770422d0 5 bytes JMP 0000000171b10340 .text C:\Windows\System32\svchost.exe[2456] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000770425c0 5 bytes JMP 0000000171b10440 .text C:\Windows\System32\svchost.exe[2456] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000770427c0 5 bytes JMP 0000000171b10260 .text C:\Windows\System32\svchost.exe[2456] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000770427d0 5 bytes JMP 0000000171b10270 .text C:\Windows\System32\svchost.exe[2456] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000770427e0 5 bytes JMP 0000000171b10400 .text C:\Windows\System32\svchost.exe[2456] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000770429a0 5 bytes JMP 0000000171b101f0 .text C:\Windows\System32\svchost.exe[2456] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000770429b0 5 bytes JMP 0000000171b10210 .text C:\Windows\System32\svchost.exe[2456] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077042a20 5 bytes JMP 0000000171b10200 .text C:\Windows\System32\svchost.exe[2456] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077042a80 5 bytes JMP 0000000171b10420 .text C:\Windows\System32\svchost.exe[2456] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077042a90 5 bytes JMP 0000000171b10430 .text C:\Windows\System32\svchost.exe[2456] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077042aa0 5 bytes JMP 0000000171b10220 .text C:\Windows\System32\svchost.exe[2456] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077042b80 5 bytes JMP 0000000171b10280 .text C:\Windows\System32\svchost.exe[2456] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076f2ef8d 1 byte [62] .text C:\Windows\system32\svchost.exe[3256] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077041360 5 bytes JMP 0000000171b10460 .text C:\Windows\system32\svchost.exe[3256] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000770413b0 5 bytes JMP 0000000171b10450 .text C:\Windows\system32\svchost.exe[3256] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077041510 5 bytes JMP 0000000171b10370 .text C:\Windows\system32\svchost.exe[3256] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077041560 5 bytes JMP 0000000171b10470 .text C:\Windows\system32\svchost.exe[3256] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077041570 5 bytes JMP 0000000171b103e0 .text C:\Windows\system32\svchost.exe[3256] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077041620 5 bytes JMP 0000000171b10320 .text C:\Windows\system32\svchost.exe[3256] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077041650 5 bytes JMP 0000000171b103b0 .text C:\Windows\system32\svchost.exe[3256] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077041670 5 bytes JMP 0000000171b10390 .text C:\Windows\system32\svchost.exe[3256] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000770416b0 5 bytes JMP 0000000171b102e0 .text C:\Windows\system32\svchost.exe[3256] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077041730 5 bytes JMP 0000000171b102d0 .text C:\Windows\system32\svchost.exe[3256] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077041750 5 bytes JMP 0000000171b10310 .text C:\Windows\system32\svchost.exe[3256] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077041790 5 bytes JMP 0000000171b103c0 .text C:\Windows\system32\svchost.exe[3256] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000770417e0 5 bytes JMP 0000000171b103f0 .text C:\Windows\system32\svchost.exe[3256] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077041940 5 bytes JMP 0000000171b10230 .text C:\Windows\system32\svchost.exe[3256] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077041b00 5 bytes JMP 0000000171b10480 .text C:\Windows\system32\svchost.exe[3256] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077041b30 5 bytes JMP 0000000171b103a0 .text C:\Windows\system32\svchost.exe[3256] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077041c10 5 bytes JMP 0000000171b102f0 .text C:\Windows\system32\svchost.exe[3256] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077041c20 5 bytes JMP 0000000171b10350 .text C:\Windows\system32\svchost.exe[3256] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077041c80 5 bytes JMP 0000000171b10290 .text C:\Windows\system32\svchost.exe[3256] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077041d10 5 bytes JMP 0000000171b102b0 .text C:\Windows\system32\svchost.exe[3256] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077041d30 5 bytes JMP 0000000171b103d0 .text C:\Windows\system32\svchost.exe[3256] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077041d40 5 bytes JMP 0000000171b10330 .text C:\Windows\system32\svchost.exe[3256] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077041db0 5 bytes JMP 0000000171b10410 .text C:\Windows\system32\svchost.exe[3256] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077041de0 5 bytes JMP 0000000171b10240 .text C:\Windows\system32\svchost.exe[3256] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000770420a0 5 bytes JMP 0000000171b101e0 .text C:\Windows\system32\svchost.exe[3256] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077042160 5 bytes JMP 0000000171b10250 .text C:\Windows\system32\svchost.exe[3256] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077042190 5 bytes JMP 0000000171b10490 .text C:\Windows\system32\svchost.exe[3256] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000770421a0 5 bytes JMP 0000000171b104a0 .text C:\Windows\system32\svchost.exe[3256] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000770421d0 5 bytes JMP 0000000171b10300 .text C:\Windows\system32\svchost.exe[3256] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000770421e0 5 bytes JMP 0000000171b10360 .text C:\Windows\system32\svchost.exe[3256] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077042240 5 bytes JMP 0000000171b102a0 .text C:\Windows\system32\svchost.exe[3256] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077042290 5 bytes JMP 0000000171b102c0 .text C:\Windows\system32\svchost.exe[3256] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000770422c0 5 bytes JMP 0000000171b10380 .text C:\Windows\system32\svchost.exe[3256] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000770422d0 5 bytes JMP 0000000171b10340 .text C:\Windows\system32\svchost.exe[3256] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000770425c0 5 bytes JMP 0000000171b10440 .text C:\Windows\system32\svchost.exe[3256] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000770427c0 5 bytes JMP 0000000171b10260 .text C:\Windows\system32\svchost.exe[3256] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000770427d0 5 bytes JMP 0000000171b10270 .text C:\Windows\system32\svchost.exe[3256] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000770427e0 5 bytes JMP 0000000171b10400 .text C:\Windows\system32\svchost.exe[3256] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000770429a0 5 bytes JMP 0000000171b101f0 .text C:\Windows\system32\svchost.exe[3256] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000770429b0 5 bytes JMP 0000000171b10210 .text C:\Windows\system32\svchost.exe[3256] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077042a20 5 bytes JMP 0000000171b10200 .text C:\Windows\system32\svchost.exe[3256] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077042a80 5 bytes JMP 0000000171b10420 .text C:\Windows\system32\svchost.exe[3256] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077042a90 5 bytes JMP 0000000171b10430 .text C:\Windows\system32\svchost.exe[3256] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077042aa0 5 bytes JMP 0000000171b10220 .text C:\Windows\system32\svchost.exe[3256] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077042b80 5 bytes JMP 0000000171b10280 .text C:\Windows\system32\svchost.exe[4336] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077041360 5 bytes JMP 0000000171b10460 .text C:\Windows\system32\svchost.exe[4336] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000770413b0 5 bytes JMP 0000000171b10450 .text C:\Windows\system32\svchost.exe[4336] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077041510 5 bytes JMP 0000000171b10370 .text C:\Windows\system32\svchost.exe[4336] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077041560 5 bytes JMP 0000000171b10470 .text C:\Windows\system32\svchost.exe[4336] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077041570 5 bytes JMP 0000000171b103e0 .text C:\Windows\system32\svchost.exe[4336] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077041620 5 bytes JMP 0000000171b10320 .text C:\Windows\system32\svchost.exe[4336] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077041650 5 bytes JMP 0000000171b103b0 .text C:\Windows\system32\svchost.exe[4336] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077041670 5 bytes JMP 0000000171b10390 .text C:\Windows\system32\svchost.exe[4336] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000770416b0 5 bytes JMP 0000000171b102e0 .text C:\Windows\system32\svchost.exe[4336] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077041730 5 bytes JMP 0000000171b102d0 .text C:\Windows\system32\svchost.exe[4336] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077041750 5 bytes JMP 0000000171b10310 .text C:\Windows\system32\svchost.exe[4336] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077041790 5 bytes JMP 0000000171b103c0 .text C:\Windows\system32\svchost.exe[4336] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000770417e0 5 bytes JMP 0000000171b103f0 .text C:\Windows\system32\svchost.exe[4336] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077041940 5 bytes JMP 0000000171b10230 .text C:\Windows\system32\svchost.exe[4336] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077041b00 5 bytes JMP 0000000171b10480 .text C:\Windows\system32\svchost.exe[4336] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077041b30 5 bytes JMP 0000000171b103a0 .text C:\Windows\system32\svchost.exe[4336] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077041c10 5 bytes JMP 0000000171b102f0 .text C:\Windows\system32\svchost.exe[4336] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077041c20 5 bytes JMP 0000000171b10350 .text C:\Windows\system32\svchost.exe[4336] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077041c80 5 bytes JMP 0000000171b10290 .text C:\Windows\system32\svchost.exe[4336] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077041d10 5 bytes JMP 0000000171b102b0 .text C:\Windows\system32\svchost.exe[4336] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077041d30 5 bytes JMP 0000000171b103d0 .text C:\Windows\system32\svchost.exe[4336] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077041d40 5 bytes JMP 0000000171b10330 .text C:\Windows\system32\svchost.exe[4336] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077041db0 5 bytes JMP 0000000171b10410 .text C:\Windows\system32\svchost.exe[4336] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077041de0 5 bytes JMP 0000000171b10240 .text C:\Windows\system32\svchost.exe[4336] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000770420a0 5 bytes JMP 0000000171b101e0 .text C:\Windows\system32\svchost.exe[4336] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077042160 5 bytes JMP 0000000171b10250 .text C:\Windows\system32\svchost.exe[4336] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077042190 5 bytes JMP 0000000171b10490 .text C:\Windows\system32\svchost.exe[4336] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000770421a0 5 bytes JMP 0000000171b104a0 .text C:\Windows\system32\svchost.exe[4336] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000770421d0 5 bytes JMP 0000000171b10300 .text C:\Windows\system32\svchost.exe[4336] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000770421e0 5 bytes JMP 0000000171b10360 .text C:\Windows\system32\svchost.exe[4336] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077042240 5 bytes JMP 0000000171b102a0 .text C:\Windows\system32\svchost.exe[4336] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077042290 5 bytes JMP 0000000171b102c0 .text C:\Windows\system32\svchost.exe[4336] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000770422c0 5 bytes JMP 0000000171b10380 .text C:\Windows\system32\svchost.exe[4336] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000770422d0 5 bytes JMP 0000000171b10340 .text C:\Windows\system32\svchost.exe[4336] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000770425c0 5 bytes JMP 0000000171b10440 .text C:\Windows\system32\svchost.exe[4336] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000770427c0 5 bytes JMP 0000000171b10260 .text C:\Windows\system32\svchost.exe[4336] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000770427d0 5 bytes JMP 0000000171b10270 .text C:\Windows\system32\svchost.exe[4336] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000770427e0 5 bytes JMP 0000000171b10400 .text C:\Windows\system32\svchost.exe[4336] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000770429a0 5 bytes JMP 0000000171b101f0 .text C:\Windows\system32\svchost.exe[4336] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000770429b0 5 bytes JMP 0000000171b10210 .text C:\Windows\system32\svchost.exe[4336] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077042a20 5 bytes JMP 0000000171b10200 .text C:\Windows\system32\svchost.exe[4336] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077042a80 5 bytes JMP 0000000171b10420 .text C:\Windows\system32\svchost.exe[4336] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077042a90 5 bytes JMP 0000000171b10430 .text C:\Windows\system32\svchost.exe[4336] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077042aa0 5 bytes JMP 0000000171b10220 .text C:\Windows\system32\svchost.exe[4336] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077042b80 5 bytes JMP 0000000171b10280 .text C:\Windows\system32\svchost.exe[4364] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077041360 5 bytes JMP 0000000171b10460 .text C:\Windows\system32\svchost.exe[4364] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000770413b0 5 bytes JMP 0000000171b10450 .text C:\Windows\system32\svchost.exe[4364] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077041510 5 bytes JMP 0000000171b10370 .text C:\Windows\system32\svchost.exe[4364] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077041560 5 bytes JMP 0000000171b10470 .text C:\Windows\system32\svchost.exe[4364] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077041570 5 bytes JMP 0000000171b103e0 .text C:\Windows\system32\svchost.exe[4364] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077041620 5 bytes JMP 0000000171b10320 .text C:\Windows\system32\svchost.exe[4364] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077041650 5 bytes JMP 0000000171b103b0 .text C:\Windows\system32\svchost.exe[4364] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077041670 5 bytes JMP 0000000171b10390 .text C:\Windows\system32\svchost.exe[4364] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000770416b0 5 bytes JMP 0000000171b102e0 .text C:\Windows\system32\svchost.exe[4364] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077041730 5 bytes JMP 0000000171b102d0 .text C:\Windows\system32\svchost.exe[4364] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077041750 5 bytes JMP 0000000171b10310 .text C:\Windows\system32\svchost.exe[4364] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077041790 5 bytes JMP 0000000171b103c0 .text C:\Windows\system32\svchost.exe[4364] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000770417e0 5 bytes JMP 0000000171b103f0 .text C:\Windows\system32\svchost.exe[4364] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077041940 5 bytes JMP 0000000171b10230 .text C:\Windows\system32\svchost.exe[4364] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077041b00 5 bytes JMP 0000000171b10480 .text C:\Windows\system32\svchost.exe[4364] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077041b30 5 bytes JMP 0000000171b103a0 .text C:\Windows\system32\svchost.exe[4364] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077041c10 5 bytes JMP 0000000171b102f0 .text C:\Windows\system32\svchost.exe[4364] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077041c20 5 bytes JMP 0000000171b10350 .text C:\Windows\system32\svchost.exe[4364] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077041c80 5 bytes JMP 0000000171b10290 .text C:\Windows\system32\svchost.exe[4364] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077041d10 5 bytes JMP 0000000171b102b0 .text C:\Windows\system32\svchost.exe[4364] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077041d30 5 bytes JMP 0000000171b103d0 .text C:\Windows\system32\svchost.exe[4364] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077041d40 5 bytes JMP 0000000171b10330 .text C:\Windows\system32\svchost.exe[4364] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077041db0 5 bytes JMP 0000000171b10410 .text C:\Windows\system32\svchost.exe[4364] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077041de0 5 bytes JMP 0000000171b10240 .text C:\Windows\system32\svchost.exe[4364] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000770420a0 5 bytes JMP 0000000171b101e0 .text C:\Windows\system32\svchost.exe[4364] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077042160 5 bytes JMP 0000000171b10250 .text C:\Windows\system32\svchost.exe[4364] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077042190 5 bytes JMP 0000000171b10490 .text C:\Windows\system32\svchost.exe[4364] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000770421a0 5 bytes JMP 0000000171b104a0 .text C:\Windows\system32\svchost.exe[4364] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000770421d0 5 bytes JMP 0000000171b10300 .text C:\Windows\system32\svchost.exe[4364] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000770421e0 5 bytes JMP 0000000171b10360 .text C:\Windows\system32\svchost.exe[4364] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077042240 5 bytes JMP 0000000171b102a0 .text C:\Windows\system32\svchost.exe[4364] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077042290 5 bytes JMP 0000000171b102c0 .text C:\Windows\system32\svchost.exe[4364] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000770422c0 5 bytes JMP 0000000171b10380 .text C:\Windows\system32\svchost.exe[4364] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000770422d0 5 bytes JMP 0000000171b10340 .text C:\Windows\system32\svchost.exe[4364] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000770425c0 5 bytes JMP 0000000171b10440 .text C:\Windows\system32\svchost.exe[4364] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000770427c0 5 bytes JMP 0000000171b10260 .text C:\Windows\system32\svchost.exe[4364] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000770427d0 5 bytes JMP 0000000171b10270 .text C:\Windows\system32\svchost.exe[4364] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000770427e0 5 bytes JMP 0000000171b10400 .text C:\Windows\system32\svchost.exe[4364] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000770429a0 5 bytes JMP 0000000171b101f0 .text C:\Windows\system32\svchost.exe[4364] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000770429b0 5 bytes JMP 0000000171b10210 .text C:\Windows\system32\svchost.exe[4364] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077042a20 5 bytes JMP 0000000171b10200 .text C:\Windows\system32\svchost.exe[4364] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077042a80 5 bytes JMP 0000000171b10420 .text C:\Windows\system32\svchost.exe[4364] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077042a90 5 bytes JMP 0000000171b10430 .text C:\Windows\system32\svchost.exe[4364] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077042aa0 5 bytes JMP 0000000171b10220 .text C:\Windows\system32\svchost.exe[4364] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077042b80 5 bytes JMP 0000000171b10280 .text C:\Program Files (x86)\iSafe\ipcdl.exe[4788] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000075eba2fd 1 byte [62] .text C:\Program Files\IDT\WDM\sttray64.exe[4996] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076f2ef8d 1 byte [62] .text C:\Windows\System32\igfxtray.exe[5004] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077041360 5 bytes JMP 00000000771a0460 .text C:\Windows\System32\igfxtray.exe[5004] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000770413b0 5 bytes JMP 00000000771a0450 .text C:\Windows\System32\igfxtray.exe[5004] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077041510 5 bytes JMP 00000000771a0370 .text C:\Windows\System32\igfxtray.exe[5004] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077041560 5 bytes JMP 00000000771a0470 .text C:\Windows\System32\igfxtray.exe[5004] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077041570 5 bytes JMP 00000000771a03e0 .text C:\Windows\System32\igfxtray.exe[5004] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077041620 5 bytes JMP 00000000771a0320 .text C:\Windows\System32\igfxtray.exe[5004] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077041650 5 bytes JMP 00000000771a03b0 .text C:\Windows\System32\igfxtray.exe[5004] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077041670 5 bytes JMP 00000000771a0390 .text C:\Windows\System32\igfxtray.exe[5004] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000770416b0 5 bytes JMP 00000000771a02e0 .text C:\Windows\System32\igfxtray.exe[5004] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077041730 5 bytes JMP 00000000771a02d0 .text C:\Windows\System32\igfxtray.exe[5004] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077041750 5 bytes JMP 00000000771a0310 .text C:\Windows\System32\igfxtray.exe[5004] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077041790 5 bytes JMP 00000000771a03c0 .text C:\Windows\System32\igfxtray.exe[5004] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000770417e0 5 bytes JMP 00000000771a03f0 .text C:\Windows\System32\igfxtray.exe[5004] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077041940 5 bytes JMP 00000000771a0230 .text C:\Windows\System32\igfxtray.exe[5004] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077041b00 5 bytes JMP 00000000771a0480 .text C:\Windows\System32\igfxtray.exe[5004] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077041b30 5 bytes JMP 00000000771a03a0 .text C:\Windows\System32\igfxtray.exe[5004] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077041c10 5 bytes JMP 00000000771a02f0 .text C:\Windows\System32\igfxtray.exe[5004] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077041c20 5 bytes JMP 00000000771a0350 .text C:\Windows\System32\igfxtray.exe[5004] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077041c80 5 bytes JMP 00000000771a0290 .text C:\Windows\System32\igfxtray.exe[5004] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077041d10 5 bytes JMP 00000000771a02b0 .text C:\Windows\System32\igfxtray.exe[5004] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077041d30 5 bytes JMP 00000000771a03d0 .text C:\Windows\System32\igfxtray.exe[5004] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077041d40 5 bytes JMP 00000000771a0330 .text C:\Windows\System32\igfxtray.exe[5004] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077041db0 5 bytes JMP 00000000771a0410 .text C:\Windows\System32\igfxtray.exe[5004] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077041de0 5 bytes JMP 00000000771a0240 .text C:\Windows\System32\igfxtray.exe[5004] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000770420a0 5 bytes JMP 00000000771a01e0 .text C:\Windows\System32\igfxtray.exe[5004] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077042160 5 bytes JMP 00000000771a0250 .text C:\Windows\System32\igfxtray.exe[5004] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077042190 5 bytes JMP 00000000771a0490 .text C:\Windows\System32\igfxtray.exe[5004] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000770421a0 5 bytes JMP 00000000771a04a0 .text C:\Windows\System32\igfxtray.exe[5004] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000770421d0 5 bytes JMP 00000000771a0300 .text C:\Windows\System32\igfxtray.exe[5004] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000770421e0 5 bytes JMP 00000000771a0360 .text C:\Windows\System32\igfxtray.exe[5004] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077042240 5 bytes JMP 00000000771a02a0 .text C:\Windows\System32\igfxtray.exe[5004] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077042290 5 bytes JMP 00000000771a02c0 .text C:\Windows\System32\igfxtray.exe[5004] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000770422c0 5 bytes JMP 00000000771a0380 .text C:\Windows\System32\igfxtray.exe[5004] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000770422d0 5 bytes JMP 00000000771a0340 .text C:\Windows\System32\igfxtray.exe[5004] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000770425c0 5 bytes JMP 00000000771a0440 .text C:\Windows\System32\igfxtray.exe[5004] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000770427c0 5 bytes JMP 00000000771a0260 .text C:\Windows\System32\igfxtray.exe[5004] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000770427d0 5 bytes JMP 00000000771a0270 .text C:\Windows\System32\igfxtray.exe[5004] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000770427e0 5 bytes JMP 00000000771a0400 .text C:\Windows\System32\igfxtray.exe[5004] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000770429a0 5 bytes JMP 00000000771a01f0 .text C:\Windows\System32\igfxtray.exe[5004] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000770429b0 5 bytes JMP 00000000771a0210 .text C:\Windows\System32\igfxtray.exe[5004] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077042a20 5 bytes JMP 00000000771a0200 .text C:\Windows\System32\igfxtray.exe[5004] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077042a80 5 bytes JMP 00000000771a0420 .text C:\Windows\System32\igfxtray.exe[5004] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077042a90 5 bytes JMP 00000000771a0430 .text C:\Windows\System32\igfxtray.exe[5004] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077042aa0 5 bytes JMP 00000000771a0220 .text C:\Windows\System32\igfxtray.exe[5004] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077042b80 5 bytes JMP 00000000771a0280 .text C:\Windows\System32\hkcmd.exe[5012] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077041360 5 bytes JMP 00000000771a0460 .text C:\Windows\System32\hkcmd.exe[5012] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000770413b0 5 bytes JMP 00000000771a0450 .text C:\Windows\System32\hkcmd.exe[5012] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077041510 5 bytes JMP 00000000771a0370 .text C:\Windows\System32\hkcmd.exe[5012] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077041560 5 bytes JMP 00000000771a0470 .text C:\Windows\System32\hkcmd.exe[5012] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077041570 5 bytes JMP 00000000771a03e0 .text C:\Windows\System32\hkcmd.exe[5012] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077041620 5 bytes JMP 00000000771a0320 .text C:\Windows\System32\hkcmd.exe[5012] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077041650 5 bytes JMP 00000000771a03b0 .text C:\Windows\System32\hkcmd.exe[5012] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077041670 5 bytes JMP 00000000771a0390 .text C:\Windows\System32\hkcmd.exe[5012] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000770416b0 5 bytes JMP 00000000771a02e0 .text C:\Windows\System32\hkcmd.exe[5012] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077041730 5 bytes JMP 00000000771a02d0 .text C:\Windows\System32\hkcmd.exe[5012] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077041750 5 bytes JMP 00000000771a0310 .text C:\Windows\System32\hkcmd.exe[5012] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077041790 5 bytes JMP 00000000771a03c0 .text C:\Windows\System32\hkcmd.exe[5012] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000770417e0 5 bytes JMP 00000000771a03f0 .text C:\Windows\System32\hkcmd.exe[5012] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077041940 5 bytes JMP 00000000771a0230 .text C:\Windows\System32\hkcmd.exe[5012] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077041b00 5 bytes JMP 00000000771a0480 .text C:\Windows\System32\hkcmd.exe[5012] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077041b30 5 bytes JMP 00000000771a03a0 .text C:\Windows\System32\hkcmd.exe[5012] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077041c10 5 bytes JMP 00000000771a02f0 .text C:\Windows\System32\hkcmd.exe[5012] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077041c20 5 bytes JMP 00000000771a0350 .text C:\Windows\System32\hkcmd.exe[5012] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077041c80 5 bytes JMP 00000000771a0290 .text C:\Windows\System32\hkcmd.exe[5012] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077041d10 5 bytes JMP 00000000771a02b0 .text C:\Windows\System32\hkcmd.exe[5012] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077041d30 5 bytes JMP 00000000771a03d0 .text C:\Windows\System32\hkcmd.exe[5012] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077041d40 5 bytes JMP 00000000771a0330 .text C:\Windows\System32\hkcmd.exe[5012] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077041db0 5 bytes JMP 00000000771a0410 .text C:\Windows\System32\hkcmd.exe[5012] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077041de0 5 bytes JMP 00000000771a0240 .text C:\Windows\System32\hkcmd.exe[5012] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000770420a0 5 bytes JMP 00000000771a01e0 .text C:\Windows\System32\hkcmd.exe[5012] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077042160 5 bytes JMP 00000000771a0250 .text C:\Windows\System32\hkcmd.exe[5012] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077042190 5 bytes JMP 00000000771a0490 .text C:\Windows\System32\hkcmd.exe[5012] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000770421a0 5 bytes JMP 00000000771a04a0 .text C:\Windows\System32\hkcmd.exe[5012] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000770421d0 5 bytes JMP 00000000771a0300 .text C:\Windows\System32\hkcmd.exe[5012] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000770421e0 5 bytes JMP 00000000771a0360 .text C:\Windows\System32\hkcmd.exe[5012] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077042240 5 bytes JMP 00000000771a02a0 .text C:\Windows\System32\hkcmd.exe[5012] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077042290 5 bytes JMP 00000000771a02c0 .text C:\Windows\System32\hkcmd.exe[5012] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000770422c0 5 bytes JMP 00000000771a0380 .text C:\Windows\System32\hkcmd.exe[5012] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000770422d0 5 bytes JMP 00000000771a0340 .text C:\Windows\System32\hkcmd.exe[5012] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000770425c0 5 bytes JMP 00000000771a0440 .text C:\Windows\System32\hkcmd.exe[5012] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000770427c0 5 bytes JMP 00000000771a0260 .text C:\Windows\System32\hkcmd.exe[5012] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000770427d0 5 bytes JMP 00000000771a0270 .text C:\Windows\System32\hkcmd.exe[5012] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000770427e0 5 bytes JMP 00000000771a0400 .text C:\Windows\System32\hkcmd.exe[5012] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000770429a0 5 bytes JMP 00000000771a01f0 .text C:\Windows\System32\hkcmd.exe[5012] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000770429b0 5 bytes JMP 00000000771a0210 .text C:\Windows\System32\hkcmd.exe[5012] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077042a20 5 bytes JMP 00000000771a0200 .text C:\Windows\System32\hkcmd.exe[5012] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077042a80 5 bytes JMP 00000000771a0420 .text C:\Windows\System32\hkcmd.exe[5012] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077042a90 5 bytes JMP 00000000771a0430 .text C:\Windows\System32\hkcmd.exe[5012] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077042aa0 5 bytes JMP 00000000771a0220 .text C:\Windows\System32\hkcmd.exe[5012] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077042b80 5 bytes JMP 00000000771a0280 .text C:\Windows\System32\igfxpers.exe[5036] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077041360 5 bytes JMP 00000000771a0460 .text C:\Windows\System32\igfxpers.exe[5036] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000770413b0 5 bytes JMP 00000000771a0450 .text C:\Windows\System32\igfxpers.exe[5036] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077041510 5 bytes JMP 00000000771a0370 .text C:\Windows\System32\igfxpers.exe[5036] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077041560 5 bytes JMP 00000000771a0470 .text C:\Windows\System32\igfxpers.exe[5036] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077041570 5 bytes JMP 00000000771a03e0 .text C:\Windows\System32\igfxpers.exe[5036] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077041620 5 bytes JMP 00000000771a0320 .text C:\Windows\System32\igfxpers.exe[5036] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077041650 5 bytes JMP 00000000771a03b0 .text C:\Windows\System32\igfxpers.exe[5036] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077041670 5 bytes JMP 00000000771a0390 .text C:\Windows\System32\igfxpers.exe[5036] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000770416b0 5 bytes JMP 00000000771a02e0 .text C:\Windows\System32\igfxpers.exe[5036] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077041730 5 bytes JMP 00000000771a02d0 .text C:\Windows\System32\igfxpers.exe[5036] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077041750 5 bytes JMP 00000000771a0310 .text C:\Windows\System32\igfxpers.exe[5036] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077041790 5 bytes JMP 00000000771a03c0 .text C:\Windows\System32\igfxpers.exe[5036] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000770417e0 5 bytes JMP 00000000771a03f0 .text C:\Windows\System32\igfxpers.exe[5036] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077041940 5 bytes JMP 00000000771a0230 .text C:\Windows\System32\igfxpers.exe[5036] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077041b00 5 bytes JMP 00000000771a0480 .text C:\Windows\System32\igfxpers.exe[5036] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077041b30 5 bytes JMP 00000000771a03a0 .text C:\Windows\System32\igfxpers.exe[5036] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077041c10 5 bytes JMP 00000000771a02f0 .text C:\Windows\System32\igfxpers.exe[5036] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077041c20 5 bytes JMP 00000000771a0350 .text C:\Windows\System32\igfxpers.exe[5036] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077041c80 5 bytes JMP 00000000771a0290 .text C:\Windows\System32\igfxpers.exe[5036] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077041d10 5 bytes JMP 00000000771a02b0 .text C:\Windows\System32\igfxpers.exe[5036] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077041d30 5 bytes JMP 00000000771a03d0 .text C:\Windows\System32\igfxpers.exe[5036] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077041d40 5 bytes JMP 00000000771a0330 .text C:\Windows\System32\igfxpers.exe[5036] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077041db0 5 bytes JMP 00000000771a0410 .text C:\Windows\System32\igfxpers.exe[5036] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077041de0 5 bytes JMP 00000000771a0240 .text C:\Windows\System32\igfxpers.exe[5036] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000770420a0 5 bytes JMP 00000000771a01e0 .text C:\Windows\System32\igfxpers.exe[5036] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077042160 5 bytes JMP 00000000771a0250 .text C:\Windows\System32\igfxpers.exe[5036] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077042190 5 bytes JMP 00000000771a0490 .text C:\Windows\System32\igfxpers.exe[5036] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000770421a0 5 bytes JMP 00000000771a04a0 .text C:\Windows\System32\igfxpers.exe[5036] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000770421d0 5 bytes JMP 00000000771a0300 .text C:\Windows\System32\igfxpers.exe[5036] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000770421e0 5 bytes JMP 00000000771a0360 .text C:\Windows\System32\igfxpers.exe[5036] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077042240 5 bytes JMP 00000000771a02a0 .text C:\Windows\System32\igfxpers.exe[5036] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077042290 5 bytes JMP 00000000771a02c0 .text C:\Windows\System32\igfxpers.exe[5036] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000770422c0 5 bytes JMP 00000000771a0380 .text C:\Windows\System32\igfxpers.exe[5036] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000770422d0 5 bytes JMP 00000000771a0340 .text C:\Windows\System32\igfxpers.exe[5036] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000770425c0 5 bytes JMP 00000000771a0440 .text C:\Windows\System32\igfxpers.exe[5036] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000770427c0 5 bytes JMP 00000000771a0260 .text C:\Windows\System32\igfxpers.exe[5036] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000770427d0 5 bytes JMP 00000000771a0270 .text C:\Windows\System32\igfxpers.exe[5036] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000770427e0 5 bytes JMP 00000000771a0400 .text C:\Windows\System32\igfxpers.exe[5036] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000770429a0 5 bytes JMP 00000000771a01f0 .text C:\Windows\System32\igfxpers.exe[5036] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000770429b0 5 bytes JMP 00000000771a0210 .text C:\Windows\System32\igfxpers.exe[5036] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077042a20 5 bytes JMP 00000000771a0200 .text C:\Windows\System32\igfxpers.exe[5036] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077042a80 5 bytes JMP 00000000771a0420 .text C:\Windows\System32\igfxpers.exe[5036] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077042a90 5 bytes JMP 00000000771a0430 .text C:\Windows\System32\igfxpers.exe[5036] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077042aa0 5 bytes JMP 00000000771a0220 .text C:\Windows\System32\igfxpers.exe[5036] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077042b80 5 bytes JMP 00000000771a0280 .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[256] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077041360 5 bytes JMP 00000000771a0460 .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[256] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000770413b0 5 bytes JMP 00000000771a0450 .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[256] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077041510 5 bytes JMP 00000000771a0370 .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[256] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077041560 5 bytes JMP 00000000771a0470 .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[256] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077041570 5 bytes JMP 00000000771a03e0 .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[256] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077041620 5 bytes JMP 00000000771a0320 .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[256] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077041650 5 bytes JMP 00000000771a03b0 .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[256] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077041670 5 bytes JMP 00000000771a0390 .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[256] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000770416b0 5 bytes JMP 00000000771a02e0 .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[256] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077041730 5 bytes JMP 00000000771a02d0 .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[256] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077041750 5 bytes JMP 00000000771a0310 .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[256] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077041790 5 bytes JMP 00000000771a03c0 .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[256] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000770417e0 5 bytes JMP 00000000771a03f0 .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[256] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077041940 5 bytes JMP 00000000771a0230 .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[256] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077041b00 5 bytes JMP 00000000771a0480 .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[256] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077041b30 5 bytes JMP 00000000771a03a0 .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[256] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077041c10 5 bytes JMP 00000000771a02f0 .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[256] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077041c20 5 bytes JMP 00000000771a0350 .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[256] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077041c80 5 bytes JMP 00000000771a0290 .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[256] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077041d10 5 bytes JMP 00000000771a02b0 .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[256] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077041d30 5 bytes JMP 00000000771a03d0 .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[256] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077041d40 5 bytes JMP 00000000771a0330 .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[256] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077041db0 5 bytes JMP 00000000771a0410 .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[256] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077041de0 5 bytes JMP 00000000771a0240 .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[256] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000770420a0 5 bytes JMP 00000000771a01e0 .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[256] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077042160 5 bytes JMP 00000000771a0250 .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[256] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077042190 5 bytes JMP 00000000771a0490 .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[256] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000770421a0 5 bytes JMP 00000000771a04a0 .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[256] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000770421d0 5 bytes JMP 00000000771a0300 .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[256] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000770421e0 5 bytes JMP 00000000771a0360 .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[256] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077042240 5 bytes JMP 00000000771a02a0 .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[256] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077042290 5 bytes JMP 00000000771a02c0 .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[256] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000770422c0 5 bytes JMP 00000000771a0380 .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[256] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000770422d0 5 bytes JMP 00000000771a0340 .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[256] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000770425c0 5 bytes JMP 00000000771a0440 .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[256] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000770427c0 5 bytes JMP 00000000771a0260 .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[256] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000770427d0 5 bytes JMP 00000000771a0270 .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[256] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000770427e0 5 bytes JMP 00000000771a0400 .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[256] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000770429a0 5 bytes JMP 00000000771a01f0 .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[256] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000770429b0 5 bytes JMP 00000000771a0210 .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[256] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077042a20 5 bytes JMP 00000000771a0200 .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[256] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077042a80 5 bytes JMP 00000000771a0420 .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[256] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077042a90 5 bytes JMP 00000000771a0430 .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[256] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077042aa0 5 bytes JMP 00000000771a0220 .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[256] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077042b80 5 bytes JMP 00000000771a0280 .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[256] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076f2ef8d 1 byte [62] .text C:\Program Files (x86)\Bluetooth Suite\AthBtTray.exe[1636] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077041360 5 bytes JMP 00000000771a0460 .text C:\Program Files (x86)\Bluetooth Suite\AthBtTray.exe[1636] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000770413b0 5 bytes JMP 00000000771a0450 .text C:\Program Files (x86)\Bluetooth Suite\AthBtTray.exe[1636] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077041510 5 bytes JMP 00000000771a0370 .text C:\Program Files (x86)\Bluetooth Suite\AthBtTray.exe[1636] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077041560 5 bytes JMP 00000000771a0470 .text C:\Program Files (x86)\Bluetooth Suite\AthBtTray.exe[1636] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077041570 5 bytes JMP 00000000771a03e0 .text C:\Program Files (x86)\Bluetooth Suite\AthBtTray.exe[1636] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077041620 5 bytes JMP 00000000771a0320 .text C:\Program Files (x86)\Bluetooth Suite\AthBtTray.exe[1636] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077041650 5 bytes JMP 00000000771a03b0 .text C:\Program Files (x86)\Bluetooth Suite\AthBtTray.exe[1636] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077041670 5 bytes JMP 00000000771a0390 .text C:\Program Files (x86)\Bluetooth Suite\AthBtTray.exe[1636] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000770416b0 5 bytes JMP 00000000771a02e0 .text C:\Program Files (x86)\Bluetooth Suite\AthBtTray.exe[1636] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077041730 5 bytes JMP 00000000771a02d0 .text C:\Program Files (x86)\Bluetooth Suite\AthBtTray.exe[1636] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077041750 5 bytes JMP 00000000771a0310 .text C:\Program Files (x86)\Bluetooth Suite\AthBtTray.exe[1636] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077041790 5 bytes JMP 00000000771a03c0 .text C:\Program Files (x86)\Bluetooth Suite\AthBtTray.exe[1636] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000770417e0 5 bytes JMP 00000000771a03f0 .text C:\Program Files (x86)\Bluetooth Suite\AthBtTray.exe[1636] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077041940 5 bytes JMP 00000000771a0230 .text C:\Program Files (x86)\Bluetooth Suite\AthBtTray.exe[1636] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077041b00 5 bytes JMP 00000000771a0480 .text C:\Program Files (x86)\Bluetooth Suite\AthBtTray.exe[1636] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077041b30 5 bytes JMP 00000000771a03a0 .text C:\Program Files (x86)\Bluetooth Suite\AthBtTray.exe[1636] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077041c10 5 bytes JMP 00000000771a02f0 .text C:\Program Files (x86)\Bluetooth Suite\AthBtTray.exe[1636] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077041c20 5 bytes JMP 00000000771a0350 .text C:\Program Files (x86)\Bluetooth Suite\AthBtTray.exe[1636] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077041c80 5 bytes JMP 00000000771a0290 .text C:\Program Files (x86)\Bluetooth Suite\AthBtTray.exe[1636] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077041d10 5 bytes JMP 00000000771a02b0 .text C:\Program Files (x86)\Bluetooth Suite\AthBtTray.exe[1636] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077041d30 5 bytes JMP 00000000771a03d0 .text C:\Program Files (x86)\Bluetooth Suite\AthBtTray.exe[1636] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077041d40 5 bytes JMP 00000000771a0330 .text C:\Program Files (x86)\Bluetooth Suite\AthBtTray.exe[1636] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077041db0 5 bytes JMP 00000000771a0410 .text C:\Program Files (x86)\Bluetooth Suite\AthBtTray.exe[1636] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077041de0 5 bytes JMP 00000000771a0240 .text C:\Program Files (x86)\Bluetooth Suite\AthBtTray.exe[1636] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000770420a0 5 bytes JMP 00000000771a01e0 .text C:\Program Files (x86)\Bluetooth Suite\AthBtTray.exe[1636] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077042160 5 bytes JMP 00000000771a0250 .text C:\Program Files (x86)\Bluetooth Suite\AthBtTray.exe[1636] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077042190 5 bytes JMP 00000000771a0490 .text C:\Program Files (x86)\Bluetooth Suite\AthBtTray.exe[1636] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000770421a0 5 bytes JMP 00000000771a04a0 .text C:\Program Files (x86)\Bluetooth Suite\AthBtTray.exe[1636] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000770421d0 5 bytes JMP 00000000771a0300 .text C:\Program Files (x86)\Bluetooth Suite\AthBtTray.exe[1636] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000770421e0 5 bytes JMP 00000000771a0360 .text C:\Program Files (x86)\Bluetooth Suite\AthBtTray.exe[1636] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077042240 5 bytes JMP 00000000771a02a0 .text C:\Program Files (x86)\Bluetooth Suite\AthBtTray.exe[1636] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077042290 5 bytes JMP 00000000771a02c0 .text C:\Program Files (x86)\Bluetooth Suite\AthBtTray.exe[1636] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000770422c0 5 bytes JMP 00000000771a0380 .text C:\Program Files (x86)\Bluetooth Suite\AthBtTray.exe[1636] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000770422d0 5 bytes JMP 00000000771a0340 .text C:\Program Files (x86)\Bluetooth Suite\AthBtTray.exe[1636] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000770425c0 5 bytes JMP 00000000771a0440 .text C:\Program Files (x86)\Bluetooth Suite\AthBtTray.exe[1636] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000770427c0 5 bytes JMP 00000000771a0260 .text C:\Program Files (x86)\Bluetooth Suite\AthBtTray.exe[1636] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000770427d0 5 bytes JMP 00000000771a0270 .text C:\Program Files (x86)\Bluetooth Suite\AthBtTray.exe[1636] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000770427e0 5 bytes JMP 00000000771a0400 .text C:\Program Files (x86)\Bluetooth Suite\AthBtTray.exe[1636] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000770429a0 5 bytes JMP 00000000771a01f0 .text C:\Program Files (x86)\Bluetooth Suite\AthBtTray.exe[1636] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000770429b0 5 bytes JMP 00000000771a0210 .text C:\Program Files (x86)\Bluetooth Suite\AthBtTray.exe[1636] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077042a20 5 bytes JMP 00000000771a0200 .text C:\Program Files (x86)\Bluetooth Suite\AthBtTray.exe[1636] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077042a80 5 bytes JMP 00000000771a0420 .text C:\Program Files (x86)\Bluetooth Suite\AthBtTray.exe[1636] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077042a90 5 bytes JMP 00000000771a0430 .text C:\Program Files (x86)\Bluetooth Suite\AthBtTray.exe[1636] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077042aa0 5 bytes JMP 00000000771a0220 .text C:\Program Files (x86)\Bluetooth Suite\AthBtTray.exe[1636] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077042b80 5 bytes JMP 00000000771a0280 .text C:\Program Files (x86)\Bluetooth Suite\AthBtTray.exe[1636] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076f2ef8d 1 byte [62] .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4580] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077041360 5 bytes JMP 00000000771a0460 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4580] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000770413b0 5 bytes JMP 00000000771a0450 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4580] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077041510 5 bytes JMP 00000000771a0370 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4580] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077041560 5 bytes JMP 00000000771a0470 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4580] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077041570 5 bytes JMP 00000000771a03e0 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4580] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077041620 5 bytes JMP 00000000771a0320 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4580] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077041650 5 bytes JMP 00000000771a03b0 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4580] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077041670 5 bytes JMP 00000000771a0390 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4580] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000770416b0 5 bytes JMP 00000000771a02e0 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4580] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077041730 5 bytes JMP 00000000771a02d0 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4580] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077041750 5 bytes JMP 00000000771a0310 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4580] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077041790 5 bytes JMP 00000000771a03c0 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4580] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000770417e0 5 bytes JMP 00000000771a03f0 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4580] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077041940 5 bytes JMP 00000000771a0230 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4580] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077041b00 5 bytes JMP 00000000771a0480 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4580] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077041b30 5 bytes JMP 00000000771a03a0 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4580] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077041c10 5 bytes JMP 00000000771a02f0 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4580] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077041c20 5 bytes JMP 00000000771a0350 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4580] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077041c80 5 bytes JMP 00000000771a0290 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4580] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077041d10 5 bytes JMP 00000000771a02b0 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4580] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077041d30 5 bytes JMP 00000000771a03d0 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4580] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077041d40 5 bytes JMP 00000000771a0330 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4580] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077041db0 5 bytes JMP 00000000771a0410 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4580] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077041de0 5 bytes JMP 00000000771a0240 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4580] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000770420a0 5 bytes JMP 00000000771a01e0 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4580] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077042160 5 bytes JMP 00000000771a0250 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4580] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077042190 5 bytes JMP 00000000771a0490 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4580] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000770421a0 5 bytes JMP 00000000771a04a0 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4580] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000770421d0 5 bytes JMP 00000000771a0300 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4580] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000770421e0 5 bytes JMP 00000000771a0360 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4580] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077042240 5 bytes JMP 00000000771a02a0 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4580] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077042290 5 bytes JMP 00000000771a02c0 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4580] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000770422c0 5 bytes JMP 00000000771a0380 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4580] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000770422d0 5 bytes JMP 00000000771a0340 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4580] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000770425c0 5 bytes JMP 00000000771a0440 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4580] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000770427c0 5 bytes JMP 00000000771a0260 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4580] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000770427d0 5 bytes JMP 00000000771a0270 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4580] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000770427e0 5 bytes JMP 00000000771a0400 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4580] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000770429a0 5 bytes JMP 00000000771a01f0 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4580] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000770429b0 5 bytes JMP 00000000771a0210 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4580] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077042a20 5 bytes JMP 00000000771a0200 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4580] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077042a80 5 bytes JMP 00000000771a0420 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4580] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077042a90 5 bytes JMP 00000000771a0430 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4580] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077042aa0 5 bytes JMP 00000000771a0220 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4580] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077042b80 5 bytes JMP 00000000771a0280 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4580] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076f2ef8d 1 byte [62] .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[4748] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000075eba2fd 1 byte [62] .text C:\Windows\system32\SearchIndexer.exe[3436] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077041360 5 bytes JMP 00000000771a0460 .text C:\Windows\system32\SearchIndexer.exe[3436] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000770413b0 5 bytes JMP 00000000771a0450 .text C:\Windows\system32\SearchIndexer.exe[3436] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077041510 5 bytes JMP 00000000771a0370 .text C:\Windows\system32\SearchIndexer.exe[3436] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077041560 5 bytes JMP 00000000771a0470 .text C:\Windows\system32\SearchIndexer.exe[3436] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077041570 5 bytes JMP 00000000771a03e0 .text C:\Windows\system32\SearchIndexer.exe[3436] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077041620 5 bytes JMP 00000000771a0320 .text C:\Windows\system32\SearchIndexer.exe[3436] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077041650 5 bytes JMP 00000000771a03b0 .text C:\Windows\system32\SearchIndexer.exe[3436] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077041670 5 bytes JMP 00000000771a0390 .text C:\Windows\system32\SearchIndexer.exe[3436] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000770416b0 5 bytes JMP 00000000771a02e0 .text C:\Windows\system32\SearchIndexer.exe[3436] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077041730 5 bytes JMP 00000000771a02d0 .text C:\Windows\system32\SearchIndexer.exe[3436] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077041750 5 bytes JMP 00000000771a0310 .text C:\Windows\system32\SearchIndexer.exe[3436] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077041790 5 bytes JMP 00000000771a03c0 .text C:\Windows\system32\SearchIndexer.exe[3436] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000770417e0 5 bytes JMP 00000000771a03f0 .text C:\Windows\system32\SearchIndexer.exe[3436] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077041940 5 bytes JMP 00000000771a0230 .text C:\Windows\system32\SearchIndexer.exe[3436] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077041b00 5 bytes JMP 00000000771a0480 .text C:\Windows\system32\SearchIndexer.exe[3436] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077041b30 5 bytes JMP 00000000771a03a0 .text C:\Windows\system32\SearchIndexer.exe[3436] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077041c10 5 bytes JMP 00000000771a02f0 .text C:\Windows\system32\SearchIndexer.exe[3436] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077041c20 5 bytes JMP 00000000771a0350 .text C:\Windows\system32\SearchIndexer.exe[3436] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077041c80 5 bytes JMP 00000000771a0290 .text C:\Windows\system32\SearchIndexer.exe[3436] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077041d10 5 bytes JMP 00000000771a02b0 .text C:\Windows\system32\SearchIndexer.exe[3436] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077041d30 5 bytes JMP 00000000771a03d0 .text C:\Windows\system32\SearchIndexer.exe[3436] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077041d40 5 bytes JMP 00000000771a0330 .text C:\Windows\system32\SearchIndexer.exe[3436] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077041db0 5 bytes JMP 00000000771a0410 .text C:\Windows\system32\SearchIndexer.exe[3436] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077041de0 5 bytes JMP 00000000771a0240 .text C:\Windows\system32\SearchIndexer.exe[3436] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000770420a0 5 bytes JMP 00000000771a01e0 .text C:\Windows\system32\SearchIndexer.exe[3436] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077042160 5 bytes JMP 00000000771a0250 .text C:\Windows\system32\SearchIndexer.exe[3436] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077042190 5 bytes JMP 00000000771a0490 .text C:\Windows\system32\SearchIndexer.exe[3436] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000770421a0 5 bytes JMP 00000000771a04a0 .text C:\Windows\system32\SearchIndexer.exe[3436] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000770421d0 5 bytes JMP 00000000771a0300 .text C:\Windows\system32\SearchIndexer.exe[3436] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000770421e0 5 bytes JMP 00000000771a0360 .text C:\Windows\system32\SearchIndexer.exe[3436] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077042240 5 bytes JMP 00000000771a02a0 .text C:\Windows\system32\SearchIndexer.exe[3436] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077042290 5 bytes JMP 00000000771a02c0 .text C:\Windows\system32\SearchIndexer.exe[3436] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000770422c0 5 bytes JMP 00000000771a0380 .text C:\Windows\system32\SearchIndexer.exe[3436] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000770422d0 5 bytes JMP 00000000771a0340 .text C:\Windows\system32\SearchIndexer.exe[3436] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000770425c0 5 bytes JMP 00000000771a0440 .text C:\Windows\system32\SearchIndexer.exe[3436] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000770427c0 5 bytes JMP 00000000771a0260 .text C:\Windows\system32\SearchIndexer.exe[3436] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000770427d0 5 bytes JMP 00000000771a0270 .text C:\Windows\system32\SearchIndexer.exe[3436] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000770427e0 5 bytes JMP 00000000771a0400 .text C:\Windows\system32\SearchIndexer.exe[3436] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000770429a0 5 bytes JMP 00000000771a01f0 .text C:\Windows\system32\SearchIndexer.exe[3436] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000770429b0 5 bytes JMP 00000000771a0210 .text C:\Windows\system32\SearchIndexer.exe[3436] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077042a20 5 bytes JMP 00000000771a0200 .text C:\Windows\system32\SearchIndexer.exe[3436] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077042a80 5 bytes JMP 00000000771a0420 .text C:\Windows\system32\SearchIndexer.exe[3436] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077042a90 5 bytes JMP 00000000771a0430 .text C:\Windows\system32\SearchIndexer.exe[3436] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077042aa0 5 bytes JMP 00000000771a0220 .text C:\Windows\system32\SearchIndexer.exe[3436] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077042b80 5 bytes JMP 00000000771a0280 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[2764] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 0000000075eba2fd 1 byte [62] .text C:\Program Files (x86)\AutoInstall\ZD1211B_Auto_Install_CD_Only_Gen_0ACE20FF\AutoEJCD.EXE[2832] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000075eba2fd 1 byte [62] .text C:\Program Files (x86)\Brother\Brmfcmon\BrMfcWnd.exe[4728] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000075eba2fd 1 byte [62] .text C:\Program Files (x86)\Adobe\Adobe Creative Cloud\ACC\Creative Cloud.exe[4892] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000075eba2fd 1 byte [62] .text C:\Program Files (x86)\Adobe\Adobe Creative Cloud\ACC\Creative Cloud.exe[4892] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000074c21465 2 bytes [C2, 74] .text C:\Program Files (x86)\Adobe\Adobe Creative Cloud\ACC\Creative Cloud.exe[4892] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000074c214bb 2 bytes [C2, 74] .text ... * 2 .text C:\Program Files\AVAST Software\Avast\avastui.exe[3740] C:\Windows\syswow64\kernel32.dll!SetUnhandledExceptionFilter 0000000075e98791 8 bytes [31, C0, C2, 04, 00, 90, 90, ...] .text C:\Program Files\AVAST Software\Avast\avastui.exe[3740] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000075eba2fd 1 byte [62] .text C:\Program Files\AVAST Software\Avast\avastui.exe[3740] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000074c21465 2 bytes [C2, 74] .text C:\Program Files\AVAST Software\Avast\avastui.exe[3740] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000074c214bb 2 bytes [C2, 74] .text ... * 2 .text C:\Program Files (x86)\Brother\Brmfcmon\BrMfcmon.exe[5276] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000075eba2fd 1 byte [62] .text C:\Program Files (x86)\Common Files\Adobe\CEPServiceManager4\CEPServiceManager.exe[5440] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000075eba2fd 1 byte [62] .text C:\Program Files (x86)\Adobe\Adobe Creative Cloud\CoreSync\CoreSync.exe[5972] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000075eba2fd 1 byte [62] .text C:\Program Files (x86)\Adobe\Adobe Creative Cloud\CoreSync\CoreSync.exe[5972] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000074c21465 2 bytes [C2, 74] .text C:\Program Files (x86)\Adobe\Adobe Creative Cloud\CoreSync\CoreSync.exe[5972] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000074c214bb 2 bytes [C2, 74] .text ... * 2 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[5404] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077041360 5 bytes JMP 0000000100200460 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[5404] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000770413b0 5 bytes JMP 0000000100200450 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[5404] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077041510 5 bytes JMP 0000000100200370 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[5404] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077041560 5 bytes JMP 0000000100200470 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[5404] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077041570 5 bytes JMP 00000001002003e0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[5404] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077041620 5 bytes JMP 0000000100200320 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[5404] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077041650 5 bytes JMP 00000001002003b0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[5404] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077041670 5 bytes JMP 0000000100200390 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[5404] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000770416b0 5 bytes JMP 00000001002002e0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[5404] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077041730 5 bytes JMP 00000001002002d0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[5404] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077041750 5 bytes JMP 0000000100200310 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[5404] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077041790 5 bytes JMP 00000001002003c0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[5404] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000770417e0 5 bytes JMP 00000001002003f0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[5404] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077041940 5 bytes JMP 0000000100200230 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[5404] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077041b00 5 bytes JMP 0000000100200480 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[5404] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077041b30 5 bytes JMP 00000001002003a0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[5404] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077041c10 5 bytes JMP 00000001002002f0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[5404] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077041c20 5 bytes JMP 0000000100200350 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[5404] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077041c80 5 bytes JMP 0000000100200290 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[5404] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077041d10 5 bytes JMP 00000001002002b0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[5404] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077041d30 5 bytes JMP 00000001002003d0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[5404] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077041d40 5 bytes JMP 0000000100200330 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[5404] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077041db0 5 bytes JMP 0000000100200410 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[5404] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077041de0 5 bytes JMP 0000000100200240 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[5404] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000770420a0 5 bytes JMP 00000001002001e0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[5404] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077042160 5 bytes JMP 0000000100200250 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[5404] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077042190 5 bytes JMP 0000000100200490 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[5404] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000770421a0 5 bytes JMP 00000001002004a0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[5404] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000770421d0 5 bytes JMP 0000000100200300 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[5404] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000770421e0 5 bytes JMP 0000000100200360 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[5404] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077042240 5 bytes JMP 00000001002002a0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[5404] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077042290 5 bytes JMP 00000001002002c0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[5404] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000770422c0 5 bytes JMP 0000000100200380 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[5404] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000770422d0 5 bytes JMP 0000000100200340 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[5404] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000770425c0 5 bytes JMP 0000000100200440 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[5404] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000770427c0 5 bytes JMP 0000000100200260 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[5404] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000770427d0 5 bytes JMP 0000000100200270 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[5404] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000770427e0 5 bytes JMP 0000000100200400 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[5404] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000770429a0 5 bytes JMP 00000001002001f0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[5404] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000770429b0 5 bytes JMP 0000000100200210 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[5404] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077042a20 5 bytes JMP 0000000100200200 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[5404] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077042a80 5 bytes JMP 0000000100200420 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[5404] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077042a90 5 bytes JMP 0000000100200430 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[5404] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077042aa0 5 bytes JMP 0000000100200220 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[5404] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077042b80 5 bytes JMP 0000000100200280 .text C:\Program Files (x86)\Adobe\Adobe Creative Cloud\HEX\Adobe CEF Helper.exe[3016] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000075eba2fd 1 byte [62] .text C:\Program Files (x86)\Adobe\Adobe Creative Cloud\HEX\Adobe CEF Helper.exe[3016] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000074c21465 2 bytes [C2, 74] .text C:\Program Files (x86)\Adobe\Adobe Creative Cloud\HEX\Adobe CEF Helper.exe[3016] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000074c214bb 2 bytes [C2, 74] .text ... * 2 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3592] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 0000000075eba2fd 1 byte [62] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5740] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000075eba2fd 1 byte [62] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[5928] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000075eba2fd 1 byte [62] .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077041360 5 bytes JMP 00000001001d0460 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000770413b0 5 bytes JMP 00000001001d0450 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077041510 5 bytes JMP 00000001001d0370 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077041560 5 bytes JMP 00000001001d0470 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077041570 5 bytes JMP 00000001001d03e0 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077041620 5 bytes JMP 00000001001d0320 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077041650 5 bytes JMP 00000001001d03b0 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077041670 5 bytes JMP 00000001001d0390 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000770416b0 5 bytes JMP 00000001001d02e0 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077041730 5 bytes JMP 00000001001d02d0 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077041750 5 bytes JMP 00000001001d0310 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077041790 5 bytes JMP 00000001001d03c0 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000770417e0 5 bytes JMP 00000001001d03f0 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077041940 5 bytes JMP 00000001001d0230 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077041b00 5 bytes JMP 00000001001d0480 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077041b30 5 bytes JMP 00000001001d03a0 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077041c10 5 bytes JMP 00000001001d02f0 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077041c20 5 bytes JMP 00000001001d0350 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077041c80 5 bytes JMP 00000001001d0290 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077041d10 5 bytes JMP 00000001001d02b0 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077041d30 5 bytes JMP 00000001001d03d0 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077041d40 5 bytes JMP 00000001001d0330 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077041db0 5 bytes JMP 00000001001d0410 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077041de0 5 bytes JMP 00000001001d0240 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000770420a0 5 bytes JMP 00000001001d01e0 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077042160 5 bytes JMP 00000001001d0250 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077042190 5 bytes JMP 00000001001d0490 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000770421a0 5 bytes JMP 00000001001d04a0 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000770421d0 5 bytes JMP 00000001001d0300 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000770421e0 5 bytes JMP 00000001001d0360 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077042240 5 bytes JMP 00000001001d02a0 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077042290 5 bytes JMP 00000001001d02c0 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000770422c0 5 bytes JMP 00000001001d0380 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000770422d0 5 bytes JMP 00000001001d0340 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000770425c0 5 bytes JMP 00000001001d0440 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000770427c0 5 bytes JMP 00000001001d0260 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000770427d0 5 bytes JMP 00000001001d0270 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000770427e0 5 bytes JMP 00000001001d0400 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000770429a0 5 bytes JMP 00000001001d01f0 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000770429b0 5 bytes JMP 00000001001d0210 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077042a20 5 bytes JMP 00000001001d0200 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077042a80 5 bytes JMP 00000001001d0420 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077042a90 5 bytes JMP 00000001001d0430 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077042aa0 5 bytes JMP 00000001001d0220 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077042b80 5 bytes JMP 00000001001d0280 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[1684] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 0000000076f2ef8d 1 byte [62] .text C:\Windows\system32\wuauclt.exe[2576] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077041360 5 bytes JMP 0000000100070460 .text C:\Windows\system32\wuauclt.exe[2576] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000770413b0 5 bytes JMP 0000000100070450 .text C:\Windows\system32\wuauclt.exe[2576] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077041510 5 bytes JMP 0000000100070370 .text C:\Windows\system32\wuauclt.exe[2576] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077041560 5 bytes JMP 0000000100070470 .text C:\Windows\system32\wuauclt.exe[2576] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077041570 5 bytes JMP 00000001000703e0 .text C:\Windows\system32\wuauclt.exe[2576] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077041620 5 bytes JMP 0000000100070320 .text C:\Windows\system32\wuauclt.exe[2576] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077041650 5 bytes JMP 00000001000703b0 .text C:\Windows\system32\wuauclt.exe[2576] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077041670 5 bytes JMP 0000000100070390 .text C:\Windows\system32\wuauclt.exe[2576] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000770416b0 5 bytes JMP 00000001000702e0 .text C:\Windows\system32\wuauclt.exe[2576] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077041730 5 bytes JMP 00000001000702d0 .text C:\Windows\system32\wuauclt.exe[2576] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077041750 5 bytes JMP 0000000100070310 .text C:\Windows\system32\wuauclt.exe[2576] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077041790 5 bytes JMP 00000001000703c0 .text C:\Windows\system32\wuauclt.exe[2576] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000770417e0 5 bytes JMP 00000001000703f0 .text C:\Windows\system32\wuauclt.exe[2576] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077041940 5 bytes JMP 0000000100070230 .text C:\Windows\system32\wuauclt.exe[2576] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077041b00 5 bytes JMP 0000000100070480 .text C:\Windows\system32\wuauclt.exe[2576] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077041b30 5 bytes JMP 00000001000703a0 .text C:\Windows\system32\wuauclt.exe[2576] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077041c10 5 bytes JMP 00000001000702f0 .text C:\Windows\system32\wuauclt.exe[2576] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077041c20 5 bytes JMP 0000000100070350 .text C:\Windows\system32\wuauclt.exe[2576] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077041c80 5 bytes JMP 0000000100070290 .text C:\Windows\system32\wuauclt.exe[2576] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077041d10 5 bytes JMP 00000001000702b0 .text C:\Windows\system32\wuauclt.exe[2576] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077041d30 5 bytes JMP 00000001000703d0 .text C:\Windows\system32\wuauclt.exe[2576] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077041d40 5 bytes JMP 0000000100070330 .text C:\Windows\system32\wuauclt.exe[2576] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077041db0 5 bytes JMP 0000000100070410 .text C:\Windows\system32\wuauclt.exe[2576] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077041de0 5 bytes JMP 0000000100070240 .text C:\Windows\system32\wuauclt.exe[2576] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000770420a0 5 bytes JMP 00000001000701e0 .text C:\Windows\system32\wuauclt.exe[2576] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077042160 5 bytes JMP 0000000100070250 .text C:\Windows\system32\wuauclt.exe[2576] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077042190 5 bytes JMP 0000000100070490 .text C:\Windows\system32\wuauclt.exe[2576] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000770421a0 5 bytes JMP 00000001000704a0 .text C:\Windows\system32\wuauclt.exe[2576] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000770421d0 5 bytes JMP 0000000100070300 .text C:\Windows\system32\wuauclt.exe[2576] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000770421e0 5 bytes JMP 0000000100070360 .text C:\Windows\system32\wuauclt.exe[2576] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077042240 5 bytes JMP 00000001000702a0 .text C:\Windows\system32\wuauclt.exe[2576] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077042290 5 bytes JMP 00000001000702c0 .text C:\Windows\system32\wuauclt.exe[2576] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000770422c0 5 bytes JMP 0000000100070380 .text C:\Windows\system32\wuauclt.exe[2576] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000770422d0 5 bytes JMP 0000000100070340 .text C:\Windows\system32\wuauclt.exe[2576] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000770425c0 5 bytes JMP 0000000100070440 .text C:\Windows\system32\wuauclt.exe[2576] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000770427c0 5 bytes JMP 0000000100070260 .text C:\Windows\system32\wuauclt.exe[2576] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000770427d0 5 bytes JMP 0000000100070270 .text C:\Windows\system32\wuauclt.exe[2576] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000770427e0 5 bytes JMP 0000000100070400 .text C:\Windows\system32\wuauclt.exe[2576] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000770429a0 5 bytes JMP 00000001000701f0 .text C:\Windows\system32\wuauclt.exe[2576] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000770429b0 5 bytes JMP 0000000100070210 .text C:\Windows\system32\wuauclt.exe[2576] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077042a20 5 bytes JMP 0000000100070200 .text C:\Windows\system32\wuauclt.exe[2576] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077042a80 5 bytes JMP 0000000100070420 .text C:\Windows\system32\wuauclt.exe[2576] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077042a90 5 bytes JMP 0000000100070430 .text C:\Windows\system32\wuauclt.exe[2576] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077042aa0 5 bytes JMP 0000000100070220 .text C:\Windows\system32\wuauclt.exe[2576] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077042b80 5 bytes JMP 0000000100070280 .text C:\Users\HP\Desktop\nkegnm4e.exe[5556] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000075eba2fd 1 byte [62] ---- Kernel IAT/EAT - GMER 2.1 ---- IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortBufferUshort] [fffff88001091f1c] \SystemRoot\System32\Drivers\sptd.sys [.text] IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortUchar] [fffff88001091cc0] \SystemRoot\System32\Drivers\sptd.sys [.text] IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUchar] [fffff8800109269c] \SystemRoot\System32\Drivers\sptd.sys [.text] IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUlong] [fffff88001092a98] \SystemRoot\System32\Drivers\sptd.sys [.text] IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortBufferUshort] [fffff880010928f4] \SystemRoot\System32\Drivers\sptd.sys [.text] ---- Devices - GMER 2.1 ---- Device \Driver\JMCR \Device\Scsi\JMCR3Port3Path0TargetffLun0 fffffa8006e292c0 Device \Driver\aw39ohw4 \Device\Scsi\aw39ohw41Port4Path0Target0Lun0 fffffa8006eab2c0 Device \Driver\JMCR \Device\Scsi\JMCR1 fffffa8006e292c0 Device \Driver\JMCR \Device\Scsi\JMCR2Port2Path0TargetffLun0 fffffa8006e292c0 Device \Driver\JMCR \Device\Scsi\JMCR2 fffffa8006e292c0 Device \Driver\JMCR \Device\Scsi\JMCR3 fffffa8006e292c0 Device \Driver\JMCR \Device\Scsi\JMCR1Port1Path0TargetffLun0 fffffa8006e292c0 Device \Driver\aw39ohw4 \Device\Scsi\aw39ohw41 fffffa8006eab2c0 Device \FileSystem\Ntfs \Ntfs fffffa8003fa82c0 Device \FileSystem\fastfat \Fat fffffa800cbb22c0 Device \Driver\NetBT \Device\NetBT_Tcpip_{DEEB98BC-0AF3-4EF4-A352-51D3441AF8BD} fffffa80054962c0 Device \Driver\NetBT \Device\NetBT_Tcpip_{B5ADE262-F13E-4B6B-992F-76D6C719DF98} fffffa80054962c0 Device \Driver\usbehci \Device\USBPDO-1 fffffa8006e152c0 Device \Driver\cdrom \Device\CdRom0 fffffa80053e52c0 Device \Driver\cdrom \Device\CdRom1 fffffa80053e52c0 Device \Driver\NetBT \Device\NetBT_Tcpip_{6D57B49D-C47D-42ED-BA5C-F116ADBB7921} fffffa80054962c0 Device \Driver\usbehci \Device\USBFDO-0 fffffa8006e152c0 Device \Driver\usbehci \Device\USBFDO-1 fffffa8006e152c0 Device \Driver\USBSTOR \Device\00000086 fffffa80076f52c0 Device \Driver\NetBT \Device\NetBT_Tcpip_{1C684471-6122-4FC5-AD1E-E921422682B9} fffffa80054962c0 Device \Driver\NetBT \Device\NetBt_Wins_Export fffffa80054962c0 Device \Driver\USBSTOR \Device\00000087 fffffa80076f52c0 Device \Driver\usbehci \Device\USBPDO-0 fffffa8006e152c0 Device \Driver\JMCR \Device\ScsiPort1 fffffa8006e292c0 Device \Driver\JMCR \Device\ScsiPort2 fffffa8006e292c0 Device \Driver\JMCR \Device\ScsiPort3 fffffa8006e292c0 Device \Driver\aw39ohw4 \Device\ScsiPort4 fffffa8006eab2c0 ---- Modules - GMER 2.1 ---- Module \SystemRoot\System32\Drivers\aw39ohw4.SYS fffff88006800000-fffff8800684c000 (311296 bytes) ---- Threads - GMER 2.1 ---- Thread [552:1040] 0000000074c37587 Thread [552:1044] 00000000748879e0 Thread [552:1048] 0000000074914e50 Thread [552:1112] 0000000074914c30 Thread [552:1120] 00000000749bb600 Thread [552:1132] 00000000749c0b20 Thread [552:1136] 00000000749bf9a0 Thread [552:1860] 0000000077222e65 Thread [552:3040] 0000000074914c30 Thread [552:2448] 00000000740962ee Thread [552:4484] 0000000072a1ef8b Thread [552:4796] 0000000072a1ef8b Thread [552:4956] 0000000077223e85 Thread [552:6092] 0000000077223e85 Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL10_50.INSERTGT\MSSQL\Binn\sqlservr.exe [2992:2588] 0000000077222e65 Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL10_50.INSERTGT\MSSQL\Binn\sqlservr.exe [2992:2784] 000000006fcf29e1 Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL10_50.INSERTGT\MSSQL\Binn\sqlservr.exe [2992:792] 000000006fcf29e1 Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL10_50.INSERTGT\MSSQL\Binn\sqlservr.exe [2992:868] 000000006fcf29e1 Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL10_50.INSERTGT\MSSQL\Binn\sqlservr.exe [2992:716] 000000006fcf29e1 Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL10_50.INSERTGT\MSSQL\Binn\sqlservr.exe [2992:2340] 000000006fcf29e1 Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL10_50.INSERTGT\MSSQL\Binn\sqlservr.exe [2992:2856] 000000006fcf29e1 Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL10_50.INSERTGT\MSSQL\Binn\sqlservr.exe [2992:2780] 000000006fcf29e1 Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL10_50.INSERTGT\MSSQL\Binn\sqlservr.exe [2992:2860] 000000006fcf29e1 Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL10_50.INSERTGT\MSSQL\Binn\sqlservr.exe [2992:2584] 000000006fcf29e1 Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL10_50.INSERTGT\MSSQL\Binn\sqlservr.exe [2992:3316] 000000006fcf29e1 Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL10_50.INSERTGT\MSSQL\Binn\sqlservr.exe [2992:3320] 000000006fcf29e1 Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL10_50.INSERTGT\MSSQL\Binn\sqlservr.exe [2992:3388] 000000006fcf29e1 Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL10_50.INSERTGT\MSSQL\Binn\sqlservr.exe [2992:3396] 000000006fcf29e1 Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL10_50.INSERTGT\MSSQL\Binn\sqlservr.exe [2992:3456] 000000006fcf29e1 Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL10_50.INSERTGT\MSSQL\Binn\sqlservr.exe [2992:3460] 000000006fcf29e1 Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL10_50.INSERTGT\MSSQL\Binn\sqlservr.exe [2992:3464] 000000006fcf29e1 Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL10_50.INSERTGT\MSSQL\Binn\sqlservr.exe [2992:3468] 000000006fcf29e1 Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL10_50.INSERTGT\MSSQL\Binn\sqlservr.exe [2992:3500] 000000006fcf29e1 Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL10_50.INSERTGT\MSSQL\Binn\sqlservr.exe [2992:3596] 000000006fcf29e1 Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL10_50.INSERTGT\MSSQL\Binn\sqlservr.exe [2992:3604] 000000006fcf29e1 Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL10_50.INSERTGT\MSSQL\Binn\sqlservr.exe [2992:3608] 000000006fcf29e1 Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL10_50.INSERTGT\MSSQL\Binn\sqlservr.exe [2992:3612] 0000000077223e85 Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL10_50.INSERTGT\MSSQL\Binn\sqlservr.exe [2992:3676] 000000006fcf29e1 Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL10_50.INSERTGT\MSSQL\Binn\sqlservr.exe [2992:3680] 000000006fcf29e1 Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL10_50.INSERTGT\MSSQL\Binn\sqlservr.exe [2992:3684] 000000006fcf29e1 Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL10_50.INSERTGT\MSSQL\Binn\sqlservr.exe [2992:3696] 000000006fcf29e1 Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL10_50.INSERTGT\MSSQL\Binn\sqlservr.exe [2992:3700] 000000006fcf29e1 Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL10_50.INSERTGT\MSSQL\Binn\sqlservr.exe [2992:3704] 000000006fcf29e1 Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL10_50.INSERTGT\MSSQL\Binn\sqlservr.exe [2992:3708] 000000006fcf29e1 Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL10_50.INSERTGT\MSSQL\Binn\sqlservr.exe [2992:3712] 000000006fcf29e1 Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL10_50.INSERTGT\MSSQL\Binn\sqlservr.exe [2992:3716] 000000006fcf29e1 Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL10_50.INSERTGT\MSSQL\Binn\sqlservr.exe [2992:3772] 000000006fcf29e1 Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL10_50.INSERTGT\MSSQL\Binn\sqlservr.exe [2992:4180] 000000006fcf29e1 Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL10_50.INSERTGT\MSSQL\Binn\sqlservr.exe [2992:4184] 000000006fcf29e1 Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL10_50.INSERTGT\MSSQL\Binn\sqlservr.exe [2992:5288] 0000000077223e85 ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\68a3c4e3fc80 Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\68a3c4e3fc80@1474115f58f5 0xD5 0x9F 0x05 0x4F ... Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\68a3c4e3fc80@001edc9066b1 0xB4 0xD4 0x86 0x04 ... Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\68a3c4e3fc80@001a8ab10ce4 0x41 0x0E 0x0E 0x1B ... Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\68a3c4e3fc80@001f5cacfe1b 0xB5 0x87 0x72 0x78 ... Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\68a3c4e3fc80@ac81f3b2b51a 0x7A 0x5F 0x33 0xFB ... Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\68a3c4e3fc80@0019b74a1e33 0x6A 0xCB 0x81 0x95 ... Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\68a3c4e3fc80@e839df59129c 0x6A 0x86 0x38 0x07 ... Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\68a3c4e3fc80@68ed438d527e 0xB3 0x67 0x56 0x06 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 C:\Program Files (x86)\Alcohol Soft\Alcohol 120\ Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x21 0xB5 0x2F 0x40 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@a0 0xA0 0x02 0x00 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@ujdew 0xBE 0xEA 0x8E 0xBF ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40@ujdew 0xE1 0xD3 0xED 0x6C ... Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\68a3c4e3fc80 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\68a3c4e3fc80@1474115f58f5 0xD5 0x9F 0x05 0x4F ... Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\68a3c4e3fc80@001edc9066b1 0xB4 0xD4 0x86 0x04 ... Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\68a3c4e3fc80@001a8ab10ce4 0x41 0x0E 0x0E 0x1B ... Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\68a3c4e3fc80@001f5cacfe1b 0xB5 0x87 0x72 0x78 ... Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\68a3c4e3fc80@ac81f3b2b51a 0x7A 0x5F 0x33 0xFB ... Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\68a3c4e3fc80@0019b74a1e33 0x6A 0xCB 0x81 0x95 ... Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\68a3c4e3fc80@e839df59129c 0x6A 0x86 0x38 0x07 ... Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\68a3c4e3fc80@68ed438d527e 0xB3 0x67 0x56 0x06 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 C:\Program Files (x86)\Alcohol Soft\Alcohol 120\ Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0 Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x21 0xB5 0x2F 0x40 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@a0 0xA0 0x02 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@ujdew 0xBE 0xEA 0x8E 0xBF ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40@ujdew 0xE1 0xD3 0xED 0x6C ... ---- EOF - GMER 2.1 ----