GMER 2.1.19163 - http://www.gmer.net Rootkit scan 2014-09-29 22:49:58 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 WDC_WD64 rev.01.0 596,17GB Running: m57g1hli.exe; Driver: C:\Users\Mirek\AppData\Local\Temp\axldikog.sys ---- Kernel code sections - GMER 2.1 ---- .text C:\Windows\System32\win32k.sys!EngSetLastError + 616 fffff960000b50a4 8 bytes [88, 77, F1, 03, 80, F8, FF, ...] .text C:\Windows\System32\win32k.sys!W32pServiceTable fffff960000e4200 7 bytes [40, A3, F3, FF, 01, B5, F0] .text C:\Windows\System32\win32k.sys!W32pServiceTable + 8 fffff960000e4208 3 bytes [C0, 06, 02] .text ... * 105 .text C:\Windows\System32\win32k.sys!EngQueryW32kCddInterface + 784 fffff960001a34cc 6 bytes {JMP QWORD [RIP-0xb33ba]} ---- User code sections - GMER 2.1 ---- .text C:\Windows\system32\csrss.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077301360 5 bytes JMP 0000000149f90460 .text C:\Windows\system32\csrss.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000773013b0 5 bytes JMP 0000000149f90450 .text C:\Windows\system32\csrss.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077301510 5 bytes JMP 0000000149f90370 .text C:\Windows\system32\csrss.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077301560 5 bytes JMP 0000000149f90470 .text C:\Windows\system32\csrss.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077301570 5 bytes JMP 0000000149f903e0 .text C:\Windows\system32\csrss.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077301620 5 bytes JMP 0000000149f90320 .text C:\Windows\system32\csrss.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077301650 5 bytes JMP 0000000149f903b0 .text C:\Windows\system32\csrss.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077301670 5 bytes JMP 0000000149f90390 .text C:\Windows\system32\csrss.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000773016b0 5 bytes JMP 0000000149f902e0 .text C:\Windows\system32\csrss.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077301730 5 bytes JMP 0000000149f902d0 .text C:\Windows\system32\csrss.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077301750 5 bytes JMP 0000000149f90310 .text C:\Windows\system32\csrss.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077301790 5 bytes JMP 0000000149f903c0 .text C:\Windows\system32\csrss.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000773017e0 5 bytes JMP 0000000149f903f0 .text C:\Windows\system32\csrss.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077301940 5 bytes JMP 0000000149f90230 .text C:\Windows\system32\csrss.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077301b00 5 bytes JMP 0000000149f90480 .text C:\Windows\system32\csrss.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077301b30 5 bytes JMP 0000000149f903a0 .text C:\Windows\system32\csrss.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077301c10 5 bytes JMP 0000000149f902f0 .text C:\Windows\system32\csrss.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077301c20 5 bytes JMP 0000000149f90350 .text C:\Windows\system32\csrss.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077301c80 5 bytes JMP 0000000149f90290 .text C:\Windows\system32\csrss.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077301d10 5 bytes JMP 0000000149f902b0 .text C:\Windows\system32\csrss.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077301d30 5 bytes JMP 0000000149f903d0 .text C:\Windows\system32\csrss.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077301d40 5 bytes JMP 0000000149f90330 .text C:\Windows\system32\csrss.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077301db0 5 bytes JMP 0000000149f90410 .text C:\Windows\system32\csrss.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077301de0 5 bytes JMP 0000000149f90240 .text C:\Windows\system32\csrss.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000773020a0 5 bytes JMP 0000000149f901e0 .text C:\Windows\system32\csrss.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077302160 5 bytes JMP 0000000149f90250 .text C:\Windows\system32\csrss.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077302190 5 bytes JMP 0000000149f90490 .text C:\Windows\system32\csrss.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000773021a0 5 bytes JMP 0000000149f904a0 .text C:\Windows\system32\csrss.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000773021d0 5 bytes JMP 0000000149f90300 .text C:\Windows\system32\csrss.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000773021e0 5 bytes JMP 0000000149f90360 .text C:\Windows\system32\csrss.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077302240 5 bytes JMP 0000000149f902a0 .text C:\Windows\system32\csrss.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077302290 5 bytes JMP 0000000149f902c0 .text C:\Windows\system32\csrss.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000773022c0 5 bytes JMP 0000000149f90380 .text C:\Windows\system32\csrss.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000773022d0 5 bytes JMP 0000000149f90340 .text C:\Windows\system32\csrss.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000773025c0 5 bytes JMP 0000000149f90440 .text C:\Windows\system32\csrss.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000773027c0 5 bytes JMP 0000000149f90260 .text C:\Windows\system32\csrss.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000773027d0 5 bytes JMP 0000000149f90270 .text C:\Windows\system32\csrss.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000773027e0 5 bytes JMP 0000000149f90400 .text C:\Windows\system32\csrss.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000773029a0 5 bytes JMP 0000000149f901f0 .text C:\Windows\system32\csrss.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000773029b0 5 bytes JMP 0000000149f90210 .text C:\Windows\system32\csrss.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077302a20 5 bytes JMP 0000000149f90200 .text C:\Windows\system32\csrss.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077302a80 5 bytes JMP 0000000149f90420 .text C:\Windows\system32\csrss.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077302a90 5 bytes JMP 0000000149f90430 .text C:\Windows\system32\csrss.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077302aa0 5 bytes JMP 0000000149f90220 .text C:\Windows\system32\csrss.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077302b80 5 bytes JMP 0000000149f90280 .text C:\Windows\system32\wininit.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077301360 5 bytes JMP 0000000077460460 .text C:\Windows\system32\wininit.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000773013b0 5 bytes JMP 0000000077460450 .text C:\Windows\system32\wininit.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077301510 5 bytes JMP 0000000077460370 .text C:\Windows\system32\wininit.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077301560 5 bytes JMP 0000000077460470 .text C:\Windows\system32\wininit.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077301570 5 bytes JMP 00000000774603e0 .text C:\Windows\system32\wininit.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077301620 5 bytes JMP 0000000077460320 .text C:\Windows\system32\wininit.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077301650 5 bytes JMP 00000000774603b0 .text C:\Windows\system32\wininit.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077301670 5 bytes JMP 0000000077460390 .text C:\Windows\system32\wininit.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000773016b0 5 bytes JMP 00000000774602e0 .text C:\Windows\system32\wininit.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077301730 5 bytes JMP 00000000774602d0 .text C:\Windows\system32\wininit.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077301750 5 bytes JMP 0000000077460310 .text C:\Windows\system32\wininit.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077301790 5 bytes JMP 00000000774603c0 .text C:\Windows\system32\wininit.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000773017e0 5 bytes JMP 00000000774603f0 .text C:\Windows\system32\wininit.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077301940 5 bytes JMP 0000000077460230 .text C:\Windows\system32\wininit.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077301b00 5 bytes JMP 0000000077460480 .text C:\Windows\system32\wininit.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077301b30 5 bytes JMP 00000000774603a0 .text C:\Windows\system32\wininit.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077301c10 5 bytes JMP 00000000774602f0 .text C:\Windows\system32\wininit.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077301c20 5 bytes JMP 0000000077460350 .text C:\Windows\system32\wininit.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077301c80 5 bytes JMP 0000000077460290 .text C:\Windows\system32\wininit.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077301d10 5 bytes JMP 00000000774602b0 .text C:\Windows\system32\wininit.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077301d30 5 bytes JMP 00000000774603d0 .text C:\Windows\system32\wininit.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077301d40 5 bytes JMP 0000000077460330 .text C:\Windows\system32\wininit.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077301db0 5 bytes JMP 0000000077460410 .text C:\Windows\system32\wininit.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077301de0 5 bytes JMP 0000000077460240 .text C:\Windows\system32\wininit.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000773020a0 5 bytes JMP 00000000774601e0 .text C:\Windows\system32\wininit.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077302160 5 bytes JMP 0000000077460250 .text C:\Windows\system32\wininit.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077302190 5 bytes JMP 0000000077460490 .text C:\Windows\system32\wininit.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000773021a0 5 bytes JMP 00000000774604a0 .text C:\Windows\system32\wininit.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000773021d0 5 bytes JMP 0000000077460300 .text C:\Windows\system32\wininit.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000773021e0 5 bytes JMP 0000000077460360 .text C:\Windows\system32\wininit.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077302240 5 bytes JMP 00000000774602a0 .text C:\Windows\system32\wininit.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077302290 5 bytes JMP 00000000774602c0 .text C:\Windows\system32\wininit.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000773022c0 5 bytes JMP 0000000077460380 .text C:\Windows\system32\wininit.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000773022d0 5 bytes JMP 0000000077460340 .text C:\Windows\system32\wininit.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000773025c0 5 bytes JMP 0000000077460440 .text C:\Windows\system32\wininit.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000773027c0 5 bytes JMP 0000000077460260 .text C:\Windows\system32\wininit.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000773027d0 5 bytes JMP 0000000077460270 .text C:\Windows\system32\wininit.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000773027e0 5 bytes JMP 0000000077460400 .text C:\Windows\system32\wininit.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000773029a0 5 bytes JMP 00000000774601f0 .text C:\Windows\system32\wininit.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000773029b0 5 bytes JMP 0000000077460210 .text C:\Windows\system32\wininit.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077302a20 5 bytes JMP 0000000077460200 .text C:\Windows\system32\wininit.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077302a80 5 bytes JMP 0000000077460420 .text C:\Windows\system32\wininit.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077302a90 5 bytes JMP 0000000077460430 .text C:\Windows\system32\wininit.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077302aa0 5 bytes JMP 0000000077460220 .text C:\Windows\system32\wininit.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077302b80 5 bytes JMP 0000000077460280 .text C:\Windows\system32\wininit.exe[556] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000770eef8d 1 byte [62] .text C:\Windows\system32\csrss.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077301360 5 bytes JMP 0000000149f90460 .text C:\Windows\system32\csrss.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000773013b0 5 bytes JMP 0000000149f90450 .text C:\Windows\system32\csrss.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077301510 5 bytes JMP 0000000149f90370 .text C:\Windows\system32\csrss.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077301560 5 bytes JMP 0000000149f90470 .text C:\Windows\system32\csrss.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077301570 5 bytes JMP 0000000149f903e0 .text C:\Windows\system32\csrss.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077301620 5 bytes JMP 0000000149f90320 .text C:\Windows\system32\csrss.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077301650 5 bytes JMP 0000000149f903b0 .text C:\Windows\system32\csrss.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077301670 5 bytes JMP 0000000149f90390 .text C:\Windows\system32\csrss.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000773016b0 5 bytes JMP 0000000149f902e0 .text C:\Windows\system32\csrss.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077301730 5 bytes JMP 0000000149f902d0 .text C:\Windows\system32\csrss.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077301750 5 bytes JMP 0000000149f90310 .text C:\Windows\system32\csrss.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077301790 5 bytes JMP 0000000149f903c0 .text C:\Windows\system32\csrss.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000773017e0 5 bytes JMP 0000000149f903f0 .text C:\Windows\system32\csrss.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077301940 5 bytes JMP 0000000149f90230 .text C:\Windows\system32\csrss.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077301b00 5 bytes JMP 0000000149f90480 .text C:\Windows\system32\csrss.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077301b30 5 bytes JMP 0000000149f903a0 .text C:\Windows\system32\csrss.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077301c10 5 bytes JMP 0000000149f902f0 .text C:\Windows\system32\csrss.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077301c20 5 bytes JMP 0000000149f90350 .text C:\Windows\system32\csrss.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077301c80 5 bytes JMP 0000000149f90290 .text C:\Windows\system32\csrss.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077301d10 5 bytes JMP 0000000149f902b0 .text C:\Windows\system32\csrss.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077301d30 5 bytes JMP 0000000149f903d0 .text C:\Windows\system32\csrss.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077301d40 5 bytes JMP 0000000149f90330 .text C:\Windows\system32\csrss.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077301db0 5 bytes JMP 0000000149f90410 .text C:\Windows\system32\csrss.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077301de0 5 bytes JMP 0000000149f90240 .text C:\Windows\system32\csrss.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000773020a0 5 bytes JMP 0000000149f901e0 .text C:\Windows\system32\csrss.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077302160 5 bytes JMP 0000000149f90250 .text C:\Windows\system32\csrss.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077302190 5 bytes JMP 0000000149f90490 .text C:\Windows\system32\csrss.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000773021a0 5 bytes JMP 0000000149f904a0 .text C:\Windows\system32\csrss.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000773021d0 5 bytes JMP 0000000149f90300 .text C:\Windows\system32\csrss.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000773021e0 5 bytes JMP 0000000149f90360 .text C:\Windows\system32\csrss.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077302240 5 bytes JMP 0000000149f902a0 .text C:\Windows\system32\csrss.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077302290 5 bytes JMP 0000000149f902c0 .text C:\Windows\system32\csrss.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000773022c0 5 bytes JMP 0000000149f90380 .text C:\Windows\system32\csrss.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000773022d0 5 bytes JMP 0000000149f90340 .text C:\Windows\system32\csrss.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000773025c0 5 bytes JMP 0000000149f90440 .text C:\Windows\system32\csrss.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000773027c0 5 bytes JMP 0000000149f90260 .text C:\Windows\system32\csrss.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000773027d0 5 bytes JMP 0000000149f90270 .text C:\Windows\system32\csrss.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000773027e0 5 bytes JMP 0000000149f90400 .text C:\Windows\system32\csrss.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000773029a0 5 bytes JMP 0000000149f901f0 .text C:\Windows\system32\csrss.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000773029b0 5 bytes JMP 0000000149f90210 .text C:\Windows\system32\csrss.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077302a20 5 bytes JMP 0000000149f90200 .text C:\Windows\system32\csrss.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077302a80 5 bytes JMP 0000000149f90420 .text C:\Windows\system32\csrss.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077302a90 5 bytes JMP 0000000149f90430 .text C:\Windows\system32\csrss.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077302aa0 5 bytes JMP 0000000149f90220 .text C:\Windows\system32\csrss.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077302b80 5 bytes JMP 0000000149f90280 .text C:\Windows\system32\services.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077301360 5 bytes JMP 0000000077460460 .text C:\Windows\system32\services.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000773013b0 5 bytes JMP 0000000077460450 .text C:\Windows\system32\services.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077301510 5 bytes JMP 0000000077460370 .text C:\Windows\system32\services.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077301560 5 bytes JMP 0000000077460470 .text C:\Windows\system32\services.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077301570 5 bytes JMP 00000000774603e0 .text C:\Windows\system32\services.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077301620 5 bytes JMP 0000000077460320 .text C:\Windows\system32\services.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077301650 5 bytes JMP 00000000774603b0 .text C:\Windows\system32\services.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077301670 5 bytes JMP 0000000077460390 .text C:\Windows\system32\services.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000773016b0 5 bytes JMP 00000000774602e0 .text C:\Windows\system32\services.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077301730 5 bytes JMP 00000000774602d0 .text C:\Windows\system32\services.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077301750 5 bytes JMP 0000000077460310 .text C:\Windows\system32\services.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077301790 5 bytes JMP 00000000774603c0 .text C:\Windows\system32\services.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000773017e0 5 bytes JMP 00000000774603f0 .text C:\Windows\system32\services.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077301940 5 bytes JMP 0000000077460230 .text C:\Windows\system32\services.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077301b00 5 bytes JMP 0000000077460480 .text C:\Windows\system32\services.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077301b30 5 bytes JMP 00000000774603a0 .text C:\Windows\system32\services.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077301c10 5 bytes JMP 00000000774602f0 .text C:\Windows\system32\services.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077301c20 5 bytes JMP 0000000077460350 .text C:\Windows\system32\services.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077301c80 5 bytes JMP 0000000077460290 .text C:\Windows\system32\services.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077301d10 5 bytes JMP 00000000774602b0 .text C:\Windows\system32\services.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077301d30 5 bytes JMP 00000000774603d0 .text C:\Windows\system32\services.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077301d40 5 bytes JMP 0000000077460330 .text C:\Windows\system32\services.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077301db0 5 bytes JMP 0000000077460410 .text C:\Windows\system32\services.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077301de0 5 bytes JMP 0000000077460240 .text C:\Windows\system32\services.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000773020a0 5 bytes JMP 00000000774601e0 .text C:\Windows\system32\services.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077302160 5 bytes JMP 0000000077460250 .text C:\Windows\system32\services.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077302190 5 bytes JMP 0000000077460490 .text C:\Windows\system32\services.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000773021a0 5 bytes JMP 00000000774604a0 .text C:\Windows\system32\services.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000773021d0 5 bytes JMP 0000000077460300 .text C:\Windows\system32\services.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000773021e0 5 bytes JMP 0000000077460360 .text C:\Windows\system32\services.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077302240 5 bytes JMP 00000000774602a0 .text C:\Windows\system32\services.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077302290 5 bytes JMP 00000000774602c0 .text C:\Windows\system32\services.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000773022c0 5 bytes JMP 0000000077460380 .text C:\Windows\system32\services.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000773022d0 5 bytes JMP 0000000077460340 .text C:\Windows\system32\services.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000773025c0 5 bytes JMP 0000000077460440 .text C:\Windows\system32\services.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000773027c0 5 bytes JMP 0000000077460260 .text C:\Windows\system32\services.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000773027d0 5 bytes JMP 0000000077460270 .text C:\Windows\system32\services.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000773027e0 5 bytes JMP 0000000077460400 .text C:\Windows\system32\services.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000773029a0 5 bytes JMP 00000000774601f0 .text C:\Windows\system32\services.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000773029b0 5 bytes JMP 0000000077460210 .text C:\Windows\system32\services.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077302a20 5 bytes JMP 0000000077460200 .text C:\Windows\system32\services.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077302a80 5 bytes JMP 0000000077460420 .text C:\Windows\system32\services.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077302a90 5 bytes JMP 0000000077460430 .text C:\Windows\system32\services.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077302aa0 5 bytes JMP 0000000077460220 .text C:\Windows\system32\services.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077302b80 5 bytes JMP 0000000077460280 .text C:\Windows\system32\services.exe[608] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000770eef8d 1 byte [62] .text C:\Windows\system32\winlogon.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077301360 5 bytes JMP 0000000077460460 .text C:\Windows\system32\winlogon.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000773013b0 5 bytes JMP 0000000077460450 .text C:\Windows\system32\winlogon.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077301510 5 bytes JMP 0000000077460370 .text C:\Windows\system32\winlogon.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077301560 5 bytes JMP 0000000077460470 .text C:\Windows\system32\winlogon.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077301570 5 bytes JMP 00000000774603e0 .text C:\Windows\system32\winlogon.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077301620 5 bytes JMP 0000000077460320 .text C:\Windows\system32\winlogon.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077301650 5 bytes JMP 00000000774603b0 .text C:\Windows\system32\winlogon.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077301670 5 bytes JMP 0000000077460390 .text C:\Windows\system32\winlogon.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000773016b0 5 bytes JMP 00000000774602e0 .text C:\Windows\system32\winlogon.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077301730 5 bytes JMP 00000000774602d0 .text C:\Windows\system32\winlogon.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077301750 5 bytes JMP 0000000077460310 .text C:\Windows\system32\winlogon.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077301790 5 bytes JMP 00000000774603c0 .text C:\Windows\system32\winlogon.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000773017e0 5 bytes JMP 00000000774603f0 .text C:\Windows\system32\winlogon.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077301940 5 bytes JMP 0000000077460230 .text C:\Windows\system32\winlogon.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077301b00 5 bytes JMP 0000000077460480 .text C:\Windows\system32\winlogon.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077301b30 5 bytes JMP 00000000774603a0 .text C:\Windows\system32\winlogon.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077301c10 5 bytes JMP 00000000774602f0 .text C:\Windows\system32\winlogon.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077301c20 5 bytes JMP 0000000077460350 .text C:\Windows\system32\winlogon.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077301c80 5 bytes JMP 0000000077460290 .text C:\Windows\system32\winlogon.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077301d10 5 bytes JMP 00000000774602b0 .text C:\Windows\system32\winlogon.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077301d30 5 bytes JMP 00000000774603d0 .text C:\Windows\system32\winlogon.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077301d40 5 bytes JMP 0000000077460330 .text C:\Windows\system32\winlogon.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077301db0 5 bytes JMP 0000000077460410 .text C:\Windows\system32\winlogon.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077301de0 5 bytes JMP 0000000077460240 .text C:\Windows\system32\winlogon.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000773020a0 5 bytes JMP 00000000774601e0 .text C:\Windows\system32\winlogon.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077302160 5 bytes JMP 0000000077460250 .text C:\Windows\system32\winlogon.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077302190 5 bytes JMP 0000000077460490 .text C:\Windows\system32\winlogon.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000773021a0 5 bytes JMP 00000000774604a0 .text C:\Windows\system32\winlogon.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000773021d0 5 bytes JMP 0000000077460300 .text C:\Windows\system32\winlogon.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000773021e0 5 bytes JMP 0000000077460360 .text C:\Windows\system32\winlogon.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077302240 5 bytes JMP 00000000774602a0 .text C:\Windows\system32\winlogon.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077302290 5 bytes JMP 00000000774602c0 .text C:\Windows\system32\winlogon.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000773022c0 5 bytes JMP 0000000077460380 .text C:\Windows\system32\winlogon.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000773022d0 5 bytes JMP 0000000077460340 .text C:\Windows\system32\winlogon.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000773025c0 5 bytes JMP 0000000077460440 .text C:\Windows\system32\winlogon.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000773027c0 5 bytes JMP 0000000077460260 .text C:\Windows\system32\winlogon.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000773027d0 5 bytes JMP 0000000077460270 .text C:\Windows\system32\winlogon.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000773027e0 5 bytes JMP 0000000077460400 .text C:\Windows\system32\winlogon.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000773029a0 5 bytes JMP 00000000774601f0 .text C:\Windows\system32\winlogon.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000773029b0 5 bytes JMP 0000000077460210 .text C:\Windows\system32\winlogon.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077302a20 5 bytes JMP 0000000077460200 .text C:\Windows\system32\winlogon.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077302a80 5 bytes JMP 0000000077460420 .text C:\Windows\system32\winlogon.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077302a90 5 bytes JMP 0000000077460430 .text C:\Windows\system32\winlogon.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077302aa0 5 bytes JMP 0000000077460220 .text C:\Windows\system32\winlogon.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077302b80 5 bytes JMP 0000000077460280 .text C:\Windows\system32\winlogon.exe[644] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000770eef8d 1 byte [62] .text C:\Windows\system32\lsass.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077301360 5 bytes JMP 0000000077460460 .text C:\Windows\system32\lsass.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000773013b0 5 bytes JMP 0000000077460450 .text C:\Windows\system32\lsass.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077301510 5 bytes JMP 0000000077460370 .text C:\Windows\system32\lsass.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077301560 5 bytes JMP 0000000077460470 .text C:\Windows\system32\lsass.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077301570 5 bytes JMP 00000000774603e0 .text C:\Windows\system32\lsass.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077301620 5 bytes JMP 0000000077460320 .text C:\Windows\system32\lsass.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077301650 5 bytes JMP 00000000774603b0 .text C:\Windows\system32\lsass.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077301670 5 bytes JMP 0000000077460390 .text C:\Windows\system32\lsass.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000773016b0 5 bytes JMP 00000000774602e0 .text C:\Windows\system32\lsass.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077301730 5 bytes JMP 00000000774602d0 .text C:\Windows\system32\lsass.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077301750 5 bytes JMP 0000000077460310 .text C:\Windows\system32\lsass.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077301790 5 bytes JMP 00000000774603c0 .text C:\Windows\system32\lsass.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000773017e0 5 bytes JMP 00000000774603f0 .text C:\Windows\system32\lsass.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077301940 5 bytes JMP 0000000077460230 .text C:\Windows\system32\lsass.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077301b00 5 bytes JMP 0000000077460480 .text C:\Windows\system32\lsass.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077301b30 5 bytes JMP 00000000774603a0 .text C:\Windows\system32\lsass.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077301c10 5 bytes JMP 00000000774602f0 .text C:\Windows\system32\lsass.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077301c20 5 bytes JMP 0000000077460350 .text C:\Windows\system32\lsass.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077301c80 5 bytes JMP 0000000077460290 .text C:\Windows\system32\lsass.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077301d10 5 bytes JMP 00000000774602b0 .text C:\Windows\system32\lsass.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077301d30 5 bytes JMP 00000000774603d0 .text C:\Windows\system32\lsass.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077301d40 5 bytes JMP 0000000077460330 .text C:\Windows\system32\lsass.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077301db0 5 bytes JMP 0000000077460410 .text C:\Windows\system32\lsass.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077301de0 5 bytes JMP 0000000077460240 .text C:\Windows\system32\lsass.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000773020a0 5 bytes JMP 00000000774601e0 .text C:\Windows\system32\lsass.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077302160 5 bytes JMP 0000000077460250 .text C:\Windows\system32\lsass.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077302190 5 bytes JMP 0000000077460490 .text C:\Windows\system32\lsass.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000773021a0 5 bytes JMP 00000000774604a0 .text C:\Windows\system32\lsass.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000773021d0 5 bytes JMP 0000000077460300 .text C:\Windows\system32\lsass.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000773021e0 5 bytes JMP 0000000077460360 .text C:\Windows\system32\lsass.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077302240 5 bytes JMP 00000000774602a0 .text C:\Windows\system32\lsass.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077302290 5 bytes JMP 00000000774602c0 .text C:\Windows\system32\lsass.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000773022c0 5 bytes JMP 0000000077460380 .text C:\Windows\system32\lsass.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000773022d0 5 bytes JMP 0000000077460340 .text C:\Windows\system32\lsass.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000773025c0 5 bytes JMP 0000000077460440 .text C:\Windows\system32\lsass.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000773027c0 5 bytes JMP 0000000077460260 .text C:\Windows\system32\lsass.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000773027d0 5 bytes JMP 0000000077460270 .text C:\Windows\system32\lsass.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000773027e0 5 bytes JMP 0000000077460400 .text C:\Windows\system32\lsass.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000773029a0 5 bytes JMP 00000000774601f0 .text C:\Windows\system32\lsass.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000773029b0 5 bytes JMP 0000000077460210 .text C:\Windows\system32\lsass.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077302a20 5 bytes JMP 0000000077460200 .text C:\Windows\system32\lsass.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077302a80 5 bytes JMP 0000000077460420 .text C:\Windows\system32\lsass.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077302a90 5 bytes JMP 0000000077460430 .text C:\Windows\system32\lsass.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077302aa0 5 bytes JMP 0000000077460220 .text C:\Windows\system32\lsass.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077302b80 5 bytes JMP 0000000077460280 .text C:\Windows\system32\lsm.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077301360 5 bytes JMP 0000000077460460 .text C:\Windows\system32\lsm.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000773013b0 5 bytes JMP 0000000077460450 .text C:\Windows\system32\lsm.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077301510 5 bytes JMP 0000000077460370 .text C:\Windows\system32\lsm.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077301560 5 bytes JMP 0000000077460470 .text C:\Windows\system32\lsm.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077301570 5 bytes JMP 00000000774603e0 .text C:\Windows\system32\lsm.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077301620 5 bytes JMP 0000000077460320 .text C:\Windows\system32\lsm.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077301650 5 bytes JMP 00000000774603b0 .text C:\Windows\system32\lsm.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077301670 5 bytes JMP 0000000077460390 .text C:\Windows\system32\lsm.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000773016b0 5 bytes JMP 00000000774602e0 .text C:\Windows\system32\lsm.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077301730 5 bytes JMP 00000000774602d0 .text C:\Windows\system32\lsm.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077301750 5 bytes JMP 0000000077460310 .text C:\Windows\system32\lsm.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077301790 5 bytes JMP 00000000774603c0 .text C:\Windows\system32\lsm.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000773017e0 5 bytes JMP 00000000774603f0 .text C:\Windows\system32\lsm.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077301940 5 bytes JMP 0000000077460230 .text C:\Windows\system32\lsm.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077301b00 5 bytes JMP 0000000077460480 .text C:\Windows\system32\lsm.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077301b30 5 bytes JMP 00000000774603a0 .text C:\Windows\system32\lsm.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077301c10 5 bytes JMP 00000000774602f0 .text C:\Windows\system32\lsm.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077301c20 5 bytes JMP 0000000077460350 .text C:\Windows\system32\lsm.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077301c80 5 bytes JMP 0000000077460290 .text C:\Windows\system32\lsm.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077301d10 5 bytes JMP 00000000774602b0 .text C:\Windows\system32\lsm.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077301d30 5 bytes JMP 00000000774603d0 .text C:\Windows\system32\lsm.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077301d40 5 bytes JMP 0000000077460330 .text C:\Windows\system32\lsm.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077301db0 5 bytes JMP 0000000077460410 .text C:\Windows\system32\lsm.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077301de0 5 bytes JMP 0000000077460240 .text C:\Windows\system32\lsm.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000773020a0 5 bytes JMP 00000000774601e0 .text C:\Windows\system32\lsm.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077302160 5 bytes JMP 0000000077460250 .text C:\Windows\system32\lsm.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077302190 5 bytes JMP 0000000077460490 .text C:\Windows\system32\lsm.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000773021a0 5 bytes JMP 00000000774604a0 .text C:\Windows\system32\lsm.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000773021d0 5 bytes JMP 0000000077460300 .text C:\Windows\system32\lsm.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000773021e0 5 bytes JMP 0000000077460360 .text C:\Windows\system32\lsm.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077302240 5 bytes JMP 00000000774602a0 .text C:\Windows\system32\lsm.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077302290 5 bytes JMP 00000000774602c0 .text C:\Windows\system32\lsm.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000773022c0 5 bytes JMP 0000000077460380 .text C:\Windows\system32\lsm.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000773022d0 5 bytes JMP 0000000077460340 .text C:\Windows\system32\lsm.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000773025c0 5 bytes JMP 0000000077460440 .text C:\Windows\system32\lsm.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000773027c0 5 bytes JMP 0000000077460260 .text C:\Windows\system32\lsm.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000773027d0 5 bytes JMP 0000000077460270 .text C:\Windows\system32\lsm.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000773027e0 5 bytes JMP 0000000077460400 .text C:\Windows\system32\lsm.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000773029a0 5 bytes JMP 00000000774601f0 .text C:\Windows\system32\lsm.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000773029b0 5 bytes JMP 0000000077460210 .text C:\Windows\system32\lsm.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077302a20 5 bytes JMP 0000000077460200 .text C:\Windows\system32\lsm.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077302a80 5 bytes JMP 0000000077460420 .text C:\Windows\system32\lsm.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077302a90 5 bytes JMP 0000000077460430 .text C:\Windows\system32\lsm.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077302aa0 5 bytes JMP 0000000077460220 .text C:\Windows\system32\lsm.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077302b80 5 bytes JMP 0000000077460280 .text C:\Windows\system32\svchost.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077301360 5 bytes JMP 0000000077460460 .text C:\Windows\system32\svchost.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000773013b0 5 bytes JMP 0000000077460450 .text C:\Windows\system32\svchost.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077301510 5 bytes JMP 0000000077460370 .text C:\Windows\system32\svchost.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077301560 5 bytes JMP 0000000077460470 .text C:\Windows\system32\svchost.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077301570 5 bytes JMP 00000000774603e0 .text C:\Windows\system32\svchost.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077301620 5 bytes JMP 0000000077460320 .text C:\Windows\system32\svchost.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077301650 5 bytes JMP 00000000774603b0 .text C:\Windows\system32\svchost.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077301670 5 bytes JMP 0000000077460390 .text C:\Windows\system32\svchost.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000773016b0 5 bytes JMP 00000000774602e0 .text C:\Windows\system32\svchost.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077301730 5 bytes JMP 00000000774602d0 .text C:\Windows\system32\svchost.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077301750 5 bytes JMP 0000000077460310 .text C:\Windows\system32\svchost.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077301790 5 bytes JMP 00000000774603c0 .text C:\Windows\system32\svchost.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000773017e0 5 bytes JMP 00000000774603f0 .text C:\Windows\system32\svchost.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077301940 5 bytes JMP 0000000077460230 .text C:\Windows\system32\svchost.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077301b00 5 bytes JMP 0000000077460480 .text C:\Windows\system32\svchost.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077301b30 5 bytes JMP 00000000774603a0 .text C:\Windows\system32\svchost.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077301c10 5 bytes JMP 00000000774602f0 .text C:\Windows\system32\svchost.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077301c20 5 bytes JMP 0000000077460350 .text C:\Windows\system32\svchost.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077301c80 5 bytes JMP 0000000077460290 .text C:\Windows\system32\svchost.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077301d10 5 bytes JMP 00000000774602b0 .text C:\Windows\system32\svchost.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077301d30 5 bytes JMP 00000000774603d0 .text C:\Windows\system32\svchost.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077301d40 5 bytes JMP 0000000077460330 .text C:\Windows\system32\svchost.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077301db0 5 bytes JMP 0000000077460410 .text C:\Windows\system32\svchost.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077301de0 5 bytes JMP 0000000077460240 .text C:\Windows\system32\svchost.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000773020a0 5 bytes JMP 00000000774601e0 .text C:\Windows\system32\svchost.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077302160 5 bytes JMP 0000000077460250 .text C:\Windows\system32\svchost.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077302190 5 bytes JMP 0000000077460490 .text C:\Windows\system32\svchost.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000773021a0 5 bytes JMP 00000000774604a0 .text C:\Windows\system32\svchost.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000773021d0 5 bytes JMP 0000000077460300 .text C:\Windows\system32\svchost.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000773021e0 5 bytes JMP 0000000077460360 .text C:\Windows\system32\svchost.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077302240 5 bytes JMP 00000000774602a0 .text C:\Windows\system32\svchost.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077302290 5 bytes JMP 00000000774602c0 .text C:\Windows\system32\svchost.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000773022c0 5 bytes JMP 0000000077460380 .text C:\Windows\system32\svchost.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000773022d0 5 bytes JMP 0000000077460340 .text C:\Windows\system32\svchost.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000773025c0 5 bytes JMP 0000000077460440 .text C:\Windows\system32\svchost.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000773027c0 5 bytes JMP 0000000077460260 .text C:\Windows\system32\svchost.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000773027d0 5 bytes JMP 0000000077460270 .text C:\Windows\system32\svchost.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000773027e0 5 bytes JMP 0000000077460400 .text C:\Windows\system32\svchost.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000773029a0 5 bytes JMP 00000000774601f0 .text C:\Windows\system32\svchost.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000773029b0 5 bytes JMP 0000000077460210 .text C:\Windows\system32\svchost.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077302a20 5 bytes JMP 0000000077460200 .text C:\Windows\system32\svchost.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077302a80 5 bytes JMP 0000000077460420 .text C:\Windows\system32\svchost.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077302a90 5 bytes JMP 0000000077460430 .text C:\Windows\system32\svchost.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077302aa0 5 bytes JMP 0000000077460220 .text C:\Windows\system32\svchost.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077302b80 5 bytes JMP 0000000077460280 .text C:\Program Files (x86)\Fingerprint Sensor\AtService.exe[876] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000075e0a2fd 1 byte [62] .text C:\Windows\system32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077301360 5 bytes JMP 0000000077460460 .text C:\Windows\system32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000773013b0 5 bytes JMP 0000000077460450 .text C:\Windows\system32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077301510 5 bytes JMP 0000000077460370 .text C:\Windows\system32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077301560 5 bytes JMP 0000000077460470 .text C:\Windows\system32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077301570 5 bytes JMP 00000000774603e0 .text C:\Windows\system32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077301620 5 bytes JMP 0000000077460320 .text C:\Windows\system32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077301650 5 bytes JMP 00000000774603b0 .text C:\Windows\system32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077301670 5 bytes JMP 0000000077460390 .text C:\Windows\system32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000773016b0 5 bytes JMP 00000000774602e0 .text C:\Windows\system32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077301730 5 bytes JMP 00000000774602d0 .text C:\Windows\system32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077301750 5 bytes JMP 0000000077460310 .text C:\Windows\system32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077301790 5 bytes JMP 00000000774603c0 .text C:\Windows\system32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000773017e0 5 bytes JMP 00000000774603f0 .text C:\Windows\system32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077301940 5 bytes JMP 0000000077460230 .text C:\Windows\system32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077301b00 5 bytes JMP 0000000077460480 .text C:\Windows\system32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077301b30 5 bytes JMP 00000000774603a0 .text C:\Windows\system32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077301c10 5 bytes JMP 00000000774602f0 .text C:\Windows\system32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077301c20 5 bytes JMP 0000000077460350 .text C:\Windows\system32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077301c80 5 bytes JMP 0000000077460290 .text C:\Windows\system32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077301d10 5 bytes JMP 00000000774602b0 .text C:\Windows\system32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077301d30 5 bytes JMP 00000000774603d0 .text C:\Windows\system32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077301d40 5 bytes JMP 0000000077460330 .text C:\Windows\system32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077301db0 5 bytes JMP 0000000077460410 .text C:\Windows\system32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077301de0 5 bytes JMP 0000000077460240 .text C:\Windows\system32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000773020a0 5 bytes JMP 00000000774601e0 .text C:\Windows\system32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077302160 5 bytes JMP 0000000077460250 .text C:\Windows\system32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077302190 5 bytes JMP 0000000077460490 .text C:\Windows\system32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000773021a0 5 bytes JMP 00000000774604a0 .text C:\Windows\system32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000773021d0 5 bytes JMP 0000000077460300 .text C:\Windows\system32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000773021e0 5 bytes JMP 0000000077460360 .text C:\Windows\system32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077302240 5 bytes JMP 00000000774602a0 .text C:\Windows\system32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077302290 5 bytes JMP 00000000774602c0 .text C:\Windows\system32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000773022c0 5 bytes JMP 0000000077460380 .text C:\Windows\system32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000773022d0 5 bytes JMP 0000000077460340 .text C:\Windows\system32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000773025c0 5 bytes JMP 0000000077460440 .text C:\Windows\system32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000773027c0 5 bytes JMP 0000000077460260 .text C:\Windows\system32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000773027d0 5 bytes JMP 0000000077460270 .text C:\Windows\system32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000773027e0 5 bytes JMP 0000000077460400 .text C:\Windows\system32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000773029a0 5 bytes JMP 00000000774601f0 .text C:\Windows\system32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000773029b0 5 bytes JMP 0000000077460210 .text C:\Windows\system32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077302a20 5 bytes JMP 0000000077460200 .text C:\Windows\system32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077302a80 5 bytes JMP 0000000077460420 .text C:\Windows\system32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077302a90 5 bytes JMP 0000000077460430 .text C:\Windows\system32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077302aa0 5 bytes JMP 0000000077460220 .text C:\Windows\system32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077302b80 5 bytes JMP 0000000077460280 .text C:\Windows\system32\svchost.exe[912] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000770eef8d 1 byte [62] .text C:\Windows\system32\atiesrxx.exe[976] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000770eef8d 1 byte [62] .text C:\Windows\System32\svchost.exe[244] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077301360 5 bytes JMP 0000000077460460 .text C:\Windows\System32\svchost.exe[244] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000773013b0 5 bytes JMP 0000000077460450 .text C:\Windows\System32\svchost.exe[244] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077301510 5 bytes JMP 0000000077460370 .text C:\Windows\System32\svchost.exe[244] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077301560 5 bytes JMP 0000000077460470 .text C:\Windows\System32\svchost.exe[244] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077301570 5 bytes JMP 00000000774603e0 .text C:\Windows\System32\svchost.exe[244] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077301620 5 bytes JMP 0000000077460320 .text C:\Windows\System32\svchost.exe[244] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077301650 5 bytes JMP 00000000774603b0 .text C:\Windows\System32\svchost.exe[244] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077301670 5 bytes JMP 0000000077460390 .text C:\Windows\System32\svchost.exe[244] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000773016b0 5 bytes JMP 00000000774602e0 .text C:\Windows\System32\svchost.exe[244] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077301730 5 bytes JMP 00000000774602d0 .text C:\Windows\System32\svchost.exe[244] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077301750 5 bytes JMP 0000000077460310 .text C:\Windows\System32\svchost.exe[244] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077301790 5 bytes JMP 00000000774603c0 .text C:\Windows\System32\svchost.exe[244] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000773017e0 5 bytes JMP 00000000774603f0 .text C:\Windows\System32\svchost.exe[244] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077301940 5 bytes JMP 0000000077460230 .text C:\Windows\System32\svchost.exe[244] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077301b00 5 bytes JMP 0000000077460480 .text C:\Windows\System32\svchost.exe[244] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077301b30 5 bytes JMP 00000000774603a0 .text C:\Windows\System32\svchost.exe[244] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077301c10 5 bytes JMP 00000000774602f0 .text C:\Windows\System32\svchost.exe[244] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077301c20 5 bytes JMP 0000000077460350 .text C:\Windows\System32\svchost.exe[244] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077301c80 5 bytes JMP 0000000077460290 .text C:\Windows\System32\svchost.exe[244] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077301d10 5 bytes JMP 00000000774602b0 .text C:\Windows\System32\svchost.exe[244] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077301d30 5 bytes JMP 00000000774603d0 .text C:\Windows\System32\svchost.exe[244] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077301d40 5 bytes JMP 0000000077460330 .text C:\Windows\System32\svchost.exe[244] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077301db0 5 bytes JMP 0000000077460410 .text C:\Windows\System32\svchost.exe[244] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077301de0 5 bytes JMP 0000000077460240 .text C:\Windows\System32\svchost.exe[244] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000773020a0 5 bytes JMP 00000000774601e0 .text C:\Windows\System32\svchost.exe[244] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077302160 5 bytes JMP 0000000077460250 .text C:\Windows\System32\svchost.exe[244] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077302190 5 bytes JMP 0000000077460490 .text C:\Windows\System32\svchost.exe[244] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000773021a0 5 bytes JMP 00000000774604a0 .text C:\Windows\System32\svchost.exe[244] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000773021d0 5 bytes JMP 0000000077460300 .text C:\Windows\System32\svchost.exe[244] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000773021e0 5 bytes JMP 0000000077460360 .text C:\Windows\System32\svchost.exe[244] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077302240 5 bytes JMP 00000000774602a0 .text C:\Windows\System32\svchost.exe[244] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077302290 5 bytes JMP 00000000774602c0 .text C:\Windows\System32\svchost.exe[244] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000773022c0 5 bytes JMP 0000000077460380 .text C:\Windows\System32\svchost.exe[244] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000773022d0 5 bytes JMP 0000000077460340 .text C:\Windows\System32\svchost.exe[244] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000773025c0 5 bytes JMP 0000000077460440 .text C:\Windows\System32\svchost.exe[244] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000773027c0 5 bytes JMP 0000000077460260 .text C:\Windows\System32\svchost.exe[244] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000773027d0 5 bytes JMP 0000000077460270 .text C:\Windows\System32\svchost.exe[244] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000773027e0 5 bytes JMP 0000000077460400 .text C:\Windows\System32\svchost.exe[244] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000773029a0 5 bytes JMP 00000000774601f0 .text C:\Windows\System32\svchost.exe[244] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000773029b0 5 bytes JMP 0000000077460210 .text C:\Windows\System32\svchost.exe[244] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077302a20 5 bytes JMP 0000000077460200 .text C:\Windows\System32\svchost.exe[244] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077302a80 5 bytes JMP 0000000077460420 .text C:\Windows\System32\svchost.exe[244] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077302a90 5 bytes JMP 0000000077460430 .text C:\Windows\System32\svchost.exe[244] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077302aa0 5 bytes JMP 0000000077460220 .text C:\Windows\System32\svchost.exe[244] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077302b80 5 bytes JMP 0000000077460280 .text C:\Windows\System32\svchost.exe[460] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000770eef8d 1 byte [62] .text C:\Windows\system32\svchost.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077301360 5 bytes JMP 0000000077460460 .text C:\Windows\system32\svchost.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000773013b0 5 bytes JMP 0000000077460450 .text C:\Windows\system32\svchost.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077301510 5 bytes JMP 0000000077460370 .text C:\Windows\system32\svchost.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077301560 5 bytes JMP 0000000077460470 .text C:\Windows\system32\svchost.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077301570 5 bytes JMP 00000000774603e0 .text C:\Windows\system32\svchost.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077301620 5 bytes JMP 0000000077460320 .text C:\Windows\system32\svchost.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077301650 5 bytes JMP 00000000774603b0 .text C:\Windows\system32\svchost.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077301670 5 bytes JMP 0000000077460390 .text C:\Windows\system32\svchost.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000773016b0 5 bytes JMP 00000000774602e0 .text C:\Windows\system32\svchost.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077301730 5 bytes JMP 00000000774602d0 .text C:\Windows\system32\svchost.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077301750 5 bytes JMP 0000000077460310 .text C:\Windows\system32\svchost.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077301790 5 bytes JMP 00000000774603c0 .text C:\Windows\system32\svchost.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000773017e0 5 bytes JMP 00000000774603f0 .text C:\Windows\system32\svchost.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077301940 5 bytes JMP 0000000077460230 .text C:\Windows\system32\svchost.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077301b00 5 bytes JMP 0000000077460480 .text C:\Windows\system32\svchost.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077301b30 5 bytes JMP 00000000774603a0 .text C:\Windows\system32\svchost.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077301c10 5 bytes JMP 00000000774602f0 .text C:\Windows\system32\svchost.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077301c20 5 bytes JMP 0000000077460350 .text C:\Windows\system32\svchost.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077301c80 5 bytes JMP 0000000077460290 .text C:\Windows\system32\svchost.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077301d10 5 bytes JMP 00000000774602b0 .text C:\Windows\system32\svchost.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077301d30 5 bytes JMP 00000000774603d0 .text C:\Windows\system32\svchost.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077301d40 5 bytes JMP 0000000077460330 .text C:\Windows\system32\svchost.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077301db0 5 bytes JMP 0000000077460410 .text C:\Windows\system32\svchost.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077301de0 5 bytes JMP 0000000077460240 .text C:\Windows\system32\svchost.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000773020a0 5 bytes JMP 00000000774601e0 .text C:\Windows\system32\svchost.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077302160 5 bytes JMP 0000000077460250 .text C:\Windows\system32\svchost.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077302190 5 bytes JMP 0000000077460490 .text C:\Windows\system32\svchost.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000773021a0 5 bytes JMP 00000000774604a0 .text C:\Windows\system32\svchost.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000773021d0 5 bytes JMP 0000000077460300 .text C:\Windows\system32\svchost.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000773021e0 5 bytes JMP 0000000077460360 .text C:\Windows\system32\svchost.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077302240 5 bytes JMP 00000000774602a0 .text C:\Windows\system32\svchost.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077302290 5 bytes JMP 00000000774602c0 .text C:\Windows\system32\svchost.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000773022c0 5 bytes JMP 0000000077460380 .text C:\Windows\system32\svchost.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000773022d0 5 bytes JMP 0000000077460340 .text C:\Windows\system32\svchost.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000773025c0 5 bytes JMP 0000000077460440 .text C:\Windows\system32\svchost.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000773027c0 5 bytes JMP 0000000077460260 .text C:\Windows\system32\svchost.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000773027d0 5 bytes JMP 0000000077460270 .text C:\Windows\system32\svchost.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000773027e0 5 bytes JMP 0000000077460400 .text C:\Windows\system32\svchost.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000773029a0 5 bytes JMP 00000000774601f0 .text C:\Windows\system32\svchost.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000773029b0 5 bytes JMP 0000000077460210 .text C:\Windows\system32\svchost.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077302a20 5 bytes JMP 0000000077460200 .text C:\Windows\system32\svchost.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077302a80 5 bytes JMP 0000000077460420 .text C:\Windows\system32\svchost.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077302a90 5 bytes JMP 0000000077460430 .text C:\Windows\system32\svchost.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077302aa0 5 bytes JMP 0000000077460220 .text C:\Windows\system32\svchost.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077302b80 5 bytes JMP 0000000077460280 .text C:\Windows\system32\svchost.exe[736] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000770eef8d 1 byte [62] .text C:\Windows\system32\svchost.exe[1152] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077301360 5 bytes JMP 0000000077460460 .text C:\Windows\system32\svchost.exe[1152] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000773013b0 5 bytes JMP 0000000077460450 .text C:\Windows\system32\svchost.exe[1152] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077301510 5 bytes JMP 0000000077460370 .text C:\Windows\system32\svchost.exe[1152] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077301560 5 bytes JMP 0000000077460470 .text C:\Windows\system32\svchost.exe[1152] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077301570 5 bytes JMP 00000000774603e0 .text C:\Windows\system32\svchost.exe[1152] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077301620 5 bytes JMP 0000000077460320 .text C:\Windows\system32\svchost.exe[1152] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077301650 5 bytes JMP 00000000774603b0 .text C:\Windows\system32\svchost.exe[1152] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077301670 5 bytes JMP 0000000077460390 .text C:\Windows\system32\svchost.exe[1152] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000773016b0 5 bytes JMP 00000000774602e0 .text C:\Windows\system32\svchost.exe[1152] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077301730 5 bytes JMP 00000000774602d0 .text C:\Windows\system32\svchost.exe[1152] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077301750 5 bytes JMP 0000000077460310 .text C:\Windows\system32\svchost.exe[1152] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077301790 5 bytes JMP 00000000774603c0 .text C:\Windows\system32\svchost.exe[1152] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000773017e0 5 bytes JMP 00000000774603f0 .text C:\Windows\system32\svchost.exe[1152] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077301940 5 bytes JMP 0000000077460230 .text C:\Windows\system32\svchost.exe[1152] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077301b00 5 bytes JMP 0000000077460480 .text C:\Windows\system32\svchost.exe[1152] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077301b30 5 bytes JMP 00000000774603a0 .text C:\Windows\system32\svchost.exe[1152] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077301c10 5 bytes JMP 00000000774602f0 .text C:\Windows\system32\svchost.exe[1152] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077301c20 5 bytes JMP 0000000077460350 .text C:\Windows\system32\svchost.exe[1152] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077301c80 5 bytes JMP 0000000077460290 .text C:\Windows\system32\svchost.exe[1152] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077301d10 5 bytes JMP 00000000774602b0 .text C:\Windows\system32\svchost.exe[1152] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077301d30 5 bytes JMP 00000000774603d0 .text C:\Windows\system32\svchost.exe[1152] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077301d40 5 bytes JMP 0000000077460330 .text C:\Windows\system32\svchost.exe[1152] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077301db0 5 bytes JMP 0000000077460410 .text C:\Windows\system32\svchost.exe[1152] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077301de0 5 bytes JMP 0000000077460240 .text C:\Windows\system32\svchost.exe[1152] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000773020a0 5 bytes JMP 00000000774601e0 .text C:\Windows\system32\svchost.exe[1152] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077302160 5 bytes JMP 0000000077460250 .text C:\Windows\system32\svchost.exe[1152] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077302190 5 bytes JMP 0000000077460490 .text C:\Windows\system32\svchost.exe[1152] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000773021a0 5 bytes JMP 00000000774604a0 .text C:\Windows\system32\svchost.exe[1152] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000773021d0 5 bytes JMP 0000000077460300 .text C:\Windows\system32\svchost.exe[1152] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000773021e0 5 bytes JMP 0000000077460360 .text C:\Windows\system32\svchost.exe[1152] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077302240 5 bytes JMP 00000000774602a0 .text C:\Windows\system32\svchost.exe[1152] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077302290 5 bytes JMP 00000000774602c0 .text C:\Windows\system32\svchost.exe[1152] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000773022c0 5 bytes JMP 0000000077460380 .text C:\Windows\system32\svchost.exe[1152] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000773022d0 5 bytes JMP 0000000077460340 .text C:\Windows\system32\svchost.exe[1152] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000773025c0 5 bytes JMP 0000000077460440 .text C:\Windows\system32\svchost.exe[1152] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000773027c0 5 bytes JMP 0000000077460260 .text C:\Windows\system32\svchost.exe[1152] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000773027d0 5 bytes JMP 0000000077460270 .text C:\Windows\system32\svchost.exe[1152] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000773027e0 5 bytes JMP 0000000077460400 .text C:\Windows\system32\svchost.exe[1152] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000773029a0 5 bytes JMP 00000000774601f0 .text C:\Windows\system32\svchost.exe[1152] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000773029b0 5 bytes JMP 0000000077460210 .text C:\Windows\system32\svchost.exe[1152] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077302a20 5 bytes JMP 0000000077460200 .text C:\Windows\system32\svchost.exe[1152] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077302a80 5 bytes JMP 0000000077460420 .text C:\Windows\system32\svchost.exe[1152] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077302a90 5 bytes JMP 0000000077460430 .text C:\Windows\system32\svchost.exe[1152] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077302aa0 5 bytes JMP 0000000077460220 .text C:\Windows\system32\svchost.exe[1152] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077302b80 5 bytes JMP 0000000077460280 .text C:\Windows\system32\svchost.exe[1248] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077301360 5 bytes JMP 0000000077460460 .text C:\Windows\system32\svchost.exe[1248] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000773013b0 5 bytes JMP 0000000077460450 .text C:\Windows\system32\svchost.exe[1248] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077301510 5 bytes JMP 0000000077460370 .text C:\Windows\system32\svchost.exe[1248] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077301560 5 bytes JMP 0000000077460470 .text C:\Windows\system32\svchost.exe[1248] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077301570 5 bytes JMP 00000000774603e0 .text C:\Windows\system32\svchost.exe[1248] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077301620 5 bytes JMP 0000000077460320 .text C:\Windows\system32\svchost.exe[1248] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077301650 5 bytes JMP 00000000774603b0 .text C:\Windows\system32\svchost.exe[1248] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077301670 5 bytes JMP 0000000077460390 .text C:\Windows\system32\svchost.exe[1248] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000773016b0 5 bytes JMP 00000000774602e0 .text C:\Windows\system32\svchost.exe[1248] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077301730 5 bytes JMP 00000000774602d0 .text C:\Windows\system32\svchost.exe[1248] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077301750 5 bytes JMP 0000000077460310 .text C:\Windows\system32\svchost.exe[1248] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077301790 5 bytes JMP 00000000774603c0 .text C:\Windows\system32\svchost.exe[1248] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000773017e0 5 bytes JMP 00000000774603f0 .text C:\Windows\system32\svchost.exe[1248] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077301940 5 bytes JMP 0000000077460230 .text C:\Windows\system32\svchost.exe[1248] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077301b00 5 bytes JMP 0000000077460480 .text C:\Windows\system32\svchost.exe[1248] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077301b30 5 bytes JMP 00000000774603a0 .text C:\Windows\system32\svchost.exe[1248] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077301c10 5 bytes JMP 00000000774602f0 .text C:\Windows\system32\svchost.exe[1248] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077301c20 5 bytes JMP 0000000077460350 .text C:\Windows\system32\svchost.exe[1248] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077301c80 5 bytes JMP 0000000077460290 .text C:\Windows\system32\svchost.exe[1248] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077301d10 5 bytes JMP 00000000774602b0 .text C:\Windows\system32\svchost.exe[1248] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077301d30 5 bytes JMP 00000000774603d0 .text C:\Windows\system32\svchost.exe[1248] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077301d40 5 bytes JMP 0000000077460330 .text C:\Windows\system32\svchost.exe[1248] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077301db0 5 bytes JMP 0000000077460410 .text C:\Windows\system32\svchost.exe[1248] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077301de0 5 bytes JMP 0000000077460240 .text C:\Windows\system32\svchost.exe[1248] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000773020a0 5 bytes JMP 00000000774601e0 .text C:\Windows\system32\svchost.exe[1248] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077302160 5 bytes JMP 0000000077460250 .text C:\Windows\system32\svchost.exe[1248] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077302190 5 bytes JMP 0000000077460490 .text C:\Windows\system32\svchost.exe[1248] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000773021a0 5 bytes JMP 00000000774604a0 .text C:\Windows\system32\svchost.exe[1248] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000773021d0 5 bytes JMP 0000000077460300 .text C:\Windows\system32\svchost.exe[1248] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000773021e0 5 bytes JMP 0000000077460360 .text C:\Windows\system32\svchost.exe[1248] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077302240 5 bytes JMP 00000000774602a0 .text C:\Windows\system32\svchost.exe[1248] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077302290 5 bytes JMP 00000000774602c0 .text C:\Windows\system32\svchost.exe[1248] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000773022c0 5 bytes JMP 0000000077460380 .text C:\Windows\system32\svchost.exe[1248] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000773022d0 5 bytes JMP 0000000077460340 .text C:\Windows\system32\svchost.exe[1248] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000773025c0 5 bytes JMP 0000000077460440 .text C:\Windows\system32\svchost.exe[1248] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000773027c0 5 bytes JMP 0000000077460260 .text C:\Windows\system32\svchost.exe[1248] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000773027d0 5 bytes JMP 0000000077460270 .text C:\Windows\system32\svchost.exe[1248] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000773027e0 5 bytes JMP 0000000077460400 .text C:\Windows\system32\svchost.exe[1248] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000773029a0 5 bytes JMP 00000000774601f0 .text C:\Windows\system32\svchost.exe[1248] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000773029b0 5 bytes JMP 0000000077460210 .text C:\Windows\system32\svchost.exe[1248] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077302a20 5 bytes JMP 0000000077460200 .text C:\Windows\system32\svchost.exe[1248] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077302a80 5 bytes JMP 0000000077460420 .text C:\Windows\system32\svchost.exe[1248] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077302a90 5 bytes JMP 0000000077460430 .text C:\Windows\system32\svchost.exe[1248] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077302aa0 5 bytes JMP 0000000077460220 .text C:\Windows\system32\svchost.exe[1248] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077302b80 5 bytes JMP 0000000077460280 .text C:\Windows\system32\svchost.exe[1248] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000770eef8d 1 byte [62] .text C:\Windows\system32\atieclxx.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077301360 5 bytes JMP 0000000077460460 .text C:\Windows\system32\atieclxx.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000773013b0 5 bytes JMP 0000000077460450 .text C:\Windows\system32\atieclxx.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077301510 5 bytes JMP 0000000077460370 .text C:\Windows\system32\atieclxx.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077301560 5 bytes JMP 0000000077460470 .text C:\Windows\system32\atieclxx.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077301570 5 bytes JMP 00000000774603e0 .text C:\Windows\system32\atieclxx.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077301620 5 bytes JMP 0000000077460320 .text C:\Windows\system32\atieclxx.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077301650 5 bytes JMP 00000000774603b0 .text C:\Windows\system32\atieclxx.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077301670 5 bytes JMP 0000000077460390 .text C:\Windows\system32\atieclxx.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000773016b0 5 bytes JMP 00000000774602e0 .text C:\Windows\system32\atieclxx.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077301730 5 bytes JMP 00000000774602d0 .text C:\Windows\system32\atieclxx.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077301750 5 bytes JMP 0000000077460310 .text C:\Windows\system32\atieclxx.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077301790 5 bytes JMP 00000000774603c0 .text C:\Windows\system32\atieclxx.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000773017e0 5 bytes JMP 00000000774603f0 .text C:\Windows\system32\atieclxx.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077301940 5 bytes JMP 0000000077460230 .text C:\Windows\system32\atieclxx.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077301b00 5 bytes JMP 0000000077460480 .text C:\Windows\system32\atieclxx.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077301b30 5 bytes JMP 00000000774603a0 .text C:\Windows\system32\atieclxx.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077301c10 5 bytes JMP 00000000774602f0 .text C:\Windows\system32\atieclxx.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077301c20 5 bytes JMP 0000000077460350 .text C:\Windows\system32\atieclxx.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077301c80 5 bytes JMP 0000000077460290 .text C:\Windows\system32\atieclxx.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077301d10 5 bytes JMP 00000000774602b0 .text C:\Windows\system32\atieclxx.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077301d30 5 bytes JMP 00000000774603d0 .text C:\Windows\system32\atieclxx.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077301d40 5 bytes JMP 0000000077460330 .text C:\Windows\system32\atieclxx.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077301db0 5 bytes JMP 0000000077460410 .text C:\Windows\system32\atieclxx.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077301de0 5 bytes JMP 0000000077460240 .text C:\Windows\system32\atieclxx.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000773020a0 5 bytes JMP 00000000774601e0 .text C:\Windows\system32\atieclxx.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077302160 5 bytes JMP 0000000077460250 .text C:\Windows\system32\atieclxx.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077302190 5 bytes JMP 0000000077460490 .text C:\Windows\system32\atieclxx.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000773021a0 5 bytes JMP 00000000774604a0 .text C:\Windows\system32\atieclxx.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000773021d0 5 bytes JMP 0000000077460300 .text C:\Windows\system32\atieclxx.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000773021e0 5 bytes JMP 0000000077460360 .text C:\Windows\system32\atieclxx.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077302240 5 bytes JMP 00000000774602a0 .text C:\Windows\system32\atieclxx.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077302290 5 bytes JMP 00000000774602c0 .text C:\Windows\system32\atieclxx.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000773022c0 5 bytes JMP 0000000077460380 .text C:\Windows\system32\atieclxx.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000773022d0 5 bytes JMP 0000000077460340 .text C:\Windows\system32\atieclxx.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000773025c0 5 bytes JMP 0000000077460440 .text C:\Windows\system32\atieclxx.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000773027c0 5 bytes JMP 0000000077460260 .text C:\Windows\system32\atieclxx.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000773027d0 5 bytes JMP 0000000077460270 .text C:\Windows\system32\atieclxx.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000773027e0 5 bytes JMP 0000000077460400 .text C:\Windows\system32\atieclxx.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000773029a0 5 bytes JMP 00000000774601f0 .text C:\Windows\system32\atieclxx.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000773029b0 5 bytes JMP 0000000077460210 .text C:\Windows\system32\atieclxx.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077302a20 5 bytes JMP 0000000077460200 .text C:\Windows\system32\atieclxx.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077302a80 5 bytes JMP 0000000077460420 .text C:\Windows\system32\atieclxx.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077302a90 5 bytes JMP 0000000077460430 .text C:\Windows\system32\atieclxx.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077302aa0 5 bytes JMP 0000000077460220 .text C:\Windows\system32\atieclxx.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077302b80 5 bytes JMP 0000000077460280 .text C:\Windows\SYSTEM32\WISPTIS.EXE[1328] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077301360 5 bytes JMP 0000000077460460 .text C:\Windows\SYSTEM32\WISPTIS.EXE[1328] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000773013b0 5 bytes JMP 0000000077460450 .text C:\Windows\SYSTEM32\WISPTIS.EXE[1328] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077301510 5 bytes JMP 0000000077460370 .text C:\Windows\SYSTEM32\WISPTIS.EXE[1328] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077301560 5 bytes JMP 0000000077460470 .text C:\Windows\SYSTEM32\WISPTIS.EXE[1328] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077301570 5 bytes JMP 00000000774603e0 .text C:\Windows\SYSTEM32\WISPTIS.EXE[1328] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077301620 5 bytes JMP 0000000077460320 .text C:\Windows\SYSTEM32\WISPTIS.EXE[1328] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077301650 5 bytes JMP 00000000774603b0 .text C:\Windows\SYSTEM32\WISPTIS.EXE[1328] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077301670 5 bytes JMP 0000000077460390 .text C:\Windows\SYSTEM32\WISPTIS.EXE[1328] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000773016b0 5 bytes JMP 00000000774602e0 .text C:\Windows\SYSTEM32\WISPTIS.EXE[1328] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077301730 5 bytes JMP 00000000774602d0 .text C:\Windows\SYSTEM32\WISPTIS.EXE[1328] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077301750 5 bytes JMP 0000000077460310 .text C:\Windows\SYSTEM32\WISPTIS.EXE[1328] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077301790 5 bytes JMP 00000000774603c0 .text C:\Windows\SYSTEM32\WISPTIS.EXE[1328] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000773017e0 5 bytes JMP 00000000774603f0 .text C:\Windows\SYSTEM32\WISPTIS.EXE[1328] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077301940 5 bytes JMP 0000000077460230 .text C:\Windows\SYSTEM32\WISPTIS.EXE[1328] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077301b00 5 bytes JMP 0000000077460480 .text C:\Windows\SYSTEM32\WISPTIS.EXE[1328] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077301b30 5 bytes JMP 00000000774603a0 .text C:\Windows\SYSTEM32\WISPTIS.EXE[1328] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077301c10 5 bytes JMP 00000000774602f0 .text C:\Windows\SYSTEM32\WISPTIS.EXE[1328] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077301c20 5 bytes JMP 0000000077460350 .text C:\Windows\SYSTEM32\WISPTIS.EXE[1328] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077301c80 5 bytes JMP 0000000077460290 .text C:\Windows\SYSTEM32\WISPTIS.EXE[1328] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077301d10 5 bytes JMP 00000000774602b0 .text C:\Windows\SYSTEM32\WISPTIS.EXE[1328] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077301d30 5 bytes JMP 00000000774603d0 .text C:\Windows\SYSTEM32\WISPTIS.EXE[1328] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077301d40 5 bytes JMP 0000000077460330 .text C:\Windows\SYSTEM32\WISPTIS.EXE[1328] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077301db0 5 bytes JMP 0000000077460410 .text C:\Windows\SYSTEM32\WISPTIS.EXE[1328] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077301de0 5 bytes JMP 0000000077460240 .text C:\Windows\SYSTEM32\WISPTIS.EXE[1328] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000773020a0 5 bytes JMP 00000000774601e0 .text C:\Windows\SYSTEM32\WISPTIS.EXE[1328] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077302160 5 bytes JMP 0000000077460250 .text C:\Windows\SYSTEM32\WISPTIS.EXE[1328] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077302190 5 bytes JMP 0000000077460490 .text C:\Windows\SYSTEM32\WISPTIS.EXE[1328] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000773021a0 5 bytes JMP 00000000774604a0 .text C:\Windows\SYSTEM32\WISPTIS.EXE[1328] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000773021d0 5 bytes JMP 0000000077460300 .text C:\Windows\SYSTEM32\WISPTIS.EXE[1328] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000773021e0 5 bytes JMP 0000000077460360 .text C:\Windows\SYSTEM32\WISPTIS.EXE[1328] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077302240 5 bytes JMP 00000000774602a0 .text C:\Windows\SYSTEM32\WISPTIS.EXE[1328] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077302290 5 bytes JMP 00000000774602c0 .text C:\Windows\SYSTEM32\WISPTIS.EXE[1328] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000773022c0 5 bytes JMP 0000000077460380 .text C:\Windows\SYSTEM32\WISPTIS.EXE[1328] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000773022d0 5 bytes JMP 0000000077460340 .text C:\Windows\SYSTEM32\WISPTIS.EXE[1328] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000773025c0 5 bytes JMP 0000000077460440 .text C:\Windows\SYSTEM32\WISPTIS.EXE[1328] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000773027c0 5 bytes JMP 0000000077460260 .text C:\Windows\SYSTEM32\WISPTIS.EXE[1328] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000773027d0 5 bytes JMP 0000000077460270 .text C:\Windows\SYSTEM32\WISPTIS.EXE[1328] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000773027e0 5 bytes JMP 0000000077460400 .text C:\Windows\SYSTEM32\WISPTIS.EXE[1328] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000773029a0 5 bytes JMP 00000000774601f0 .text C:\Windows\SYSTEM32\WISPTIS.EXE[1328] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000773029b0 5 bytes JMP 0000000077460210 .text C:\Windows\SYSTEM32\WISPTIS.EXE[1328] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077302a20 5 bytes JMP 0000000077460200 .text C:\Windows\SYSTEM32\WISPTIS.EXE[1328] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077302a80 5 bytes JMP 0000000077460420 .text C:\Windows\SYSTEM32\WISPTIS.EXE[1328] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077302a90 5 bytes JMP 0000000077460430 .text C:\Windows\SYSTEM32\WISPTIS.EXE[1328] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077302aa0 5 bytes JMP 0000000077460220 .text C:\Windows\SYSTEM32\WISPTIS.EXE[1328] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077302b80 5 bytes JMP 0000000077460280 .text c:\Program Files (x86)\Acer Bio Protection\CompPtcVUI.exe[1420] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000075e0a2fd 1 byte [62] .text C:\Windows\system32\svchost.exe[1452] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077301360 5 bytes JMP 0000000100070460 .text C:\Windows\system32\svchost.exe[1452] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000773013b0 5 bytes JMP 0000000100070450 .text C:\Windows\system32\svchost.exe[1452] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077301510 5 bytes JMP 0000000100070370 .text C:\Windows\system32\svchost.exe[1452] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077301560 5 bytes JMP 0000000100070470 .text C:\Windows\system32\svchost.exe[1452] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077301570 5 bytes JMP 00000001000703e0 .text C:\Windows\system32\svchost.exe[1452] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077301620 5 bytes JMP 0000000100070320 .text C:\Windows\system32\svchost.exe[1452] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077301650 5 bytes JMP 00000001000703b0 .text C:\Windows\system32\svchost.exe[1452] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077301670 5 bytes JMP 0000000100070390 .text C:\Windows\system32\svchost.exe[1452] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000773016b0 5 bytes JMP 00000001000702e0 .text C:\Windows\system32\svchost.exe[1452] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077301730 5 bytes JMP 00000001000702d0 .text C:\Windows\system32\svchost.exe[1452] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077301750 5 bytes JMP 0000000100070310 .text C:\Windows\system32\svchost.exe[1452] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077301790 5 bytes JMP 00000001000703c0 .text C:\Windows\system32\svchost.exe[1452] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000773017e0 5 bytes JMP 00000001000703f0 .text C:\Windows\system32\svchost.exe[1452] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077301940 5 bytes JMP 0000000100070230 .text C:\Windows\system32\svchost.exe[1452] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077301b00 5 bytes JMP 0000000100070480 .text C:\Windows\system32\svchost.exe[1452] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077301b30 5 bytes JMP 00000001000703a0 .text C:\Windows\system32\svchost.exe[1452] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077301c10 5 bytes JMP 00000001000702f0 .text C:\Windows\system32\svchost.exe[1452] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077301c20 5 bytes JMP 0000000100070350 .text C:\Windows\system32\svchost.exe[1452] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077301c80 5 bytes JMP 0000000100070290 .text C:\Windows\system32\svchost.exe[1452] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077301d10 5 bytes JMP 00000001000702b0 .text C:\Windows\system32\svchost.exe[1452] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077301d30 5 bytes JMP 00000001000703d0 .text C:\Windows\system32\svchost.exe[1452] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077301d40 5 bytes JMP 0000000100070330 .text C:\Windows\system32\svchost.exe[1452] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077301db0 5 bytes JMP 0000000100070410 .text C:\Windows\system32\svchost.exe[1452] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077301de0 5 bytes JMP 0000000100070240 .text C:\Windows\system32\svchost.exe[1452] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000773020a0 5 bytes JMP 00000001000701e0 .text C:\Windows\system32\svchost.exe[1452] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077302160 5 bytes JMP 0000000100070250 .text C:\Windows\system32\svchost.exe[1452] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077302190 5 bytes JMP 0000000100070490 .text C:\Windows\system32\svchost.exe[1452] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000773021a0 5 bytes JMP 00000001000704a0 .text C:\Windows\system32\svchost.exe[1452] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000773021d0 5 bytes JMP 0000000100070300 .text C:\Windows\system32\svchost.exe[1452] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000773021e0 5 bytes JMP 0000000100070360 .text C:\Windows\system32\svchost.exe[1452] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077302240 5 bytes JMP 00000001000702a0 .text C:\Windows\system32\svchost.exe[1452] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077302290 5 bytes JMP 00000001000702c0 .text C:\Windows\system32\svchost.exe[1452] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000773022c0 5 bytes JMP 0000000100070380 .text C:\Windows\system32\svchost.exe[1452] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000773022d0 5 bytes JMP 0000000100070340 .text C:\Windows\system32\svchost.exe[1452] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000773025c0 5 bytes JMP 0000000100070440 .text C:\Windows\system32\svchost.exe[1452] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000773027c0 5 bytes JMP 0000000100070260 .text C:\Windows\system32\svchost.exe[1452] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000773027d0 5 bytes JMP 0000000100070270 .text C:\Windows\system32\svchost.exe[1452] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000773027e0 5 bytes JMP 0000000100070400 .text C:\Windows\system32\svchost.exe[1452] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000773029a0 5 bytes JMP 00000001000701f0 .text C:\Windows\system32\svchost.exe[1452] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000773029b0 5 bytes JMP 0000000100070210 .text C:\Windows\system32\svchost.exe[1452] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077302a20 5 bytes JMP 0000000100070200 .text C:\Windows\system32\svchost.exe[1452] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077302a80 5 bytes JMP 0000000100070420 .text C:\Windows\system32\svchost.exe[1452] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077302a90 5 bytes JMP 0000000100070430 .text C:\Windows\system32\svchost.exe[1452] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077302aa0 5 bytes JMP 0000000100070220 .text C:\Windows\system32\svchost.exe[1452] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077302b80 5 bytes JMP 0000000100070280 .text C:\Windows\system32\WLANExt.exe[1544] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077301360 5 bytes JMP 0000000077460460 .text C:\Windows\system32\WLANExt.exe[1544] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000773013b0 5 bytes JMP 0000000077460450 .text C:\Windows\system32\WLANExt.exe[1544] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077301510 5 bytes JMP 0000000077460370 .text C:\Windows\system32\WLANExt.exe[1544] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077301560 5 bytes JMP 0000000077460470 .text C:\Windows\system32\WLANExt.exe[1544] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077301570 5 bytes JMP 00000000774603e0 .text C:\Windows\system32\WLANExt.exe[1544] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077301620 5 bytes JMP 0000000077460320 .text C:\Windows\system32\WLANExt.exe[1544] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077301650 5 bytes JMP 00000000774603b0 .text C:\Windows\system32\WLANExt.exe[1544] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077301670 5 bytes JMP 0000000077460390 .text C:\Windows\system32\WLANExt.exe[1544] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000773016b0 5 bytes JMP 00000000774602e0 .text C:\Windows\system32\WLANExt.exe[1544] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077301730 5 bytes JMP 00000000774602d0 .text C:\Windows\system32\WLANExt.exe[1544] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077301750 5 bytes JMP 0000000077460310 .text C:\Windows\system32\WLANExt.exe[1544] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077301790 5 bytes JMP 00000000774603c0 .text C:\Windows\system32\WLANExt.exe[1544] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000773017e0 5 bytes JMP 00000000774603f0 .text C:\Windows\system32\WLANExt.exe[1544] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077301940 5 bytes JMP 0000000077460230 .text C:\Windows\system32\WLANExt.exe[1544] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077301b00 5 bytes JMP 0000000077460480 .text C:\Windows\system32\WLANExt.exe[1544] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077301b30 5 bytes JMP 00000000774603a0 .text C:\Windows\system32\WLANExt.exe[1544] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077301c10 5 bytes JMP 00000000774602f0 .text C:\Windows\system32\WLANExt.exe[1544] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077301c20 5 bytes JMP 0000000077460350 .text C:\Windows\system32\WLANExt.exe[1544] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077301c80 5 bytes JMP 0000000077460290 .text C:\Windows\system32\WLANExt.exe[1544] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077301d10 5 bytes JMP 00000000774602b0 .text C:\Windows\system32\WLANExt.exe[1544] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077301d30 5 bytes JMP 00000000774603d0 .text C:\Windows\system32\WLANExt.exe[1544] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077301d40 5 bytes JMP 0000000077460330 .text C:\Windows\system32\WLANExt.exe[1544] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077301db0 5 bytes JMP 0000000077460410 .text C:\Windows\system32\WLANExt.exe[1544] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077301de0 5 bytes JMP 0000000077460240 .text C:\Windows\system32\WLANExt.exe[1544] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000773020a0 5 bytes JMP 00000000774601e0 .text C:\Windows\system32\WLANExt.exe[1544] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077302160 5 bytes JMP 0000000077460250 .text C:\Windows\system32\WLANExt.exe[1544] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077302190 5 bytes JMP 0000000077460490 .text C:\Windows\system32\WLANExt.exe[1544] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000773021a0 5 bytes JMP 00000000774604a0 .text C:\Windows\system32\WLANExt.exe[1544] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000773021d0 5 bytes JMP 0000000077460300 .text C:\Windows\system32\WLANExt.exe[1544] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000773021e0 5 bytes JMP 0000000077460360 .text C:\Windows\system32\WLANExt.exe[1544] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077302240 5 bytes JMP 00000000774602a0 .text C:\Windows\system32\WLANExt.exe[1544] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077302290 5 bytes JMP 00000000774602c0 .text C:\Windows\system32\WLANExt.exe[1544] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000773022c0 5 bytes JMP 0000000077460380 .text C:\Windows\system32\WLANExt.exe[1544] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000773022d0 5 bytes JMP 0000000077460340 .text C:\Windows\system32\WLANExt.exe[1544] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000773025c0 5 bytes JMP 0000000077460440 .text C:\Windows\system32\WLANExt.exe[1544] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000773027c0 5 bytes JMP 0000000077460260 .text C:\Windows\system32\WLANExt.exe[1544] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000773027d0 5 bytes JMP 0000000077460270 .text C:\Windows\system32\WLANExt.exe[1544] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000773027e0 5 bytes JMP 0000000077460400 .text C:\Windows\system32\WLANExt.exe[1544] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000773029a0 5 bytes JMP 00000000774601f0 .text C:\Windows\system32\WLANExt.exe[1544] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000773029b0 5 bytes JMP 0000000077460210 .text C:\Windows\system32\WLANExt.exe[1544] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077302a20 5 bytes JMP 0000000077460200 .text C:\Windows\system32\WLANExt.exe[1544] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077302a80 5 bytes JMP 0000000077460420 .text C:\Windows\system32\WLANExt.exe[1544] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077302a90 5 bytes JMP 0000000077460430 .text C:\Windows\system32\WLANExt.exe[1544] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077302aa0 5 bytes JMP 0000000077460220 .text C:\Windows\system32\WLANExt.exe[1544] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077302b80 5 bytes JMP 0000000077460280 .text C:\Windows\system32\WLANExt.exe[1544] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000770eef8d 1 byte [62] .text C:\Windows\System32\spoolsv.exe[1792] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077301360 5 bytes JMP 0000000100070460 .text C:\Windows\System32\spoolsv.exe[1792] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000773013b0 5 bytes JMP 0000000100070450 .text C:\Windows\System32\spoolsv.exe[1792] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077301510 5 bytes JMP 0000000100070370 .text C:\Windows\System32\spoolsv.exe[1792] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077301560 5 bytes JMP 0000000100070470 .text C:\Windows\System32\spoolsv.exe[1792] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077301570 5 bytes JMP 00000001000703e0 .text C:\Windows\System32\spoolsv.exe[1792] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077301620 5 bytes JMP 0000000100070320 .text C:\Windows\System32\spoolsv.exe[1792] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077301650 5 bytes JMP 00000001000703b0 .text C:\Windows\System32\spoolsv.exe[1792] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077301670 5 bytes JMP 0000000100070390 .text C:\Windows\System32\spoolsv.exe[1792] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000773016b0 5 bytes JMP 00000001000702e0 .text C:\Windows\System32\spoolsv.exe[1792] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077301730 5 bytes JMP 00000001000702d0 .text C:\Windows\System32\spoolsv.exe[1792] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077301750 5 bytes JMP 0000000100070310 .text C:\Windows\System32\spoolsv.exe[1792] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077301790 5 bytes JMP 00000001000703c0 .text C:\Windows\System32\spoolsv.exe[1792] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000773017e0 5 bytes JMP 00000001000703f0 .text C:\Windows\System32\spoolsv.exe[1792] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077301940 5 bytes JMP 0000000100070230 .text C:\Windows\System32\spoolsv.exe[1792] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077301b00 5 bytes JMP 0000000100070480 .text C:\Windows\System32\spoolsv.exe[1792] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077301b30 5 bytes JMP 00000001000703a0 .text C:\Windows\System32\spoolsv.exe[1792] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077301c10 5 bytes JMP 00000001000702f0 .text C:\Windows\System32\spoolsv.exe[1792] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077301c20 5 bytes JMP 0000000100070350 .text C:\Windows\System32\spoolsv.exe[1792] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077301c80 5 bytes JMP 0000000100070290 .text C:\Windows\System32\spoolsv.exe[1792] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077301d10 5 bytes JMP 00000001000702b0 .text C:\Windows\System32\spoolsv.exe[1792] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077301d30 5 bytes JMP 00000001000703d0 .text C:\Windows\System32\spoolsv.exe[1792] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077301d40 5 bytes JMP 0000000100070330 .text C:\Windows\System32\spoolsv.exe[1792] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077301db0 5 bytes JMP 0000000100070410 .text C:\Windows\System32\spoolsv.exe[1792] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077301de0 5 bytes JMP 0000000100070240 .text C:\Windows\System32\spoolsv.exe[1792] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000773020a0 5 bytes JMP 00000001000701e0 .text C:\Windows\System32\spoolsv.exe[1792] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077302160 5 bytes JMP 0000000100070250 .text C:\Windows\System32\spoolsv.exe[1792] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077302190 5 bytes JMP 0000000100070490 .text C:\Windows\System32\spoolsv.exe[1792] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000773021a0 5 bytes JMP 00000001000704a0 .text C:\Windows\System32\spoolsv.exe[1792] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000773021d0 5 bytes JMP 0000000100070300 .text C:\Windows\System32\spoolsv.exe[1792] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000773021e0 5 bytes JMP 0000000100070360 .text C:\Windows\System32\spoolsv.exe[1792] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077302240 5 bytes JMP 00000001000702a0 .text C:\Windows\System32\spoolsv.exe[1792] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077302290 5 bytes JMP 00000001000702c0 .text C:\Windows\System32\spoolsv.exe[1792] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000773022c0 5 bytes JMP 0000000100070380 .text C:\Windows\System32\spoolsv.exe[1792] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000773022d0 5 bytes JMP 0000000100070340 .text C:\Windows\System32\spoolsv.exe[1792] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000773025c0 5 bytes JMP 0000000100070440 .text C:\Windows\System32\spoolsv.exe[1792] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000773027c0 5 bytes JMP 0000000100070260 .text C:\Windows\System32\spoolsv.exe[1792] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000773027d0 5 bytes JMP 0000000100070270 .text C:\Windows\System32\spoolsv.exe[1792] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000773027e0 5 bytes JMP 0000000100070400 .text C:\Windows\System32\spoolsv.exe[1792] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000773029a0 5 bytes JMP 00000001000701f0 .text C:\Windows\System32\spoolsv.exe[1792] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000773029b0 5 bytes JMP 0000000100070210 .text C:\Windows\System32\spoolsv.exe[1792] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077302a20 5 bytes JMP 0000000100070200 .text C:\Windows\System32\spoolsv.exe[1792] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077302a80 5 bytes JMP 0000000100070420 .text C:\Windows\System32\spoolsv.exe[1792] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077302a90 5 bytes JMP 0000000100070430 .text C:\Windows\System32\spoolsv.exe[1792] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077302aa0 5 bytes JMP 0000000100070220 .text C:\Windows\System32\spoolsv.exe[1792] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077302b80 5 bytes JMP 0000000100070280 .text C:\Windows\system32\taskeng.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077301360 5 bytes JMP 0000000077460460 .text C:\Windows\system32\taskeng.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000773013b0 5 bytes JMP 0000000077460450 .text C:\Windows\system32\taskeng.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077301510 5 bytes JMP 0000000077460370 .text C:\Windows\system32\taskeng.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077301560 5 bytes JMP 0000000077460470 .text C:\Windows\system32\taskeng.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077301570 5 bytes JMP 00000000774603e0 .text C:\Windows\system32\taskeng.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077301620 5 bytes JMP 0000000077460320 .text C:\Windows\system32\taskeng.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077301650 5 bytes JMP 00000000774603b0 .text C:\Windows\system32\taskeng.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077301670 5 bytes JMP 0000000077460390 .text C:\Windows\system32\taskeng.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000773016b0 5 bytes JMP 00000000774602e0 .text C:\Windows\system32\taskeng.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077301730 5 bytes JMP 00000000774602d0 .text C:\Windows\system32\taskeng.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077301750 5 bytes JMP 0000000077460310 .text C:\Windows\system32\taskeng.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077301790 5 bytes JMP 00000000774603c0 .text C:\Windows\system32\taskeng.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000773017e0 5 bytes JMP 00000000774603f0 .text C:\Windows\system32\taskeng.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077301940 5 bytes JMP 0000000077460230 .text C:\Windows\system32\taskeng.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077301b00 5 bytes JMP 0000000077460480 .text C:\Windows\system32\taskeng.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077301b30 5 bytes JMP 00000000774603a0 .text C:\Windows\system32\taskeng.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077301c10 5 bytes JMP 00000000774602f0 .text C:\Windows\system32\taskeng.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077301c20 5 bytes JMP 0000000077460350 .text C:\Windows\system32\taskeng.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077301c80 5 bytes JMP 0000000077460290 .text C:\Windows\system32\taskeng.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077301d10 5 bytes JMP 00000000774602b0 .text C:\Windows\system32\taskeng.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077301d30 5 bytes JMP 00000000774603d0 .text C:\Windows\system32\taskeng.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077301d40 5 bytes JMP 0000000077460330 .text C:\Windows\system32\taskeng.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077301db0 5 bytes JMP 0000000077460410 .text C:\Windows\system32\taskeng.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077301de0 5 bytes JMP 0000000077460240 .text C:\Windows\system32\taskeng.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000773020a0 5 bytes JMP 00000000774601e0 .text C:\Windows\system32\taskeng.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077302160 5 bytes JMP 0000000077460250 .text C:\Windows\system32\taskeng.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077302190 5 bytes JMP 0000000077460490 .text C:\Windows\system32\taskeng.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000773021a0 5 bytes JMP 00000000774604a0 .text C:\Windows\system32\taskeng.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000773021d0 5 bytes JMP 0000000077460300 .text C:\Windows\system32\taskeng.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000773021e0 5 bytes JMP 0000000077460360 .text C:\Windows\system32\taskeng.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077302240 5 bytes JMP 00000000774602a0 .text C:\Windows\system32\taskeng.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077302290 5 bytes JMP 00000000774602c0 .text C:\Windows\system32\taskeng.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000773022c0 5 bytes JMP 0000000077460380 .text C:\Windows\system32\taskeng.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000773022d0 5 bytes JMP 0000000077460340 .text C:\Windows\system32\taskeng.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000773025c0 5 bytes JMP 0000000077460440 .text C:\Windows\system32\taskeng.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000773027c0 5 bytes JMP 0000000077460260 .text C:\Windows\system32\taskeng.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000773027d0 5 bytes JMP 0000000077460270 .text C:\Windows\system32\taskeng.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000773027e0 5 bytes JMP 0000000077460400 .text C:\Windows\system32\taskeng.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000773029a0 5 bytes JMP 00000000774601f0 .text C:\Windows\system32\taskeng.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000773029b0 5 bytes JMP 0000000077460210 .text C:\Windows\system32\taskeng.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077302a20 5 bytes JMP 0000000077460200 .text C:\Windows\system32\taskeng.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077302a80 5 bytes JMP 0000000077460420 .text C:\Windows\system32\taskeng.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077302a90 5 bytes JMP 0000000077460430 .text C:\Windows\system32\taskeng.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077302aa0 5 bytes JMP 0000000077460220 .text C:\Windows\system32\taskeng.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077302b80 5 bytes JMP 0000000077460280 .text C:\Program Files\AVAST Software\Avast\afwServ.exe[1888] C:\Windows\syswow64\kernel32.dll!SetUnhandledExceptionFilter 0000000075de8791 8 bytes [31, C0, C2, 04, 00, 90, 90, ...] .text C:\Program Files\AVAST Software\Avast\afwServ.exe[1888] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000075e0a2fd 1 byte [62] .text C:\Program Files (x86)\Common Files\EPSON\EBAPI\eEBSVC.exe[2008] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000075e0a2fd 1 byte [62] .text C:\Program Files (x86)\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe[2072] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000075e0a2fd 1 byte [62] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2112] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000075e0a2fd 1 byte [62] .text C:\Program Files (x86)\Motorola Media Link\Lite\NServiceEntry.exe[2208] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000075e0a2fd 1 byte [62] .text C:\Program Files\Acer\Acer ePower Management\ePowerSvc.exe[2280] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077301360 5 bytes JMP 0000000077460460 .text C:\Program Files\Acer\Acer ePower Management\ePowerSvc.exe[2280] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000773013b0 5 bytes JMP 0000000077460450 .text C:\Program Files\Acer\Acer ePower Management\ePowerSvc.exe[2280] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077301510 5 bytes JMP 0000000077460370 .text C:\Program Files\Acer\Acer ePower Management\ePowerSvc.exe[2280] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077301560 5 bytes JMP 0000000077460470 .text C:\Program Files\Acer\Acer ePower Management\ePowerSvc.exe[2280] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077301570 5 bytes JMP 00000000774603e0 .text C:\Program Files\Acer\Acer ePower Management\ePowerSvc.exe[2280] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077301620 5 bytes JMP 0000000077460320 .text C:\Program Files\Acer\Acer ePower Management\ePowerSvc.exe[2280] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077301650 5 bytes JMP 00000000774603b0 .text C:\Program Files\Acer\Acer ePower Management\ePowerSvc.exe[2280] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077301670 5 bytes JMP 0000000077460390 .text C:\Program Files\Acer\Acer ePower Management\ePowerSvc.exe[2280] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000773016b0 5 bytes JMP 00000000774602e0 .text C:\Program Files\Acer\Acer ePower Management\ePowerSvc.exe[2280] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077301730 5 bytes JMP 00000000774602d0 .text C:\Program Files\Acer\Acer ePower Management\ePowerSvc.exe[2280] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077301750 5 bytes JMP 0000000077460310 .text C:\Program Files\Acer\Acer ePower Management\ePowerSvc.exe[2280] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077301790 5 bytes JMP 00000000774603c0 .text C:\Program Files\Acer\Acer ePower Management\ePowerSvc.exe[2280] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000773017e0 5 bytes JMP 00000000774603f0 .text C:\Program Files\Acer\Acer ePower Management\ePowerSvc.exe[2280] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077301940 5 bytes JMP 0000000077460230 .text C:\Program Files\Acer\Acer ePower Management\ePowerSvc.exe[2280] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077301b00 5 bytes JMP 0000000077460480 .text C:\Program Files\Acer\Acer ePower Management\ePowerSvc.exe[2280] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077301b30 5 bytes JMP 00000000774603a0 .text C:\Program Files\Acer\Acer ePower Management\ePowerSvc.exe[2280] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077301c10 5 bytes JMP 00000000774602f0 .text C:\Program Files\Acer\Acer ePower Management\ePowerSvc.exe[2280] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077301c20 5 bytes JMP 0000000077460350 .text C:\Program Files\Acer\Acer ePower Management\ePowerSvc.exe[2280] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077301c80 5 bytes JMP 0000000077460290 .text C:\Program Files\Acer\Acer ePower Management\ePowerSvc.exe[2280] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077301d10 5 bytes JMP 00000000774602b0 .text C:\Program Files\Acer\Acer ePower Management\ePowerSvc.exe[2280] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077301d30 5 bytes JMP 00000000774603d0 .text C:\Program Files\Acer\Acer ePower Management\ePowerSvc.exe[2280] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077301d40 5 bytes JMP 0000000077460330 .text C:\Program Files\Acer\Acer ePower Management\ePowerSvc.exe[2280] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077301db0 5 bytes JMP 0000000077460410 .text C:\Program Files\Acer\Acer ePower Management\ePowerSvc.exe[2280] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077301de0 5 bytes JMP 0000000077460240 .text C:\Program Files\Acer\Acer ePower Management\ePowerSvc.exe[2280] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000773020a0 5 bytes JMP 00000000774601e0 .text C:\Program Files\Acer\Acer ePower Management\ePowerSvc.exe[2280] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077302160 5 bytes JMP 0000000077460250 .text C:\Program Files\Acer\Acer ePower Management\ePowerSvc.exe[2280] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077302190 5 bytes JMP 0000000077460490 .text C:\Program Files\Acer\Acer ePower Management\ePowerSvc.exe[2280] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000773021a0 5 bytes JMP 00000000774604a0 .text C:\Program Files\Acer\Acer ePower Management\ePowerSvc.exe[2280] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000773021d0 5 bytes JMP 0000000077460300 .text C:\Program Files\Acer\Acer ePower Management\ePowerSvc.exe[2280] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000773021e0 5 bytes JMP 0000000077460360 .text C:\Program Files\Acer\Acer ePower Management\ePowerSvc.exe[2280] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077302240 5 bytes JMP 00000000774602a0 .text C:\Program Files\Acer\Acer ePower Management\ePowerSvc.exe[2280] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077302290 5 bytes JMP 00000000774602c0 .text C:\Program Files\Acer\Acer ePower Management\ePowerSvc.exe[2280] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000773022c0 5 bytes JMP 0000000077460380 .text C:\Program Files\Acer\Acer ePower Management\ePowerSvc.exe[2280] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000773022d0 5 bytes JMP 0000000077460340 .text C:\Program Files\Acer\Acer ePower Management\ePowerSvc.exe[2280] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000773025c0 5 bytes JMP 0000000077460440 .text C:\Program Files\Acer\Acer ePower Management\ePowerSvc.exe[2280] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000773027c0 5 bytes JMP 0000000077460260 .text C:\Program Files\Acer\Acer ePower Management\ePowerSvc.exe[2280] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000773027d0 5 bytes JMP 0000000077460270 .text C:\Program Files\Acer\Acer ePower Management\ePowerSvc.exe[2280] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000773027e0 5 bytes JMP 0000000077460400 .text C:\Program Files\Acer\Acer ePower Management\ePowerSvc.exe[2280] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000773029a0 5 bytes JMP 00000000774601f0 .text C:\Program Files\Acer\Acer ePower Management\ePowerSvc.exe[2280] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000773029b0 5 bytes JMP 0000000077460210 .text C:\Program Files\Acer\Acer ePower Management\ePowerSvc.exe[2280] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077302a20 5 bytes JMP 0000000077460200 .text C:\Program Files\Acer\Acer ePower Management\ePowerSvc.exe[2280] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077302a80 5 bytes JMP 0000000077460420 .text C:\Program Files\Acer\Acer ePower Management\ePowerSvc.exe[2280] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077302a90 5 bytes JMP 0000000077460430 .text C:\Program Files\Acer\Acer ePower Management\ePowerSvc.exe[2280] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077302aa0 5 bytes JMP 0000000077460220 .text C:\Program Files\Acer\Acer ePower Management\ePowerSvc.exe[2280] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077302b80 5 bytes JMP 0000000077460280 .text C:\Program Files\Acer\Acer ePower Management\ePowerSvc.exe[2280] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000770eef8d 1 byte [62] .text C:\Program Files (x86)\Acer\Registration\GREGsvc.exe[2344] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000075e0a2fd 1 byte [62] .text c:\Program Files (x86)\Acer Bio Protection\BASVC.exe[2388] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000075e0a2fd 1 byte [62] .text C:\Program Files (x86)\Keyboard Driver\KMWDSrv.exe[2424] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000075e0a2fd 1 byte [62] .text C:\Program Files\Acer\Acer Updater\UpdaterService.exe[2448] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000075e0a2fd 1 byte [62] .text C:\Program Files (x86)\Motorola Mobility\Motorola Device Manager\MotoHelperService.exe[2504] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000075e0a2fd 1 byte [62] .text C:\Program Files (x86)\Motorola Mobility\Motorola Device Manager\MotoHelperService.exe[2504] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000074ee1465 2 bytes [EE, 74] .text C:\Program Files (x86)\Motorola Mobility\Motorola Device Manager\MotoHelperService.exe[2504] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000074ee14bb 2 bytes [EE, 74] .text ... * 2 .text C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\IScheduleSvc.exe[2548] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000075e0a2fd 1 byte [62] .text C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\IScheduleSvc.exe[2548] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000074ee1465 2 bytes [EE, 74] .text C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\IScheduleSvc.exe[2548] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000074ee14bb 2 bytes [EE, 74] .text ... * 2 .text C:\Program Files (x86)\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe[2572] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000075e0a2fd 1 byte [62] .text C:\Windows\system32\taskhost.exe[2192] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077301360 5 bytes JMP 0000000100060460 .text C:\Windows\system32\taskhost.exe[2192] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000773013b0 5 bytes JMP 0000000100060450 .text C:\Windows\system32\taskhost.exe[2192] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077301510 5 bytes JMP 0000000100060370 .text C:\Windows\system32\taskhost.exe[2192] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077301560 5 bytes JMP 0000000100060470 .text C:\Windows\system32\taskhost.exe[2192] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077301570 5 bytes JMP 00000001000603e0 .text C:\Windows\system32\taskhost.exe[2192] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077301620 5 bytes JMP 0000000100060320 .text C:\Windows\system32\taskhost.exe[2192] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077301650 5 bytes JMP 00000001000603b0 .text C:\Windows\system32\taskhost.exe[2192] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077301670 5 bytes JMP 0000000100060390 .text C:\Windows\system32\taskhost.exe[2192] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000773016b0 5 bytes JMP 00000001000602e0 .text C:\Windows\system32\taskhost.exe[2192] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077301730 5 bytes JMP 00000001000602d0 .text C:\Windows\system32\taskhost.exe[2192] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077301750 5 bytes JMP 0000000100060310 .text C:\Windows\system32\taskhost.exe[2192] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077301790 5 bytes JMP 00000001000603c0 .text C:\Windows\system32\taskhost.exe[2192] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000773017e0 5 bytes JMP 00000001000603f0 .text C:\Windows\system32\taskhost.exe[2192] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077301940 5 bytes JMP 0000000100060230 .text C:\Windows\system32\taskhost.exe[2192] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077301b00 5 bytes JMP 0000000100060480 .text C:\Windows\system32\taskhost.exe[2192] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077301b30 5 bytes JMP 00000001000603a0 .text C:\Windows\system32\taskhost.exe[2192] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077301c10 5 bytes JMP 00000001000602f0 .text C:\Windows\system32\taskhost.exe[2192] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077301c20 5 bytes JMP 0000000100060350 .text C:\Windows\system32\taskhost.exe[2192] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077301c80 5 bytes JMP 0000000100060290 .text C:\Windows\system32\taskhost.exe[2192] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077301d10 5 bytes JMP 00000001000602b0 .text C:\Windows\system32\taskhost.exe[2192] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077301d30 5 bytes JMP 00000001000603d0 .text C:\Windows\system32\taskhost.exe[2192] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077301d40 5 bytes JMP 0000000100060330 .text C:\Windows\system32\taskhost.exe[2192] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077301db0 5 bytes JMP 0000000100060410 .text C:\Windows\system32\taskhost.exe[2192] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077301de0 5 bytes JMP 0000000100060240 .text C:\Windows\system32\taskhost.exe[2192] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000773020a0 5 bytes JMP 00000001000601e0 .text C:\Windows\system32\taskhost.exe[2192] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077302160 5 bytes JMP 0000000100060250 .text C:\Windows\system32\taskhost.exe[2192] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077302190 5 bytes JMP 0000000100060490 .text C:\Windows\system32\taskhost.exe[2192] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000773021a0 5 bytes JMP 00000001000604a0 .text C:\Windows\system32\taskhost.exe[2192] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000773021d0 5 bytes JMP 0000000100060300 .text C:\Windows\system32\taskhost.exe[2192] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000773021e0 5 bytes JMP 0000000100060360 .text C:\Windows\system32\taskhost.exe[2192] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077302240 5 bytes JMP 00000001000602a0 .text C:\Windows\system32\taskhost.exe[2192] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077302290 5 bytes JMP 00000001000602c0 .text C:\Windows\system32\taskhost.exe[2192] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000773022c0 5 bytes JMP 0000000100060380 .text C:\Windows\system32\taskhost.exe[2192] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000773022d0 5 bytes JMP 0000000100060340 .text C:\Windows\system32\taskhost.exe[2192] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000773025c0 5 bytes JMP 0000000100060440 .text C:\Windows\system32\taskhost.exe[2192] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000773027c0 5 bytes JMP 0000000100060260 .text C:\Windows\system32\taskhost.exe[2192] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000773027d0 5 bytes JMP 0000000100060270 .text C:\Windows\system32\taskhost.exe[2192] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000773027e0 5 bytes JMP 0000000100060400 .text C:\Windows\system32\taskhost.exe[2192] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000773029a0 5 bytes JMP 00000001000601f0 .text C:\Windows\system32\taskhost.exe[2192] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000773029b0 5 bytes JMP 0000000100060210 .text C:\Windows\system32\taskhost.exe[2192] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077302a20 5 bytes JMP 0000000100060200 .text C:\Windows\system32\taskhost.exe[2192] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077302a80 5 bytes JMP 0000000100060420 .text C:\Windows\system32\taskhost.exe[2192] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077302a90 5 bytes JMP 0000000100060430 .text C:\Windows\system32\taskhost.exe[2192] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077302aa0 5 bytes JMP 0000000100060220 .text C:\Windows\system32\taskhost.exe[2192] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077302b80 5 bytes JMP 0000000100060280 .text C:\Windows\system32\taskhost.exe[2192] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000770eef8d 1 byte [62] .text C:\Windows\system32\Dwm.exe[2680] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077301360 5 bytes JMP 0000000077460460 .text C:\Windows\system32\Dwm.exe[2680] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000773013b0 5 bytes JMP 0000000077460450 .text C:\Windows\system32\Dwm.exe[2680] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077301510 5 bytes JMP 0000000077460370 .text C:\Windows\system32\Dwm.exe[2680] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077301560 5 bytes JMP 0000000077460470 .text C:\Windows\system32\Dwm.exe[2680] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077301570 5 bytes JMP 00000000774603e0 .text C:\Windows\system32\Dwm.exe[2680] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077301620 5 bytes JMP 0000000077460320 .text C:\Windows\system32\Dwm.exe[2680] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077301650 5 bytes JMP 00000000774603b0 .text C:\Windows\system32\Dwm.exe[2680] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077301670 5 bytes JMP 0000000077460390 .text C:\Windows\system32\Dwm.exe[2680] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000773016b0 5 bytes JMP 00000000774602e0 .text C:\Windows\system32\Dwm.exe[2680] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077301730 5 bytes JMP 00000000774602d0 .text C:\Windows\system32\Dwm.exe[2680] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077301750 5 bytes JMP 0000000077460310 .text C:\Windows\system32\Dwm.exe[2680] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077301790 5 bytes JMP 00000000774603c0 .text C:\Windows\system32\Dwm.exe[2680] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000773017e0 5 bytes JMP 00000000774603f0 .text C:\Windows\system32\Dwm.exe[2680] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077301940 5 bytes JMP 0000000077460230 .text C:\Windows\system32\Dwm.exe[2680] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077301b00 5 bytes JMP 0000000077460480 .text C:\Windows\system32\Dwm.exe[2680] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077301b30 5 bytes JMP 00000000774603a0 .text C:\Windows\system32\Dwm.exe[2680] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077301c10 5 bytes JMP 00000000774602f0 .text C:\Windows\system32\Dwm.exe[2680] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077301c20 5 bytes JMP 0000000077460350 .text C:\Windows\system32\Dwm.exe[2680] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077301c80 5 bytes JMP 0000000077460290 .text C:\Windows\system32\Dwm.exe[2680] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077301d10 5 bytes JMP 00000000774602b0 .text C:\Windows\system32\Dwm.exe[2680] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077301d30 5 bytes JMP 00000000774603d0 .text C:\Windows\system32\Dwm.exe[2680] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077301d40 5 bytes JMP 0000000077460330 .text C:\Windows\system32\Dwm.exe[2680] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077301db0 5 bytes JMP 0000000077460410 .text C:\Windows\system32\Dwm.exe[2680] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077301de0 5 bytes JMP 0000000077460240 .text C:\Windows\system32\Dwm.exe[2680] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000773020a0 5 bytes JMP 00000000774601e0 .text C:\Windows\system32\Dwm.exe[2680] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077302160 5 bytes JMP 0000000077460250 .text C:\Windows\system32\Dwm.exe[2680] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077302190 5 bytes JMP 0000000077460490 .text C:\Windows\system32\Dwm.exe[2680] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000773021a0 5 bytes JMP 00000000774604a0 .text C:\Windows\system32\Dwm.exe[2680] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000773021d0 5 bytes JMP 0000000077460300 .text C:\Windows\system32\Dwm.exe[2680] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000773021e0 5 bytes JMP 0000000077460360 .text C:\Windows\system32\Dwm.exe[2680] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077302240 5 bytes JMP 00000000774602a0 .text C:\Windows\system32\Dwm.exe[2680] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077302290 5 bytes JMP 00000000774602c0 .text C:\Windows\system32\Dwm.exe[2680] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000773022c0 5 bytes JMP 0000000077460380 .text C:\Windows\system32\Dwm.exe[2680] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000773022d0 5 bytes JMP 0000000077460340 .text C:\Windows\system32\Dwm.exe[2680] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000773025c0 5 bytes JMP 0000000077460440 .text C:\Windows\system32\Dwm.exe[2680] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000773027c0 5 bytes JMP 0000000077460260 .text C:\Windows\system32\Dwm.exe[2680] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000773027d0 5 bytes JMP 0000000077460270 .text C:\Windows\system32\Dwm.exe[2680] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000773027e0 5 bytes JMP 0000000077460400 .text C:\Windows\system32\Dwm.exe[2680] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000773029a0 5 bytes JMP 00000000774601f0 .text C:\Windows\system32\Dwm.exe[2680] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000773029b0 5 bytes JMP 0000000077460210 .text C:\Windows\system32\Dwm.exe[2680] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077302a20 5 bytes JMP 0000000077460200 .text C:\Windows\system32\Dwm.exe[2680] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077302a80 5 bytes JMP 0000000077460420 .text C:\Windows\system32\Dwm.exe[2680] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077302a90 5 bytes JMP 0000000077460430 .text C:\Windows\system32\Dwm.exe[2680] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077302aa0 5 bytes JMP 0000000077460220 .text C:\Windows\system32\Dwm.exe[2680] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077302b80 5 bytes JMP 0000000077460280 .text C:\Windows\system32\Dwm.exe[2680] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000770eef8d 1 byte [62] .text C:\Windows\Explorer.EXE[1948] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077301360 5 bytes JMP 0000000077460460 .text C:\Windows\Explorer.EXE[1948] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000773013b0 5 bytes JMP 0000000077460450 .text C:\Windows\Explorer.EXE[1948] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077301510 5 bytes JMP 0000000077460370 .text C:\Windows\Explorer.EXE[1948] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077301560 5 bytes JMP 0000000077460470 .text C:\Windows\Explorer.EXE[1948] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077301570 5 bytes JMP 00000000774603e0 .text C:\Windows\Explorer.EXE[1948] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077301620 5 bytes JMP 0000000077460320 .text C:\Windows\Explorer.EXE[1948] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077301650 5 bytes JMP 00000000774603b0 .text C:\Windows\Explorer.EXE[1948] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077301670 5 bytes JMP 0000000077460390 .text C:\Windows\Explorer.EXE[1948] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000773016b0 5 bytes JMP 00000000774602e0 .text C:\Windows\Explorer.EXE[1948] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077301730 5 bytes JMP 00000000774602d0 .text C:\Windows\Explorer.EXE[1948] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077301750 5 bytes JMP 0000000077460310 .text C:\Windows\Explorer.EXE[1948] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077301790 5 bytes JMP 00000000774603c0 .text C:\Windows\Explorer.EXE[1948] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000773017e0 5 bytes JMP 00000000774603f0 .text C:\Windows\Explorer.EXE[1948] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077301940 5 bytes JMP 0000000077460230 .text C:\Windows\Explorer.EXE[1948] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077301b00 5 bytes JMP 0000000077460480 .text C:\Windows\Explorer.EXE[1948] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077301b30 5 bytes JMP 00000000774603a0 .text C:\Windows\Explorer.EXE[1948] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077301c10 5 bytes JMP 00000000774602f0 .text C:\Windows\Explorer.EXE[1948] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077301c20 5 bytes JMP 0000000077460350 .text C:\Windows\Explorer.EXE[1948] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077301c80 5 bytes JMP 0000000077460290 .text C:\Windows\Explorer.EXE[1948] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077301d10 5 bytes JMP 00000000774602b0 .text C:\Windows\Explorer.EXE[1948] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077301d30 5 bytes JMP 00000000774603d0 .text C:\Windows\Explorer.EXE[1948] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077301d40 5 bytes JMP 0000000077460330 .text C:\Windows\Explorer.EXE[1948] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077301db0 5 bytes JMP 0000000077460410 .text C:\Windows\Explorer.EXE[1948] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077301de0 5 bytes JMP 0000000077460240 .text C:\Windows\Explorer.EXE[1948] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000773020a0 5 bytes JMP 00000000774601e0 .text C:\Windows\Explorer.EXE[1948] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077302160 5 bytes JMP 0000000077460250 .text C:\Windows\Explorer.EXE[1948] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077302190 5 bytes JMP 0000000077460490 .text C:\Windows\Explorer.EXE[1948] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000773021a0 5 bytes JMP 00000000774604a0 .text C:\Windows\Explorer.EXE[1948] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000773021d0 5 bytes JMP 0000000077460300 .text C:\Windows\Explorer.EXE[1948] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000773021e0 5 bytes JMP 0000000077460360 .text C:\Windows\Explorer.EXE[1948] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077302240 5 bytes JMP 00000000774602a0 .text C:\Windows\Explorer.EXE[1948] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077302290 5 bytes JMP 00000000774602c0 .text C:\Windows\Explorer.EXE[1948] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000773022c0 5 bytes JMP 0000000077460380 .text C:\Windows\Explorer.EXE[1948] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000773022d0 5 bytes JMP 0000000077460340 .text C:\Windows\Explorer.EXE[1948] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000773025c0 5 bytes JMP 0000000077460440 .text C:\Windows\Explorer.EXE[1948] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000773027c0 5 bytes JMP 0000000077460260 .text C:\Windows\Explorer.EXE[1948] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000773027d0 5 bytes JMP 0000000077460270 .text C:\Windows\Explorer.EXE[1948] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000773027e0 5 bytes JMP 0000000077460400 .text C:\Windows\Explorer.EXE[1948] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000773029a0 5 bytes JMP 00000000774601f0 .text C:\Windows\Explorer.EXE[1948] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000773029b0 5 bytes JMP 0000000077460210 .text C:\Windows\Explorer.EXE[1948] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077302a20 5 bytes JMP 0000000077460200 .text C:\Windows\Explorer.EXE[1948] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077302a80 5 bytes JMP 0000000077460420 .text C:\Windows\Explorer.EXE[1948] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077302a90 5 bytes JMP 0000000077460430 .text C:\Windows\Explorer.EXE[1948] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077302aa0 5 bytes JMP 0000000077460220 .text C:\Windows\Explorer.EXE[1948] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077302b80 5 bytes JMP 0000000077460280 .text C:\Windows\Explorer.EXE[1948] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000770eef8d 1 byte [62] .text C:\Program Files (x86)\Motorola Mobility\Motorola Device Manager\MotoHelperAgent.exe[716] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000075e0a2fd 1 byte [62] .text C:\Program Files (x86)\Motorola Mobility\Motorola Device Manager\MotoHelperAgent.exe[716] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000074ee1465 2 bytes [EE, 74] .text C:\Program Files (x86)\Motorola Mobility\Motorola Device Manager\MotoHelperAgent.exe[716] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000074ee14bb 2 bytes [EE, 74] .text ... * 2 .text C:\Windows\SYSTEM32\WISPTIS.EXE[2460] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077301360 5 bytes JMP 0000000077460460 .text C:\Windows\SYSTEM32\WISPTIS.EXE[2460] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000773013b0 5 bytes JMP 0000000077460450 .text C:\Windows\SYSTEM32\WISPTIS.EXE[2460] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077301510 5 bytes JMP 0000000077460370 .text C:\Windows\SYSTEM32\WISPTIS.EXE[2460] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077301560 5 bytes JMP 0000000077460470 .text C:\Windows\SYSTEM32\WISPTIS.EXE[2460] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077301570 5 bytes JMP 00000000774603e0 .text C:\Windows\SYSTEM32\WISPTIS.EXE[2460] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077301620 5 bytes JMP 0000000077460320 .text C:\Windows\SYSTEM32\WISPTIS.EXE[2460] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077301650 5 bytes JMP 00000000774603b0 .text C:\Windows\SYSTEM32\WISPTIS.EXE[2460] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077301670 5 bytes JMP 0000000077460390 .text C:\Windows\SYSTEM32\WISPTIS.EXE[2460] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000773016b0 5 bytes JMP 00000000774602e0 .text C:\Windows\SYSTEM32\WISPTIS.EXE[2460] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077301730 5 bytes JMP 00000000774602d0 .text C:\Windows\SYSTEM32\WISPTIS.EXE[2460] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077301750 5 bytes JMP 0000000077460310 .text C:\Windows\SYSTEM32\WISPTIS.EXE[2460] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077301790 5 bytes JMP 00000000774603c0 .text C:\Windows\SYSTEM32\WISPTIS.EXE[2460] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000773017e0 5 bytes JMP 00000000774603f0 .text C:\Windows\SYSTEM32\WISPTIS.EXE[2460] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077301940 5 bytes JMP 0000000077460230 .text C:\Windows\SYSTEM32\WISPTIS.EXE[2460] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077301b00 5 bytes JMP 0000000077460480 .text C:\Windows\SYSTEM32\WISPTIS.EXE[2460] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077301b30 5 bytes JMP 00000000774603a0 .text C:\Windows\SYSTEM32\WISPTIS.EXE[2460] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077301c10 5 bytes JMP 00000000774602f0 .text C:\Windows\SYSTEM32\WISPTIS.EXE[2460] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077301c20 5 bytes JMP 0000000077460350 .text C:\Windows\SYSTEM32\WISPTIS.EXE[2460] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077301c80 5 bytes JMP 0000000077460290 .text C:\Windows\SYSTEM32\WISPTIS.EXE[2460] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077301d10 5 bytes JMP 00000000774602b0 .text C:\Windows\SYSTEM32\WISPTIS.EXE[2460] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077301d30 5 bytes JMP 00000000774603d0 .text C:\Windows\SYSTEM32\WISPTIS.EXE[2460] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077301d40 5 bytes JMP 0000000077460330 .text C:\Windows\SYSTEM32\WISPTIS.EXE[2460] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077301db0 5 bytes JMP 0000000077460410 .text C:\Windows\SYSTEM32\WISPTIS.EXE[2460] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077301de0 5 bytes JMP 0000000077460240 .text C:\Windows\SYSTEM32\WISPTIS.EXE[2460] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000773020a0 5 bytes JMP 00000000774601e0 .text C:\Windows\SYSTEM32\WISPTIS.EXE[2460] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077302160 5 bytes JMP 0000000077460250 .text C:\Windows\SYSTEM32\WISPTIS.EXE[2460] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077302190 5 bytes JMP 0000000077460490 .text C:\Windows\SYSTEM32\WISPTIS.EXE[2460] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000773021a0 5 bytes JMP 00000000774604a0 .text C:\Windows\SYSTEM32\WISPTIS.EXE[2460] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000773021d0 5 bytes JMP 0000000077460300 .text C:\Windows\SYSTEM32\WISPTIS.EXE[2460] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000773021e0 5 bytes JMP 0000000077460360 .text C:\Windows\SYSTEM32\WISPTIS.EXE[2460] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077302240 5 bytes JMP 00000000774602a0 .text C:\Windows\SYSTEM32\WISPTIS.EXE[2460] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077302290 5 bytes JMP 00000000774602c0 .text C:\Windows\SYSTEM32\WISPTIS.EXE[2460] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000773022c0 5 bytes JMP 0000000077460380 .text C:\Windows\SYSTEM32\WISPTIS.EXE[2460] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000773022d0 5 bytes JMP 0000000077460340 .text C:\Windows\SYSTEM32\WISPTIS.EXE[2460] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000773025c0 5 bytes JMP 0000000077460440 .text C:\Windows\SYSTEM32\WISPTIS.EXE[2460] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000773027c0 5 bytes JMP 0000000077460260 .text C:\Windows\SYSTEM32\WISPTIS.EXE[2460] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000773027d0 5 bytes JMP 0000000077460270 .text C:\Windows\SYSTEM32\WISPTIS.EXE[2460] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000773027e0 5 bytes JMP 0000000077460400 .text C:\Windows\SYSTEM32\WISPTIS.EXE[2460] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000773029a0 5 bytes JMP 00000000774601f0 .text C:\Windows\SYSTEM32\WISPTIS.EXE[2460] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000773029b0 5 bytes JMP 0000000077460210 .text C:\Windows\SYSTEM32\WISPTIS.EXE[2460] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077302a20 5 bytes JMP 0000000077460200 .text C:\Windows\SYSTEM32\WISPTIS.EXE[2460] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077302a80 5 bytes JMP 0000000077460420 .text C:\Windows\SYSTEM32\WISPTIS.EXE[2460] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077302a90 5 bytes JMP 0000000077460430 .text C:\Windows\SYSTEM32\WISPTIS.EXE[2460] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077302aa0 5 bytes JMP 0000000077460220 .text C:\Windows\SYSTEM32\WISPTIS.EXE[2460] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077302b80 5 bytes JMP 0000000077460280 .text C:\Windows\SYSTEM32\WISPTIS.EXE[2460] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000770eef8d 1 byte [62] .text C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe[1616] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077301360 5 bytes JMP 0000000077460460 .text C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe[1616] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000773013b0 5 bytes JMP 0000000077460450 .text C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe[1616] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077301510 5 bytes JMP 0000000077460370 .text C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe[1616] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077301560 5 bytes JMP 0000000077460470 .text C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe[1616] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077301570 5 bytes JMP 00000000774603e0 .text C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe[1616] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077301620 5 bytes JMP 0000000077460320 .text C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe[1616] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077301650 5 bytes JMP 00000000774603b0 .text C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe[1616] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077301670 5 bytes JMP 0000000077460390 .text C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe[1616] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000773016b0 5 bytes JMP 00000000774602e0 .text C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe[1616] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077301730 5 bytes JMP 00000000774602d0 .text C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe[1616] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077301750 5 bytes JMP 0000000077460310 .text C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe[1616] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077301790 5 bytes JMP 00000000774603c0 .text C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe[1616] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000773017e0 5 bytes JMP 00000000774603f0 .text C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe[1616] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077301940 5 bytes JMP 0000000077460230 .text C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe[1616] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077301b00 5 bytes JMP 0000000077460480 .text C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe[1616] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077301b30 5 bytes JMP 00000000774603a0 .text C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe[1616] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077301c10 5 bytes JMP 00000000774602f0 .text C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe[1616] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077301c20 5 bytes JMP 0000000077460350 .text C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe[1616] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077301c80 5 bytes JMP 0000000077460290 .text C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe[1616] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077301d10 5 bytes JMP 00000000774602b0 .text C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe[1616] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077301d30 5 bytes JMP 00000000774603d0 .text C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe[1616] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077301d40 5 bytes JMP 0000000077460330 .text C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe[1616] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077301db0 5 bytes JMP 0000000077460410 .text C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe[1616] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077301de0 5 bytes JMP 0000000077460240 .text C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe[1616] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000773020a0 5 bytes JMP 00000000774601e0 .text C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe[1616] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077302160 5 bytes JMP 0000000077460250 .text C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe[1616] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077302190 5 bytes JMP 0000000077460490 .text C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe[1616] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000773021a0 5 bytes JMP 00000000774604a0 .text C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe[1616] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000773021d0 5 bytes JMP 0000000077460300 .text C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe[1616] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000773021e0 5 bytes JMP 0000000077460360 .text C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe[1616] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077302240 5 bytes JMP 00000000774602a0 .text C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe[1616] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077302290 5 bytes JMP 00000000774602c0 .text C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe[1616] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000773022c0 5 bytes JMP 0000000077460380 .text C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe[1616] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000773022d0 5 bytes JMP 0000000077460340 .text C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe[1616] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000773025c0 5 bytes JMP 0000000077460440 .text C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe[1616] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000773027c0 5 bytes JMP 0000000077460260 .text C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe[1616] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000773027d0 5 bytes JMP 0000000077460270 .text C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe[1616] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000773027e0 5 bytes JMP 0000000077460400 .text C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe[1616] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000773029a0 5 bytes JMP 00000000774601f0 .text C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe[1616] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000773029b0 5 bytes JMP 0000000077460210 .text C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe[1616] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077302a20 5 bytes JMP 0000000077460200 .text C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe[1616] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077302a80 5 bytes JMP 0000000077460420 .text C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe[1616] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077302a90 5 bytes JMP 0000000077460430 .text C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe[1616] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077302aa0 5 bytes JMP 0000000077460220 .text C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe[1616] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077302b80 5 bytes JMP 0000000077460280 .text C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe[1616] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000770eef8d 1 byte [62] .text C:\Program Files (x86)\Common Files\Microsoft Shared\Ink\TabTip32.exe[2736] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000075e0a2fd 1 byte [62] .text C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAANTMon.exe[3396] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000075e0a2fd 1 byte [62] .text C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAAnotif.exe[3724] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000075e0a2fd 1 byte [62] .text C:\Program Files\Common Files\Microsoft Shared\Ink\InputPersonalization.exe[3896] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000770eef8d 1 byte [62] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3904] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077301360 5 bytes JMP 0000000077460460 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3904] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000773013b0 5 bytes JMP 0000000077460450 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3904] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077301510 5 bytes JMP 0000000077460370 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3904] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077301560 5 bytes JMP 0000000077460470 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3904] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077301570 5 bytes JMP 00000000774603e0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3904] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077301620 5 bytes JMP 0000000077460320 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3904] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077301650 5 bytes JMP 00000000774603b0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3904] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077301670 5 bytes JMP 0000000077460390 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3904] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000773016b0 5 bytes JMP 00000000774602e0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3904] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077301730 5 bytes JMP 00000000774602d0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3904] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077301750 5 bytes JMP 0000000077460310 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3904] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077301790 5 bytes JMP 00000000774603c0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3904] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000773017e0 5 bytes JMP 00000000774603f0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3904] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077301940 5 bytes JMP 0000000077460230 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3904] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077301b00 5 bytes JMP 0000000077460480 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3904] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077301b30 5 bytes JMP 00000000774603a0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3904] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077301c10 5 bytes JMP 00000000774602f0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3904] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077301c20 5 bytes JMP 0000000077460350 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3904] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077301c80 5 bytes JMP 0000000077460290 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3904] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077301d10 5 bytes JMP 00000000774602b0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3904] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077301d30 5 bytes JMP 00000000774603d0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3904] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077301d40 5 bytes JMP 0000000077460330 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3904] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077301db0 5 bytes JMP 0000000077460410 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3904] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077301de0 5 bytes JMP 0000000077460240 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3904] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000773020a0 5 bytes JMP 00000000774601e0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3904] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077302160 5 bytes JMP 0000000077460250 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3904] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077302190 5 bytes JMP 0000000077460490 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3904] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000773021a0 5 bytes JMP 00000000774604a0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3904] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000773021d0 5 bytes JMP 0000000077460300 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3904] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000773021e0 5 bytes JMP 0000000077460360 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3904] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077302240 5 bytes JMP 00000000774602a0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3904] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077302290 5 bytes JMP 00000000774602c0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3904] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000773022c0 5 bytes JMP 0000000077460380 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3904] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000773022d0 5 bytes JMP 0000000077460340 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3904] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000773025c0 5 bytes JMP 0000000077460440 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3904] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000773027c0 5 bytes JMP 0000000077460260 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3904] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000773027d0 5 bytes JMP 0000000077460270 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3904] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000773027e0 5 bytes JMP 0000000077460400 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3904] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000773029a0 5 bytes JMP 00000000774601f0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3904] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000773029b0 5 bytes JMP 0000000077460210 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3904] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077302a20 5 bytes JMP 0000000077460200 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3904] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077302a80 5 bytes JMP 0000000077460420 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3904] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077302a90 5 bytes JMP 0000000077460430 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3904] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077302aa0 5 bytes JMP 0000000077460220 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3904] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077302b80 5 bytes JMP 0000000077460280 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3904] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000770eef8d 1 byte [62] .text C:\Program Files\Acer\Acer ePower Management\ePowerTray.exe[3992] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077301360 5 bytes JMP 0000000077460460 .text C:\Program Files\Acer\Acer ePower Management\ePowerTray.exe[3992] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000773013b0 5 bytes JMP 0000000077460450 .text C:\Program Files\Acer\Acer ePower Management\ePowerTray.exe[3992] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077301510 5 bytes JMP 0000000077460370 .text C:\Program Files\Acer\Acer ePower Management\ePowerTray.exe[3992] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077301560 5 bytes JMP 0000000077460470 .text C:\Program Files\Acer\Acer ePower Management\ePowerTray.exe[3992] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077301570 5 bytes JMP 00000000774603e0 .text C:\Program Files\Acer\Acer ePower Management\ePowerTray.exe[3992] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077301620 5 bytes JMP 0000000077460320 .text C:\Program Files\Acer\Acer ePower Management\ePowerTray.exe[3992] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077301650 5 bytes JMP 00000000774603b0 .text C:\Program Files\Acer\Acer ePower Management\ePowerTray.exe[3992] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077301670 5 bytes JMP 0000000077460390 .text C:\Program Files\Acer\Acer ePower Management\ePowerTray.exe[3992] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000773016b0 5 bytes JMP 00000000774602e0 .text C:\Program Files\Acer\Acer ePower Management\ePowerTray.exe[3992] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077301730 5 bytes JMP 00000000774602d0 .text C:\Program Files\Acer\Acer ePower Management\ePowerTray.exe[3992] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077301750 5 bytes JMP 0000000077460310 .text C:\Program Files\Acer\Acer ePower Management\ePowerTray.exe[3992] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077301790 5 bytes JMP 00000000774603c0 .text C:\Program Files\Acer\Acer ePower Management\ePowerTray.exe[3992] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000773017e0 5 bytes JMP 00000000774603f0 .text C:\Program Files\Acer\Acer ePower Management\ePowerTray.exe[3992] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077301940 5 bytes JMP 0000000077460230 .text C:\Program Files\Acer\Acer ePower Management\ePowerTray.exe[3992] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077301b00 5 bytes JMP 0000000077460480 .text C:\Program Files\Acer\Acer ePower Management\ePowerTray.exe[3992] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077301b30 5 bytes JMP 00000000774603a0 .text C:\Program Files\Acer\Acer ePower Management\ePowerTray.exe[3992] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077301c10 5 bytes JMP 00000000774602f0 .text C:\Program Files\Acer\Acer ePower Management\ePowerTray.exe[3992] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077301c20 5 bytes JMP 0000000077460350 .text C:\Program Files\Acer\Acer ePower Management\ePowerTray.exe[3992] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077301c80 5 bytes JMP 0000000077460290 .text C:\Program Files\Acer\Acer ePower Management\ePowerTray.exe[3992] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077301d10 5 bytes JMP 00000000774602b0 .text C:\Program Files\Acer\Acer ePower Management\ePowerTray.exe[3992] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077301d30 5 bytes JMP 00000000774603d0 .text C:\Program Files\Acer\Acer ePower Management\ePowerTray.exe[3992] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077301d40 5 bytes JMP 0000000077460330 .text C:\Program Files\Acer\Acer ePower Management\ePowerTray.exe[3992] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077301db0 5 bytes JMP 0000000077460410 .text C:\Program Files\Acer\Acer ePower Management\ePowerTray.exe[3992] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077301de0 5 bytes JMP 0000000077460240 .text C:\Program Files\Acer\Acer ePower Management\ePowerTray.exe[3992] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000773020a0 5 bytes JMP 00000000774601e0 .text C:\Program Files\Acer\Acer ePower Management\ePowerTray.exe[3992] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077302160 5 bytes JMP 0000000077460250 .text C:\Program Files\Acer\Acer ePower Management\ePowerTray.exe[3992] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077302190 5 bytes JMP 0000000077460490 .text C:\Program Files\Acer\Acer ePower Management\ePowerTray.exe[3992] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000773021a0 5 bytes JMP 00000000774604a0 .text C:\Program Files\Acer\Acer ePower Management\ePowerTray.exe[3992] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000773021d0 5 bytes JMP 0000000077460300 .text C:\Program Files\Acer\Acer ePower Management\ePowerTray.exe[3992] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000773021e0 5 bytes JMP 0000000077460360 .text C:\Program Files\Acer\Acer ePower Management\ePowerTray.exe[3992] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077302240 5 bytes JMP 00000000774602a0 .text C:\Program Files\Acer\Acer ePower Management\ePowerTray.exe[3992] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077302290 5 bytes JMP 00000000774602c0 .text C:\Program Files\Acer\Acer ePower Management\ePowerTray.exe[3992] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000773022c0 5 bytes JMP 0000000077460380 .text C:\Program Files\Acer\Acer ePower Management\ePowerTray.exe[3992] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000773022d0 5 bytes JMP 0000000077460340 .text C:\Program Files\Acer\Acer ePower Management\ePowerTray.exe[3992] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000773025c0 5 bytes JMP 0000000077460440 .text C:\Program Files\Acer\Acer ePower Management\ePowerTray.exe[3992] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000773027c0 5 bytes JMP 0000000077460260 .text C:\Program Files\Acer\Acer ePower Management\ePowerTray.exe[3992] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000773027d0 5 bytes JMP 0000000077460270 .text C:\Program Files\Acer\Acer ePower Management\ePowerTray.exe[3992] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000773027e0 5 bytes JMP 0000000077460400 .text C:\Program Files\Acer\Acer ePower Management\ePowerTray.exe[3992] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000773029a0 5 bytes JMP 00000000774601f0 .text C:\Program Files\Acer\Acer ePower Management\ePowerTray.exe[3992] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000773029b0 5 bytes JMP 0000000077460210 .text C:\Program Files\Acer\Acer ePower Management\ePowerTray.exe[3992] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077302a20 5 bytes JMP 0000000077460200 .text C:\Program Files\Acer\Acer ePower Management\ePowerTray.exe[3992] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077302a80 5 bytes JMP 0000000077460420 .text C:\Program Files\Acer\Acer ePower Management\ePowerTray.exe[3992] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077302a90 5 bytes JMP 0000000077460430 .text C:\Program Files\Acer\Acer ePower Management\ePowerTray.exe[3992] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077302aa0 5 bytes JMP 0000000077460220 .text C:\Program Files\Acer\Acer ePower Management\ePowerTray.exe[3992] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077302b80 5 bytes JMP 0000000077460280 .text C:\Program Files\Acer\Acer ePower Management\ePowerTray.exe[3992] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000770eef8d 1 byte [62] .text C:\Windows\WindowsMobile\wmdc.exe[1524] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077301360 5 bytes JMP 0000000077460460 .text C:\Windows\WindowsMobile\wmdc.exe[1524] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000773013b0 5 bytes JMP 0000000077460450 .text C:\Windows\WindowsMobile\wmdc.exe[1524] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077301510 5 bytes JMP 0000000077460370 .text C:\Windows\WindowsMobile\wmdc.exe[1524] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077301560 5 bytes JMP 0000000077460470 .text C:\Windows\WindowsMobile\wmdc.exe[1524] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077301570 5 bytes JMP 00000000774603e0 .text C:\Windows\WindowsMobile\wmdc.exe[1524] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077301620 5 bytes JMP 0000000077460320 .text C:\Windows\WindowsMobile\wmdc.exe[1524] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077301650 5 bytes JMP 00000000774603b0 .text C:\Windows\WindowsMobile\wmdc.exe[1524] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077301670 5 bytes JMP 0000000077460390 .text C:\Windows\WindowsMobile\wmdc.exe[1524] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000773016b0 5 bytes JMP 00000000774602e0 .text C:\Windows\WindowsMobile\wmdc.exe[1524] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077301730 5 bytes JMP 00000000774602d0 .text C:\Windows\WindowsMobile\wmdc.exe[1524] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077301750 5 bytes JMP 0000000077460310 .text C:\Windows\WindowsMobile\wmdc.exe[1524] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077301790 5 bytes JMP 00000000774603c0 .text C:\Windows\WindowsMobile\wmdc.exe[1524] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000773017e0 5 bytes JMP 00000000774603f0 .text C:\Windows\WindowsMobile\wmdc.exe[1524] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077301940 5 bytes JMP 0000000077460230 .text C:\Windows\WindowsMobile\wmdc.exe[1524] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077301b00 5 bytes JMP 0000000077460480 .text C:\Windows\WindowsMobile\wmdc.exe[1524] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077301b30 5 bytes JMP 00000000774603a0 .text C:\Windows\WindowsMobile\wmdc.exe[1524] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077301c10 5 bytes JMP 00000000774602f0 .text C:\Windows\WindowsMobile\wmdc.exe[1524] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077301c20 5 bytes JMP 0000000077460350 .text C:\Windows\WindowsMobile\wmdc.exe[1524] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077301c80 5 bytes JMP 0000000077460290 .text C:\Windows\WindowsMobile\wmdc.exe[1524] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077301d10 5 bytes JMP 00000000774602b0 .text C:\Windows\WindowsMobile\wmdc.exe[1524] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077301d30 5 bytes JMP 00000000774603d0 .text C:\Windows\WindowsMobile\wmdc.exe[1524] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077301d40 5 bytes JMP 0000000077460330 .text C:\Windows\WindowsMobile\wmdc.exe[1524] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077301db0 5 bytes JMP 0000000077460410 .text C:\Windows\WindowsMobile\wmdc.exe[1524] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077301de0 5 bytes JMP 0000000077460240 .text C:\Windows\WindowsMobile\wmdc.exe[1524] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000773020a0 5 bytes JMP 00000000774601e0 .text C:\Windows\WindowsMobile\wmdc.exe[1524] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077302160 5 bytes JMP 0000000077460250 .text C:\Windows\WindowsMobile\wmdc.exe[1524] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077302190 5 bytes JMP 0000000077460490 .text C:\Windows\WindowsMobile\wmdc.exe[1524] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000773021a0 5 bytes JMP 00000000774604a0 .text C:\Windows\WindowsMobile\wmdc.exe[1524] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000773021d0 5 bytes JMP 0000000077460300 .text C:\Windows\WindowsMobile\wmdc.exe[1524] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000773021e0 5 bytes JMP 0000000077460360 .text C:\Windows\WindowsMobile\wmdc.exe[1524] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077302240 5 bytes JMP 00000000774602a0 .text C:\Windows\WindowsMobile\wmdc.exe[1524] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077302290 5 bytes JMP 00000000774602c0 .text C:\Windows\WindowsMobile\wmdc.exe[1524] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000773022c0 5 bytes JMP 0000000077460380 .text C:\Windows\WindowsMobile\wmdc.exe[1524] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000773022d0 5 bytes JMP 0000000077460340 .text C:\Windows\WindowsMobile\wmdc.exe[1524] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000773025c0 5 bytes JMP 0000000077460440 .text C:\Windows\WindowsMobile\wmdc.exe[1524] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000773027c0 5 bytes JMP 0000000077460260 .text C:\Windows\WindowsMobile\wmdc.exe[1524] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000773027d0 5 bytes JMP 0000000077460270 .text C:\Windows\WindowsMobile\wmdc.exe[1524] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000773027e0 5 bytes JMP 0000000077460400 .text C:\Windows\WindowsMobile\wmdc.exe[1524] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000773029a0 5 bytes JMP 00000000774601f0 .text C:\Windows\WindowsMobile\wmdc.exe[1524] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000773029b0 5 bytes JMP 0000000077460210 .text C:\Windows\WindowsMobile\wmdc.exe[1524] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077302a20 5 bytes JMP 0000000077460200 .text C:\Windows\WindowsMobile\wmdc.exe[1524] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077302a80 5 bytes JMP 0000000077460420 .text C:\Windows\WindowsMobile\wmdc.exe[1524] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077302a90 5 bytes JMP 0000000077460430 .text C:\Windows\WindowsMobile\wmdc.exe[1524] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077302aa0 5 bytes JMP 0000000077460220 .text C:\Windows\WindowsMobile\wmdc.exe[1524] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077302b80 5 bytes JMP 0000000077460280 .text C:\Windows\WindowsMobile\wmdc.exe[1524] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000770eef8d 1 byte [62] .text C:\Program Files (x86)\EgisTec MyWinLocker\x86\mwlDaemon.exe[2324] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000075e0a2fd 1 byte [62] .text C:\Windows\System32\spool\drivers\x64\3\E_IATIHAE.EXE[1496] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077301360 5 bytes JMP 0000000100070460 .text C:\Windows\System32\spool\drivers\x64\3\E_IATIHAE.EXE[1496] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000773013b0 5 bytes JMP 0000000100070450 .text C:\Windows\System32\spool\drivers\x64\3\E_IATIHAE.EXE[1496] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077301510 5 bytes JMP 0000000100070370 .text C:\Windows\System32\spool\drivers\x64\3\E_IATIHAE.EXE[1496] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077301560 5 bytes JMP 0000000100070470 .text C:\Windows\System32\spool\drivers\x64\3\E_IATIHAE.EXE[1496] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077301570 5 bytes JMP 00000001000703e0 .text C:\Windows\System32\spool\drivers\x64\3\E_IATIHAE.EXE[1496] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077301620 5 bytes JMP 0000000100070320 .text C:\Windows\System32\spool\drivers\x64\3\E_IATIHAE.EXE[1496] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077301650 5 bytes JMP 00000001000703b0 .text C:\Windows\System32\spool\drivers\x64\3\E_IATIHAE.EXE[1496] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077301670 5 bytes JMP 0000000100070390 .text C:\Windows\System32\spool\drivers\x64\3\E_IATIHAE.EXE[1496] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000773016b0 5 bytes JMP 00000001000702e0 .text C:\Windows\System32\spool\drivers\x64\3\E_IATIHAE.EXE[1496] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077301730 5 bytes JMP 00000001000702d0 .text C:\Windows\System32\spool\drivers\x64\3\E_IATIHAE.EXE[1496] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077301750 5 bytes JMP 0000000100070310 .text C:\Windows\System32\spool\drivers\x64\3\E_IATIHAE.EXE[1496] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077301790 5 bytes JMP 00000001000703c0 .text C:\Windows\System32\spool\drivers\x64\3\E_IATIHAE.EXE[1496] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000773017e0 5 bytes JMP 00000001000703f0 .text C:\Windows\System32\spool\drivers\x64\3\E_IATIHAE.EXE[1496] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077301940 5 bytes JMP 0000000100070230 .text C:\Windows\System32\spool\drivers\x64\3\E_IATIHAE.EXE[1496] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077301b00 5 bytes JMP 0000000100070480 .text C:\Windows\System32\spool\drivers\x64\3\E_IATIHAE.EXE[1496] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077301b30 5 bytes JMP 00000001000703a0 .text C:\Windows\System32\spool\drivers\x64\3\E_IATIHAE.EXE[1496] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077301c10 5 bytes JMP 00000001000702f0 .text C:\Windows\System32\spool\drivers\x64\3\E_IATIHAE.EXE[1496] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077301c20 5 bytes JMP 0000000100070350 .text C:\Windows\System32\spool\drivers\x64\3\E_IATIHAE.EXE[1496] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077301c80 5 bytes JMP 0000000100070290 .text C:\Windows\System32\spool\drivers\x64\3\E_IATIHAE.EXE[1496] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077301d10 5 bytes JMP 00000001000702b0 .text C:\Windows\System32\spool\drivers\x64\3\E_IATIHAE.EXE[1496] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077301d30 5 bytes JMP 00000001000703d0 .text C:\Windows\System32\spool\drivers\x64\3\E_IATIHAE.EXE[1496] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077301d40 5 bytes JMP 0000000100070330 .text C:\Windows\System32\spool\drivers\x64\3\E_IATIHAE.EXE[1496] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077301db0 5 bytes JMP 0000000100070410 .text C:\Windows\System32\spool\drivers\x64\3\E_IATIHAE.EXE[1496] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077301de0 5 bytes JMP 0000000100070240 .text C:\Windows\System32\spool\drivers\x64\3\E_IATIHAE.EXE[1496] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000773020a0 5 bytes JMP 00000001000701e0 .text C:\Windows\System32\spool\drivers\x64\3\E_IATIHAE.EXE[1496] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077302160 5 bytes JMP 0000000100070250 .text C:\Windows\System32\spool\drivers\x64\3\E_IATIHAE.EXE[1496] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077302190 5 bytes JMP 0000000100070490 .text C:\Windows\System32\spool\drivers\x64\3\E_IATIHAE.EXE[1496] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000773021a0 5 bytes JMP 00000001000704a0 .text C:\Windows\System32\spool\drivers\x64\3\E_IATIHAE.EXE[1496] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000773021d0 5 bytes JMP 0000000100070300 .text C:\Windows\System32\spool\drivers\x64\3\E_IATIHAE.EXE[1496] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000773021e0 5 bytes JMP 0000000100070360 .text C:\Windows\System32\spool\drivers\x64\3\E_IATIHAE.EXE[1496] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077302240 5 bytes JMP 00000001000702a0 .text C:\Windows\System32\spool\drivers\x64\3\E_IATIHAE.EXE[1496] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077302290 5 bytes JMP 00000001000702c0 .text C:\Windows\System32\spool\drivers\x64\3\E_IATIHAE.EXE[1496] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000773022c0 5 bytes JMP 0000000100070380 .text C:\Windows\System32\spool\drivers\x64\3\E_IATIHAE.EXE[1496] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000773022d0 5 bytes JMP 0000000100070340 .text C:\Windows\System32\spool\drivers\x64\3\E_IATIHAE.EXE[1496] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000773025c0 5 bytes JMP 0000000100070440 .text C:\Windows\System32\spool\drivers\x64\3\E_IATIHAE.EXE[1496] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000773027c0 5 bytes JMP 0000000100070260 .text C:\Windows\System32\spool\drivers\x64\3\E_IATIHAE.EXE[1496] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000773027d0 5 bytes JMP 0000000100070270 .text C:\Windows\System32\spool\drivers\x64\3\E_IATIHAE.EXE[1496] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000773027e0 5 bytes JMP 0000000100070400 .text C:\Windows\System32\spool\drivers\x64\3\E_IATIHAE.EXE[1496] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000773029a0 5 bytes JMP 00000001000701f0 .text C:\Windows\System32\spool\drivers\x64\3\E_IATIHAE.EXE[1496] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000773029b0 5 bytes JMP 0000000100070210 .text C:\Windows\System32\spool\drivers\x64\3\E_IATIHAE.EXE[1496] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077302a20 5 bytes JMP 0000000100070200 .text C:\Windows\System32\spool\drivers\x64\3\E_IATIHAE.EXE[1496] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077302a80 5 bytes JMP 0000000100070420 .text C:\Windows\System32\spool\drivers\x64\3\E_IATIHAE.EXE[1496] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077302a90 5 bytes JMP 0000000100070430 .text C:\Windows\System32\spool\drivers\x64\3\E_IATIHAE.EXE[1496] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077302aa0 5 bytes JMP 0000000100070220 .text C:\Windows\System32\spool\drivers\x64\3\E_IATIHAE.EXE[1496] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077302b80 5 bytes JMP 0000000100070280 .text C:\Windows\System32\spool\drivers\x64\3\E_IATIHAE.EXE[1496] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000770eef8d 1 byte [62] .text C:\Windows\system32\svchost.exe[1148] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000770eef8d 1 byte [62] .text C:\Windows\system32\svchost.exe[1504] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077301360 5 bytes JMP 0000000100070460 .text C:\Windows\system32\svchost.exe[1504] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000773013b0 5 bytes JMP 0000000100070450 .text C:\Windows\system32\svchost.exe[1504] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077301510 5 bytes JMP 0000000100070370 .text C:\Windows\system32\svchost.exe[1504] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077301560 5 bytes JMP 0000000100070470 .text C:\Windows\system32\svchost.exe[1504] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077301570 5 bytes JMP 00000001000703e0 .text C:\Windows\system32\svchost.exe[1504] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077301620 5 bytes JMP 0000000100070320 .text C:\Windows\system32\svchost.exe[1504] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077301650 5 bytes JMP 00000001000703b0 .text C:\Windows\system32\svchost.exe[1504] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077301670 5 bytes JMP 0000000100070390 .text C:\Windows\system32\svchost.exe[1504] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000773016b0 5 bytes JMP 00000001000702e0 .text C:\Windows\system32\svchost.exe[1504] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077301730 5 bytes JMP 00000001000702d0 .text C:\Windows\system32\svchost.exe[1504] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077301750 5 bytes JMP 0000000100070310 .text C:\Windows\system32\svchost.exe[1504] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077301790 5 bytes JMP 00000001000703c0 .text C:\Windows\system32\svchost.exe[1504] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000773017e0 5 bytes JMP 00000001000703f0 .text C:\Windows\system32\svchost.exe[1504] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077301940 5 bytes JMP 0000000100070230 .text C:\Windows\system32\svchost.exe[1504] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077301b00 5 bytes JMP 0000000100070480 .text C:\Windows\system32\svchost.exe[1504] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077301b30 5 bytes JMP 00000001000703a0 .text C:\Windows\system32\svchost.exe[1504] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077301c10 5 bytes JMP 00000001000702f0 .text C:\Windows\system32\svchost.exe[1504] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077301c20 5 bytes JMP 0000000100070350 .text C:\Windows\system32\svchost.exe[1504] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077301c80 5 bytes JMP 0000000100070290 .text C:\Windows\system32\svchost.exe[1504] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077301d10 5 bytes JMP 00000001000702b0 .text C:\Windows\system32\svchost.exe[1504] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077301d30 5 bytes JMP 00000001000703d0 .text C:\Windows\system32\svchost.exe[1504] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077301d40 5 bytes JMP 0000000100070330 .text C:\Windows\system32\svchost.exe[1504] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077301db0 5 bytes JMP 0000000100070410 .text C:\Windows\system32\svchost.exe[1504] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077301de0 5 bytes JMP 0000000100070240 .text C:\Windows\system32\svchost.exe[1504] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000773020a0 5 bytes JMP 00000001000701e0 .text C:\Windows\system32\svchost.exe[1504] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077302160 5 bytes JMP 0000000100070250 .text C:\Windows\system32\svchost.exe[1504] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077302190 5 bytes JMP 0000000100070490 .text C:\Windows\system32\svchost.exe[1504] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000773021a0 5 bytes JMP 00000001000704a0 .text C:\Windows\system32\svchost.exe[1504] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000773021d0 5 bytes JMP 0000000100070300 .text C:\Windows\system32\svchost.exe[1504] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000773021e0 5 bytes JMP 0000000100070360 .text C:\Windows\system32\svchost.exe[1504] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077302240 5 bytes JMP 00000001000702a0 .text C:\Windows\system32\svchost.exe[1504] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077302290 5 bytes JMP 00000001000702c0 .text C:\Windows\system32\svchost.exe[1504] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000773022c0 5 bytes JMP 0000000100070380 .text C:\Windows\system32\svchost.exe[1504] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000773022d0 5 bytes JMP 0000000100070340 .text C:\Windows\system32\svchost.exe[1504] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000773025c0 5 bytes JMP 0000000100070440 .text C:\Windows\system32\svchost.exe[1504] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000773027c0 5 bytes JMP 0000000100070260 .text C:\Windows\system32\svchost.exe[1504] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000773027d0 5 bytes JMP 0000000100070270 .text C:\Windows\system32\svchost.exe[1504] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000773027e0 5 bytes JMP 0000000100070400 .text C:\Windows\system32\svchost.exe[1504] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000773029a0 5 bytes JMP 00000001000701f0 .text C:\Windows\system32\svchost.exe[1504] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000773029b0 5 bytes JMP 0000000100070210 .text C:\Windows\system32\svchost.exe[1504] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077302a20 5 bytes JMP 0000000100070200 .text C:\Windows\system32\svchost.exe[1504] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077302a80 5 bytes JMP 0000000100070420 .text C:\Windows\system32\svchost.exe[1504] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077302a90 5 bytes JMP 0000000100070430 .text C:\Windows\system32\svchost.exe[1504] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077302aa0 5 bytes JMP 0000000100070220 .text C:\Windows\system32\svchost.exe[1504] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077302b80 5 bytes JMP 0000000100070280 .text C:\Windows\system32\SearchIndexer.exe[2704] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077301360 5 bytes JMP 0000000077460460 .text C:\Windows\system32\SearchIndexer.exe[2704] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000773013b0 5 bytes JMP 0000000077460450 .text C:\Windows\system32\SearchIndexer.exe[2704] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077301510 5 bytes JMP 0000000077460370 .text C:\Windows\system32\SearchIndexer.exe[2704] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077301560 5 bytes JMP 0000000077460470 .text C:\Windows\system32\SearchIndexer.exe[2704] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077301570 5 bytes JMP 00000000774603e0 .text C:\Windows\system32\SearchIndexer.exe[2704] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077301620 5 bytes JMP 0000000077460320 .text C:\Windows\system32\SearchIndexer.exe[2704] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077301650 5 bytes JMP 00000000774603b0 .text C:\Windows\system32\SearchIndexer.exe[2704] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077301670 5 bytes JMP 0000000077460390 .text C:\Windows\system32\SearchIndexer.exe[2704] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000773016b0 5 bytes JMP 00000000774602e0 .text C:\Windows\system32\SearchIndexer.exe[2704] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077301730 5 bytes JMP 00000000774602d0 .text C:\Windows\system32\SearchIndexer.exe[2704] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077301750 5 bytes JMP 0000000077460310 .text C:\Windows\system32\SearchIndexer.exe[2704] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077301790 5 bytes JMP 00000000774603c0 .text C:\Windows\system32\SearchIndexer.exe[2704] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000773017e0 5 bytes JMP 00000000774603f0 .text C:\Windows\system32\SearchIndexer.exe[2704] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077301940 5 bytes JMP 0000000077460230 .text C:\Windows\system32\SearchIndexer.exe[2704] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077301b00 5 bytes JMP 0000000077460480 .text C:\Windows\system32\SearchIndexer.exe[2704] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077301b30 5 bytes JMP 00000000774603a0 .text C:\Windows\system32\SearchIndexer.exe[2704] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077301c10 5 bytes JMP 00000000774602f0 .text C:\Windows\system32\SearchIndexer.exe[2704] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077301c20 5 bytes JMP 0000000077460350 .text C:\Windows\system32\SearchIndexer.exe[2704] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077301c80 5 bytes JMP 0000000077460290 .text C:\Windows\system32\SearchIndexer.exe[2704] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077301d10 5 bytes JMP 00000000774602b0 .text C:\Windows\system32\SearchIndexer.exe[2704] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077301d30 5 bytes JMP 00000000774603d0 .text C:\Windows\system32\SearchIndexer.exe[2704] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077301d40 5 bytes JMP 0000000077460330 .text C:\Windows\system32\SearchIndexer.exe[2704] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077301db0 5 bytes JMP 0000000077460410 .text C:\Windows\system32\SearchIndexer.exe[2704] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077301de0 5 bytes JMP 0000000077460240 .text C:\Windows\system32\SearchIndexer.exe[2704] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000773020a0 5 bytes JMP 00000000774601e0 .text C:\Windows\system32\SearchIndexer.exe[2704] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077302160 5 bytes JMP 0000000077460250 .text C:\Windows\system32\SearchIndexer.exe[2704] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077302190 5 bytes JMP 0000000077460490 .text C:\Windows\system32\SearchIndexer.exe[2704] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000773021a0 5 bytes JMP 00000000774604a0 .text C:\Windows\system32\SearchIndexer.exe[2704] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000773021d0 5 bytes JMP 0000000077460300 .text C:\Windows\system32\SearchIndexer.exe[2704] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000773021e0 5 bytes JMP 0000000077460360 .text C:\Windows\system32\SearchIndexer.exe[2704] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077302240 5 bytes JMP 00000000774602a0 .text C:\Windows\system32\SearchIndexer.exe[2704] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077302290 5 bytes JMP 00000000774602c0 .text C:\Windows\system32\SearchIndexer.exe[2704] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000773022c0 5 bytes JMP 0000000077460380 .text C:\Windows\system32\SearchIndexer.exe[2704] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000773022d0 5 bytes JMP 0000000077460340 .text C:\Windows\system32\SearchIndexer.exe[2704] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000773025c0 5 bytes JMP 0000000077460440 .text C:\Windows\system32\SearchIndexer.exe[2704] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000773027c0 5 bytes JMP 0000000077460260 .text C:\Windows\system32\SearchIndexer.exe[2704] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000773027d0 5 bytes JMP 0000000077460270 .text C:\Windows\system32\SearchIndexer.exe[2704] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000773027e0 5 bytes JMP 0000000077460400 .text C:\Windows\system32\SearchIndexer.exe[2704] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000773029a0 5 bytes JMP 00000000774601f0 .text C:\Windows\system32\SearchIndexer.exe[2704] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000773029b0 5 bytes JMP 0000000077460210 .text C:\Windows\system32\SearchIndexer.exe[2704] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077302a20 5 bytes JMP 0000000077460200 .text C:\Windows\system32\SearchIndexer.exe[2704] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077302a80 5 bytes JMP 0000000077460420 .text C:\Windows\system32\SearchIndexer.exe[2704] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077302a90 5 bytes JMP 0000000077460430 .text C:\Windows\system32\SearchIndexer.exe[2704] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077302aa0 5 bytes JMP 0000000077460220 .text C:\Windows\system32\SearchIndexer.exe[2704] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077302b80 5 bytes JMP 0000000077460280 .text C:\Windows\system32\SearchIndexer.exe[2704] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000770eef8d 1 byte [62] .text C:\Windows\System32\svchost.exe[4708] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077301360 5 bytes JMP 0000000100070460 .text C:\Windows\System32\svchost.exe[4708] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000773013b0 5 bytes JMP 0000000100070450 .text C:\Windows\System32\svchost.exe[4708] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077301510 5 bytes JMP 0000000100070370 .text C:\Windows\System32\svchost.exe[4708] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077301560 5 bytes JMP 0000000100070470 .text C:\Windows\System32\svchost.exe[4708] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077301570 5 bytes JMP 00000001000703e0 .text C:\Windows\System32\svchost.exe[4708] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077301620 5 bytes JMP 0000000100070320 .text C:\Windows\System32\svchost.exe[4708] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077301650 5 bytes JMP 00000001000703b0 .text C:\Windows\System32\svchost.exe[4708] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077301670 5 bytes JMP 0000000100070390 .text C:\Windows\System32\svchost.exe[4708] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000773016b0 5 bytes JMP 00000001000702e0 .text C:\Windows\System32\svchost.exe[4708] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077301730 5 bytes JMP 00000001000702d0 .text C:\Windows\System32\svchost.exe[4708] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077301750 5 bytes JMP 0000000100070310 .text C:\Windows\System32\svchost.exe[4708] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077301790 5 bytes JMP 00000001000703c0 .text C:\Windows\System32\svchost.exe[4708] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000773017e0 5 bytes JMP 00000001000703f0 .text C:\Windows\System32\svchost.exe[4708] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077301940 5 bytes JMP 0000000100070230 .text C:\Windows\System32\svchost.exe[4708] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077301b00 5 bytes JMP 0000000100070480 .text C:\Windows\System32\svchost.exe[4708] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077301b30 5 bytes JMP 00000001000703a0 .text C:\Windows\System32\svchost.exe[4708] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077301c10 5 bytes JMP 00000001000702f0 .text C:\Windows\System32\svchost.exe[4708] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077301c20 5 bytes JMP 0000000100070350 .text C:\Windows\System32\svchost.exe[4708] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077301c80 5 bytes JMP 0000000100070290 .text C:\Windows\System32\svchost.exe[4708] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077301d10 5 bytes JMP 00000001000702b0 .text C:\Windows\System32\svchost.exe[4708] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077301d30 5 bytes JMP 00000001000703d0 .text C:\Windows\System32\svchost.exe[4708] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077301d40 5 bytes JMP 0000000100070330 .text C:\Windows\System32\svchost.exe[4708] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077301db0 5 bytes JMP 0000000100070410 .text C:\Windows\System32\svchost.exe[4708] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077301de0 5 bytes JMP 0000000100070240 .text C:\Windows\System32\svchost.exe[4708] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000773020a0 5 bytes JMP 00000001000701e0 .text C:\Windows\System32\svchost.exe[4708] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077302160 5 bytes JMP 0000000100070250 .text C:\Windows\System32\svchost.exe[4708] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077302190 5 bytes JMP 0000000100070490 .text C:\Windows\System32\svchost.exe[4708] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000773021a0 5 bytes JMP 00000001000704a0 .text C:\Windows\System32\svchost.exe[4708] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000773021d0 5 bytes JMP 0000000100070300 .text C:\Windows\System32\svchost.exe[4708] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000773021e0 5 bytes JMP 0000000100070360 .text C:\Windows\System32\svchost.exe[4708] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077302240 5 bytes JMP 00000001000702a0 .text C:\Windows\System32\svchost.exe[4708] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077302290 5 bytes JMP 00000001000702c0 .text C:\Windows\System32\svchost.exe[4708] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000773022c0 5 bytes JMP 0000000100070380 .text C:\Windows\System32\svchost.exe[4708] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000773022d0 5 bytes JMP 0000000100070340 .text C:\Windows\System32\svchost.exe[4708] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000773025c0 5 bytes JMP 0000000100070440 .text C:\Windows\System32\svchost.exe[4708] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000773027c0 5 bytes JMP 0000000100070260 .text C:\Windows\System32\svchost.exe[4708] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000773027d0 5 bytes JMP 0000000100070270 .text C:\Windows\System32\svchost.exe[4708] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000773027e0 5 bytes JMP 0000000100070400 .text C:\Windows\System32\svchost.exe[4708] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000773029a0 5 bytes JMP 00000001000701f0 .text C:\Windows\System32\svchost.exe[4708] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000773029b0 5 bytes JMP 0000000100070210 .text C:\Windows\System32\svchost.exe[4708] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077302a20 5 bytes JMP 0000000100070200 .text C:\Windows\System32\svchost.exe[4708] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077302a80 5 bytes JMP 0000000100070420 .text C:\Windows\System32\svchost.exe[4708] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077302a90 5 bytes JMP 0000000100070430 .text C:\Windows\System32\svchost.exe[4708] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077302aa0 5 bytes JMP 0000000100070220 .text C:\Windows\System32\svchost.exe[4708] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077302b80 5 bytes JMP 0000000100070280 .text C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\BackupManagerTray.exe[4900] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000075e0a2fd 1 byte [62] .text C:\Program Files (x86)\EgisTec IPS\PmmUpdate.exe[4968] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000075e0a2fd 1 byte [62] .text C:\Program Files (x86)\Acer Bio Protection\PdtWzd.exe[2224] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000075e0a2fd 1 byte [62] .text C:\Program Files (x86)\Acer Bio Protection\PdtWzd.exe[2224] C:\Windows\syswow64\PSAPI.dll!GetModuleInformation + 69 0000000074ee1465 2 bytes [EE, 74] .text C:\Program Files (x86)\Acer Bio Protection\PdtWzd.exe[2224] C:\Windows\syswow64\PSAPI.dll!GetModuleInformation + 155 0000000074ee14bb 2 bytes [EE, 74] .text ... * 2 .text C:\Program Files (x86)\Common Files\Pure Networks Shared\Platform\nmctxth.exe[4720] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000075e0a2fd 1 byte [62] .text C:\Program Files (x86)\Keyboard Driver\StartAutorun.exe[4740] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000075e0a2fd 1 byte [62] .text C:\Program Files (x86)\Keyboard Driver\KMConfig.exe[4796] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000075e0a2fd 1 byte [62] .text C:\Program Files (x86)\Acer Arcade Deluxe\Acer Arcade Deluxe\ArcadeDeluxeAgent.exe[4344] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000075e0a2fd 1 byte [62] .text C:\Program Files (x86)\EgisTec IPS\EgisUpdate.exe[3708] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000075e0a2fd 1 byte [62] .text C:\Program Files (x86)\Acer Arcade Deluxe\PlayMovie\PMVService.exe[3260] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000075e0a2fd 1 byte [62] .text C:\Program Files\AVAST Software\Avast\avastui.exe[4148] C:\Windows\syswow64\kernel32.dll!SetUnhandledExceptionFilter 0000000075de8791 8 bytes [31, C0, C2, 04, 00, 90, 90, ...] .text C:\Program Files\AVAST Software\Avast\avastui.exe[4148] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000075e0a2fd 1 byte [62] .text C:\Windows\system32\wbem\unsecapp.exe[4924] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077301360 5 bytes JMP 0000000100070460 .text C:\Windows\system32\wbem\unsecapp.exe[4924] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000773013b0 5 bytes JMP 0000000100070450 .text C:\Windows\system32\wbem\unsecapp.exe[4924] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077301510 5 bytes JMP 0000000100070370 .text C:\Windows\system32\wbem\unsecapp.exe[4924] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077301560 5 bytes JMP 0000000100070470 .text C:\Windows\system32\wbem\unsecapp.exe[4924] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077301570 5 bytes JMP 00000001000703e0 .text C:\Windows\system32\wbem\unsecapp.exe[4924] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077301620 5 bytes JMP 0000000100070320 .text C:\Windows\system32\wbem\unsecapp.exe[4924] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077301650 5 bytes JMP 00000001000703b0 .text C:\Windows\system32\wbem\unsecapp.exe[4924] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077301670 5 bytes JMP 0000000100070390 .text C:\Windows\system32\wbem\unsecapp.exe[4924] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000773016b0 5 bytes JMP 00000001000702e0 .text C:\Windows\system32\wbem\unsecapp.exe[4924] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077301730 5 bytes JMP 00000001000702d0 .text C:\Windows\system32\wbem\unsecapp.exe[4924] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077301750 5 bytes JMP 0000000100070310 .text C:\Windows\system32\wbem\unsecapp.exe[4924] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077301790 5 bytes JMP 00000001000703c0 .text C:\Windows\system32\wbem\unsecapp.exe[4924] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000773017e0 5 bytes JMP 00000001000703f0 .text C:\Windows\system32\wbem\unsecapp.exe[4924] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077301940 5 bytes JMP 0000000100070230 .text C:\Windows\system32\wbem\unsecapp.exe[4924] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077301b00 5 bytes JMP 0000000100070480 .text C:\Windows\system32\wbem\unsecapp.exe[4924] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077301b30 5 bytes JMP 00000001000703a0 .text C:\Windows\system32\wbem\unsecapp.exe[4924] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077301c10 5 bytes JMP 00000001000702f0 .text C:\Windows\system32\wbem\unsecapp.exe[4924] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077301c20 5 bytes JMP 0000000100070350 .text C:\Windows\system32\wbem\unsecapp.exe[4924] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077301c80 5 bytes JMP 0000000100070290 .text C:\Windows\system32\wbem\unsecapp.exe[4924] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077301d10 5 bytes JMP 00000001000702b0 .text C:\Windows\system32\wbem\unsecapp.exe[4924] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077301d30 5 bytes JMP 00000001000703d0 .text C:\Windows\system32\wbem\unsecapp.exe[4924] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077301d40 5 bytes JMP 0000000100070330 .text C:\Windows\system32\wbem\unsecapp.exe[4924] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077301db0 5 bytes JMP 0000000100070410 .text C:\Windows\system32\wbem\unsecapp.exe[4924] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077301de0 5 bytes JMP 0000000100070240 .text C:\Windows\system32\wbem\unsecapp.exe[4924] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000773020a0 5 bytes JMP 00000001000701e0 .text C:\Windows\system32\wbem\unsecapp.exe[4924] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077302160 5 bytes JMP 0000000100070250 .text C:\Windows\system32\wbem\unsecapp.exe[4924] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077302190 5 bytes JMP 0000000100070490 .text C:\Windows\system32\wbem\unsecapp.exe[4924] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000773021a0 5 bytes JMP 00000001000704a0 .text C:\Windows\system32\wbem\unsecapp.exe[4924] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000773021d0 5 bytes JMP 0000000100070300 .text C:\Windows\system32\wbem\unsecapp.exe[4924] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000773021e0 5 bytes JMP 0000000100070360 .text C:\Windows\system32\wbem\unsecapp.exe[4924] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077302240 5 bytes JMP 00000001000702a0 .text C:\Windows\system32\wbem\unsecapp.exe[4924] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077302290 5 bytes JMP 00000001000702c0 .text C:\Windows\system32\wbem\unsecapp.exe[4924] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000773022c0 5 bytes JMP 0000000100070380 .text C:\Windows\system32\wbem\unsecapp.exe[4924] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000773022d0 5 bytes JMP 0000000100070340 .text C:\Windows\system32\wbem\unsecapp.exe[4924] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000773025c0 5 bytes JMP 0000000100070440 .text C:\Windows\system32\wbem\unsecapp.exe[4924] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000773027c0 5 bytes JMP 0000000100070260 .text C:\Windows\system32\wbem\unsecapp.exe[4924] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000773027d0 5 bytes JMP 0000000100070270 .text C:\Windows\system32\wbem\unsecapp.exe[4924] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000773027e0 5 bytes JMP 0000000100070400 .text C:\Windows\system32\wbem\unsecapp.exe[4924] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000773029a0 5 bytes JMP 00000001000701f0 .text C:\Windows\system32\wbem\unsecapp.exe[4924] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000773029b0 5 bytes JMP 0000000100070210 .text C:\Windows\system32\wbem\unsecapp.exe[4924] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077302a20 5 bytes JMP 0000000100070200 .text C:\Windows\system32\wbem\unsecapp.exe[4924] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077302a80 5 bytes JMP 0000000100070420 .text C:\Windows\system32\wbem\unsecapp.exe[4924] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077302a90 5 bytes JMP 0000000100070430 .text C:\Windows\system32\wbem\unsecapp.exe[4924] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077302aa0 5 bytes JMP 0000000100070220 .text C:\Windows\system32\wbem\unsecapp.exe[4924] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077302b80 5 bytes JMP 0000000100070280 .text C:\Windows\system32\wbem\unsecapp.exe[4924] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000770eef8d 1 byte [62] .text C:\Program Files (x86)\Acer Bio Protection\PwdBank.exe[3252] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000075e0a2fd 1 byte [62] .text C:\Program Files (x86)\Acer Bio Protection\PwdBank.exe[3252] C:\Windows\syswow64\PSAPI.dll!GetModuleInformation + 69 0000000074ee1465 2 bytes [EE, 74] .text C:\Program Files (x86)\Acer Bio Protection\PwdBank.exe[3252] C:\Windows\syswow64\PSAPI.dll!GetModuleInformation + 155 0000000074ee14bb 2 bytes [EE, 74] .text ... * 2 .text C:\Program Files (x86)\Keyboard Driver\KMProcess.exe[3716] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000075e0a2fd 1 byte [62] .text C:\Program Files\Acer\Acer ePower Management\ePowerEvent.exe[4836] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077301360 5 bytes JMP 0000000077460460 .text C:\Program Files\Acer\Acer ePower Management\ePowerEvent.exe[4836] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000773013b0 5 bytes JMP 0000000077460450 .text C:\Program Files\Acer\Acer ePower Management\ePowerEvent.exe[4836] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077301510 5 bytes JMP 0000000077460370 .text C:\Program Files\Acer\Acer ePower Management\ePowerEvent.exe[4836] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077301560 5 bytes JMP 0000000077460470 .text C:\Program Files\Acer\Acer ePower Management\ePowerEvent.exe[4836] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077301570 5 bytes JMP 00000000774603e0 .text C:\Program Files\Acer\Acer ePower Management\ePowerEvent.exe[4836] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077301620 5 bytes JMP 0000000077460320 .text C:\Program Files\Acer\Acer ePower Management\ePowerEvent.exe[4836] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077301650 5 bytes JMP 00000000774603b0 .text C:\Program Files\Acer\Acer ePower Management\ePowerEvent.exe[4836] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077301670 5 bytes JMP 0000000077460390 .text C:\Program Files\Acer\Acer ePower Management\ePowerEvent.exe[4836] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000773016b0 5 bytes JMP 00000000774602e0 .text C:\Program Files\Acer\Acer ePower Management\ePowerEvent.exe[4836] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077301730 5 bytes JMP 00000000774602d0 .text C:\Program Files\Acer\Acer ePower Management\ePowerEvent.exe[4836] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077301750 5 bytes JMP 0000000077460310 .text C:\Program Files\Acer\Acer ePower Management\ePowerEvent.exe[4836] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077301790 5 bytes JMP 00000000774603c0 .text C:\Program Files\Acer\Acer ePower Management\ePowerEvent.exe[4836] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000773017e0 5 bytes JMP 00000000774603f0 .text C:\Program Files\Acer\Acer ePower Management\ePowerEvent.exe[4836] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077301940 5 bytes JMP 0000000077460230 .text C:\Program Files\Acer\Acer ePower Management\ePowerEvent.exe[4836] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077301b00 5 bytes JMP 0000000077460480 .text C:\Program Files\Acer\Acer ePower Management\ePowerEvent.exe[4836] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077301b30 5 bytes JMP 00000000774603a0 .text C:\Program Files\Acer\Acer ePower Management\ePowerEvent.exe[4836] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077301c10 5 bytes JMP 00000000774602f0 .text C:\Program Files\Acer\Acer ePower Management\ePowerEvent.exe[4836] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077301c20 5 bytes JMP 0000000077460350 .text C:\Program Files\Acer\Acer ePower Management\ePowerEvent.exe[4836] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077301c80 5 bytes JMP 0000000077460290 .text C:\Program Files\Acer\Acer ePower Management\ePowerEvent.exe[4836] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077301d10 5 bytes JMP 00000000774602b0 .text C:\Program Files\Acer\Acer ePower Management\ePowerEvent.exe[4836] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077301d30 5 bytes JMP 00000000774603d0 .text C:\Program Files\Acer\Acer ePower Management\ePowerEvent.exe[4836] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077301d40 5 bytes JMP 0000000077460330 .text C:\Program Files\Acer\Acer ePower Management\ePowerEvent.exe[4836] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077301db0 5 bytes JMP 0000000077460410 .text C:\Program Files\Acer\Acer ePower Management\ePowerEvent.exe[4836] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077301de0 5 bytes JMP 0000000077460240 .text C:\Program Files\Acer\Acer ePower Management\ePowerEvent.exe[4836] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000773020a0 5 bytes JMP 00000000774601e0 .text C:\Program Files\Acer\Acer ePower Management\ePowerEvent.exe[4836] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077302160 5 bytes JMP 0000000077460250 .text C:\Program Files\Acer\Acer ePower Management\ePowerEvent.exe[4836] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077302190 5 bytes JMP 0000000077460490 .text C:\Program Files\Acer\Acer ePower Management\ePowerEvent.exe[4836] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000773021a0 5 bytes JMP 00000000774604a0 .text C:\Program Files\Acer\Acer ePower Management\ePowerEvent.exe[4836] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000773021d0 5 bytes JMP 0000000077460300 .text C:\Program Files\Acer\Acer ePower Management\ePowerEvent.exe[4836] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000773021e0 5 bytes JMP 0000000077460360 .text C:\Program Files\Acer\Acer ePower Management\ePowerEvent.exe[4836] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077302240 5 bytes JMP 00000000774602a0 .text C:\Program Files\Acer\Acer ePower Management\ePowerEvent.exe[4836] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077302290 5 bytes JMP 00000000774602c0 .text C:\Program Files\Acer\Acer ePower Management\ePowerEvent.exe[4836] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000773022c0 5 bytes JMP 0000000077460380 .text C:\Program Files\Acer\Acer ePower Management\ePowerEvent.exe[4836] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000773022d0 5 bytes JMP 0000000077460340 .text C:\Program Files\Acer\Acer ePower Management\ePowerEvent.exe[4836] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000773025c0 5 bytes JMP 0000000077460440 .text C:\Program Files\Acer\Acer ePower Management\ePowerEvent.exe[4836] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000773027c0 5 bytes JMP 0000000077460260 .text C:\Program Files\Acer\Acer ePower Management\ePowerEvent.exe[4836] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000773027d0 5 bytes JMP 0000000077460270 .text C:\Program Files\Acer\Acer ePower Management\ePowerEvent.exe[4836] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000773027e0 5 bytes JMP 0000000077460400 .text C:\Program Files\Acer\Acer ePower Management\ePowerEvent.exe[4836] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000773029a0 5 bytes JMP 00000000774601f0 .text C:\Program Files\Acer\Acer ePower Management\ePowerEvent.exe[4836] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000773029b0 5 bytes JMP 0000000077460210 .text C:\Program Files\Acer\Acer ePower Management\ePowerEvent.exe[4836] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077302a20 5 bytes JMP 0000000077460200 .text C:\Program Files\Acer\Acer ePower Management\ePowerEvent.exe[4836] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077302a80 5 bytes JMP 0000000077460420 .text C:\Program Files\Acer\Acer ePower Management\ePowerEvent.exe[4836] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077302a90 5 bytes JMP 0000000077460430 .text C:\Program Files\Acer\Acer ePower Management\ePowerEvent.exe[4836] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077302aa0 5 bytes JMP 0000000077460220 .text C:\Program Files\Acer\Acer ePower Management\ePowerEvent.exe[4836] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077302b80 5 bytes JMP 0000000077460280 .text C:\Program Files\Acer\Acer ePower Management\ePowerEvent.exe[4836] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000770eef8d 1 byte [62] .text C:\Windows\system32\wuauclt.exe[4196] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077301360 5 bytes JMP 0000000077460460 .text C:\Windows\system32\wuauclt.exe[4196] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000773013b0 5 bytes JMP 0000000077460450 .text C:\Windows\system32\wuauclt.exe[4196] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077301510 5 bytes JMP 0000000077460370 .text C:\Windows\system32\wuauclt.exe[4196] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077301560 5 bytes JMP 0000000077460470 .text C:\Windows\system32\wuauclt.exe[4196] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077301570 5 bytes JMP 00000000774603e0 .text C:\Windows\system32\wuauclt.exe[4196] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077301620 5 bytes JMP 0000000077460320 .text C:\Windows\system32\wuauclt.exe[4196] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077301650 5 bytes JMP 00000000774603b0 .text C:\Windows\system32\wuauclt.exe[4196] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077301670 5 bytes JMP 0000000077460390 .text C:\Windows\system32\wuauclt.exe[4196] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000773016b0 5 bytes JMP 00000000774602e0 .text C:\Windows\system32\wuauclt.exe[4196] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077301730 5 bytes JMP 00000000774602d0 .text C:\Windows\system32\wuauclt.exe[4196] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077301750 5 bytes JMP 0000000077460310 .text C:\Windows\system32\wuauclt.exe[4196] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077301790 5 bytes JMP 00000000774603c0 .text C:\Windows\system32\wuauclt.exe[4196] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000773017e0 5 bytes JMP 00000000774603f0 .text C:\Windows\system32\wuauclt.exe[4196] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077301940 5 bytes JMP 0000000077460230 .text C:\Windows\system32\wuauclt.exe[4196] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077301b00 5 bytes JMP 0000000077460480 .text C:\Windows\system32\wuauclt.exe[4196] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077301b30 5 bytes JMP 00000000774603a0 .text C:\Windows\system32\wuauclt.exe[4196] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077301c10 5 bytes JMP 00000000774602f0 .text C:\Windows\system32\wuauclt.exe[4196] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077301c20 5 bytes JMP 0000000077460350 .text C:\Windows\system32\wuauclt.exe[4196] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077301c80 5 bytes JMP 0000000077460290 .text C:\Windows\system32\wuauclt.exe[4196] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077301d10 5 bytes JMP 00000000774602b0 .text C:\Windows\system32\wuauclt.exe[4196] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077301d30 5 bytes JMP 00000000774603d0 .text C:\Windows\system32\wuauclt.exe[4196] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077301d40 5 bytes JMP 0000000077460330 .text C:\Windows\system32\wuauclt.exe[4196] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077301db0 5 bytes JMP 0000000077460410 .text C:\Windows\system32\wuauclt.exe[4196] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077301de0 5 bytes JMP 0000000077460240 .text C:\Windows\system32\wuauclt.exe[4196] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000773020a0 5 bytes JMP 00000000774601e0 .text C:\Windows\system32\wuauclt.exe[4196] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077302160 5 bytes JMP 0000000077460250 .text C:\Windows\system32\wuauclt.exe[4196] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077302190 5 bytes JMP 0000000077460490 .text C:\Windows\system32\wuauclt.exe[4196] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000773021a0 5 bytes JMP 00000000774604a0 .text C:\Windows\system32\wuauclt.exe[4196] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000773021d0 5 bytes JMP 0000000077460300 .text C:\Windows\system32\wuauclt.exe[4196] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000773021e0 5 bytes JMP 0000000077460360 .text C:\Windows\system32\wuauclt.exe[4196] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077302240 5 bytes JMP 00000000774602a0 .text C:\Windows\system32\wuauclt.exe[4196] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077302290 5 bytes JMP 00000000774602c0 .text C:\Windows\system32\wuauclt.exe[4196] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000773022c0 5 bytes JMP 0000000077460380 .text C:\Windows\system32\wuauclt.exe[4196] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000773022d0 5 bytes JMP 0000000077460340 .text C:\Windows\system32\wuauclt.exe[4196] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000773025c0 5 bytes JMP 0000000077460440 .text C:\Windows\system32\wuauclt.exe[4196] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000773027c0 5 bytes JMP 0000000077460260 .text C:\Windows\system32\wuauclt.exe[4196] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000773027d0 5 bytes JMP 0000000077460270 .text C:\Windows\system32\wuauclt.exe[4196] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000773027e0 5 bytes JMP 0000000077460400 .text C:\Windows\system32\wuauclt.exe[4196] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000773029a0 5 bytes JMP 00000000774601f0 .text C:\Windows\system32\wuauclt.exe[4196] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000773029b0 5 bytes JMP 0000000077460210 .text C:\Windows\system32\wuauclt.exe[4196] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077302a20 5 bytes JMP 0000000077460200 .text C:\Windows\system32\wuauclt.exe[4196] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077302a80 5 bytes JMP 0000000077460420 .text C:\Windows\system32\wuauclt.exe[4196] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077302a90 5 bytes JMP 0000000077460430 .text C:\Windows\system32\wuauclt.exe[4196] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077302aa0 5 bytes JMP 0000000077460220 .text C:\Windows\system32\wuauclt.exe[4196] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077302b80 5 bytes JMP 0000000077460280 .text C:\Windows\system32\wuauclt.exe[4196] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000770eef8d 1 byte [62] .text C:\Windows\system32\AUDIODG.EXE[4896] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077301360 5 bytes JMP 0000000077460460 .text C:\Windows\system32\AUDIODG.EXE[4896] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000773013b0 5 bytes JMP 0000000077460450 .text C:\Windows\system32\AUDIODG.EXE[4896] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077301510 5 bytes JMP 0000000077460370 .text C:\Windows\system32\AUDIODG.EXE[4896] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077301560 5 bytes JMP 0000000077460470 .text C:\Windows\system32\AUDIODG.EXE[4896] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077301570 5 bytes JMP 00000000774603e0 .text C:\Windows\system32\AUDIODG.EXE[4896] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077301620 5 bytes JMP 0000000077460320 .text C:\Windows\system32\AUDIODG.EXE[4896] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077301650 5 bytes JMP 00000000774603b0 .text C:\Windows\system32\AUDIODG.EXE[4896] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077301670 5 bytes JMP 0000000077460390 .text C:\Windows\system32\AUDIODG.EXE[4896] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000773016b0 5 bytes JMP 00000000774602e0 .text C:\Windows\system32\AUDIODG.EXE[4896] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077301730 5 bytes JMP 00000000774602d0 .text C:\Windows\system32\AUDIODG.EXE[4896] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077301750 5 bytes JMP 0000000077460310 .text C:\Windows\system32\AUDIODG.EXE[4896] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077301790 5 bytes JMP 00000000774603c0 .text C:\Windows\system32\AUDIODG.EXE[4896] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000773017e0 5 bytes JMP 00000000774603f0 .text C:\Windows\system32\AUDIODG.EXE[4896] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077301940 5 bytes JMP 0000000077460230 .text C:\Windows\system32\AUDIODG.EXE[4896] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077301b00 5 bytes JMP 0000000077460480 .text C:\Windows\system32\AUDIODG.EXE[4896] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077301b30 5 bytes JMP 00000000774603a0 .text C:\Windows\system32\AUDIODG.EXE[4896] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077301c10 5 bytes JMP 00000000774602f0 .text C:\Windows\system32\AUDIODG.EXE[4896] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077301c20 5 bytes JMP 0000000077460350 .text C:\Windows\system32\AUDIODG.EXE[4896] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077301c80 5 bytes JMP 0000000077460290 .text C:\Windows\system32\AUDIODG.EXE[4896] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077301d10 5 bytes JMP 00000000774602b0 .text C:\Windows\system32\AUDIODG.EXE[4896] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077301d30 5 bytes JMP 00000000774603d0 .text C:\Windows\system32\AUDIODG.EXE[4896] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077301d40 5 bytes JMP 0000000077460330 .text C:\Windows\system32\AUDIODG.EXE[4896] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077301db0 5 bytes JMP 0000000077460410 .text C:\Windows\system32\AUDIODG.EXE[4896] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077301de0 5 bytes JMP 0000000077460240 .text C:\Windows\system32\AUDIODG.EXE[4896] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000773020a0 5 bytes JMP 00000000774601e0 .text C:\Windows\system32\AUDIODG.EXE[4896] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077302160 5 bytes JMP 0000000077460250 .text C:\Windows\system32\AUDIODG.EXE[4896] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077302190 5 bytes JMP 0000000077460490 .text C:\Windows\system32\AUDIODG.EXE[4896] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000773021a0 5 bytes JMP 00000000774604a0 .text C:\Windows\system32\AUDIODG.EXE[4896] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000773021d0 5 bytes JMP 0000000077460300 .text C:\Windows\system32\AUDIODG.EXE[4896] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000773021e0 5 bytes JMP 0000000077460360 .text C:\Windows\system32\AUDIODG.EXE[4896] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077302240 5 bytes JMP 00000000774602a0 .text C:\Windows\system32\AUDIODG.EXE[4896] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077302290 5 bytes JMP 00000000774602c0 .text C:\Windows\system32\AUDIODG.EXE[4896] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000773022c0 5 bytes JMP 0000000077460380 .text C:\Windows\system32\AUDIODG.EXE[4896] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000773022d0 5 bytes JMP 0000000077460340 .text C:\Windows\system32\AUDIODG.EXE[4896] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000773025c0 5 bytes JMP 0000000077460440 .text C:\Windows\system32\AUDIODG.EXE[4896] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000773027c0 5 bytes JMP 0000000077460260 .text C:\Windows\system32\AUDIODG.EXE[4896] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000773027d0 5 bytes JMP 0000000077460270 .text C:\Windows\system32\AUDIODG.EXE[4896] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000773027e0 5 bytes JMP 0000000077460400 .text C:\Windows\system32\AUDIODG.EXE[4896] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000773029a0 5 bytes JMP 00000000774601f0 .text C:\Windows\system32\AUDIODG.EXE[4896] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000773029b0 5 bytes JMP 0000000077460210 .text C:\Windows\system32\AUDIODG.EXE[4896] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077302a20 5 bytes JMP 0000000077460200 .text C:\Windows\system32\AUDIODG.EXE[4896] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077302a80 5 bytes JMP 0000000077460420 .text C:\Windows\system32\AUDIODG.EXE[4896] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077302a90 5 bytes JMP 0000000077460430 .text C:\Windows\system32\AUDIODG.EXE[4896] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077302aa0 5 bytes JMP 0000000077460220 .text C:\Windows\system32\AUDIODG.EXE[4896] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077302b80 5 bytes JMP 0000000077460280 .text C:\Users\Mirek\AppData\Local\Temp\Temp1_gm.zip\m57g1hli.exe[4136] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000075e0a2fd 1 byte [62] ---- User IAT/EAT - GMER 2.1 ---- IAT C:\Windows\Explorer.EXE[1948] @ C:\Windows\system32\SHLWAPI.dll[KERNEL32.dll!FreeLibraryAndExitThread] [10002370] C:\Program Files (x86)\EgisTec MyWinLocker\x64\psdprotect.dll IAT C:\Windows\Explorer.EXE[1948] @ C:\Windows\system32\SHLWAPI.dll[KERNEL32.dll!CreateThread] [100034e0] C:\Program Files (x86)\EgisTec MyWinLocker\x64\psdprotect.dll IAT C:\Windows\Explorer.EXE[1948] @ C:\Windows\system32\SHELL32.dll[KERNEL32.dll!LoadLibraryA] [100011e0] C:\Program Files (x86)\EgisTec MyWinLocker\x64\psdprotect.dll ---- EOF - GMER 2.1 ----