GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2014-11-13 15:45:03 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\0000006a OCZ-VERT rev.2.22 111,79GB Running: p7mv7ci5.exe; Driver: C:\Users\MICHA~1\AppData\Local\Temp\afrdrpoc.sys ---- User code sections - GMER 2.1 ---- .text C:\Windows\system32\csrss.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000774b1360 5 bytes JMP 000000014a230460 .text C:\Windows\system32\csrss.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000774b13b0 5 bytes JMP 000000014a230450 .text C:\Windows\system32\csrss.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000774b1510 5 bytes JMP 000000014a230370 .text C:\Windows\system32\csrss.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000774b1560 5 bytes JMP 000000014a230470 .text C:\Windows\system32\csrss.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000774b1570 5 bytes JMP 000000014a2303e0 .text C:\Windows\system32\csrss.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000774b1620 5 bytes JMP 000000014a230320 .text C:\Windows\system32\csrss.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000774b1650 5 bytes JMP 000000014a2303b0 .text C:\Windows\system32\csrss.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000774b1670 5 bytes JMP 000000014a230390 .text C:\Windows\system32\csrss.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000774b16b0 5 bytes JMP 000000014a2302e0 .text C:\Windows\system32\csrss.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000774b1730 5 bytes JMP 000000014a2302d0 .text C:\Windows\system32\csrss.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000774b1750 5 bytes JMP 000000014a230310 .text C:\Windows\system32\csrss.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000774b1790 5 bytes JMP 000000014a2303c0 .text C:\Windows\system32\csrss.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000774b17e0 5 bytes JMP 000000014a2303f0 .text C:\Windows\system32\csrss.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000774b1940 5 bytes JMP 000000014a230230 .text C:\Windows\system32\csrss.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000774b1b00 5 bytes JMP 000000014a230480 .text C:\Windows\system32\csrss.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000774b1b30 5 bytes JMP 000000014a2303a0 .text C:\Windows\system32\csrss.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000774b1c10 5 bytes JMP 000000014a2302f0 .text C:\Windows\system32\csrss.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000774b1c20 5 bytes JMP 000000014a230350 .text C:\Windows\system32\csrss.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000774b1c80 5 bytes JMP 000000014a230290 .text C:\Windows\system32\csrss.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000774b1d10 5 bytes JMP 000000014a2302b0 .text C:\Windows\system32\csrss.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000774b1d30 5 bytes JMP 000000014a2303d0 .text C:\Windows\system32\csrss.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000774b1d40 5 bytes JMP 000000014a230330 .text C:\Windows\system32\csrss.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000774b1db0 5 bytes JMP 000000014a230410 .text C:\Windows\system32\csrss.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000774b1de0 5 bytes JMP 000000014a230240 .text C:\Windows\system32\csrss.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000774b20a0 5 bytes JMP 000000014a2301e0 .text C:\Windows\system32\csrss.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000774b2160 5 bytes JMP 000000014a230250 .text C:\Windows\system32\csrss.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000774b2190 5 bytes JMP 000000014a230490 .text C:\Windows\system32\csrss.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000774b21a0 5 bytes JMP 000000014a2304a0 .text C:\Windows\system32\csrss.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000774b21d0 5 bytes JMP 000000014a230300 .text C:\Windows\system32\csrss.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000774b21e0 5 bytes JMP 000000014a230360 .text C:\Windows\system32\csrss.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000774b2240 5 bytes JMP 000000014a2302a0 .text C:\Windows\system32\csrss.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000774b2290 5 bytes JMP 000000014a2302c0 .text C:\Windows\system32\csrss.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000774b22c0 5 bytes JMP 000000014a230380 .text C:\Windows\system32\csrss.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000774b22d0 5 bytes JMP 000000014a230340 .text C:\Windows\system32\csrss.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000774b25c0 5 bytes JMP 000000014a230440 .text C:\Windows\system32\csrss.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000774b27c0 5 bytes JMP 000000014a230260 .text C:\Windows\system32\csrss.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000774b27d0 5 bytes JMP 000000014a230270 .text C:\Windows\system32\csrss.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000774b27e0 5 bytes JMP 000000014a230400 .text C:\Windows\system32\csrss.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000774b29a0 5 bytes JMP 000000014a2301f0 .text C:\Windows\system32\csrss.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000774b29b0 5 bytes JMP 000000014a230210 .text C:\Windows\system32\csrss.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000774b2a20 5 bytes JMP 000000014a230200 .text C:\Windows\system32\csrss.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000774b2a80 5 bytes JMP 000000014a230420 .text C:\Windows\system32\csrss.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000774b2a90 5 bytes JMP 000000014a230430 .text C:\Windows\system32\csrss.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000774b2aa0 5 bytes JMP 000000014a230220 .text C:\Windows\system32\csrss.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000774b2b80 5 bytes JMP 000000014a230280 .text C:\Windows\system32\wininit.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000774b1360 5 bytes JMP 0000000077610460 .text C:\Windows\system32\wininit.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000774b13b0 5 bytes JMP 0000000077610450 .text C:\Windows\system32\wininit.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000774b1510 5 bytes JMP 0000000077610370 .text C:\Windows\system32\wininit.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000774b1560 5 bytes JMP 0000000077610470 .text C:\Windows\system32\wininit.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000774b1570 5 bytes JMP 00000000776103e0 .text C:\Windows\system32\wininit.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000774b1620 5 bytes JMP 0000000077610320 .text C:\Windows\system32\wininit.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000774b1650 5 bytes JMP 00000000776103b0 .text C:\Windows\system32\wininit.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000774b1670 5 bytes JMP 0000000077610390 .text C:\Windows\system32\wininit.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000774b16b0 5 bytes JMP 00000000776102e0 .text C:\Windows\system32\wininit.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000774b1730 5 bytes JMP 00000000776102d0 .text C:\Windows\system32\wininit.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000774b1750 5 bytes JMP 0000000077610310 .text C:\Windows\system32\wininit.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000774b1790 5 bytes JMP 00000000776103c0 .text C:\Windows\system32\wininit.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000774b17e0 5 bytes JMP 00000000776103f0 .text C:\Windows\system32\wininit.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000774b1940 5 bytes JMP 0000000077610230 .text C:\Windows\system32\wininit.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000774b1b00 5 bytes JMP 0000000077610480 .text C:\Windows\system32\wininit.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000774b1b30 5 bytes JMP 00000000776103a0 .text C:\Windows\system32\wininit.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000774b1c10 5 bytes JMP 00000000776102f0 .text C:\Windows\system32\wininit.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000774b1c20 5 bytes JMP 0000000077610350 .text C:\Windows\system32\wininit.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000774b1c80 5 bytes JMP 0000000077610290 .text C:\Windows\system32\wininit.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000774b1d10 5 bytes JMP 00000000776102b0 .text C:\Windows\system32\wininit.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000774b1d30 5 bytes JMP 00000000776103d0 .text C:\Windows\system32\wininit.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000774b1d40 5 bytes JMP 0000000077610330 .text C:\Windows\system32\wininit.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000774b1db0 5 bytes JMP 0000000077610410 .text C:\Windows\system32\wininit.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000774b1de0 5 bytes JMP 0000000077610240 .text C:\Windows\system32\wininit.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000774b20a0 5 bytes JMP 00000000776101e0 .text C:\Windows\system32\wininit.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000774b2160 5 bytes JMP 0000000077610250 .text C:\Windows\system32\wininit.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000774b2190 5 bytes JMP 0000000077610490 .text C:\Windows\system32\wininit.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000774b21a0 5 bytes JMP 00000000776104a0 .text C:\Windows\system32\wininit.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000774b21d0 5 bytes JMP 0000000077610300 .text C:\Windows\system32\wininit.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000774b21e0 5 bytes JMP 0000000077610360 .text C:\Windows\system32\wininit.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000774b2240 5 bytes JMP 00000000776102a0 .text C:\Windows\system32\wininit.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000774b2290 5 bytes JMP 00000000776102c0 .text C:\Windows\system32\wininit.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000774b22c0 5 bytes JMP 0000000077610380 .text C:\Windows\system32\wininit.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000774b22d0 5 bytes JMP 0000000077610340 .text C:\Windows\system32\wininit.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000774b25c0 5 bytes JMP 0000000077610440 .text C:\Windows\system32\wininit.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000774b27c0 5 bytes JMP 0000000077610260 .text C:\Windows\system32\wininit.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000774b27d0 5 bytes JMP 0000000077610270 .text C:\Windows\system32\wininit.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000774b27e0 5 bytes JMP 0000000077610400 .text C:\Windows\system32\wininit.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000774b29a0 5 bytes JMP 00000000776101f0 .text C:\Windows\system32\wininit.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000774b29b0 5 bytes JMP 0000000077610210 .text C:\Windows\system32\wininit.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000774b2a20 5 bytes JMP 0000000077610200 .text C:\Windows\system32\wininit.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000774b2a80 5 bytes JMP 0000000077610420 .text C:\Windows\system32\wininit.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000774b2a90 5 bytes JMP 0000000077610430 .text C:\Windows\system32\wininit.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000774b2aa0 5 bytes JMP 0000000077610220 .text C:\Windows\system32\wininit.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000774b2b80 5 bytes JMP 0000000077610280 .text C:\Windows\system32\wininit.exe[644] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007729ef8d 1 byte [62] .text C:\Windows\system32\csrss.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000774b1360 5 bytes JMP 000000014a230460 .text C:\Windows\system32\csrss.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000774b13b0 5 bytes JMP 000000014a230450 .text C:\Windows\system32\csrss.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000774b1510 5 bytes JMP 000000014a230370 .text C:\Windows\system32\csrss.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000774b1560 5 bytes JMP 000000014a230470 .text C:\Windows\system32\csrss.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000774b1570 5 bytes JMP 000000014a2303e0 .text C:\Windows\system32\csrss.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000774b1620 5 bytes JMP 000000014a230320 .text C:\Windows\system32\csrss.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000774b1650 5 bytes JMP 000000014a2303b0 .text C:\Windows\system32\csrss.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000774b1670 5 bytes JMP 000000014a230390 .text C:\Windows\system32\csrss.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000774b16b0 5 bytes JMP 000000014a2302e0 .text C:\Windows\system32\csrss.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000774b1730 5 bytes JMP 000000014a2302d0 .text C:\Windows\system32\csrss.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000774b1750 5 bytes JMP 000000014a230310 .text C:\Windows\system32\csrss.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000774b1790 5 bytes JMP 000000014a2303c0 .text C:\Windows\system32\csrss.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000774b17e0 5 bytes JMP 000000014a2303f0 .text C:\Windows\system32\csrss.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000774b1940 5 bytes JMP 000000014a230230 .text C:\Windows\system32\csrss.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000774b1b00 5 bytes JMP 000000014a230480 .text C:\Windows\system32\csrss.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000774b1b30 5 bytes JMP 000000014a2303a0 .text C:\Windows\system32\csrss.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000774b1c10 5 bytes JMP 000000014a2302f0 .text C:\Windows\system32\csrss.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000774b1c20 5 bytes JMP 000000014a230350 .text C:\Windows\system32\csrss.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000774b1c80 5 bytes JMP 000000014a230290 .text C:\Windows\system32\csrss.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000774b1d10 5 bytes JMP 000000014a2302b0 .text C:\Windows\system32\csrss.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000774b1d30 5 bytes JMP 000000014a2303d0 .text C:\Windows\system32\csrss.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000774b1d40 5 bytes JMP 000000014a230330 .text C:\Windows\system32\csrss.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000774b1db0 5 bytes JMP 000000014a230410 .text C:\Windows\system32\csrss.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000774b1de0 5 bytes JMP 000000014a230240 .text C:\Windows\system32\csrss.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000774b20a0 5 bytes JMP 000000014a2301e0 .text C:\Windows\system32\csrss.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000774b2160 5 bytes JMP 000000014a230250 .text C:\Windows\system32\csrss.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000774b2190 5 bytes JMP 000000014a230490 .text C:\Windows\system32\csrss.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000774b21a0 5 bytes JMP 000000014a2304a0 .text C:\Windows\system32\csrss.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000774b21d0 5 bytes JMP 000000014a230300 .text C:\Windows\system32\csrss.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000774b21e0 5 bytes JMP 000000014a230360 .text C:\Windows\system32\csrss.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000774b2240 5 bytes JMP 000000014a2302a0 .text C:\Windows\system32\csrss.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000774b2290 5 bytes JMP 000000014a2302c0 .text C:\Windows\system32\csrss.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000774b22c0 5 bytes JMP 000000014a230380 .text C:\Windows\system32\csrss.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000774b22d0 5 bytes JMP 000000014a230340 .text C:\Windows\system32\csrss.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000774b25c0 5 bytes JMP 000000014a230440 .text C:\Windows\system32\csrss.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000774b27c0 5 bytes JMP 000000014a230260 .text C:\Windows\system32\csrss.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000774b27d0 5 bytes JMP 000000014a230270 .text C:\Windows\system32\csrss.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000774b27e0 5 bytes JMP 000000014a230400 .text C:\Windows\system32\csrss.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000774b29a0 5 bytes JMP 000000014a2301f0 .text C:\Windows\system32\csrss.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000774b29b0 5 bytes JMP 000000014a230210 .text C:\Windows\system32\csrss.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000774b2a20 5 bytes JMP 000000014a230200 .text C:\Windows\system32\csrss.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000774b2a80 5 bytes JMP 000000014a230420 .text C:\Windows\system32\csrss.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000774b2a90 5 bytes JMP 000000014a230430 .text C:\Windows\system32\csrss.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000774b2aa0 5 bytes JMP 000000014a230220 .text C:\Windows\system32\csrss.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000774b2b80 5 bytes JMP 000000014a230280 .text C:\Windows\system32\services.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000774b1360 5 bytes JMP 0000000077610460 .text C:\Windows\system32\services.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000774b13b0 5 bytes JMP 0000000077610450 .text C:\Windows\system32\services.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000774b1510 5 bytes JMP 0000000077610370 .text C:\Windows\system32\services.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000774b1560 5 bytes JMP 0000000077610470 .text C:\Windows\system32\services.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000774b1570 5 bytes JMP 00000000776103e0 .text C:\Windows\system32\services.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000774b1620 5 bytes JMP 0000000077610320 .text C:\Windows\system32\services.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000774b1650 5 bytes JMP 00000000776103b0 .text C:\Windows\system32\services.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000774b1670 5 bytes JMP 0000000077610390 .text C:\Windows\system32\services.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000774b16b0 5 bytes JMP 00000000776102e0 .text C:\Windows\system32\services.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000774b1730 5 bytes JMP 00000000776102d0 .text C:\Windows\system32\services.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000774b1750 5 bytes JMP 0000000077610310 .text C:\Windows\system32\services.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000774b1790 5 bytes JMP 00000000776103c0 .text C:\Windows\system32\services.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000774b17e0 5 bytes JMP 00000000776103f0 .text C:\Windows\system32\services.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000774b1940 5 bytes JMP 0000000077610230 .text C:\Windows\system32\services.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000774b1b00 5 bytes JMP 0000000077610480 .text C:\Windows\system32\services.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000774b1b30 5 bytes JMP 00000000776103a0 .text C:\Windows\system32\services.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000774b1c10 5 bytes JMP 00000000776102f0 .text C:\Windows\system32\services.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000774b1c20 5 bytes JMP 0000000077610350 .text C:\Windows\system32\services.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000774b1c80 5 bytes JMP 0000000077610290 .text C:\Windows\system32\services.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000774b1d10 5 bytes JMP 00000000776102b0 .text C:\Windows\system32\services.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000774b1d30 5 bytes JMP 00000000776103d0 .text C:\Windows\system32\services.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000774b1d40 5 bytes JMP 0000000077610330 .text C:\Windows\system32\services.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000774b1db0 5 bytes JMP 0000000077610410 .text C:\Windows\system32\services.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000774b1de0 5 bytes JMP 0000000077610240 .text C:\Windows\system32\services.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000774b20a0 5 bytes JMP 00000000776101e0 .text C:\Windows\system32\services.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000774b2160 5 bytes JMP 0000000077610250 .text C:\Windows\system32\services.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000774b2190 5 bytes JMP 0000000077610490 .text C:\Windows\system32\services.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000774b21a0 5 bytes JMP 00000000776104a0 .text C:\Windows\system32\services.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000774b21d0 5 bytes JMP 0000000077610300 .text C:\Windows\system32\services.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000774b21e0 5 bytes JMP 0000000077610360 .text C:\Windows\system32\services.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000774b2240 5 bytes JMP 00000000776102a0 .text C:\Windows\system32\services.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000774b2290 5 bytes JMP 00000000776102c0 .text C:\Windows\system32\services.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000774b22c0 5 bytes JMP 0000000077610380 .text C:\Windows\system32\services.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000774b22d0 5 bytes JMP 0000000077610340 .text C:\Windows\system32\services.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000774b25c0 5 bytes JMP 0000000077610440 .text C:\Windows\system32\services.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000774b27c0 5 bytes JMP 0000000077610260 .text C:\Windows\system32\services.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000774b27d0 5 bytes JMP 0000000077610270 .text C:\Windows\system32\services.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000774b27e0 5 bytes JMP 0000000077610400 .text C:\Windows\system32\services.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000774b29a0 5 bytes JMP 00000000776101f0 .text C:\Windows\system32\services.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000774b29b0 5 bytes JMP 0000000077610210 .text C:\Windows\system32\services.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000774b2a20 5 bytes JMP 0000000077610200 .text C:\Windows\system32\services.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000774b2a80 5 bytes JMP 0000000077610420 .text C:\Windows\system32\services.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000774b2a90 5 bytes JMP 0000000077610430 .text C:\Windows\system32\services.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000774b2aa0 5 bytes JMP 0000000077610220 .text C:\Windows\system32\services.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000774b2b80 5 bytes JMP 0000000077610280 .text C:\Windows\system32\services.exe[708] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007729ef8d 1 byte [62] .text C:\Windows\system32\lsass.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000774b1360 5 bytes JMP 0000000077610460 .text C:\Windows\system32\lsass.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000774b13b0 5 bytes JMP 0000000077610450 .text C:\Windows\system32\lsass.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000774b1510 5 bytes JMP 0000000077610370 .text C:\Windows\system32\lsass.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000774b1560 5 bytes JMP 0000000077610470 .text C:\Windows\system32\lsass.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000774b1570 5 bytes JMP 00000000776103e0 .text C:\Windows\system32\lsass.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000774b1620 5 bytes JMP 0000000077610320 .text C:\Windows\system32\lsass.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000774b1650 5 bytes JMP 00000000776103b0 .text C:\Windows\system32\lsass.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000774b1670 5 bytes JMP 0000000077610390 .text C:\Windows\system32\lsass.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000774b16b0 5 bytes JMP 00000000776102e0 .text C:\Windows\system32\lsass.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000774b1730 5 bytes JMP 00000000776102d0 .text C:\Windows\system32\lsass.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000774b1750 5 bytes JMP 0000000077610310 .text C:\Windows\system32\lsass.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000774b1790 5 bytes JMP 00000000776103c0 .text C:\Windows\system32\lsass.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000774b17e0 5 bytes JMP 00000000776103f0 .text C:\Windows\system32\lsass.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000774b1940 5 bytes JMP 0000000077610230 .text C:\Windows\system32\lsass.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000774b1b00 5 bytes JMP 0000000077610480 .text C:\Windows\system32\lsass.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000774b1b30 5 bytes JMP 00000000776103a0 .text C:\Windows\system32\lsass.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000774b1c10 5 bytes JMP 00000000776102f0 .text C:\Windows\system32\lsass.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000774b1c20 5 bytes JMP 0000000077610350 .text C:\Windows\system32\lsass.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000774b1c80 5 bytes JMP 0000000077610290 .text C:\Windows\system32\lsass.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000774b1d10 5 bytes JMP 00000000776102b0 .text C:\Windows\system32\lsass.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000774b1d30 5 bytes JMP 00000000776103d0 .text C:\Windows\system32\lsass.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000774b1d40 5 bytes JMP 0000000077610330 .text C:\Windows\system32\lsass.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000774b1db0 5 bytes JMP 0000000077610410 .text C:\Windows\system32\lsass.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000774b1de0 5 bytes JMP 0000000077610240 .text C:\Windows\system32\lsass.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000774b20a0 5 bytes JMP 00000000776101e0 .text C:\Windows\system32\lsass.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000774b2160 5 bytes JMP 0000000077610250 .text C:\Windows\system32\lsass.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000774b2190 5 bytes JMP 0000000077610490 .text C:\Windows\system32\lsass.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000774b21a0 5 bytes JMP 00000000776104a0 .text C:\Windows\system32\lsass.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000774b21d0 5 bytes JMP 0000000077610300 .text C:\Windows\system32\lsass.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000774b21e0 5 bytes JMP 0000000077610360 .text C:\Windows\system32\lsass.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000774b2240 5 bytes JMP 00000000776102a0 .text C:\Windows\system32\lsass.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000774b2290 5 bytes JMP 00000000776102c0 .text C:\Windows\system32\lsass.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000774b22c0 5 bytes JMP 0000000077610380 .text C:\Windows\system32\lsass.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000774b22d0 5 bytes JMP 0000000077610340 .text C:\Windows\system32\lsass.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000774b25c0 5 bytes JMP 0000000077610440 .text C:\Windows\system32\lsass.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000774b27c0 5 bytes JMP 0000000077610260 .text C:\Windows\system32\lsass.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000774b27d0 5 bytes JMP 0000000077610270 .text C:\Windows\system32\lsass.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000774b27e0 5 bytes JMP 0000000077610400 .text C:\Windows\system32\lsass.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000774b29a0 5 bytes JMP 00000000776101f0 .text C:\Windows\system32\lsass.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000774b29b0 5 bytes JMP 0000000077610210 .text C:\Windows\system32\lsass.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000774b2a20 5 bytes JMP 0000000077610200 .text C:\Windows\system32\lsass.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000774b2a80 5 bytes JMP 0000000077610420 .text C:\Windows\system32\lsass.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000774b2a90 5 bytes JMP 0000000077610430 .text C:\Windows\system32\lsass.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000774b2aa0 5 bytes JMP 0000000077610220 .text C:\Windows\system32\lsass.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000774b2b80 5 bytes JMP 0000000077610280 .text C:\Windows\system32\lsm.exe[748] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000774b1360 5 bytes JMP 0000000077610460 .text C:\Windows\system32\lsm.exe[748] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000774b13b0 5 bytes JMP 0000000077610450 .text C:\Windows\system32\lsm.exe[748] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000774b1510 5 bytes JMP 0000000077610370 .text C:\Windows\system32\lsm.exe[748] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000774b1560 5 bytes JMP 0000000077610470 .text C:\Windows\system32\lsm.exe[748] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000774b1570 5 bytes JMP 00000000776103e0 .text C:\Windows\system32\lsm.exe[748] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000774b1620 5 bytes JMP 0000000077610320 .text C:\Windows\system32\lsm.exe[748] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000774b1650 5 bytes JMP 00000000776103b0 .text C:\Windows\system32\lsm.exe[748] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000774b1670 5 bytes JMP 0000000077610390 .text C:\Windows\system32\lsm.exe[748] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000774b16b0 5 bytes JMP 00000000776102e0 .text C:\Windows\system32\lsm.exe[748] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000774b1730 5 bytes JMP 00000000776102d0 .text C:\Windows\system32\lsm.exe[748] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000774b1750 5 bytes JMP 0000000077610310 .text C:\Windows\system32\lsm.exe[748] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000774b1790 5 bytes JMP 00000000776103c0 .text C:\Windows\system32\lsm.exe[748] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000774b17e0 5 bytes JMP 00000000776103f0 .text C:\Windows\system32\lsm.exe[748] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000774b1940 5 bytes JMP 0000000077610230 .text C:\Windows\system32\lsm.exe[748] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000774b1b00 5 bytes JMP 0000000077610480 .text C:\Windows\system32\lsm.exe[748] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000774b1b30 5 bytes JMP 00000000776103a0 .text C:\Windows\system32\lsm.exe[748] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000774b1c10 5 bytes JMP 00000000776102f0 .text C:\Windows\system32\lsm.exe[748] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000774b1c20 5 bytes JMP 0000000077610350 .text C:\Windows\system32\lsm.exe[748] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000774b1c80 5 bytes JMP 0000000077610290 .text C:\Windows\system32\lsm.exe[748] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000774b1d10 5 bytes JMP 00000000776102b0 .text C:\Windows\system32\lsm.exe[748] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000774b1d30 5 bytes JMP 00000000776103d0 .text C:\Windows\system32\lsm.exe[748] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000774b1d40 5 bytes JMP 0000000077610330 .text C:\Windows\system32\lsm.exe[748] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000774b1db0 5 bytes JMP 0000000077610410 .text C:\Windows\system32\lsm.exe[748] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000774b1de0 5 bytes JMP 0000000077610240 .text C:\Windows\system32\lsm.exe[748] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000774b20a0 5 bytes JMP 00000000776101e0 .text C:\Windows\system32\lsm.exe[748] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000774b2160 5 bytes JMP 0000000077610250 .text C:\Windows\system32\lsm.exe[748] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000774b2190 5 bytes JMP 0000000077610490 .text C:\Windows\system32\lsm.exe[748] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000774b21a0 5 bytes JMP 00000000776104a0 .text C:\Windows\system32\lsm.exe[748] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000774b21d0 5 bytes JMP 0000000077610300 .text C:\Windows\system32\lsm.exe[748] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000774b21e0 5 bytes JMP 0000000077610360 .text C:\Windows\system32\lsm.exe[748] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000774b2240 5 bytes JMP 00000000776102a0 .text C:\Windows\system32\lsm.exe[748] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000774b2290 5 bytes JMP 00000000776102c0 .text C:\Windows\system32\lsm.exe[748] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000774b22c0 5 bytes JMP 0000000077610380 .text C:\Windows\system32\lsm.exe[748] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000774b22d0 5 bytes JMP 0000000077610340 .text C:\Windows\system32\lsm.exe[748] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000774b25c0 5 bytes JMP 0000000077610440 .text C:\Windows\system32\lsm.exe[748] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000774b27c0 5 bytes JMP 0000000077610260 .text C:\Windows\system32\lsm.exe[748] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000774b27d0 5 bytes JMP 0000000077610270 .text C:\Windows\system32\lsm.exe[748] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000774b27e0 5 bytes JMP 0000000077610400 .text C:\Windows\system32\lsm.exe[748] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000774b29a0 5 bytes JMP 00000000776101f0 .text C:\Windows\system32\lsm.exe[748] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000774b29b0 5 bytes JMP 0000000077610210 .text C:\Windows\system32\lsm.exe[748] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000774b2a20 5 bytes JMP 0000000077610200 .text C:\Windows\system32\lsm.exe[748] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000774b2a80 5 bytes JMP 0000000077610420 .text C:\Windows\system32\lsm.exe[748] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000774b2a90 5 bytes JMP 0000000077610430 .text C:\Windows\system32\lsm.exe[748] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000774b2aa0 5 bytes JMP 0000000077610220 .text C:\Windows\system32\lsm.exe[748] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000774b2b80 5 bytes JMP 0000000077610280 .text C:\Windows\system32\svchost.exe[852] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000774b1360 5 bytes JMP 0000000077610460 .text C:\Windows\system32\svchost.exe[852] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000774b13b0 5 bytes JMP 0000000077610450 .text C:\Windows\system32\svchost.exe[852] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000774b1510 5 bytes JMP 0000000077610370 .text C:\Windows\system32\svchost.exe[852] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000774b1560 5 bytes JMP 0000000077610470 .text C:\Windows\system32\svchost.exe[852] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000774b1570 5 bytes JMP 00000000776103e0 .text C:\Windows\system32\svchost.exe[852] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000774b1620 5 bytes JMP 0000000077610320 .text C:\Windows\system32\svchost.exe[852] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000774b1650 5 bytes JMP 00000000776103b0 .text C:\Windows\system32\svchost.exe[852] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000774b1670 5 bytes JMP 0000000077610390 .text C:\Windows\system32\svchost.exe[852] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000774b16b0 5 bytes JMP 00000000776102e0 .text C:\Windows\system32\svchost.exe[852] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000774b1730 5 bytes JMP 00000000776102d0 .text C:\Windows\system32\svchost.exe[852] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000774b1750 5 bytes JMP 0000000077610310 .text C:\Windows\system32\svchost.exe[852] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000774b1790 5 bytes JMP 00000000776103c0 .text C:\Windows\system32\svchost.exe[852] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000774b17e0 5 bytes JMP 00000000776103f0 .text C:\Windows\system32\svchost.exe[852] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000774b1940 5 bytes JMP 0000000077610230 .text C:\Windows\system32\svchost.exe[852] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000774b1b00 5 bytes JMP 0000000077610480 .text C:\Windows\system32\svchost.exe[852] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000774b1b30 5 bytes JMP 00000000776103a0 .text C:\Windows\system32\svchost.exe[852] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000774b1c10 5 bytes JMP 00000000776102f0 .text C:\Windows\system32\svchost.exe[852] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000774b1c20 5 bytes JMP 0000000077610350 .text C:\Windows\system32\svchost.exe[852] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000774b1c80 5 bytes JMP 0000000077610290 .text C:\Windows\system32\svchost.exe[852] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000774b1d10 5 bytes JMP 00000000776102b0 .text C:\Windows\system32\svchost.exe[852] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000774b1d30 5 bytes JMP 00000000776103d0 .text C:\Windows\system32\svchost.exe[852] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000774b1d40 5 bytes JMP 0000000077610330 .text C:\Windows\system32\svchost.exe[852] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000774b1db0 5 bytes JMP 0000000077610410 .text C:\Windows\system32\svchost.exe[852] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000774b1de0 5 bytes JMP 0000000077610240 .text C:\Windows\system32\svchost.exe[852] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000774b20a0 5 bytes JMP 00000000776101e0 .text C:\Windows\system32\svchost.exe[852] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000774b2160 5 bytes JMP 0000000077610250 .text C:\Windows\system32\svchost.exe[852] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000774b2190 5 bytes JMP 0000000077610490 .text C:\Windows\system32\svchost.exe[852] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000774b21a0 5 bytes JMP 00000000776104a0 .text C:\Windows\system32\svchost.exe[852] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000774b21d0 5 bytes JMP 0000000077610300 .text C:\Windows\system32\svchost.exe[852] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000774b21e0 5 bytes JMP 0000000077610360 .text C:\Windows\system32\svchost.exe[852] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000774b2240 5 bytes JMP 00000000776102a0 .text C:\Windows\system32\svchost.exe[852] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000774b2290 5 bytes JMP 00000000776102c0 .text C:\Windows\system32\svchost.exe[852] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000774b22c0 5 bytes JMP 0000000077610380 .text C:\Windows\system32\svchost.exe[852] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000774b22d0 5 bytes JMP 0000000077610340 .text C:\Windows\system32\svchost.exe[852] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000774b25c0 5 bytes JMP 0000000077610440 .text C:\Windows\system32\svchost.exe[852] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000774b27c0 5 bytes JMP 0000000077610260 .text C:\Windows\system32\svchost.exe[852] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000774b27d0 5 bytes JMP 0000000077610270 .text C:\Windows\system32\svchost.exe[852] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000774b27e0 5 bytes JMP 0000000077610400 .text C:\Windows\system32\svchost.exe[852] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000774b29a0 5 bytes JMP 00000000776101f0 .text C:\Windows\system32\svchost.exe[852] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000774b29b0 5 bytes JMP 0000000077610210 .text C:\Windows\system32\svchost.exe[852] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000774b2a20 5 bytes JMP 0000000077610200 .text C:\Windows\system32\svchost.exe[852] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000774b2a80 5 bytes JMP 0000000077610420 .text C:\Windows\system32\svchost.exe[852] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000774b2a90 5 bytes JMP 0000000077610430 .text C:\Windows\system32\svchost.exe[852] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000774b2aa0 5 bytes JMP 0000000077610220 .text C:\Windows\system32\svchost.exe[852] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000774b2b80 5 bytes JMP 0000000077610280 .text C:\Windows\system32\winlogon.exe[920] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000774b1360 5 bytes JMP 0000000077610460 .text C:\Windows\system32\winlogon.exe[920] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000774b13b0 5 bytes JMP 0000000077610450 .text C:\Windows\system32\winlogon.exe[920] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000774b1510 5 bytes JMP 0000000077610370 .text C:\Windows\system32\winlogon.exe[920] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000774b1560 5 bytes JMP 0000000077610470 .text C:\Windows\system32\winlogon.exe[920] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000774b1570 5 bytes JMP 00000000776103e0 .text C:\Windows\system32\winlogon.exe[920] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000774b1620 5 bytes JMP 0000000077610320 .text C:\Windows\system32\winlogon.exe[920] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000774b1650 5 bytes JMP 00000000776103b0 .text C:\Windows\system32\winlogon.exe[920] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000774b1670 5 bytes JMP 0000000077610390 .text C:\Windows\system32\winlogon.exe[920] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000774b16b0 5 bytes JMP 00000000776102e0 .text C:\Windows\system32\winlogon.exe[920] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000774b1730 5 bytes JMP 00000000776102d0 .text C:\Windows\system32\winlogon.exe[920] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000774b1750 5 bytes JMP 0000000077610310 .text C:\Windows\system32\winlogon.exe[920] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000774b1790 5 bytes JMP 00000000776103c0 .text C:\Windows\system32\winlogon.exe[920] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000774b17e0 5 bytes JMP 00000000776103f0 .text C:\Windows\system32\winlogon.exe[920] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000774b1940 5 bytes JMP 0000000077610230 .text C:\Windows\system32\winlogon.exe[920] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000774b1b00 5 bytes JMP 0000000077610480 .text C:\Windows\system32\winlogon.exe[920] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000774b1b30 5 bytes JMP 00000000776103a0 .text C:\Windows\system32\winlogon.exe[920] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000774b1c10 5 bytes JMP 00000000776102f0 .text C:\Windows\system32\winlogon.exe[920] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000774b1c20 5 bytes JMP 0000000077610350 .text C:\Windows\system32\winlogon.exe[920] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000774b1c80 5 bytes JMP 0000000077610290 .text C:\Windows\system32\winlogon.exe[920] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000774b1d10 5 bytes JMP 00000000776102b0 .text C:\Windows\system32\winlogon.exe[920] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000774b1d30 5 bytes JMP 00000000776103d0 .text C:\Windows\system32\winlogon.exe[920] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000774b1d40 5 bytes JMP 0000000077610330 .text C:\Windows\system32\winlogon.exe[920] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000774b1db0 5 bytes JMP 0000000077610410 .text C:\Windows\system32\winlogon.exe[920] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000774b1de0 5 bytes JMP 0000000077610240 .text C:\Windows\system32\winlogon.exe[920] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000774b20a0 5 bytes JMP 00000000776101e0 .text C:\Windows\system32\winlogon.exe[920] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000774b2160 5 bytes JMP 0000000077610250 .text C:\Windows\system32\winlogon.exe[920] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000774b2190 5 bytes JMP 0000000077610490 .text C:\Windows\system32\winlogon.exe[920] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000774b21a0 5 bytes JMP 00000000776104a0 .text C:\Windows\system32\winlogon.exe[920] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000774b21d0 5 bytes JMP 0000000077610300 .text C:\Windows\system32\winlogon.exe[920] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000774b21e0 5 bytes JMP 0000000077610360 .text C:\Windows\system32\winlogon.exe[920] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000774b2240 5 bytes JMP 00000000776102a0 .text C:\Windows\system32\winlogon.exe[920] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000774b2290 5 bytes JMP 00000000776102c0 .text C:\Windows\system32\winlogon.exe[920] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000774b22c0 5 bytes JMP 0000000077610380 .text C:\Windows\system32\winlogon.exe[920] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000774b22d0 5 bytes JMP 0000000077610340 .text C:\Windows\system32\winlogon.exe[920] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000774b25c0 5 bytes JMP 0000000077610440 .text C:\Windows\system32\winlogon.exe[920] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000774b27c0 5 bytes JMP 0000000077610260 .text C:\Windows\system32\winlogon.exe[920] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000774b27d0 5 bytes JMP 0000000077610270 .text C:\Windows\system32\winlogon.exe[920] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000774b27e0 5 bytes JMP 0000000077610400 .text C:\Windows\system32\winlogon.exe[920] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000774b29a0 5 bytes JMP 00000000776101f0 .text C:\Windows\system32\winlogon.exe[920] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000774b29b0 5 bytes JMP 0000000077610210 .text C:\Windows\system32\winlogon.exe[920] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000774b2a20 5 bytes JMP 0000000077610200 .text C:\Windows\system32\winlogon.exe[920] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000774b2a80 5 bytes JMP 0000000077610420 .text C:\Windows\system32\winlogon.exe[920] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000774b2a90 5 bytes JMP 0000000077610430 .text C:\Windows\system32\winlogon.exe[920] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000774b2aa0 5 bytes JMP 0000000077610220 .text C:\Windows\system32\winlogon.exe[920] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000774b2b80 5 bytes JMP 0000000077610280 .text C:\Windows\system32\winlogon.exe[920] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007729ef8d 1 byte [62] .text C:\Windows\system32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000774b1360 5 bytes JMP 0000000077610460 .text C:\Windows\system32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000774b13b0 5 bytes JMP 0000000077610450 .text C:\Windows\system32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000774b1510 5 bytes JMP 0000000077610370 .text C:\Windows\system32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000774b1560 5 bytes JMP 0000000077610470 .text C:\Windows\system32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000774b1570 5 bytes JMP 00000000776103e0 .text C:\Windows\system32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000774b1620 5 bytes JMP 0000000077610320 .text C:\Windows\system32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000774b1650 5 bytes JMP 00000000776103b0 .text C:\Windows\system32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000774b1670 5 bytes JMP 0000000077610390 .text C:\Windows\system32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000774b16b0 5 bytes JMP 00000000776102e0 .text C:\Windows\system32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000774b1730 5 bytes JMP 00000000776102d0 .text C:\Windows\system32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000774b1750 5 bytes JMP 0000000077610310 .text C:\Windows\system32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000774b1790 5 bytes JMP 00000000776103c0 .text C:\Windows\system32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000774b17e0 5 bytes JMP 00000000776103f0 .text C:\Windows\system32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000774b1940 5 bytes JMP 0000000077610230 .text C:\Windows\system32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000774b1b00 5 bytes JMP 0000000077610480 .text C:\Windows\system32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000774b1b30 5 bytes JMP 00000000776103a0 .text C:\Windows\system32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000774b1c10 5 bytes JMP 00000000776102f0 .text C:\Windows\system32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000774b1c20 5 bytes JMP 0000000077610350 .text C:\Windows\system32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000774b1c80 5 bytes JMP 0000000077610290 .text C:\Windows\system32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000774b1d10 5 bytes JMP 00000000776102b0 .text C:\Windows\system32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000774b1d30 5 bytes JMP 00000000776103d0 .text C:\Windows\system32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000774b1d40 5 bytes JMP 0000000077610330 .text C:\Windows\system32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000774b1db0 5 bytes JMP 0000000077610410 .text C:\Windows\system32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000774b1de0 5 bytes JMP 0000000077610240 .text C:\Windows\system32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000774b20a0 5 bytes JMP 00000000776101e0 .text C:\Windows\system32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000774b2160 5 bytes JMP 0000000077610250 .text C:\Windows\system32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000774b2190 5 bytes JMP 0000000077610490 .text C:\Windows\system32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000774b21a0 5 bytes JMP 00000000776104a0 .text C:\Windows\system32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000774b21d0 5 bytes JMP 0000000077610300 .text C:\Windows\system32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000774b21e0 5 bytes JMP 0000000077610360 .text C:\Windows\system32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000774b2240 5 bytes JMP 00000000776102a0 .text C:\Windows\system32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000774b2290 5 bytes JMP 00000000776102c0 .text C:\Windows\system32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000774b22c0 5 bytes JMP 0000000077610380 .text C:\Windows\system32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000774b22d0 5 bytes JMP 0000000077610340 .text C:\Windows\system32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000774b25c0 5 bytes JMP 0000000077610440 .text C:\Windows\system32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000774b27c0 5 bytes JMP 0000000077610260 .text C:\Windows\system32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000774b27d0 5 bytes JMP 0000000077610270 .text C:\Windows\system32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000774b27e0 5 bytes JMP 0000000077610400 .text C:\Windows\system32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000774b29a0 5 bytes JMP 00000000776101f0 .text C:\Windows\system32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000774b29b0 5 bytes JMP 0000000077610210 .text C:\Windows\system32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000774b2a20 5 bytes JMP 0000000077610200 .text C:\Windows\system32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000774b2a80 5 bytes JMP 0000000077610420 .text C:\Windows\system32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000774b2a90 5 bytes JMP 0000000077610430 .text C:\Windows\system32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000774b2aa0 5 bytes JMP 0000000077610220 .text C:\Windows\system32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000774b2b80 5 bytes JMP 0000000077610280 .text C:\Windows\system32\atiesrxx.exe[472] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007729ef8d 1 byte [62] .text C:\Windows\System32\svchost.exe[496] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000774b1360 5 bytes JMP 0000000077610460 .text C:\Windows\System32\svchost.exe[496] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000774b13b0 5 bytes JMP 0000000077610450 .text C:\Windows\System32\svchost.exe[496] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000774b1510 5 bytes JMP 0000000077610370 .text C:\Windows\System32\svchost.exe[496] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000774b1560 5 bytes JMP 0000000077610470 .text C:\Windows\System32\svchost.exe[496] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000774b1570 5 bytes JMP 00000000776103e0 .text C:\Windows\System32\svchost.exe[496] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000774b1620 5 bytes JMP 0000000077610320 .text C:\Windows\System32\svchost.exe[496] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000774b1650 5 bytes JMP 00000000776103b0 .text C:\Windows\System32\svchost.exe[496] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000774b1670 5 bytes JMP 0000000077610390 .text C:\Windows\System32\svchost.exe[496] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000774b16b0 5 bytes JMP 00000000776102e0 .text C:\Windows\System32\svchost.exe[496] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000774b1730 5 bytes JMP 00000000776102d0 .text C:\Windows\System32\svchost.exe[496] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000774b1750 5 bytes JMP 0000000077610310 .text C:\Windows\System32\svchost.exe[496] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000774b1790 5 bytes JMP 00000000776103c0 .text C:\Windows\System32\svchost.exe[496] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000774b17e0 5 bytes JMP 00000000776103f0 .text C:\Windows\System32\svchost.exe[496] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000774b1940 5 bytes JMP 0000000077610230 .text C:\Windows\System32\svchost.exe[496] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000774b1b00 5 bytes JMP 0000000077610480 .text C:\Windows\System32\svchost.exe[496] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000774b1b30 5 bytes JMP 00000000776103a0 .text C:\Windows\System32\svchost.exe[496] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000774b1c10 5 bytes JMP 00000000776102f0 .text C:\Windows\System32\svchost.exe[496] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000774b1c20 5 bytes JMP 0000000077610350 .text C:\Windows\System32\svchost.exe[496] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000774b1c80 5 bytes JMP 0000000077610290 .text C:\Windows\System32\svchost.exe[496] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000774b1d10 5 bytes JMP 00000000776102b0 .text C:\Windows\System32\svchost.exe[496] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000774b1d30 5 bytes JMP 00000000776103d0 .text C:\Windows\System32\svchost.exe[496] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000774b1d40 5 bytes JMP 0000000077610330 .text C:\Windows\System32\svchost.exe[496] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000774b1db0 5 bytes JMP 0000000077610410 .text C:\Windows\System32\svchost.exe[496] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000774b1de0 5 bytes JMP 0000000077610240 .text C:\Windows\System32\svchost.exe[496] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000774b20a0 5 bytes JMP 00000000776101e0 .text C:\Windows\System32\svchost.exe[496] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000774b2160 5 bytes JMP 0000000077610250 .text C:\Windows\System32\svchost.exe[496] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000774b2190 5 bytes JMP 0000000077610490 .text C:\Windows\System32\svchost.exe[496] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000774b21a0 5 bytes JMP 00000000776104a0 .text C:\Windows\System32\svchost.exe[496] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000774b21d0 5 bytes JMP 0000000077610300 .text C:\Windows\System32\svchost.exe[496] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000774b21e0 5 bytes JMP 0000000077610360 .text C:\Windows\System32\svchost.exe[496] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000774b2240 5 bytes JMP 00000000776102a0 .text C:\Windows\System32\svchost.exe[496] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000774b2290 5 bytes JMP 00000000776102c0 .text C:\Windows\System32\svchost.exe[496] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000774b22c0 5 bytes JMP 0000000077610380 .text C:\Windows\System32\svchost.exe[496] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000774b22d0 5 bytes JMP 0000000077610340 .text C:\Windows\System32\svchost.exe[496] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000774b25c0 5 bytes JMP 0000000077610440 .text C:\Windows\System32\svchost.exe[496] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000774b27c0 5 bytes JMP 0000000077610260 .text C:\Windows\System32\svchost.exe[496] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000774b27d0 5 bytes JMP 0000000077610270 .text C:\Windows\System32\svchost.exe[496] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000774b27e0 5 bytes JMP 0000000077610400 .text C:\Windows\System32\svchost.exe[496] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000774b29a0 5 bytes JMP 00000000776101f0 .text C:\Windows\System32\svchost.exe[496] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000774b29b0 5 bytes JMP 0000000077610210 .text C:\Windows\System32\svchost.exe[496] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000774b2a20 5 bytes JMP 0000000077610200 .text C:\Windows\System32\svchost.exe[496] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000774b2a80 5 bytes JMP 0000000077610420 .text C:\Windows\System32\svchost.exe[496] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000774b2a90 5 bytes JMP 0000000077610430 .text C:\Windows\System32\svchost.exe[496] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000774b2aa0 5 bytes JMP 0000000077610220 .text C:\Windows\System32\svchost.exe[496] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000774b2b80 5 bytes JMP 0000000077610280 .text C:\Windows\System32\svchost.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000774b1360 5 bytes JMP 0000000077610460 .text C:\Windows\System32\svchost.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000774b13b0 5 bytes JMP 0000000077610450 .text C:\Windows\System32\svchost.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000774b1510 5 bytes JMP 0000000077610370 .text C:\Windows\System32\svchost.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000774b1560 5 bytes JMP 0000000077610470 .text C:\Windows\System32\svchost.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000774b1570 5 bytes JMP 00000000776103e0 .text C:\Windows\System32\svchost.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000774b1620 5 bytes JMP 0000000077610320 .text C:\Windows\System32\svchost.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000774b1650 5 bytes JMP 00000000776103b0 .text C:\Windows\System32\svchost.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000774b1670 5 bytes JMP 0000000077610390 .text C:\Windows\System32\svchost.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000774b16b0 5 bytes JMP 00000000776102e0 .text C:\Windows\System32\svchost.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000774b1730 5 bytes JMP 00000000776102d0 .text C:\Windows\System32\svchost.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000774b1750 5 bytes JMP 0000000077610310 .text C:\Windows\System32\svchost.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000774b1790 5 bytes JMP 00000000776103c0 .text C:\Windows\System32\svchost.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000774b17e0 5 bytes JMP 00000000776103f0 .text C:\Windows\System32\svchost.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000774b1940 5 bytes JMP 0000000077610230 .text C:\Windows\System32\svchost.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000774b1b00 5 bytes JMP 0000000077610480 .text C:\Windows\System32\svchost.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000774b1b30 5 bytes JMP 00000000776103a0 .text C:\Windows\System32\svchost.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000774b1c10 5 bytes JMP 00000000776102f0 .text C:\Windows\System32\svchost.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000774b1c20 5 bytes JMP 0000000077610350 .text C:\Windows\System32\svchost.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000774b1c80 5 bytes JMP 0000000077610290 .text C:\Windows\System32\svchost.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000774b1d10 5 bytes JMP 00000000776102b0 .text C:\Windows\System32\svchost.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000774b1d30 5 bytes JMP 00000000776103d0 .text C:\Windows\System32\svchost.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000774b1d40 5 bytes JMP 0000000077610330 .text C:\Windows\System32\svchost.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000774b1db0 5 bytes JMP 0000000077610410 .text C:\Windows\System32\svchost.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000774b1de0 5 bytes JMP 0000000077610240 .text C:\Windows\System32\svchost.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000774b20a0 5 bytes JMP 00000000776101e0 .text C:\Windows\System32\svchost.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000774b2160 5 bytes JMP 0000000077610250 .text C:\Windows\System32\svchost.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000774b2190 5 bytes JMP 0000000077610490 .text C:\Windows\System32\svchost.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000774b21a0 5 bytes JMP 00000000776104a0 .text C:\Windows\System32\svchost.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000774b21d0 5 bytes JMP 0000000077610300 .text C:\Windows\System32\svchost.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000774b21e0 5 bytes JMP 0000000077610360 .text C:\Windows\System32\svchost.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000774b2240 5 bytes JMP 00000000776102a0 .text C:\Windows\System32\svchost.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000774b2290 5 bytes JMP 00000000776102c0 .text C:\Windows\System32\svchost.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000774b22c0 5 bytes JMP 0000000077610380 .text C:\Windows\System32\svchost.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000774b22d0 5 bytes JMP 0000000077610340 .text C:\Windows\System32\svchost.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000774b25c0 5 bytes JMP 0000000077610440 .text C:\Windows\System32\svchost.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000774b27c0 5 bytes JMP 0000000077610260 .text C:\Windows\System32\svchost.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000774b27d0 5 bytes JMP 0000000077610270 .text C:\Windows\System32\svchost.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000774b27e0 5 bytes JMP 0000000077610400 .text C:\Windows\System32\svchost.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000774b29a0 5 bytes JMP 00000000776101f0 .text C:\Windows\System32\svchost.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000774b29b0 5 bytes JMP 0000000077610210 .text C:\Windows\System32\svchost.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000774b2a20 5 bytes JMP 0000000077610200 .text C:\Windows\System32\svchost.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000774b2a80 5 bytes JMP 0000000077610420 .text C:\Windows\System32\svchost.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000774b2a90 5 bytes JMP 0000000077610430 .text C:\Windows\System32\svchost.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000774b2aa0 5 bytes JMP 0000000077610220 .text C:\Windows\System32\svchost.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000774b2b80 5 bytes JMP 0000000077610280 .text C:\Windows\System32\svchost.exe[736] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007729ef8d 1 byte [62] .text C:\Windows\system32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000774b1360 5 bytes JMP 0000000077610460 .text C:\Windows\system32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000774b13b0 5 bytes JMP 0000000077610450 .text C:\Windows\system32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000774b1510 5 bytes JMP 0000000077610370 .text C:\Windows\system32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000774b1560 5 bytes JMP 0000000077610470 .text C:\Windows\system32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000774b1570 5 bytes JMP 00000000776103e0 .text C:\Windows\system32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000774b1620 5 bytes JMP 0000000077610320 .text C:\Windows\system32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000774b1650 5 bytes JMP 00000000776103b0 .text C:\Windows\system32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000774b1670 5 bytes JMP 0000000077610390 .text C:\Windows\system32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000774b16b0 5 bytes JMP 00000000776102e0 .text C:\Windows\system32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000774b1730 5 bytes JMP 00000000776102d0 .text C:\Windows\system32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000774b1750 5 bytes JMP 0000000077610310 .text C:\Windows\system32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000774b1790 5 bytes JMP 00000000776103c0 .text C:\Windows\system32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000774b17e0 5 bytes JMP 00000000776103f0 .text C:\Windows\system32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000774b1940 5 bytes JMP 0000000077610230 .text C:\Windows\system32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000774b1b00 5 bytes JMP 0000000077610480 .text C:\Windows\system32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000774b1b30 5 bytes JMP 00000000776103a0 .text C:\Windows\system32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000774b1c10 5 bytes JMP 00000000776102f0 .text C:\Windows\system32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000774b1c20 5 bytes JMP 0000000077610350 .text C:\Windows\system32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000774b1c80 5 bytes JMP 0000000077610290 .text C:\Windows\system32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000774b1d10 5 bytes JMP 00000000776102b0 .text C:\Windows\system32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000774b1d30 5 bytes JMP 00000000776103d0 .text C:\Windows\system32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000774b1d40 5 bytes JMP 0000000077610330 .text C:\Windows\system32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000774b1db0 5 bytes JMP 0000000077610410 .text C:\Windows\system32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000774b1de0 5 bytes JMP 0000000077610240 .text C:\Windows\system32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000774b20a0 5 bytes JMP 00000000776101e0 .text C:\Windows\system32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000774b2160 5 bytes JMP 0000000077610250 .text C:\Windows\system32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000774b2190 5 bytes JMP 0000000077610490 .text C:\Windows\system32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000774b21a0 5 bytes JMP 00000000776104a0 .text C:\Windows\system32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000774b21d0 5 bytes JMP 0000000077610300 .text C:\Windows\system32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000774b21e0 5 bytes JMP 0000000077610360 .text C:\Windows\system32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000774b2240 5 bytes JMP 00000000776102a0 .text C:\Windows\system32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000774b2290 5 bytes JMP 00000000776102c0 .text C:\Windows\system32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000774b22c0 5 bytes JMP 0000000077610380 .text C:\Windows\system32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000774b22d0 5 bytes JMP 0000000077610340 .text C:\Windows\system32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000774b25c0 5 bytes JMP 0000000077610440 .text C:\Windows\system32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000774b27c0 5 bytes JMP 0000000077610260 .text C:\Windows\system32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000774b27d0 5 bytes JMP 0000000077610270 .text C:\Windows\system32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000774b27e0 5 bytes JMP 0000000077610400 .text C:\Windows\system32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000774b29a0 5 bytes JMP 00000000776101f0 .text C:\Windows\system32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000774b29b0 5 bytes JMP 0000000077610210 .text C:\Windows\system32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000774b2a20 5 bytes JMP 0000000077610200 .text C:\Windows\system32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000774b2a80 5 bytes JMP 0000000077610420 .text C:\Windows\system32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000774b2a90 5 bytes JMP 0000000077610430 .text C:\Windows\system32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000774b2aa0 5 bytes JMP 0000000077610220 .text C:\Windows\system32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000774b2b80 5 bytes JMP 0000000077610280 .text C:\Windows\system32\svchost.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000774b1360 5 bytes JMP 0000000077610460 .text C:\Windows\system32\svchost.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000774b13b0 5 bytes JMP 0000000077610450 .text C:\Windows\system32\svchost.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000774b1510 5 bytes JMP 0000000077610370 .text C:\Windows\system32\svchost.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000774b1560 5 bytes JMP 0000000077610470 .text C:\Windows\system32\svchost.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000774b1570 5 bytes JMP 00000000776103e0 .text C:\Windows\system32\svchost.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000774b1620 5 bytes JMP 0000000077610320 .text C:\Windows\system32\svchost.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000774b1650 5 bytes JMP 00000000776103b0 .text C:\Windows\system32\svchost.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000774b1670 5 bytes JMP 0000000077610390 .text C:\Windows\system32\svchost.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000774b16b0 5 bytes JMP 00000000776102e0 .text C:\Windows\system32\svchost.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000774b1730 5 bytes JMP 00000000776102d0 .text C:\Windows\system32\svchost.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000774b1750 5 bytes JMP 0000000077610310 .text C:\Windows\system32\svchost.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000774b1790 5 bytes JMP 00000000776103c0 .text C:\Windows\system32\svchost.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000774b17e0 5 bytes JMP 00000000776103f0 .text C:\Windows\system32\svchost.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000774b1940 5 bytes JMP 0000000077610230 .text C:\Windows\system32\svchost.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000774b1b00 5 bytes JMP 0000000077610480 .text C:\Windows\system32\svchost.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000774b1b30 5 bytes JMP 00000000776103a0 .text C:\Windows\system32\svchost.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000774b1c10 5 bytes JMP 00000000776102f0 .text C:\Windows\system32\svchost.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000774b1c20 5 bytes JMP 0000000077610350 .text C:\Windows\system32\svchost.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000774b1c80 5 bytes JMP 0000000077610290 .text C:\Windows\system32\svchost.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000774b1d10 5 bytes JMP 00000000776102b0 .text C:\Windows\system32\svchost.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000774b1d30 5 bytes JMP 00000000776103d0 .text C:\Windows\system32\svchost.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000774b1d40 5 bytes JMP 0000000077610330 .text C:\Windows\system32\svchost.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000774b1db0 5 bytes JMP 0000000077610410 .text C:\Windows\system32\svchost.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000774b1de0 5 bytes JMP 0000000077610240 .text C:\Windows\system32\svchost.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000774b20a0 5 bytes JMP 00000000776101e0 .text C:\Windows\system32\svchost.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000774b2160 5 bytes JMP 0000000077610250 .text C:\Windows\system32\svchost.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000774b2190 5 bytes JMP 0000000077610490 .text C:\Windows\system32\svchost.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000774b21a0 5 bytes JMP 00000000776104a0 .text C:\Windows\system32\svchost.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000774b21d0 5 bytes JMP 0000000077610300 .text C:\Windows\system32\svchost.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000774b21e0 5 bytes JMP 0000000077610360 .text C:\Windows\system32\svchost.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000774b2240 5 bytes JMP 00000000776102a0 .text C:\Windows\system32\svchost.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000774b2290 5 bytes JMP 00000000776102c0 .text C:\Windows\system32\svchost.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000774b22c0 5 bytes JMP 0000000077610380 .text C:\Windows\system32\svchost.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000774b22d0 5 bytes JMP 0000000077610340 .text C:\Windows\system32\svchost.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000774b25c0 5 bytes JMP 0000000077610440 .text C:\Windows\system32\svchost.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000774b27c0 5 bytes JMP 0000000077610260 .text C:\Windows\system32\svchost.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000774b27d0 5 bytes JMP 0000000077610270 .text C:\Windows\system32\svchost.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000774b27e0 5 bytes JMP 0000000077610400 .text C:\Windows\system32\svchost.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000774b29a0 5 bytes JMP 00000000776101f0 .text C:\Windows\system32\svchost.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000774b29b0 5 bytes JMP 0000000077610210 .text C:\Windows\system32\svchost.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000774b2a20 5 bytes JMP 0000000077610200 .text C:\Windows\system32\svchost.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000774b2a80 5 bytes JMP 0000000077610420 .text C:\Windows\system32\svchost.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000774b2a90 5 bytes JMP 0000000077610430 .text C:\Windows\system32\svchost.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000774b2aa0 5 bytes JMP 0000000077610220 .text C:\Windows\system32\svchost.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000774b2b80 5 bytes JMP 0000000077610280 .text C:\Windows\system32\svchost.exe[1056] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007729ef8d 1 byte [62] .text C:\Windows\system32\AUDIODG.EXE[1172] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000774b1360 3 bytes JMP 0000000100040460 .text C:\Windows\system32\AUDIODG.EXE[1172] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort + 4 00000000774b1364 1 byte [88] .text C:\Windows\system32\AUDIODG.EXE[1172] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000774b13b0 3 bytes JMP 0000000100040450 .text C:\Windows\system32\AUDIODG.EXE[1172] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject + 4 00000000774b13b4 1 byte [88] .text C:\Windows\system32\AUDIODG.EXE[1172] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000774b1510 3 bytes JMP 0000000100040370 .text C:\Windows\system32\AUDIODG.EXE[1172] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 4 00000000774b1514 1 byte [88] .text C:\Windows\system32\AUDIODG.EXE[1172] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000774b1560 3 bytes JMP 0000000100040470 .text C:\Windows\system32\AUDIODG.EXE[1172] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 4 00000000774b1564 1 byte [88] .text C:\Windows\system32\AUDIODG.EXE[1172] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000774b1570 3 bytes JMP 00000001000403e0 .text C:\Windows\system32\AUDIODG.EXE[1172] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 4 00000000774b1574 1 byte [88] .text C:\Windows\system32\AUDIODG.EXE[1172] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000774b1620 3 bytes JMP 0000000100040320 .text C:\Windows\system32\AUDIODG.EXE[1172] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection + 4 00000000774b1624 1 byte [88] .text C:\Windows\system32\AUDIODG.EXE[1172] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000774b1650 3 bytes JMP 00000001000403b0 .text C:\Windows\system32\AUDIODG.EXE[1172] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 4 00000000774b1654 1 byte [88] .text C:\Windows\system32\AUDIODG.EXE[1172] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000774b1670 3 bytes JMP 0000000100040390 .text C:\Windows\system32\AUDIODG.EXE[1172] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 4 00000000774b1674 1 byte [88] .text C:\Windows\system32\AUDIODG.EXE[1172] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000774b16b0 3 bytes JMP 00000001000402e0 .text C:\Windows\system32\AUDIODG.EXE[1172] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent + 4 00000000774b16b4 1 byte [88] .text C:\Windows\system32\AUDIODG.EXE[1172] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000774b1730 3 bytes JMP 00000001000402d0 .text C:\Windows\system32\AUDIODG.EXE[1172] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 4 00000000774b1734 1 byte {JMP 0xffffffffffffffba} .text C:\Windows\system32\AUDIODG.EXE[1172] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000774b1750 3 bytes JMP 0000000100040310 .text C:\Windows\system32\AUDIODG.EXE[1172] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection + 4 00000000774b1754 1 byte {JMP 0xffffffffffffffba} .text C:\Windows\system32\AUDIODG.EXE[1172] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000774b1790 3 bytes JMP 00000001000403c0 .text C:\Windows\system32\AUDIODG.EXE[1172] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread + 4 00000000774b1794 1 byte [88] .text C:\Windows\system32\AUDIODG.EXE[1172] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000774b17e0 3 bytes JMP 00000001000403f0 .text C:\Windows\system32\AUDIODG.EXE[1172] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 4 00000000774b17e4 1 byte [88] .text C:\Windows\system32\AUDIODG.EXE[1172] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000774b1940 3 bytes JMP 0000000100040230 .text C:\Windows\system32\AUDIODG.EXE[1172] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 4 00000000774b1944 1 byte [88] .text C:\Windows\system32\AUDIODG.EXE[1172] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000774b1b00 3 bytes JMP 0000000100040480 .text C:\Windows\system32\AUDIODG.EXE[1172] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort + 4 00000000774b1b04 1 byte [88] .text C:\Windows\system32\AUDIODG.EXE[1172] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000774b1b30 3 bytes JMP 00000001000403a0 .text C:\Windows\system32\AUDIODG.EXE[1172] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject + 4 00000000774b1b34 1 byte [88] .text C:\Windows\system32\AUDIODG.EXE[1172] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000774b1c10 3 bytes JMP 00000001000402f0 .text C:\Windows\system32\AUDIODG.EXE[1172] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair + 4 00000000774b1c14 1 byte [88] .text C:\Windows\system32\AUDIODG.EXE[1172] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000774b1c20 3 bytes JMP 0000000100040350 .text C:\Windows\system32\AUDIODG.EXE[1172] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion + 4 00000000774b1c24 1 byte [88] .text C:\Windows\system32\AUDIODG.EXE[1172] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000774b1c80 3 bytes JMP 0000000100040290 .text C:\Windows\system32\AUDIODG.EXE[1172] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant + 4 00000000774b1c84 1 byte [88] .text C:\Windows\system32\AUDIODG.EXE[1172] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000774b1d10 3 bytes JMP 00000001000402b0 .text C:\Windows\system32\AUDIODG.EXE[1172] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 4 00000000774b1d14 1 byte [88] .text C:\Windows\system32\AUDIODG.EXE[1172] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000774b1d30 3 bytes JMP 00000001000403d0 .text C:\Windows\system32\AUDIODG.EXE[1172] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 4 00000000774b1d34 1 byte [88] .text C:\Windows\system32\AUDIODG.EXE[1172] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000774b1d40 3 bytes JMP 0000000100040330 .text C:\Windows\system32\AUDIODG.EXE[1172] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 4 00000000774b1d44 1 byte [88] .text C:\Windows\system32\AUDIODG.EXE[1172] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000774b1db0 3 bytes JMP 0000000100040410 .text C:\Windows\system32\AUDIODG.EXE[1172] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess + 4 00000000774b1db4 1 byte [88] .text C:\Windows\system32\AUDIODG.EXE[1172] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000774b1de0 3 bytes JMP 0000000100040240 .text C:\Windows\system32\AUDIODG.EXE[1172] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry + 4 00000000774b1de4 1 byte [88] .text C:\Windows\system32\AUDIODG.EXE[1172] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000774b20a0 3 bytes JMP 00000001000401e0 .text C:\Windows\system32\AUDIODG.EXE[1172] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver + 4 00000000774b20a4 1 byte [88] .text C:\Windows\system32\AUDIODG.EXE[1172] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000774b2160 3 bytes JMP 0000000100040250 .text C:\Windows\system32\AUDIODG.EXE[1172] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 4 00000000774b2164 1 byte [88] .text C:\Windows\system32\AUDIODG.EXE[1172] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000774b2190 3 bytes JMP 0000000100040490 .text C:\Windows\system32\AUDIODG.EXE[1172] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey + 4 00000000774b2194 1 byte [88] .text C:\Windows\system32\AUDIODG.EXE[1172] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000774b21a0 3 bytes JMP 00000001000404a0 .text C:\Windows\system32\AUDIODG.EXE[1172] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys + 4 00000000774b21a4 1 byte [88] .text C:\Windows\system32\AUDIODG.EXE[1172] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000774b21d0 3 bytes JMP 0000000100040300 .text C:\Windows\system32\AUDIODG.EXE[1172] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair + 4 00000000774b21d4 1 byte [88] .text C:\Windows\system32\AUDIODG.EXE[1172] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000774b21e0 3 bytes JMP 0000000100040360 .text C:\Windows\system32\AUDIODG.EXE[1172] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion + 4 00000000774b21e4 1 byte [88] .text C:\Windows\system32\AUDIODG.EXE[1172] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000774b2240 3 bytes JMP 00000001000402a0 .text C:\Windows\system32\AUDIODG.EXE[1172] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant + 4 00000000774b2244 1 byte [88] .text C:\Windows\system32\AUDIODG.EXE[1172] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000774b2290 3 bytes JMP 00000001000402c0 .text C:\Windows\system32\AUDIODG.EXE[1172] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore + 4 00000000774b2294 1 byte [88] .text C:\Windows\system32\AUDIODG.EXE[1172] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000774b22c0 3 bytes JMP 0000000100040380 .text C:\Windows\system32\AUDIODG.EXE[1172] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread + 4 00000000774b22c4 1 byte [88] .text C:\Windows\system32\AUDIODG.EXE[1172] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000774b22d0 3 bytes JMP 0000000100040340 .text C:\Windows\system32\AUDIODG.EXE[1172] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer + 4 00000000774b22d4 1 byte [88] .text C:\Windows\system32\AUDIODG.EXE[1172] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000774b25c0 3 bytes JMP 0000000100040440 .text C:\Windows\system32\AUDIODG.EXE[1172] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx + 4 00000000774b25c4 1 byte [88] .text C:\Windows\system32\AUDIODG.EXE[1172] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000774b27c0 3 bytes JMP 0000000100040260 .text C:\Windows\system32\AUDIODG.EXE[1172] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 4 00000000774b27c4 1 byte [88] .text C:\Windows\system32\AUDIODG.EXE[1172] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000774b27d0 3 bytes JMP 0000000100040270 .text C:\Windows\system32\AUDIODG.EXE[1172] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 4 00000000774b27d4 1 byte [88] .text C:\Windows\system32\AUDIODG.EXE[1172] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000774b27e0 3 bytes JMP 0000000100040400 .text C:\Windows\system32\AUDIODG.EXE[1172] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 4 00000000774b27e4 1 byte [88] .text C:\Windows\system32\AUDIODG.EXE[1172] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000774b29a0 3 bytes JMP 00000001000401f0 .text C:\Windows\system32\AUDIODG.EXE[1172] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation + 4 00000000774b29a4 1 byte [88] .text C:\Windows\system32\AUDIODG.EXE[1172] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000774b29b0 3 bytes JMP 0000000100040210 .text C:\Windows\system32\AUDIODG.EXE[1172] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState + 4 00000000774b29b4 1 byte [88] .text C:\Windows\system32\AUDIODG.EXE[1172] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000774b2a20 3 bytes JMP 0000000100040200 .text C:\Windows\system32\AUDIODG.EXE[1172] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem + 4 00000000774b2a24 1 byte [88] .text C:\Windows\system32\AUDIODG.EXE[1172] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000774b2a80 3 bytes JMP 0000000100040420 .text C:\Windows\system32\AUDIODG.EXE[1172] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 4 00000000774b2a84 1 byte [88] .text C:\Windows\system32\AUDIODG.EXE[1172] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000774b2a90 3 bytes JMP 0000000100040430 .text C:\Windows\system32\AUDIODG.EXE[1172] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 4 00000000774b2a94 1 byte [88] .text C:\Windows\system32\AUDIODG.EXE[1172] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000774b2aa0 3 bytes JMP 0000000100040220 .text C:\Windows\system32\AUDIODG.EXE[1172] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl + 4 00000000774b2aa4 1 byte [88] .text C:\Windows\system32\AUDIODG.EXE[1172] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000774b2b80 3 bytes JMP 0000000100040280 .text C:\Windows\system32\AUDIODG.EXE[1172] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl + 4 00000000774b2b84 1 byte [88] .text C:\Windows\system32\atieclxx.exe[1312] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000774b1360 5 bytes JMP 0000000077610460 .text C:\Windows\system32\atieclxx.exe[1312] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000774b13b0 5 bytes JMP 0000000077610450 .text C:\Windows\system32\atieclxx.exe[1312] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000774b1510 5 bytes JMP 0000000077610370 .text C:\Windows\system32\atieclxx.exe[1312] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000774b1560 5 bytes JMP 0000000077610470 .text C:\Windows\system32\atieclxx.exe[1312] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000774b1570 5 bytes JMP 00000000776103e0 .text C:\Windows\system32\atieclxx.exe[1312] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000774b1620 5 bytes JMP 0000000077610320 .text C:\Windows\system32\atieclxx.exe[1312] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000774b1650 5 bytes JMP 00000000776103b0 .text C:\Windows\system32\atieclxx.exe[1312] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000774b1670 5 bytes JMP 0000000077610390 .text C:\Windows\system32\atieclxx.exe[1312] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000774b16b0 5 bytes JMP 00000000776102e0 .text C:\Windows\system32\atieclxx.exe[1312] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000774b1730 5 bytes JMP 00000000776102d0 .text C:\Windows\system32\atieclxx.exe[1312] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000774b1750 5 bytes JMP 0000000077610310 .text C:\Windows\system32\atieclxx.exe[1312] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000774b1790 5 bytes JMP 00000000776103c0 .text C:\Windows\system32\atieclxx.exe[1312] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000774b17e0 5 bytes JMP 00000000776103f0 .text C:\Windows\system32\atieclxx.exe[1312] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000774b1940 5 bytes JMP 0000000077610230 .text C:\Windows\system32\atieclxx.exe[1312] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000774b1b00 5 bytes JMP 0000000077610480 .text C:\Windows\system32\atieclxx.exe[1312] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000774b1b30 5 bytes JMP 00000000776103a0 .text C:\Windows\system32\atieclxx.exe[1312] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000774b1c10 5 bytes JMP 00000000776102f0 .text C:\Windows\system32\atieclxx.exe[1312] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000774b1c20 5 bytes JMP 0000000077610350 .text C:\Windows\system32\atieclxx.exe[1312] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000774b1c80 5 bytes JMP 0000000077610290 .text C:\Windows\system32\atieclxx.exe[1312] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000774b1d10 5 bytes JMP 00000000776102b0 .text C:\Windows\system32\atieclxx.exe[1312] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000774b1d30 5 bytes JMP 00000000776103d0 .text C:\Windows\system32\atieclxx.exe[1312] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000774b1d40 5 bytes JMP 0000000077610330 .text C:\Windows\system32\atieclxx.exe[1312] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000774b1db0 5 bytes JMP 0000000077610410 .text C:\Windows\system32\atieclxx.exe[1312] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000774b1de0 5 bytes JMP 0000000077610240 .text C:\Windows\system32\atieclxx.exe[1312] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000774b20a0 5 bytes JMP 00000000776101e0 .text C:\Windows\system32\atieclxx.exe[1312] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000774b2160 5 bytes JMP 0000000077610250 .text C:\Windows\system32\atieclxx.exe[1312] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000774b2190 5 bytes JMP 0000000077610490 .text C:\Windows\system32\atieclxx.exe[1312] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000774b21a0 5 bytes JMP 00000000776104a0 .text C:\Windows\system32\atieclxx.exe[1312] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000774b21d0 5 bytes JMP 0000000077610300 .text C:\Windows\system32\atieclxx.exe[1312] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000774b21e0 5 bytes JMP 0000000077610360 .text C:\Windows\system32\atieclxx.exe[1312] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000774b2240 5 bytes JMP 00000000776102a0 .text C:\Windows\system32\atieclxx.exe[1312] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000774b2290 5 bytes JMP 00000000776102c0 .text C:\Windows\system32\atieclxx.exe[1312] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000774b22c0 5 bytes JMP 0000000077610380 .text C:\Windows\system32\atieclxx.exe[1312] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000774b22d0 5 bytes JMP 0000000077610340 .text C:\Windows\system32\atieclxx.exe[1312] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000774b25c0 5 bytes JMP 0000000077610440 .text C:\Windows\system32\atieclxx.exe[1312] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000774b27c0 5 bytes JMP 0000000077610260 .text C:\Windows\system32\atieclxx.exe[1312] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000774b27d0 5 bytes JMP 0000000077610270 .text C:\Windows\system32\atieclxx.exe[1312] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000774b27e0 5 bytes JMP 0000000077610400 .text C:\Windows\system32\atieclxx.exe[1312] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000774b29a0 5 bytes JMP 00000000776101f0 .text C:\Windows\system32\atieclxx.exe[1312] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000774b29b0 5 bytes JMP 0000000077610210 .text C:\Windows\system32\atieclxx.exe[1312] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000774b2a20 5 bytes JMP 0000000077610200 .text C:\Windows\system32\atieclxx.exe[1312] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000774b2a80 5 bytes JMP 0000000077610420 .text C:\Windows\system32\atieclxx.exe[1312] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000774b2a90 5 bytes JMP 0000000077610430 .text C:\Windows\system32\atieclxx.exe[1312] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000774b2aa0 5 bytes JMP 0000000077610220 .text C:\Windows\system32\atieclxx.exe[1312] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000774b2b80 5 bytes JMP 0000000077610280 .text C:\Windows\system32\svchost.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000774b1360 5 bytes JMP 0000000077610460 .text C:\Windows\system32\svchost.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000774b13b0 5 bytes JMP 0000000077610450 .text C:\Windows\system32\svchost.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000774b1510 5 bytes JMP 0000000077610370 .text C:\Windows\system32\svchost.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000774b1560 5 bytes JMP 0000000077610470 .text C:\Windows\system32\svchost.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000774b1570 5 bytes JMP 00000000776103e0 .text C:\Windows\system32\svchost.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000774b1620 5 bytes JMP 0000000077610320 .text C:\Windows\system32\svchost.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000774b1650 5 bytes JMP 00000000776103b0 .text C:\Windows\system32\svchost.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000774b1670 5 bytes JMP 0000000077610390 .text C:\Windows\system32\svchost.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000774b16b0 5 bytes JMP 00000000776102e0 .text C:\Windows\system32\svchost.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000774b1730 5 bytes JMP 00000000776102d0 .text C:\Windows\system32\svchost.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000774b1750 5 bytes JMP 0000000077610310 .text C:\Windows\system32\svchost.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000774b1790 5 bytes JMP 00000000776103c0 .text C:\Windows\system32\svchost.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000774b17e0 5 bytes JMP 00000000776103f0 .text C:\Windows\system32\svchost.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000774b1940 5 bytes JMP 0000000077610230 .text C:\Windows\system32\svchost.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000774b1b00 5 bytes JMP 0000000077610480 .text C:\Windows\system32\svchost.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000774b1b30 5 bytes JMP 00000000776103a0 .text C:\Windows\system32\svchost.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000774b1c10 5 bytes JMP 00000000776102f0 .text C:\Windows\system32\svchost.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000774b1c20 5 bytes JMP 0000000077610350 .text C:\Windows\system32\svchost.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000774b1c80 5 bytes JMP 0000000077610290 .text C:\Windows\system32\svchost.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000774b1d10 5 bytes JMP 00000000776102b0 .text C:\Windows\system32\svchost.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000774b1d30 5 bytes JMP 00000000776103d0 .text C:\Windows\system32\svchost.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000774b1d40 5 bytes JMP 0000000077610330 .text C:\Windows\system32\svchost.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000774b1db0 5 bytes JMP 0000000077610410 .text C:\Windows\system32\svchost.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000774b1de0 5 bytes JMP 0000000077610240 .text C:\Windows\system32\svchost.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000774b20a0 5 bytes JMP 00000000776101e0 .text C:\Windows\system32\svchost.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000774b2160 5 bytes JMP 0000000077610250 .text C:\Windows\system32\svchost.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000774b2190 5 bytes JMP 0000000077610490 .text C:\Windows\system32\svchost.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000774b21a0 5 bytes JMP 00000000776104a0 .text C:\Windows\system32\svchost.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000774b21d0 5 bytes JMP 0000000077610300 .text C:\Windows\system32\svchost.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000774b21e0 5 bytes JMP 0000000077610360 .text C:\Windows\system32\svchost.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000774b2240 5 bytes JMP 00000000776102a0 .text C:\Windows\system32\svchost.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000774b2290 5 bytes JMP 00000000776102c0 .text C:\Windows\system32\svchost.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000774b22c0 5 bytes JMP 0000000077610380 .text C:\Windows\system32\svchost.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000774b22d0 5 bytes JMP 0000000077610340 .text C:\Windows\system32\svchost.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000774b25c0 5 bytes JMP 0000000077610440 .text C:\Windows\system32\svchost.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000774b27c0 5 bytes JMP 0000000077610260 .text C:\Windows\system32\svchost.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000774b27d0 5 bytes JMP 0000000077610270 .text C:\Windows\system32\svchost.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000774b27e0 5 bytes JMP 0000000077610400 .text C:\Windows\system32\svchost.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000774b29a0 5 bytes JMP 00000000776101f0 .text C:\Windows\system32\svchost.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000774b29b0 5 bytes JMP 0000000077610210 .text C:\Windows\system32\svchost.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000774b2a20 5 bytes JMP 0000000077610200 .text C:\Windows\system32\svchost.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000774b2a80 5 bytes JMP 0000000077610420 .text C:\Windows\system32\svchost.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000774b2a90 5 bytes JMP 0000000077610430 .text C:\Windows\system32\svchost.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000774b2aa0 5 bytes JMP 0000000077610220 .text C:\Windows\system32\svchost.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000774b2b80 5 bytes JMP 0000000077610280 .text C:\Windows\System32\spoolsv.exe[1712] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000774b1360 5 bytes JMP 0000000077610460 .text C:\Windows\System32\spoolsv.exe[1712] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000774b13b0 5 bytes JMP 0000000077610450 .text C:\Windows\System32\spoolsv.exe[1712] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000774b1510 5 bytes JMP 0000000077610370 .text C:\Windows\System32\spoolsv.exe[1712] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000774b1560 5 bytes JMP 0000000077610470 .text C:\Windows\System32\spoolsv.exe[1712] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000774b1570 5 bytes JMP 00000000776103e0 .text C:\Windows\System32\spoolsv.exe[1712] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000774b1620 5 bytes JMP 0000000077610320 .text C:\Windows\System32\spoolsv.exe[1712] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000774b1650 5 bytes JMP 00000000776103b0 .text C:\Windows\System32\spoolsv.exe[1712] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000774b1670 5 bytes JMP 0000000077610390 .text C:\Windows\System32\spoolsv.exe[1712] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000774b16b0 5 bytes JMP 00000000776102e0 .text C:\Windows\System32\spoolsv.exe[1712] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000774b1730 5 bytes JMP 00000000776102d0 .text C:\Windows\System32\spoolsv.exe[1712] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000774b1750 5 bytes JMP 0000000077610310 .text C:\Windows\System32\spoolsv.exe[1712] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000774b1790 5 bytes JMP 00000000776103c0 .text C:\Windows\System32\spoolsv.exe[1712] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000774b17e0 5 bytes JMP 00000000776103f0 .text C:\Windows\System32\spoolsv.exe[1712] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000774b1940 5 bytes JMP 0000000077610230 .text C:\Windows\System32\spoolsv.exe[1712] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000774b1b00 5 bytes JMP 0000000077610480 .text C:\Windows\System32\spoolsv.exe[1712] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000774b1b30 5 bytes JMP 00000000776103a0 .text C:\Windows\System32\spoolsv.exe[1712] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000774b1c10 5 bytes JMP 00000000776102f0 .text C:\Windows\System32\spoolsv.exe[1712] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000774b1c20 5 bytes JMP 0000000077610350 .text C:\Windows\System32\spoolsv.exe[1712] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000774b1c80 5 bytes JMP 0000000077610290 .text C:\Windows\System32\spoolsv.exe[1712] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000774b1d10 5 bytes JMP 00000000776102b0 .text C:\Windows\System32\spoolsv.exe[1712] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000774b1d30 5 bytes JMP 00000000776103d0 .text C:\Windows\System32\spoolsv.exe[1712] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000774b1d40 5 bytes JMP 0000000077610330 .text C:\Windows\System32\spoolsv.exe[1712] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000774b1db0 5 bytes JMP 0000000077610410 .text C:\Windows\System32\spoolsv.exe[1712] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000774b1de0 5 bytes JMP 0000000077610240 .text C:\Windows\System32\spoolsv.exe[1712] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000774b20a0 5 bytes JMP 00000000776101e0 .text C:\Windows\System32\spoolsv.exe[1712] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000774b2160 5 bytes JMP 0000000077610250 .text C:\Windows\System32\spoolsv.exe[1712] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000774b2190 5 bytes JMP 0000000077610490 .text C:\Windows\System32\spoolsv.exe[1712] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000774b21a0 5 bytes JMP 00000000776104a0 .text C:\Windows\System32\spoolsv.exe[1712] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000774b21d0 5 bytes JMP 0000000077610300 .text C:\Windows\System32\spoolsv.exe[1712] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000774b21e0 5 bytes JMP 0000000077610360 .text C:\Windows\System32\spoolsv.exe[1712] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000774b2240 5 bytes JMP 00000000776102a0 .text C:\Windows\System32\spoolsv.exe[1712] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000774b2290 5 bytes JMP 00000000776102c0 .text C:\Windows\System32\spoolsv.exe[1712] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000774b22c0 5 bytes JMP 0000000077610380 .text C:\Windows\System32\spoolsv.exe[1712] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000774b22d0 5 bytes JMP 0000000077610340 .text C:\Windows\System32\spoolsv.exe[1712] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000774b25c0 5 bytes JMP 0000000077610440 .text C:\Windows\System32\spoolsv.exe[1712] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000774b27c0 5 bytes JMP 0000000077610260 .text C:\Windows\System32\spoolsv.exe[1712] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000774b27d0 5 bytes JMP 0000000077610270 .text C:\Windows\System32\spoolsv.exe[1712] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000774b27e0 5 bytes JMP 0000000077610400 .text C:\Windows\System32\spoolsv.exe[1712] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000774b29a0 5 bytes JMP 00000000776101f0 .text C:\Windows\System32\spoolsv.exe[1712] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000774b29b0 5 bytes JMP 0000000077610210 .text C:\Windows\System32\spoolsv.exe[1712] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000774b2a20 5 bytes JMP 0000000077610200 .text C:\Windows\System32\spoolsv.exe[1712] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000774b2a80 5 bytes JMP 0000000077610420 .text C:\Windows\System32\spoolsv.exe[1712] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000774b2a90 5 bytes JMP 0000000077610430 .text C:\Windows\System32\spoolsv.exe[1712] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000774b2aa0 5 bytes JMP 0000000077610220 .text C:\Windows\System32\spoolsv.exe[1712] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000774b2b80 5 bytes JMP 0000000077610280 .text C:\Windows\system32\svchost.exe[1740] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000774b1360 5 bytes JMP 0000000077610460 .text C:\Windows\system32\svchost.exe[1740] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000774b13b0 5 bytes JMP 0000000077610450 .text C:\Windows\system32\svchost.exe[1740] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000774b1510 5 bytes JMP 0000000077610370 .text C:\Windows\system32\svchost.exe[1740] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000774b1560 5 bytes JMP 0000000077610470 .text C:\Windows\system32\svchost.exe[1740] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000774b1570 5 bytes JMP 00000000776103e0 .text C:\Windows\system32\svchost.exe[1740] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000774b1620 5 bytes JMP 0000000077610320 .text C:\Windows\system32\svchost.exe[1740] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000774b1650 5 bytes JMP 00000000776103b0 .text C:\Windows\system32\svchost.exe[1740] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000774b1670 5 bytes JMP 0000000077610390 .text C:\Windows\system32\svchost.exe[1740] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000774b16b0 5 bytes JMP 00000000776102e0 .text C:\Windows\system32\svchost.exe[1740] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000774b1730 5 bytes JMP 00000000776102d0 .text C:\Windows\system32\svchost.exe[1740] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000774b1750 5 bytes JMP 0000000077610310 .text C:\Windows\system32\svchost.exe[1740] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000774b1790 5 bytes JMP 00000000776103c0 .text C:\Windows\system32\svchost.exe[1740] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000774b17e0 5 bytes JMP 00000000776103f0 .text C:\Windows\system32\svchost.exe[1740] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000774b1940 5 bytes JMP 0000000077610230 .text C:\Windows\system32\svchost.exe[1740] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000774b1b00 5 bytes JMP 0000000077610480 .text C:\Windows\system32\svchost.exe[1740] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000774b1b30 5 bytes JMP 00000000776103a0 .text C:\Windows\system32\svchost.exe[1740] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000774b1c10 5 bytes JMP 00000000776102f0 .text C:\Windows\system32\svchost.exe[1740] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000774b1c20 5 bytes JMP 0000000077610350 .text C:\Windows\system32\svchost.exe[1740] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000774b1c80 5 bytes JMP 0000000077610290 .text C:\Windows\system32\svchost.exe[1740] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000774b1d10 5 bytes JMP 00000000776102b0 .text C:\Windows\system32\svchost.exe[1740] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000774b1d30 5 bytes JMP 00000000776103d0 .text C:\Windows\system32\svchost.exe[1740] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000774b1d40 5 bytes JMP 0000000077610330 .text C:\Windows\system32\svchost.exe[1740] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000774b1db0 5 bytes JMP 0000000077610410 .text C:\Windows\system32\svchost.exe[1740] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000774b1de0 5 bytes JMP 0000000077610240 .text C:\Windows\system32\svchost.exe[1740] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000774b20a0 5 bytes JMP 00000000776101e0 .text C:\Windows\system32\svchost.exe[1740] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000774b2160 5 bytes JMP 0000000077610250 .text C:\Windows\system32\svchost.exe[1740] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000774b2190 5 bytes JMP 0000000077610490 .text C:\Windows\system32\svchost.exe[1740] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000774b21a0 5 bytes JMP 00000000776104a0 .text C:\Windows\system32\svchost.exe[1740] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000774b21d0 5 bytes JMP 0000000077610300 .text C:\Windows\system32\svchost.exe[1740] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000774b21e0 5 bytes JMP 0000000077610360 .text C:\Windows\system32\svchost.exe[1740] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000774b2240 5 bytes JMP 00000000776102a0 .text C:\Windows\system32\svchost.exe[1740] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000774b2290 5 bytes JMP 00000000776102c0 .text C:\Windows\system32\svchost.exe[1740] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000774b22c0 5 bytes JMP 0000000077610380 .text C:\Windows\system32\svchost.exe[1740] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000774b22d0 5 bytes JMP 0000000077610340 .text C:\Windows\system32\svchost.exe[1740] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000774b25c0 5 bytes JMP 0000000077610440 .text C:\Windows\system32\svchost.exe[1740] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000774b27c0 5 bytes JMP 0000000077610260 .text C:\Windows\system32\svchost.exe[1740] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000774b27d0 5 bytes JMP 0000000077610270 .text C:\Windows\system32\svchost.exe[1740] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000774b27e0 5 bytes JMP 0000000077610400 .text C:\Windows\system32\svchost.exe[1740] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000774b29a0 5 bytes JMP 00000000776101f0 .text C:\Windows\system32\svchost.exe[1740] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000774b29b0 5 bytes JMP 0000000077610210 .text C:\Windows\system32\svchost.exe[1740] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000774b2a20 5 bytes JMP 0000000077610200 .text C:\Windows\system32\svchost.exe[1740] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000774b2a80 5 bytes JMP 0000000077610420 .text C:\Windows\system32\svchost.exe[1740] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000774b2a90 5 bytes JMP 0000000077610430 .text C:\Windows\system32\svchost.exe[1740] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000774b2aa0 5 bytes JMP 0000000077610220 .text C:\Windows\system32\svchost.exe[1740] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000774b2b80 5 bytes JMP 0000000077610280 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1840] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000760ca2fd 1 byte [62] .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1868] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000774b1360 5 bytes JMP 0000000077610460 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1868] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000774b13b0 5 bytes JMP 0000000077610450 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1868] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000774b1510 5 bytes JMP 0000000077610370 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1868] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000774b1560 5 bytes JMP 0000000077610470 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1868] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000774b1570 5 bytes JMP 00000000776103e0 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1868] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000774b1620 5 bytes JMP 0000000077610320 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1868] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000774b1650 5 bytes JMP 00000000776103b0 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1868] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000774b1670 5 bytes JMP 0000000077610390 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1868] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000774b16b0 5 bytes JMP 00000000776102e0 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1868] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000774b1730 5 bytes JMP 00000000776102d0 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1868] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000774b1750 5 bytes JMP 0000000077610310 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1868] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000774b1790 5 bytes JMP 00000000776103c0 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1868] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000774b17e0 5 bytes JMP 00000000776103f0 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1868] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000774b1940 5 bytes JMP 0000000077610230 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1868] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000774b1b00 5 bytes JMP 0000000077610480 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1868] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000774b1b30 5 bytes JMP 00000000776103a0 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1868] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000774b1c10 5 bytes JMP 00000000776102f0 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1868] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000774b1c20 5 bytes JMP 0000000077610350 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1868] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000774b1c80 5 bytes JMP 0000000077610290 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1868] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000774b1d10 5 bytes JMP 00000000776102b0 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1868] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000774b1d30 5 bytes JMP 00000000776103d0 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1868] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000774b1d40 5 bytes JMP 0000000077610330 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1868] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000774b1db0 5 bytes JMP 0000000077610410 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1868] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000774b1de0 5 bytes JMP 0000000077610240 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1868] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000774b20a0 5 bytes JMP 00000000776101e0 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1868] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000774b2160 5 bytes JMP 0000000077610250 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1868] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000774b2190 5 bytes JMP 0000000077610490 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1868] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000774b21a0 5 bytes JMP 00000000776104a0 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1868] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000774b21d0 5 bytes JMP 0000000077610300 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1868] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000774b21e0 5 bytes JMP 0000000077610360 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1868] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000774b2240 5 bytes JMP 00000000776102a0 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1868] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000774b2290 5 bytes JMP 00000000776102c0 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1868] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000774b22c0 5 bytes JMP 0000000077610380 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1868] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000774b22d0 5 bytes JMP 0000000077610340 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1868] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000774b25c0 5 bytes JMP 0000000077610440 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1868] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000774b27c0 5 bytes JMP 0000000077610260 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1868] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000774b27d0 5 bytes JMP 0000000077610270 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1868] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000774b27e0 5 bytes JMP 0000000077610400 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1868] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000774b29a0 5 bytes JMP 00000000776101f0 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1868] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000774b29b0 5 bytes JMP 0000000077610210 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1868] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000774b2a20 5 bytes JMP 0000000077610200 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1868] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000774b2a80 5 bytes JMP 0000000077610420 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1868] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000774b2a90 5 bytes JMP 0000000077610430 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1868] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000774b2aa0 5 bytes JMP 0000000077610220 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1868] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000774b2b80 5 bytes JMP 0000000077610280 .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[1984] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000774b1360 5 bytes JMP 0000000077610460 .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[1984] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000774b13b0 5 bytes JMP 0000000077610450 .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[1984] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000774b1510 5 bytes JMP 0000000077610370 .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[1984] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000774b1560 5 bytes JMP 0000000077610470 .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[1984] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000774b1570 5 bytes JMP 00000000776103e0 .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[1984] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000774b1620 5 bytes JMP 0000000077610320 .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[1984] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000774b1650 5 bytes JMP 00000000776103b0 .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[1984] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000774b1670 5 bytes JMP 0000000077610390 .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[1984] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000774b16b0 5 bytes JMP 00000000776102e0 .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[1984] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000774b1730 5 bytes JMP 00000000776102d0 .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[1984] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000774b1750 5 bytes JMP 0000000077610310 .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[1984] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000774b1790 5 bytes JMP 00000000776103c0 .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[1984] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000774b17e0 5 bytes JMP 00000000776103f0 .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[1984] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000774b1940 5 bytes JMP 0000000077610230 .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[1984] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000774b1b00 5 bytes JMP 0000000077610480 .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[1984] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000774b1b30 5 bytes JMP 00000000776103a0 .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[1984] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000774b1c10 5 bytes JMP 00000000776102f0 .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[1984] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000774b1c20 5 bytes JMP 0000000077610350 .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[1984] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000774b1c80 5 bytes JMP 0000000077610290 .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[1984] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000774b1d10 5 bytes JMP 00000000776102b0 .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[1984] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000774b1d30 5 bytes JMP 00000000776103d0 .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[1984] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000774b1d40 5 bytes JMP 0000000077610330 .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[1984] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000774b1db0 5 bytes JMP 0000000077610410 .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[1984] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000774b1de0 5 bytes JMP 0000000077610240 .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[1984] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000774b20a0 5 bytes JMP 00000000776101e0 .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[1984] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000774b2160 5 bytes JMP 0000000077610250 .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[1984] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000774b2190 5 bytes JMP 0000000077610490 .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[1984] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000774b21a0 5 bytes JMP 00000000776104a0 .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[1984] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000774b21d0 5 bytes JMP 0000000077610300 .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[1984] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000774b21e0 5 bytes JMP 0000000077610360 .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[1984] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000774b2240 5 bytes JMP 00000000776102a0 .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[1984] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000774b2290 5 bytes JMP 00000000776102c0 .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[1984] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000774b22c0 5 bytes JMP 0000000077610380 .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[1984] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000774b22d0 5 bytes JMP 0000000077610340 .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[1984] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000774b25c0 5 bytes JMP 0000000077610440 .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[1984] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000774b27c0 5 bytes JMP 0000000077610260 .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[1984] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000774b27d0 5 bytes JMP 0000000077610270 .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[1984] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000774b27e0 5 bytes JMP 0000000077610400 .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[1984] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000774b29a0 5 bytes JMP 00000000776101f0 .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[1984] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000774b29b0 5 bytes JMP 0000000077610210 .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[1984] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000774b2a20 5 bytes JMP 0000000077610200 .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[1984] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000774b2a80 5 bytes JMP 0000000077610420 .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[1984] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000774b2a90 5 bytes JMP 0000000077610430 .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[1984] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000774b2aa0 5 bytes JMP 0000000077610220 .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[1984] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000774b2b80 5 bytes JMP 0000000077610280 .text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[728] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000760ca2fd 1 byte [62] .text C:\Windows\SysWOW64\vmnat.exe[2120] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000760ca2fd 1 byte [62] .text C:\Windows\SysWOW64\vmnat.exe[2120] C:\Windows\SysWOW64\SHFOLDER.dll!SHGetFolderPathW + 4 0000000071aa13b0 2 bytes JMP 75165660 C:\Windows\syswow64\SHELL32.dll .text C:\Windows\SysWOW64\vmnat.exe[2120] C:\Windows\SysWOW64\SHFOLDER.dll!SHGetFolderPathW + 20 0000000071aa13c0 2 bytes CALL 766b9cee C:\Windows\syswow64\msvcrt.dll .text ... * 20 .text C:\Windows\SysWOW64\vmnat.exe[2120] C:\Windows\SysWOW64\SHFOLDER.dll!SHGetFolderPathA + 22 0000000071aa153e 2 bytes CALL 751f777c C:\Windows\syswow64\SHELL32.dll .text C:\Windows\SysWOW64\vmnat.exe[2120] C:\Windows\SysWOW64\SHFOLDER.dll!SHGetFolderPathA + 43 0000000071aa1553 2 bytes CALL 760a10ff C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\VMware\VMware Workstation\vmware-authd.exe[2188] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000760ca2fd 1 byte [62] .text C:\Program Files (x86)\VMware\VMware Workstation\vmware-authd.exe[2188] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 00000000750d1401 2 bytes JMP 760cb21b C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\VMware\VMware Workstation\vmware-authd.exe[2188] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 00000000750d1419 2 bytes JMP 760cb346 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\VMware\VMware Workstation\vmware-authd.exe[2188] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 00000000750d1431 2 bytes JMP 76148ea9 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\VMware\VMware Workstation\vmware-authd.exe[2188] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 00000000750d144a 2 bytes CALL 760a48ad C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\VMware\VMware Workstation\vmware-authd.exe[2188] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000750d14dd 2 bytes JMP 761487a2 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\VMware\VMware Workstation\vmware-authd.exe[2188] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000750d14f5 2 bytes JMP 76148978 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\VMware\VMware Workstation\vmware-authd.exe[2188] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 00000000750d150d 2 bytes JMP 76148698 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\VMware\VMware Workstation\vmware-authd.exe[2188] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 00000000750d1525 2 bytes JMP 76148a62 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\VMware\VMware Workstation\vmware-authd.exe[2188] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 00000000750d153d 2 bytes JMP 760bfca8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\VMware\VMware Workstation\vmware-authd.exe[2188] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 00000000750d1555 2 bytes JMP 760c68ef C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\VMware\VMware Workstation\vmware-authd.exe[2188] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 00000000750d156d 2 bytes JMP 76148f61 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\VMware\VMware Workstation\vmware-authd.exe[2188] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 00000000750d1585 2 bytes JMP 76148ac2 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\VMware\VMware Workstation\vmware-authd.exe[2188] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 00000000750d159d 2 bytes JMP 7614865c C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\VMware\VMware Workstation\vmware-authd.exe[2188] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000750d15b5 2 bytes JMP 760bfd41 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\VMware\VMware Workstation\vmware-authd.exe[2188] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000750d15cd 2 bytes JMP 760cb2dc C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\VMware\VMware Workstation\vmware-authd.exe[2188] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000750d16b2 2 bytes JMP 76148e24 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\VMware\VMware Workstation\vmware-authd.exe[2188] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000750d16bd 2 bytes JMP 761485f1 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\vmnetdhcp.exe[2404] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000760ca2fd 1 byte [62] .text C:\Program Files (x86)\Common Files\VMware\USB\vmware-usbarbitrator64.exe[2440] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000774b1360 5 bytes JMP 0000000077610460 .text C:\Program Files (x86)\Common Files\VMware\USB\vmware-usbarbitrator64.exe[2440] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000774b13b0 5 bytes JMP 0000000077610450 .text C:\Program Files (x86)\Common Files\VMware\USB\vmware-usbarbitrator64.exe[2440] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000774b1510 5 bytes JMP 0000000077610370 .text C:\Program Files (x86)\Common Files\VMware\USB\vmware-usbarbitrator64.exe[2440] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000774b1560 5 bytes JMP 0000000077610470 .text C:\Program Files (x86)\Common Files\VMware\USB\vmware-usbarbitrator64.exe[2440] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000774b1570 5 bytes JMP 00000000776103e0 .text C:\Program Files (x86)\Common Files\VMware\USB\vmware-usbarbitrator64.exe[2440] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000774b1620 5 bytes JMP 0000000077610320 .text C:\Program Files (x86)\Common Files\VMware\USB\vmware-usbarbitrator64.exe[2440] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000774b1650 5 bytes JMP 00000000776103b0 .text C:\Program Files (x86)\Common Files\VMware\USB\vmware-usbarbitrator64.exe[2440] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000774b1670 5 bytes JMP 0000000077610390 .text C:\Program Files (x86)\Common Files\VMware\USB\vmware-usbarbitrator64.exe[2440] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000774b16b0 5 bytes JMP 00000000776102e0 .text C:\Program Files (x86)\Common Files\VMware\USB\vmware-usbarbitrator64.exe[2440] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000774b1730 5 bytes JMP 00000000776102d0 .text C:\Program Files (x86)\Common Files\VMware\USB\vmware-usbarbitrator64.exe[2440] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000774b1750 5 bytes JMP 0000000077610310 .text C:\Program Files (x86)\Common Files\VMware\USB\vmware-usbarbitrator64.exe[2440] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000774b1790 5 bytes JMP 00000000776103c0 .text C:\Program Files (x86)\Common Files\VMware\USB\vmware-usbarbitrator64.exe[2440] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000774b17e0 5 bytes JMP 00000000776103f0 .text C:\Program Files (x86)\Common Files\VMware\USB\vmware-usbarbitrator64.exe[2440] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000774b1940 5 bytes JMP 0000000077610230 .text C:\Program Files (x86)\Common Files\VMware\USB\vmware-usbarbitrator64.exe[2440] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000774b1b00 5 bytes JMP 0000000077610480 .text C:\Program Files (x86)\Common Files\VMware\USB\vmware-usbarbitrator64.exe[2440] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000774b1b30 5 bytes JMP 00000000776103a0 .text C:\Program Files (x86)\Common Files\VMware\USB\vmware-usbarbitrator64.exe[2440] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000774b1c10 5 bytes JMP 00000000776102f0 .text C:\Program Files (x86)\Common Files\VMware\USB\vmware-usbarbitrator64.exe[2440] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000774b1c20 5 bytes JMP 0000000077610350 .text C:\Program Files (x86)\Common Files\VMware\USB\vmware-usbarbitrator64.exe[2440] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000774b1c80 5 bytes JMP 0000000077610290 .text C:\Program Files (x86)\Common Files\VMware\USB\vmware-usbarbitrator64.exe[2440] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000774b1d10 5 bytes JMP 00000000776102b0 .text C:\Program Files (x86)\Common Files\VMware\USB\vmware-usbarbitrator64.exe[2440] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000774b1d30 5 bytes JMP 00000000776103d0 .text C:\Program Files (x86)\Common Files\VMware\USB\vmware-usbarbitrator64.exe[2440] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000774b1d40 5 bytes JMP 0000000077610330 .text C:\Program Files (x86)\Common Files\VMware\USB\vmware-usbarbitrator64.exe[2440] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000774b1db0 5 bytes JMP 0000000077610410 .text C:\Program Files (x86)\Common Files\VMware\USB\vmware-usbarbitrator64.exe[2440] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000774b1de0 5 bytes JMP 0000000077610240 .text C:\Program Files (x86)\Common Files\VMware\USB\vmware-usbarbitrator64.exe[2440] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000774b20a0 5 bytes JMP 00000000776101e0 .text C:\Program Files (x86)\Common Files\VMware\USB\vmware-usbarbitrator64.exe[2440] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000774b2160 5 bytes JMP 0000000077610250 .text C:\Program Files (x86)\Common Files\VMware\USB\vmware-usbarbitrator64.exe[2440] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000774b2190 5 bytes JMP 0000000077610490 .text C:\Program Files (x86)\Common Files\VMware\USB\vmware-usbarbitrator64.exe[2440] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000774b21a0 5 bytes JMP 00000000776104a0 .text C:\Program Files (x86)\Common Files\VMware\USB\vmware-usbarbitrator64.exe[2440] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000774b21d0 5 bytes JMP 0000000077610300 .text C:\Program Files (x86)\Common Files\VMware\USB\vmware-usbarbitrator64.exe[2440] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000774b21e0 5 bytes JMP 0000000077610360 .text C:\Program Files (x86)\Common Files\VMware\USB\vmware-usbarbitrator64.exe[2440] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000774b2240 5 bytes JMP 00000000776102a0 .text C:\Program Files (x86)\Common Files\VMware\USB\vmware-usbarbitrator64.exe[2440] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000774b2290 5 bytes JMP 00000000776102c0 .text C:\Program Files (x86)\Common Files\VMware\USB\vmware-usbarbitrator64.exe[2440] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000774b22c0 5 bytes JMP 0000000077610380 .text C:\Program Files (x86)\Common Files\VMware\USB\vmware-usbarbitrator64.exe[2440] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000774b22d0 5 bytes JMP 0000000077610340 .text C:\Program Files (x86)\Common Files\VMware\USB\vmware-usbarbitrator64.exe[2440] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000774b25c0 5 bytes JMP 0000000077610440 .text C:\Program Files (x86)\Common Files\VMware\USB\vmware-usbarbitrator64.exe[2440] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000774b27c0 5 bytes JMP 0000000077610260 .text C:\Program Files (x86)\Common Files\VMware\USB\vmware-usbarbitrator64.exe[2440] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000774b27d0 5 bytes JMP 0000000077610270 .text C:\Program Files (x86)\Common Files\VMware\USB\vmware-usbarbitrator64.exe[2440] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000774b27e0 5 bytes JMP 0000000077610400 .text C:\Program Files (x86)\Common Files\VMware\USB\vmware-usbarbitrator64.exe[2440] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000774b29a0 5 bytes JMP 00000000776101f0 .text C:\Program Files (x86)\Common Files\VMware\USB\vmware-usbarbitrator64.exe[2440] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000774b29b0 5 bytes JMP 0000000077610210 .text C:\Program Files (x86)\Common Files\VMware\USB\vmware-usbarbitrator64.exe[2440] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000774b2a20 5 bytes JMP 0000000077610200 .text C:\Program Files (x86)\Common Files\VMware\USB\vmware-usbarbitrator64.exe[2440] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000774b2a80 5 bytes JMP 0000000077610420 .text C:\Program Files (x86)\Common Files\VMware\USB\vmware-usbarbitrator64.exe[2440] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000774b2a90 5 bytes JMP 0000000077610430 .text C:\Program Files (x86)\Common Files\VMware\USB\vmware-usbarbitrator64.exe[2440] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000774b2aa0 5 bytes JMP 0000000077610220 .text C:\Program Files (x86)\Common Files\VMware\USB\vmware-usbarbitrator64.exe[2440] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000774b2b80 5 bytes JMP 0000000077610280 .text C:\Program Files (x86)\Common Files\VMware\USB\vmware-usbarbitrator64.exe[2440] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007729ef8d 1 byte [62] .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[2472] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000774b1360 5 bytes JMP 0000000077610460 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[2472] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000774b13b0 5 bytes JMP 0000000077610450 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[2472] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000774b1510 5 bytes JMP 0000000077610370 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[2472] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000774b1560 5 bytes JMP 0000000077610470 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[2472] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000774b1570 5 bytes JMP 00000000776103e0 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[2472] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000774b1620 5 bytes JMP 0000000077610320 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[2472] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000774b1650 5 bytes JMP 00000000776103b0 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[2472] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000774b1670 5 bytes JMP 0000000077610390 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[2472] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000774b16b0 5 bytes JMP 00000000776102e0 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[2472] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000774b1730 5 bytes JMP 00000000776102d0 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[2472] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000774b1750 5 bytes JMP 0000000077610310 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[2472] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000774b1790 5 bytes JMP 00000000776103c0 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[2472] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000774b17e0 5 bytes JMP 00000000776103f0 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[2472] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000774b1940 5 bytes JMP 0000000077610230 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[2472] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000774b1b00 5 bytes JMP 0000000077610480 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[2472] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000774b1b30 5 bytes JMP 00000000776103a0 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[2472] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000774b1c10 5 bytes JMP 00000000776102f0 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[2472] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000774b1c20 5 bytes JMP 0000000077610350 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[2472] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000774b1c80 5 bytes JMP 0000000077610290 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[2472] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000774b1d10 5 bytes JMP 00000000776102b0 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[2472] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000774b1d30 5 bytes JMP 00000000776103d0 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[2472] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000774b1d40 5 bytes JMP 0000000077610330 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[2472] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000774b1db0 5 bytes JMP 0000000077610410 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[2472] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000774b1de0 5 bytes JMP 0000000077610240 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[2472] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000774b20a0 5 bytes JMP 00000000776101e0 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[2472] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000774b2160 5 bytes JMP 0000000077610250 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[2472] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000774b2190 5 bytes JMP 0000000077610490 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[2472] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000774b21a0 5 bytes JMP 00000000776104a0 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[2472] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000774b21d0 5 bytes JMP 0000000077610300 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[2472] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000774b21e0 5 bytes JMP 0000000077610360 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[2472] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000774b2240 5 bytes JMP 00000000776102a0 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[2472] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000774b2290 5 bytes JMP 00000000776102c0 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[2472] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000774b22c0 5 bytes JMP 0000000077610380 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[2472] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000774b22d0 5 bytes JMP 0000000077610340 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[2472] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000774b25c0 5 bytes JMP 0000000077610440 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[2472] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000774b27c0 5 bytes JMP 0000000077610260 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[2472] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000774b27d0 5 bytes JMP 0000000077610270 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[2472] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000774b27e0 5 bytes JMP 0000000077610400 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[2472] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000774b29a0 5 bytes JMP 00000000776101f0 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[2472] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000774b29b0 5 bytes JMP 0000000077610210 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[2472] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000774b2a20 5 bytes JMP 0000000077610200 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[2472] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000774b2a80 5 bytes JMP 0000000077610420 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[2472] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000774b2a90 5 bytes JMP 0000000077610430 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[2472] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000774b2aa0 5 bytes JMP 0000000077610220 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[2472] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000774b2b80 5 bytes JMP 0000000077610280 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[2472] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007729ef8d 1 byte [62] .text C:\Windows\system32\wbem\wmiprvse.exe[2812] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000774b1360 5 bytes JMP 0000000077610460 .text C:\Windows\system32\wbem\wmiprvse.exe[2812] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000774b13b0 5 bytes JMP 0000000077610450 .text C:\Windows\system32\wbem\wmiprvse.exe[2812] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000774b1510 5 bytes JMP 0000000077610370 .text C:\Windows\system32\wbem\wmiprvse.exe[2812] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000774b1560 5 bytes JMP 0000000077610470 .text C:\Windows\system32\wbem\wmiprvse.exe[2812] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000774b1570 5 bytes JMP 00000000776103e0 .text C:\Windows\system32\wbem\wmiprvse.exe[2812] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000774b1620 5 bytes JMP 0000000077610320 .text C:\Windows\system32\wbem\wmiprvse.exe[2812] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000774b1650 5 bytes JMP 00000000776103b0 .text C:\Windows\system32\wbem\wmiprvse.exe[2812] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000774b1670 5 bytes JMP 0000000077610390 .text C:\Windows\system32\wbem\wmiprvse.exe[2812] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000774b16b0 5 bytes JMP 00000000776102e0 .text C:\Windows\system32\wbem\wmiprvse.exe[2812] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000774b1730 5 bytes JMP 00000000776102d0 .text C:\Windows\system32\wbem\wmiprvse.exe[2812] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000774b1750 5 bytes JMP 0000000077610310 .text C:\Windows\system32\wbem\wmiprvse.exe[2812] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000774b1790 5 bytes JMP 00000000776103c0 .text C:\Windows\system32\wbem\wmiprvse.exe[2812] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000774b17e0 5 bytes JMP 00000000776103f0 .text C:\Windows\system32\wbem\wmiprvse.exe[2812] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000774b1940 5 bytes JMP 0000000077610230 .text C:\Windows\system32\wbem\wmiprvse.exe[2812] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000774b1b00 5 bytes JMP 0000000077610480 .text C:\Windows\system32\wbem\wmiprvse.exe[2812] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000774b1b30 5 bytes JMP 00000000776103a0 .text C:\Windows\system32\wbem\wmiprvse.exe[2812] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000774b1c10 5 bytes JMP 00000000776102f0 .text C:\Windows\system32\wbem\wmiprvse.exe[2812] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000774b1c20 5 bytes JMP 0000000077610350 .text C:\Windows\system32\wbem\wmiprvse.exe[2812] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000774b1c80 5 bytes JMP 0000000077610290 .text C:\Windows\system32\wbem\wmiprvse.exe[2812] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000774b1d10 5 bytes JMP 00000000776102b0 .text C:\Windows\system32\wbem\wmiprvse.exe[2812] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000774b1d30 5 bytes JMP 00000000776103d0 .text C:\Windows\system32\wbem\wmiprvse.exe[2812] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000774b1d40 5 bytes JMP 0000000077610330 .text C:\Windows\system32\wbem\wmiprvse.exe[2812] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000774b1db0 5 bytes JMP 0000000077610410 .text C:\Windows\system32\wbem\wmiprvse.exe[2812] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000774b1de0 5 bytes JMP 0000000077610240 .text C:\Windows\system32\wbem\wmiprvse.exe[2812] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000774b20a0 5 bytes JMP 00000000776101e0 .text C:\Windows\system32\wbem\wmiprvse.exe[2812] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000774b2160 5 bytes JMP 0000000077610250 .text C:\Windows\system32\wbem\wmiprvse.exe[2812] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000774b2190 5 bytes JMP 0000000077610490 .text C:\Windows\system32\wbem\wmiprvse.exe[2812] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000774b21a0 5 bytes JMP 00000000776104a0 .text C:\Windows\system32\wbem\wmiprvse.exe[2812] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000774b21d0 5 bytes JMP 0000000077610300 .text C:\Windows\system32\wbem\wmiprvse.exe[2812] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000774b21e0 5 bytes JMP 0000000077610360 .text C:\Windows\system32\wbem\wmiprvse.exe[2812] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000774b2240 5 bytes JMP 00000000776102a0 .text C:\Windows\system32\wbem\wmiprvse.exe[2812] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000774b2290 5 bytes JMP 00000000776102c0 .text C:\Windows\system32\wbem\wmiprvse.exe[2812] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000774b22c0 5 bytes JMP 0000000077610380 .text C:\Windows\system32\wbem\wmiprvse.exe[2812] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000774b22d0 5 bytes JMP 0000000077610340 .text C:\Windows\system32\wbem\wmiprvse.exe[2812] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000774b25c0 5 bytes JMP 0000000077610440 .text C:\Windows\system32\wbem\wmiprvse.exe[2812] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000774b27c0 5 bytes JMP 0000000077610260 .text C:\Windows\system32\wbem\wmiprvse.exe[2812] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000774b27d0 5 bytes JMP 0000000077610270 .text C:\Windows\system32\wbem\wmiprvse.exe[2812] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000774b27e0 5 bytes JMP 0000000077610400 .text C:\Windows\system32\wbem\wmiprvse.exe[2812] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000774b29a0 5 bytes JMP 00000000776101f0 .text C:\Windows\system32\wbem\wmiprvse.exe[2812] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000774b29b0 5 bytes JMP 0000000077610210 .text C:\Windows\system32\wbem\wmiprvse.exe[2812] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000774b2a20 5 bytes JMP 0000000077610200 .text C:\Windows\system32\wbem\wmiprvse.exe[2812] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000774b2a80 5 bytes JMP 0000000077610420 .text C:\Windows\system32\wbem\wmiprvse.exe[2812] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000774b2a90 5 bytes JMP 0000000077610430 .text C:\Windows\system32\wbem\wmiprvse.exe[2812] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000774b2aa0 5 bytes JMP 0000000077610220 .text C:\Windows\system32\wbem\wmiprvse.exe[2812] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000774b2b80 5 bytes JMP 0000000077610280 .text C:\Windows\system32\taskhost.exe[2516] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000774b1360 5 bytes JMP 0000000077610460 .text C:\Windows\system32\taskhost.exe[2516] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000774b13b0 5 bytes JMP 0000000077610450 .text C:\Windows\system32\taskhost.exe[2516] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000774b1510 5 bytes JMP 0000000077610370 .text C:\Windows\system32\taskhost.exe[2516] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000774b1560 5 bytes JMP 0000000077610470 .text C:\Windows\system32\taskhost.exe[2516] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000774b1570 5 bytes JMP 00000000776103e0 .text C:\Windows\system32\taskhost.exe[2516] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000774b1620 5 bytes JMP 0000000077610320 .text C:\Windows\system32\taskhost.exe[2516] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000774b1650 5 bytes JMP 00000000776103b0 .text C:\Windows\system32\taskhost.exe[2516] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000774b1670 5 bytes JMP 0000000077610390 .text C:\Windows\system32\taskhost.exe[2516] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000774b16b0 5 bytes JMP 00000000776102e0 .text C:\Windows\system32\taskhost.exe[2516] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000774b1730 5 bytes JMP 00000000776102d0 .text C:\Windows\system32\taskhost.exe[2516] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000774b1750 5 bytes JMP 0000000077610310 .text C:\Windows\system32\taskhost.exe[2516] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000774b1790 5 bytes JMP 00000000776103c0 .text C:\Windows\system32\taskhost.exe[2516] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000774b17e0 5 bytes JMP 00000000776103f0 .text C:\Windows\system32\taskhost.exe[2516] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000774b1940 5 bytes JMP 0000000077610230 .text C:\Windows\system32\taskhost.exe[2516] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000774b1b00 5 bytes JMP 0000000077610480 .text C:\Windows\system32\taskhost.exe[2516] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000774b1b30 5 bytes JMP 00000000776103a0 .text C:\Windows\system32\taskhost.exe[2516] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000774b1c10 5 bytes JMP 00000000776102f0 .text C:\Windows\system32\taskhost.exe[2516] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000774b1c20 5 bytes JMP 0000000077610350 .text C:\Windows\system32\taskhost.exe[2516] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000774b1c80 5 bytes JMP 0000000077610290 .text C:\Windows\system32\taskhost.exe[2516] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000774b1d10 5 bytes JMP 00000000776102b0 .text C:\Windows\system32\taskhost.exe[2516] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000774b1d30 5 bytes JMP 00000000776103d0 .text C:\Windows\system32\taskhost.exe[2516] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000774b1d40 5 bytes JMP 0000000077610330 .text C:\Windows\system32\taskhost.exe[2516] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000774b1db0 5 bytes JMP 0000000077610410 .text C:\Windows\system32\taskhost.exe[2516] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000774b1de0 5 bytes JMP 0000000077610240 .text C:\Windows\system32\taskhost.exe[2516] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000774b20a0 5 bytes JMP 00000000776101e0 .text C:\Windows\system32\taskhost.exe[2516] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000774b2160 5 bytes JMP 0000000077610250 .text C:\Windows\system32\taskhost.exe[2516] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000774b2190 5 bytes JMP 0000000077610490 .text C:\Windows\system32\taskhost.exe[2516] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000774b21a0 5 bytes JMP 00000000776104a0 .text C:\Windows\system32\taskhost.exe[2516] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000774b21d0 5 bytes JMP 0000000077610300 .text C:\Windows\system32\taskhost.exe[2516] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000774b21e0 5 bytes JMP 0000000077610360 .text C:\Windows\system32\taskhost.exe[2516] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000774b2240 5 bytes JMP 00000000776102a0 .text C:\Windows\system32\taskhost.exe[2516] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000774b2290 5 bytes JMP 00000000776102c0 .text C:\Windows\system32\taskhost.exe[2516] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000774b22c0 5 bytes JMP 0000000077610380 .text C:\Windows\system32\taskhost.exe[2516] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000774b22d0 5 bytes JMP 0000000077610340 .text C:\Windows\system32\taskhost.exe[2516] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000774b25c0 5 bytes JMP 0000000077610440 .text C:\Windows\system32\taskhost.exe[2516] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000774b27c0 5 bytes JMP 0000000077610260 .text C:\Windows\system32\taskhost.exe[2516] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000774b27d0 5 bytes JMP 0000000077610270 .text C:\Windows\system32\taskhost.exe[2516] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000774b27e0 5 bytes JMP 0000000077610400 .text C:\Windows\system32\taskhost.exe[2516] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000774b29a0 5 bytes JMP 00000000776101f0 .text C:\Windows\system32\taskhost.exe[2516] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000774b29b0 5 bytes JMP 0000000077610210 .text C:\Windows\system32\taskhost.exe[2516] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000774b2a20 5 bytes JMP 0000000077610200 .text C:\Windows\system32\taskhost.exe[2516] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000774b2a80 5 bytes JMP 0000000077610420 .text C:\Windows\system32\taskhost.exe[2516] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000774b2a90 5 bytes JMP 0000000077610430 .text C:\Windows\system32\taskhost.exe[2516] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000774b2aa0 5 bytes JMP 0000000077610220 .text C:\Windows\system32\taskhost.exe[2516] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000774b2b80 5 bytes JMP 0000000077610280 .text C:\Windows\system32\taskhost.exe[2516] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007729ef8d 1 byte [62] .text C:\Windows\system32\Dwm.exe[2596] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000774b1360 5 bytes JMP 0000000077610460 .text C:\Windows\system32\Dwm.exe[2596] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000774b13b0 5 bytes JMP 0000000077610450 .text C:\Windows\system32\Dwm.exe[2596] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000774b1510 5 bytes JMP 0000000077610370 .text C:\Windows\system32\Dwm.exe[2596] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000774b1560 5 bytes JMP 0000000077610470 .text C:\Windows\system32\Dwm.exe[2596] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000774b1570 5 bytes JMP 00000000776103e0 .text C:\Windows\system32\Dwm.exe[2596] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000774b1620 5 bytes JMP 0000000077610320 .text C:\Windows\system32\Dwm.exe[2596] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000774b1650 5 bytes JMP 00000000776103b0 .text C:\Windows\system32\Dwm.exe[2596] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000774b1670 5 bytes JMP 0000000077610390 .text C:\Windows\system32\Dwm.exe[2596] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000774b16b0 5 bytes JMP 00000000776102e0 .text C:\Windows\system32\Dwm.exe[2596] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000774b1730 5 bytes JMP 00000000776102d0 .text C:\Windows\system32\Dwm.exe[2596] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000774b1750 5 bytes JMP 0000000077610310 .text C:\Windows\system32\Dwm.exe[2596] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000774b1790 5 bytes JMP 00000000776103c0 .text C:\Windows\system32\Dwm.exe[2596] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000774b17e0 5 bytes JMP 00000000776103f0 .text C:\Windows\system32\Dwm.exe[2596] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000774b1940 5 bytes JMP 0000000077610230 .text C:\Windows\system32\Dwm.exe[2596] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000774b1b00 5 bytes JMP 0000000077610480 .text C:\Windows\system32\Dwm.exe[2596] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000774b1b30 5 bytes JMP 00000000776103a0 .text C:\Windows\system32\Dwm.exe[2596] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000774b1c10 5 bytes JMP 00000000776102f0 .text C:\Windows\system32\Dwm.exe[2596] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000774b1c20 5 bytes JMP 0000000077610350 .text C:\Windows\system32\Dwm.exe[2596] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000774b1c80 5 bytes JMP 0000000077610290 .text C:\Windows\system32\Dwm.exe[2596] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000774b1d10 5 bytes JMP 00000000776102b0 .text C:\Windows\system32\Dwm.exe[2596] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000774b1d30 5 bytes JMP 00000000776103d0 .text C:\Windows\system32\Dwm.exe[2596] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000774b1d40 5 bytes JMP 0000000077610330 .text C:\Windows\system32\Dwm.exe[2596] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000774b1db0 5 bytes JMP 0000000077610410 .text C:\Windows\system32\Dwm.exe[2596] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000774b1de0 5 bytes JMP 0000000077610240 .text C:\Windows\system32\Dwm.exe[2596] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000774b20a0 5 bytes JMP 00000000776101e0 .text C:\Windows\system32\Dwm.exe[2596] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000774b2160 5 bytes JMP 0000000077610250 .text C:\Windows\system32\Dwm.exe[2596] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000774b2190 5 bytes JMP 0000000077610490 .text C:\Windows\system32\Dwm.exe[2596] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000774b21a0 5 bytes JMP 00000000776104a0 .text C:\Windows\system32\Dwm.exe[2596] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000774b21d0 5 bytes JMP 0000000077610300 .text C:\Windows\system32\Dwm.exe[2596] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000774b21e0 5 bytes JMP 0000000077610360 .text C:\Windows\system32\Dwm.exe[2596] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000774b2240 5 bytes JMP 00000000776102a0 .text C:\Windows\system32\Dwm.exe[2596] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000774b2290 5 bytes JMP 00000000776102c0 .text C:\Windows\system32\Dwm.exe[2596] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000774b22c0 5 bytes JMP 0000000077610380 .text C:\Windows\system32\Dwm.exe[2596] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000774b22d0 5 bytes JMP 0000000077610340 .text C:\Windows\system32\Dwm.exe[2596] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000774b25c0 5 bytes JMP 0000000077610440 .text C:\Windows\system32\Dwm.exe[2596] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000774b27c0 5 bytes JMP 0000000077610260 .text C:\Windows\system32\Dwm.exe[2596] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000774b27d0 5 bytes JMP 0000000077610270 .text C:\Windows\system32\Dwm.exe[2596] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000774b27e0 5 bytes JMP 0000000077610400 .text C:\Windows\system32\Dwm.exe[2596] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000774b29a0 5 bytes JMP 00000000776101f0 .text C:\Windows\system32\Dwm.exe[2596] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000774b29b0 5 bytes JMP 0000000077610210 .text C:\Windows\system32\Dwm.exe[2596] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000774b2a20 5 bytes JMP 0000000077610200 .text C:\Windows\system32\Dwm.exe[2596] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000774b2a80 5 bytes JMP 0000000077610420 .text C:\Windows\system32\Dwm.exe[2596] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000774b2a90 5 bytes JMP 0000000077610430 .text C:\Windows\system32\Dwm.exe[2596] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000774b2aa0 5 bytes JMP 0000000077610220 .text C:\Windows\system32\Dwm.exe[2596] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000774b2b80 5 bytes JMP 0000000077610280 .text C:\Windows\Explorer.EXE[2936] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000774b1360 5 bytes JMP 0000000077610460 .text C:\Windows\Explorer.EXE[2936] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000774b13b0 5 bytes JMP 0000000077610450 .text C:\Windows\Explorer.EXE[2936] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000774b1510 5 bytes JMP 0000000077610370 .text C:\Windows\Explorer.EXE[2936] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000774b1560 5 bytes JMP 0000000077610470 .text C:\Windows\Explorer.EXE[2936] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000774b1570 5 bytes JMP 00000000776103e0 .text C:\Windows\Explorer.EXE[2936] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000774b1620 5 bytes JMP 0000000077610320 .text C:\Windows\Explorer.EXE[2936] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000774b1650 5 bytes JMP 00000000776103b0 .text C:\Windows\Explorer.EXE[2936] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000774b1670 5 bytes JMP 0000000077610390 .text C:\Windows\Explorer.EXE[2936] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000774b16b0 5 bytes JMP 00000000776102e0 .text C:\Windows\Explorer.EXE[2936] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000774b1730 5 bytes JMP 00000000776102d0 .text C:\Windows\Explorer.EXE[2936] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000774b1750 5 bytes JMP 0000000077610310 .text C:\Windows\Explorer.EXE[2936] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000774b1790 5 bytes JMP 00000000776103c0 .text C:\Windows\Explorer.EXE[2936] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000774b17e0 5 bytes JMP 00000000776103f0 .text C:\Windows\Explorer.EXE[2936] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000774b1940 5 bytes JMP 0000000077610230 .text C:\Windows\Explorer.EXE[2936] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000774b1b00 5 bytes JMP 0000000077610480 .text C:\Windows\Explorer.EXE[2936] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000774b1b30 5 bytes JMP 00000000776103a0 .text C:\Windows\Explorer.EXE[2936] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000774b1c10 5 bytes JMP 00000000776102f0 .text C:\Windows\Explorer.EXE[2936] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000774b1c20 5 bytes JMP 0000000077610350 .text C:\Windows\Explorer.EXE[2936] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000774b1c80 5 bytes JMP 0000000077610290 .text C:\Windows\Explorer.EXE[2936] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000774b1d10 5 bytes JMP 00000000776102b0 .text C:\Windows\Explorer.EXE[2936] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000774b1d30 5 bytes JMP 00000000776103d0 .text C:\Windows\Explorer.EXE[2936] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000774b1d40 5 bytes JMP 0000000077610330 .text C:\Windows\Explorer.EXE[2936] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000774b1db0 5 bytes JMP 0000000077610410 .text C:\Windows\Explorer.EXE[2936] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000774b1de0 5 bytes JMP 0000000077610240 .text C:\Windows\Explorer.EXE[2936] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000774b20a0 5 bytes JMP 00000000776101e0 .text C:\Windows\Explorer.EXE[2936] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000774b2160 5 bytes JMP 0000000077610250 .text C:\Windows\Explorer.EXE[2936] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000774b2190 5 bytes JMP 0000000077610490 .text C:\Windows\Explorer.EXE[2936] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000774b21a0 5 bytes JMP 00000000776104a0 .text C:\Windows\Explorer.EXE[2936] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000774b21d0 5 bytes JMP 0000000077610300 .text C:\Windows\Explorer.EXE[2936] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000774b21e0 5 bytes JMP 0000000077610360 .text C:\Windows\Explorer.EXE[2936] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000774b2240 5 bytes JMP 00000000776102a0 .text C:\Windows\Explorer.EXE[2936] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000774b2290 5 bytes JMP 00000000776102c0 .text C:\Windows\Explorer.EXE[2936] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000774b22c0 5 bytes JMP 0000000077610380 .text C:\Windows\Explorer.EXE[2936] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000774b22d0 5 bytes JMP 0000000077610340 .text C:\Windows\Explorer.EXE[2936] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000774b25c0 5 bytes JMP 0000000077610440 .text C:\Windows\Explorer.EXE[2936] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000774b27c0 5 bytes JMP 0000000077610260 .text C:\Windows\Explorer.EXE[2936] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000774b27d0 5 bytes JMP 0000000077610270 .text C:\Windows\Explorer.EXE[2936] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000774b27e0 5 bytes JMP 0000000077610400 .text C:\Windows\Explorer.EXE[2936] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000774b29a0 5 bytes JMP 00000000776101f0 .text C:\Windows\Explorer.EXE[2936] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000774b29b0 5 bytes JMP 0000000077610210 .text C:\Windows\Explorer.EXE[2936] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000774b2a20 5 bytes JMP 0000000077610200 .text C:\Windows\Explorer.EXE[2936] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000774b2a80 5 bytes JMP 0000000077610420 .text C:\Windows\Explorer.EXE[2936] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000774b2a90 5 bytes JMP 0000000077610430 .text C:\Windows\Explorer.EXE[2936] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000774b2aa0 5 bytes JMP 0000000077610220 .text C:\Windows\Explorer.EXE[2936] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000774b2b80 5 bytes JMP 0000000077610280 .text C:\Windows\Explorer.EXE[2936] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007729ef8d 1 byte [62] .text C:\Program Files (x86)\VMware\VMware Workstation\vmware-hostd.exe[3176] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000760ca2fd 1 byte [62] .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe[3208] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000760ca2fd 1 byte [62] .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe[3208] C:\Windows\syswow64\PsApi.dll!GetModuleFileNameExW + 17 00000000750d1401 2 bytes JMP 760cb21b C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe[3208] C:\Windows\syswow64\PsApi.dll!EnumProcessModules + 17 00000000750d1419 2 bytes JMP 760cb346 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe[3208] C:\Windows\syswow64\PsApi.dll!GetModuleInformation + 17 00000000750d1431 2 bytes JMP 76148ea9 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe[3208] C:\Windows\syswow64\PsApi.dll!GetModuleInformation + 42 00000000750d144a 2 bytes CALL 760a48ad C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe[3208] C:\Windows\syswow64\PsApi.dll!EnumDeviceDrivers + 17 00000000750d14dd 2 bytes JMP 761487a2 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe[3208] C:\Windows\syswow64\PsApi.dll!GetDeviceDriverBaseNameA + 17 00000000750d14f5 2 bytes JMP 76148978 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe[3208] C:\Windows\syswow64\PsApi.dll!QueryWorkingSetEx + 17 00000000750d150d 2 bytes JMP 76148698 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe[3208] C:\Windows\syswow64\PsApi.dll!GetDeviceDriverBaseNameW + 17 00000000750d1525 2 bytes JMP 76148a62 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe[3208] C:\Windows\syswow64\PsApi.dll!GetModuleBaseNameW + 17 00000000750d153d 2 bytes JMP 760bfca8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe[3208] C:\Windows\syswow64\PsApi.dll!EnumProcesses + 17 00000000750d1555 2 bytes JMP 760c68ef C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe[3208] C:\Windows\syswow64\PsApi.dll!GetProcessMemoryInfo + 17 00000000750d156d 2 bytes JMP 76148f61 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe[3208] C:\Windows\syswow64\PsApi.dll!GetPerformanceInfo + 17 00000000750d1585 2 bytes JMP 76148ac2 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe[3208] C:\Windows\syswow64\PsApi.dll!QueryWorkingSet + 17 00000000750d159d 2 bytes JMP 7614865c C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe[3208] C:\Windows\syswow64\PsApi.dll!GetModuleBaseNameA + 17 00000000750d15b5 2 bytes JMP 760bfd41 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe[3208] C:\Windows\syswow64\PsApi.dll!GetModuleFileNameExA + 17 00000000750d15cd 2 bytes JMP 760cb2dc C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe[3208] C:\Windows\syswow64\PsApi.dll!GetProcessImageFileNameW + 20 00000000750d16b2 2 bytes JMP 76148e24 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe[3208] C:\Windows\syswow64\PsApi.dll!GetProcessImageFileNameW + 31 00000000750d16bd 2 bytes JMP 761485f1 C:\Windows\syswow64\kernel32.dll .text C:\Windows\system32\svchost.exe[3800] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000774b1360 5 bytes JMP 0000000100070460 .text C:\Windows\system32\svchost.exe[3800] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000774b13b0 5 bytes JMP 0000000100070450 .text C:\Windows\system32\svchost.exe[3800] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000774b1510 5 bytes JMP 0000000100070370 .text C:\Windows\system32\svchost.exe[3800] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000774b1560 5 bytes JMP 0000000100070470 .text C:\Windows\system32\svchost.exe[3800] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000774b1570 5 bytes JMP 00000001000703e0 .text C:\Windows\system32\svchost.exe[3800] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000774b1620 5 bytes JMP 0000000100070320 .text C:\Windows\system32\svchost.exe[3800] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000774b1650 5 bytes JMP 00000001000703b0 .text C:\Windows\system32\svchost.exe[3800] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000774b1670 5 bytes JMP 0000000100070390 .text C:\Windows\system32\svchost.exe[3800] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000774b16b0 5 bytes JMP 00000001000702e0 .text C:\Windows\system32\svchost.exe[3800] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000774b1730 5 bytes JMP 00000001000702d0 .text C:\Windows\system32\svchost.exe[3800] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000774b1750 5 bytes JMP 0000000100070310 .text C:\Windows\system32\svchost.exe[3800] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000774b1790 5 bytes JMP 00000001000703c0 .text C:\Windows\system32\svchost.exe[3800] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000774b17e0 5 bytes JMP 00000001000703f0 .text C:\Windows\system32\svchost.exe[3800] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000774b1940 5 bytes JMP 0000000100070230 .text C:\Windows\system32\svchost.exe[3800] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000774b1b00 5 bytes JMP 0000000100070480 .text C:\Windows\system32\svchost.exe[3800] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000774b1b30 5 bytes JMP 00000001000703a0 .text C:\Windows\system32\svchost.exe[3800] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000774b1c10 5 bytes JMP 00000001000702f0 .text C:\Windows\system32\svchost.exe[3800] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000774b1c20 5 bytes JMP 0000000100070350 .text C:\Windows\system32\svchost.exe[3800] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000774b1c80 5 bytes JMP 0000000100070290 .text C:\Windows\system32\svchost.exe[3800] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000774b1d10 5 bytes JMP 00000001000702b0 .text C:\Windows\system32\svchost.exe[3800] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000774b1d30 5 bytes JMP 00000001000703d0 .text C:\Windows\system32\svchost.exe[3800] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000774b1d40 5 bytes JMP 0000000100070330 .text C:\Windows\system32\svchost.exe[3800] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000774b1db0 5 bytes JMP 0000000100070410 .text C:\Windows\system32\svchost.exe[3800] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000774b1de0 5 bytes JMP 0000000100070240 .text C:\Windows\system32\svchost.exe[3800] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000774b20a0 5 bytes JMP 00000001000701e0 .text C:\Windows\system32\svchost.exe[3800] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000774b2160 5 bytes JMP 0000000100070250 .text C:\Windows\system32\svchost.exe[3800] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000774b2190 5 bytes JMP 0000000100070490 .text C:\Windows\system32\svchost.exe[3800] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000774b21a0 5 bytes JMP 00000001000704a0 .text C:\Windows\system32\svchost.exe[3800] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000774b21d0 5 bytes JMP 0000000100070300 .text C:\Windows\system32\svchost.exe[3800] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000774b21e0 5 bytes JMP 0000000100070360 .text C:\Windows\system32\svchost.exe[3800] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000774b2240 5 bytes JMP 00000001000702a0 .text C:\Windows\system32\svchost.exe[3800] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000774b2290 5 bytes JMP 00000001000702c0 .text C:\Windows\system32\svchost.exe[3800] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000774b22c0 5 bytes JMP 0000000100070380 .text C:\Windows\system32\svchost.exe[3800] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000774b22d0 5 bytes JMP 0000000100070340 .text C:\Windows\system32\svchost.exe[3800] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000774b25c0 5 bytes JMP 0000000100070440 .text C:\Windows\system32\svchost.exe[3800] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000774b27c0 5 bytes JMP 0000000100070260 .text C:\Windows\system32\svchost.exe[3800] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000774b27d0 5 bytes JMP 0000000100070270 .text C:\Windows\system32\svchost.exe[3800] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000774b27e0 5 bytes JMP 0000000100070400 .text C:\Windows\system32\svchost.exe[3800] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000774b29a0 5 bytes JMP 00000001000701f0 .text C:\Windows\system32\svchost.exe[3800] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000774b29b0 5 bytes JMP 0000000100070210 .text C:\Windows\system32\svchost.exe[3800] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000774b2a20 5 bytes JMP 0000000100070200 .text C:\Windows\system32\svchost.exe[3800] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000774b2a80 5 bytes JMP 0000000100070420 .text C:\Windows\system32\svchost.exe[3800] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000774b2a90 5 bytes JMP 0000000100070430 .text C:\Windows\system32\svchost.exe[3800] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000774b2aa0 5 bytes JMP 0000000100070220 .text C:\Windows\system32\svchost.exe[3800] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000774b2b80 5 bytes JMP 0000000100070280 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[2684] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000774b1360 5 bytes JMP 0000000077610460 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[2684] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000774b13b0 5 bytes JMP 0000000077610450 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[2684] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000774b1510 5 bytes JMP 0000000077610370 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[2684] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000774b1560 5 bytes JMP 0000000077610470 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[2684] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000774b1570 5 bytes JMP 00000000776103e0 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[2684] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000774b1620 5 bytes JMP 0000000077610320 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[2684] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000774b1650 5 bytes JMP 00000000776103b0 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[2684] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000774b1670 5 bytes JMP 0000000077610390 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[2684] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000774b16b0 5 bytes JMP 00000000776102e0 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[2684] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000774b1730 5 bytes JMP 00000000776102d0 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[2684] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000774b1750 5 bytes JMP 0000000077610310 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[2684] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000774b1790 5 bytes JMP 00000000776103c0 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[2684] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000774b17e0 5 bytes JMP 00000000776103f0 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[2684] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000774b1940 5 bytes JMP 0000000077610230 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[2684] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000774b1b00 5 bytes JMP 0000000077610480 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[2684] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000774b1b30 5 bytes JMP 00000000776103a0 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[2684] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000774b1c10 5 bytes JMP 00000000776102f0 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[2684] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000774b1c20 5 bytes JMP 0000000077610350 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[2684] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000774b1c80 5 bytes JMP 0000000077610290 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[2684] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000774b1d10 5 bytes JMP 00000000776102b0 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[2684] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000774b1d30 5 bytes JMP 00000000776103d0 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[2684] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000774b1d40 5 bytes JMP 0000000077610330 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[2684] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000774b1db0 5 bytes JMP 0000000077610410 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[2684] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000774b1de0 5 bytes JMP 0000000077610240 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[2684] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000774b20a0 5 bytes JMP 00000000776101e0 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[2684] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000774b2160 5 bytes JMP 0000000077610250 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[2684] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000774b2190 5 bytes JMP 0000000077610490 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[2684] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000774b21a0 5 bytes JMP 00000000776104a0 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[2684] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000774b21d0 5 bytes JMP 0000000077610300 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[2684] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000774b21e0 5 bytes JMP 0000000077610360 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[2684] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000774b2240 5 bytes JMP 00000000776102a0 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[2684] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000774b2290 5 bytes JMP 00000000776102c0 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[2684] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000774b22c0 5 bytes JMP 0000000077610380 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[2684] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000774b22d0 5 bytes JMP 0000000077610340 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[2684] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000774b25c0 5 bytes JMP 0000000077610440 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[2684] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000774b27c0 5 bytes JMP 0000000077610260 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[2684] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000774b27d0 5 bytes JMP 0000000077610270 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[2684] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000774b27e0 5 bytes JMP 0000000077610400 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[2684] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000774b29a0 5 bytes JMP 00000000776101f0 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[2684] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000774b29b0 5 bytes JMP 0000000077610210 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[2684] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000774b2a20 5 bytes JMP 0000000077610200 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[2684] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000774b2a80 5 bytes JMP 0000000077610420 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[2684] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000774b2a90 5 bytes JMP 0000000077610430 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[2684] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000774b2aa0 5 bytes JMP 0000000077610220 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[2684] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000774b2b80 5 bytes JMP 0000000077610280 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[2684] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007729ef8d 1 byte [62] .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[3364] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000774b1360 5 bytes JMP 0000000077610460 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[3364] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000774b13b0 5 bytes JMP 0000000077610450 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[3364] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000774b1510 5 bytes JMP 0000000077610370 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[3364] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000774b1560 5 bytes JMP 0000000077610470 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[3364] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000774b1570 5 bytes JMP 00000000776103e0 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[3364] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000774b1620 5 bytes JMP 0000000077610320 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[3364] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000774b1650 5 bytes JMP 00000000776103b0 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[3364] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000774b1670 5 bytes JMP 0000000077610390 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[3364] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000774b16b0 5 bytes JMP 00000000776102e0 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[3364] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000774b1730 5 bytes JMP 00000000776102d0 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[3364] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000774b1750 5 bytes JMP 0000000077610310 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[3364] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000774b1790 5 bytes JMP 00000000776103c0 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[3364] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000774b17e0 5 bytes JMP 00000000776103f0 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[3364] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000774b1940 5 bytes JMP 0000000077610230 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[3364] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000774b1b00 5 bytes JMP 0000000077610480 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[3364] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000774b1b30 5 bytes JMP 00000000776103a0 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[3364] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000774b1c10 5 bytes JMP 00000000776102f0 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[3364] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000774b1c20 5 bytes JMP 0000000077610350 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[3364] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000774b1c80 5 bytes JMP 0000000077610290 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[3364] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000774b1d10 5 bytes JMP 00000000776102b0 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[3364] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000774b1d30 5 bytes JMP 00000000776103d0 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[3364] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000774b1d40 5 bytes JMP 0000000077610330 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[3364] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000774b1db0 5 bytes JMP 0000000077610410 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[3364] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000774b1de0 5 bytes JMP 0000000077610240 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[3364] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000774b20a0 5 bytes JMP 00000000776101e0 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[3364] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000774b2160 5 bytes JMP 0000000077610250 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[3364] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000774b2190 5 bytes JMP 0000000077610490 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[3364] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000774b21a0 5 bytes JMP 00000000776104a0 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[3364] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000774b21d0 5 bytes JMP 0000000077610300 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[3364] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000774b21e0 5 bytes JMP 0000000077610360 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[3364] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000774b2240 5 bytes JMP 00000000776102a0 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[3364] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000774b2290 5 bytes JMP 00000000776102c0 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[3364] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000774b22c0 5 bytes JMP 0000000077610380 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[3364] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000774b22d0 5 bytes JMP 0000000077610340 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[3364] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000774b25c0 5 bytes JMP 0000000077610440 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[3364] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000774b27c0 5 bytes JMP 0000000077610260 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[3364] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000774b27d0 5 bytes JMP 0000000077610270 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[3364] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000774b27e0 5 bytes JMP 0000000077610400 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[3364] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000774b29a0 5 bytes JMP 00000000776101f0 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[3364] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000774b29b0 5 bytes JMP 0000000077610210 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[3364] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000774b2a20 5 bytes JMP 0000000077610200 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[3364] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000774b2a80 5 bytes JMP 0000000077610420 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[3364] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000774b2a90 5 bytes JMP 0000000077610430 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[3364] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000774b2aa0 5 bytes JMP 0000000077610220 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[3364] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000774b2b80 5 bytes JMP 0000000077610280 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[3364] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007729ef8d 1 byte [62] .text C:\Windows\system32\svchost.exe[3264] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007729ef8d 1 byte [62] .text C:\Program Files\AVAST Software\Avast\avastui.exe[1972] C:\Windows\syswow64\kernel32.dll!SetUnhandledExceptionFilter 00000000760a8791 8 bytes [31, C0, C2, 04, 00, 90, 90, ...] .text C:\Program Files\AVAST Software\Avast\avastui.exe[1972] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000760ca2fd 1 byte [62] .text C:\Program Files (x86)\OpenOffice.org 3\program\soffice.exe[3652] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000760ca2fd 1 byte [62] .text C:\Program Files (x86)\OpenOffice.org 3\program\soffice.bin[2732] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000760ca2fd 1 byte [62] .text C:\Program Files (x86)\OpenOffice.org 3\program\soffice.bin[2732] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 00000000750d1401 2 bytes JMP 760cb21b C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\OpenOffice.org 3\program\soffice.bin[2732] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 00000000750d1419 2 bytes JMP 760cb346 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\OpenOffice.org 3\program\soffice.bin[2732] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 00000000750d1431 2 bytes JMP 76148ea9 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\OpenOffice.org 3\program\soffice.bin[2732] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 00000000750d144a 2 bytes CALL 760a48ad C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\OpenOffice.org 3\program\soffice.bin[2732] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000750d14dd 2 bytes JMP 761487a2 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\OpenOffice.org 3\program\soffice.bin[2732] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000750d14f5 2 bytes JMP 76148978 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\OpenOffice.org 3\program\soffice.bin[2732] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 00000000750d150d 2 bytes JMP 76148698 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\OpenOffice.org 3\program\soffice.bin[2732] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 00000000750d1525 2 bytes JMP 76148a62 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\OpenOffice.org 3\program\soffice.bin[2732] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 00000000750d153d 2 bytes JMP 760bfca8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\OpenOffice.org 3\program\soffice.bin[2732] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 00000000750d1555 2 bytes JMP 760c68ef C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\OpenOffice.org 3\program\soffice.bin[2732] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 00000000750d156d 2 bytes JMP 76148f61 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\OpenOffice.org 3\program\soffice.bin[2732] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 00000000750d1585 2 bytes JMP 76148ac2 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\OpenOffice.org 3\program\soffice.bin[2732] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 00000000750d159d 2 bytes JMP 7614865c C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\OpenOffice.org 3\program\soffice.bin[2732] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000750d15b5 2 bytes JMP 760bfd41 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\OpenOffice.org 3\program\soffice.bin[2732] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000750d15cd 2 bytes JMP 760cb2dc C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\OpenOffice.org 3\program\soffice.bin[2732] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000750d16b2 2 bytes JMP 76148e24 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\OpenOffice.org 3\program\soffice.bin[2732] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000750d16bd 2 bytes JMP 761485f1 C:\Windows\syswow64\kernel32.dll .text C:\Windows\sysWOW64\wbem\wmiprvse.exe[4784] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000760ca2fd 1 byte [62] .text C:\Windows\System32\svchost.exe[3660] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000774b1360 5 bytes JMP 0000000077610460 .text C:\Windows\System32\svchost.exe[3660] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000774b13b0 5 bytes JMP 0000000077610450 .text C:\Windows\System32\svchost.exe[3660] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000774b1510 5 bytes JMP 0000000077610370 .text C:\Windows\System32\svchost.exe[3660] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000774b1560 5 bytes JMP 0000000077610470 .text C:\Windows\System32\svchost.exe[3660] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000774b1570 5 bytes JMP 00000000776103e0 .text C:\Windows\System32\svchost.exe[3660] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000774b1620 5 bytes JMP 0000000077610320 .text C:\Windows\System32\svchost.exe[3660] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000774b1650 5 bytes JMP 00000000776103b0 .text C:\Windows\System32\svchost.exe[3660] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000774b1670 5 bytes JMP 0000000077610390 .text C:\Windows\System32\svchost.exe[3660] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000774b16b0 5 bytes JMP 00000000776102e0 .text C:\Windows\System32\svchost.exe[3660] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000774b1730 5 bytes JMP 00000000776102d0 .text C:\Windows\System32\svchost.exe[3660] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000774b1750 5 bytes JMP 0000000077610310 .text C:\Windows\System32\svchost.exe[3660] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000774b1790 5 bytes JMP 00000000776103c0 .text C:\Windows\System32\svchost.exe[3660] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000774b17e0 5 bytes JMP 00000000776103f0 .text C:\Windows\System32\svchost.exe[3660] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000774b1940 5 bytes JMP 0000000077610230 .text C:\Windows\System32\svchost.exe[3660] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000774b1b00 5 bytes JMP 0000000077610480 .text C:\Windows\System32\svchost.exe[3660] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000774b1b30 5 bytes JMP 00000000776103a0 .text C:\Windows\System32\svchost.exe[3660] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000774b1c10 5 bytes JMP 00000000776102f0 .text C:\Windows\System32\svchost.exe[3660] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000774b1c20 5 bytes JMP 0000000077610350 .text C:\Windows\System32\svchost.exe[3660] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000774b1c80 5 bytes JMP 0000000077610290 .text C:\Windows\System32\svchost.exe[3660] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000774b1d10 5 bytes JMP 00000000776102b0 .text C:\Windows\System32\svchost.exe[3660] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000774b1d30 5 bytes JMP 00000000776103d0 .text C:\Windows\System32\svchost.exe[3660] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000774b1d40 5 bytes JMP 0000000077610330 .text C:\Windows\System32\svchost.exe[3660] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000774b1db0 5 bytes JMP 0000000077610410 .text C:\Windows\System32\svchost.exe[3660] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000774b1de0 5 bytes JMP 0000000077610240 .text C:\Windows\System32\svchost.exe[3660] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000774b20a0 5 bytes JMP 00000000776101e0 .text C:\Windows\System32\svchost.exe[3660] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000774b2160 5 bytes JMP 0000000077610250 .text C:\Windows\System32\svchost.exe[3660] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000774b2190 5 bytes JMP 0000000077610490 .text C:\Windows\System32\svchost.exe[3660] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000774b21a0 5 bytes JMP 00000000776104a0 .text C:\Windows\System32\svchost.exe[3660] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000774b21d0 5 bytes JMP 0000000077610300 .text C:\Windows\System32\svchost.exe[3660] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000774b21e0 5 bytes JMP 0000000077610360 .text C:\Windows\System32\svchost.exe[3660] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000774b2240 5 bytes JMP 00000000776102a0 .text C:\Windows\System32\svchost.exe[3660] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000774b2290 5 bytes JMP 00000000776102c0 .text C:\Windows\System32\svchost.exe[3660] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000774b22c0 5 bytes JMP 0000000077610380 .text C:\Windows\System32\svchost.exe[3660] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000774b22d0 5 bytes JMP 0000000077610340 .text C:\Windows\System32\svchost.exe[3660] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000774b25c0 5 bytes JMP 0000000077610440 .text C:\Windows\System32\svchost.exe[3660] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000774b27c0 5 bytes JMP 0000000077610260 .text C:\Windows\System32\svchost.exe[3660] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000774b27d0 5 bytes JMP 0000000077610270 .text C:\Windows\System32\svchost.exe[3660] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000774b27e0 5 bytes JMP 0000000077610400 .text C:\Windows\System32\svchost.exe[3660] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000774b29a0 5 bytes JMP 00000000776101f0 .text C:\Windows\System32\svchost.exe[3660] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000774b29b0 5 bytes JMP 0000000077610210 .text C:\Windows\System32\svchost.exe[3660] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000774b2a20 5 bytes JMP 0000000077610200 .text C:\Windows\System32\svchost.exe[3660] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000774b2a80 5 bytes JMP 0000000077610420 .text C:\Windows\System32\svchost.exe[3660] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000774b2a90 5 bytes JMP 0000000077610430 .text C:\Windows\System32\svchost.exe[3660] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000774b2aa0 5 bytes JMP 0000000077610220 .text C:\Windows\System32\svchost.exe[3660] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000774b2b80 5 bytes JMP 0000000077610280 .text F:\Pobierane\FRST64.exe[5564] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000774b1360 5 bytes JMP 0000000077610460 .text F:\Pobierane\FRST64.exe[5564] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000774b13b0 5 bytes JMP 0000000077610450 .text F:\Pobierane\FRST64.exe[5564] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000774b1510 5 bytes JMP 0000000077610370 .text F:\Pobierane\FRST64.exe[5564] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000774b1560 5 bytes JMP 0000000077610470 .text F:\Pobierane\FRST64.exe[5564] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000774b1570 5 bytes JMP 00000000776103e0 .text F:\Pobierane\FRST64.exe[5564] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000774b1620 5 bytes JMP 0000000077610320 .text F:\Pobierane\FRST64.exe[5564] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000774b1650 5 bytes JMP 00000000776103b0 .text F:\Pobierane\FRST64.exe[5564] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000774b1670 5 bytes JMP 0000000077610390 .text F:\Pobierane\FRST64.exe[5564] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000774b16b0 5 bytes JMP 00000000776102e0 .text F:\Pobierane\FRST64.exe[5564] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000774b1730 5 bytes JMP 00000000776102d0 .text F:\Pobierane\FRST64.exe[5564] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000774b1750 5 bytes JMP 0000000077610310 .text F:\Pobierane\FRST64.exe[5564] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000774b1790 5 bytes JMP 00000000776103c0 .text F:\Pobierane\FRST64.exe[5564] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000774b17e0 5 bytes JMP 00000000776103f0 .text F:\Pobierane\FRST64.exe[5564] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000774b1940 5 bytes JMP 0000000077610230 .text F:\Pobierane\FRST64.exe[5564] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000774b1b00 5 bytes JMP 0000000077610480 .text F:\Pobierane\FRST64.exe[5564] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000774b1b30 5 bytes JMP 00000000776103a0 .text F:\Pobierane\FRST64.exe[5564] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000774b1c10 5 bytes JMP 00000000776102f0 .text F:\Pobierane\FRST64.exe[5564] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000774b1c20 5 bytes JMP 0000000077610350 .text F:\Pobierane\FRST64.exe[5564] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000774b1c80 5 bytes JMP 0000000077610290 .text F:\Pobierane\FRST64.exe[5564] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000774b1d10 5 bytes JMP 00000000776102b0 .text F:\Pobierane\FRST64.exe[5564] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000774b1d30 5 bytes JMP 00000000776103d0 .text F:\Pobierane\FRST64.exe[5564] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000774b1d40 5 bytes JMP 0000000077610330 .text F:\Pobierane\FRST64.exe[5564] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000774b1db0 5 bytes JMP 0000000077610410 .text F:\Pobierane\FRST64.exe[5564] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000774b1de0 5 bytes JMP 0000000077610240 .text F:\Pobierane\FRST64.exe[5564] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000774b20a0 5 bytes JMP 00000000776101e0 .text F:\Pobierane\FRST64.exe[5564] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000774b2160 5 bytes JMP 0000000077610250 .text F:\Pobierane\FRST64.exe[5564] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000774b2190 5 bytes JMP 0000000077610490 .text F:\Pobierane\FRST64.exe[5564] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000774b21a0 5 bytes JMP 00000000776104a0 .text F:\Pobierane\FRST64.exe[5564] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000774b21d0 5 bytes JMP 0000000077610300 .text F:\Pobierane\FRST64.exe[5564] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000774b21e0 5 bytes JMP 0000000077610360 .text F:\Pobierane\FRST64.exe[5564] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000774b2240 5 bytes JMP 00000000776102a0 .text F:\Pobierane\FRST64.exe[5564] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000774b2290 5 bytes JMP 00000000776102c0 .text F:\Pobierane\FRST64.exe[5564] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000774b22c0 5 bytes JMP 0000000077610380 .text F:\Pobierane\FRST64.exe[5564] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000774b22d0 5 bytes JMP 0000000077610340 .text F:\Pobierane\FRST64.exe[5564] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000774b25c0 5 bytes JMP 0000000077610440 .text F:\Pobierane\FRST64.exe[5564] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000774b27c0 5 bytes JMP 0000000077610260 .text F:\Pobierane\FRST64.exe[5564] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000774b27d0 5 bytes JMP 0000000077610270 .text F:\Pobierane\FRST64.exe[5564] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000774b27e0 5 bytes JMP 0000000077610400 .text F:\Pobierane\FRST64.exe[5564] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000774b29a0 5 bytes JMP 00000000776101f0 .text F:\Pobierane\FRST64.exe[5564] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000774b29b0 5 bytes JMP 0000000077610210 .text F:\Pobierane\FRST64.exe[5564] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000774b2a20 5 bytes JMP 0000000077610200 .text F:\Pobierane\FRST64.exe[5564] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000774b2a80 5 bytes JMP 0000000077610420 .text F:\Pobierane\FRST64.exe[5564] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000774b2a90 5 bytes JMP 0000000077610430 .text F:\Pobierane\FRST64.exe[5564] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000774b2aa0 5 bytes JMP 0000000077610220 .text F:\Pobierane\FRST64.exe[5564] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000774b2b80 5 bytes JMP 0000000077610280 .text F:\Pobierane\FRST64.exe[5564] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007729ef8d 1 byte [62] .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[5516] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000774b1360 5 bytes JMP 0000000077610460 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[5516] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000774b13b0 5 bytes JMP 0000000077610450 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[5516] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000774b1510 5 bytes JMP 0000000077610370 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[5516] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000774b1560 5 bytes JMP 0000000077610470 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[5516] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000774b1570 5 bytes JMP 00000000776103e0 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[5516] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000774b1620 5 bytes JMP 0000000077610320 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[5516] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000774b1650 5 bytes JMP 00000000776103b0 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[5516] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000774b1670 5 bytes JMP 0000000077610390 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[5516] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000774b16b0 5 bytes JMP 00000000776102e0 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[5516] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000774b1730 5 bytes JMP 00000000776102d0 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[5516] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000774b1750 5 bytes JMP 0000000077610310 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[5516] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000774b1790 5 bytes JMP 00000000776103c0 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[5516] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000774b17e0 5 bytes JMP 00000000776103f0 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[5516] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000774b1940 5 bytes JMP 0000000077610230 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[5516] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000774b1b00 5 bytes JMP 0000000077610480 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[5516] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000774b1b30 5 bytes JMP 00000000776103a0 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[5516] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000774b1c10 5 bytes JMP 00000000776102f0 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[5516] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000774b1c20 5 bytes JMP 0000000077610350 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[5516] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000774b1c80 5 bytes JMP 0000000077610290 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[5516] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000774b1d10 5 bytes JMP 00000000776102b0 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[5516] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000774b1d30 5 bytes JMP 00000000776103d0 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[5516] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000774b1d40 5 bytes JMP 0000000077610330 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[5516] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000774b1db0 5 bytes JMP 0000000077610410 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[5516] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000774b1de0 5 bytes JMP 0000000077610240 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[5516] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000774b20a0 5 bytes JMP 00000000776101e0 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[5516] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000774b2160 5 bytes JMP 0000000077610250 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[5516] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000774b2190 5 bytes JMP 0000000077610490 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[5516] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000774b21a0 5 bytes JMP 00000000776104a0 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[5516] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000774b21d0 5 bytes JMP 0000000077610300 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[5516] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000774b21e0 5 bytes JMP 0000000077610360 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[5516] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000774b2240 5 bytes JMP 00000000776102a0 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[5516] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000774b2290 5 bytes JMP 00000000776102c0 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[5516] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000774b22c0 5 bytes JMP 0000000077610380 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[5516] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000774b22d0 5 bytes JMP 0000000077610340 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[5516] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000774b25c0 5 bytes JMP 0000000077610440 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[5516] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000774b27c0 5 bytes JMP 0000000077610260 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[5516] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000774b27d0 5 bytes JMP 0000000077610270 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[5516] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000774b27e0 5 bytes JMP 0000000077610400 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[5516] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000774b29a0 5 bytes JMP 00000000776101f0 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[5516] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000774b29b0 5 bytes JMP 0000000077610210 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[5516] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000774b2a20 5 bytes JMP 0000000077610200 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[5516] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000774b2a80 5 bytes JMP 0000000077610420 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[5516] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000774b2a90 5 bytes JMP 0000000077610430 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[5516] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000774b2aa0 5 bytes JMP 0000000077610220 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[5516] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000774b2b80 5 bytes JMP 0000000077610280 .text C:\Windows\System32\svchost.exe[5404] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000774b1360 5 bytes JMP 0000000077610460 .text C:\Windows\System32\svchost.exe[5404] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000774b13b0 5 bytes JMP 0000000077610450 .text C:\Windows\System32\svchost.exe[5404] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000774b1510 5 bytes JMP 0000000077610370 .text C:\Windows\System32\svchost.exe[5404] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000774b1560 5 bytes JMP 0000000077610470 .text C:\Windows\System32\svchost.exe[5404] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000774b1570 5 bytes JMP 00000000776103e0 .text C:\Windows\System32\svchost.exe[5404] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000774b1620 5 bytes JMP 0000000077610320 .text C:\Windows\System32\svchost.exe[5404] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000774b1650 5 bytes JMP 00000000776103b0 .text C:\Windows\System32\svchost.exe[5404] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000774b1670 5 bytes JMP 0000000077610390 .text C:\Windows\System32\svchost.exe[5404] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000774b16b0 5 bytes JMP 00000000776102e0 .text C:\Windows\System32\svchost.exe[5404] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000774b1730 5 bytes JMP 00000000776102d0 .text C:\Windows\System32\svchost.exe[5404] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000774b1750 5 bytes JMP 0000000077610310 .text C:\Windows\System32\svchost.exe[5404] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000774b1790 5 bytes JMP 00000000776103c0 .text C:\Windows\System32\svchost.exe[5404] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000774b17e0 5 bytes JMP 00000000776103f0 .text C:\Windows\System32\svchost.exe[5404] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000774b1940 5 bytes JMP 0000000077610230 .text C:\Windows\System32\svchost.exe[5404] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000774b1b00 5 bytes JMP 0000000077610480 .text C:\Windows\System32\svchost.exe[5404] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000774b1b30 5 bytes JMP 00000000776103a0 .text C:\Windows\System32\svchost.exe[5404] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000774b1c10 5 bytes JMP 00000000776102f0 .text C:\Windows\System32\svchost.exe[5404] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000774b1c20 5 bytes JMP 0000000077610350 .text C:\Windows\System32\svchost.exe[5404] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000774b1c80 5 bytes JMP 0000000077610290 .text C:\Windows\System32\svchost.exe[5404] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000774b1d10 5 bytes JMP 00000000776102b0 .text C:\Windows\System32\svchost.exe[5404] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000774b1d30 5 bytes JMP 00000000776103d0 .text C:\Windows\System32\svchost.exe[5404] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000774b1d40 5 bytes JMP 0000000077610330 .text C:\Windows\System32\svchost.exe[5404] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000774b1db0 5 bytes JMP 0000000077610410 .text C:\Windows\System32\svchost.exe[5404] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000774b1de0 5 bytes JMP 0000000077610240 .text C:\Windows\System32\svchost.exe[5404] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000774b20a0 5 bytes JMP 00000000776101e0 .text C:\Windows\System32\svchost.exe[5404] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000774b2160 5 bytes JMP 0000000077610250 .text C:\Windows\System32\svchost.exe[5404] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000774b2190 5 bytes JMP 0000000077610490 .text C:\Windows\System32\svchost.exe[5404] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000774b21a0 5 bytes JMP 00000000776104a0 .text C:\Windows\System32\svchost.exe[5404] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000774b21d0 5 bytes JMP 0000000077610300 .text C:\Windows\System32\svchost.exe[5404] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000774b21e0 5 bytes JMP 0000000077610360 .text C:\Windows\System32\svchost.exe[5404] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000774b2240 5 bytes JMP 00000000776102a0 .text C:\Windows\System32\svchost.exe[5404] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000774b2290 5 bytes JMP 00000000776102c0 .text C:\Windows\System32\svchost.exe[5404] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000774b22c0 5 bytes JMP 0000000077610380 .text C:\Windows\System32\svchost.exe[5404] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000774b22d0 5 bytes JMP 0000000077610340 .text C:\Windows\System32\svchost.exe[5404] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000774b25c0 5 bytes JMP 0000000077610440 .text C:\Windows\System32\svchost.exe[5404] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000774b27c0 5 bytes JMP 0000000077610260 .text C:\Windows\System32\svchost.exe[5404] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000774b27d0 5 bytes JMP 0000000077610270 .text C:\Windows\System32\svchost.exe[5404] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000774b27e0 5 bytes JMP 0000000077610400 .text C:\Windows\System32\svchost.exe[5404] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000774b29a0 5 bytes JMP 00000000776101f0 .text C:\Windows\System32\svchost.exe[5404] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000774b29b0 5 bytes JMP 0000000077610210 .text C:\Windows\System32\svchost.exe[5404] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000774b2a20 5 bytes JMP 0000000077610200 .text C:\Windows\System32\svchost.exe[5404] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000774b2a80 5 bytes JMP 0000000077610420 .text C:\Windows\System32\svchost.exe[5404] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000774b2a90 5 bytes JMP 0000000077610430 .text C:\Windows\System32\svchost.exe[5404] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000774b2aa0 5 bytes JMP 0000000077610220 .text C:\Windows\System32\svchost.exe[5404] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000774b2b80 5 bytes JMP 0000000077610280 .text C:\Windows\System32\svchost.exe[5404] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007729ef8d 1 byte [62] .text C:\Windows\servicing\TrustedInstaller.exe[1284] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007729ef8d 1 byte [62] .text C:\Windows\system32\notepad.exe[1448] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000774b1360 5 bytes JMP 0000000077610460 .text C:\Windows\system32\notepad.exe[1448] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000774b13b0 5 bytes JMP 0000000077610450 .text C:\Windows\system32\notepad.exe[1448] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000774b1510 5 bytes JMP 0000000077610370 .text C:\Windows\system32\notepad.exe[1448] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000774b1560 5 bytes JMP 0000000077610470 .text C:\Windows\system32\notepad.exe[1448] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000774b1570 5 bytes JMP 00000000776103e0 .text C:\Windows\system32\notepad.exe[1448] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000774b1620 5 bytes JMP 0000000077610320 .text C:\Windows\system32\notepad.exe[1448] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000774b1650 5 bytes JMP 00000000776103b0 .text C:\Windows\system32\notepad.exe[1448] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000774b1670 5 bytes JMP 0000000077610390 .text C:\Windows\system32\notepad.exe[1448] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000774b16b0 5 bytes JMP 00000000776102e0 .text C:\Windows\system32\notepad.exe[1448] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000774b1730 5 bytes JMP 00000000776102d0 .text C:\Windows\system32\notepad.exe[1448] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000774b1750 5 bytes JMP 0000000077610310 .text C:\Windows\system32\notepad.exe[1448] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000774b1790 5 bytes JMP 00000000776103c0 .text C:\Windows\system32\notepad.exe[1448] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000774b17e0 5 bytes JMP 00000000776103f0 .text C:\Windows\system32\notepad.exe[1448] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000774b1940 5 bytes JMP 0000000077610230 .text C:\Windows\system32\notepad.exe[1448] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000774b1b00 5 bytes JMP 0000000077610480 .text C:\Windows\system32\notepad.exe[1448] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000774b1b30 5 bytes JMP 00000000776103a0 .text C:\Windows\system32\notepad.exe[1448] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000774b1c10 5 bytes JMP 00000000776102f0 .text C:\Windows\system32\notepad.exe[1448] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000774b1c20 5 bytes JMP 0000000077610350 .text C:\Windows\system32\notepad.exe[1448] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000774b1c80 5 bytes JMP 0000000077610290 .text C:\Windows\system32\notepad.exe[1448] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000774b1d10 5 bytes JMP 00000000776102b0 .text C:\Windows\system32\notepad.exe[1448] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000774b1d30 5 bytes JMP 00000000776103d0 .text C:\Windows\system32\notepad.exe[1448] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000774b1d40 5 bytes JMP 0000000077610330 .text C:\Windows\system32\notepad.exe[1448] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000774b1db0 5 bytes JMP 0000000077610410 .text C:\Windows\system32\notepad.exe[1448] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000774b1de0 5 bytes JMP 0000000077610240 .text C:\Windows\system32\notepad.exe[1448] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000774b20a0 5 bytes JMP 00000000776101e0 .text C:\Windows\system32\notepad.exe[1448] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000774b2160 5 bytes JMP 0000000077610250 .text C:\Windows\system32\notepad.exe[1448] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000774b2190 5 bytes JMP 0000000077610490 .text C:\Windows\system32\notepad.exe[1448] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000774b21a0 5 bytes JMP 00000000776104a0 .text C:\Windows\system32\notepad.exe[1448] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000774b21d0 5 bytes JMP 0000000077610300 .text C:\Windows\system32\notepad.exe[1448] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000774b21e0 5 bytes JMP 0000000077610360 .text C:\Windows\system32\notepad.exe[1448] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000774b2240 5 bytes JMP 00000000776102a0 .text C:\Windows\system32\notepad.exe[1448] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000774b2290 5 bytes JMP 00000000776102c0 .text C:\Windows\system32\notepad.exe[1448] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000774b22c0 5 bytes JMP 0000000077610380 .text C:\Windows\system32\notepad.exe[1448] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000774b22d0 5 bytes JMP 0000000077610340 .text C:\Windows\system32\notepad.exe[1448] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000774b25c0 5 bytes JMP 0000000077610440 .text C:\Windows\system32\notepad.exe[1448] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000774b27c0 5 bytes JMP 0000000077610260 .text C:\Windows\system32\notepad.exe[1448] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000774b27d0 5 bytes JMP 0000000077610270 .text C:\Windows\system32\notepad.exe[1448] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000774b27e0 5 bytes JMP 0000000077610400 .text C:\Windows\system32\notepad.exe[1448] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000774b29a0 5 bytes JMP 00000000776101f0 .text C:\Windows\system32\notepad.exe[1448] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000774b29b0 5 bytes JMP 0000000077610210 .text C:\Windows\system32\notepad.exe[1448] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000774b2a20 5 bytes JMP 0000000077610200 .text C:\Windows\system32\notepad.exe[1448] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000774b2a80 5 bytes JMP 0000000077610420 .text C:\Windows\system32\notepad.exe[1448] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000774b2a90 5 bytes JMP 0000000077610430 .text C:\Windows\system32\notepad.exe[1448] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000774b2aa0 5 bytes JMP 0000000077610220 .text C:\Windows\system32\notepad.exe[1448] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000774b2b80 5 bytes JMP 0000000077610280 .text C:\Windows\system32\notepad.exe[1448] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007729ef8d 1 byte [62] .text C:\Windows\system32\notepad.exe[5064] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000774b1360 5 bytes JMP 0000000077610460 .text C:\Windows\system32\notepad.exe[5064] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000774b13b0 5 bytes JMP 0000000077610450 .text C:\Windows\system32\notepad.exe[5064] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000774b1510 5 bytes JMP 0000000077610370 .text C:\Windows\system32\notepad.exe[5064] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000774b1560 5 bytes JMP 0000000077610470 .text C:\Windows\system32\notepad.exe[5064] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000774b1570 5 bytes JMP 00000000776103e0 .text C:\Windows\system32\notepad.exe[5064] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000774b1620 5 bytes JMP 0000000077610320 .text C:\Windows\system32\notepad.exe[5064] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000774b1650 5 bytes JMP 00000000776103b0 .text C:\Windows\system32\notepad.exe[5064] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000774b1670 5 bytes JMP 0000000077610390 .text C:\Windows\system32\notepad.exe[5064] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000774b16b0 5 bytes JMP 00000000776102e0 .text C:\Windows\system32\notepad.exe[5064] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000774b1730 5 bytes JMP 00000000776102d0 .text C:\Windows\system32\notepad.exe[5064] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000774b1750 5 bytes JMP 0000000077610310 .text C:\Windows\system32\notepad.exe[5064] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000774b1790 5 bytes JMP 00000000776103c0 .text C:\Windows\system32\notepad.exe[5064] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000774b17e0 5 bytes JMP 00000000776103f0 .text C:\Windows\system32\notepad.exe[5064] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000774b1940 5 bytes JMP 0000000077610230 .text C:\Windows\system32\notepad.exe[5064] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000774b1b00 5 bytes JMP 0000000077610480 .text C:\Windows\system32\notepad.exe[5064] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000774b1b30 5 bytes JMP 00000000776103a0 .text C:\Windows\system32\notepad.exe[5064] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000774b1c10 5 bytes JMP 00000000776102f0 .text C:\Windows\system32\notepad.exe[5064] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000774b1c20 5 bytes JMP 0000000077610350 .text C:\Windows\system32\notepad.exe[5064] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000774b1c80 5 bytes JMP 0000000077610290 .text C:\Windows\system32\notepad.exe[5064] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000774b1d10 5 bytes JMP 00000000776102b0 .text C:\Windows\system32\notepad.exe[5064] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000774b1d30 5 bytes JMP 00000000776103d0 .text C:\Windows\system32\notepad.exe[5064] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000774b1d40 5 bytes JMP 0000000077610330 .text C:\Windows\system32\notepad.exe[5064] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000774b1db0 5 bytes JMP 0000000077610410 .text C:\Windows\system32\notepad.exe[5064] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000774b1de0 5 bytes JMP 0000000077610240 .text C:\Windows\system32\notepad.exe[5064] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000774b20a0 5 bytes JMP 00000000776101e0 .text C:\Windows\system32\notepad.exe[5064] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000774b2160 5 bytes JMP 0000000077610250 .text C:\Windows\system32\notepad.exe[5064] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000774b2190 5 bytes JMP 0000000077610490 .text C:\Windows\system32\notepad.exe[5064] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000774b21a0 5 bytes JMP 00000000776104a0 .text C:\Windows\system32\notepad.exe[5064] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000774b21d0 5 bytes JMP 0000000077610300 .text C:\Windows\system32\notepad.exe[5064] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000774b21e0 5 bytes JMP 0000000077610360 .text C:\Windows\system32\notepad.exe[5064] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000774b2240 5 bytes JMP 00000000776102a0 .text C:\Windows\system32\notepad.exe[5064] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000774b2290 5 bytes JMP 00000000776102c0 .text C:\Windows\system32\notepad.exe[5064] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000774b22c0 5 bytes JMP 0000000077610380 .text C:\Windows\system32\notepad.exe[5064] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000774b22d0 5 bytes JMP 0000000077610340 .text C:\Windows\system32\notepad.exe[5064] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000774b25c0 5 bytes JMP 0000000077610440 .text C:\Windows\system32\notepad.exe[5064] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000774b27c0 5 bytes JMP 0000000077610260 .text C:\Windows\system32\notepad.exe[5064] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000774b27d0 5 bytes JMP 0000000077610270 .text C:\Windows\system32\notepad.exe[5064] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000774b27e0 5 bytes JMP 0000000077610400 .text C:\Windows\system32\notepad.exe[5064] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000774b29a0 5 bytes JMP 00000000776101f0 .text C:\Windows\system32\notepad.exe[5064] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000774b29b0 5 bytes JMP 0000000077610210 .text C:\Windows\system32\notepad.exe[5064] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000774b2a20 5 bytes JMP 0000000077610200 .text C:\Windows\system32\notepad.exe[5064] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000774b2a80 5 bytes JMP 0000000077610420 .text C:\Windows\system32\notepad.exe[5064] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000774b2a90 5 bytes JMP 0000000077610430 .text C:\Windows\system32\notepad.exe[5064] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000774b2aa0 5 bytes JMP 0000000077610220 .text C:\Windows\system32\notepad.exe[5064] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000774b2b80 5 bytes JMP 0000000077610280 .text C:\Windows\system32\notepad.exe[5064] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007729ef8d 1 byte [62] .text C:\Windows\system32\notepad.exe[5412] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000774b1360 5 bytes JMP 0000000077610460 .text C:\Windows\system32\notepad.exe[5412] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000774b13b0 5 bytes JMP 0000000077610450 .text C:\Windows\system32\notepad.exe[5412] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000774b1510 5 bytes JMP 0000000077610370 .text C:\Windows\system32\notepad.exe[5412] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000774b1560 5 bytes JMP 0000000077610470 .text C:\Windows\system32\notepad.exe[5412] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000774b1570 5 bytes JMP 00000000776103e0 .text C:\Windows\system32\notepad.exe[5412] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000774b1620 5 bytes JMP 0000000077610320 .text C:\Windows\system32\notepad.exe[5412] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000774b1650 5 bytes JMP 00000000776103b0 .text C:\Windows\system32\notepad.exe[5412] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000774b1670 5 bytes JMP 0000000077610390 .text C:\Windows\system32\notepad.exe[5412] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000774b16b0 5 bytes JMP 00000000776102e0 .text C:\Windows\system32\notepad.exe[5412] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000774b1730 5 bytes JMP 00000000776102d0 .text C:\Windows\system32\notepad.exe[5412] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000774b1750 5 bytes JMP 0000000077610310 .text C:\Windows\system32\notepad.exe[5412] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000774b1790 5 bytes JMP 00000000776103c0 .text C:\Windows\system32\notepad.exe[5412] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000774b17e0 5 bytes JMP 00000000776103f0 .text C:\Windows\system32\notepad.exe[5412] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000774b1940 5 bytes JMP 0000000077610230 .text C:\Windows\system32\notepad.exe[5412] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000774b1b00 5 bytes JMP 0000000077610480 .text C:\Windows\system32\notepad.exe[5412] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000774b1b30 5 bytes JMP 00000000776103a0 .text C:\Windows\system32\notepad.exe[5412] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000774b1c10 5 bytes JMP 00000000776102f0 .text C:\Windows\system32\notepad.exe[5412] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000774b1c20 5 bytes JMP 0000000077610350 .text C:\Windows\system32\notepad.exe[5412] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000774b1c80 5 bytes JMP 0000000077610290 .text C:\Windows\system32\notepad.exe[5412] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000774b1d10 5 bytes JMP 00000000776102b0 .text C:\Windows\system32\notepad.exe[5412] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000774b1d30 5 bytes JMP 00000000776103d0 .text C:\Windows\system32\notepad.exe[5412] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000774b1d40 5 bytes JMP 0000000077610330 .text C:\Windows\system32\notepad.exe[5412] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000774b1db0 5 bytes JMP 0000000077610410 .text C:\Windows\system32\notepad.exe[5412] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000774b1de0 5 bytes JMP 0000000077610240 .text C:\Windows\system32\notepad.exe[5412] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000774b20a0 5 bytes JMP 00000000776101e0 .text C:\Windows\system32\notepad.exe[5412] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000774b2160 5 bytes JMP 0000000077610250 .text C:\Windows\system32\notepad.exe[5412] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000774b2190 5 bytes JMP 0000000077610490 .text C:\Windows\system32\notepad.exe[5412] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000774b21a0 5 bytes JMP 00000000776104a0 .text C:\Windows\system32\notepad.exe[5412] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000774b21d0 5 bytes JMP 0000000077610300 .text C:\Windows\system32\notepad.exe[5412] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000774b21e0 5 bytes JMP 0000000077610360 .text C:\Windows\system32\notepad.exe[5412] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000774b2240 5 bytes JMP 00000000776102a0 .text C:\Windows\system32\notepad.exe[5412] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000774b2290 5 bytes JMP 00000000776102c0 .text C:\Windows\system32\notepad.exe[5412] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000774b22c0 5 bytes JMP 0000000077610380 .text C:\Windows\system32\notepad.exe[5412] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000774b22d0 5 bytes JMP 0000000077610340 .text C:\Windows\system32\notepad.exe[5412] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000774b25c0 5 bytes JMP 0000000077610440 .text C:\Windows\system32\notepad.exe[5412] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000774b27c0 5 bytes JMP 0000000077610260 .text C:\Windows\system32\notepad.exe[5412] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000774b27d0 5 bytes JMP 0000000077610270 .text C:\Windows\system32\notepad.exe[5412] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000774b27e0 5 bytes JMP 0000000077610400 .text C:\Windows\system32\notepad.exe[5412] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000774b29a0 5 bytes JMP 00000000776101f0 .text C:\Windows\system32\notepad.exe[5412] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000774b29b0 5 bytes JMP 0000000077610210 .text C:\Windows\system32\notepad.exe[5412] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000774b2a20 5 bytes JMP 0000000077610200 .text C:\Windows\system32\notepad.exe[5412] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000774b2a80 5 bytes JMP 0000000077610420 .text C:\Windows\system32\notepad.exe[5412] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000774b2a90 5 bytes JMP 0000000077610430 .text C:\Windows\system32\notepad.exe[5412] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000774b2aa0 5 bytes JMP 0000000077610220 .text C:\Windows\system32\notepad.exe[5412] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000774b2b80 5 bytes JMP 0000000077610280 .text C:\Windows\system32\notepad.exe[5412] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007729ef8d 1 byte [62] .text C:\Windows\notepad.exe[2420] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000774b1360 5 bytes JMP 0000000077610460 .text C:\Windows\notepad.exe[2420] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000774b13b0 5 bytes JMP 0000000077610450 .text C:\Windows\notepad.exe[2420] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000774b1510 5 bytes JMP 0000000077610370 .text C:\Windows\notepad.exe[2420] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000774b1560 5 bytes JMP 0000000077610470 .text C:\Windows\notepad.exe[2420] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000774b1570 5 bytes JMP 00000000776103e0 .text C:\Windows\notepad.exe[2420] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000774b1620 5 bytes JMP 0000000077610320 .text C:\Windows\notepad.exe[2420] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000774b1650 5 bytes JMP 00000000776103b0 .text C:\Windows\notepad.exe[2420] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000774b1670 5 bytes JMP 0000000077610390 .text C:\Windows\notepad.exe[2420] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000774b16b0 5 bytes JMP 00000000776102e0 .text C:\Windows\notepad.exe[2420] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000774b1730 5 bytes JMP 00000000776102d0 .text C:\Windows\notepad.exe[2420] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000774b1750 5 bytes JMP 0000000077610310 .text C:\Windows\notepad.exe[2420] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000774b1790 5 bytes JMP 00000000776103c0 .text C:\Windows\notepad.exe[2420] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000774b17e0 5 bytes JMP 00000000776103f0 .text C:\Windows\notepad.exe[2420] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000774b1940 5 bytes JMP 0000000077610230 .text C:\Windows\notepad.exe[2420] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000774b1b00 5 bytes JMP 0000000077610480 .text C:\Windows\notepad.exe[2420] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000774b1b30 5 bytes JMP 00000000776103a0 .text C:\Windows\notepad.exe[2420] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000774b1c10 5 bytes JMP 00000000776102f0 .text C:\Windows\notepad.exe[2420] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000774b1c20 5 bytes JMP 0000000077610350 .text C:\Windows\notepad.exe[2420] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000774b1c80 5 bytes JMP 0000000077610290 .text C:\Windows\notepad.exe[2420] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000774b1d10 5 bytes JMP 00000000776102b0 .text C:\Windows\notepad.exe[2420] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000774b1d30 5 bytes JMP 00000000776103d0 .text C:\Windows\notepad.exe[2420] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000774b1d40 5 bytes JMP 0000000077610330 .text C:\Windows\notepad.exe[2420] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000774b1db0 5 bytes JMP 0000000077610410 .text C:\Windows\notepad.exe[2420] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000774b1de0 5 bytes JMP 0000000077610240 .text C:\Windows\notepad.exe[2420] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000774b20a0 5 bytes JMP 00000000776101e0 .text C:\Windows\notepad.exe[2420] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000774b2160 5 bytes JMP 0000000077610250 .text C:\Windows\notepad.exe[2420] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000774b2190 5 bytes JMP 0000000077610490 .text C:\Windows\notepad.exe[2420] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000774b21a0 5 bytes JMP 00000000776104a0 .text C:\Windows\notepad.exe[2420] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000774b21d0 5 bytes JMP 0000000077610300 .text C:\Windows\notepad.exe[2420] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000774b21e0 5 bytes JMP 0000000077610360 .text C:\Windows\notepad.exe[2420] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000774b2240 5 bytes JMP 00000000776102a0 .text C:\Windows\notepad.exe[2420] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000774b2290 5 bytes JMP 00000000776102c0 .text C:\Windows\notepad.exe[2420] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000774b22c0 5 bytes JMP 0000000077610380 .text C:\Windows\notepad.exe[2420] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000774b22d0 5 bytes JMP 0000000077610340 .text C:\Windows\notepad.exe[2420] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000774b25c0 5 bytes JMP 0000000077610440 .text C:\Windows\notepad.exe[2420] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000774b27c0 5 bytes JMP 0000000077610260 .text C:\Windows\notepad.exe[2420] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000774b27d0 5 bytes JMP 0000000077610270 .text C:\Windows\notepad.exe[2420] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000774b27e0 5 bytes JMP 0000000077610400 .text C:\Windows\notepad.exe[2420] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000774b29a0 5 bytes JMP 00000000776101f0 .text C:\Windows\notepad.exe[2420] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000774b29b0 5 bytes JMP 0000000077610210 .text C:\Windows\notepad.exe[2420] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000774b2a20 5 bytes JMP 0000000077610200 .text C:\Windows\notepad.exe[2420] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000774b2a80 5 bytes JMP 0000000077610420 .text C:\Windows\notepad.exe[2420] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000774b2a90 5 bytes JMP 0000000077610430 .text C:\Windows\notepad.exe[2420] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000774b2aa0 5 bytes JMP 0000000077610220 .text C:\Windows\notepad.exe[2420] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000774b2b80 5 bytes JMP 0000000077610280 .text C:\Windows\notepad.exe[2420] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007729ef8d 1 byte [62] .text C:\Windows\notepad.exe[3404] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000774b1360 5 bytes JMP 0000000077610460 .text C:\Windows\notepad.exe[3404] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000774b13b0 5 bytes JMP 0000000077610450 .text C:\Windows\notepad.exe[3404] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000774b1510 5 bytes JMP 0000000077610370 .text C:\Windows\notepad.exe[3404] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000774b1560 5 bytes JMP 0000000077610470 .text C:\Windows\notepad.exe[3404] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000774b1570 5 bytes JMP 00000000776103e0 .text C:\Windows\notepad.exe[3404] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000774b1620 5 bytes JMP 0000000077610320 .text C:\Windows\notepad.exe[3404] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000774b1650 5 bytes JMP 00000000776103b0 .text C:\Windows\notepad.exe[3404] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000774b1670 5 bytes JMP 0000000077610390 .text C:\Windows\notepad.exe[3404] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000774b16b0 5 bytes JMP 00000000776102e0 .text C:\Windows\notepad.exe[3404] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000774b1730 5 bytes JMP 00000000776102d0 .text C:\Windows\notepad.exe[3404] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000774b1750 5 bytes JMP 0000000077610310 .text C:\Windows\notepad.exe[3404] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000774b1790 5 bytes JMP 00000000776103c0 .text C:\Windows\notepad.exe[3404] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000774b17e0 5 bytes JMP 00000000776103f0 .text C:\Windows\notepad.exe[3404] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000774b1940 5 bytes JMP 0000000077610230 .text C:\Windows\notepad.exe[3404] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000774b1b00 5 bytes JMP 0000000077610480 .text C:\Windows\notepad.exe[3404] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000774b1b30 5 bytes JMP 00000000776103a0 .text C:\Windows\notepad.exe[3404] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000774b1c10 5 bytes JMP 00000000776102f0 .text C:\Windows\notepad.exe[3404] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000774b1c20 5 bytes JMP 0000000077610350 .text C:\Windows\notepad.exe[3404] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000774b1c80 5 bytes JMP 0000000077610290 .text C:\Windows\notepad.exe[3404] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000774b1d10 5 bytes JMP 00000000776102b0 .text C:\Windows\notepad.exe[3404] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000774b1d30 5 bytes JMP 00000000776103d0 .text C:\Windows\notepad.exe[3404] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000774b1d40 5 bytes JMP 0000000077610330 .text C:\Windows\notepad.exe[3404] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000774b1db0 5 bytes JMP 0000000077610410 .text C:\Windows\notepad.exe[3404] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000774b1de0 5 bytes JMP 0000000077610240 .text C:\Windows\notepad.exe[3404] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000774b20a0 5 bytes JMP 00000000776101e0 .text C:\Windows\notepad.exe[3404] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000774b2160 5 bytes JMP 0000000077610250 .text C:\Windows\notepad.exe[3404] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000774b2190 5 bytes JMP 0000000077610490 .text C:\Windows\notepad.exe[3404] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000774b21a0 5 bytes JMP 00000000776104a0 .text C:\Windows\notepad.exe[3404] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000774b21d0 5 bytes JMP 0000000077610300 .text C:\Windows\notepad.exe[3404] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000774b21e0 5 bytes JMP 0000000077610360 .text C:\Windows\notepad.exe[3404] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000774b2240 5 bytes JMP 00000000776102a0 .text C:\Windows\notepad.exe[3404] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000774b2290 5 bytes JMP 00000000776102c0 .text C:\Windows\notepad.exe[3404] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000774b22c0 5 bytes JMP 0000000077610380 .text C:\Windows\notepad.exe[3404] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000774b22d0 5 bytes JMP 0000000077610340 .text C:\Windows\notepad.exe[3404] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000774b25c0 5 bytes JMP 0000000077610440 .text C:\Windows\notepad.exe[3404] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000774b27c0 5 bytes JMP 0000000077610260 .text C:\Windows\notepad.exe[3404] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000774b27d0 5 bytes JMP 0000000077610270 .text C:\Windows\notepad.exe[3404] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000774b27e0 5 bytes JMP 0000000077610400 .text C:\Windows\notepad.exe[3404] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000774b29a0 5 bytes JMP 00000000776101f0 .text C:\Windows\notepad.exe[3404] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000774b29b0 5 bytes JMP 0000000077610210 .text C:\Windows\notepad.exe[3404] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000774b2a20 5 bytes JMP 0000000077610200 .text C:\Windows\notepad.exe[3404] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000774b2a80 5 bytes JMP 0000000077610420 .text C:\Windows\notepad.exe[3404] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000774b2a90 5 bytes JMP 0000000077610430 .text C:\Windows\notepad.exe[3404] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000774b2aa0 5 bytes JMP 0000000077610220 .text C:\Windows\notepad.exe[3404] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000774b2b80 5 bytes JMP 0000000077610280 .text C:\Windows\notepad.exe[3404] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007729ef8d 1 byte [62] .text C:\Windows\system32\taskmgr.exe[4984] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007729ef8d 1 byte [62] .text C:\Users\Micha³\Desktop\procexp.exe[3572] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000760ca2fd 1 byte [62] .text C:\Users\Micha³\Desktop\procexp.exe[3572] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 00000000750d1401 2 bytes JMP 760cb21b C:\Windows\syswow64\kernel32.dll .text C:\Users\Micha³\Desktop\procexp.exe[3572] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 00000000750d1419 2 bytes JMP 760cb346 C:\Windows\syswow64\kernel32.dll .text C:\Users\Micha³\Desktop\procexp.exe[3572] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 00000000750d1431 2 bytes JMP 76148ea9 C:\Windows\syswow64\kernel32.dll .text C:\Users\Micha³\Desktop\procexp.exe[3572] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 00000000750d144a 2 bytes CALL 760a48ad C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Users\Micha³\Desktop\procexp.exe[3572] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000750d14dd 2 bytes JMP 761487a2 C:\Windows\syswow64\kernel32.dll .text C:\Users\Micha³\Desktop\procexp.exe[3572] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000750d14f5 2 bytes JMP 76148978 C:\Windows\syswow64\kernel32.dll .text C:\Users\Micha³\Desktop\procexp.exe[3572] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 00000000750d150d 2 bytes JMP 76148698 C:\Windows\syswow64\kernel32.dll .text C:\Users\Micha³\Desktop\procexp.exe[3572] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 00000000750d1525 2 bytes JMP 76148a62 C:\Windows\syswow64\kernel32.dll .text C:\Users\Micha³\Desktop\procexp.exe[3572] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 00000000750d153d 2 bytes JMP 760bfca8 C:\Windows\syswow64\kernel32.dll .text C:\Users\Micha³\Desktop\procexp.exe[3572] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 00000000750d1555 2 bytes JMP 760c68ef C:\Windows\syswow64\kernel32.dll .text C:\Users\Micha³\Desktop\procexp.exe[3572] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 00000000750d156d 2 bytes JMP 76148f61 C:\Windows\syswow64\kernel32.dll .text C:\Users\Micha³\Desktop\procexp.exe[3572] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 00000000750d1585 2 bytes JMP 76148ac2 C:\Windows\syswow64\kernel32.dll .text C:\Users\Micha³\Desktop\procexp.exe[3572] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 00000000750d159d 2 bytes JMP 7614865c C:\Windows\syswow64\kernel32.dll .text C:\Users\Micha³\Desktop\procexp.exe[3572] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000750d15b5 2 bytes JMP 760bfd41 C:\Windows\syswow64\kernel32.dll .text C:\Users\Micha³\Desktop\procexp.exe[3572] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000750d15cd 2 bytes JMP 760cb2dc C:\Windows\syswow64\kernel32.dll .text C:\Users\Micha³\Desktop\procexp.exe[3572] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000750d16b2 2 bytes JMP 76148e24 C:\Windows\syswow64\kernel32.dll .text C:\Users\Micha³\Desktop\procexp.exe[3572] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000750d16bd 2 bytes JMP 761485f1 C:\Windows\syswow64\kernel32.dll .text C:\Users\MICHA~1\AppData\Local\Temp\procexp64.exe[2660] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000774b1360 5 bytes JMP 0000000077610460 .text C:\Users\MICHA~1\AppData\Local\Temp\procexp64.exe[2660] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000774b13b0 5 bytes JMP 0000000077610450 .text C:\Users\MICHA~1\AppData\Local\Temp\procexp64.exe[2660] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000774b1510 5 bytes JMP 0000000077610370 .text C:\Users\MICHA~1\AppData\Local\Temp\procexp64.exe[2660] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000774b1560 5 bytes JMP 0000000077610470 .text C:\Users\MICHA~1\AppData\Local\Temp\procexp64.exe[2660] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000774b1570 5 bytes JMP 00000000776103e0 .text C:\Users\MICHA~1\AppData\Local\Temp\procexp64.exe[2660] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000774b1620 5 bytes JMP 0000000077610320 .text C:\Users\MICHA~1\AppData\Local\Temp\procexp64.exe[2660] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000774b1650 5 bytes JMP 00000000776103b0 .text C:\Users\MICHA~1\AppData\Local\Temp\procexp64.exe[2660] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000774b1670 5 bytes JMP 0000000077610390 .text C:\Users\MICHA~1\AppData\Local\Temp\procexp64.exe[2660] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000774b16b0 5 bytes JMP 00000000776102e0 .text C:\Users\MICHA~1\AppData\Local\Temp\procexp64.exe[2660] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000774b1730 5 bytes JMP 00000000776102d0 .text C:\Users\MICHA~1\AppData\Local\Temp\procexp64.exe[2660] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000774b1750 5 bytes JMP 0000000077610310 .text C:\Users\MICHA~1\AppData\Local\Temp\procexp64.exe[2660] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000774b1790 5 bytes JMP 00000000776103c0 .text C:\Users\MICHA~1\AppData\Local\Temp\procexp64.exe[2660] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000774b17e0 5 bytes JMP 00000000776103f0 .text C:\Users\MICHA~1\AppData\Local\Temp\procexp64.exe[2660] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000774b1940 5 bytes JMP 0000000077610230 .text C:\Users\MICHA~1\AppData\Local\Temp\procexp64.exe[2660] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000774b1b00 5 bytes JMP 0000000077610480 .text C:\Users\MICHA~1\AppData\Local\Temp\procexp64.exe[2660] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000774b1b30 5 bytes JMP 00000000776103a0 .text C:\Users\MICHA~1\AppData\Local\Temp\procexp64.exe[2660] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000774b1c10 5 bytes JMP 00000000776102f0 .text C:\Users\MICHA~1\AppData\Local\Temp\procexp64.exe[2660] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000774b1c20 5 bytes JMP 0000000077610350 .text C:\Users\MICHA~1\AppData\Local\Temp\procexp64.exe[2660] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000774b1c80 5 bytes JMP 0000000077610290 .text C:\Users\MICHA~1\AppData\Local\Temp\procexp64.exe[2660] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000774b1d10 5 bytes JMP 00000000776102b0 .text C:\Users\MICHA~1\AppData\Local\Temp\procexp64.exe[2660] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000774b1d30 5 bytes JMP 00000000776103d0 .text C:\Users\MICHA~1\AppData\Local\Temp\procexp64.exe[2660] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000774b1d40 5 bytes JMP 0000000077610330 .text C:\Users\MICHA~1\AppData\Local\Temp\procexp64.exe[2660] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000774b1db0 5 bytes JMP 0000000077610410 .text C:\Users\MICHA~1\AppData\Local\Temp\procexp64.exe[2660] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000774b1de0 5 bytes JMP 0000000077610240 .text C:\Users\MICHA~1\AppData\Local\Temp\procexp64.exe[2660] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000774b20a0 5 bytes JMP 00000000776101e0 .text C:\Users\MICHA~1\AppData\Local\Temp\procexp64.exe[2660] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000774b2160 5 bytes JMP 0000000077610250 .text C:\Users\MICHA~1\AppData\Local\Temp\procexp64.exe[2660] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000774b2190 5 bytes JMP 0000000077610490 .text C:\Users\MICHA~1\AppData\Local\Temp\procexp64.exe[2660] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000774b21a0 5 bytes JMP 00000000776104a0 .text C:\Users\MICHA~1\AppData\Local\Temp\procexp64.exe[2660] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000774b21d0 5 bytes JMP 0000000077610300 .text C:\Users\MICHA~1\AppData\Local\Temp\procexp64.exe[2660] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000774b21e0 5 bytes JMP 0000000077610360 .text C:\Users\MICHA~1\AppData\Local\Temp\procexp64.exe[2660] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000774b2240 5 bytes JMP 00000000776102a0 .text C:\Users\MICHA~1\AppData\Local\Temp\procexp64.exe[2660] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000774b2290 5 bytes JMP 00000000776102c0 .text C:\Users\MICHA~1\AppData\Local\Temp\procexp64.exe[2660] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000774b22c0 5 bytes JMP 0000000077610380 .text C:\Users\MICHA~1\AppData\Local\Temp\procexp64.exe[2660] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000774b22d0 5 bytes JMP 0000000077610340 .text C:\Users\MICHA~1\AppData\Local\Temp\procexp64.exe[2660] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000774b25c0 5 bytes JMP 0000000077610440 .text C:\Users\MICHA~1\AppData\Local\Temp\procexp64.exe[2660] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000774b27c0 5 bytes JMP 0000000077610260 .text C:\Users\MICHA~1\AppData\Local\Temp\procexp64.exe[2660] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000774b27d0 5 bytes JMP 0000000077610270 .text C:\Users\MICHA~1\AppData\Local\Temp\procexp64.exe[2660] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000774b27e0 5 bytes JMP 0000000077610400 .text C:\Users\MICHA~1\AppData\Local\Temp\procexp64.exe[2660] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000774b29a0 5 bytes JMP 00000000776101f0 .text C:\Users\MICHA~1\AppData\Local\Temp\procexp64.exe[2660] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000774b29b0 5 bytes JMP 0000000077610210 .text C:\Users\MICHA~1\AppData\Local\Temp\procexp64.exe[2660] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000774b2a20 5 bytes JMP 0000000077610200 .text C:\Users\MICHA~1\AppData\Local\Temp\procexp64.exe[2660] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000774b2a80 5 bytes JMP 0000000077610420 .text C:\Users\MICHA~1\AppData\Local\Temp\procexp64.exe[2660] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000774b2a90 5 bytes JMP 0000000077610430 .text C:\Users\MICHA~1\AppData\Local\Temp\procexp64.exe[2660] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000774b2aa0 5 bytes JMP 0000000077610220 .text C:\Users\MICHA~1\AppData\Local\Temp\procexp64.exe[2660] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000774b2b80 5 bytes JMP 0000000077610280 .text C:\Users\MICHA~1\AppData\Local\Temp\procexp64.exe[2660] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007729ef8d 1 byte [62] .text F:\Pobierane\p7mv7ci5.exe[3808] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000760ca2fd 1 byte [62] ---- Threads - GMER 2.1 ---- Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [4564:4916] 000007fefb052bf8 Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [4564:3056] 000007fee988cf60 Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [4564:5460] 000007fef96b5124 Thread C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [5800:776] 0000000077007587 Thread C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [5800:5204] 00000000685b7712 Thread C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [5800:6124] 0000000077692e65 Thread C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [5800:5812] 0000000077693e85 Thread C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [5800:2428] 0000000077693e85 Thread C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [5800:2700] 0000000077693e85 Thread C:\Windows\System32\svchost.exe [5404:2868] 000007fee1c09688 ---- Processes - GMER 2.1 ---- Library Ì÷…à]H (*** suspicious ***) @ C:\Users\MICHA~1\AppData\Local\Temp\procexp64.exe [2660] 000000013fdd0000 ---- EOF - GMER 2.1 ----