GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2014-11-25 23:24:43 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 WDC_WD5000BEVT-26A0RT0 rev.01.01A01 465,76GB Running: n3gd939c.exe; Driver: C:\Users\Icek\AppData\Local\Temp\awlcqaog.sys ---- User code sections - GMER 2.1 ---- .text C:\Windows\system32\csrss.exe[412] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077c013c0 5 bytes JMP 00000001499a0460 .text C:\Windows\system32\csrss.exe[412] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077c01410 5 bytes JMP 00000001499a0450 .text C:\Windows\system32\csrss.exe[412] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077c01570 5 bytes JMP 00000001499a0370 .text C:\Windows\system32\csrss.exe[412] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077c015c0 5 bytes JMP 00000001499a0470 .text C:\Windows\system32\csrss.exe[412] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077c015d0 5 bytes JMP 00000001499a03e0 .text C:\Windows\system32\csrss.exe[412] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077c01680 5 bytes JMP 00000001499a0320 .text C:\Windows\system32\csrss.exe[412] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077c016b0 5 bytes JMP 00000001499a03b0 .text C:\Windows\system32\csrss.exe[412] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077c016d0 5 bytes JMP 00000001499a0390 .text C:\Windows\system32\csrss.exe[412] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077c01710 5 bytes JMP 00000001499a02e0 .text C:\Windows\system32\csrss.exe[412] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077c01790 5 bytes JMP 00000001499a02d0 .text C:\Windows\system32\csrss.exe[412] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077c017b0 5 bytes JMP 00000001499a0310 .text C:\Windows\system32\csrss.exe[412] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077c017f0 5 bytes JMP 00000001499a03c0 .text C:\Windows\system32\csrss.exe[412] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077c01840 5 bytes JMP 00000001499a03f0 .text C:\Windows\system32\csrss.exe[412] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077c019a0 1 byte JMP 00000001499a0230 .text C:\Windows\system32\csrss.exe[412] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000077c019a2 3 bytes {JMP 0xffffffffd1d9e890} .text C:\Windows\system32\csrss.exe[412] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077c01b60 5 bytes JMP 00000001499a0480 .text C:\Windows\system32\csrss.exe[412] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077c01b90 5 bytes JMP 00000001499a03a0 .text C:\Windows\system32\csrss.exe[412] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077c01c70 5 bytes JMP 00000001499a02f0 .text C:\Windows\system32\csrss.exe[412] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077c01c80 5 bytes JMP 00000001499a0350 .text C:\Windows\system32\csrss.exe[412] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077c01ce0 5 bytes JMP 00000001499a0290 .text C:\Windows\system32\csrss.exe[412] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077c01d70 5 bytes JMP 00000001499a02b0 .text C:\Windows\system32\csrss.exe[412] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077c01d90 5 bytes JMP 00000001499a03d0 .text C:\Windows\system32\csrss.exe[412] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077c01da0 1 byte JMP 00000001499a0330 .text C:\Windows\system32\csrss.exe[412] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077c01da2 3 bytes {JMP 0xffffffffd1d9e590} .text C:\Windows\system32\csrss.exe[412] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077c01e10 5 bytes JMP 00000001499a0410 .text C:\Windows\system32\csrss.exe[412] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077c01e40 5 bytes JMP 00000001499a0240 .text C:\Windows\system32\csrss.exe[412] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077c02100 5 bytes JMP 00000001499a01e0 .text C:\Windows\system32\csrss.exe[412] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077c021c0 1 byte JMP 00000001499a0250 .text C:\Windows\system32\csrss.exe[412] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000077c021c2 3 bytes {JMP 0xffffffffd1d9e090} .text C:\Windows\system32\csrss.exe[412] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077c021f0 5 bytes JMP 00000001499a0490 .text C:\Windows\system32\csrss.exe[412] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077c02200 5 bytes JMP 00000001499a04a0 .text C:\Windows\system32\csrss.exe[412] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077c02230 5 bytes JMP 00000001499a0300 .text C:\Windows\system32\csrss.exe[412] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077c02240 5 bytes JMP 00000001499a0360 .text C:\Windows\system32\csrss.exe[412] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077c022a0 5 bytes JMP 00000001499a02a0 .text C:\Windows\system32\csrss.exe[412] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077c022f0 5 bytes JMP 00000001499a02c0 .text C:\Windows\system32\csrss.exe[412] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077c02320 5 bytes JMP 00000001499a0380 .text C:\Windows\system32\csrss.exe[412] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077c02330 5 bytes JMP 00000001499a0340 .text C:\Windows\system32\csrss.exe[412] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077c02620 5 bytes JMP 00000001499a0440 .text C:\Windows\system32\csrss.exe[412] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077c02820 5 bytes JMP 00000001499a0260 .text C:\Windows\system32\csrss.exe[412] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077c02830 5 bytes JMP 00000001499a0270 .text C:\Windows\system32\csrss.exe[412] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077c02840 5 bytes JMP 00000001499a0400 .text C:\Windows\system32\csrss.exe[412] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077c02a00 5 bytes JMP 00000001499a01f0 .text C:\Windows\system32\csrss.exe[412] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077c02a10 5 bytes JMP 00000001499a0210 .text C:\Windows\system32\csrss.exe[412] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077c02a80 5 bytes JMP 00000001499a0200 .text C:\Windows\system32\csrss.exe[412] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077c02ae0 5 bytes JMP 00000001499a0420 .text C:\Windows\system32\csrss.exe[412] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077c02af0 5 bytes JMP 00000001499a0430 .text C:\Windows\system32\csrss.exe[412] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077c02b00 5 bytes JMP 00000001499a0220 .text C:\Windows\system32\csrss.exe[412] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077c02be0 5 bytes JMP 00000001499a0280 .text C:\Windows\system32\wininit.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077c013c0 5 bytes JMP 0000000077d60460 .text C:\Windows\system32\wininit.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077c01410 5 bytes JMP 0000000077d60450 .text C:\Windows\system32\wininit.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077c01570 5 bytes JMP 0000000077d60370 .text C:\Windows\system32\wininit.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077c015c0 5 bytes JMP 0000000077d60470 .text C:\Windows\system32\wininit.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077c015d0 5 bytes JMP 0000000077d603e0 .text C:\Windows\system32\wininit.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077c01680 5 bytes JMP 0000000077d60320 .text C:\Windows\system32\wininit.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077c016b0 5 bytes JMP 0000000077d603b0 .text C:\Windows\system32\wininit.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077c016d0 5 bytes JMP 0000000077d60390 .text C:\Windows\system32\wininit.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077c01710 5 bytes JMP 0000000077d602e0 .text C:\Windows\system32\wininit.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077c01790 5 bytes JMP 0000000077d602d0 .text C:\Windows\system32\wininit.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077c017b0 5 bytes JMP 0000000077d60310 .text C:\Windows\system32\wininit.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077c017f0 5 bytes JMP 0000000077d603c0 .text C:\Windows\system32\wininit.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077c01840 5 bytes JMP 0000000077d603f0 .text C:\Windows\system32\wininit.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077c019a0 1 byte JMP 0000000077d60230 .text C:\Windows\system32\wininit.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000077c019a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\wininit.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077c01b60 5 bytes JMP 0000000077d60480 .text C:\Windows\system32\wininit.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077c01b90 5 bytes JMP 0000000077d603a0 .text C:\Windows\system32\wininit.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077c01c70 5 bytes JMP 0000000077d602f0 .text C:\Windows\system32\wininit.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077c01c80 5 bytes JMP 0000000077d60350 .text C:\Windows\system32\wininit.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077c01ce0 5 bytes JMP 0000000077d60290 .text C:\Windows\system32\wininit.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077c01d70 5 bytes JMP 0000000077d602b0 .text C:\Windows\system32\wininit.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077c01d90 5 bytes JMP 0000000077d603d0 .text C:\Windows\system32\wininit.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077c01da0 1 byte JMP 0000000077d60330 .text C:\Windows\system32\wininit.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077c01da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\wininit.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077c01e10 5 bytes JMP 0000000077d60410 .text C:\Windows\system32\wininit.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077c01e40 5 bytes JMP 0000000077d60240 .text C:\Windows\system32\wininit.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077c02100 5 bytes JMP 0000000077d601e0 .text C:\Windows\system32\wininit.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077c021c0 1 byte JMP 0000000077d60250 .text C:\Windows\system32\wininit.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000077c021c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\wininit.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077c021f0 5 bytes JMP 0000000077d60490 .text C:\Windows\system32\wininit.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077c02200 5 bytes JMP 0000000077d604a0 .text C:\Windows\system32\wininit.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077c02230 5 bytes JMP 0000000077d60300 .text C:\Windows\system32\wininit.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077c02240 5 bytes JMP 0000000077d60360 .text C:\Windows\system32\wininit.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077c022a0 5 bytes JMP 0000000077d602a0 .text C:\Windows\system32\wininit.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077c022f0 5 bytes JMP 0000000077d602c0 .text C:\Windows\system32\wininit.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077c02320 5 bytes JMP 0000000077d60380 .text C:\Windows\system32\wininit.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077c02330 5 bytes JMP 0000000077d60340 .text C:\Windows\system32\wininit.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077c02620 5 bytes JMP 0000000077d60440 .text C:\Windows\system32\wininit.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077c02820 5 bytes JMP 0000000077d60260 .text C:\Windows\system32\wininit.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077c02830 5 bytes JMP 0000000077d60270 .text C:\Windows\system32\wininit.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077c02840 5 bytes JMP 0000000077d60400 .text C:\Windows\system32\wininit.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077c02a00 5 bytes JMP 0000000077d601f0 .text C:\Windows\system32\wininit.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077c02a10 5 bytes JMP 0000000077d60210 .text C:\Windows\system32\wininit.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077c02a80 5 bytes JMP 0000000077d60200 .text C:\Windows\system32\wininit.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077c02ae0 5 bytes JMP 0000000077d60420 .text C:\Windows\system32\wininit.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077c02af0 5 bytes JMP 0000000077d60430 .text C:\Windows\system32\wininit.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077c02b00 5 bytes JMP 0000000077d60220 .text C:\Windows\system32\wininit.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077c02be0 5 bytes JMP 0000000077d60280 .text C:\Windows\system32\wininit.exe[484] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000779eeecd 1 byte [62] .text C:\Windows\system32\csrss.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077c013c0 5 bytes JMP 00000001499a0460 .text C:\Windows\system32\csrss.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077c01410 5 bytes JMP 00000001499a0450 .text C:\Windows\system32\csrss.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077c01570 5 bytes JMP 00000001499a0370 .text C:\Windows\system32\csrss.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077c015c0 5 bytes JMP 00000001499a0470 .text C:\Windows\system32\csrss.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077c015d0 5 bytes JMP 00000001499a03e0 .text C:\Windows\system32\csrss.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077c01680 5 bytes JMP 00000001499a0320 .text C:\Windows\system32\csrss.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077c016b0 5 bytes JMP 00000001499a03b0 .text C:\Windows\system32\csrss.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077c016d0 5 bytes JMP 00000001499a0390 .text C:\Windows\system32\csrss.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077c01710 5 bytes JMP 00000001499a02e0 .text C:\Windows\system32\csrss.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077c01790 5 bytes JMP 00000001499a02d0 .text C:\Windows\system32\csrss.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077c017b0 5 bytes JMP 00000001499a0310 .text C:\Windows\system32\csrss.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077c017f0 5 bytes JMP 00000001499a03c0 .text C:\Windows\system32\csrss.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077c01840 5 bytes JMP 00000001499a03f0 .text C:\Windows\system32\csrss.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077c019a0 1 byte JMP 00000001499a0230 .text C:\Windows\system32\csrss.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000077c019a2 3 bytes {JMP 0xffffffffd1d9e890} .text C:\Windows\system32\csrss.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077c01b60 5 bytes JMP 00000001499a0480 .text C:\Windows\system32\csrss.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077c01b90 5 bytes JMP 00000001499a03a0 .text C:\Windows\system32\csrss.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077c01c70 5 bytes JMP 00000001499a02f0 .text C:\Windows\system32\csrss.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077c01c80 5 bytes JMP 00000001499a0350 .text C:\Windows\system32\csrss.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077c01ce0 5 bytes JMP 00000001499a0290 .text C:\Windows\system32\csrss.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077c01d70 5 bytes JMP 00000001499a02b0 .text C:\Windows\system32\csrss.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077c01d90 5 bytes JMP 00000001499a03d0 .text C:\Windows\system32\csrss.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077c01da0 1 byte JMP 00000001499a0330 .text C:\Windows\system32\csrss.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077c01da2 3 bytes {JMP 0xffffffffd1d9e590} .text C:\Windows\system32\csrss.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077c01e10 5 bytes JMP 00000001499a0410 .text C:\Windows\system32\csrss.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077c01e40 5 bytes JMP 00000001499a0240 .text C:\Windows\system32\csrss.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077c02100 5 bytes JMP 00000001499a01e0 .text C:\Windows\system32\csrss.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077c021c0 1 byte JMP 00000001499a0250 .text C:\Windows\system32\csrss.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000077c021c2 3 bytes {JMP 0xffffffffd1d9e090} .text C:\Windows\system32\csrss.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077c021f0 5 bytes JMP 00000001499a0490 .text C:\Windows\system32\csrss.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077c02200 5 bytes JMP 00000001499a04a0 .text C:\Windows\system32\csrss.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077c02230 5 bytes JMP 00000001499a0300 .text C:\Windows\system32\csrss.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077c02240 5 bytes JMP 00000001499a0360 .text C:\Windows\system32\csrss.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077c022a0 5 bytes JMP 00000001499a02a0 .text C:\Windows\system32\csrss.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077c022f0 5 bytes JMP 00000001499a02c0 .text C:\Windows\system32\csrss.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077c02320 5 bytes JMP 00000001499a0380 .text C:\Windows\system32\csrss.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077c02330 5 bytes JMP 00000001499a0340 .text C:\Windows\system32\csrss.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077c02620 5 bytes JMP 00000001499a0440 .text C:\Windows\system32\csrss.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077c02820 5 bytes JMP 00000001499a0260 .text C:\Windows\system32\csrss.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077c02830 5 bytes JMP 00000001499a0270 .text C:\Windows\system32\csrss.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077c02840 5 bytes JMP 00000001499a0400 .text C:\Windows\system32\csrss.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077c02a00 5 bytes JMP 00000001499a01f0 .text C:\Windows\system32\csrss.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077c02a10 5 bytes JMP 00000001499a0210 .text C:\Windows\system32\csrss.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077c02a80 5 bytes JMP 00000001499a0200 .text C:\Windows\system32\csrss.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077c02ae0 5 bytes JMP 00000001499a0420 .text C:\Windows\system32\csrss.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077c02af0 5 bytes JMP 00000001499a0430 .text C:\Windows\system32\csrss.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077c02b00 5 bytes JMP 00000001499a0220 .text C:\Windows\system32\csrss.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077c02be0 5 bytes JMP 00000001499a0280 .text C:\Windows\system32\services.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077c013c0 5 bytes JMP 0000000100070460 .text C:\Windows\system32\services.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077c01410 5 bytes JMP 0000000100070450 .text C:\Windows\system32\services.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077c01570 5 bytes JMP 0000000100070370 .text C:\Windows\system32\services.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077c015c0 5 bytes JMP 0000000100070470 .text C:\Windows\system32\services.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077c015d0 5 bytes JMP 00000001000703e0 .text C:\Windows\system32\services.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077c01680 5 bytes JMP 0000000100070320 .text C:\Windows\system32\services.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077c016b0 5 bytes JMP 00000001000703b0 .text C:\Windows\system32\services.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077c016d0 5 bytes JMP 0000000100070390 .text C:\Windows\system32\services.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077c01710 5 bytes JMP 00000001000702e0 .text C:\Windows\system32\services.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077c01790 5 bytes JMP 00000001000702d0 .text C:\Windows\system32\services.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077c017b0 5 bytes JMP 0000000100070310 .text C:\Windows\system32\services.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077c017f0 5 bytes JMP 00000001000703c0 .text C:\Windows\system32\services.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077c01840 5 bytes JMP 00000001000703f0 .text C:\Windows\system32\services.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077c019a0 1 byte JMP 0000000100070230 .text C:\Windows\system32\services.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000077c019a2 3 bytes {JMP 0xffffffff8846e890} .text C:\Windows\system32\services.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077c01b60 5 bytes JMP 0000000100070480 .text C:\Windows\system32\services.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077c01b90 5 bytes JMP 00000001000703a0 .text C:\Windows\system32\services.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077c01c70 5 bytes JMP 00000001000702f0 .text C:\Windows\system32\services.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077c01c80 5 bytes JMP 0000000100070350 .text C:\Windows\system32\services.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077c01ce0 5 bytes JMP 0000000100070290 .text C:\Windows\system32\services.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077c01d70 5 bytes JMP 00000001000702b0 .text C:\Windows\system32\services.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077c01d90 5 bytes JMP 00000001000703d0 .text C:\Windows\system32\services.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077c01da0 1 byte JMP 0000000100070330 .text C:\Windows\system32\services.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077c01da2 3 bytes {JMP 0xffffffff8846e590} .text C:\Windows\system32\services.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077c01e10 5 bytes JMP 0000000100070410 .text C:\Windows\system32\services.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077c01e40 5 bytes JMP 0000000100070240 .text C:\Windows\system32\services.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077c02100 5 bytes JMP 00000001000701e0 .text C:\Windows\system32\services.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077c021c0 1 byte JMP 0000000100070250 .text C:\Windows\system32\services.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000077c021c2 3 bytes {JMP 0xffffffff8846e090} .text C:\Windows\system32\services.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077c021f0 5 bytes JMP 0000000100070490 .text C:\Windows\system32\services.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077c02200 5 bytes JMP 00000001000704a0 .text C:\Windows\system32\services.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077c02230 5 bytes JMP 0000000100070300 .text C:\Windows\system32\services.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077c02240 5 bytes JMP 0000000100070360 .text C:\Windows\system32\services.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077c022a0 5 bytes JMP 00000001000702a0 .text C:\Windows\system32\services.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077c022f0 5 bytes JMP 00000001000702c0 .text C:\Windows\system32\services.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077c02320 5 bytes JMP 0000000100070380 .text C:\Windows\system32\services.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077c02330 5 bytes JMP 0000000100070340 .text C:\Windows\system32\services.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077c02620 5 bytes JMP 0000000100070440 .text C:\Windows\system32\services.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077c02820 5 bytes JMP 0000000100070260 .text C:\Windows\system32\services.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077c02830 5 bytes JMP 0000000100070270 .text C:\Windows\system32\services.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077c02840 5 bytes JMP 0000000100070400 .text C:\Windows\system32\services.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077c02a00 5 bytes JMP 00000001000701f0 .text C:\Windows\system32\services.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077c02a10 5 bytes JMP 0000000100070210 .text C:\Windows\system32\services.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077c02a80 5 bytes JMP 0000000100070200 .text C:\Windows\system32\services.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077c02ae0 5 bytes JMP 0000000100070420 .text C:\Windows\system32\services.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077c02af0 5 bytes JMP 0000000100070430 .text C:\Windows\system32\services.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077c02b00 5 bytes JMP 0000000100070220 .text C:\Windows\system32\services.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077c02be0 5 bytes JMP 0000000100070280 .text C:\Windows\system32\services.exe[540] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000779eeecd 1 byte [62] .text C:\Windows\system32\lsass.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077c013c0 5 bytes JMP 0000000077d60460 .text C:\Windows\system32\lsass.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077c01410 5 bytes JMP 0000000077d60450 .text C:\Windows\system32\lsass.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077c01570 5 bytes JMP 0000000077d60370 .text C:\Windows\system32\lsass.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077c015c0 5 bytes JMP 0000000077d60470 .text C:\Windows\system32\lsass.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077c015d0 5 bytes JMP 0000000077d603e0 .text C:\Windows\system32\lsass.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077c01680 5 bytes JMP 0000000077d60320 .text C:\Windows\system32\lsass.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077c016b0 5 bytes JMP 0000000077d603b0 .text C:\Windows\system32\lsass.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077c016d0 5 bytes JMP 0000000077d60390 .text C:\Windows\system32\lsass.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077c01710 5 bytes JMP 0000000077d602e0 .text C:\Windows\system32\lsass.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077c01790 5 bytes JMP 0000000077d602d0 .text C:\Windows\system32\lsass.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077c017b0 5 bytes JMP 0000000077d60310 .text C:\Windows\system32\lsass.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077c017f0 5 bytes JMP 0000000077d603c0 .text C:\Windows\system32\lsass.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077c01840 5 bytes JMP 0000000077d603f0 .text C:\Windows\system32\lsass.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077c019a0 1 byte JMP 0000000077d60230 .text C:\Windows\system32\lsass.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000077c019a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\lsass.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077c01b60 5 bytes JMP 0000000077d60480 .text C:\Windows\system32\lsass.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077c01b90 5 bytes JMP 0000000077d603a0 .text C:\Windows\system32\lsass.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077c01c70 5 bytes JMP 0000000077d602f0 .text C:\Windows\system32\lsass.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077c01c80 5 bytes JMP 0000000077d60350 .text C:\Windows\system32\lsass.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077c01ce0 5 bytes JMP 0000000077d60290 .text C:\Windows\system32\lsass.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077c01d70 5 bytes JMP 0000000077d602b0 .text C:\Windows\system32\lsass.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077c01d90 5 bytes JMP 0000000077d603d0 .text C:\Windows\system32\lsass.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077c01da0 1 byte JMP 0000000077d60330 .text C:\Windows\system32\lsass.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077c01da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\lsass.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077c01e10 5 bytes JMP 0000000077d60410 .text C:\Windows\system32\lsass.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077c01e40 5 bytes JMP 0000000077d60240 .text C:\Windows\system32\lsass.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077c02100 5 bytes JMP 0000000077d601e0 .text C:\Windows\system32\lsass.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077c021c0 1 byte JMP 0000000077d60250 .text C:\Windows\system32\lsass.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000077c021c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\lsass.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077c021f0 5 bytes JMP 0000000077d60490 .text C:\Windows\system32\lsass.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077c02200 5 bytes JMP 0000000077d604a0 .text C:\Windows\system32\lsass.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077c02230 5 bytes JMP 0000000077d60300 .text C:\Windows\system32\lsass.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077c02240 5 bytes JMP 0000000077d60360 .text C:\Windows\system32\lsass.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077c022a0 5 bytes JMP 0000000077d602a0 .text C:\Windows\system32\lsass.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077c022f0 5 bytes JMP 0000000077d602c0 .text C:\Windows\system32\lsass.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077c02320 5 bytes JMP 0000000077d60380 .text C:\Windows\system32\lsass.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077c02330 5 bytes JMP 0000000077d60340 .text C:\Windows\system32\lsass.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077c02620 5 bytes JMP 0000000077d60440 .text C:\Windows\system32\lsass.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077c02820 5 bytes JMP 0000000077d60260 .text C:\Windows\system32\lsass.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077c02830 5 bytes JMP 0000000077d60270 .text C:\Windows\system32\lsass.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077c02840 5 bytes JMP 0000000077d60400 .text C:\Windows\system32\lsass.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077c02a00 5 bytes JMP 0000000077d601f0 .text C:\Windows\system32\lsass.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077c02a10 5 bytes JMP 0000000077d60210 .text C:\Windows\system32\lsass.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077c02a80 5 bytes JMP 0000000077d60200 .text C:\Windows\system32\lsass.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077c02ae0 5 bytes JMP 0000000077d60420 .text C:\Windows\system32\lsass.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077c02af0 5 bytes JMP 0000000077d60430 .text C:\Windows\system32\lsass.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077c02b00 5 bytes JMP 0000000077d60220 .text C:\Windows\system32\lsass.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077c02be0 5 bytes JMP 0000000077d60280 .text C:\Windows\system32\lsm.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077c013c0 5 bytes JMP 0000000077d60460 .text C:\Windows\system32\lsm.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077c01410 5 bytes JMP 0000000077d60450 .text C:\Windows\system32\lsm.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077c01570 5 bytes JMP 0000000077d60370 .text C:\Windows\system32\lsm.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077c015c0 5 bytes JMP 0000000077d60470 .text C:\Windows\system32\lsm.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077c015d0 5 bytes JMP 0000000077d603e0 .text C:\Windows\system32\lsm.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077c01680 5 bytes JMP 0000000077d60320 .text C:\Windows\system32\lsm.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077c016b0 5 bytes JMP 0000000077d603b0 .text C:\Windows\system32\lsm.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077c016d0 5 bytes JMP 0000000077d60390 .text C:\Windows\system32\lsm.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077c01710 5 bytes JMP 0000000077d602e0 .text C:\Windows\system32\lsm.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077c01790 5 bytes JMP 0000000077d602d0 .text C:\Windows\system32\lsm.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077c017b0 5 bytes JMP 0000000077d60310 .text C:\Windows\system32\lsm.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077c017f0 5 bytes JMP 0000000077d603c0 .text C:\Windows\system32\lsm.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077c01840 5 bytes JMP 0000000077d603f0 .text C:\Windows\system32\lsm.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077c019a0 1 byte JMP 0000000077d60230 .text C:\Windows\system32\lsm.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000077c019a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\lsm.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077c01b60 5 bytes JMP 0000000077d60480 .text C:\Windows\system32\lsm.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077c01b90 5 bytes JMP 0000000077d603a0 .text C:\Windows\system32\lsm.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077c01c70 5 bytes JMP 0000000077d602f0 .text C:\Windows\system32\lsm.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077c01c80 5 bytes JMP 0000000077d60350 .text C:\Windows\system32\lsm.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077c01ce0 5 bytes JMP 0000000077d60290 .text C:\Windows\system32\lsm.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077c01d70 5 bytes JMP 0000000077d602b0 .text C:\Windows\system32\lsm.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077c01d90 5 bytes JMP 0000000077d603d0 .text C:\Windows\system32\lsm.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077c01da0 1 byte JMP 0000000077d60330 .text C:\Windows\system32\lsm.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077c01da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\lsm.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077c01e10 5 bytes JMP 0000000077d60410 .text C:\Windows\system32\lsm.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077c01e40 5 bytes JMP 0000000077d60240 .text C:\Windows\system32\lsm.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077c02100 5 bytes JMP 0000000077d601e0 .text C:\Windows\system32\lsm.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077c021c0 1 byte JMP 0000000077d60250 .text C:\Windows\system32\lsm.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000077c021c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\lsm.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077c021f0 5 bytes JMP 0000000077d60490 .text C:\Windows\system32\lsm.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077c02200 5 bytes JMP 0000000077d604a0 .text C:\Windows\system32\lsm.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077c02230 5 bytes JMP 0000000077d60300 .text C:\Windows\system32\lsm.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077c02240 5 bytes JMP 0000000077d60360 .text C:\Windows\system32\lsm.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077c022a0 5 bytes JMP 0000000077d602a0 .text C:\Windows\system32\lsm.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077c022f0 5 bytes JMP 0000000077d602c0 .text C:\Windows\system32\lsm.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077c02320 5 bytes JMP 0000000077d60380 .text C:\Windows\system32\lsm.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077c02330 5 bytes JMP 0000000077d60340 .text C:\Windows\system32\lsm.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077c02620 5 bytes JMP 0000000077d60440 .text C:\Windows\system32\lsm.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077c02820 5 bytes JMP 0000000077d60260 .text C:\Windows\system32\lsm.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077c02830 5 bytes JMP 0000000077d60270 .text C:\Windows\system32\lsm.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077c02840 5 bytes JMP 0000000077d60400 .text C:\Windows\system32\lsm.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077c02a00 5 bytes JMP 0000000077d601f0 .text C:\Windows\system32\lsm.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077c02a10 5 bytes JMP 0000000077d60210 .text C:\Windows\system32\lsm.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077c02a80 5 bytes JMP 0000000077d60200 .text C:\Windows\system32\lsm.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077c02ae0 5 bytes JMP 0000000077d60420 .text C:\Windows\system32\lsm.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077c02af0 5 bytes JMP 0000000077d60430 .text C:\Windows\system32\lsm.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077c02b00 5 bytes JMP 0000000077d60220 .text C:\Windows\system32\lsm.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077c02be0 5 bytes JMP 0000000077d60280 .text C:\Windows\system32\svchost.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077c013c0 5 bytes JMP 0000000077d60460 .text C:\Windows\system32\svchost.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077c01410 5 bytes JMP 0000000077d60450 .text C:\Windows\system32\svchost.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077c01570 5 bytes JMP 0000000077d60370 .text C:\Windows\system32\svchost.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077c015c0 5 bytes JMP 0000000077d60470 .text C:\Windows\system32\svchost.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077c015d0 5 bytes JMP 0000000077d603e0 .text C:\Windows\system32\svchost.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077c01680 5 bytes JMP 0000000077d60320 .text C:\Windows\system32\svchost.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077c016b0 5 bytes JMP 0000000077d603b0 .text C:\Windows\system32\svchost.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077c016d0 5 bytes JMP 0000000077d60390 .text C:\Windows\system32\svchost.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077c01710 5 bytes JMP 0000000077d602e0 .text C:\Windows\system32\svchost.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077c01790 5 bytes JMP 0000000077d602d0 .text C:\Windows\system32\svchost.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077c017b0 5 bytes JMP 0000000077d60310 .text C:\Windows\system32\svchost.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077c017f0 5 bytes JMP 0000000077d603c0 .text C:\Windows\system32\svchost.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077c01840 5 bytes JMP 0000000077d603f0 .text C:\Windows\system32\svchost.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077c019a0 1 byte JMP 0000000077d60230 .text C:\Windows\system32\svchost.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000077c019a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\svchost.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077c01b60 5 bytes JMP 0000000077d60480 .text C:\Windows\system32\svchost.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077c01b90 5 bytes JMP 0000000077d603a0 .text C:\Windows\system32\svchost.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077c01c70 5 bytes JMP 0000000077d602f0 .text C:\Windows\system32\svchost.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077c01c80 5 bytes JMP 0000000077d60350 .text C:\Windows\system32\svchost.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077c01ce0 5 bytes JMP 0000000077d60290 .text C:\Windows\system32\svchost.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077c01d70 5 bytes JMP 0000000077d602b0 .text C:\Windows\system32\svchost.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077c01d90 5 bytes JMP 0000000077d603d0 .text C:\Windows\system32\svchost.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077c01da0 1 byte JMP 0000000077d60330 .text C:\Windows\system32\svchost.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077c01da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\svchost.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077c01e10 5 bytes JMP 0000000077d60410 .text C:\Windows\system32\svchost.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077c01e40 5 bytes JMP 0000000077d60240 .text C:\Windows\system32\svchost.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077c02100 5 bytes JMP 0000000077d601e0 .text C:\Windows\system32\svchost.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077c021c0 1 byte JMP 0000000077d60250 .text C:\Windows\system32\svchost.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000077c021c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\svchost.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077c021f0 5 bytes JMP 0000000077d60490 .text C:\Windows\system32\svchost.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077c02200 5 bytes JMP 0000000077d604a0 .text C:\Windows\system32\svchost.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077c02230 5 bytes JMP 0000000077d60300 .text C:\Windows\system32\svchost.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077c02240 5 bytes JMP 0000000077d60360 .text C:\Windows\system32\svchost.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077c022a0 5 bytes JMP 0000000077d602a0 .text C:\Windows\system32\svchost.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077c022f0 5 bytes JMP 0000000077d602c0 .text C:\Windows\system32\svchost.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077c02320 5 bytes JMP 0000000077d60380 .text C:\Windows\system32\svchost.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077c02330 5 bytes JMP 0000000077d60340 .text C:\Windows\system32\svchost.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077c02620 5 bytes JMP 0000000077d60440 .text C:\Windows\system32\svchost.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077c02820 5 bytes JMP 0000000077d60260 .text C:\Windows\system32\svchost.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077c02830 5 bytes JMP 0000000077d60270 .text C:\Windows\system32\svchost.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077c02840 5 bytes JMP 0000000077d60400 .text C:\Windows\system32\svchost.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077c02a00 5 bytes JMP 0000000077d601f0 .text C:\Windows\system32\svchost.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077c02a10 5 bytes JMP 0000000077d60210 .text C:\Windows\system32\svchost.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077c02a80 5 bytes JMP 0000000077d60200 .text C:\Windows\system32\svchost.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077c02ae0 5 bytes JMP 0000000077d60420 .text C:\Windows\system32\svchost.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077c02af0 5 bytes JMP 0000000077d60430 .text C:\Windows\system32\svchost.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077c02b00 5 bytes JMP 0000000077d60220 .text C:\Windows\system32\svchost.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077c02be0 5 bytes JMP 0000000077d60280 .text C:\Windows\system32\svchost.exe[676] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000779eeecd 1 byte [62] .text C:\Windows\system32\svchost.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077c013c0 5 bytes JMP 0000000100070460 .text C:\Windows\system32\svchost.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077c01410 5 bytes JMP 0000000100070450 .text C:\Windows\system32\svchost.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077c01570 5 bytes JMP 0000000100070370 .text C:\Windows\system32\svchost.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077c015c0 5 bytes JMP 0000000100070470 .text C:\Windows\system32\svchost.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077c015d0 5 bytes JMP 00000001000703e0 .text C:\Windows\system32\svchost.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077c01680 5 bytes JMP 0000000100070320 .text C:\Windows\system32\svchost.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077c016b0 5 bytes JMP 00000001000703b0 .text C:\Windows\system32\svchost.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077c016d0 5 bytes JMP 0000000100070390 .text C:\Windows\system32\svchost.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077c01710 5 bytes JMP 00000001000702e0 .text C:\Windows\system32\svchost.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077c01790 5 bytes JMP 00000001000702d0 .text C:\Windows\system32\svchost.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077c017b0 5 bytes JMP 0000000100070310 .text C:\Windows\system32\svchost.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077c017f0 5 bytes JMP 00000001000703c0 .text C:\Windows\system32\svchost.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077c01840 5 bytes JMP 00000001000703f0 .text C:\Windows\system32\svchost.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077c019a0 1 byte JMP 0000000100070230 .text C:\Windows\system32\svchost.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000077c019a2 3 bytes {JMP 0xffffffff8846e890} .text C:\Windows\system32\svchost.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077c01b60 5 bytes JMP 0000000100070480 .text C:\Windows\system32\svchost.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077c01b90 5 bytes JMP 00000001000703a0 .text C:\Windows\system32\svchost.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077c01c70 5 bytes JMP 00000001000702f0 .text C:\Windows\system32\svchost.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077c01c80 5 bytes JMP 0000000100070350 .text C:\Windows\system32\svchost.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077c01ce0 5 bytes JMP 0000000100070290 .text C:\Windows\system32\svchost.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077c01d70 5 bytes JMP 00000001000702b0 .text C:\Windows\system32\svchost.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077c01d90 5 bytes JMP 00000001000703d0 .text C:\Windows\system32\svchost.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077c01da0 1 byte JMP 0000000100070330 .text C:\Windows\system32\svchost.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077c01da2 3 bytes {JMP 0xffffffff8846e590} .text C:\Windows\system32\svchost.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077c01e10 5 bytes JMP 0000000100070410 .text C:\Windows\system32\svchost.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077c01e40 5 bytes JMP 0000000100070240 .text C:\Windows\system32\svchost.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077c02100 5 bytes JMP 00000001000701e0 .text C:\Windows\system32\svchost.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077c021c0 1 byte JMP 0000000100070250 .text C:\Windows\system32\svchost.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000077c021c2 3 bytes {JMP 0xffffffff8846e090} .text C:\Windows\system32\svchost.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077c021f0 5 bytes JMP 0000000100070490 .text C:\Windows\system32\svchost.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077c02200 5 bytes JMP 00000001000704a0 .text C:\Windows\system32\svchost.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077c02230 5 bytes JMP 0000000100070300 .text C:\Windows\system32\svchost.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077c02240 5 bytes JMP 0000000100070360 .text C:\Windows\system32\svchost.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077c022a0 5 bytes JMP 00000001000702a0 .text C:\Windows\system32\svchost.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077c022f0 5 bytes JMP 00000001000702c0 .text C:\Windows\system32\svchost.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077c02320 5 bytes JMP 0000000100070380 .text C:\Windows\system32\svchost.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077c02330 5 bytes JMP 0000000100070340 .text C:\Windows\system32\svchost.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077c02620 5 bytes JMP 0000000100070440 .text C:\Windows\system32\svchost.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077c02820 5 bytes JMP 0000000100070260 .text C:\Windows\system32\svchost.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077c02830 5 bytes JMP 0000000100070270 .text C:\Windows\system32\svchost.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077c02840 5 bytes JMP 0000000100070400 .text C:\Windows\system32\svchost.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077c02a00 5 bytes JMP 00000001000701f0 .text C:\Windows\system32\svchost.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077c02a10 5 bytes JMP 0000000100070210 .text C:\Windows\system32\svchost.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077c02a80 5 bytes JMP 0000000100070200 .text C:\Windows\system32\svchost.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077c02ae0 5 bytes JMP 0000000100070420 .text C:\Windows\system32\svchost.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077c02af0 5 bytes JMP 0000000100070430 .text C:\Windows\system32\svchost.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077c02b00 5 bytes JMP 0000000100070220 .text C:\Windows\system32\svchost.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077c02be0 5 bytes JMP 0000000100070280 .text C:\Windows\system32\atiesrxx.exe[832] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000779eeecd 1 byte [62] .text C:\Windows\system32\winlogon.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077c013c0 5 bytes JMP 0000000077d60460 .text C:\Windows\system32\winlogon.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077c01410 5 bytes JMP 0000000077d60450 .text C:\Windows\system32\winlogon.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077c01570 5 bytes JMP 0000000077d60370 .text C:\Windows\system32\winlogon.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077c015c0 5 bytes JMP 0000000077d60470 .text C:\Windows\system32\winlogon.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077c015d0 5 bytes JMP 0000000077d603e0 .text C:\Windows\system32\winlogon.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077c01680 5 bytes JMP 0000000077d60320 .text C:\Windows\system32\winlogon.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077c016b0 5 bytes JMP 0000000077d603b0 .text C:\Windows\system32\winlogon.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077c016d0 5 bytes JMP 0000000077d60390 .text C:\Windows\system32\winlogon.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077c01710 5 bytes JMP 0000000077d602e0 .text C:\Windows\system32\winlogon.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077c01790 5 bytes JMP 0000000077d602d0 .text C:\Windows\system32\winlogon.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077c017b0 5 bytes JMP 0000000077d60310 .text C:\Windows\system32\winlogon.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077c017f0 5 bytes JMP 0000000077d603c0 .text C:\Windows\system32\winlogon.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077c01840 5 bytes JMP 0000000077d603f0 .text C:\Windows\system32\winlogon.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077c019a0 1 byte JMP 0000000077d60230 .text C:\Windows\system32\winlogon.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000077c019a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\winlogon.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077c01b60 5 bytes JMP 0000000077d60480 .text C:\Windows\system32\winlogon.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077c01b90 5 bytes JMP 0000000077d603a0 .text C:\Windows\system32\winlogon.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077c01c70 5 bytes JMP 0000000077d602f0 .text C:\Windows\system32\winlogon.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077c01c80 5 bytes JMP 0000000077d60350 .text C:\Windows\system32\winlogon.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077c01ce0 5 bytes JMP 0000000077d60290 .text C:\Windows\system32\winlogon.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077c01d70 5 bytes JMP 0000000077d602b0 .text C:\Windows\system32\winlogon.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077c01d90 5 bytes JMP 0000000077d603d0 .text C:\Windows\system32\winlogon.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077c01da0 1 byte JMP 0000000077d60330 .text C:\Windows\system32\winlogon.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077c01da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\winlogon.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077c01e10 5 bytes JMP 0000000077d60410 .text C:\Windows\system32\winlogon.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077c01e40 5 bytes JMP 0000000077d60240 .text C:\Windows\system32\winlogon.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077c02100 5 bytes JMP 0000000077d601e0 .text C:\Windows\system32\winlogon.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077c021c0 1 byte JMP 0000000077d60250 .text C:\Windows\system32\winlogon.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000077c021c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\winlogon.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077c021f0 5 bytes JMP 0000000077d60490 .text C:\Windows\system32\winlogon.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077c02200 5 bytes JMP 0000000077d604a0 .text C:\Windows\system32\winlogon.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077c02230 5 bytes JMP 0000000077d60300 .text C:\Windows\system32\winlogon.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077c02240 5 bytes JMP 0000000077d60360 .text C:\Windows\system32\winlogon.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077c022a0 5 bytes JMP 0000000077d602a0 .text C:\Windows\system32\winlogon.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077c022f0 5 bytes JMP 0000000077d602c0 .text C:\Windows\system32\winlogon.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077c02320 5 bytes JMP 0000000077d60380 .text C:\Windows\system32\winlogon.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077c02330 5 bytes JMP 0000000077d60340 .text C:\Windows\system32\winlogon.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077c02620 5 bytes JMP 0000000077d60440 .text C:\Windows\system32\winlogon.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077c02820 5 bytes JMP 0000000077d60260 .text C:\Windows\system32\winlogon.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077c02830 5 bytes JMP 0000000077d60270 .text C:\Windows\system32\winlogon.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077c02840 5 bytes JMP 0000000077d60400 .text C:\Windows\system32\winlogon.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077c02a00 5 bytes JMP 0000000077d601f0 .text C:\Windows\system32\winlogon.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077c02a10 5 bytes JMP 0000000077d60210 .text C:\Windows\system32\winlogon.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077c02a80 5 bytes JMP 0000000077d60200 .text C:\Windows\system32\winlogon.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077c02ae0 5 bytes JMP 0000000077d60420 .text C:\Windows\system32\winlogon.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077c02af0 5 bytes JMP 0000000077d60430 .text C:\Windows\system32\winlogon.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077c02b00 5 bytes JMP 0000000077d60220 .text C:\Windows\system32\winlogon.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077c02be0 5 bytes JMP 0000000077d60280 .text C:\Windows\system32\winlogon.exe[868] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000779eeecd 1 byte [62] .text C:\Windows\System32\svchost.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077c013c0 5 bytes JMP 0000000077d60460 .text C:\Windows\System32\svchost.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077c01410 5 bytes JMP 0000000077d60450 .text C:\Windows\System32\svchost.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077c01570 5 bytes JMP 0000000077d60370 .text C:\Windows\System32\svchost.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077c015c0 5 bytes JMP 0000000077d60470 .text C:\Windows\System32\svchost.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077c015d0 5 bytes JMP 0000000077d603e0 .text C:\Windows\System32\svchost.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077c01680 5 bytes JMP 0000000077d60320 .text C:\Windows\System32\svchost.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077c016b0 5 bytes JMP 0000000077d603b0 .text C:\Windows\System32\svchost.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077c016d0 5 bytes JMP 0000000077d60390 .text C:\Windows\System32\svchost.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077c01710 5 bytes JMP 0000000077d602e0 .text C:\Windows\System32\svchost.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077c01790 5 bytes JMP 0000000077d602d0 .text C:\Windows\System32\svchost.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077c017b0 5 bytes JMP 0000000077d60310 .text C:\Windows\System32\svchost.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077c017f0 5 bytes JMP 0000000077d603c0 .text C:\Windows\System32\svchost.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077c01840 5 bytes JMP 0000000077d603f0 .text C:\Windows\System32\svchost.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077c019a0 1 byte JMP 0000000077d60230 .text C:\Windows\System32\svchost.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000077c019a2 3 bytes {JMP 0x15e890} .text C:\Windows\System32\svchost.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077c01b60 5 bytes JMP 0000000077d60480 .text C:\Windows\System32\svchost.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077c01b90 5 bytes JMP 0000000077d603a0 .text C:\Windows\System32\svchost.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077c01c70 5 bytes JMP 0000000077d602f0 .text C:\Windows\System32\svchost.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077c01c80 5 bytes JMP 0000000077d60350 .text C:\Windows\System32\svchost.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077c01ce0 5 bytes JMP 0000000077d60290 .text C:\Windows\System32\svchost.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077c01d70 5 bytes JMP 0000000077d602b0 .text C:\Windows\System32\svchost.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077c01d90 5 bytes JMP 0000000077d603d0 .text C:\Windows\System32\svchost.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077c01da0 1 byte JMP 0000000077d60330 .text C:\Windows\System32\svchost.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077c01da2 3 bytes {JMP 0x15e590} .text C:\Windows\System32\svchost.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077c01e10 5 bytes JMP 0000000077d60410 .text C:\Windows\System32\svchost.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077c01e40 5 bytes JMP 0000000077d60240 .text C:\Windows\System32\svchost.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077c02100 5 bytes JMP 0000000077d601e0 .text C:\Windows\System32\svchost.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077c021c0 1 byte JMP 0000000077d60250 .text C:\Windows\System32\svchost.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000077c021c2 3 bytes {JMP 0x15e090} .text C:\Windows\System32\svchost.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077c021f0 5 bytes JMP 0000000077d60490 .text C:\Windows\System32\svchost.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077c02200 5 bytes JMP 0000000077d604a0 .text C:\Windows\System32\svchost.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077c02230 5 bytes JMP 0000000077d60300 .text C:\Windows\System32\svchost.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077c02240 5 bytes JMP 0000000077d60360 .text C:\Windows\System32\svchost.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077c022a0 5 bytes JMP 0000000077d602a0 .text C:\Windows\System32\svchost.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077c022f0 5 bytes JMP 0000000077d602c0 .text C:\Windows\System32\svchost.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077c02320 5 bytes JMP 0000000077d60380 .text C:\Windows\System32\svchost.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077c02330 5 bytes JMP 0000000077d60340 .text C:\Windows\System32\svchost.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077c02620 5 bytes JMP 0000000077d60440 .text C:\Windows\System32\svchost.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077c02820 5 bytes JMP 0000000077d60260 .text C:\Windows\System32\svchost.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077c02830 5 bytes JMP 0000000077d60270 .text C:\Windows\System32\svchost.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077c02840 5 bytes JMP 0000000077d60400 .text C:\Windows\System32\svchost.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077c02a00 5 bytes JMP 0000000077d601f0 .text C:\Windows\System32\svchost.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077c02a10 5 bytes JMP 0000000077d60210 .text C:\Windows\System32\svchost.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077c02a80 5 bytes JMP 0000000077d60200 .text C:\Windows\System32\svchost.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077c02ae0 5 bytes JMP 0000000077d60420 .text C:\Windows\System32\svchost.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077c02af0 5 bytes JMP 0000000077d60430 .text C:\Windows\System32\svchost.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077c02b00 5 bytes JMP 0000000077d60220 .text C:\Windows\System32\svchost.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077c02be0 5 bytes JMP 0000000077d60280 .text C:\Windows\System32\svchost.exe[908] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000779eeecd 1 byte [62] .text C:\Windows\System32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077c013c0 5 bytes JMP 0000000077d60460 .text C:\Windows\System32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077c01410 5 bytes JMP 0000000077d60450 .text C:\Windows\System32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077c01570 5 bytes JMP 0000000077d60370 .text C:\Windows\System32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077c015c0 5 bytes JMP 0000000077d60470 .text C:\Windows\System32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077c015d0 5 bytes JMP 0000000077d603e0 .text C:\Windows\System32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077c01680 5 bytes JMP 0000000077d60320 .text C:\Windows\System32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077c016b0 5 bytes JMP 0000000077d603b0 .text C:\Windows\System32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077c016d0 5 bytes JMP 0000000077d60390 .text C:\Windows\System32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077c01710 5 bytes JMP 0000000077d602e0 .text C:\Windows\System32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077c01790 5 bytes JMP 0000000077d602d0 .text C:\Windows\System32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077c017b0 5 bytes JMP 0000000077d60310 .text C:\Windows\System32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077c017f0 5 bytes JMP 0000000077d603c0 .text C:\Windows\System32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077c01840 5 bytes JMP 0000000077d603f0 .text C:\Windows\System32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077c019a0 1 byte JMP 0000000077d60230 .text C:\Windows\System32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000077c019a2 3 bytes {JMP 0x15e890} .text C:\Windows\System32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077c01b60 5 bytes JMP 0000000077d60480 .text C:\Windows\System32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077c01b90 5 bytes JMP 0000000077d603a0 .text C:\Windows\System32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077c01c70 5 bytes JMP 0000000077d602f0 .text C:\Windows\System32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077c01c80 5 bytes JMP 0000000077d60350 .text C:\Windows\System32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077c01ce0 5 bytes JMP 0000000077d60290 .text C:\Windows\System32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077c01d70 5 bytes JMP 0000000077d602b0 .text C:\Windows\System32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077c01d90 5 bytes JMP 0000000077d603d0 .text C:\Windows\System32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077c01da0 1 byte JMP 0000000077d60330 .text C:\Windows\System32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077c01da2 3 bytes {JMP 0x15e590} .text C:\Windows\System32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077c01e10 5 bytes JMP 0000000077d60410 .text C:\Windows\System32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077c01e40 5 bytes JMP 0000000077d60240 .text C:\Windows\System32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077c02100 5 bytes JMP 0000000077d601e0 .text C:\Windows\System32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077c021c0 1 byte JMP 0000000077d60250 .text C:\Windows\System32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000077c021c2 3 bytes {JMP 0x15e090} .text C:\Windows\System32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077c021f0 5 bytes JMP 0000000077d60490 .text C:\Windows\System32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077c02200 5 bytes JMP 0000000077d604a0 .text C:\Windows\System32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077c02230 5 bytes JMP 0000000077d60300 .text C:\Windows\System32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077c02240 5 bytes JMP 0000000077d60360 .text C:\Windows\System32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077c022a0 5 bytes JMP 0000000077d602a0 .text C:\Windows\System32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077c022f0 5 bytes JMP 0000000077d602c0 .text C:\Windows\System32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077c02320 5 bytes JMP 0000000077d60380 .text C:\Windows\System32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077c02330 5 bytes JMP 0000000077d60340 .text C:\Windows\System32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077c02620 5 bytes JMP 0000000077d60440 .text C:\Windows\System32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077c02820 5 bytes JMP 0000000077d60260 .text C:\Windows\System32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077c02830 5 bytes JMP 0000000077d60270 .text C:\Windows\System32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077c02840 5 bytes JMP 0000000077d60400 .text C:\Windows\System32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077c02a00 5 bytes JMP 0000000077d601f0 .text C:\Windows\System32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077c02a10 5 bytes JMP 0000000077d60210 .text C:\Windows\System32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077c02a80 5 bytes JMP 0000000077d60200 .text C:\Windows\System32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077c02ae0 5 bytes JMP 0000000077d60420 .text C:\Windows\System32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077c02af0 5 bytes JMP 0000000077d60430 .text C:\Windows\System32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077c02b00 5 bytes JMP 0000000077d60220 .text C:\Windows\System32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077c02be0 5 bytes JMP 0000000077d60280 .text C:\Windows\System32\svchost.exe[948] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000779eeecd 1 byte [62] .text C:\Windows\system32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077c013c0 5 bytes JMP 0000000077d60460 .text C:\Windows\system32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077c01410 5 bytes JMP 0000000077d60450 .text C:\Windows\system32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077c01570 5 bytes JMP 0000000077d60370 .text C:\Windows\system32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077c015c0 5 bytes JMP 0000000077d60470 .text C:\Windows\system32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077c015d0 5 bytes JMP 0000000077d603e0 .text C:\Windows\system32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077c01680 5 bytes JMP 0000000077d60320 .text C:\Windows\system32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077c016b0 5 bytes JMP 0000000077d603b0 .text C:\Windows\system32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077c016d0 5 bytes JMP 0000000077d60390 .text C:\Windows\system32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077c01710 5 bytes JMP 0000000077d602e0 .text C:\Windows\system32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077c01790 5 bytes JMP 0000000077d602d0 .text C:\Windows\system32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077c017b0 5 bytes JMP 0000000077d60310 .text C:\Windows\system32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077c017f0 5 bytes JMP 0000000077d603c0 .text C:\Windows\system32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077c01840 5 bytes JMP 0000000077d603f0 .text C:\Windows\system32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077c019a0 1 byte JMP 0000000077d60230 .text C:\Windows\system32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000077c019a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077c01b60 5 bytes JMP 0000000077d60480 .text C:\Windows\system32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077c01b90 5 bytes JMP 0000000077d603a0 .text C:\Windows\system32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077c01c70 5 bytes JMP 0000000077d602f0 .text C:\Windows\system32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077c01c80 5 bytes JMP 0000000077d60350 .text C:\Windows\system32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077c01ce0 5 bytes JMP 0000000077d60290 .text C:\Windows\system32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077c01d70 5 bytes JMP 0000000077d602b0 .text C:\Windows\system32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077c01d90 5 bytes JMP 0000000077d603d0 .text C:\Windows\system32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077c01da0 1 byte JMP 0000000077d60330 .text C:\Windows\system32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077c01da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077c01e10 5 bytes JMP 0000000077d60410 .text C:\Windows\system32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077c01e40 5 bytes JMP 0000000077d60240 .text C:\Windows\system32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077c02100 5 bytes JMP 0000000077d601e0 .text C:\Windows\system32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077c021c0 1 byte JMP 0000000077d60250 .text C:\Windows\system32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000077c021c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077c021f0 5 bytes JMP 0000000077d60490 .text C:\Windows\system32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077c02200 5 bytes JMP 0000000077d604a0 .text C:\Windows\system32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077c02230 5 bytes JMP 0000000077d60300 .text C:\Windows\system32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077c02240 5 bytes JMP 0000000077d60360 .text C:\Windows\system32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077c022a0 5 bytes JMP 0000000077d602a0 .text C:\Windows\system32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077c022f0 5 bytes JMP 0000000077d602c0 .text C:\Windows\system32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077c02320 5 bytes JMP 0000000077d60380 .text C:\Windows\system32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077c02330 5 bytes JMP 0000000077d60340 .text C:\Windows\system32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077c02620 5 bytes JMP 0000000077d60440 .text C:\Windows\system32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077c02820 5 bytes JMP 0000000077d60260 .text C:\Windows\system32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077c02830 5 bytes JMP 0000000077d60270 .text C:\Windows\system32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077c02840 5 bytes JMP 0000000077d60400 .text C:\Windows\system32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077c02a00 5 bytes JMP 0000000077d601f0 .text C:\Windows\system32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077c02a10 5 bytes JMP 0000000077d60210 .text C:\Windows\system32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077c02a80 5 bytes JMP 0000000077d60200 .text C:\Windows\system32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077c02ae0 5 bytes JMP 0000000077d60420 .text C:\Windows\system32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077c02af0 5 bytes JMP 0000000077d60430 .text C:\Windows\system32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077c02b00 5 bytes JMP 0000000077d60220 .text C:\Windows\system32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077c02be0 5 bytes JMP 0000000077d60280 .text C:\Windows\system32\svchost.exe[992] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000779eeecd 1 byte [62] .text C:\Windows\system32\AUDIODG.EXE[420] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077c013c0 5 bytes JMP 0000000077d60460 .text C:\Windows\system32\AUDIODG.EXE[420] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077c01410 5 bytes JMP 0000000077d60450 .text C:\Windows\system32\AUDIODG.EXE[420] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077c01570 5 bytes JMP 0000000077d60370 .text C:\Windows\system32\AUDIODG.EXE[420] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077c015c0 5 bytes JMP 0000000077d60470 .text C:\Windows\system32\AUDIODG.EXE[420] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077c015d0 5 bytes JMP 0000000077d603e0 .text C:\Windows\system32\AUDIODG.EXE[420] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077c01680 5 bytes JMP 0000000077d60320 .text C:\Windows\system32\AUDIODG.EXE[420] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077c016b0 5 bytes JMP 0000000077d603b0 .text C:\Windows\system32\AUDIODG.EXE[420] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077c016d0 5 bytes JMP 0000000077d60390 .text C:\Windows\system32\AUDIODG.EXE[420] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077c01710 5 bytes JMP 0000000077d602e0 .text C:\Windows\system32\AUDIODG.EXE[420] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077c01790 5 bytes JMP 0000000077d602d0 .text C:\Windows\system32\AUDIODG.EXE[420] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077c017b0 5 bytes JMP 0000000077d60310 .text C:\Windows\system32\AUDIODG.EXE[420] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077c017f0 5 bytes JMP 0000000077d603c0 .text C:\Windows\system32\AUDIODG.EXE[420] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077c01840 5 bytes JMP 0000000077d603f0 .text C:\Windows\system32\AUDIODG.EXE[420] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077c019a0 1 byte JMP 0000000077d60230 .text C:\Windows\system32\AUDIODG.EXE[420] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000077c019a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\AUDIODG.EXE[420] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077c01b60 5 bytes JMP 0000000077d60480 .text C:\Windows\system32\AUDIODG.EXE[420] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077c01b90 5 bytes JMP 0000000077d603a0 .text C:\Windows\system32\AUDIODG.EXE[420] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077c01c70 5 bytes JMP 0000000077d602f0 .text C:\Windows\system32\AUDIODG.EXE[420] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077c01c80 5 bytes JMP 0000000077d60350 .text C:\Windows\system32\AUDIODG.EXE[420] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077c01ce0 5 bytes JMP 0000000077d60290 .text C:\Windows\system32\AUDIODG.EXE[420] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077c01d70 5 bytes JMP 0000000077d602b0 .text C:\Windows\system32\AUDIODG.EXE[420] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077c01d90 5 bytes JMP 0000000077d603d0 .text C:\Windows\system32\AUDIODG.EXE[420] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077c01da0 1 byte JMP 0000000077d60330 .text C:\Windows\system32\AUDIODG.EXE[420] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077c01da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\AUDIODG.EXE[420] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077c01e10 5 bytes JMP 0000000077d60410 .text C:\Windows\system32\AUDIODG.EXE[420] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077c01e40 5 bytes JMP 0000000077d60240 .text C:\Windows\system32\AUDIODG.EXE[420] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077c02100 5 bytes JMP 0000000077d601e0 .text C:\Windows\system32\AUDIODG.EXE[420] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077c021c0 1 byte JMP 0000000077d60250 .text C:\Windows\system32\AUDIODG.EXE[420] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000077c021c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\AUDIODG.EXE[420] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077c021f0 5 bytes JMP 0000000077d60490 .text C:\Windows\system32\AUDIODG.EXE[420] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077c02200 5 bytes JMP 0000000077d604a0 .text C:\Windows\system32\AUDIODG.EXE[420] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077c02230 5 bytes JMP 0000000077d60300 .text C:\Windows\system32\AUDIODG.EXE[420] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077c02240 5 bytes JMP 0000000077d60360 .text C:\Windows\system32\AUDIODG.EXE[420] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077c022a0 5 bytes JMP 0000000077d602a0 .text C:\Windows\system32\AUDIODG.EXE[420] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077c022f0 5 bytes JMP 0000000077d602c0 .text C:\Windows\system32\AUDIODG.EXE[420] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077c02320 5 bytes JMP 0000000077d60380 .text C:\Windows\system32\AUDIODG.EXE[420] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077c02330 5 bytes JMP 0000000077d60340 .text C:\Windows\system32\AUDIODG.EXE[420] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077c02620 5 bytes JMP 0000000077d60440 .text C:\Windows\system32\AUDIODG.EXE[420] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077c02820 5 bytes JMP 0000000077d60260 .text C:\Windows\system32\AUDIODG.EXE[420] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077c02830 5 bytes JMP 0000000077d60270 .text C:\Windows\system32\AUDIODG.EXE[420] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077c02840 5 bytes JMP 0000000077d60400 .text C:\Windows\system32\AUDIODG.EXE[420] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077c02a00 5 bytes JMP 0000000077d601f0 .text C:\Windows\system32\AUDIODG.EXE[420] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077c02a10 5 bytes JMP 0000000077d60210 .text C:\Windows\system32\AUDIODG.EXE[420] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077c02a80 5 bytes JMP 0000000077d60200 .text C:\Windows\system32\AUDIODG.EXE[420] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077c02ae0 5 bytes JMP 0000000077d60420 .text C:\Windows\system32\AUDIODG.EXE[420] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077c02af0 5 bytes JMP 0000000077d60430 .text C:\Windows\system32\AUDIODG.EXE[420] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077c02b00 5 bytes JMP 0000000077d60220 .text C:\Windows\system32\AUDIODG.EXE[420] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077c02be0 5 bytes JMP 0000000077d60280 .text C:\Windows\system32\AUDIODG.EXE[420] C:\Windows\System32\kernel32.dll!GetBinaryTypeW + 189 00000000779eeecd 1 byte [62] .text C:\Windows\system32\svchost.exe[372] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077c013c0 5 bytes JMP 0000000100070460 .text C:\Windows\system32\svchost.exe[372] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077c01410 5 bytes JMP 0000000100070450 .text C:\Windows\system32\svchost.exe[372] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077c01570 5 bytes JMP 0000000100070370 .text C:\Windows\system32\svchost.exe[372] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077c015c0 5 bytes JMP 0000000100070470 .text C:\Windows\system32\svchost.exe[372] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077c015d0 5 bytes JMP 00000001000703e0 .text C:\Windows\system32\svchost.exe[372] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077c01680 5 bytes JMP 0000000100070320 .text C:\Windows\system32\svchost.exe[372] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077c016b0 5 bytes JMP 00000001000703b0 .text C:\Windows\system32\svchost.exe[372] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077c016d0 5 bytes JMP 0000000100070390 .text C:\Windows\system32\svchost.exe[372] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077c01710 5 bytes JMP 00000001000702e0 .text C:\Windows\system32\svchost.exe[372] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077c01790 5 bytes JMP 00000001000702d0 .text C:\Windows\system32\svchost.exe[372] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077c017b0 5 bytes JMP 0000000100070310 .text C:\Windows\system32\svchost.exe[372] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077c017f0 5 bytes JMP 00000001000703c0 .text C:\Windows\system32\svchost.exe[372] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077c01840 5 bytes JMP 00000001000703f0 .text C:\Windows\system32\svchost.exe[372] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077c019a0 1 byte JMP 0000000100070230 .text C:\Windows\system32\svchost.exe[372] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000077c019a2 3 bytes {JMP 0xffffffff8846e890} .text C:\Windows\system32\svchost.exe[372] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077c01b60 5 bytes JMP 0000000100070480 .text C:\Windows\system32\svchost.exe[372] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077c01b90 5 bytes JMP 00000001000703a0 .text C:\Windows\system32\svchost.exe[372] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077c01c70 5 bytes JMP 00000001000702f0 .text C:\Windows\system32\svchost.exe[372] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077c01c80 5 bytes JMP 0000000100070350 .text C:\Windows\system32\svchost.exe[372] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077c01ce0 5 bytes JMP 0000000100070290 .text C:\Windows\system32\svchost.exe[372] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077c01d70 5 bytes JMP 00000001000702b0 .text C:\Windows\system32\svchost.exe[372] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077c01d90 5 bytes JMP 00000001000703d0 .text C:\Windows\system32\svchost.exe[372] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077c01da0 1 byte JMP 0000000100070330 .text C:\Windows\system32\svchost.exe[372] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077c01da2 3 bytes {JMP 0xffffffff8846e590} .text C:\Windows\system32\svchost.exe[372] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077c01e10 5 bytes JMP 0000000100070410 .text C:\Windows\system32\svchost.exe[372] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077c01e40 5 bytes JMP 0000000100070240 .text C:\Windows\system32\svchost.exe[372] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077c02100 5 bytes JMP 00000001000701e0 .text C:\Windows\system32\svchost.exe[372] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077c021c0 1 byte JMP 0000000100070250 .text C:\Windows\system32\svchost.exe[372] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000077c021c2 3 bytes {JMP 0xffffffff8846e090} .text C:\Windows\system32\svchost.exe[372] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077c021f0 5 bytes JMP 0000000100070490 .text C:\Windows\system32\svchost.exe[372] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077c02200 5 bytes JMP 00000001000704a0 .text C:\Windows\system32\svchost.exe[372] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077c02230 5 bytes JMP 0000000100070300 .text C:\Windows\system32\svchost.exe[372] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077c02240 5 bytes JMP 0000000100070360 .text C:\Windows\system32\svchost.exe[372] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077c022a0 5 bytes JMP 00000001000702a0 .text C:\Windows\system32\svchost.exe[372] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077c022f0 5 bytes JMP 00000001000702c0 .text C:\Windows\system32\svchost.exe[372] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077c02320 5 bytes JMP 0000000100070380 .text C:\Windows\system32\svchost.exe[372] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077c02330 5 bytes JMP 0000000100070340 .text C:\Windows\system32\svchost.exe[372] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077c02620 5 bytes JMP 0000000100070440 .text C:\Windows\system32\svchost.exe[372] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077c02820 5 bytes JMP 0000000100070260 .text C:\Windows\system32\svchost.exe[372] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077c02830 5 bytes JMP 0000000100070270 .text C:\Windows\system32\svchost.exe[372] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077c02840 5 bytes JMP 0000000100070400 .text C:\Windows\system32\svchost.exe[372] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077c02a00 5 bytes JMP 00000001000701f0 .text C:\Windows\system32\svchost.exe[372] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077c02a10 5 bytes JMP 0000000100070210 .text C:\Windows\system32\svchost.exe[372] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077c02a80 5 bytes JMP 0000000100070200 .text C:\Windows\system32\svchost.exe[372] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077c02ae0 5 bytes JMP 0000000100070420 .text C:\Windows\system32\svchost.exe[372] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077c02af0 5 bytes JMP 0000000100070430 .text C:\Windows\system32\svchost.exe[372] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077c02b00 5 bytes JMP 0000000100070220 .text C:\Windows\system32\svchost.exe[372] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077c02be0 5 bytes JMP 0000000100070280 .text C:\Windows\system32\svchost.exe[372] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000779eeecd 1 byte [62] .text C:\Windows\system32\svchost.exe[788] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077c013c0 5 bytes JMP 0000000077d60460 .text C:\Windows\system32\svchost.exe[788] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077c01410 5 bytes JMP 0000000077d60450 .text C:\Windows\system32\svchost.exe[788] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077c01570 5 bytes JMP 0000000077d60370 .text C:\Windows\system32\svchost.exe[788] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077c015c0 5 bytes JMP 0000000077d60470 .text C:\Windows\system32\svchost.exe[788] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077c015d0 5 bytes JMP 0000000077d603e0 .text C:\Windows\system32\svchost.exe[788] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077c01680 5 bytes JMP 0000000077d60320 .text C:\Windows\system32\svchost.exe[788] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077c016b0 5 bytes JMP 0000000077d603b0 .text C:\Windows\system32\svchost.exe[788] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077c016d0 5 bytes JMP 0000000077d60390 .text C:\Windows\system32\svchost.exe[788] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077c01710 5 bytes JMP 0000000077d602e0 .text C:\Windows\system32\svchost.exe[788] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077c01790 5 bytes JMP 0000000077d602d0 .text C:\Windows\system32\svchost.exe[788] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077c017b0 5 bytes JMP 0000000077d60310 .text C:\Windows\system32\svchost.exe[788] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077c017f0 5 bytes JMP 0000000077d603c0 .text C:\Windows\system32\svchost.exe[788] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077c01840 5 bytes JMP 0000000077d603f0 .text C:\Windows\system32\svchost.exe[788] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077c019a0 1 byte JMP 0000000077d60230 .text C:\Windows\system32\svchost.exe[788] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000077c019a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\svchost.exe[788] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077c01b60 5 bytes JMP 0000000077d60480 .text C:\Windows\system32\svchost.exe[788] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077c01b90 5 bytes JMP 0000000077d603a0 .text C:\Windows\system32\svchost.exe[788] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077c01c70 5 bytes JMP 0000000077d602f0 .text C:\Windows\system32\svchost.exe[788] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077c01c80 5 bytes JMP 0000000077d60350 .text C:\Windows\system32\svchost.exe[788] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077c01ce0 5 bytes JMP 0000000077d60290 .text C:\Windows\system32\svchost.exe[788] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077c01d70 5 bytes JMP 0000000077d602b0 .text C:\Windows\system32\svchost.exe[788] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077c01d90 5 bytes JMP 0000000077d603d0 .text C:\Windows\system32\svchost.exe[788] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077c01da0 1 byte JMP 0000000077d60330 .text C:\Windows\system32\svchost.exe[788] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077c01da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\svchost.exe[788] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077c01e10 5 bytes JMP 0000000077d60410 .text C:\Windows\system32\svchost.exe[788] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077c01e40 5 bytes JMP 0000000077d60240 .text C:\Windows\system32\svchost.exe[788] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077c02100 5 bytes JMP 0000000077d601e0 .text C:\Windows\system32\svchost.exe[788] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077c021c0 1 byte JMP 0000000077d60250 .text C:\Windows\system32\svchost.exe[788] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000077c021c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\svchost.exe[788] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077c021f0 5 bytes JMP 0000000077d60490 .text C:\Windows\system32\svchost.exe[788] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077c02200 5 bytes JMP 0000000077d604a0 .text C:\Windows\system32\svchost.exe[788] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077c02230 5 bytes JMP 0000000077d60300 .text C:\Windows\system32\svchost.exe[788] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077c02240 5 bytes JMP 0000000077d60360 .text C:\Windows\system32\svchost.exe[788] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077c022a0 5 bytes JMP 0000000077d602a0 .text C:\Windows\system32\svchost.exe[788] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077c022f0 5 bytes JMP 0000000077d602c0 .text C:\Windows\system32\svchost.exe[788] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077c02320 5 bytes JMP 0000000077d60380 .text C:\Windows\system32\svchost.exe[788] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077c02330 5 bytes JMP 0000000077d60340 .text C:\Windows\system32\svchost.exe[788] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077c02620 5 bytes JMP 0000000077d60440 .text C:\Windows\system32\svchost.exe[788] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077c02820 5 bytes JMP 0000000077d60260 .text C:\Windows\system32\svchost.exe[788] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077c02830 5 bytes JMP 0000000077d60270 .text C:\Windows\system32\svchost.exe[788] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077c02840 5 bytes JMP 0000000077d60400 .text C:\Windows\system32\svchost.exe[788] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077c02a00 5 bytes JMP 0000000077d601f0 .text C:\Windows\system32\svchost.exe[788] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077c02a10 5 bytes JMP 0000000077d60210 .text C:\Windows\system32\svchost.exe[788] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077c02a80 5 bytes JMP 0000000077d60200 .text C:\Windows\system32\svchost.exe[788] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077c02ae0 5 bytes JMP 0000000077d60420 .text C:\Windows\system32\svchost.exe[788] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077c02af0 5 bytes JMP 0000000077d60430 .text C:\Windows\system32\svchost.exe[788] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077c02b00 5 bytes JMP 0000000077d60220 .text C:\Windows\system32\svchost.exe[788] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077c02be0 5 bytes JMP 0000000077d60280 .text C:\Windows\system32\svchost.exe[788] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000779eeecd 1 byte [62] .text C:\Windows\system32\atieclxx.exe[1136] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077c013c0 5 bytes JMP 0000000077d60460 .text C:\Windows\system32\atieclxx.exe[1136] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077c01410 5 bytes JMP 0000000077d60450 .text C:\Windows\system32\atieclxx.exe[1136] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077c01570 5 bytes JMP 0000000077d60370 .text C:\Windows\system32\atieclxx.exe[1136] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077c015c0 5 bytes JMP 0000000077d60470 .text C:\Windows\system32\atieclxx.exe[1136] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077c015d0 5 bytes JMP 0000000077d603e0 .text C:\Windows\system32\atieclxx.exe[1136] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077c01680 5 bytes JMP 0000000077d60320 .text C:\Windows\system32\atieclxx.exe[1136] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077c016b0 5 bytes JMP 0000000077d603b0 .text C:\Windows\system32\atieclxx.exe[1136] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077c016d0 5 bytes JMP 0000000077d60390 .text C:\Windows\system32\atieclxx.exe[1136] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077c01710 5 bytes JMP 0000000077d602e0 .text C:\Windows\system32\atieclxx.exe[1136] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077c01790 5 bytes JMP 0000000077d602d0 .text C:\Windows\system32\atieclxx.exe[1136] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077c017b0 5 bytes JMP 0000000077d60310 .text C:\Windows\system32\atieclxx.exe[1136] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077c017f0 5 bytes JMP 0000000077d603c0 .text C:\Windows\system32\atieclxx.exe[1136] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077c01840 5 bytes JMP 0000000077d603f0 .text C:\Windows\system32\atieclxx.exe[1136] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077c019a0 1 byte JMP 0000000077d60230 .text C:\Windows\system32\atieclxx.exe[1136] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000077c019a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\atieclxx.exe[1136] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077c01b60 5 bytes JMP 0000000077d60480 .text C:\Windows\system32\atieclxx.exe[1136] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077c01b90 5 bytes JMP 0000000077d603a0 .text C:\Windows\system32\atieclxx.exe[1136] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077c01c70 5 bytes JMP 0000000077d602f0 .text C:\Windows\system32\atieclxx.exe[1136] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077c01c80 5 bytes JMP 0000000077d60350 .text C:\Windows\system32\atieclxx.exe[1136] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077c01ce0 5 bytes JMP 0000000077d60290 .text C:\Windows\system32\atieclxx.exe[1136] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077c01d70 5 bytes JMP 0000000077d602b0 .text C:\Windows\system32\atieclxx.exe[1136] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077c01d90 5 bytes JMP 0000000077d603d0 .text C:\Windows\system32\atieclxx.exe[1136] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077c01da0 1 byte JMP 0000000077d60330 .text C:\Windows\system32\atieclxx.exe[1136] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077c01da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\atieclxx.exe[1136] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077c01e10 5 bytes JMP 0000000077d60410 .text C:\Windows\system32\atieclxx.exe[1136] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077c01e40 5 bytes JMP 0000000077d60240 .text C:\Windows\system32\atieclxx.exe[1136] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077c02100 5 bytes JMP 0000000077d601e0 .text C:\Windows\system32\atieclxx.exe[1136] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077c021c0 1 byte JMP 0000000077d60250 .text C:\Windows\system32\atieclxx.exe[1136] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000077c021c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\atieclxx.exe[1136] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077c021f0 5 bytes JMP 0000000077d60490 .text C:\Windows\system32\atieclxx.exe[1136] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077c02200 5 bytes JMP 0000000077d604a0 .text C:\Windows\system32\atieclxx.exe[1136] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077c02230 5 bytes JMP 0000000077d60300 .text C:\Windows\system32\atieclxx.exe[1136] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077c02240 5 bytes JMP 0000000077d60360 .text C:\Windows\system32\atieclxx.exe[1136] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077c022a0 5 bytes JMP 0000000077d602a0 .text C:\Windows\system32\atieclxx.exe[1136] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077c022f0 5 bytes JMP 0000000077d602c0 .text C:\Windows\system32\atieclxx.exe[1136] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077c02320 5 bytes JMP 0000000077d60380 .text C:\Windows\system32\atieclxx.exe[1136] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077c02330 5 bytes JMP 0000000077d60340 .text C:\Windows\system32\atieclxx.exe[1136] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077c02620 5 bytes JMP 0000000077d60440 .text C:\Windows\system32\atieclxx.exe[1136] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077c02820 5 bytes JMP 0000000077d60260 .text C:\Windows\system32\atieclxx.exe[1136] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077c02830 5 bytes JMP 0000000077d60270 .text C:\Windows\system32\atieclxx.exe[1136] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077c02840 5 bytes JMP 0000000077d60400 .text C:\Windows\system32\atieclxx.exe[1136] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077c02a00 5 bytes JMP 0000000077d601f0 .text C:\Windows\system32\atieclxx.exe[1136] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077c02a10 5 bytes JMP 0000000077d60210 .text C:\Windows\system32\atieclxx.exe[1136] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077c02a80 5 bytes JMP 0000000077d60200 .text C:\Windows\system32\atieclxx.exe[1136] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077c02ae0 5 bytes JMP 0000000077d60420 .text C:\Windows\system32\atieclxx.exe[1136] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077c02af0 5 bytes JMP 0000000077d60430 .text C:\Windows\system32\atieclxx.exe[1136] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077c02b00 5 bytes JMP 0000000077d60220 .text C:\Windows\system32\atieclxx.exe[1136] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077c02be0 5 bytes JMP 0000000077d60280 .text C:\Windows\system32\svchost.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077c013c0 5 bytes JMP 0000000077d60460 .text C:\Windows\system32\svchost.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077c01410 5 bytes JMP 0000000077d60450 .text C:\Windows\system32\svchost.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077c01570 5 bytes JMP 0000000077d60370 .text C:\Windows\system32\svchost.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077c015c0 5 bytes JMP 0000000077d60470 .text C:\Windows\system32\svchost.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077c015d0 5 bytes JMP 0000000077d603e0 .text C:\Windows\system32\svchost.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077c01680 5 bytes JMP 0000000077d60320 .text C:\Windows\system32\svchost.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077c016b0 5 bytes JMP 0000000077d603b0 .text C:\Windows\system32\svchost.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077c016d0 5 bytes JMP 0000000077d60390 .text C:\Windows\system32\svchost.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077c01710 5 bytes JMP 0000000077d602e0 .text C:\Windows\system32\svchost.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077c01790 5 bytes JMP 0000000077d602d0 .text C:\Windows\system32\svchost.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077c017b0 5 bytes JMP 0000000077d60310 .text C:\Windows\system32\svchost.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077c017f0 5 bytes JMP 0000000077d603c0 .text C:\Windows\system32\svchost.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077c01840 5 bytes JMP 0000000077d603f0 .text C:\Windows\system32\svchost.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077c019a0 1 byte JMP 0000000077d60230 .text C:\Windows\system32\svchost.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000077c019a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\svchost.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077c01b60 5 bytes JMP 0000000077d60480 .text C:\Windows\system32\svchost.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077c01b90 5 bytes JMP 0000000077d603a0 .text C:\Windows\system32\svchost.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077c01c70 5 bytes JMP 0000000077d602f0 .text C:\Windows\system32\svchost.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077c01c80 5 bytes JMP 0000000077d60350 .text C:\Windows\system32\svchost.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077c01ce0 5 bytes JMP 0000000077d60290 .text C:\Windows\system32\svchost.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077c01d70 5 bytes JMP 0000000077d602b0 .text C:\Windows\system32\svchost.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077c01d90 5 bytes JMP 0000000077d603d0 .text C:\Windows\system32\svchost.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077c01da0 1 byte JMP 0000000077d60330 .text C:\Windows\system32\svchost.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077c01da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\svchost.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077c01e10 5 bytes JMP 0000000077d60410 .text C:\Windows\system32\svchost.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077c01e40 5 bytes JMP 0000000077d60240 .text C:\Windows\system32\svchost.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077c02100 5 bytes JMP 0000000077d601e0 .text C:\Windows\system32\svchost.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077c021c0 1 byte JMP 0000000077d60250 .text C:\Windows\system32\svchost.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000077c021c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\svchost.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077c021f0 5 bytes JMP 0000000077d60490 .text C:\Windows\system32\svchost.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077c02200 5 bytes JMP 0000000077d604a0 .text C:\Windows\system32\svchost.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077c02230 5 bytes JMP 0000000077d60300 .text C:\Windows\system32\svchost.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077c02240 5 bytes JMP 0000000077d60360 .text C:\Windows\system32\svchost.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077c022a0 5 bytes JMP 0000000077d602a0 .text C:\Windows\system32\svchost.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077c022f0 5 bytes JMP 0000000077d602c0 .text C:\Windows\system32\svchost.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077c02320 5 bytes JMP 0000000077d60380 .text C:\Windows\system32\svchost.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077c02330 5 bytes JMP 0000000077d60340 .text C:\Windows\system32\svchost.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077c02620 5 bytes JMP 0000000077d60440 .text C:\Windows\system32\svchost.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077c02820 5 bytes JMP 0000000077d60260 .text C:\Windows\system32\svchost.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077c02830 5 bytes JMP 0000000077d60270 .text C:\Windows\system32\svchost.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077c02840 5 bytes JMP 0000000077d60400 .text C:\Windows\system32\svchost.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077c02a00 5 bytes JMP 0000000077d601f0 .text C:\Windows\system32\svchost.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077c02a10 5 bytes JMP 0000000077d60210 .text C:\Windows\system32\svchost.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077c02a80 5 bytes JMP 0000000077d60200 .text C:\Windows\system32\svchost.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077c02ae0 5 bytes JMP 0000000077d60420 .text C:\Windows\system32\svchost.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077c02af0 5 bytes JMP 0000000077d60430 .text C:\Windows\system32\svchost.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077c02b00 5 bytes JMP 0000000077d60220 .text C:\Windows\system32\svchost.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077c02be0 5 bytes JMP 0000000077d60280 .text C:\Windows\system32\svchost.exe[1164] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000779eeecd 1 byte [62] .text C:\Windows\system32\Dwm.exe[1420] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077c013c0 5 bytes JMP 0000000077d60460 .text C:\Windows\system32\Dwm.exe[1420] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077c01410 5 bytes JMP 0000000077d60450 .text C:\Windows\system32\Dwm.exe[1420] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077c01570 5 bytes JMP 0000000077d60370 .text C:\Windows\system32\Dwm.exe[1420] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077c015c0 5 bytes JMP 0000000077d60470 .text C:\Windows\system32\Dwm.exe[1420] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077c015d0 5 bytes JMP 0000000077d603e0 .text C:\Windows\system32\Dwm.exe[1420] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077c01680 5 bytes JMP 0000000077d60320 .text C:\Windows\system32\Dwm.exe[1420] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077c016b0 5 bytes JMP 0000000077d603b0 .text C:\Windows\system32\Dwm.exe[1420] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077c016d0 5 bytes JMP 0000000077d60390 .text C:\Windows\system32\Dwm.exe[1420] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077c01710 5 bytes JMP 0000000077d602e0 .text C:\Windows\system32\Dwm.exe[1420] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077c01790 5 bytes JMP 0000000077d602d0 .text C:\Windows\system32\Dwm.exe[1420] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077c017b0 5 bytes JMP 0000000077d60310 .text C:\Windows\system32\Dwm.exe[1420] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077c017f0 5 bytes JMP 0000000077d603c0 .text C:\Windows\system32\Dwm.exe[1420] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077c01840 5 bytes JMP 0000000077d603f0 .text C:\Windows\system32\Dwm.exe[1420] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077c019a0 1 byte JMP 0000000077d60230 .text C:\Windows\system32\Dwm.exe[1420] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000077c019a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\Dwm.exe[1420] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077c01b60 5 bytes JMP 0000000077d60480 .text C:\Windows\system32\Dwm.exe[1420] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077c01b90 5 bytes JMP 0000000077d603a0 .text C:\Windows\system32\Dwm.exe[1420] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077c01c70 5 bytes JMP 0000000077d602f0 .text C:\Windows\system32\Dwm.exe[1420] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077c01c80 5 bytes JMP 0000000077d60350 .text C:\Windows\system32\Dwm.exe[1420] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077c01ce0 5 bytes JMP 0000000077d60290 .text C:\Windows\system32\Dwm.exe[1420] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077c01d70 5 bytes JMP 0000000077d602b0 .text C:\Windows\system32\Dwm.exe[1420] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077c01d90 5 bytes JMP 0000000077d603d0 .text C:\Windows\system32\Dwm.exe[1420] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077c01da0 1 byte JMP 0000000077d60330 .text C:\Windows\system32\Dwm.exe[1420] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077c01da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\Dwm.exe[1420] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077c01e10 5 bytes JMP 0000000077d60410 .text C:\Windows\system32\Dwm.exe[1420] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077c01e40 5 bytes JMP 0000000077d60240 .text C:\Windows\system32\Dwm.exe[1420] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077c02100 5 bytes JMP 0000000077d601e0 .text C:\Windows\system32\Dwm.exe[1420] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077c021c0 1 byte JMP 0000000077d60250 .text C:\Windows\system32\Dwm.exe[1420] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000077c021c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\Dwm.exe[1420] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077c021f0 5 bytes JMP 0000000077d60490 .text C:\Windows\system32\Dwm.exe[1420] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077c02200 5 bytes JMP 0000000077d604a0 .text C:\Windows\system32\Dwm.exe[1420] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077c02230 5 bytes JMP 0000000077d60300 .text C:\Windows\system32\Dwm.exe[1420] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077c02240 5 bytes JMP 0000000077d60360 .text C:\Windows\system32\Dwm.exe[1420] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077c022a0 5 bytes JMP 0000000077d602a0 .text C:\Windows\system32\Dwm.exe[1420] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077c022f0 5 bytes JMP 0000000077d602c0 .text C:\Windows\system32\Dwm.exe[1420] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077c02320 5 bytes JMP 0000000077d60380 .text C:\Windows\system32\Dwm.exe[1420] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077c02330 5 bytes JMP 0000000077d60340 .text C:\Windows\system32\Dwm.exe[1420] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077c02620 5 bytes JMP 0000000077d60440 .text C:\Windows\system32\Dwm.exe[1420] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077c02820 5 bytes JMP 0000000077d60260 .text C:\Windows\system32\Dwm.exe[1420] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077c02830 5 bytes JMP 0000000077d60270 .text C:\Windows\system32\Dwm.exe[1420] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077c02840 5 bytes JMP 0000000077d60400 .text C:\Windows\system32\Dwm.exe[1420] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077c02a00 5 bytes JMP 0000000077d601f0 .text C:\Windows\system32\Dwm.exe[1420] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077c02a10 5 bytes JMP 0000000077d60210 .text C:\Windows\system32\Dwm.exe[1420] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077c02a80 5 bytes JMP 0000000077d60200 .text C:\Windows\system32\Dwm.exe[1420] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077c02ae0 5 bytes JMP 0000000077d60420 .text C:\Windows\system32\Dwm.exe[1420] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077c02af0 5 bytes JMP 0000000077d60430 .text C:\Windows\system32\Dwm.exe[1420] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077c02b00 5 bytes JMP 0000000077d60220 .text C:\Windows\system32\Dwm.exe[1420] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077c02be0 5 bytes JMP 0000000077d60280 .text C:\Windows\Explorer.EXE[1444] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077c013c0 5 bytes JMP 0000000100070460 .text C:\Windows\Explorer.EXE[1444] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077c01410 5 bytes JMP 0000000100070450 .text C:\Windows\Explorer.EXE[1444] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077c01570 5 bytes JMP 0000000100070370 .text C:\Windows\Explorer.EXE[1444] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077c015c0 5 bytes JMP 0000000100070470 .text C:\Windows\Explorer.EXE[1444] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077c015d0 5 bytes JMP 00000001000703e0 .text C:\Windows\Explorer.EXE[1444] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077c01680 5 bytes JMP 0000000100070320 .text C:\Windows\Explorer.EXE[1444] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077c016b0 5 bytes JMP 00000001000703b0 .text C:\Windows\Explorer.EXE[1444] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077c016d0 5 bytes JMP 0000000100070390 .text C:\Windows\Explorer.EXE[1444] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077c01710 5 bytes JMP 00000001000702e0 .text C:\Windows\Explorer.EXE[1444] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077c01790 5 bytes JMP 00000001000702d0 .text C:\Windows\Explorer.EXE[1444] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077c017b0 5 bytes JMP 0000000100070310 .text C:\Windows\Explorer.EXE[1444] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077c017f0 5 bytes JMP 00000001000703c0 .text C:\Windows\Explorer.EXE[1444] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077c01840 5 bytes JMP 00000001000703f0 .text C:\Windows\Explorer.EXE[1444] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077c019a0 1 byte JMP 0000000100070230 .text C:\Windows\Explorer.EXE[1444] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000077c019a2 3 bytes {JMP 0xffffffff8846e890} .text C:\Windows\Explorer.EXE[1444] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077c01b60 5 bytes JMP 0000000100070480 .text C:\Windows\Explorer.EXE[1444] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077c01b90 5 bytes JMP 00000001000703a0 .text C:\Windows\Explorer.EXE[1444] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077c01c70 5 bytes JMP 00000001000702f0 .text C:\Windows\Explorer.EXE[1444] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077c01c80 5 bytes JMP 0000000100070350 .text C:\Windows\Explorer.EXE[1444] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077c01ce0 5 bytes JMP 0000000100070290 .text C:\Windows\Explorer.EXE[1444] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077c01d70 5 bytes JMP 00000001000702b0 .text C:\Windows\Explorer.EXE[1444] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077c01d90 5 bytes JMP 00000001000703d0 .text C:\Windows\Explorer.EXE[1444] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077c01da0 1 byte JMP 0000000100070330 .text C:\Windows\Explorer.EXE[1444] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077c01da2 3 bytes {JMP 0xffffffff8846e590} .text C:\Windows\Explorer.EXE[1444] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077c01e10 5 bytes JMP 0000000100070410 .text C:\Windows\Explorer.EXE[1444] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077c01e40 5 bytes JMP 0000000100070240 .text C:\Windows\Explorer.EXE[1444] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077c02100 5 bytes JMP 00000001000701e0 .text C:\Windows\Explorer.EXE[1444] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077c021c0 1 byte JMP 0000000100070250 .text C:\Windows\Explorer.EXE[1444] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000077c021c2 3 bytes {JMP 0xffffffff8846e090} .text C:\Windows\Explorer.EXE[1444] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077c021f0 5 bytes JMP 0000000100070490 .text C:\Windows\Explorer.EXE[1444] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077c02200 5 bytes JMP 00000001000704a0 .text C:\Windows\Explorer.EXE[1444] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077c02230 5 bytes JMP 0000000100070300 .text C:\Windows\Explorer.EXE[1444] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077c02240 5 bytes JMP 0000000100070360 .text C:\Windows\Explorer.EXE[1444] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077c022a0 5 bytes JMP 00000001000702a0 .text C:\Windows\Explorer.EXE[1444] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077c022f0 5 bytes JMP 00000001000702c0 .text C:\Windows\Explorer.EXE[1444] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077c02320 5 bytes JMP 0000000100070380 .text C:\Windows\Explorer.EXE[1444] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077c02330 5 bytes JMP 0000000100070340 .text C:\Windows\Explorer.EXE[1444] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077c02620 5 bytes JMP 0000000100070440 .text C:\Windows\Explorer.EXE[1444] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077c02820 5 bytes JMP 0000000100070260 .text C:\Windows\Explorer.EXE[1444] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077c02830 5 bytes JMP 0000000100070270 .text C:\Windows\Explorer.EXE[1444] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077c02840 5 bytes JMP 0000000100070400 .text C:\Windows\Explorer.EXE[1444] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077c02a00 5 bytes JMP 00000001000701f0 .text C:\Windows\Explorer.EXE[1444] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077c02a10 5 bytes JMP 0000000100070210 .text C:\Windows\Explorer.EXE[1444] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077c02a80 5 bytes JMP 0000000100070200 .text C:\Windows\Explorer.EXE[1444] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077c02ae0 5 bytes JMP 0000000100070420 .text C:\Windows\Explorer.EXE[1444] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077c02af0 5 bytes JMP 0000000100070430 .text C:\Windows\Explorer.EXE[1444] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077c02b00 5 bytes JMP 0000000100070220 .text C:\Windows\Explorer.EXE[1444] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077c02be0 5 bytes JMP 0000000100070280 .text C:\Windows\Explorer.EXE[1444] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000779eeecd 1 byte [62] .text C:\Windows\System32\spoolsv.exe[1704] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077c013c0 5 bytes JMP 0000000077d60460 .text C:\Windows\System32\spoolsv.exe[1704] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077c01410 5 bytes JMP 0000000077d60450 .text C:\Windows\System32\spoolsv.exe[1704] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077c01570 5 bytes JMP 0000000077d60370 .text C:\Windows\System32\spoolsv.exe[1704] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077c015c0 5 bytes JMP 0000000077d60470 .text C:\Windows\System32\spoolsv.exe[1704] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077c015d0 5 bytes JMP 0000000077d603e0 .text C:\Windows\System32\spoolsv.exe[1704] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077c01680 5 bytes JMP 0000000077d60320 .text C:\Windows\System32\spoolsv.exe[1704] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077c016b0 5 bytes JMP 0000000077d603b0 .text C:\Windows\System32\spoolsv.exe[1704] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077c016d0 5 bytes JMP 0000000077d60390 .text C:\Windows\System32\spoolsv.exe[1704] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077c01710 5 bytes JMP 0000000077d602e0 .text C:\Windows\System32\spoolsv.exe[1704] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077c01790 5 bytes JMP 0000000077d602d0 .text C:\Windows\System32\spoolsv.exe[1704] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077c017b0 5 bytes JMP 0000000077d60310 .text C:\Windows\System32\spoolsv.exe[1704] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077c017f0 5 bytes JMP 0000000077d603c0 .text C:\Windows\System32\spoolsv.exe[1704] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077c01840 5 bytes JMP 0000000077d603f0 .text C:\Windows\System32\spoolsv.exe[1704] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077c019a0 1 byte JMP 0000000077d60230 .text C:\Windows\System32\spoolsv.exe[1704] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000077c019a2 3 bytes {JMP 0x15e890} .text C:\Windows\System32\spoolsv.exe[1704] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077c01b60 5 bytes JMP 0000000077d60480 .text C:\Windows\System32\spoolsv.exe[1704] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077c01b90 5 bytes JMP 0000000077d603a0 .text C:\Windows\System32\spoolsv.exe[1704] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077c01c70 5 bytes JMP 0000000077d602f0 .text C:\Windows\System32\spoolsv.exe[1704] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077c01c80 5 bytes JMP 0000000077d60350 .text C:\Windows\System32\spoolsv.exe[1704] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077c01ce0 5 bytes JMP 0000000077d60290 .text C:\Windows\System32\spoolsv.exe[1704] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077c01d70 5 bytes JMP 0000000077d602b0 .text C:\Windows\System32\spoolsv.exe[1704] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077c01d90 5 bytes JMP 0000000077d603d0 .text C:\Windows\System32\spoolsv.exe[1704] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077c01da0 1 byte JMP 0000000077d60330 .text C:\Windows\System32\spoolsv.exe[1704] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077c01da2 3 bytes {JMP 0x15e590} .text C:\Windows\System32\spoolsv.exe[1704] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077c01e10 5 bytes JMP 0000000077d60410 .text C:\Windows\System32\spoolsv.exe[1704] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077c01e40 5 bytes JMP 0000000077d60240 .text C:\Windows\System32\spoolsv.exe[1704] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077c02100 5 bytes JMP 0000000077d601e0 .text C:\Windows\System32\spoolsv.exe[1704] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077c021c0 1 byte JMP 0000000077d60250 .text C:\Windows\System32\spoolsv.exe[1704] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000077c021c2 3 bytes {JMP 0x15e090} .text C:\Windows\System32\spoolsv.exe[1704] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077c021f0 5 bytes JMP 0000000077d60490 .text C:\Windows\System32\spoolsv.exe[1704] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077c02200 5 bytes JMP 0000000077d604a0 .text C:\Windows\System32\spoolsv.exe[1704] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077c02230 5 bytes JMP 0000000077d60300 .text C:\Windows\System32\spoolsv.exe[1704] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077c02240 5 bytes JMP 0000000077d60360 .text C:\Windows\System32\spoolsv.exe[1704] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077c022a0 5 bytes JMP 0000000077d602a0 .text C:\Windows\System32\spoolsv.exe[1704] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077c022f0 5 bytes JMP 0000000077d602c0 .text C:\Windows\System32\spoolsv.exe[1704] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077c02320 5 bytes JMP 0000000077d60380 .text C:\Windows\System32\spoolsv.exe[1704] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077c02330 5 bytes JMP 0000000077d60340 .text C:\Windows\System32\spoolsv.exe[1704] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077c02620 5 bytes JMP 0000000077d60440 .text C:\Windows\System32\spoolsv.exe[1704] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077c02820 5 bytes JMP 0000000077d60260 .text C:\Windows\System32\spoolsv.exe[1704] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077c02830 5 bytes JMP 0000000077d60270 .text C:\Windows\System32\spoolsv.exe[1704] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077c02840 5 bytes JMP 0000000077d60400 .text C:\Windows\System32\spoolsv.exe[1704] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077c02a00 5 bytes JMP 0000000077d601f0 .text C:\Windows\System32\spoolsv.exe[1704] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077c02a10 5 bytes JMP 0000000077d60210 .text C:\Windows\System32\spoolsv.exe[1704] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077c02a80 5 bytes JMP 0000000077d60200 .text C:\Windows\System32\spoolsv.exe[1704] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077c02ae0 5 bytes JMP 0000000077d60420 .text C:\Windows\System32\spoolsv.exe[1704] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077c02af0 5 bytes JMP 0000000077d60430 .text C:\Windows\System32\spoolsv.exe[1704] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077c02b00 5 bytes JMP 0000000077d60220 .text C:\Windows\System32\spoolsv.exe[1704] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077c02be0 5 bytes JMP 0000000077d60280 .text C:\Windows\System32\spoolsv.exe[1704] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000779eeecd 1 byte [62] .text C:\Windows\system32\taskhost.exe[1752] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077c013c0 5 bytes JMP 0000000077d60460 .text C:\Windows\system32\taskhost.exe[1752] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077c01410 5 bytes JMP 0000000077d60450 .text C:\Windows\system32\taskhost.exe[1752] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077c01570 5 bytes JMP 0000000077d60370 .text C:\Windows\system32\taskhost.exe[1752] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077c015c0 5 bytes JMP 0000000077d60470 .text C:\Windows\system32\taskhost.exe[1752] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077c015d0 5 bytes JMP 0000000077d603e0 .text C:\Windows\system32\taskhost.exe[1752] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077c01680 5 bytes JMP 0000000077d60320 .text C:\Windows\system32\taskhost.exe[1752] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077c016b0 5 bytes JMP 0000000077d603b0 .text C:\Windows\system32\taskhost.exe[1752] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077c016d0 5 bytes JMP 0000000077d60390 .text C:\Windows\system32\taskhost.exe[1752] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077c01710 5 bytes JMP 0000000077d602e0 .text C:\Windows\system32\taskhost.exe[1752] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077c01790 5 bytes JMP 0000000077d602d0 .text C:\Windows\system32\taskhost.exe[1752] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077c017b0 5 bytes JMP 0000000077d60310 .text C:\Windows\system32\taskhost.exe[1752] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077c017f0 5 bytes JMP 0000000077d603c0 .text C:\Windows\system32\taskhost.exe[1752] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077c01840 5 bytes JMP 0000000077d603f0 .text C:\Windows\system32\taskhost.exe[1752] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077c019a0 1 byte JMP 0000000077d60230 .text C:\Windows\system32\taskhost.exe[1752] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000077c019a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\taskhost.exe[1752] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077c01b60 5 bytes JMP 0000000077d60480 .text C:\Windows\system32\taskhost.exe[1752] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077c01b90 5 bytes JMP 0000000077d603a0 .text C:\Windows\system32\taskhost.exe[1752] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077c01c70 5 bytes JMP 0000000077d602f0 .text C:\Windows\system32\taskhost.exe[1752] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077c01c80 5 bytes JMP 0000000077d60350 .text C:\Windows\system32\taskhost.exe[1752] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077c01ce0 5 bytes JMP 0000000077d60290 .text C:\Windows\system32\taskhost.exe[1752] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077c01d70 5 bytes JMP 0000000077d602b0 .text C:\Windows\system32\taskhost.exe[1752] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077c01d90 5 bytes JMP 0000000077d603d0 .text C:\Windows\system32\taskhost.exe[1752] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077c01da0 1 byte JMP 0000000077d60330 .text C:\Windows\system32\taskhost.exe[1752] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077c01da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\taskhost.exe[1752] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077c01e10 5 bytes JMP 0000000077d60410 .text C:\Windows\system32\taskhost.exe[1752] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077c01e40 5 bytes JMP 0000000077d60240 .text C:\Windows\system32\taskhost.exe[1752] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077c02100 5 bytes JMP 0000000077d601e0 .text C:\Windows\system32\taskhost.exe[1752] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077c021c0 1 byte JMP 0000000077d60250 .text C:\Windows\system32\taskhost.exe[1752] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000077c021c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\taskhost.exe[1752] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077c021f0 5 bytes JMP 0000000077d60490 .text C:\Windows\system32\taskhost.exe[1752] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077c02200 5 bytes JMP 0000000077d604a0 .text C:\Windows\system32\taskhost.exe[1752] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077c02230 5 bytes JMP 0000000077d60300 .text C:\Windows\system32\taskhost.exe[1752] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077c02240 5 bytes JMP 0000000077d60360 .text C:\Windows\system32\taskhost.exe[1752] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077c022a0 5 bytes JMP 0000000077d602a0 .text C:\Windows\system32\taskhost.exe[1752] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077c022f0 5 bytes JMP 0000000077d602c0 .text C:\Windows\system32\taskhost.exe[1752] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077c02320 5 bytes JMP 0000000077d60380 .text C:\Windows\system32\taskhost.exe[1752] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077c02330 5 bytes JMP 0000000077d60340 .text C:\Windows\system32\taskhost.exe[1752] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077c02620 5 bytes JMP 0000000077d60440 .text C:\Windows\system32\taskhost.exe[1752] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077c02820 5 bytes JMP 0000000077d60260 .text C:\Windows\system32\taskhost.exe[1752] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077c02830 5 bytes JMP 0000000077d60270 .text C:\Windows\system32\taskhost.exe[1752] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077c02840 5 bytes JMP 0000000077d60400 .text C:\Windows\system32\taskhost.exe[1752] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077c02a00 5 bytes JMP 0000000077d601f0 .text C:\Windows\system32\taskhost.exe[1752] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077c02a10 5 bytes JMP 0000000077d60210 .text C:\Windows\system32\taskhost.exe[1752] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077c02a80 5 bytes JMP 0000000077d60200 .text C:\Windows\system32\taskhost.exe[1752] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077c02ae0 5 bytes JMP 0000000077d60420 .text C:\Windows\system32\taskhost.exe[1752] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077c02af0 5 bytes JMP 0000000077d60430 .text C:\Windows\system32\taskhost.exe[1752] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077c02b00 5 bytes JMP 0000000077d60220 .text C:\Windows\system32\taskhost.exe[1752] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077c02be0 5 bytes JMP 0000000077d60280 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1972] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000767fa322 1 byte [62] .text C:\ProgramData\DatacardService\DCService.exe[1468] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000767fa322 1 byte [62] .text C:\Windows\system32\svchost.exe[1500] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000779eeecd 1 byte [62] .text C:\ProgramData\DatacardService\DCSHelper.exe[1868] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000767fa322 1 byte [62] .text C:\Windows\system32\svchost.exe[1388] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000779eeecd 1 byte [62] .text C:\Program Files\Sony\VAIO Smart Network\VSNService.exe[1120] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077c013c0 5 bytes JMP 0000000077d60460 .text C:\Program Files\Sony\VAIO Smart Network\VSNService.exe[1120] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077c01410 5 bytes JMP 0000000077d60450 .text C:\Program Files\Sony\VAIO Smart Network\VSNService.exe[1120] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077c01570 5 bytes JMP 0000000077d60370 .text C:\Program Files\Sony\VAIO Smart Network\VSNService.exe[1120] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077c015c0 5 bytes JMP 0000000077d60470 .text C:\Program Files\Sony\VAIO Smart Network\VSNService.exe[1120] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077c015d0 5 bytes JMP 0000000077d603e0 .text C:\Program Files\Sony\VAIO Smart Network\VSNService.exe[1120] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077c01680 5 bytes JMP 0000000077d60320 .text C:\Program Files\Sony\VAIO Smart Network\VSNService.exe[1120] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077c016b0 5 bytes JMP 0000000077d603b0 .text C:\Program Files\Sony\VAIO Smart Network\VSNService.exe[1120] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077c016d0 5 bytes JMP 0000000077d60390 .text C:\Program Files\Sony\VAIO Smart Network\VSNService.exe[1120] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077c01710 5 bytes JMP 0000000077d602e0 .text C:\Program Files\Sony\VAIO Smart Network\VSNService.exe[1120] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077c01790 5 bytes JMP 0000000077d602d0 .text C:\Program Files\Sony\VAIO Smart Network\VSNService.exe[1120] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077c017b0 5 bytes JMP 0000000077d60310 .text C:\Program Files\Sony\VAIO Smart Network\VSNService.exe[1120] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077c017f0 5 bytes JMP 0000000077d603c0 .text C:\Program Files\Sony\VAIO Smart Network\VSNService.exe[1120] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077c01840 5 bytes JMP 0000000077d603f0 .text C:\Program Files\Sony\VAIO Smart Network\VSNService.exe[1120] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077c019a0 1 byte JMP 0000000077d60230 .text C:\Program Files\Sony\VAIO Smart Network\VSNService.exe[1120] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000077c019a2 3 bytes {JMP 0x15e890} .text C:\Program Files\Sony\VAIO Smart Network\VSNService.exe[1120] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077c01b60 5 bytes JMP 0000000077d60480 .text C:\Program Files\Sony\VAIO Smart Network\VSNService.exe[1120] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077c01b90 5 bytes JMP 0000000077d603a0 .text C:\Program Files\Sony\VAIO Smart Network\VSNService.exe[1120] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077c01c70 5 bytes JMP 0000000077d602f0 .text C:\Program Files\Sony\VAIO Smart Network\VSNService.exe[1120] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077c01c80 5 bytes JMP 0000000077d60350 .text C:\Program Files\Sony\VAIO Smart Network\VSNService.exe[1120] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077c01ce0 5 bytes JMP 0000000077d60290 .text C:\Program Files\Sony\VAIO Smart Network\VSNService.exe[1120] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077c01d70 5 bytes JMP 0000000077d602b0 .text C:\Program Files\Sony\VAIO Smart Network\VSNService.exe[1120] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077c01d90 5 bytes JMP 0000000077d603d0 .text C:\Program Files\Sony\VAIO Smart Network\VSNService.exe[1120] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077c01da0 1 byte JMP 0000000077d60330 .text C:\Program Files\Sony\VAIO Smart Network\VSNService.exe[1120] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077c01da2 3 bytes {JMP 0x15e590} .text C:\Program Files\Sony\VAIO Smart Network\VSNService.exe[1120] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077c01e10 5 bytes JMP 0000000077d60410 .text C:\Program Files\Sony\VAIO Smart Network\VSNService.exe[1120] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077c01e40 5 bytes JMP 0000000077d60240 .text C:\Program Files\Sony\VAIO Smart Network\VSNService.exe[1120] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077c02100 5 bytes JMP 0000000077d601e0 .text C:\Program Files\Sony\VAIO Smart Network\VSNService.exe[1120] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077c021c0 1 byte JMP 0000000077d60250 .text C:\Program Files\Sony\VAIO Smart Network\VSNService.exe[1120] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000077c021c2 3 bytes {JMP 0x15e090} .text C:\Program Files\Sony\VAIO Smart Network\VSNService.exe[1120] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077c021f0 5 bytes JMP 0000000077d60490 .text C:\Program Files\Sony\VAIO Smart Network\VSNService.exe[1120] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077c02200 5 bytes JMP 0000000077d604a0 .text C:\Program Files\Sony\VAIO Smart Network\VSNService.exe[1120] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077c02230 5 bytes JMP 0000000077d60300 .text C:\Program Files\Sony\VAIO Smart Network\VSNService.exe[1120] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077c02240 5 bytes JMP 0000000077d60360 .text C:\Program Files\Sony\VAIO Smart Network\VSNService.exe[1120] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077c022a0 5 bytes JMP 0000000077d602a0 .text C:\Program Files\Sony\VAIO Smart Network\VSNService.exe[1120] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077c022f0 5 bytes JMP 0000000077d602c0 .text C:\Program Files\Sony\VAIO Smart Network\VSNService.exe[1120] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077c02320 5 bytes JMP 0000000077d60380 .text C:\Program Files\Sony\VAIO Smart Network\VSNService.exe[1120] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077c02330 5 bytes JMP 0000000077d60340 .text C:\Program Files\Sony\VAIO Smart Network\VSNService.exe[1120] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077c02620 5 bytes JMP 0000000077d60440 .text C:\Program Files\Sony\VAIO Smart Network\VSNService.exe[1120] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077c02820 5 bytes JMP 0000000077d60260 .text C:\Program Files\Sony\VAIO Smart Network\VSNService.exe[1120] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077c02830 5 bytes JMP 0000000077d60270 .text C:\Program Files\Sony\VAIO Smart Network\VSNService.exe[1120] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077c02840 5 bytes JMP 0000000077d60400 .text C:\Program Files\Sony\VAIO Smart Network\VSNService.exe[1120] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077c02a00 5 bytes JMP 0000000077d601f0 .text C:\Program Files\Sony\VAIO Smart Network\VSNService.exe[1120] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077c02a10 5 bytes JMP 0000000077d60210 .text C:\Program Files\Sony\VAIO Smart Network\VSNService.exe[1120] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077c02a80 5 bytes JMP 0000000077d60200 .text C:\Program Files\Sony\VAIO Smart Network\VSNService.exe[1120] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077c02ae0 5 bytes JMP 0000000077d60420 .text C:\Program Files\Sony\VAIO Smart Network\VSNService.exe[1120] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077c02af0 5 bytes JMP 0000000077d60430 .text C:\Program Files\Sony\VAIO Smart Network\VSNService.exe[1120] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077c02b00 5 bytes JMP 0000000077d60220 .text C:\Program Files\Sony\VAIO Smart Network\VSNService.exe[1120] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077c02be0 5 bytes JMP 0000000077d60280 .text C:\Program Files\McAfee Security Scan\3.8.150\SSScheduler.exe[2380] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077c013c0 5 bytes JMP 0000000077d60460 .text C:\Program Files\McAfee Security Scan\3.8.150\SSScheduler.exe[2380] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077c01410 5 bytes JMP 0000000077d60450 .text C:\Program Files\McAfee Security Scan\3.8.150\SSScheduler.exe[2380] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077c01570 5 bytes JMP 0000000077d60370 .text C:\Program Files\McAfee Security Scan\3.8.150\SSScheduler.exe[2380] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077c015c0 5 bytes JMP 0000000077d60470 .text C:\Program Files\McAfee Security Scan\3.8.150\SSScheduler.exe[2380] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077c015d0 5 bytes JMP 0000000077d603e0 .text C:\Program Files\McAfee Security Scan\3.8.150\SSScheduler.exe[2380] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077c01680 5 bytes JMP 0000000077d60320 .text C:\Program Files\McAfee Security Scan\3.8.150\SSScheduler.exe[2380] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077c016b0 5 bytes JMP 0000000077d603b0 .text C:\Program Files\McAfee Security Scan\3.8.150\SSScheduler.exe[2380] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077c016d0 5 bytes JMP 0000000077d60390 .text C:\Program Files\McAfee Security Scan\3.8.150\SSScheduler.exe[2380] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077c01710 5 bytes JMP 0000000077d602e0 .text C:\Program Files\McAfee Security Scan\3.8.150\SSScheduler.exe[2380] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077c01790 5 bytes JMP 0000000077d602d0 .text C:\Program Files\McAfee Security Scan\3.8.150\SSScheduler.exe[2380] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077c017b0 5 bytes JMP 0000000077d60310 .text C:\Program Files\McAfee Security Scan\3.8.150\SSScheduler.exe[2380] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077c017f0 5 bytes JMP 0000000077d603c0 .text C:\Program Files\McAfee Security Scan\3.8.150\SSScheduler.exe[2380] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077c01840 5 bytes JMP 0000000077d603f0 .text C:\Program Files\McAfee Security Scan\3.8.150\SSScheduler.exe[2380] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077c019a0 1 byte JMP 0000000077d60230 .text C:\Program Files\McAfee Security Scan\3.8.150\SSScheduler.exe[2380] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000077c019a2 3 bytes {JMP 0x15e890} .text C:\Program Files\McAfee Security Scan\3.8.150\SSScheduler.exe[2380] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077c01b60 5 bytes JMP 0000000077d60480 .text C:\Program Files\McAfee Security Scan\3.8.150\SSScheduler.exe[2380] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077c01b90 5 bytes JMP 0000000077d603a0 .text C:\Program Files\McAfee Security Scan\3.8.150\SSScheduler.exe[2380] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077c01c70 5 bytes JMP 0000000077d602f0 .text C:\Program Files\McAfee Security Scan\3.8.150\SSScheduler.exe[2380] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077c01c80 5 bytes JMP 0000000077d60350 .text C:\Program Files\McAfee Security Scan\3.8.150\SSScheduler.exe[2380] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077c01ce0 5 bytes JMP 0000000077d60290 .text C:\Program Files\McAfee Security Scan\3.8.150\SSScheduler.exe[2380] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077c01d70 5 bytes JMP 0000000077d602b0 .text C:\Program Files\McAfee Security Scan\3.8.150\SSScheduler.exe[2380] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077c01d90 5 bytes JMP 0000000077d603d0 .text C:\Program Files\McAfee Security Scan\3.8.150\SSScheduler.exe[2380] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077c01da0 1 byte JMP 0000000077d60330 .text C:\Program Files\McAfee Security Scan\3.8.150\SSScheduler.exe[2380] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077c01da2 3 bytes {JMP 0x15e590} .text C:\Program Files\McAfee Security Scan\3.8.150\SSScheduler.exe[2380] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077c01e10 5 bytes JMP 0000000077d60410 .text C:\Program Files\McAfee Security Scan\3.8.150\SSScheduler.exe[2380] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077c01e40 5 bytes JMP 0000000077d60240 .text C:\Program Files\McAfee Security Scan\3.8.150\SSScheduler.exe[2380] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077c02100 5 bytes JMP 0000000077d601e0 .text C:\Program Files\McAfee Security Scan\3.8.150\SSScheduler.exe[2380] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077c021c0 1 byte JMP 0000000077d60250 .text C:\Program Files\McAfee Security Scan\3.8.150\SSScheduler.exe[2380] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000077c021c2 3 bytes {JMP 0x15e090} .text C:\Program Files\McAfee Security Scan\3.8.150\SSScheduler.exe[2380] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077c021f0 5 bytes JMP 0000000077d60490 .text C:\Program Files\McAfee Security Scan\3.8.150\SSScheduler.exe[2380] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077c02200 5 bytes JMP 0000000077d604a0 .text C:\Program Files\McAfee Security Scan\3.8.150\SSScheduler.exe[2380] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077c02230 5 bytes JMP 0000000077d60300 .text C:\Program Files\McAfee Security Scan\3.8.150\SSScheduler.exe[2380] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077c02240 5 bytes JMP 0000000077d60360 .text C:\Program Files\McAfee Security Scan\3.8.150\SSScheduler.exe[2380] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077c022a0 5 bytes JMP 0000000077d602a0 .text C:\Program Files\McAfee Security Scan\3.8.150\SSScheduler.exe[2380] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077c022f0 5 bytes JMP 0000000077d602c0 .text C:\Program Files\McAfee Security Scan\3.8.150\SSScheduler.exe[2380] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077c02320 5 bytes JMP 0000000077d60380 .text C:\Program Files\McAfee Security Scan\3.8.150\SSScheduler.exe[2380] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077c02330 5 bytes JMP 0000000077d60340 .text C:\Program Files\McAfee Security Scan\3.8.150\SSScheduler.exe[2380] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077c02620 5 bytes JMP 0000000077d60440 .text C:\Program Files\McAfee Security Scan\3.8.150\SSScheduler.exe[2380] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077c02820 5 bytes JMP 0000000077d60260 .text C:\Program Files\McAfee Security Scan\3.8.150\SSScheduler.exe[2380] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077c02830 5 bytes JMP 0000000077d60270 .text C:\Program Files\McAfee Security Scan\3.8.150\SSScheduler.exe[2380] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077c02840 5 bytes JMP 0000000077d60400 .text C:\Program Files\McAfee Security Scan\3.8.150\SSScheduler.exe[2380] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077c02a00 5 bytes JMP 0000000077d601f0 .text C:\Program Files\McAfee Security Scan\3.8.150\SSScheduler.exe[2380] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077c02a10 5 bytes JMP 0000000077d60210 .text C:\Program Files\McAfee Security Scan\3.8.150\SSScheduler.exe[2380] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077c02a80 5 bytes JMP 0000000077d60200 .text C:\Program Files\McAfee Security Scan\3.8.150\SSScheduler.exe[2380] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077c02ae0 5 bytes JMP 0000000077d60420 .text C:\Program Files\McAfee Security Scan\3.8.150\SSScheduler.exe[2380] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077c02af0 5 bytes JMP 0000000077d60430 .text C:\Program Files\McAfee Security Scan\3.8.150\SSScheduler.exe[2380] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077c02b00 5 bytes JMP 0000000077d60220 .text C:\Program Files\McAfee Security Scan\3.8.150\SSScheduler.exe[2380] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077c02be0 5 bytes JMP 0000000077d60280 .text C:\Windows\system32\taskhost.exe[2840] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077c013c0 5 bytes JMP 0000000077d60460 .text C:\Windows\system32\taskhost.exe[2840] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077c01410 5 bytes JMP 0000000077d60450 .text C:\Windows\system32\taskhost.exe[2840] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077c01570 5 bytes JMP 0000000077d60370 .text C:\Windows\system32\taskhost.exe[2840] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077c015c0 5 bytes JMP 0000000077d60470 .text C:\Windows\system32\taskhost.exe[2840] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077c015d0 5 bytes JMP 0000000077d603e0 .text C:\Windows\system32\taskhost.exe[2840] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077c01680 5 bytes JMP 0000000077d60320 .text C:\Windows\system32\taskhost.exe[2840] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077c016b0 5 bytes JMP 0000000077d603b0 .text C:\Windows\system32\taskhost.exe[2840] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077c016d0 5 bytes JMP 0000000077d60390 .text C:\Windows\system32\taskhost.exe[2840] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077c01710 5 bytes JMP 0000000077d602e0 .text C:\Windows\system32\taskhost.exe[2840] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077c01790 5 bytes JMP 0000000077d602d0 .text C:\Windows\system32\taskhost.exe[2840] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077c017b0 5 bytes JMP 0000000077d60310 .text C:\Windows\system32\taskhost.exe[2840] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077c017f0 5 bytes JMP 0000000077d603c0 .text C:\Windows\system32\taskhost.exe[2840] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077c01840 5 bytes JMP 0000000077d603f0 .text C:\Windows\system32\taskhost.exe[2840] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077c019a0 1 byte JMP 0000000077d60230 .text C:\Windows\system32\taskhost.exe[2840] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000077c019a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\taskhost.exe[2840] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077c01b60 5 bytes JMP 0000000077d60480 .text C:\Windows\system32\taskhost.exe[2840] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077c01b90 5 bytes JMP 0000000077d603a0 .text C:\Windows\system32\taskhost.exe[2840] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077c01c70 5 bytes JMP 0000000077d602f0 .text C:\Windows\system32\taskhost.exe[2840] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077c01c80 5 bytes JMP 0000000077d60350 .text C:\Windows\system32\taskhost.exe[2840] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077c01ce0 5 bytes JMP 0000000077d60290 .text C:\Windows\system32\taskhost.exe[2840] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077c01d70 5 bytes JMP 0000000077d602b0 .text C:\Windows\system32\taskhost.exe[2840] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077c01d90 5 bytes JMP 0000000077d603d0 .text C:\Windows\system32\taskhost.exe[2840] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077c01da0 1 byte JMP 0000000077d60330 .text C:\Windows\system32\taskhost.exe[2840] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077c01da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\taskhost.exe[2840] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077c01e10 5 bytes JMP 0000000077d60410 .text C:\Windows\system32\taskhost.exe[2840] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077c01e40 5 bytes JMP 0000000077d60240 .text C:\Windows\system32\taskhost.exe[2840] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077c02100 5 bytes JMP 0000000077d601e0 .text C:\Windows\system32\taskhost.exe[2840] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077c021c0 1 byte JMP 0000000077d60250 .text C:\Windows\system32\taskhost.exe[2840] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000077c021c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\taskhost.exe[2840] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077c021f0 5 bytes JMP 0000000077d60490 .text C:\Windows\system32\taskhost.exe[2840] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077c02200 5 bytes JMP 0000000077d604a0 .text C:\Windows\system32\taskhost.exe[2840] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077c02230 5 bytes JMP 0000000077d60300 .text C:\Windows\system32\taskhost.exe[2840] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077c02240 5 bytes JMP 0000000077d60360 .text C:\Windows\system32\taskhost.exe[2840] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077c022a0 5 bytes JMP 0000000077d602a0 .text C:\Windows\system32\taskhost.exe[2840] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077c022f0 5 bytes JMP 0000000077d602c0 .text C:\Windows\system32\taskhost.exe[2840] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077c02320 5 bytes JMP 0000000077d60380 .text C:\Windows\system32\taskhost.exe[2840] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077c02330 5 bytes JMP 0000000077d60340 .text C:\Windows\system32\taskhost.exe[2840] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077c02620 5 bytes JMP 0000000077d60440 .text C:\Windows\system32\taskhost.exe[2840] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077c02820 5 bytes JMP 0000000077d60260 .text C:\Windows\system32\taskhost.exe[2840] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077c02830 5 bytes JMP 0000000077d60270 .text C:\Windows\system32\taskhost.exe[2840] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077c02840 5 bytes JMP 0000000077d60400 .text C:\Windows\system32\taskhost.exe[2840] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077c02a00 5 bytes JMP 0000000077d601f0 .text C:\Windows\system32\taskhost.exe[2840] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077c02a10 5 bytes JMP 0000000077d60210 .text C:\Windows\system32\taskhost.exe[2840] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077c02a80 5 bytes JMP 0000000077d60200 .text C:\Windows\system32\taskhost.exe[2840] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077c02ae0 5 bytes JMP 0000000077d60420 .text C:\Windows\system32\taskhost.exe[2840] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077c02af0 5 bytes JMP 0000000077d60430 .text C:\Windows\system32\taskhost.exe[2840] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077c02b00 5 bytes JMP 0000000077d60220 .text C:\Windows\system32\taskhost.exe[2840] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077c02be0 5 bytes JMP 0000000077d60280 .text C:\Windows\system32\taskhost.exe[2840] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000779eeecd 1 byte [62] .text C:\Windows\system32\SearchIndexer.exe[2484] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077c013c0 5 bytes JMP 0000000077d60460 .text C:\Windows\system32\SearchIndexer.exe[2484] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077c01410 5 bytes JMP 0000000077d60450 .text C:\Windows\system32\SearchIndexer.exe[2484] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077c01570 5 bytes JMP 0000000077d60370 .text C:\Windows\system32\SearchIndexer.exe[2484] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077c015c0 5 bytes JMP 0000000077d60470 .text C:\Windows\system32\SearchIndexer.exe[2484] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077c015d0 5 bytes JMP 0000000077d603e0 .text C:\Windows\system32\SearchIndexer.exe[2484] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077c01680 5 bytes JMP 0000000077d60320 .text C:\Windows\system32\SearchIndexer.exe[2484] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077c016b0 5 bytes JMP 0000000077d603b0 .text C:\Windows\system32\SearchIndexer.exe[2484] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077c016d0 5 bytes JMP 0000000077d60390 .text C:\Windows\system32\SearchIndexer.exe[2484] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077c01710 5 bytes JMP 0000000077d602e0 .text C:\Windows\system32\SearchIndexer.exe[2484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077c01790 5 bytes JMP 0000000077d602d0 .text C:\Windows\system32\SearchIndexer.exe[2484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077c017b0 5 bytes JMP 0000000077d60310 .text C:\Windows\system32\SearchIndexer.exe[2484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077c017f0 5 bytes JMP 0000000077d603c0 .text C:\Windows\system32\SearchIndexer.exe[2484] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077c01840 5 bytes JMP 0000000077d603f0 .text C:\Windows\system32\SearchIndexer.exe[2484] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077c019a0 1 byte JMP 0000000077d60230 .text C:\Windows\system32\SearchIndexer.exe[2484] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000077c019a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\SearchIndexer.exe[2484] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077c01b60 5 bytes JMP 0000000077d60480 .text C:\Windows\system32\SearchIndexer.exe[2484] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077c01b90 5 bytes JMP 0000000077d603a0 .text C:\Windows\system32\SearchIndexer.exe[2484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077c01c70 5 bytes JMP 0000000077d602f0 .text C:\Windows\system32\SearchIndexer.exe[2484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077c01c80 5 bytes JMP 0000000077d60350 .text C:\Windows\system32\SearchIndexer.exe[2484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077c01ce0 5 bytes JMP 0000000077d60290 .text C:\Windows\system32\SearchIndexer.exe[2484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077c01d70 5 bytes JMP 0000000077d602b0 .text C:\Windows\system32\SearchIndexer.exe[2484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077c01d90 5 bytes JMP 0000000077d603d0 .text C:\Windows\system32\SearchIndexer.exe[2484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077c01da0 1 byte JMP 0000000077d60330 .text C:\Windows\system32\SearchIndexer.exe[2484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077c01da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\SearchIndexer.exe[2484] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077c01e10 5 bytes JMP 0000000077d60410 .text C:\Windows\system32\SearchIndexer.exe[2484] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077c01e40 5 bytes JMP 0000000077d60240 .text C:\Windows\system32\SearchIndexer.exe[2484] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077c02100 5 bytes JMP 0000000077d601e0 .text C:\Windows\system32\SearchIndexer.exe[2484] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077c021c0 1 byte JMP 0000000077d60250 .text C:\Windows\system32\SearchIndexer.exe[2484] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000077c021c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\SearchIndexer.exe[2484] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077c021f0 5 bytes JMP 0000000077d60490 .text C:\Windows\system32\SearchIndexer.exe[2484] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077c02200 5 bytes JMP 0000000077d604a0 .text C:\Windows\system32\SearchIndexer.exe[2484] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077c02230 5 bytes JMP 0000000077d60300 .text C:\Windows\system32\SearchIndexer.exe[2484] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077c02240 5 bytes JMP 0000000077d60360 .text C:\Windows\system32\SearchIndexer.exe[2484] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077c022a0 5 bytes JMP 0000000077d602a0 .text C:\Windows\system32\SearchIndexer.exe[2484] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077c022f0 5 bytes JMP 0000000077d602c0 .text C:\Windows\system32\SearchIndexer.exe[2484] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077c02320 5 bytes JMP 0000000077d60380 .text C:\Windows\system32\SearchIndexer.exe[2484] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077c02330 5 bytes JMP 0000000077d60340 .text C:\Windows\system32\SearchIndexer.exe[2484] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077c02620 5 bytes JMP 0000000077d60440 .text C:\Windows\system32\SearchIndexer.exe[2484] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077c02820 5 bytes JMP 0000000077d60260 .text C:\Windows\system32\SearchIndexer.exe[2484] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077c02830 5 bytes JMP 0000000077d60270 .text C:\Windows\system32\SearchIndexer.exe[2484] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077c02840 5 bytes JMP 0000000077d60400 .text C:\Windows\system32\SearchIndexer.exe[2484] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077c02a00 5 bytes JMP 0000000077d601f0 .text C:\Windows\system32\SearchIndexer.exe[2484] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077c02a10 5 bytes JMP 0000000077d60210 .text C:\Windows\system32\SearchIndexer.exe[2484] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077c02a80 5 bytes JMP 0000000077d60200 .text C:\Windows\system32\SearchIndexer.exe[2484] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077c02ae0 5 bytes JMP 0000000077d60420 .text C:\Windows\system32\SearchIndexer.exe[2484] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077c02af0 5 bytes JMP 0000000077d60430 .text C:\Windows\system32\SearchIndexer.exe[2484] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077c02b00 5 bytes JMP 0000000077d60220 .text C:\Windows\system32\SearchIndexer.exe[2484] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077c02be0 5 bytes JMP 0000000077d60280 .text C:\Windows\system32\SearchIndexer.exe[2484] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000779eeecd 1 byte [62] .text C:\Program Files (x86)\AutoInstall\ZD1211B_Auto_Install_CD_Only_Gen_0ACE20FF\AutoEJCD.EXE[2016] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000767fa322 1 byte [62] .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2740] C:\Windows\syswow64\kernel32.dll!SetUnhandledExceptionFilter 00000000767d87c9 8 bytes [31, C0, C2, 04, 00, 90, 90, ...] .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2740] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000767fa322 1 byte [62] .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2740] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075da1465 2 bytes [DA, 75] .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2740] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000075da14bb 2 bytes [DA, 75] .text ... * 2 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3136] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077c013c0 5 bytes JMP 0000000077d60460 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3136] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077c01410 5 bytes JMP 0000000077d60450 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3136] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077c01570 5 bytes JMP 0000000077d60370 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3136] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077c015c0 5 bytes JMP 0000000077d60470 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3136] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077c015d0 5 bytes JMP 0000000077d603e0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3136] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077c01680 5 bytes JMP 0000000077d60320 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3136] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077c016b0 5 bytes JMP 0000000077d603b0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3136] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077c016d0 5 bytes JMP 0000000077d60390 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3136] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077c01710 5 bytes JMP 0000000077d602e0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3136] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077c01790 5 bytes JMP 0000000077d602d0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3136] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077c017b0 5 bytes JMP 0000000077d60310 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3136] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077c017f0 5 bytes JMP 0000000077d603c0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3136] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077c01840 5 bytes JMP 0000000077d603f0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3136] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077c019a0 1 byte JMP 0000000077d60230 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3136] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000077c019a2 3 bytes {JMP 0x15e890} .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3136] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077c01b60 5 bytes JMP 0000000077d60480 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3136] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077c01b90 5 bytes JMP 0000000077d603a0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3136] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077c01c70 5 bytes JMP 0000000077d602f0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3136] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077c01c80 5 bytes JMP 0000000077d60350 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3136] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077c01ce0 5 bytes JMP 0000000077d60290 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3136] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077c01d70 5 bytes JMP 0000000077d602b0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3136] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077c01d90 5 bytes JMP 0000000077d603d0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3136] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077c01da0 1 byte JMP 0000000077d60330 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3136] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077c01da2 3 bytes {JMP 0x15e590} .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3136] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077c01e10 5 bytes JMP 0000000077d60410 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3136] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077c01e40 5 bytes JMP 0000000077d60240 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3136] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077c02100 5 bytes JMP 0000000077d601e0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3136] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077c021c0 1 byte JMP 0000000077d60250 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3136] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000077c021c2 3 bytes {JMP 0x15e090} .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3136] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077c021f0 5 bytes JMP 0000000077d60490 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3136] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077c02200 5 bytes JMP 0000000077d604a0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3136] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077c02230 5 bytes JMP 0000000077d60300 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3136] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077c02240 5 bytes JMP 0000000077d60360 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3136] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077c022a0 5 bytes JMP 0000000077d602a0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3136] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077c022f0 5 bytes JMP 0000000077d602c0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3136] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077c02320 5 bytes JMP 0000000077d60380 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3136] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077c02330 5 bytes JMP 0000000077d60340 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3136] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077c02620 5 bytes JMP 0000000077d60440 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3136] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077c02820 5 bytes JMP 0000000077d60260 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3136] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077c02830 5 bytes JMP 0000000077d60270 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3136] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077c02840 5 bytes JMP 0000000077d60400 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3136] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077c02a00 5 bytes JMP 0000000077d601f0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3136] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077c02a10 5 bytes JMP 0000000077d60210 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3136] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077c02a80 5 bytes JMP 0000000077d60200 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3136] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077c02ae0 5 bytes JMP 0000000077d60420 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3136] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077c02af0 5 bytes JMP 0000000077d60430 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3136] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077c02b00 5 bytes JMP 0000000077d60220 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3136] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077c02be0 5 bytes JMP 0000000077d60280 .text C:\Windows\system32\wbem\wmiprvse.exe[3440] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000779eeecd 1 byte [62] .text C:\Windows\System32\svchost.exe[3692] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077c013c0 5 bytes JMP 0000000100070460 .text C:\Windows\System32\svchost.exe[3692] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077c01410 5 bytes JMP 0000000100070450 .text C:\Windows\System32\svchost.exe[3692] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077c01570 5 bytes JMP 0000000100070370 .text C:\Windows\System32\svchost.exe[3692] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077c015c0 5 bytes JMP 0000000100070470 .text C:\Windows\System32\svchost.exe[3692] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077c015d0 5 bytes JMP 00000001000703e0 .text C:\Windows\System32\svchost.exe[3692] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077c01680 5 bytes JMP 0000000100070320 .text C:\Windows\System32\svchost.exe[3692] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077c016b0 5 bytes JMP 00000001000703b0 .text C:\Windows\System32\svchost.exe[3692] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077c016d0 5 bytes JMP 0000000100070390 .text C:\Windows\System32\svchost.exe[3692] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077c01710 5 bytes JMP 00000001000702e0 .text C:\Windows\System32\svchost.exe[3692] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077c01790 5 bytes JMP 00000001000702d0 .text C:\Windows\System32\svchost.exe[3692] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077c017b0 5 bytes JMP 0000000100070310 .text C:\Windows\System32\svchost.exe[3692] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077c017f0 5 bytes JMP 00000001000703c0 .text C:\Windows\System32\svchost.exe[3692] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077c01840 5 bytes JMP 00000001000703f0 .text C:\Windows\System32\svchost.exe[3692] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077c019a0 1 byte JMP 0000000100070230 .text C:\Windows\System32\svchost.exe[3692] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000077c019a2 3 bytes {JMP 0xffffffff8846e890} .text C:\Windows\System32\svchost.exe[3692] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077c01b60 5 bytes JMP 0000000100070480 .text C:\Windows\System32\svchost.exe[3692] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077c01b90 5 bytes JMP 00000001000703a0 .text C:\Windows\System32\svchost.exe[3692] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077c01c70 5 bytes JMP 00000001000702f0 .text C:\Windows\System32\svchost.exe[3692] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077c01c80 5 bytes JMP 0000000100070350 .text C:\Windows\System32\svchost.exe[3692] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077c01ce0 5 bytes JMP 0000000100070290 .text C:\Windows\System32\svchost.exe[3692] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077c01d70 5 bytes JMP 00000001000702b0 .text C:\Windows\System32\svchost.exe[3692] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077c01d90 5 bytes JMP 00000001000703d0 .text C:\Windows\System32\svchost.exe[3692] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077c01da0 1 byte JMP 0000000100070330 .text C:\Windows\System32\svchost.exe[3692] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077c01da2 3 bytes {JMP 0xffffffff8846e590} .text C:\Windows\System32\svchost.exe[3692] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077c01e10 5 bytes JMP 0000000100070410 .text C:\Windows\System32\svchost.exe[3692] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077c01e40 5 bytes JMP 0000000100070240 .text C:\Windows\System32\svchost.exe[3692] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077c02100 5 bytes JMP 00000001000701e0 .text C:\Windows\System32\svchost.exe[3692] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077c021c0 1 byte JMP 0000000100070250 .text C:\Windows\System32\svchost.exe[3692] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000077c021c2 3 bytes {JMP 0xffffffff8846e090} .text C:\Windows\System32\svchost.exe[3692] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077c021f0 5 bytes JMP 0000000100070490 .text C:\Windows\System32\svchost.exe[3692] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077c02200 5 bytes JMP 00000001000704a0 .text C:\Windows\System32\svchost.exe[3692] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077c02230 5 bytes JMP 0000000100070300 .text C:\Windows\System32\svchost.exe[3692] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077c02240 5 bytes JMP 0000000100070360 .text C:\Windows\System32\svchost.exe[3692] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077c022a0 5 bytes JMP 00000001000702a0 .text C:\Windows\System32\svchost.exe[3692] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077c022f0 5 bytes JMP 00000001000702c0 .text C:\Windows\System32\svchost.exe[3692] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077c02320 5 bytes JMP 0000000100070380 .text C:\Windows\System32\svchost.exe[3692] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077c02330 5 bytes JMP 0000000100070340 .text C:\Windows\System32\svchost.exe[3692] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077c02620 5 bytes JMP 0000000100070440 .text C:\Windows\System32\svchost.exe[3692] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077c02820 5 bytes JMP 0000000100070260 .text C:\Windows\System32\svchost.exe[3692] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077c02830 5 bytes JMP 0000000100070270 .text C:\Windows\System32\svchost.exe[3692] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077c02840 5 bytes JMP 0000000100070400 .text C:\Windows\System32\svchost.exe[3692] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077c02a00 5 bytes JMP 00000001000701f0 .text C:\Windows\System32\svchost.exe[3692] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077c02a10 5 bytes JMP 0000000100070210 .text C:\Windows\System32\svchost.exe[3692] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077c02a80 5 bytes JMP 0000000100070200 .text C:\Windows\System32\svchost.exe[3692] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077c02ae0 5 bytes JMP 0000000100070420 .text C:\Windows\System32\svchost.exe[3692] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077c02af0 5 bytes JMP 0000000100070430 .text C:\Windows\System32\svchost.exe[3692] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077c02b00 5 bytes JMP 0000000100070220 .text C:\Windows\System32\svchost.exe[3692] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077c02be0 5 bytes JMP 0000000100070280 .text C:\Users\Icek\Downloads\n3gd939c.exe[2492] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000767fa322 1 byte [62] ---- Processes - GMER 2.1 ---- Process C:\ProgramData\DatacardService\DCService.exe (*** suspicious ***) @ C:\ProgramData\DatacardService\DCService.exe [1468](2010-05-08 11:48:36) 0000000000400000 Process C:\ProgramData\DatacardService\DCSHelper.exe (*** suspicious ***) @ C:\ProgramData\DatacardService\DCSHelper.exe [1868] (DataCardMonitor MFC Application/Huawei Technologies Co., Ltd.)(2010-05-08 11:48:26) 0000000000400000 ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\f07bcbe04612 Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\f07bcbe04612@70d4f2756ec6 0xAF 0xA7 0xE7 0x3D ... Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\f07bcbe04612 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\f07bcbe04612@70d4f2756ec6 0xAF 0xA7 0xE7 0x3D ... ---- EOF - GMER 2.1 ----