GMER 2.1.19324 - http://www.gmer.net Rootkit scan 2014-01-21 18:28:38 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 Hitachi_HTS547550A9E384 rev.JE3OA60B 465,76GB Running: gmer.exe; Driver: C:\Users\UKASZ~1\AppData\Local\Temp\pgddqpoc.sys ---- User code sections - GMER 2.1 ---- .text C:\Windows\system32\csrss.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000772e1360 5 bytes JMP 000000014a5a0440 .text C:\Windows\system32\csrss.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000772e13b0 5 bytes JMP 000000014a5a0430 .text C:\Windows\system32\csrss.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000772e1560 5 bytes JMP 000000014a5a0450 .text C:\Windows\system32\csrss.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000772e1570 5 bytes JMP 000000014a5a03b0 .text C:\Windows\system32\csrss.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000772e1620 5 bytes JMP 000000014a5a0320 .text C:\Windows\system32\csrss.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000772e1650 5 bytes JMP 000000014a5a0380 .text C:\Windows\system32\csrss.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000772e16b0 5 bytes JMP 000000014a5a02e0 .text C:\Windows\system32\csrss.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 00000000772e1700 5 bytes JMP 000000014a5a0410 .text C:\Windows\system32\csrss.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000772e1730 5 bytes JMP 000000014a5a02d0 .text C:\Windows\system32\csrss.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000772e1750 5 bytes JMP 000000014a5a0310 .text C:\Windows\system32\csrss.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000772e1790 5 bytes JMP 000000014a5a0390 .text C:\Windows\system32\csrss.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000772e17e0 5 bytes JMP 000000014a5a03c0 .text C:\Windows\system32\csrss.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000772e1940 5 bytes JMP 000000014a5a0230 .text C:\Windows\system32\csrss.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000772e1b00 5 bytes JMP 000000014a5a0460 .text C:\Windows\system32\csrss.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000772e1b30 5 bytes JMP 000000014a5a0370 .text C:\Windows\system32\csrss.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000772e1c10 5 bytes JMP 000000014a5a02f0 .text C:\Windows\system32\csrss.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000772e1c20 5 bytes JMP 000000014a5a0350 .text C:\Windows\system32\csrss.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000772e1c80 5 bytes JMP 000000014a5a0290 .text C:\Windows\system32\csrss.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000772e1d10 5 bytes JMP 000000014a5a02b0 .text C:\Windows\system32\csrss.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000772e1d30 5 bytes JMP 000000014a5a03a0 .text C:\Windows\system32\csrss.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000772e1d40 5 bytes JMP 000000014a5a0330 .text C:\Windows\system32\csrss.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000772e1db0 5 bytes JMP 000000014a5a03e0 .text C:\Windows\system32\csrss.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000772e1de0 5 bytes JMP 000000014a5a0240 .text C:\Windows\system32\csrss.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000772e20a0 5 bytes JMP 000000014a5a01e0 .text C:\Windows\system32\csrss.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000772e2160 5 bytes JMP 000000014a5a0250 .text C:\Windows\system32\csrss.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000772e2190 5 bytes JMP 000000014a5a0470 .text C:\Windows\system32\csrss.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000772e21a0 5 bytes JMP 000000014a5a0480 .text C:\Windows\system32\csrss.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000772e21d0 5 bytes JMP 000000014a5a0300 .text C:\Windows\system32\csrss.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000772e21e0 5 bytes JMP 000000014a5a0360 .text C:\Windows\system32\csrss.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000772e2240 5 bytes JMP 000000014a5a02a0 .text C:\Windows\system32\csrss.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000772e2290 5 bytes JMP 000000014a5a02c0 .text C:\Windows\system32\csrss.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000772e22d0 5 bytes JMP 000000014a5a0340 .text C:\Windows\system32\csrss.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000772e25c0 5 bytes JMP 000000014a5a0420 .text C:\Windows\system32\csrss.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000772e27c0 5 bytes JMP 000000014a5a0260 .text C:\Windows\system32\csrss.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000772e27d0 5 bytes JMP 000000014a5a0270 .text C:\Windows\system32\csrss.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000772e27e0 5 bytes JMP 000000014a5a03d0 .text C:\Windows\system32\csrss.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000772e29a0 5 bytes JMP 000000014a5a01f0 .text C:\Windows\system32\csrss.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000772e29b0 5 bytes JMP 000000014a5a0210 .text C:\Windows\system32\csrss.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000772e2a20 5 bytes JMP 000000014a5a0200 .text C:\Windows\system32\csrss.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000772e2a80 5 bytes JMP 000000014a5a03f0 .text C:\Windows\system32\csrss.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000772e2a90 5 bytes JMP 000000014a5a0400 .text C:\Windows\system32\csrss.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000772e2aa0 5 bytes JMP 000000014a5a0220 .text C:\Windows\system32\csrss.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000772e2b80 5 bytes JMP 000000014a5a0280 .text C:\Windows\system32\wininit.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000772e1360 5 bytes JMP 0000000077440440 .text C:\Windows\system32\wininit.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000772e13b0 5 bytes JMP 0000000077440430 .text C:\Windows\system32\wininit.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000772e1560 5 bytes JMP 0000000077440450 .text C:\Windows\system32\wininit.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000772e1570 5 bytes JMP 00000000774403b0 .text C:\Windows\system32\wininit.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000772e1620 5 bytes JMP 0000000077440320 .text C:\Windows\system32\wininit.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000772e1650 5 bytes JMP 0000000077440380 .text C:\Windows\system32\wininit.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000772e16b0 5 bytes JMP 00000000774402e0 .text C:\Windows\system32\wininit.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 00000000772e1700 5 bytes JMP 0000000077440410 .text C:\Windows\system32\wininit.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000772e1730 5 bytes JMP 00000000774402d0 .text C:\Windows\system32\wininit.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000772e1750 5 bytes JMP 0000000077440310 .text C:\Windows\system32\wininit.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000772e1790 5 bytes JMP 0000000077440390 .text C:\Windows\system32\wininit.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000772e17e0 5 bytes JMP 00000000774403c0 .text C:\Windows\system32\wininit.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000772e1940 5 bytes JMP 0000000077440230 .text C:\Windows\system32\wininit.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000772e1b00 5 bytes JMP 0000000077440460 .text C:\Windows\system32\wininit.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000772e1b30 5 bytes JMP 0000000077440370 .text C:\Windows\system32\wininit.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000772e1c10 5 bytes JMP 00000000774402f0 .text C:\Windows\system32\wininit.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000772e1c20 5 bytes JMP 0000000077440350 .text C:\Windows\system32\wininit.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000772e1c80 5 bytes JMP 0000000077440290 .text C:\Windows\system32\wininit.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000772e1d10 5 bytes JMP 00000000774402b0 .text C:\Windows\system32\wininit.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000772e1d30 5 bytes JMP 00000000774403a0 .text C:\Windows\system32\wininit.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000772e1d40 5 bytes JMP 0000000077440330 .text C:\Windows\system32\wininit.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000772e1db0 5 bytes JMP 00000000774403e0 .text C:\Windows\system32\wininit.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000772e1de0 5 bytes JMP 0000000077440240 .text C:\Windows\system32\wininit.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000772e20a0 5 bytes JMP 00000000774401e0 .text C:\Windows\system32\wininit.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000772e2160 5 bytes JMP 0000000077440250 .text C:\Windows\system32\wininit.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000772e2190 5 bytes JMP 0000000077440470 .text C:\Windows\system32\wininit.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000772e21a0 5 bytes JMP 0000000077440480 .text C:\Windows\system32\wininit.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000772e21d0 5 bytes JMP 0000000077440300 .text C:\Windows\system32\wininit.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000772e21e0 5 bytes JMP 0000000077440360 .text C:\Windows\system32\wininit.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000772e2240 5 bytes JMP 00000000774402a0 .text C:\Windows\system32\wininit.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000772e2290 5 bytes JMP 00000000774402c0 .text C:\Windows\system32\wininit.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000772e22d0 5 bytes JMP 0000000077440340 .text C:\Windows\system32\wininit.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000772e25c0 5 bytes JMP 0000000077440420 .text C:\Windows\system32\wininit.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000772e27c0 5 bytes JMP 0000000077440260 .text C:\Windows\system32\wininit.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000772e27d0 5 bytes JMP 0000000077440270 .text C:\Windows\system32\wininit.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000772e27e0 5 bytes JMP 00000000774403d0 .text C:\Windows\system32\wininit.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000772e29a0 5 bytes JMP 00000000774401f0 .text C:\Windows\system32\wininit.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000772e29b0 5 bytes JMP 0000000077440210 .text C:\Windows\system32\wininit.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000772e2a20 5 bytes JMP 0000000077440200 .text C:\Windows\system32\wininit.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000772e2a80 5 bytes JMP 00000000774403f0 .text C:\Windows\system32\wininit.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000772e2a90 5 bytes JMP 0000000077440400 .text C:\Windows\system32\wininit.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000772e2aa0 5 bytes JMP 0000000077440220 .text C:\Windows\system32\wininit.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000772e2b80 5 bytes JMP 0000000077440280 .text C:\Windows\system32\wininit.exe[480] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000771ceecd 1 byte [62] .text C:\Windows\system32\csrss.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000772e1360 5 bytes JMP 000000014a5a0440 .text C:\Windows\system32\csrss.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000772e13b0 5 bytes JMP 000000014a5a0430 .text C:\Windows\system32\csrss.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000772e1560 5 bytes JMP 000000014a5a0450 .text C:\Windows\system32\csrss.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000772e1570 5 bytes JMP 000000014a5a03b0 .text C:\Windows\system32\csrss.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000772e1620 5 bytes JMP 000000014a5a0320 .text C:\Windows\system32\csrss.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000772e1650 5 bytes JMP 000000014a5a0380 .text C:\Windows\system32\csrss.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000772e16b0 5 bytes JMP 000000014a5a02e0 .text C:\Windows\system32\csrss.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 00000000772e1700 5 bytes JMP 000000014a5a0410 .text C:\Windows\system32\csrss.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000772e1730 5 bytes JMP 000000014a5a02d0 .text C:\Windows\system32\csrss.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000772e1750 5 bytes JMP 000000014a5a0310 .text C:\Windows\system32\csrss.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000772e1790 5 bytes JMP 000000014a5a0390 .text C:\Windows\system32\csrss.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000772e17e0 5 bytes JMP 000000014a5a03c0 .text C:\Windows\system32\csrss.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000772e1940 5 bytes JMP 000000014a5a0230 .text C:\Windows\system32\csrss.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000772e1b00 5 bytes JMP 000000014a5a0460 .text C:\Windows\system32\csrss.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000772e1b30 5 bytes JMP 000000014a5a0370 .text C:\Windows\system32\csrss.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000772e1c10 5 bytes JMP 000000014a5a02f0 .text C:\Windows\system32\csrss.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000772e1c20 5 bytes JMP 000000014a5a0350 .text C:\Windows\system32\csrss.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000772e1c80 5 bytes JMP 000000014a5a0290 .text C:\Windows\system32\csrss.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000772e1d10 5 bytes JMP 000000014a5a02b0 .text C:\Windows\system32\csrss.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000772e1d30 5 bytes JMP 000000014a5a03a0 .text C:\Windows\system32\csrss.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000772e1d40 5 bytes JMP 000000014a5a0330 .text C:\Windows\system32\csrss.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000772e1db0 5 bytes JMP 000000014a5a03e0 .text C:\Windows\system32\csrss.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000772e1de0 5 bytes JMP 000000014a5a0240 .text C:\Windows\system32\csrss.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000772e20a0 5 bytes JMP 000000014a5a01e0 .text C:\Windows\system32\csrss.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000772e2160 5 bytes JMP 000000014a5a0250 .text C:\Windows\system32\csrss.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000772e2190 5 bytes JMP 000000014a5a0470 .text C:\Windows\system32\csrss.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000772e21a0 5 bytes JMP 000000014a5a0480 .text C:\Windows\system32\csrss.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000772e21d0 5 bytes JMP 000000014a5a0300 .text C:\Windows\system32\csrss.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000772e21e0 5 bytes JMP 000000014a5a0360 .text C:\Windows\system32\csrss.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000772e2240 5 bytes JMP 000000014a5a02a0 .text C:\Windows\system32\csrss.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000772e2290 5 bytes JMP 000000014a5a02c0 .text C:\Windows\system32\csrss.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000772e22d0 5 bytes JMP 000000014a5a0340 .text C:\Windows\system32\csrss.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000772e25c0 5 bytes JMP 000000014a5a0420 .text C:\Windows\system32\csrss.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000772e27c0 5 bytes JMP 000000014a5a0260 .text C:\Windows\system32\csrss.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000772e27d0 5 bytes JMP 000000014a5a0270 .text C:\Windows\system32\csrss.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000772e27e0 5 bytes JMP 000000014a5a03d0 .text C:\Windows\system32\csrss.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000772e29a0 5 bytes JMP 000000014a5a01f0 .text C:\Windows\system32\csrss.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000772e29b0 5 bytes JMP 000000014a5a0210 .text C:\Windows\system32\csrss.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000772e2a20 5 bytes JMP 000000014a5a0200 .text C:\Windows\system32\csrss.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000772e2a80 5 bytes JMP 000000014a5a03f0 .text C:\Windows\system32\csrss.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000772e2a90 5 bytes JMP 000000014a5a0400 .text C:\Windows\system32\csrss.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000772e2aa0 5 bytes JMP 000000014a5a0220 .text C:\Windows\system32\csrss.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000772e2b80 5 bytes JMP 000000014a5a0280 .text C:\Windows\system32\services.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000772e1360 5 bytes JMP 0000000077440440 .text C:\Windows\system32\services.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000772e13b0 5 bytes JMP 0000000077440430 .text C:\Windows\system32\services.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000772e1560 5 bytes JMP 0000000077440450 .text C:\Windows\system32\services.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000772e1570 5 bytes JMP 00000000774403b0 .text C:\Windows\system32\services.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000772e1620 5 bytes JMP 0000000077440320 .text C:\Windows\system32\services.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000772e1650 5 bytes JMP 0000000077440380 .text C:\Windows\system32\services.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000772e16b0 5 bytes JMP 00000000774402e0 .text C:\Windows\system32\services.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 00000000772e1700 5 bytes JMP 0000000077440410 .text C:\Windows\system32\services.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000772e1730 5 bytes JMP 00000000774402d0 .text C:\Windows\system32\services.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000772e1750 5 bytes JMP 0000000077440310 .text C:\Windows\system32\services.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000772e1790 5 bytes JMP 0000000077440390 .text C:\Windows\system32\services.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000772e17e0 5 bytes JMP 00000000774403c0 .text C:\Windows\system32\services.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000772e1940 5 bytes JMP 0000000077440230 .text C:\Windows\system32\services.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000772e1b00 5 bytes JMP 0000000077440460 .text C:\Windows\system32\services.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000772e1b30 5 bytes JMP 0000000077440370 .text C:\Windows\system32\services.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000772e1c10 5 bytes JMP 00000000774402f0 .text C:\Windows\system32\services.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000772e1c20 5 bytes JMP 0000000077440350 .text C:\Windows\system32\services.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000772e1c80 5 bytes JMP 0000000077440290 .text C:\Windows\system32\services.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000772e1d10 5 bytes JMP 00000000774402b0 .text C:\Windows\system32\services.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000772e1d30 5 bytes JMP 00000000774403a0 .text C:\Windows\system32\services.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000772e1d40 5 bytes JMP 0000000077440330 .text C:\Windows\system32\services.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000772e1db0 5 bytes JMP 00000000774403e0 .text C:\Windows\system32\services.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000772e1de0 5 bytes JMP 0000000077440240 .text C:\Windows\system32\services.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000772e20a0 5 bytes JMP 00000000774401e0 .text C:\Windows\system32\services.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000772e2160 5 bytes JMP 0000000077440250 .text C:\Windows\system32\services.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000772e2190 5 bytes JMP 0000000077440470 .text C:\Windows\system32\services.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000772e21a0 5 bytes JMP 0000000077440480 .text C:\Windows\system32\services.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000772e21d0 5 bytes JMP 0000000077440300 .text C:\Windows\system32\services.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000772e21e0 5 bytes JMP 0000000077440360 .text C:\Windows\system32\services.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000772e2240 5 bytes JMP 00000000774402a0 .text C:\Windows\system32\services.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000772e2290 5 bytes JMP 00000000774402c0 .text C:\Windows\system32\services.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000772e22d0 5 bytes JMP 0000000077440340 .text C:\Windows\system32\services.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000772e25c0 5 bytes JMP 0000000077440420 .text C:\Windows\system32\services.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000772e27c0 5 bytes JMP 0000000077440260 .text C:\Windows\system32\services.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000772e27d0 5 bytes JMP 0000000077440270 .text C:\Windows\system32\services.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000772e27e0 5 bytes JMP 00000000774403d0 .text C:\Windows\system32\services.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000772e29a0 5 bytes JMP 00000000774401f0 .text C:\Windows\system32\services.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000772e29b0 5 bytes JMP 0000000077440210 .text C:\Windows\system32\services.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000772e2a20 5 bytes JMP 0000000077440200 .text C:\Windows\system32\services.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000772e2a80 5 bytes JMP 00000000774403f0 .text C:\Windows\system32\services.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000772e2a90 5 bytes JMP 0000000077440400 .text C:\Windows\system32\services.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000772e2aa0 5 bytes JMP 0000000077440220 .text C:\Windows\system32\services.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000772e2b80 5 bytes JMP 0000000077440280 .text C:\Windows\system32\services.exe[540] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000771ceecd 1 byte [62] .text C:\Windows\system32\lsass.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000772e1360 5 bytes JMP 0000000077440440 .text C:\Windows\system32\lsass.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000772e13b0 5 bytes JMP 0000000077440430 .text C:\Windows\system32\lsass.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000772e1560 5 bytes JMP 0000000077440450 .text C:\Windows\system32\lsass.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000772e1570 5 bytes JMP 00000000774403b0 .text C:\Windows\system32\lsass.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000772e1620 5 bytes JMP 0000000077440320 .text C:\Windows\system32\lsass.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000772e1650 5 bytes JMP 0000000077440380 .text C:\Windows\system32\lsass.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000772e16b0 5 bytes JMP 00000000774402e0 .text C:\Windows\system32\lsass.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 00000000772e1700 5 bytes JMP 0000000077440410 .text C:\Windows\system32\lsass.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000772e1730 5 bytes JMP 00000000774402d0 .text C:\Windows\system32\lsass.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000772e1750 5 bytes JMP 0000000077440310 .text C:\Windows\system32\lsass.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000772e1790 5 bytes JMP 0000000077440390 .text C:\Windows\system32\lsass.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000772e17e0 5 bytes JMP 00000000774403c0 .text C:\Windows\system32\lsass.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000772e1940 5 bytes JMP 0000000077440230 .text C:\Windows\system32\lsass.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000772e1b00 5 bytes JMP 0000000077440460 .text C:\Windows\system32\lsass.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000772e1b30 5 bytes JMP 0000000077440370 .text C:\Windows\system32\lsass.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000772e1c10 5 bytes JMP 00000000774402f0 .text C:\Windows\system32\lsass.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000772e1c20 5 bytes JMP 0000000077440350 .text C:\Windows\system32\lsass.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000772e1c80 5 bytes JMP 0000000077440290 .text C:\Windows\system32\lsass.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000772e1d10 5 bytes JMP 00000000774402b0 .text C:\Windows\system32\lsass.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000772e1d30 5 bytes JMP 00000000774403a0 .text C:\Windows\system32\lsass.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000772e1d40 5 bytes JMP 0000000077440330 .text C:\Windows\system32\lsass.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000772e1db0 5 bytes JMP 00000000774403e0 .text C:\Windows\system32\lsass.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000772e1de0 5 bytes JMP 0000000077440240 .text C:\Windows\system32\lsass.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000772e20a0 5 bytes JMP 00000000774401e0 .text C:\Windows\system32\lsass.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000772e2160 5 bytes JMP 0000000077440250 .text C:\Windows\system32\lsass.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000772e2190 5 bytes JMP 0000000077440470 .text C:\Windows\system32\lsass.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000772e21a0 5 bytes JMP 0000000077440480 .text C:\Windows\system32\lsass.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000772e21d0 5 bytes JMP 0000000077440300 .text C:\Windows\system32\lsass.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000772e21e0 5 bytes JMP 0000000077440360 .text C:\Windows\system32\lsass.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000772e2240 5 bytes JMP 00000000774402a0 .text C:\Windows\system32\lsass.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000772e2290 5 bytes JMP 00000000774402c0 .text C:\Windows\system32\lsass.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000772e22d0 5 bytes JMP 0000000077440340 .text C:\Windows\system32\lsass.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000772e25c0 5 bytes JMP 0000000077440420 .text C:\Windows\system32\lsass.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000772e27c0 5 bytes JMP 0000000077440260 .text C:\Windows\system32\lsass.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000772e27d0 5 bytes JMP 0000000077440270 .text C:\Windows\system32\lsass.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000772e27e0 5 bytes JMP 00000000774403d0 .text C:\Windows\system32\lsass.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000772e29a0 5 bytes JMP 00000000774401f0 .text C:\Windows\system32\lsass.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000772e29b0 5 bytes JMP 0000000077440210 .text C:\Windows\system32\lsass.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000772e2a20 5 bytes JMP 0000000077440200 .text C:\Windows\system32\lsass.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000772e2a80 5 bytes JMP 00000000774403f0 .text C:\Windows\system32\lsass.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000772e2a90 5 bytes JMP 0000000077440400 .text C:\Windows\system32\lsass.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000772e2aa0 5 bytes JMP 0000000077440220 .text C:\Windows\system32\lsass.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000772e2b80 5 bytes JMP 0000000077440280 .text C:\Windows\system32\lsm.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000772e1360 5 bytes JMP 0000000100070440 .text C:\Windows\system32\lsm.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000772e13b0 5 bytes JMP 0000000100070430 .text C:\Windows\system32\lsm.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000772e1560 5 bytes JMP 0000000100070450 .text C:\Windows\system32\lsm.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000772e1570 5 bytes JMP 00000001000703b0 .text C:\Windows\system32\lsm.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000772e1620 5 bytes JMP 0000000100070320 .text C:\Windows\system32\lsm.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000772e1650 5 bytes JMP 0000000100070380 .text C:\Windows\system32\lsm.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000772e16b0 5 bytes JMP 00000001000702e0 .text C:\Windows\system32\lsm.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 00000000772e1700 5 bytes JMP 0000000100070410 .text C:\Windows\system32\lsm.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000772e1730 5 bytes JMP 00000001000702d0 .text C:\Windows\system32\lsm.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000772e1750 5 bytes JMP 0000000100070310 .text C:\Windows\system32\lsm.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000772e1790 5 bytes JMP 0000000100070390 .text C:\Windows\system32\lsm.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000772e17e0 5 bytes JMP 00000001000703c0 .text C:\Windows\system32\lsm.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000772e1940 5 bytes JMP 0000000100070230 .text C:\Windows\system32\lsm.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000772e1b00 5 bytes JMP 0000000100070460 .text C:\Windows\system32\lsm.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000772e1b30 5 bytes JMP 0000000100070370 .text C:\Windows\system32\lsm.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000772e1c10 5 bytes JMP 00000001000702f0 .text C:\Windows\system32\lsm.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000772e1c20 5 bytes JMP 0000000100070350 .text C:\Windows\system32\lsm.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000772e1c80 5 bytes JMP 0000000100070290 .text C:\Windows\system32\lsm.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000772e1d10 5 bytes JMP 00000001000702b0 .text C:\Windows\system32\lsm.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000772e1d30 5 bytes JMP 00000001000703a0 .text C:\Windows\system32\lsm.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000772e1d40 5 bytes JMP 0000000100070330 .text C:\Windows\system32\lsm.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000772e1db0 5 bytes JMP 00000001000703e0 .text C:\Windows\system32\lsm.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000772e1de0 5 bytes JMP 0000000100070240 .text C:\Windows\system32\lsm.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000772e20a0 5 bytes JMP 00000001000701e0 .text C:\Windows\system32\lsm.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000772e2160 5 bytes JMP 0000000100070250 .text C:\Windows\system32\lsm.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000772e2190 5 bytes JMP 0000000100070470 .text C:\Windows\system32\lsm.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000772e21a0 5 bytes JMP 0000000100070480 .text C:\Windows\system32\lsm.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000772e21d0 5 bytes JMP 0000000100070300 .text C:\Windows\system32\lsm.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000772e21e0 5 bytes JMP 0000000100070360 .text C:\Windows\system32\lsm.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000772e2240 5 bytes JMP 00000001000702a0 .text C:\Windows\system32\lsm.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000772e2290 5 bytes JMP 00000001000702c0 .text C:\Windows\system32\lsm.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000772e22d0 5 bytes JMP 0000000100070340 .text C:\Windows\system32\lsm.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000772e25c0 5 bytes JMP 0000000100070420 .text C:\Windows\system32\lsm.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000772e27c0 5 bytes JMP 0000000100070260 .text C:\Windows\system32\lsm.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000772e27d0 5 bytes JMP 0000000100070270 .text C:\Windows\system32\lsm.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000772e27e0 5 bytes JMP 00000001000703d0 .text C:\Windows\system32\lsm.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000772e29a0 5 bytes JMP 00000001000701f0 .text C:\Windows\system32\lsm.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000772e29b0 5 bytes JMP 0000000100070210 .text C:\Windows\system32\lsm.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000772e2a20 5 bytes JMP 0000000100070200 .text C:\Windows\system32\lsm.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000772e2a80 5 bytes JMP 00000001000703f0 .text C:\Windows\system32\lsm.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000772e2a90 5 bytes JMP 0000000100070400 .text C:\Windows\system32\lsm.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000772e2aa0 5 bytes JMP 0000000100070220 .text C:\Windows\system32\lsm.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000772e2b80 5 bytes JMP 0000000100070280 .text C:\Windows\system32\winlogon.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000772e1360 5 bytes JMP 0000000077440440 .text C:\Windows\system32\winlogon.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000772e13b0 5 bytes JMP 0000000077440430 .text C:\Windows\system32\winlogon.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000772e1560 5 bytes JMP 0000000077440450 .text C:\Windows\system32\winlogon.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000772e1570 5 bytes JMP 00000000774403b0 .text C:\Windows\system32\winlogon.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000772e1620 5 bytes JMP 0000000077440320 .text C:\Windows\system32\winlogon.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000772e1650 5 bytes JMP 0000000077440380 .text C:\Windows\system32\winlogon.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000772e16b0 5 bytes JMP 00000000774402e0 .text C:\Windows\system32\winlogon.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 00000000772e1700 5 bytes JMP 0000000077440410 .text C:\Windows\system32\winlogon.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000772e1730 5 bytes JMP 00000000774402d0 .text C:\Windows\system32\winlogon.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000772e1750 5 bytes JMP 0000000077440310 .text C:\Windows\system32\winlogon.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000772e1790 5 bytes JMP 0000000077440390 .text C:\Windows\system32\winlogon.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000772e17e0 5 bytes JMP 00000000774403c0 .text C:\Windows\system32\winlogon.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000772e1940 5 bytes JMP 0000000077440230 .text C:\Windows\system32\winlogon.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000772e1b00 5 bytes JMP 0000000077440460 .text C:\Windows\system32\winlogon.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000772e1b30 5 bytes JMP 0000000077440370 .text C:\Windows\system32\winlogon.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000772e1c10 5 bytes JMP 00000000774402f0 .text C:\Windows\system32\winlogon.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000772e1c20 5 bytes JMP 0000000077440350 .text C:\Windows\system32\winlogon.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000772e1c80 5 bytes JMP 0000000077440290 .text C:\Windows\system32\winlogon.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000772e1d10 5 bytes JMP 00000000774402b0 .text C:\Windows\system32\winlogon.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000772e1d30 5 bytes JMP 00000000774403a0 .text C:\Windows\system32\winlogon.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000772e1d40 5 bytes JMP 0000000077440330 .text C:\Windows\system32\winlogon.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000772e1db0 5 bytes JMP 00000000774403e0 .text C:\Windows\system32\winlogon.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000772e1de0 5 bytes JMP 0000000077440240 .text C:\Windows\system32\winlogon.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000772e20a0 5 bytes JMP 00000000774401e0 .text C:\Windows\system32\winlogon.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000772e2160 5 bytes JMP 0000000077440250 .text C:\Windows\system32\winlogon.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000772e2190 5 bytes JMP 0000000077440470 .text C:\Windows\system32\winlogon.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000772e21a0 5 bytes JMP 0000000077440480 .text C:\Windows\system32\winlogon.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000772e21d0 5 bytes JMP 0000000077440300 .text C:\Windows\system32\winlogon.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000772e21e0 5 bytes JMP 0000000077440360 .text C:\Windows\system32\winlogon.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000772e2240 5 bytes JMP 00000000774402a0 .text C:\Windows\system32\winlogon.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000772e2290 5 bytes JMP 00000000774402c0 .text C:\Windows\system32\winlogon.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000772e22d0 5 bytes JMP 0000000077440340 .text C:\Windows\system32\winlogon.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000772e25c0 5 bytes JMP 0000000077440420 .text C:\Windows\system32\winlogon.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000772e27c0 5 bytes JMP 0000000077440260 .text C:\Windows\system32\winlogon.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000772e27d0 5 bytes JMP 0000000077440270 .text C:\Windows\system32\winlogon.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000772e27e0 5 bytes JMP 00000000774403d0 .text C:\Windows\system32\winlogon.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000772e29a0 5 bytes JMP 00000000774401f0 .text C:\Windows\system32\winlogon.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000772e29b0 5 bytes JMP 0000000077440210 .text C:\Windows\system32\winlogon.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000772e2a20 5 bytes JMP 0000000077440200 .text C:\Windows\system32\winlogon.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000772e2a80 5 bytes JMP 00000000774403f0 .text C:\Windows\system32\winlogon.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000772e2a90 5 bytes JMP 0000000077440400 .text C:\Windows\system32\winlogon.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000772e2aa0 5 bytes JMP 0000000077440220 .text C:\Windows\system32\winlogon.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000772e2b80 5 bytes JMP 0000000077440280 .text C:\Windows\system32\winlogon.exe[616] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000771ceecd 1 byte [62] .text C:\Windows\system32\svchost.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000772e1360 5 bytes JMP 0000000077440440 .text C:\Windows\system32\svchost.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000772e13b0 5 bytes JMP 0000000077440430 .text C:\Windows\system32\svchost.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000772e1560 5 bytes JMP 0000000077440450 .text C:\Windows\system32\svchost.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000772e1570 5 bytes JMP 00000000774403b0 .text C:\Windows\system32\svchost.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000772e1620 5 bytes JMP 0000000077440320 .text C:\Windows\system32\svchost.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000772e1650 5 bytes JMP 0000000077440380 .text C:\Windows\system32\svchost.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000772e16b0 5 bytes JMP 00000000774402e0 .text C:\Windows\system32\svchost.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 00000000772e1700 5 bytes JMP 0000000077440410 .text C:\Windows\system32\svchost.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000772e1730 5 bytes JMP 00000000774402d0 .text C:\Windows\system32\svchost.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000772e1750 5 bytes JMP 0000000077440310 .text C:\Windows\system32\svchost.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000772e1790 5 bytes JMP 0000000077440390 .text C:\Windows\system32\svchost.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000772e17e0 5 bytes JMP 00000000774403c0 .text C:\Windows\system32\svchost.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000772e1940 5 bytes JMP 0000000077440230 .text C:\Windows\system32\svchost.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000772e1b00 5 bytes JMP 0000000077440460 .text C:\Windows\system32\svchost.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000772e1b30 5 bytes JMP 0000000077440370 .text C:\Windows\system32\svchost.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000772e1c10 5 bytes JMP 00000000774402f0 .text C:\Windows\system32\svchost.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000772e1c20 5 bytes JMP 0000000077440350 .text C:\Windows\system32\svchost.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000772e1c80 5 bytes JMP 0000000077440290 .text C:\Windows\system32\svchost.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000772e1d10 5 bytes JMP 00000000774402b0 .text C:\Windows\system32\svchost.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000772e1d30 5 bytes JMP 00000000774403a0 .text C:\Windows\system32\svchost.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000772e1d40 5 bytes JMP 0000000077440330 .text C:\Windows\system32\svchost.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000772e1db0 5 bytes JMP 00000000774403e0 .text C:\Windows\system32\svchost.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000772e1de0 5 bytes JMP 0000000077440240 .text C:\Windows\system32\svchost.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000772e20a0 5 bytes JMP 00000000774401e0 .text C:\Windows\system32\svchost.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000772e2160 5 bytes JMP 0000000077440250 .text C:\Windows\system32\svchost.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000772e2190 5 bytes JMP 0000000077440470 .text C:\Windows\system32\svchost.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000772e21a0 5 bytes JMP 0000000077440480 .text C:\Windows\system32\svchost.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000772e21d0 5 bytes JMP 0000000077440300 .text C:\Windows\system32\svchost.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000772e21e0 5 bytes JMP 0000000077440360 .text C:\Windows\system32\svchost.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000772e2240 5 bytes JMP 00000000774402a0 .text C:\Windows\system32\svchost.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000772e2290 5 bytes JMP 00000000774402c0 .text C:\Windows\system32\svchost.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000772e22d0 5 bytes JMP 0000000077440340 .text C:\Windows\system32\svchost.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000772e25c0 5 bytes JMP 0000000077440420 .text C:\Windows\system32\svchost.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000772e27c0 5 bytes JMP 0000000077440260 .text C:\Windows\system32\svchost.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000772e27d0 5 bytes JMP 0000000077440270 .text C:\Windows\system32\svchost.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000772e27e0 5 bytes JMP 00000000774403d0 .text C:\Windows\system32\svchost.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000772e29a0 5 bytes JMP 00000000774401f0 .text C:\Windows\system32\svchost.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000772e29b0 5 bytes JMP 0000000077440210 .text C:\Windows\system32\svchost.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000772e2a20 5 bytes JMP 0000000077440200 .text C:\Windows\system32\svchost.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000772e2a80 5 bytes JMP 00000000774403f0 .text C:\Windows\system32\svchost.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000772e2a90 5 bytes JMP 0000000077440400 .text C:\Windows\system32\svchost.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000772e2aa0 5 bytes JMP 0000000077440220 .text C:\Windows\system32\svchost.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000772e2b80 5 bytes JMP 0000000077440280 .text C:\Windows\system32\svchost.exe[700] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000771ceecd 1 byte [62] .text C:\Windows\system32\svchost.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000772e1360 5 bytes JMP 0000000077440440 .text C:\Windows\system32\svchost.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000772e13b0 5 bytes JMP 0000000077440430 .text C:\Windows\system32\svchost.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000772e1560 5 bytes JMP 0000000077440450 .text C:\Windows\system32\svchost.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000772e1570 5 bytes JMP 00000000774403b0 .text C:\Windows\system32\svchost.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000772e1620 5 bytes JMP 0000000077440320 .text C:\Windows\system32\svchost.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000772e1650 5 bytes JMP 0000000077440380 .text C:\Windows\system32\svchost.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000772e16b0 5 bytes JMP 00000000774402e0 .text C:\Windows\system32\svchost.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 00000000772e1700 5 bytes JMP 0000000077440410 .text C:\Windows\system32\svchost.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000772e1730 5 bytes JMP 00000000774402d0 .text C:\Windows\system32\svchost.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000772e1750 5 bytes JMP 0000000077440310 .text C:\Windows\system32\svchost.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000772e1790 5 bytes JMP 0000000077440390 .text C:\Windows\system32\svchost.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000772e17e0 5 bytes JMP 00000000774403c0 .text C:\Windows\system32\svchost.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000772e1940 5 bytes JMP 0000000077440230 .text C:\Windows\system32\svchost.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000772e1b00 5 bytes JMP 0000000077440460 .text C:\Windows\system32\svchost.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000772e1b30 5 bytes JMP 0000000077440370 .text C:\Windows\system32\svchost.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000772e1c10 5 bytes JMP 00000000774402f0 .text C:\Windows\system32\svchost.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000772e1c20 5 bytes JMP 0000000077440350 .text C:\Windows\system32\svchost.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000772e1c80 5 bytes JMP 0000000077440290 .text C:\Windows\system32\svchost.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000772e1d10 5 bytes JMP 00000000774402b0 .text C:\Windows\system32\svchost.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000772e1d30 5 bytes JMP 00000000774403a0 .text C:\Windows\system32\svchost.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000772e1d40 5 bytes JMP 0000000077440330 .text C:\Windows\system32\svchost.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000772e1db0 5 bytes JMP 00000000774403e0 .text C:\Windows\system32\svchost.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000772e1de0 5 bytes JMP 0000000077440240 .text C:\Windows\system32\svchost.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000772e20a0 5 bytes JMP 00000000774401e0 .text C:\Windows\system32\svchost.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000772e2160 5 bytes JMP 0000000077440250 .text C:\Windows\system32\svchost.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000772e2190 5 bytes JMP 0000000077440470 .text C:\Windows\system32\svchost.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000772e21a0 5 bytes JMP 0000000077440480 .text C:\Windows\system32\svchost.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000772e21d0 5 bytes JMP 0000000077440300 .text C:\Windows\system32\svchost.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000772e21e0 5 bytes JMP 0000000077440360 .text C:\Windows\system32\svchost.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000772e2240 5 bytes JMP 00000000774402a0 .text C:\Windows\system32\svchost.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000772e2290 5 bytes JMP 00000000774402c0 .text C:\Windows\system32\svchost.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000772e22d0 5 bytes JMP 0000000077440340 .text C:\Windows\system32\svchost.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000772e25c0 5 bytes JMP 0000000077440420 .text C:\Windows\system32\svchost.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000772e27c0 5 bytes JMP 0000000077440260 .text C:\Windows\system32\svchost.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000772e27d0 5 bytes JMP 0000000077440270 .text C:\Windows\system32\svchost.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000772e27e0 5 bytes JMP 00000000774403d0 .text C:\Windows\system32\svchost.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000772e29a0 5 bytes JMP 00000000774401f0 .text C:\Windows\system32\svchost.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000772e29b0 5 bytes JMP 0000000077440210 .text C:\Windows\system32\svchost.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000772e2a20 5 bytes JMP 0000000077440200 .text C:\Windows\system32\svchost.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000772e2a80 5 bytes JMP 00000000774403f0 .text C:\Windows\system32\svchost.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000772e2a90 5 bytes JMP 0000000077440400 .text C:\Windows\system32\svchost.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000772e2aa0 5 bytes JMP 0000000077440220 .text C:\Windows\system32\svchost.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000772e2b80 5 bytes JMP 0000000077440280 .text C:\Windows\system32\atiesrxx.exe[840] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000771ceecd 1 byte [62] .text C:\Windows\System32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000772e1360 5 bytes JMP 0000000077440440 .text C:\Windows\System32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000772e13b0 5 bytes JMP 0000000077440430 .text C:\Windows\System32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000772e1560 5 bytes JMP 0000000077440450 .text C:\Windows\System32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000772e1570 5 bytes JMP 00000000774403b0 .text C:\Windows\System32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000772e1620 5 bytes JMP 0000000077440320 .text C:\Windows\System32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000772e1650 5 bytes JMP 0000000077440380 .text C:\Windows\System32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000772e16b0 5 bytes JMP 00000000774402e0 .text C:\Windows\System32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 00000000772e1700 5 bytes JMP 0000000077440410 .text C:\Windows\System32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000772e1730 5 bytes JMP 00000000774402d0 .text C:\Windows\System32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000772e1750 5 bytes JMP 0000000077440310 .text C:\Windows\System32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000772e1790 5 bytes JMP 0000000077440390 .text C:\Windows\System32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000772e17e0 5 bytes JMP 00000000774403c0 .text C:\Windows\System32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000772e1940 5 bytes JMP 0000000077440230 .text C:\Windows\System32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000772e1b00 5 bytes JMP 0000000077440460 .text C:\Windows\System32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000772e1b30 5 bytes JMP 0000000077440370 .text C:\Windows\System32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000772e1c10 5 bytes JMP 00000000774402f0 .text C:\Windows\System32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000772e1c20 5 bytes JMP 0000000077440350 .text C:\Windows\System32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000772e1c80 5 bytes JMP 0000000077440290 .text C:\Windows\System32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000772e1d10 5 bytes JMP 00000000774402b0 .text C:\Windows\System32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000772e1d30 5 bytes JMP 00000000774403a0 .text C:\Windows\System32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000772e1d40 5 bytes JMP 0000000077440330 .text C:\Windows\System32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000772e1db0 5 bytes JMP 00000000774403e0 .text C:\Windows\System32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000772e1de0 5 bytes JMP 0000000077440240 .text C:\Windows\System32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000772e20a0 5 bytes JMP 00000000774401e0 .text C:\Windows\System32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000772e2160 5 bytes JMP 0000000077440250 .text C:\Windows\System32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000772e2190 5 bytes JMP 0000000077440470 .text C:\Windows\System32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000772e21a0 5 bytes JMP 0000000077440480 .text C:\Windows\System32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000772e21d0 5 bytes JMP 0000000077440300 .text C:\Windows\System32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000772e21e0 5 bytes JMP 0000000077440360 .text C:\Windows\System32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000772e2240 5 bytes JMP 00000000774402a0 .text C:\Windows\System32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000772e2290 5 bytes JMP 00000000774402c0 .text C:\Windows\System32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000772e22d0 5 bytes JMP 0000000077440340 .text C:\Windows\System32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000772e25c0 5 bytes JMP 0000000077440420 .text C:\Windows\System32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000772e27c0 5 bytes JMP 0000000077440260 .text C:\Windows\System32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000772e27d0 5 bytes JMP 0000000077440270 .text C:\Windows\System32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000772e27e0 5 bytes JMP 00000000774403d0 .text C:\Windows\System32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000772e29a0 5 bytes JMP 00000000774401f0 .text C:\Windows\System32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000772e29b0 5 bytes JMP 0000000077440210 .text C:\Windows\System32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000772e2a20 5 bytes JMP 0000000077440200 .text C:\Windows\System32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000772e2a80 5 bytes JMP 00000000774403f0 .text C:\Windows\System32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000772e2a90 5 bytes JMP 0000000077440400 .text C:\Windows\System32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000772e2aa0 5 bytes JMP 0000000077440220 .text C:\Windows\System32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000772e2b80 5 bytes JMP 0000000077440280 .text C:\Windows\System32\svchost.exe[928] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000771ceecd 1 byte [62] .text C:\Windows\System32\svchost.exe[972] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000772e1360 5 bytes JMP 0000000077440440 .text C:\Windows\System32\svchost.exe[972] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000772e13b0 5 bytes JMP 0000000077440430 .text C:\Windows\System32\svchost.exe[972] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000772e1560 5 bytes JMP 0000000077440450 .text C:\Windows\System32\svchost.exe[972] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000772e1570 5 bytes JMP 00000000774403b0 .text C:\Windows\System32\svchost.exe[972] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000772e1620 5 bytes JMP 0000000077440320 .text C:\Windows\System32\svchost.exe[972] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000772e1650 5 bytes JMP 0000000077440380 .text C:\Windows\System32\svchost.exe[972] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000772e16b0 5 bytes JMP 00000000774402e0 .text C:\Windows\System32\svchost.exe[972] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 00000000772e1700 5 bytes JMP 0000000077440410 .text C:\Windows\System32\svchost.exe[972] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000772e1730 5 bytes JMP 00000000774402d0 .text C:\Windows\System32\svchost.exe[972] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000772e1750 5 bytes JMP 0000000077440310 .text C:\Windows\System32\svchost.exe[972] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000772e1790 5 bytes JMP 0000000077440390 .text C:\Windows\System32\svchost.exe[972] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000772e17e0 5 bytes JMP 00000000774403c0 .text C:\Windows\System32\svchost.exe[972] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000772e1940 5 bytes JMP 0000000077440230 .text C:\Windows\System32\svchost.exe[972] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000772e1b00 5 bytes JMP 0000000077440460 .text C:\Windows\System32\svchost.exe[972] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000772e1b30 5 bytes JMP 0000000077440370 .text C:\Windows\System32\svchost.exe[972] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000772e1c10 5 bytes JMP 00000000774402f0 .text C:\Windows\System32\svchost.exe[972] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000772e1c20 5 bytes JMP 0000000077440350 .text C:\Windows\System32\svchost.exe[972] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000772e1c80 5 bytes JMP 0000000077440290 .text C:\Windows\System32\svchost.exe[972] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000772e1d10 5 bytes JMP 00000000774402b0 .text C:\Windows\System32\svchost.exe[972] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000772e1d30 5 bytes JMP 00000000774403a0 .text C:\Windows\System32\svchost.exe[972] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000772e1d40 5 bytes JMP 0000000077440330 .text C:\Windows\System32\svchost.exe[972] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000772e1db0 5 bytes JMP 00000000774403e0 .text C:\Windows\System32\svchost.exe[972] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000772e1de0 5 bytes JMP 0000000077440240 .text C:\Windows\System32\svchost.exe[972] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000772e20a0 5 bytes JMP 00000000774401e0 .text C:\Windows\System32\svchost.exe[972] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000772e2160 5 bytes JMP 0000000077440250 .text C:\Windows\System32\svchost.exe[972] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000772e2190 5 bytes JMP 0000000077440470 .text C:\Windows\System32\svchost.exe[972] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000772e21a0 5 bytes JMP 0000000077440480 .text C:\Windows\System32\svchost.exe[972] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000772e21d0 5 bytes JMP 0000000077440300 .text C:\Windows\System32\svchost.exe[972] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000772e21e0 5 bytes JMP 0000000077440360 .text C:\Windows\System32\svchost.exe[972] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000772e2240 5 bytes JMP 00000000774402a0 .text C:\Windows\System32\svchost.exe[972] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000772e2290 5 bytes JMP 00000000774402c0 .text C:\Windows\System32\svchost.exe[972] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000772e22d0 5 bytes JMP 0000000077440340 .text C:\Windows\System32\svchost.exe[972] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000772e25c0 5 bytes JMP 0000000077440420 .text C:\Windows\System32\svchost.exe[972] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000772e27c0 5 bytes JMP 0000000077440260 .text C:\Windows\System32\svchost.exe[972] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000772e27d0 5 bytes JMP 0000000077440270 .text C:\Windows\System32\svchost.exe[972] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000772e27e0 5 bytes JMP 00000000774403d0 .text C:\Windows\System32\svchost.exe[972] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000772e29a0 5 bytes JMP 00000000774401f0 .text C:\Windows\System32\svchost.exe[972] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000772e29b0 5 bytes JMP 0000000077440210 .text C:\Windows\System32\svchost.exe[972] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000772e2a20 5 bytes JMP 0000000077440200 .text C:\Windows\System32\svchost.exe[972] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000772e2a80 5 bytes JMP 00000000774403f0 .text C:\Windows\System32\svchost.exe[972] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000772e2a90 5 bytes JMP 0000000077440400 .text C:\Windows\System32\svchost.exe[972] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000772e2aa0 5 bytes JMP 0000000077440220 .text C:\Windows\System32\svchost.exe[972] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000772e2b80 5 bytes JMP 0000000077440280 .text C:\Windows\System32\svchost.exe[972] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000771ceecd 1 byte [62] .text C:\Windows\system32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000772e1360 5 bytes JMP 0000000100070440 .text C:\Windows\system32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000772e13b0 5 bytes JMP 0000000100070430 .text C:\Windows\system32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000772e1560 5 bytes JMP 0000000100070450 .text C:\Windows\system32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000772e1570 5 bytes JMP 00000001000703b0 .text C:\Windows\system32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000772e1620 5 bytes JMP 0000000100070320 .text C:\Windows\system32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000772e1650 5 bytes JMP 0000000100070380 .text C:\Windows\system32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000772e16b0 5 bytes JMP 00000001000702e0 .text C:\Windows\system32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 00000000772e1700 5 bytes JMP 0000000100070410 .text C:\Windows\system32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000772e1730 5 bytes JMP 00000001000702d0 .text C:\Windows\system32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000772e1750 5 bytes JMP 0000000100070310 .text C:\Windows\system32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000772e1790 5 bytes JMP 0000000100070390 .text C:\Windows\system32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000772e17e0 5 bytes JMP 00000001000703c0 .text C:\Windows\system32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000772e1940 5 bytes JMP 0000000100070230 .text C:\Windows\system32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000772e1b00 5 bytes JMP 0000000100070460 .text C:\Windows\system32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000772e1b30 5 bytes JMP 0000000100070370 .text C:\Windows\system32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000772e1c10 5 bytes JMP 00000001000702f0 .text C:\Windows\system32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000772e1c20 5 bytes JMP 0000000100070350 .text C:\Windows\system32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000772e1c80 5 bytes JMP 0000000100070290 .text C:\Windows\system32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000772e1d10 5 bytes JMP 00000001000702b0 .text C:\Windows\system32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000772e1d30 5 bytes JMP 00000001000703a0 .text C:\Windows\system32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000772e1d40 5 bytes JMP 0000000100070330 .text C:\Windows\system32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000772e1db0 5 bytes JMP 00000001000703e0 .text C:\Windows\system32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000772e1de0 5 bytes JMP 0000000100070240 .text C:\Windows\system32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000772e20a0 5 bytes JMP 00000001000701e0 .text C:\Windows\system32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000772e2160 5 bytes JMP 0000000100070250 .text C:\Windows\system32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000772e2190 5 bytes JMP 0000000100070470 .text C:\Windows\system32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000772e21a0 5 bytes JMP 0000000100070480 .text C:\Windows\system32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000772e21d0 5 bytes JMP 0000000100070300 .text C:\Windows\system32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000772e21e0 5 bytes JMP 0000000100070360 .text C:\Windows\system32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000772e2240 5 bytes JMP 00000001000702a0 .text C:\Windows\system32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000772e2290 5 bytes JMP 00000001000702c0 .text C:\Windows\system32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000772e22d0 5 bytes JMP 0000000100070340 .text C:\Windows\system32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000772e25c0 5 bytes JMP 0000000100070420 .text C:\Windows\system32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000772e27c0 5 bytes JMP 0000000100070260 .text C:\Windows\system32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000772e27d0 5 bytes JMP 0000000100070270 .text C:\Windows\system32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000772e27e0 5 bytes JMP 00000001000703d0 .text C:\Windows\system32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000772e29a0 5 bytes JMP 00000001000701f0 .text C:\Windows\system32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000772e29b0 5 bytes JMP 0000000100070210 .text C:\Windows\system32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000772e2a20 5 bytes JMP 0000000100070200 .text C:\Windows\system32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000772e2a80 5 bytes JMP 00000001000703f0 .text C:\Windows\system32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000772e2a90 5 bytes JMP 0000000100070400 .text C:\Windows\system32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000772e2aa0 5 bytes JMP 0000000100070220 .text C:\Windows\system32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000772e2b80 5 bytes JMP 0000000100070280 .text C:\Windows\system32\svchost.exe[1000] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000771ceecd 1 byte [62] .text C:\Windows\system32\svchost.exe[108] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000772e1360 5 bytes JMP 0000000100070440 .text C:\Windows\system32\svchost.exe[108] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000772e13b0 5 bytes JMP 0000000100070430 .text C:\Windows\system32\svchost.exe[108] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000772e1560 5 bytes JMP 0000000100070450 .text C:\Windows\system32\svchost.exe[108] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000772e1570 5 bytes JMP 00000001000703b0 .text C:\Windows\system32\svchost.exe[108] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000772e1620 5 bytes JMP 0000000100070320 .text C:\Windows\system32\svchost.exe[108] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000772e1650 5 bytes JMP 0000000100070380 .text C:\Windows\system32\svchost.exe[108] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000772e16b0 5 bytes JMP 00000001000702e0 .text C:\Windows\system32\svchost.exe[108] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 00000000772e1700 5 bytes JMP 0000000100070410 .text C:\Windows\system32\svchost.exe[108] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000772e1730 5 bytes JMP 00000001000702d0 .text C:\Windows\system32\svchost.exe[108] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000772e1750 5 bytes JMP 0000000100070310 .text C:\Windows\system32\svchost.exe[108] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000772e1790 5 bytes JMP 0000000100070390 .text C:\Windows\system32\svchost.exe[108] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000772e17e0 5 bytes JMP 00000001000703c0 .text C:\Windows\system32\svchost.exe[108] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000772e1940 5 bytes JMP 0000000100070230 .text C:\Windows\system32\svchost.exe[108] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000772e1b00 5 bytes JMP 0000000100070460 .text C:\Windows\system32\svchost.exe[108] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000772e1b30 5 bytes JMP 0000000100070370 .text C:\Windows\system32\svchost.exe[108] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000772e1c10 5 bytes JMP 00000001000702f0 .text C:\Windows\system32\svchost.exe[108] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000772e1c20 5 bytes JMP 0000000100070350 .text C:\Windows\system32\svchost.exe[108] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000772e1c80 5 bytes JMP 0000000100070290 .text C:\Windows\system32\svchost.exe[108] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000772e1d10 5 bytes JMP 00000001000702b0 .text C:\Windows\system32\svchost.exe[108] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000772e1d30 5 bytes JMP 00000001000703a0 .text C:\Windows\system32\svchost.exe[108] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000772e1d40 5 bytes JMP 0000000100070330 .text C:\Windows\system32\svchost.exe[108] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000772e1db0 5 bytes JMP 00000001000703e0 .text C:\Windows\system32\svchost.exe[108] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000772e1de0 5 bytes JMP 0000000100070240 .text C:\Windows\system32\svchost.exe[108] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000772e20a0 5 bytes JMP 00000001000701e0 .text C:\Windows\system32\svchost.exe[108] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000772e2160 5 bytes JMP 0000000100070250 .text C:\Windows\system32\svchost.exe[108] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000772e2190 5 bytes JMP 0000000100070470 .text C:\Windows\system32\svchost.exe[108] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000772e21a0 5 bytes JMP 0000000100070480 .text C:\Windows\system32\svchost.exe[108] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000772e21d0 5 bytes JMP 0000000100070300 .text C:\Windows\system32\svchost.exe[108] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000772e21e0 5 bytes JMP 0000000100070360 .text C:\Windows\system32\svchost.exe[108] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000772e2240 5 bytes JMP 00000001000702a0 .text C:\Windows\system32\svchost.exe[108] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000772e2290 5 bytes JMP 00000001000702c0 .text C:\Windows\system32\svchost.exe[108] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000772e22d0 5 bytes JMP 0000000100070340 .text C:\Windows\system32\svchost.exe[108] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000772e25c0 5 bytes JMP 0000000100070420 .text C:\Windows\system32\svchost.exe[108] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000772e27c0 5 bytes JMP 0000000100070260 .text C:\Windows\system32\svchost.exe[108] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000772e27d0 5 bytes JMP 0000000100070270 .text C:\Windows\system32\svchost.exe[108] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000772e27e0 5 bytes JMP 00000001000703d0 .text C:\Windows\system32\svchost.exe[108] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000772e29a0 5 bytes JMP 00000001000701f0 .text C:\Windows\system32\svchost.exe[108] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000772e29b0 5 bytes JMP 0000000100070210 .text C:\Windows\system32\svchost.exe[108] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000772e2a20 5 bytes JMP 0000000100070200 .text C:\Windows\system32\svchost.exe[108] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000772e2a80 5 bytes JMP 00000001000703f0 .text C:\Windows\system32\svchost.exe[108] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000772e2a90 5 bytes JMP 0000000100070400 .text C:\Windows\system32\svchost.exe[108] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000772e2aa0 5 bytes JMP 0000000100070220 .text C:\Windows\system32\svchost.exe[108] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000772e2b80 5 bytes JMP 0000000100070280 .text C:\Windows\system32\svchost.exe[108] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000771ceecd 1 byte [62] .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000772e1360 5 bytes JMP 0000000077440440 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000772e13b0 5 bytes JMP 0000000077440430 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000772e1560 5 bytes JMP 0000000077440450 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000772e1570 5 bytes JMP 00000000774403b0 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000772e1620 5 bytes JMP 0000000077440320 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000772e1650 5 bytes JMP 0000000077440380 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000772e16b0 5 bytes JMP 00000000774402e0 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 00000000772e1700 5 bytes JMP 0000000077440410 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000772e1730 5 bytes JMP 00000000774402d0 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000772e1750 5 bytes JMP 0000000077440310 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000772e1790 5 bytes JMP 0000000077440390 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000772e17e0 5 bytes JMP 00000000774403c0 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000772e1940 5 bytes JMP 0000000077440230 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000772e1b00 5 bytes JMP 0000000077440460 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000772e1b30 5 bytes JMP 0000000077440370 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000772e1c10 5 bytes JMP 00000000774402f0 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000772e1c20 5 bytes JMP 0000000077440350 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000772e1c80 5 bytes JMP 0000000077440290 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000772e1d10 5 bytes JMP 00000000774402b0 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000772e1d30 5 bytes JMP 00000000774403a0 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000772e1d40 5 bytes JMP 0000000077440330 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000772e1db0 5 bytes JMP 00000000774403e0 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000772e1de0 5 bytes JMP 0000000077440240 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000772e20a0 5 bytes JMP 00000000774401e0 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000772e2160 5 bytes JMP 0000000077440250 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000772e2190 5 bytes JMP 0000000077440470 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000772e21a0 5 bytes JMP 0000000077440480 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000772e21d0 5 bytes JMP 0000000077440300 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000772e21e0 5 bytes JMP 0000000077440360 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000772e2240 5 bytes JMP 00000000774402a0 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000772e2290 5 bytes JMP 00000000774402c0 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000772e22d0 5 bytes JMP 0000000077440340 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000772e25c0 5 bytes JMP 0000000077440420 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000772e27c0 5 bytes JMP 0000000077440260 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000772e27d0 5 bytes JMP 0000000077440270 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000772e27e0 5 bytes JMP 00000000774403d0 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000772e29a0 5 bytes JMP 00000000774401f0 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000772e29b0 5 bytes JMP 0000000077440210 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000772e2a20 5 bytes JMP 0000000077440200 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000772e2a80 5 bytes JMP 00000000774403f0 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000772e2a90 5 bytes JMP 0000000077440400 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000772e2aa0 5 bytes JMP 0000000077440220 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000772e2b80 5 bytes JMP 0000000077440280 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000771ceecd 1 byte [62] .text C:\Windows\system32\atieclxx.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000772e1360 5 bytes JMP 0000000077440440 .text C:\Windows\system32\atieclxx.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000772e13b0 5 bytes JMP 0000000077440430 .text C:\Windows\system32\atieclxx.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000772e1560 5 bytes JMP 0000000077440450 .text C:\Windows\system32\atieclxx.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000772e1570 5 bytes JMP 00000000774403b0 .text C:\Windows\system32\atieclxx.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000772e1620 5 bytes JMP 0000000077440320 .text C:\Windows\system32\atieclxx.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000772e1650 5 bytes JMP 0000000077440380 .text C:\Windows\system32\atieclxx.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000772e16b0 5 bytes JMP 00000000774402e0 .text C:\Windows\system32\atieclxx.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 00000000772e1700 5 bytes JMP 0000000077440410 .text C:\Windows\system32\atieclxx.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000772e1730 5 bytes JMP 00000000774402d0 .text C:\Windows\system32\atieclxx.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000772e1750 5 bytes JMP 0000000077440310 .text C:\Windows\system32\atieclxx.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000772e1790 5 bytes JMP 0000000077440390 .text C:\Windows\system32\atieclxx.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000772e17e0 5 bytes JMP 00000000774403c0 .text C:\Windows\system32\atieclxx.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000772e1940 5 bytes JMP 0000000077440230 .text C:\Windows\system32\atieclxx.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000772e1b00 5 bytes JMP 0000000077440460 .text C:\Windows\system32\atieclxx.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000772e1b30 5 bytes JMP 0000000077440370 .text C:\Windows\system32\atieclxx.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000772e1c10 5 bytes JMP 00000000774402f0 .text C:\Windows\system32\atieclxx.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000772e1c20 5 bytes JMP 0000000077440350 .text C:\Windows\system32\atieclxx.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000772e1c80 5 bytes JMP 0000000077440290 .text C:\Windows\system32\atieclxx.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000772e1d10 5 bytes JMP 00000000774402b0 .text C:\Windows\system32\atieclxx.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000772e1d30 5 bytes JMP 00000000774403a0 .text C:\Windows\system32\atieclxx.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000772e1d40 5 bytes JMP 0000000077440330 .text C:\Windows\system32\atieclxx.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000772e1db0 5 bytes JMP 00000000774403e0 .text C:\Windows\system32\atieclxx.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000772e1de0 5 bytes JMP 0000000077440240 .text C:\Windows\system32\atieclxx.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000772e20a0 5 bytes JMP 00000000774401e0 .text C:\Windows\system32\atieclxx.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000772e2160 5 bytes JMP 0000000077440250 .text C:\Windows\system32\atieclxx.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000772e2190 5 bytes JMP 0000000077440470 .text C:\Windows\system32\atieclxx.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000772e21a0 5 bytes JMP 0000000077440480 .text C:\Windows\system32\atieclxx.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000772e21d0 5 bytes JMP 0000000077440300 .text C:\Windows\system32\atieclxx.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000772e21e0 5 bytes JMP 0000000077440360 .text C:\Windows\system32\atieclxx.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000772e2240 5 bytes JMP 00000000774402a0 .text C:\Windows\system32\atieclxx.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000772e2290 5 bytes JMP 00000000774402c0 .text C:\Windows\system32\atieclxx.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000772e22d0 5 bytes JMP 0000000077440340 .text C:\Windows\system32\atieclxx.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000772e25c0 5 bytes JMP 0000000077440420 .text C:\Windows\system32\atieclxx.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000772e27c0 5 bytes JMP 0000000077440260 .text C:\Windows\system32\atieclxx.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000772e27d0 5 bytes JMP 0000000077440270 .text C:\Windows\system32\atieclxx.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000772e27e0 5 bytes JMP 00000000774403d0 .text C:\Windows\system32\atieclxx.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000772e29a0 5 bytes JMP 00000000774401f0 .text C:\Windows\system32\atieclxx.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000772e29b0 5 bytes JMP 0000000077440210 .text C:\Windows\system32\atieclxx.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000772e2a20 5 bytes JMP 0000000077440200 .text C:\Windows\system32\atieclxx.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000772e2a80 5 bytes JMP 00000000774403f0 .text C:\Windows\system32\atieclxx.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000772e2a90 5 bytes JMP 0000000077440400 .text C:\Windows\system32\atieclxx.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000772e2aa0 5 bytes JMP 0000000077440220 .text C:\Windows\system32\atieclxx.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000772e2b80 5 bytes JMP 0000000077440280 .text C:\Windows\System32\spoolsv.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000772e1360 5 bytes JMP 0000000077440440 .text C:\Windows\System32\spoolsv.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000772e13b0 5 bytes JMP 0000000077440430 .text C:\Windows\System32\spoolsv.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000772e1560 5 bytes JMP 0000000077440450 .text C:\Windows\System32\spoolsv.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000772e1570 5 bytes JMP 00000000774403b0 .text C:\Windows\System32\spoolsv.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000772e1620 5 bytes JMP 0000000077440320 .text C:\Windows\System32\spoolsv.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000772e1650 5 bytes JMP 0000000077440380 .text C:\Windows\System32\spoolsv.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000772e16b0 5 bytes JMP 00000000774402e0 .text C:\Windows\System32\spoolsv.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 00000000772e1700 5 bytes JMP 0000000077440410 .text C:\Windows\System32\spoolsv.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000772e1730 5 bytes JMP 00000000774402d0 .text C:\Windows\System32\spoolsv.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000772e1750 5 bytes JMP 0000000077440310 .text C:\Windows\System32\spoolsv.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000772e1790 5 bytes JMP 0000000077440390 .text C:\Windows\System32\spoolsv.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000772e17e0 5 bytes JMP 00000000774403c0 .text C:\Windows\System32\spoolsv.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000772e1940 5 bytes JMP 0000000077440230 .text C:\Windows\System32\spoolsv.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000772e1b00 5 bytes JMP 0000000077440460 .text C:\Windows\System32\spoolsv.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000772e1b30 5 bytes JMP 0000000077440370 .text C:\Windows\System32\spoolsv.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000772e1c10 5 bytes JMP 00000000774402f0 .text C:\Windows\System32\spoolsv.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000772e1c20 5 bytes JMP 0000000077440350 .text C:\Windows\System32\spoolsv.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000772e1c80 5 bytes JMP 0000000077440290 .text C:\Windows\System32\spoolsv.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000772e1d10 5 bytes JMP 00000000774402b0 .text C:\Windows\System32\spoolsv.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000772e1d30 5 bytes JMP 00000000774403a0 .text C:\Windows\System32\spoolsv.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000772e1d40 5 bytes JMP 0000000077440330 .text C:\Windows\System32\spoolsv.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000772e1db0 5 bytes JMP 00000000774403e0 .text C:\Windows\System32\spoolsv.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000772e1de0 5 bytes JMP 0000000077440240 .text C:\Windows\System32\spoolsv.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000772e20a0 5 bytes JMP 00000000774401e0 .text C:\Windows\System32\spoolsv.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000772e2160 5 bytes JMP 0000000077440250 .text C:\Windows\System32\spoolsv.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000772e2190 5 bytes JMP 0000000077440470 .text C:\Windows\System32\spoolsv.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000772e21a0 5 bytes JMP 0000000077440480 .text C:\Windows\System32\spoolsv.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000772e21d0 5 bytes JMP 0000000077440300 .text C:\Windows\System32\spoolsv.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000772e21e0 5 bytes JMP 0000000077440360 .text C:\Windows\System32\spoolsv.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000772e2240 5 bytes JMP 00000000774402a0 .text C:\Windows\System32\spoolsv.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000772e2290 5 bytes JMP 00000000774402c0 .text C:\Windows\System32\spoolsv.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000772e22d0 5 bytes JMP 0000000077440340 .text C:\Windows\System32\spoolsv.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000772e25c0 5 bytes JMP 0000000077440420 .text C:\Windows\System32\spoolsv.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000772e27c0 5 bytes JMP 0000000077440260 .text C:\Windows\System32\spoolsv.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000772e27d0 5 bytes JMP 0000000077440270 .text C:\Windows\System32\spoolsv.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000772e27e0 5 bytes JMP 00000000774403d0 .text C:\Windows\System32\spoolsv.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000772e29a0 5 bytes JMP 00000000774401f0 .text C:\Windows\System32\spoolsv.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000772e29b0 5 bytes JMP 0000000077440210 .text C:\Windows\System32\spoolsv.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000772e2a20 5 bytes JMP 0000000077440200 .text C:\Windows\System32\spoolsv.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000772e2a80 5 bytes JMP 00000000774403f0 .text C:\Windows\System32\spoolsv.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000772e2a90 5 bytes JMP 0000000077440400 .text C:\Windows\System32\spoolsv.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000772e2aa0 5 bytes JMP 0000000077440220 .text C:\Windows\System32\spoolsv.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000772e2b80 5 bytes JMP 0000000077440280 .text C:\Windows\System32\spoolsv.exe[1396] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000771ceecd 1 byte [62] .text C:\Windows\system32\svchost.exe[1424] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000772e1360 5 bytes JMP 0000000077440440 .text C:\Windows\system32\svchost.exe[1424] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000772e13b0 5 bytes JMP 0000000077440430 .text C:\Windows\system32\svchost.exe[1424] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000772e1560 5 bytes JMP 0000000077440450 .text C:\Windows\system32\svchost.exe[1424] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000772e1570 5 bytes JMP 00000000774403b0 .text C:\Windows\system32\svchost.exe[1424] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000772e1620 5 bytes JMP 0000000077440320 .text C:\Windows\system32\svchost.exe[1424] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000772e1650 5 bytes JMP 0000000077440380 .text C:\Windows\system32\svchost.exe[1424] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000772e16b0 5 bytes JMP 00000000774402e0 .text C:\Windows\system32\svchost.exe[1424] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 00000000772e1700 5 bytes JMP 0000000077440410 .text C:\Windows\system32\svchost.exe[1424] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000772e1730 5 bytes JMP 00000000774402d0 .text C:\Windows\system32\svchost.exe[1424] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000772e1750 5 bytes JMP 0000000077440310 .text C:\Windows\system32\svchost.exe[1424] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000772e1790 5 bytes JMP 0000000077440390 .text C:\Windows\system32\svchost.exe[1424] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000772e17e0 5 bytes JMP 00000000774403c0 .text C:\Windows\system32\svchost.exe[1424] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000772e1940 5 bytes JMP 0000000077440230 .text C:\Windows\system32\svchost.exe[1424] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000772e1b00 5 bytes JMP 0000000077440460 .text C:\Windows\system32\svchost.exe[1424] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000772e1b30 5 bytes JMP 0000000077440370 .text C:\Windows\system32\svchost.exe[1424] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000772e1c10 5 bytes JMP 00000000774402f0 .text C:\Windows\system32\svchost.exe[1424] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000772e1c20 5 bytes JMP 0000000077440350 .text C:\Windows\system32\svchost.exe[1424] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000772e1c80 5 bytes JMP 0000000077440290 .text C:\Windows\system32\svchost.exe[1424] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000772e1d10 5 bytes JMP 00000000774402b0 .text C:\Windows\system32\svchost.exe[1424] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000772e1d30 5 bytes JMP 00000000774403a0 .text C:\Windows\system32\svchost.exe[1424] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000772e1d40 5 bytes JMP 0000000077440330 .text C:\Windows\system32\svchost.exe[1424] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000772e1db0 5 bytes JMP 00000000774403e0 .text C:\Windows\system32\svchost.exe[1424] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000772e1de0 5 bytes JMP 0000000077440240 .text C:\Windows\system32\svchost.exe[1424] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000772e20a0 5 bytes JMP 00000000774401e0 .text C:\Windows\system32\svchost.exe[1424] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000772e2160 5 bytes JMP 0000000077440250 .text C:\Windows\system32\svchost.exe[1424] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000772e2190 5 bytes JMP 0000000077440470 .text C:\Windows\system32\svchost.exe[1424] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000772e21a0 5 bytes JMP 0000000077440480 .text C:\Windows\system32\svchost.exe[1424] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000772e21d0 5 bytes JMP 0000000077440300 .text C:\Windows\system32\svchost.exe[1424] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000772e21e0 5 bytes JMP 0000000077440360 .text C:\Windows\system32\svchost.exe[1424] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000772e2240 5 bytes JMP 00000000774402a0 .text C:\Windows\system32\svchost.exe[1424] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000772e2290 5 bytes JMP 00000000774402c0 .text C:\Windows\system32\svchost.exe[1424] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000772e22d0 5 bytes JMP 0000000077440340 .text C:\Windows\system32\svchost.exe[1424] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000772e25c0 5 bytes JMP 0000000077440420 .text C:\Windows\system32\svchost.exe[1424] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000772e27c0 5 bytes JMP 0000000077440260 .text C:\Windows\system32\svchost.exe[1424] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000772e27d0 5 bytes JMP 0000000077440270 .text C:\Windows\system32\svchost.exe[1424] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000772e27e0 5 bytes JMP 00000000774403d0 .text C:\Windows\system32\svchost.exe[1424] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000772e29a0 5 bytes JMP 00000000774401f0 .text C:\Windows\system32\svchost.exe[1424] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000772e29b0 5 bytes JMP 0000000077440210 .text C:\Windows\system32\svchost.exe[1424] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000772e2a20 5 bytes JMP 0000000077440200 .text C:\Windows\system32\svchost.exe[1424] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000772e2a80 5 bytes JMP 00000000774403f0 .text C:\Windows\system32\svchost.exe[1424] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000772e2a90 5 bytes JMP 0000000077440400 .text C:\Windows\system32\svchost.exe[1424] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000772e2aa0 5 bytes JMP 0000000077440220 .text C:\Windows\system32\svchost.exe[1424] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000772e2b80 5 bytes JMP 0000000077440280 .text C:\Windows\system32\svchost.exe[1424] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000771ceecd 1 byte [62] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1532] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000764aa2ba 1 byte [62] .text C:\Windows\system32\taskhost.exe[1688] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000772e1360 5 bytes JMP 0000000077440440 .text C:\Windows\system32\taskhost.exe[1688] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000772e13b0 5 bytes JMP 0000000077440430 .text C:\Windows\system32\taskhost.exe[1688] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000772e1560 5 bytes JMP 0000000077440450 .text C:\Windows\system32\taskhost.exe[1688] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000772e1570 5 bytes JMP 00000000774403b0 .text C:\Windows\system32\taskhost.exe[1688] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000772e1620 5 bytes JMP 0000000077440320 .text C:\Windows\system32\taskhost.exe[1688] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000772e1650 5 bytes JMP 0000000077440380 .text C:\Windows\system32\taskhost.exe[1688] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000772e16b0 5 bytes JMP 00000000774402e0 .text C:\Windows\system32\taskhost.exe[1688] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 00000000772e1700 5 bytes JMP 0000000077440410 .text C:\Windows\system32\taskhost.exe[1688] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000772e1730 5 bytes JMP 00000000774402d0 .text C:\Windows\system32\taskhost.exe[1688] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000772e1750 5 bytes JMP 0000000077440310 .text C:\Windows\system32\taskhost.exe[1688] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000772e1790 5 bytes JMP 0000000077440390 .text C:\Windows\system32\taskhost.exe[1688] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000772e17e0 5 bytes JMP 00000000774403c0 .text C:\Windows\system32\taskhost.exe[1688] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000772e1940 5 bytes JMP 0000000077440230 .text C:\Windows\system32\taskhost.exe[1688] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000772e1b00 5 bytes JMP 0000000077440460 .text C:\Windows\system32\taskhost.exe[1688] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000772e1b30 5 bytes JMP 0000000077440370 .text C:\Windows\system32\taskhost.exe[1688] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000772e1c10 5 bytes JMP 00000000774402f0 .text C:\Windows\system32\taskhost.exe[1688] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000772e1c20 5 bytes JMP 0000000077440350 .text C:\Windows\system32\taskhost.exe[1688] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000772e1c80 5 bytes JMP 0000000077440290 .text C:\Windows\system32\taskhost.exe[1688] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000772e1d10 5 bytes JMP 00000000774402b0 .text C:\Windows\system32\taskhost.exe[1688] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000772e1d30 5 bytes JMP 00000000774403a0 .text C:\Windows\system32\taskhost.exe[1688] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000772e1d40 5 bytes JMP 0000000077440330 .text C:\Windows\system32\taskhost.exe[1688] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000772e1db0 5 bytes JMP 00000000774403e0 .text C:\Windows\system32\taskhost.exe[1688] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000772e1de0 5 bytes JMP 0000000077440240 .text C:\Windows\system32\taskhost.exe[1688] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000772e20a0 5 bytes JMP 00000000774401e0 .text C:\Windows\system32\taskhost.exe[1688] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000772e2160 5 bytes JMP 0000000077440250 .text C:\Windows\system32\taskhost.exe[1688] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000772e2190 5 bytes JMP 0000000077440470 .text C:\Windows\system32\taskhost.exe[1688] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000772e21a0 5 bytes JMP 0000000077440480 .text C:\Windows\system32\taskhost.exe[1688] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000772e21d0 5 bytes JMP 0000000077440300 .text C:\Windows\system32\taskhost.exe[1688] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000772e21e0 5 bytes JMP 0000000077440360 .text C:\Windows\system32\taskhost.exe[1688] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000772e2240 5 bytes JMP 00000000774402a0 .text C:\Windows\system32\taskhost.exe[1688] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000772e2290 5 bytes JMP 00000000774402c0 .text C:\Windows\system32\taskhost.exe[1688] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000772e22d0 5 bytes JMP 0000000077440340 .text C:\Windows\system32\taskhost.exe[1688] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000772e25c0 5 bytes JMP 0000000077440420 .text C:\Windows\system32\taskhost.exe[1688] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000772e27c0 5 bytes JMP 0000000077440260 .text C:\Windows\system32\taskhost.exe[1688] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000772e27d0 5 bytes JMP 0000000077440270 .text C:\Windows\system32\taskhost.exe[1688] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000772e27e0 5 bytes JMP 00000000774403d0 .text C:\Windows\system32\taskhost.exe[1688] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000772e29a0 5 bytes JMP 00000000774401f0 .text C:\Windows\system32\taskhost.exe[1688] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000772e29b0 5 bytes JMP 0000000077440210 .text C:\Windows\system32\taskhost.exe[1688] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000772e2a20 5 bytes JMP 0000000077440200 .text C:\Windows\system32\taskhost.exe[1688] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000772e2a80 5 bytes JMP 00000000774403f0 .text C:\Windows\system32\taskhost.exe[1688] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000772e2a90 5 bytes JMP 0000000077440400 .text C:\Windows\system32\taskhost.exe[1688] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000772e2aa0 5 bytes JMP 0000000077440220 .text C:\Windows\system32\taskhost.exe[1688] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000772e2b80 5 bytes JMP 0000000077440280 .text C:\Windows\system32\taskhost.exe[1688] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000771ceecd 1 byte [62] .text C:\Windows\system32\Dwm.exe[1752] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000772e1360 5 bytes JMP 0000000100070440 .text C:\Windows\system32\Dwm.exe[1752] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000772e13b0 5 bytes JMP 0000000100070430 .text C:\Windows\system32\Dwm.exe[1752] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000772e1560 5 bytes JMP 0000000100070450 .text C:\Windows\system32\Dwm.exe[1752] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000772e1570 5 bytes JMP 00000001000703b0 .text C:\Windows\system32\Dwm.exe[1752] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000772e1620 5 bytes JMP 0000000100070320 .text C:\Windows\system32\Dwm.exe[1752] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000772e1650 5 bytes JMP 0000000100070380 .text C:\Windows\system32\Dwm.exe[1752] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000772e16b0 5 bytes JMP 00000001000702e0 .text C:\Windows\system32\Dwm.exe[1752] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 00000000772e1700 5 bytes JMP 0000000100070410 .text C:\Windows\system32\Dwm.exe[1752] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000772e1730 5 bytes JMP 00000001000702d0 .text C:\Windows\system32\Dwm.exe[1752] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000772e1750 5 bytes JMP 0000000100070310 .text C:\Windows\system32\Dwm.exe[1752] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000772e1790 5 bytes JMP 0000000100070390 .text C:\Windows\system32\Dwm.exe[1752] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000772e17e0 5 bytes JMP 00000001000703c0 .text C:\Windows\system32\Dwm.exe[1752] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000772e1940 5 bytes JMP 0000000100070230 .text C:\Windows\system32\Dwm.exe[1752] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000772e1b00 5 bytes JMP 0000000100070460 .text C:\Windows\system32\Dwm.exe[1752] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000772e1b30 5 bytes JMP 0000000100070370 .text C:\Windows\system32\Dwm.exe[1752] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000772e1c10 5 bytes JMP 00000001000702f0 .text C:\Windows\system32\Dwm.exe[1752] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000772e1c20 5 bytes JMP 0000000100070350 .text C:\Windows\system32\Dwm.exe[1752] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000772e1c80 5 bytes JMP 0000000100070290 .text C:\Windows\system32\Dwm.exe[1752] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000772e1d10 5 bytes JMP 00000001000702b0 .text C:\Windows\system32\Dwm.exe[1752] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000772e1d30 5 bytes JMP 00000001000703a0 .text C:\Windows\system32\Dwm.exe[1752] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000772e1d40 5 bytes JMP 0000000100070330 .text C:\Windows\system32\Dwm.exe[1752] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000772e1db0 5 bytes JMP 00000001000703e0 .text C:\Windows\system32\Dwm.exe[1752] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000772e1de0 5 bytes JMP 0000000100070240 .text C:\Windows\system32\Dwm.exe[1752] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000772e20a0 5 bytes JMP 00000001000701e0 .text C:\Windows\system32\Dwm.exe[1752] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000772e2160 5 bytes JMP 0000000100070250 .text C:\Windows\system32\Dwm.exe[1752] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000772e2190 5 bytes JMP 0000000100070470 .text C:\Windows\system32\Dwm.exe[1752] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000772e21a0 5 bytes JMP 0000000100070480 .text C:\Windows\system32\Dwm.exe[1752] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000772e21d0 5 bytes JMP 0000000100070300 .text C:\Windows\system32\Dwm.exe[1752] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000772e21e0 5 bytes JMP 0000000100070360 .text C:\Windows\system32\Dwm.exe[1752] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000772e2240 5 bytes JMP 00000001000702a0 .text C:\Windows\system32\Dwm.exe[1752] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000772e2290 5 bytes JMP 00000001000702c0 .text C:\Windows\system32\Dwm.exe[1752] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000772e22d0 5 bytes JMP 0000000100070340 .text C:\Windows\system32\Dwm.exe[1752] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000772e25c0 5 bytes JMP 0000000100070420 .text C:\Windows\system32\Dwm.exe[1752] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000772e27c0 5 bytes JMP 0000000100070260 .text C:\Windows\system32\Dwm.exe[1752] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000772e27d0 5 bytes JMP 0000000100070270 .text C:\Windows\system32\Dwm.exe[1752] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000772e27e0 5 bytes JMP 00000001000703d0 .text C:\Windows\system32\Dwm.exe[1752] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000772e29a0 5 bytes JMP 00000001000701f0 .text C:\Windows\system32\Dwm.exe[1752] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000772e29b0 5 bytes JMP 0000000100070210 .text C:\Windows\system32\Dwm.exe[1752] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000772e2a20 5 bytes JMP 0000000100070200 .text C:\Windows\system32\Dwm.exe[1752] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000772e2a80 5 bytes JMP 00000001000703f0 .text C:\Windows\system32\Dwm.exe[1752] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000772e2a90 5 bytes JMP 0000000100070400 .text C:\Windows\system32\Dwm.exe[1752] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000772e2aa0 5 bytes JMP 0000000100070220 .text C:\Windows\system32\Dwm.exe[1752] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000772e2b80 5 bytes JMP 0000000100070280 .text C:\Windows\system32\Dwm.exe[1752] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000771ceecd 1 byte [62] .text C:\Windows\Explorer.EXE[1864] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000772e1360 5 bytes JMP 0000000100070440 .text C:\Windows\Explorer.EXE[1864] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000772e13b0 5 bytes JMP 0000000100070430 .text C:\Windows\Explorer.EXE[1864] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000772e1560 5 bytes JMP 0000000100070450 .text C:\Windows\Explorer.EXE[1864] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000772e1570 5 bytes JMP 00000001000703b0 .text C:\Windows\Explorer.EXE[1864] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000772e1620 5 bytes JMP 0000000100070320 .text C:\Windows\Explorer.EXE[1864] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000772e1650 5 bytes JMP 0000000100070380 .text C:\Windows\Explorer.EXE[1864] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000772e16b0 5 bytes JMP 00000001000702e0 .text C:\Windows\Explorer.EXE[1864] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 00000000772e1700 5 bytes JMP 0000000100070410 .text C:\Windows\Explorer.EXE[1864] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000772e1730 5 bytes JMP 00000001000702d0 .text C:\Windows\Explorer.EXE[1864] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000772e1750 5 bytes JMP 0000000100070310 .text C:\Windows\Explorer.EXE[1864] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000772e1790 5 bytes JMP 0000000100070390 .text C:\Windows\Explorer.EXE[1864] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000772e17e0 5 bytes JMP 00000001000703c0 .text C:\Windows\Explorer.EXE[1864] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000772e1940 5 bytes JMP 0000000100070230 .text C:\Windows\Explorer.EXE[1864] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000772e1b00 5 bytes JMP 0000000100070460 .text C:\Windows\Explorer.EXE[1864] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000772e1b30 5 bytes JMP 0000000100070370 .text C:\Windows\Explorer.EXE[1864] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000772e1c10 5 bytes JMP 00000001000702f0 .text C:\Windows\Explorer.EXE[1864] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000772e1c20 5 bytes JMP 0000000100070350 .text C:\Windows\Explorer.EXE[1864] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000772e1c80 5 bytes JMP 0000000100070290 .text C:\Windows\Explorer.EXE[1864] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000772e1d10 5 bytes JMP 00000001000702b0 .text C:\Windows\Explorer.EXE[1864] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000772e1d30 5 bytes JMP 00000001000703a0 .text C:\Windows\Explorer.EXE[1864] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000772e1d40 5 bytes JMP 0000000100070330 .text C:\Windows\Explorer.EXE[1864] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000772e1db0 5 bytes JMP 00000001000703e0 .text C:\Windows\Explorer.EXE[1864] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000772e1de0 5 bytes JMP 0000000100070240 .text C:\Windows\Explorer.EXE[1864] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000772e20a0 5 bytes JMP 00000001000701e0 .text C:\Windows\Explorer.EXE[1864] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000772e2160 5 bytes JMP 0000000100070250 .text C:\Windows\Explorer.EXE[1864] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000772e2190 5 bytes JMP 0000000100070470 .text C:\Windows\Explorer.EXE[1864] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000772e21a0 5 bytes JMP 0000000100070480 .text C:\Windows\Explorer.EXE[1864] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000772e21d0 5 bytes JMP 0000000100070300 .text C:\Windows\Explorer.EXE[1864] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000772e21e0 5 bytes JMP 0000000100070360 .text C:\Windows\Explorer.EXE[1864] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000772e2240 5 bytes JMP 00000001000702a0 .text C:\Windows\Explorer.EXE[1864] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000772e2290 5 bytes JMP 00000001000702c0 .text C:\Windows\Explorer.EXE[1864] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000772e22d0 5 bytes JMP 0000000100070340 .text C:\Windows\Explorer.EXE[1864] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000772e25c0 5 bytes JMP 0000000100070420 .text C:\Windows\Explorer.EXE[1864] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000772e27c0 5 bytes JMP 0000000100070260 .text C:\Windows\Explorer.EXE[1864] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000772e27d0 5 bytes JMP 0000000100070270 .text C:\Windows\Explorer.EXE[1864] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000772e27e0 5 bytes JMP 00000001000703d0 .text C:\Windows\Explorer.EXE[1864] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000772e29a0 5 bytes JMP 00000001000701f0 .text C:\Windows\Explorer.EXE[1864] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000772e29b0 5 bytes JMP 0000000100070210 .text C:\Windows\Explorer.EXE[1864] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000772e2a20 5 bytes JMP 0000000100070200 .text C:\Windows\Explorer.EXE[1864] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000772e2a80 5 bytes JMP 00000001000703f0 .text C:\Windows\Explorer.EXE[1864] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000772e2a90 5 bytes JMP 0000000100070400 .text C:\Windows\Explorer.EXE[1864] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000772e2aa0 5 bytes JMP 0000000100070220 .text C:\Windows\Explorer.EXE[1864] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000772e2b80 5 bytes JMP 0000000100070280 .text C:\Windows\Explorer.EXE[1864] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000771ceecd 1 byte [62] .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1916] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000772e1360 5 bytes JMP 0000000100070440 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1916] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000772e13b0 5 bytes JMP 0000000100070430 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1916] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000772e1560 5 bytes JMP 0000000100070450 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1916] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000772e1570 5 bytes JMP 00000001000703b0 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1916] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000772e1620 5 bytes JMP 0000000100070320 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1916] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000772e1650 5 bytes JMP 0000000100070380 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1916] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000772e16b0 5 bytes JMP 00000001000702e0 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1916] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 00000000772e1700 5 bytes JMP 0000000100070410 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1916] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000772e1730 5 bytes JMP 00000001000702d0 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1916] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000772e1750 5 bytes JMP 0000000100070310 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1916] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000772e1790 5 bytes JMP 0000000100070390 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1916] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000772e17e0 5 bytes JMP 00000001000703c0 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1916] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000772e1940 5 bytes JMP 0000000100070230 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1916] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000772e1b00 5 bytes JMP 0000000100070460 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1916] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000772e1b30 5 bytes JMP 0000000100070370 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1916] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000772e1c10 5 bytes JMP 00000001000702f0 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1916] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000772e1c20 5 bytes JMP 0000000100070350 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1916] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000772e1c80 5 bytes JMP 0000000100070290 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1916] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000772e1d10 5 bytes JMP 00000001000702b0 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1916] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000772e1d30 5 bytes JMP 00000001000703a0 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1916] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000772e1d40 5 bytes JMP 0000000100070330 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1916] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000772e1db0 5 bytes JMP 00000001000703e0 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1916] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000772e1de0 5 bytes JMP 0000000100070240 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1916] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000772e20a0 5 bytes JMP 00000001000701e0 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1916] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000772e2160 5 bytes JMP 0000000100070250 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1916] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000772e2190 5 bytes JMP 0000000100070470 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1916] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000772e21a0 5 bytes JMP 0000000100070480 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1916] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000772e21d0 5 bytes JMP 0000000100070300 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1916] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000772e21e0 5 bytes JMP 0000000100070360 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1916] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000772e2240 5 bytes JMP 00000001000702a0 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1916] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000772e2290 5 bytes JMP 00000001000702c0 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1916] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000772e22d0 5 bytes JMP 0000000100070340 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1916] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000772e25c0 5 bytes JMP 0000000100070420 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1916] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000772e27c0 5 bytes JMP 0000000100070260 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1916] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000772e27d0 5 bytes JMP 0000000100070270 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1916] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000772e27e0 5 bytes JMP 00000001000703d0 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1916] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000772e29a0 5 bytes JMP 00000001000701f0 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1916] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000772e29b0 5 bytes JMP 0000000100070210 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1916] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000772e2a20 5 bytes JMP 0000000100070200 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1916] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000772e2a80 5 bytes JMP 00000001000703f0 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1916] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000772e2a90 5 bytes JMP 0000000100070400 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1916] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000772e2aa0 5 bytes JMP 0000000100070220 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1916] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000772e2b80 5 bytes JMP 0000000100070280 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1916] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000771ceecd 1 byte [62] .text C:\Windows\SysWOW64\PSIService.exe[1176] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 000000007748fac0 5 bytes JMP 0000000100030600 .text C:\Windows\SysWOW64\PSIService.exe[1176] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 000000007748fb58 5 bytes JMP 0000000100030804 .text C:\Windows\SysWOW64\PSIService.exe[1176] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007748fcb0 5 bytes JMP 0000000100030c0c .text C:\Windows\SysWOW64\PSIService.exe[1176] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077490038 5 bytes JMP 0000000100030a08 .text C:\Windows\SysWOW64\PSIService.exe[1176] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 00000000774ac4dd 5 bytes JMP 00000001000301f8 .text C:\Windows\SysWOW64\PSIService.exe[1176] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000774b1287 5 bytes JMP 00000001000303fc .text C:\Windows\SysWOW64\PSIService.exe[1176] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 00000000764aa2ba 1 byte [62] .text C:\Windows\SysWOW64\PSIService.exe[1176] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000076975181 5 bytes JMP 0000000100231014 .text C:\Windows\SysWOW64\PSIService.exe[1176] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000076975254 5 bytes JMP 0000000100230804 .text C:\Windows\SysWOW64\PSIService.exe[1176] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000769753d5 5 bytes JMP 0000000100230a08 .text C:\Windows\SysWOW64\PSIService.exe[1176] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000769754c2 5 bytes JMP 0000000100230c0c .text C:\Windows\SysWOW64\PSIService.exe[1176] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000769755e2 5 bytes JMP 0000000100230e10 .text C:\Windows\SysWOW64\PSIService.exe[1176] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 000000007697567c 5 bytes JMP 00000001002301f8 .text C:\Windows\SysWOW64\PSIService.exe[1176] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 000000007697589f 5 bytes JMP 00000001002303fc .text C:\Windows\SysWOW64\PSIService.exe[1176] C:\Windows\SysWOW64\sechost.dll!DeleteService 0000000076975a22 5 bytes JMP 0000000100230600 .text C:\Windows\SysWOW64\PSIService.exe[1176] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007626f0e6 5 bytes JMP 00000001002401f8 .text C:\Windows\SysWOW64\PSIService.exe[1176] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000076273907 5 bytes JMP 00000001002403fc .text C:\Windows\SysWOW64\PSIService.exe[1176] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000076278364 5 bytes JMP 0000000100240600 .text C:\Windows\SysWOW64\PSIService.exe[1176] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000762806b3 5 bytes JMP 0000000100240804 .text C:\Windows\SysWOW64\PSIService.exe[1176] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 0000000076290efc 5 bytes JMP 0000000100240a08 .text C:\Program Files (x86)\RealNetworks\RealDownloader\rndlresolversvc.exe[2244] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 000000007748fac0 5 bytes JMP 0000000100030600 .text C:\Program Files (x86)\RealNetworks\RealDownloader\rndlresolversvc.exe[2244] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 000000007748fb58 5 bytes JMP 0000000100030804 .text C:\Program Files (x86)\RealNetworks\RealDownloader\rndlresolversvc.exe[2244] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007748fcb0 5 bytes JMP 0000000100030c0c .text C:\Program Files (x86)\RealNetworks\RealDownloader\rndlresolversvc.exe[2244] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077490038 5 bytes JMP 0000000100030a08 .text C:\Program Files (x86)\RealNetworks\RealDownloader\rndlresolversvc.exe[2244] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 00000000774ac4dd 5 bytes JMP 00000001000301f8 .text C:\Program Files (x86)\RealNetworks\RealDownloader\rndlresolversvc.exe[2244] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000774b1287 5 bytes JMP 00000001000303fc .text C:\Program Files (x86)\RealNetworks\RealDownloader\rndlresolversvc.exe[2244] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 00000000764aa2ba 1 byte [62] .text C:\Program Files (x86)\RealNetworks\RealDownloader\rndlresolversvc.exe[2244] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007626f0e6 5 bytes JMP 00000001000901f8 .text C:\Program Files (x86)\RealNetworks\RealDownloader\rndlresolversvc.exe[2244] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000076273907 5 bytes JMP 00000001000903fc .text C:\Program Files (x86)\RealNetworks\RealDownloader\rndlresolversvc.exe[2244] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000076278364 5 bytes JMP 0000000100090600 .text C:\Program Files (x86)\RealNetworks\RealDownloader\rndlresolversvc.exe[2244] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000762806b3 5 bytes JMP 0000000100090804 .text C:\Program Files (x86)\RealNetworks\RealDownloader\rndlresolversvc.exe[2244] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 0000000076290efc 5 bytes JMP 0000000100090a08 .text C:\Program Files (x86)\RealNetworks\RealDownloader\rndlresolversvc.exe[2244] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000076975181 5 bytes JMP 0000000100151014 .text C:\Program Files (x86)\RealNetworks\RealDownloader\rndlresolversvc.exe[2244] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000076975254 5 bytes JMP 0000000100150804 .text C:\Program Files (x86)\RealNetworks\RealDownloader\rndlresolversvc.exe[2244] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000769753d5 5 bytes JMP 0000000100150a08 .text C:\Program Files (x86)\RealNetworks\RealDownloader\rndlresolversvc.exe[2244] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000769754c2 5 bytes JMP 0000000100150c0c .text C:\Program Files (x86)\RealNetworks\RealDownloader\rndlresolversvc.exe[2244] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000769755e2 5 bytes JMP 0000000100150e10 .text C:\Program Files (x86)\RealNetworks\RealDownloader\rndlresolversvc.exe[2244] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 000000007697567c 5 bytes JMP 00000001001501f8 .text C:\Program Files (x86)\RealNetworks\RealDownloader\rndlresolversvc.exe[2244] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 000000007697589f 5 bytes JMP 00000001001503fc .text C:\Program Files (x86)\RealNetworks\RealDownloader\rndlresolversvc.exe[2244] C:\Windows\SysWOW64\sechost.dll!DeleteService 0000000076975a22 5 bytes JMP 0000000100150600 .text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[2280] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 000000007748fac0 5 bytes JMP 0000000100030600 .text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[2280] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 000000007748fb58 5 bytes JMP 0000000100030804 .text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[2280] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007748fcb0 5 bytes JMP 0000000100030c0c .text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[2280] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077490038 5 bytes JMP 0000000100030a08 .text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[2280] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 00000000774ac4dd 5 bytes JMP 00000001000301f8 .text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[2280] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000774b1287 5 bytes JMP 00000001000303fc .text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[2280] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 00000000764aa2ba 1 byte [62] .text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[2280] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000076975181 5 bytes JMP 0000000100171014 .text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[2280] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000076975254 5 bytes JMP 0000000100170804 .text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[2280] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000769753d5 5 bytes JMP 0000000100170a08 .text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[2280] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000769754c2 5 bytes JMP 0000000100170c0c .text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[2280] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000769755e2 5 bytes JMP 0000000100170e10 .text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[2280] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 000000007697567c 5 bytes JMP 00000001001701f8 .text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[2280] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 000000007697589f 5 bytes JMP 00000001001703fc .text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[2280] C:\Windows\SysWOW64\sechost.dll!DeleteService 0000000076975a22 5 bytes JMP 0000000100170600 .text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[2280] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007626f0e6 5 bytes JMP 00000001001801f8 .text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[2280] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000076273907 5 bytes JMP 00000001001803fc .text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[2280] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000076278364 5 bytes JMP 0000000100180600 .text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[2280] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000762806b3 5 bytes JMP 0000000100180804 .text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[2280] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 0000000076290efc 5 bytes JMP 0000000100180a08 .text C:\Windows\system32\svchost.exe[2348] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000772b3b10 5 bytes JMP 000000010032075c .text C:\Windows\system32\svchost.exe[2348] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 00000000772b7ac0 5 bytes JMP 00000001003203a4 .text C:\Windows\system32\svchost.exe[2348] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000772e1360 5 bytes JMP 0000000077440440 .text C:\Windows\system32\svchost.exe[2348] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000772e13b0 5 bytes JMP 0000000077440430 .text C:\Windows\system32\svchost.exe[2348] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 00000000772e1430 5 bytes JMP 0000000100320b14 .text C:\Windows\system32\svchost.exe[2348] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 00000000772e1490 5 bytes JMP 0000000100320ecc .text C:\Windows\system32\svchost.exe[2348] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000772e1560 5 bytes JMP 0000000077440450 .text C:\Windows\system32\svchost.exe[2348] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000772e1570 5 bytes JMP 000000010032163c .text C:\Windows\system32\svchost.exe[2348] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000772e1620 5 bytes JMP 0000000077440320 .text C:\Windows\system32\svchost.exe[2348] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000772e1650 5 bytes JMP 0000000077440380 .text C:\Windows\system32\svchost.exe[2348] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000772e16b0 5 bytes JMP 00000000774402e0 .text C:\Windows\system32\svchost.exe[2348] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 00000000772e1700 5 bytes JMP 0000000077440410 .text C:\Windows\system32\svchost.exe[2348] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000772e1730 5 bytes JMP 00000000774402d0 .text C:\Windows\system32\svchost.exe[2348] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000772e1750 5 bytes JMP 0000000077440310 .text C:\Windows\system32\svchost.exe[2348] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000772e1790 5 bytes JMP 0000000077440390 .text C:\Windows\system32\svchost.exe[2348] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 00000000772e17b0 5 bytes JMP 0000000100321284 .text C:\Windows\system32\svchost.exe[2348] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000772e17e0 5 bytes JMP 00000000774403c0 .text C:\Windows\system32\svchost.exe[2348] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000772e1940 5 bytes JMP 0000000077440230 .text C:\Windows\system32\svchost.exe[2348] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000772e1b00 5 bytes JMP 0000000077440460 .text C:\Windows\system32\svchost.exe[2348] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000772e1b30 5 bytes JMP 0000000077440370 .text C:\Windows\system32\svchost.exe[2348] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000772e1c10 5 bytes JMP 00000000774402f0 .text C:\Windows\system32\svchost.exe[2348] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000772e1c20 5 bytes JMP 0000000077440350 .text C:\Windows\system32\svchost.exe[2348] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000772e1c80 5 bytes JMP 0000000077440290 .text C:\Windows\system32\svchost.exe[2348] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000772e1d10 5 bytes JMP 00000000774402b0 .text C:\Windows\system32\svchost.exe[2348] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000772e1d30 5 bytes JMP 00000000774403a0 .text C:\Windows\system32\svchost.exe[2348] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000772e1d40 5 bytes JMP 0000000077440330 .text C:\Windows\system32\svchost.exe[2348] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000772e1db0 5 bytes JMP 00000000774403e0 .text C:\Windows\system32\svchost.exe[2348] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000772e1de0 5 bytes JMP 0000000077440240 .text C:\Windows\system32\svchost.exe[2348] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000772e20a0 5 bytes JMP 00000000774401e0 .text C:\Windows\system32\svchost.exe[2348] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000772e2160 5 bytes JMP 0000000077440250 .text C:\Windows\system32\svchost.exe[2348] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000772e2190 5 bytes JMP 0000000077440470 .text C:\Windows\system32\svchost.exe[2348] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000772e21a0 5 bytes JMP 0000000077440480 .text C:\Windows\system32\svchost.exe[2348] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000772e21d0 5 bytes JMP 0000000077440300 .text C:\Windows\system32\svchost.exe[2348] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000772e21e0 5 bytes JMP 0000000077440360 .text C:\Windows\system32\svchost.exe[2348] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000772e2240 5 bytes JMP 00000000774402a0 .text C:\Windows\system32\svchost.exe[2348] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000772e2290 5 bytes JMP 00000000774402c0 .text C:\Windows\system32\svchost.exe[2348] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000772e22d0 5 bytes JMP 0000000077440340 .text C:\Windows\system32\svchost.exe[2348] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000772e25c0 5 bytes JMP 0000000077440420 .text C:\Windows\system32\svchost.exe[2348] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000772e27c0 5 bytes JMP 0000000077440260 .text C:\Windows\system32\svchost.exe[2348] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000772e27d0 5 bytes JMP 0000000077440270 .text C:\Windows\system32\svchost.exe[2348] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000772e27e0 5 bytes JMP 00000000774403d0 .text C:\Windows\system32\svchost.exe[2348] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000772e29a0 5 bytes JMP 00000000774401f0 .text C:\Windows\system32\svchost.exe[2348] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000772e29b0 5 bytes JMP 0000000077440210 .text C:\Windows\system32\svchost.exe[2348] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000772e2a20 5 bytes JMP 0000000077440200 .text C:\Windows\system32\svchost.exe[2348] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000772e2a80 5 bytes JMP 00000000774403f0 .text C:\Windows\system32\svchost.exe[2348] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000772e2a90 5 bytes JMP 0000000077440400 .text C:\Windows\system32\svchost.exe[2348] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000772e2aa0 5 bytes JMP 0000000077440220 .text C:\Windows\system32\svchost.exe[2348] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000772e2b80 5 bytes JMP 0000000077440280 .text C:\Windows\system32\svchost.exe[2348] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 00000000771ceecd 1 byte [62] .text C:\Windows\system32\svchost.exe[2348] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefdfa6e00 5 bytes JMP 000007ff7dfc1dac .text C:\Windows\system32\svchost.exe[2348] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefdfa6f2c 5 bytes JMP 000007ff7dfc0ecc .text C:\Windows\system32\svchost.exe[2348] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefdfa7220 5 bytes JMP 000007ff7dfc1284 .text C:\Windows\system32\svchost.exe[2348] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefdfa739c 5 bytes JMP 000007ff7dfc163c .text C:\Windows\system32\svchost.exe[2348] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefdfa7538 5 bytes JMP 000007ff7dfc19f4 .text C:\Windows\system32\svchost.exe[2348] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefdfa75e8 5 bytes JMP 000007ff7dfc03a4 .text C:\Windows\system32\svchost.exe[2348] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefdfa790c 5 bytes JMP 000007ff7dfc075c .text C:\Windows\system32\svchost.exe[2348] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefdfa7ab4 5 bytes JMP 000007ff7dfc0b14 .text C:\Windows\system32\svchost.exe[2380] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 00000000771ceecd 1 byte [62] .text C:\Windows\system32\svchost.exe[2380] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefdfa6e00 5 bytes JMP 000007ff7dfc1dac .text C:\Windows\system32\svchost.exe[2380] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefdfa6f2c 5 bytes JMP 000007ff7dfc0ecc .text C:\Windows\system32\svchost.exe[2380] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefdfa7220 5 bytes JMP 000007ff7dfc1284 .text C:\Windows\system32\svchost.exe[2380] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefdfa739c 5 bytes JMP 000007ff7dfc163c .text C:\Windows\system32\svchost.exe[2380] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefdfa7538 5 bytes JMP 000007ff7dfc19f4 .text C:\Windows\system32\svchost.exe[2380] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefdfa75e8 5 bytes JMP 000007ff7dfc03a4 .text C:\Windows\system32\svchost.exe[2380] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefdfa790c 5 bytes JMP 000007ff7dfc075c .text C:\Windows\system32\svchost.exe[2380] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefdfa7ab4 5 bytes JMP 000007ff7dfc0b14 .text C:\Windows\System32\svchost.exe[2412] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000772b3b10 5 bytes JMP 000000010016075c .text C:\Windows\System32\svchost.exe[2412] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 00000000772b7ac0 5 bytes JMP 00000001001603a4 .text C:\Windows\System32\svchost.exe[2412] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000772e1360 5 bytes JMP 0000000077440440 .text C:\Windows\System32\svchost.exe[2412] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000772e13b0 5 bytes JMP 0000000077440430 .text C:\Windows\System32\svchost.exe[2412] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 00000000772e1430 5 bytes JMP 0000000100160b14 .text C:\Windows\System32\svchost.exe[2412] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 00000000772e1490 5 bytes JMP 0000000100160ecc .text C:\Windows\System32\svchost.exe[2412] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000772e1560 5 bytes JMP 0000000077440450 .text C:\Windows\System32\svchost.exe[2412] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000772e1570 5 bytes JMP 000000010016163c .text C:\Windows\System32\svchost.exe[2412] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000772e1620 5 bytes JMP 0000000077440320 .text C:\Windows\System32\svchost.exe[2412] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000772e1650 5 bytes JMP 0000000077440380 .text C:\Windows\System32\svchost.exe[2412] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000772e16b0 5 bytes JMP 00000000774402e0 .text C:\Windows\System32\svchost.exe[2412] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 00000000772e1700 5 bytes JMP 0000000077440410 .text C:\Windows\System32\svchost.exe[2412] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000772e1730 5 bytes JMP 00000000774402d0 .text C:\Windows\System32\svchost.exe[2412] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000772e1750 5 bytes JMP 0000000077440310 .text C:\Windows\System32\svchost.exe[2412] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000772e1790 5 bytes JMP 0000000077440390 .text C:\Windows\System32\svchost.exe[2412] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 00000000772e17b0 5 bytes JMP 0000000100161284 .text C:\Windows\System32\svchost.exe[2412] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000772e17e0 5 bytes JMP 00000000774403c0 .text C:\Windows\System32\svchost.exe[2412] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000772e1940 5 bytes JMP 0000000077440230 .text C:\Windows\System32\svchost.exe[2412] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000772e1b00 5 bytes JMP 0000000077440460 .text C:\Windows\System32\svchost.exe[2412] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000772e1b30 5 bytes JMP 0000000077440370 .text C:\Windows\System32\svchost.exe[2412] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000772e1c10 5 bytes JMP 00000000774402f0 .text C:\Windows\System32\svchost.exe[2412] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000772e1c20 5 bytes JMP 0000000077440350 .text C:\Windows\System32\svchost.exe[2412] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000772e1c80 5 bytes JMP 0000000077440290 .text C:\Windows\System32\svchost.exe[2412] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000772e1d10 5 bytes JMP 00000000774402b0 .text C:\Windows\System32\svchost.exe[2412] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000772e1d30 5 bytes JMP 00000000774403a0 .text C:\Windows\System32\svchost.exe[2412] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000772e1d40 5 bytes JMP 0000000077440330 .text C:\Windows\System32\svchost.exe[2412] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000772e1db0 5 bytes JMP 00000000774403e0 .text C:\Windows\System32\svchost.exe[2412] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000772e1de0 5 bytes JMP 0000000077440240 .text C:\Windows\System32\svchost.exe[2412] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000772e20a0 5 bytes JMP 00000000774401e0 .text C:\Windows\System32\svchost.exe[2412] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000772e2160 5 bytes JMP 0000000077440250 .text C:\Windows\System32\svchost.exe[2412] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000772e2190 5 bytes JMP 0000000077440470 .text C:\Windows\System32\svchost.exe[2412] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000772e21a0 5 bytes JMP 0000000077440480 .text C:\Windows\System32\svchost.exe[2412] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000772e21d0 5 bytes JMP 0000000077440300 .text C:\Windows\System32\svchost.exe[2412] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000772e21e0 5 bytes JMP 0000000077440360 .text C:\Windows\System32\svchost.exe[2412] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000772e2240 5 bytes JMP 00000000774402a0 .text C:\Windows\System32\svchost.exe[2412] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000772e2290 5 bytes JMP 00000000774402c0 .text C:\Windows\System32\svchost.exe[2412] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000772e22d0 5 bytes JMP 0000000077440340 .text C:\Windows\System32\svchost.exe[2412] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000772e25c0 5 bytes JMP 0000000077440420 .text C:\Windows\System32\svchost.exe[2412] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000772e27c0 5 bytes JMP 0000000077440260 .text C:\Windows\System32\svchost.exe[2412] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000772e27d0 5 bytes JMP 0000000077440270 .text C:\Windows\System32\svchost.exe[2412] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000772e27e0 5 bytes JMP 00000000774403d0 .text C:\Windows\System32\svchost.exe[2412] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000772e29a0 5 bytes JMP 00000000774401f0 .text C:\Windows\System32\svchost.exe[2412] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000772e29b0 5 bytes JMP 0000000077440210 .text C:\Windows\System32\svchost.exe[2412] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000772e2a20 5 bytes JMP 0000000077440200 .text C:\Windows\System32\svchost.exe[2412] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000772e2a80 5 bytes JMP 00000000774403f0 .text C:\Windows\System32\svchost.exe[2412] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000772e2a90 5 bytes JMP 0000000077440400 .text C:\Windows\System32\svchost.exe[2412] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000772e2aa0 5 bytes JMP 0000000077440220 .text C:\Windows\System32\svchost.exe[2412] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000772e2b80 5 bytes JMP 0000000077440280 .text C:\Windows\System32\svchost.exe[2412] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 00000000771ceecd 1 byte [62] .text C:\Windows\System32\svchost.exe[2412] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefdfa6e00 5 bytes JMP 000007ff7dfc1dac .text C:\Windows\System32\svchost.exe[2412] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefdfa6f2c 5 bytes JMP 000007ff7dfc0ecc .text C:\Windows\System32\svchost.exe[2412] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefdfa7220 5 bytes JMP 000007ff7dfc1284 .text C:\Windows\System32\svchost.exe[2412] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefdfa739c 5 bytes JMP 000007ff7dfc163c .text C:\Windows\System32\svchost.exe[2412] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefdfa7538 5 bytes JMP 000007ff7dfc19f4 .text C:\Windows\System32\svchost.exe[2412] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefdfa75e8 5 bytes JMP 000007ff7dfc03a4 .text C:\Windows\System32\svchost.exe[2412] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefdfa790c 5 bytes JMP 000007ff7dfc075c .text C:\Windows\System32\svchost.exe[2412] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefdfa7ab4 5 bytes JMP 000007ff7dfc0b14 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2548] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000772b3b10 5 bytes JMP 000000010082075c .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2548] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 00000000772b7ac0 5 bytes JMP 00000001008203a4 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2548] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000772e1360 5 bytes JMP 0000000077440440 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2548] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000772e13b0 5 bytes JMP 0000000077440430 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2548] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 00000000772e1430 5 bytes JMP 0000000100820b14 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2548] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 00000000772e1490 5 bytes JMP 0000000100820ecc .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2548] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000772e1560 5 bytes JMP 0000000077440450 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2548] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000772e1570 5 bytes JMP 000000010082163c .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2548] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000772e1620 5 bytes JMP 0000000077440320 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2548] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000772e1650 5 bytes JMP 0000000077440380 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2548] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000772e16b0 5 bytes JMP 00000000774402e0 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2548] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 00000000772e1700 5 bytes JMP 0000000077440410 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2548] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000772e1730 5 bytes JMP 00000000774402d0 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2548] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000772e1750 5 bytes JMP 0000000077440310 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2548] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000772e1790 5 bytes JMP 0000000077440390 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2548] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 00000000772e17b0 5 bytes JMP 0000000100821284 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2548] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000772e17e0 5 bytes JMP 00000000774403c0 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2548] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000772e1940 5 bytes JMP 0000000077440230 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2548] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000772e1b00 5 bytes JMP 0000000077440460 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2548] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000772e1b30 5 bytes JMP 0000000077440370 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2548] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000772e1c10 5 bytes JMP 00000000774402f0 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2548] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000772e1c20 5 bytes JMP 0000000077440350 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2548] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000772e1c80 5 bytes JMP 0000000077440290 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2548] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000772e1d10 5 bytes JMP 00000000774402b0 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2548] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000772e1d30 5 bytes JMP 00000000774403a0 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2548] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000772e1d40 5 bytes JMP 0000000077440330 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2548] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000772e1db0 5 bytes JMP 00000000774403e0 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2548] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000772e1de0 5 bytes JMP 0000000077440240 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2548] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000772e20a0 5 bytes JMP 00000000774401e0 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2548] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000772e2160 5 bytes JMP 0000000077440250 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2548] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000772e2190 5 bytes JMP 0000000077440470 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2548] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000772e21a0 5 bytes JMP 0000000077440480 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2548] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000772e21d0 5 bytes JMP 0000000077440300 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2548] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000772e21e0 5 bytes JMP 0000000077440360 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2548] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000772e2240 5 bytes JMP 00000000774402a0 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2548] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000772e2290 5 bytes JMP 00000000774402c0 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2548] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000772e22d0 5 bytes JMP 0000000077440340 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2548] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000772e25c0 5 bytes JMP 0000000077440420 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2548] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000772e27c0 5 bytes JMP 0000000077440260 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2548] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000772e27d0 5 bytes JMP 0000000077440270 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2548] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000772e27e0 5 bytes JMP 00000000774403d0 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2548] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000772e29a0 5 bytes JMP 00000000774401f0 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2548] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000772e29b0 5 bytes JMP 0000000077440210 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2548] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000772e2a20 5 bytes JMP 0000000077440200 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2548] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000772e2a80 5 bytes JMP 00000000774403f0 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2548] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000772e2a90 5 bytes JMP 0000000077440400 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2548] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000772e2aa0 5 bytes JMP 0000000077440220 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2548] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000772e2b80 5 bytes JMP 0000000077440280 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2548] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 00000000771ceecd 1 byte [62] .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2548] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefdfa6e00 5 bytes JMP 000007ff7dfc1dac .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2548] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefdfa6f2c 5 bytes JMP 000007ff7dfc0ecc .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2548] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefdfa7220 5 bytes JMP 000007ff7dfc1284 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2548] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefdfa739c 5 bytes JMP 000007ff7dfc163c .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2548] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefdfa7538 5 bytes JMP 000007ff7dfc19f4 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2548] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefdfa75e8 5 bytes JMP 000007ff7dfc03a4 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2548] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefdfa790c 5 bytes JMP 000007ff7dfc075c .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2548] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefdfa7ab4 5 bytes JMP 000007ff7dfc0b14 .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraMD.exe[2592] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 000000007748fac0 5 bytes JMP 0000000100030600 .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraMD.exe[2592] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 000000007748fb58 5 bytes JMP 0000000100030804 .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraMD.exe[2592] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007748fcb0 5 bytes JMP 0000000100030c0c .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraMD.exe[2592] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077490038 5 bytes JMP 0000000100030a08 .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraMD.exe[2592] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 00000000774ac4dd 5 bytes JMP 00000001000301f8 .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraMD.exe[2592] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000774b1287 5 bytes JMP 00000001000303fc .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraMD.exe[2592] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 00000000764aa2ba 1 byte [62] .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraMD.exe[2592] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076711465 2 bytes [71, 76] .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraMD.exe[2592] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000767114bb 2 bytes [71, 76] .text ... * 2 .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraMD.exe[2592] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007626f0e6 5 bytes JMP 00000001002401f8 .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraMD.exe[2592] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000076273907 5 bytes JMP 00000001002403fc .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraMD.exe[2592] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000076278364 5 bytes JMP 0000000100240600 .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraMD.exe[2592] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000762806b3 5 bytes JMP 0000000100240804 .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraMD.exe[2592] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 0000000076290efc 5 bytes JMP 0000000100240a08 .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraMD.exe[2592] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000076975181 5 bytes JMP 0000000100251014 .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraMD.exe[2592] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000076975254 5 bytes JMP 0000000100250804 .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraMD.exe[2592] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000769753d5 5 bytes JMP 0000000100250a08 .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraMD.exe[2592] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000769754c2 5 bytes JMP 0000000100250c0c .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraMD.exe[2592] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000769755e2 5 bytes JMP 0000000100250e10 .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraMD.exe[2592] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 000000007697567c 5 bytes JMP 00000001002501f8 .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraMD.exe[2592] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 000000007697589f 5 bytes JMP 00000001002503fc .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraMD.exe[2592] C:\Windows\SysWOW64\sechost.dll!DeleteService 0000000076975a22 5 bytes JMP 0000000100250600 .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[2628] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000772b3b10 5 bytes JMP 000000010038075c .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[2628] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 00000000772b7ac0 5 bytes JMP 00000001003803a4 .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[2628] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000772e1360 5 bytes JMP 0000000077440440 .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[2628] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000772e13b0 5 bytes JMP 0000000077440430 .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[2628] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 00000000772e1430 5 bytes JMP 0000000100380b14 .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[2628] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 00000000772e1490 5 bytes JMP 0000000100380ecc .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[2628] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000772e1560 5 bytes JMP 0000000077440450 .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[2628] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000772e1570 5 bytes JMP 000000010038163c .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[2628] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000772e1620 5 bytes JMP 0000000077440320 .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[2628] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000772e1650 5 bytes JMP 0000000077440380 .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[2628] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000772e16b0 5 bytes JMP 00000000774402e0 .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[2628] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 00000000772e1700 5 bytes JMP 0000000077440410 .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[2628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000772e1730 5 bytes JMP 00000000774402d0 .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[2628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000772e1750 5 bytes JMP 0000000077440310 .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[2628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000772e1790 5 bytes JMP 0000000077440390 .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[2628] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 00000000772e17b0 5 bytes JMP 0000000100381284 .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[2628] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000772e17e0 5 bytes JMP 00000000774403c0 .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[2628] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000772e1940 5 bytes JMP 0000000077440230 .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[2628] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000772e1b00 5 bytes JMP 0000000077440460 .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[2628] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000772e1b30 5 bytes JMP 0000000077440370 .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[2628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000772e1c10 5 bytes JMP 00000000774402f0 .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[2628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000772e1c20 5 bytes JMP 0000000077440350 .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[2628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000772e1c80 5 bytes JMP 0000000077440290 .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[2628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000772e1d10 5 bytes JMP 00000000774402b0 .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[2628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000772e1d30 5 bytes JMP 00000000774403a0 .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[2628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000772e1d40 5 bytes JMP 0000000077440330 .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[2628] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000772e1db0 5 bytes JMP 00000000774403e0 .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[2628] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000772e1de0 5 bytes JMP 0000000077440240 .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[2628] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000772e20a0 5 bytes JMP 00000000774401e0 .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[2628] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000772e2160 5 bytes JMP 0000000077440250 .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[2628] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000772e2190 5 bytes JMP 0000000077440470 .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[2628] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000772e21a0 5 bytes JMP 0000000077440480 .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[2628] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000772e21d0 5 bytes JMP 0000000077440300 .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[2628] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000772e21e0 5 bytes JMP 0000000077440360 .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[2628] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000772e2240 5 bytes JMP 00000000774402a0 .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[2628] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000772e2290 5 bytes JMP 00000000774402c0 .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[2628] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000772e22d0 5 bytes JMP 0000000077440340 .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[2628] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000772e25c0 5 bytes JMP 0000000077440420 .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[2628] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000772e27c0 5 bytes JMP 0000000077440260 .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[2628] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000772e27d0 5 bytes JMP 0000000077440270 .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[2628] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000772e27e0 5 bytes JMP 00000000774403d0 .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[2628] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000772e29a0 5 bytes JMP 00000000774401f0 .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[2628] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000772e29b0 5 bytes JMP 0000000077440210 .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[2628] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000772e2a20 5 bytes JMP 0000000077440200 .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[2628] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000772e2a80 5 bytes JMP 00000000774403f0 .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[2628] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000772e2a90 5 bytes JMP 0000000077440400 .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[2628] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000772e2aa0 5 bytes JMP 0000000077440220 .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[2628] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000772e2b80 5 bytes JMP 0000000077440280 .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[2628] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 00000000771ceecd 1 byte [62] .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[2628] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefdfa6e00 5 bytes JMP 000007ff7dfc1dac .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[2628] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefdfa6f2c 5 bytes JMP 000007ff7dfc0ecc .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[2628] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefdfa7220 5 bytes JMP 000007ff7dfc1284 .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[2628] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefdfa739c 5 bytes JMP 000007ff7dfc163c .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[2628] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefdfa7538 5 bytes JMP 000007ff7dfc19f4 .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[2628] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefdfa75e8 5 bytes JMP 000007ff7dfc03a4 .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[2628] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefdfa790c 5 bytes JMP 000007ff7dfc075c .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[2628] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefdfa7ab4 5 bytes JMP 000007ff7dfc0b14 .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM.exe[2640] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 000000007748fac0 5 bytes JMP 0000000100030600 .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM.exe[2640] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 000000007748fb58 5 bytes JMP 0000000100030804 .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM.exe[2640] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007748fcb0 5 bytes JMP 0000000100030c0c .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM.exe[2640] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077490038 5 bytes JMP 0000000100030a08 .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM.exe[2640] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 00000000774ac4dd 5 bytes JMP 00000001000301f8 .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM.exe[2640] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000774b1287 5 bytes JMP 00000001000303fc .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM.exe[2640] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 00000000764aa2ba 1 byte [62] .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM.exe[2640] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007626f0e6 5 bytes JMP 00000001002401f8 .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM.exe[2640] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000076273907 5 bytes JMP 00000001002403fc .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM.exe[2640] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000076278364 5 bytes JMP 0000000100240600 .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM.exe[2640] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000762806b3 5 bytes JMP 0000000100240804 .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM.exe[2640] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 0000000076290efc 5 bytes JMP 0000000100240a08 .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM.exe[2640] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000076975181 5 bytes JMP 0000000100251014 .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM.exe[2640] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000076975254 5 bytes JMP 0000000100250804 .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM.exe[2640] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000769753d5 5 bytes JMP 0000000100250a08 .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM.exe[2640] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000769754c2 5 bytes JMP 0000000100250c0c .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM.exe[2640] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000769755e2 5 bytes JMP 0000000100250e10 .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM.exe[2640] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 000000007697567c 5 bytes JMP 00000001002501f8 .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM.exe[2640] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 000000007697589f 5 bytes JMP 00000001002503fc .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM.exe[2640] C:\Windows\SysWOW64\sechost.dll!DeleteService 0000000076975a22 5 bytes JMP 0000000100250600 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2664] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000772b3b10 5 bytes JMP 000000010038075c .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2664] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 00000000772b7ac0 5 bytes JMP 00000001003803a4 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2664] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000772e1360 5 bytes JMP 0000000100060440 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2664] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000772e13b0 5 bytes JMP 0000000100060430 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2664] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 00000000772e1430 5 bytes JMP 0000000100380b14 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2664] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 00000000772e1490 5 bytes JMP 0000000100380ecc .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2664] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000772e1560 5 bytes JMP 0000000100060450 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2664] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000772e1570 5 bytes JMP 000000010038163c .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2664] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000772e1620 5 bytes JMP 0000000100060320 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2664] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000772e1650 5 bytes JMP 0000000100060380 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2664] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000772e16b0 5 bytes JMP 00000001000602e0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2664] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 00000000772e1700 5 bytes JMP 0000000100060410 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2664] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000772e1730 5 bytes JMP 00000001000602d0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2664] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000772e1750 5 bytes JMP 0000000100060310 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2664] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000772e1790 5 bytes JMP 0000000100060390 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2664] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 00000000772e17b0 5 bytes JMP 0000000100381284 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2664] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000772e17e0 5 bytes JMP 00000001000603c0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2664] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000772e1940 5 bytes JMP 0000000100060230 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2664] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000772e1b00 5 bytes JMP 0000000100060460 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2664] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000772e1b30 5 bytes JMP 0000000100060370 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2664] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000772e1c10 5 bytes JMP 00000001000602f0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2664] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000772e1c20 5 bytes JMP 0000000100060350 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2664] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000772e1c80 5 bytes JMP 0000000100060290 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2664] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000772e1d10 5 bytes JMP 00000001000602b0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2664] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000772e1d30 5 bytes JMP 00000001000603a0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2664] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000772e1d40 5 bytes JMP 0000000100060330 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2664] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000772e1db0 5 bytes JMP 00000001000603e0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2664] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000772e1de0 5 bytes JMP 0000000100060240 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2664] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000772e20a0 5 bytes JMP 00000001000601e0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2664] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000772e2160 5 bytes JMP 0000000100060250 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2664] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000772e2190 5 bytes JMP 0000000100060470 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2664] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000772e21a0 5 bytes JMP 0000000100060480 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2664] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000772e21d0 5 bytes JMP 0000000100060300 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2664] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000772e21e0 5 bytes JMP 0000000100060360 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2664] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000772e2240 5 bytes JMP 00000001000602a0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2664] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000772e2290 5 bytes JMP 00000001000602c0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2664] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000772e22d0 5 bytes JMP 0000000100060340 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2664] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000772e25c0 5 bytes JMP 0000000100060420 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2664] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000772e27c0 5 bytes JMP 0000000100060260 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2664] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000772e27d0 5 bytes JMP 0000000100060270 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2664] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000772e27e0 5 bytes JMP 00000001000603d0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2664] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000772e29a0 5 bytes JMP 00000001000601f0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2664] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000772e29b0 5 bytes JMP 0000000100060210 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2664] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000772e2a20 5 bytes JMP 0000000100060200 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2664] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000772e2a80 5 bytes JMP 00000001000603f0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2664] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000772e2a90 5 bytes JMP 0000000100060400 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2664] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000772e2aa0 5 bytes JMP 0000000100060220 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2664] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000772e2b80 5 bytes JMP 0000000100060280 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2664] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 00000000771ceecd 1 byte [62] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2664] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefdfa6e00 5 bytes JMP 000007ff7dfc1dac .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2664] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefdfa6f2c 5 bytes JMP 000007ff7dfc0ecc .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2664] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefdfa7220 5 bytes JMP 000007ff7dfc1284 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2664] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefdfa739c 5 bytes JMP 000007ff7dfc163c .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2664] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefdfa7538 5 bytes JMP 000007ff7dfc19f4 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2664] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefdfa75e8 5 bytes JMP 000007ff7dfc03a4 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2664] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefdfa790c 5 bytes JMP 000007ff7dfc075c .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2664] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefdfa7ab4 5 bytes JMP 000007ff7dfc0b14 .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraMD64.exe[2768] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000772b3b10 5 bytes JMP 000000010021075c .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraMD64.exe[2768] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 00000000772b7ac0 5 bytes JMP 00000001002103a4 .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraMD64.exe[2768] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000772e1360 5 bytes JMP 0000000077440440 .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraMD64.exe[2768] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000772e13b0 5 bytes JMP 0000000077440430 .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraMD64.exe[2768] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 00000000772e1430 5 bytes JMP 0000000100210b14 .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraMD64.exe[2768] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 00000000772e1490 5 bytes JMP 0000000100210ecc .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraMD64.exe[2768] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000772e1560 5 bytes JMP 0000000077440450 .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraMD64.exe[2768] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000772e1570 5 bytes JMP 000000010021163c .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraMD64.exe[2768] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000772e1620 5 bytes JMP 0000000077440320 .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraMD64.exe[2768] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000772e1650 5 bytes JMP 0000000077440380 .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraMD64.exe[2768] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000772e16b0 5 bytes JMP 00000000774402e0 .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraMD64.exe[2768] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 00000000772e1700 5 bytes JMP 0000000077440410 .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraMD64.exe[2768] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000772e1730 5 bytes JMP 00000000774402d0 .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraMD64.exe[2768] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000772e1750 5 bytes JMP 0000000077440310 .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraMD64.exe[2768] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000772e1790 5 bytes JMP 0000000077440390 .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraMD64.exe[2768] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 00000000772e17b0 5 bytes JMP 0000000100211284 .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraMD64.exe[2768] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000772e17e0 5 bytes JMP 00000000774403c0 .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraMD64.exe[2768] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000772e1940 5 bytes JMP 0000000077440230 .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraMD64.exe[2768] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000772e1b00 5 bytes JMP 0000000077440460 .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraMD64.exe[2768] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000772e1b30 5 bytes JMP 0000000077440370 .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraMD64.exe[2768] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000772e1c10 5 bytes JMP 00000000774402f0 .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraMD64.exe[2768] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000772e1c20 5 bytes JMP 0000000077440350 .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraMD64.exe[2768] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000772e1c80 5 bytes JMP 0000000077440290 .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraMD64.exe[2768] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000772e1d10 5 bytes JMP 00000000774402b0 .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraMD64.exe[2768] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000772e1d30 5 bytes JMP 00000000774403a0 .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraMD64.exe[2768] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000772e1d40 5 bytes JMP 0000000077440330 .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraMD64.exe[2768] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000772e1db0 5 bytes JMP 00000000774403e0 .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraMD64.exe[2768] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000772e1de0 5 bytes JMP 0000000077440240 .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraMD64.exe[2768] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000772e20a0 5 bytes JMP 00000000774401e0 .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraMD64.exe[2768] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000772e2160 5 bytes JMP 0000000077440250 .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraMD64.exe[2768] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000772e2190 5 bytes JMP 0000000077440470 .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraMD64.exe[2768] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000772e21a0 5 bytes JMP 0000000077440480 .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraMD64.exe[2768] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000772e21d0 5 bytes JMP 0000000077440300 .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraMD64.exe[2768] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000772e21e0 5 bytes JMP 0000000077440360 .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraMD64.exe[2768] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000772e2240 5 bytes JMP 00000000774402a0 .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraMD64.exe[2768] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000772e2290 5 bytes JMP 00000000774402c0 .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraMD64.exe[2768] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000772e22d0 5 bytes JMP 0000000077440340 .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraMD64.exe[2768] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000772e25c0 5 bytes JMP 0000000077440420 .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraMD64.exe[2768] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000772e27c0 5 bytes JMP 0000000077440260 .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraMD64.exe[2768] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000772e27d0 5 bytes JMP 0000000077440270 .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraMD64.exe[2768] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000772e27e0 5 bytes JMP 00000000774403d0 .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraMD64.exe[2768] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000772e29a0 5 bytes JMP 00000000774401f0 .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraMD64.exe[2768] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000772e29b0 5 bytes JMP 0000000077440210 .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraMD64.exe[2768] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000772e2a20 5 bytes JMP 0000000077440200 .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraMD64.exe[2768] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000772e2a80 5 bytes JMP 00000000774403f0 .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraMD64.exe[2768] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000772e2a90 5 bytes JMP 0000000077440400 .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraMD64.exe[2768] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000772e2aa0 5 bytes JMP 0000000077440220 .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraMD64.exe[2768] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000772e2b80 5 bytes JMP 0000000077440280 .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraMD64.exe[2768] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 00000000771ceecd 1 byte [62] .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraMD64.exe[2768] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefdfa6e00 5 bytes JMP 000007ff7dfc1dac .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraMD64.exe[2768] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefdfa6f2c 5 bytes JMP 000007ff7dfc0ecc .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraMD64.exe[2768] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefdfa7220 5 bytes JMP 000007ff7dfc1284 .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraMD64.exe[2768] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefdfa739c 5 bytes JMP 000007ff7dfc163c .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraMD64.exe[2768] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefdfa7538 5 bytes JMP 000007ff7dfc19f4 .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraMD64.exe[2768] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefdfa75e8 5 bytes JMP 000007ff7dfc03a4 .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraMD64.exe[2768] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefdfa790c 5 bytes JMP 000007ff7dfc075c .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraMD64.exe[2768] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefdfa7ab4 5 bytes JMP 000007ff7dfc0b14 .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM64.exe[2812] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000772b3b10 5 bytes JMP 000000010033075c .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM64.exe[2812] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 00000000772b7ac0 5 bytes JMP 00000001003303a4 .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM64.exe[2812] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000772e1360 5 bytes JMP 0000000077440440 .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM64.exe[2812] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000772e13b0 5 bytes JMP 0000000077440430 .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM64.exe[2812] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 00000000772e1430 5 bytes JMP 0000000100330b14 .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM64.exe[2812] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 00000000772e1490 5 bytes JMP 0000000100330ecc .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM64.exe[2812] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000772e1560 5 bytes JMP 0000000077440450 .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM64.exe[2812] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000772e1570 5 bytes JMP 000000010033163c .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM64.exe[2812] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000772e1620 5 bytes JMP 0000000077440320 .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM64.exe[2812] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000772e1650 5 bytes JMP 0000000077440380 .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM64.exe[2812] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000772e16b0 5 bytes JMP 00000000774402e0 .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM64.exe[2812] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 00000000772e1700 5 bytes JMP 0000000077440410 .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM64.exe[2812] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000772e1730 5 bytes JMP 00000000774402d0 .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM64.exe[2812] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000772e1750 5 bytes JMP 0000000077440310 .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM64.exe[2812] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000772e1790 5 bytes JMP 0000000077440390 .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM64.exe[2812] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 00000000772e17b0 5 bytes JMP 0000000100331284 .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM64.exe[2812] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000772e17e0 5 bytes JMP 00000000774403c0 .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM64.exe[2812] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000772e1940 5 bytes JMP 0000000077440230 .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM64.exe[2812] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000772e1b00 5 bytes JMP 0000000077440460 .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM64.exe[2812] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000772e1b30 5 bytes JMP 0000000077440370 .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM64.exe[2812] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000772e1c10 5 bytes JMP 00000000774402f0 .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM64.exe[2812] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000772e1c20 5 bytes JMP 0000000077440350 .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM64.exe[2812] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000772e1c80 5 bytes JMP 0000000077440290 .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM64.exe[2812] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000772e1d10 5 bytes JMP 00000000774402b0 .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM64.exe[2812] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000772e1d30 5 bytes JMP 00000000774403a0 .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM64.exe[2812] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000772e1d40 5 bytes JMP 0000000077440330 .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM64.exe[2812] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000772e1db0 5 bytes JMP 00000000774403e0 .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM64.exe[2812] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000772e1de0 5 bytes JMP 0000000077440240 .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM64.exe[2812] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000772e20a0 5 bytes JMP 00000000774401e0 .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM64.exe[2812] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000772e2160 5 bytes JMP 0000000077440250 .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM64.exe[2812] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000772e2190 5 bytes JMP 0000000077440470 .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM64.exe[2812] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000772e21a0 5 bytes JMP 0000000077440480 .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM64.exe[2812] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000772e21d0 5 bytes JMP 0000000077440300 .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM64.exe[2812] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000772e21e0 5 bytes JMP 0000000077440360 .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM64.exe[2812] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000772e2240 5 bytes JMP 00000000774402a0 .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM64.exe[2812] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000772e2290 5 bytes JMP 00000000774402c0 .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM64.exe[2812] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000772e22d0 5 bytes JMP 0000000077440340 .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM64.exe[2812] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000772e25c0 5 bytes JMP 0000000077440420 .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM64.exe[2812] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000772e27c0 5 bytes JMP 0000000077440260 .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM64.exe[2812] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000772e27d0 5 bytes JMP 0000000077440270 .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM64.exe[2812] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000772e27e0 5 bytes JMP 00000000774403d0 .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM64.exe[2812] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000772e29a0 5 bytes JMP 00000000774401f0 .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM64.exe[2812] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000772e29b0 5 bytes JMP 0000000077440210 .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM64.exe[2812] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000772e2a20 5 bytes JMP 0000000077440200 .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM64.exe[2812] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000772e2a80 5 bytes JMP 00000000774403f0 .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM64.exe[2812] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000772e2a90 5 bytes JMP 0000000077440400 .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM64.exe[2812] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000772e2aa0 5 bytes JMP 0000000077440220 .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM64.exe[2812] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000772e2b80 5 bytes JMP 0000000077440280 .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM64.exe[2812] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 00000000771ceecd 1 byte [62] .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM64.exe[2812] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefdfa6e00 5 bytes JMP 000007ff7dfc1dac .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM64.exe[2812] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefdfa6f2c 5 bytes JMP 000007ff7dfc0ecc .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM64.exe[2812] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefdfa7220 5 bytes JMP 000007ff7dfc1284 .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM64.exe[2812] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefdfa739c 5 bytes JMP 000007ff7dfc163c .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM64.exe[2812] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefdfa7538 5 bytes JMP 000007ff7dfc19f4 .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM64.exe[2812] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefdfa75e8 5 bytes JMP 000007ff7dfc03a4 .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM64.exe[2812] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefdfa790c 5 bytes JMP 000007ff7dfc075c .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM64.exe[2812] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefdfa7ab4 5 bytes JMP 000007ff7dfc0b14 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3032] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefdfa6e00 5 bytes JMP 000007ff7dfc1dac .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3032] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefdfa6f2c 5 bytes JMP 000007ff7dfc0ecc .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3032] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefdfa7220 5 bytes JMP 000007ff7dfc1284 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3032] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefdfa739c 5 bytes JMP 000007ff7dfc163c .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3032] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefdfa7538 5 bytes JMP 000007ff7dfc19f4 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3032] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefdfa75e8 5 bytes JMP 000007ff7dfc03a4 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3032] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefdfa790c 5 bytes JMP 000007ff7dfc075c .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3032] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefdfa7ab4 5 bytes JMP 000007ff7dfc0b14 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2744] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000764aa2ba 1 byte [62] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2464] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 000000007748fac0 5 bytes JMP 0000000100030600 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2464] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 000000007748fb58 5 bytes JMP 0000000100030804 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2464] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007748fcb0 5 bytes JMP 0000000100030c0c .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2464] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077490038 5 bytes JMP 0000000100030a08 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2464] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 00000000774ac4dd 5 bytes JMP 00000001000301f8 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2464] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000774b1287 5 bytes JMP 00000001000303fc .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2464] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 00000000764aa2ba 1 byte [62] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2464] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000076975181 5 bytes JMP 0000000100251014 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2464] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000076975254 5 bytes JMP 0000000100250804 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2464] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000769753d5 5 bytes JMP 0000000100250a08 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2464] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000769754c2 5 bytes JMP 0000000100250c0c .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2464] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000769755e2 5 bytes JMP 0000000100250e10 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2464] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 000000007697567c 5 bytes JMP 00000001002501f8 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2464] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 000000007697589f 5 bytes JMP 00000001002503fc .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2464] C:\Windows\SysWOW64\sechost.dll!DeleteService 0000000076975a22 5 bytes JMP 0000000100250600 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2464] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007626f0e6 5 bytes JMP 00000001002601f8 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2464] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000076273907 5 bytes JMP 00000001002603fc .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2464] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000076278364 5 bytes JMP 0000000100260600 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2464] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000762806b3 5 bytes JMP 0000000100260804 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2464] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 0000000076290efc 5 bytes JMP 0000000100260a08 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2464] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076711465 2 bytes [71, 76] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2464] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000767114bb 2 bytes [71, 76] .text ... * 2 .text C:\Windows\system32\SearchIndexer.exe[3360] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000772b3b10 5 bytes JMP 000000010024075c .text C:\Windows\system32\SearchIndexer.exe[3360] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 00000000772b7ac0 5 bytes JMP 00000001002403a4 .text C:\Windows\system32\SearchIndexer.exe[3360] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000772e1360 5 bytes JMP 0000000077440440 .text C:\Windows\system32\SearchIndexer.exe[3360] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000772e13b0 5 bytes JMP 0000000077440430 .text C:\Windows\system32\SearchIndexer.exe[3360] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 00000000772e1430 5 bytes JMP 0000000100240b14 .text C:\Windows\system32\SearchIndexer.exe[3360] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 00000000772e1490 5 bytes JMP 0000000100240ecc .text C:\Windows\system32\SearchIndexer.exe[3360] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000772e1560 5 bytes JMP 0000000077440450 .text C:\Windows\system32\SearchIndexer.exe[3360] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000772e1570 5 bytes JMP 000000010024163c .text C:\Windows\system32\SearchIndexer.exe[3360] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000772e1620 5 bytes JMP 0000000077440320 .text C:\Windows\system32\SearchIndexer.exe[3360] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000772e1650 5 bytes JMP 0000000077440380 .text C:\Windows\system32\SearchIndexer.exe[3360] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000772e16b0 5 bytes JMP 00000000774402e0 .text C:\Windows\system32\SearchIndexer.exe[3360] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 00000000772e1700 5 bytes JMP 0000000077440410 .text C:\Windows\system32\SearchIndexer.exe[3360] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000772e1730 5 bytes JMP 00000000774402d0 .text C:\Windows\system32\SearchIndexer.exe[3360] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000772e1750 5 bytes JMP 0000000077440310 .text C:\Windows\system32\SearchIndexer.exe[3360] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000772e1790 5 bytes JMP 0000000077440390 .text C:\Windows\system32\SearchIndexer.exe[3360] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 00000000772e17b0 5 bytes JMP 0000000100241284 .text C:\Windows\system32\SearchIndexer.exe[3360] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000772e17e0 5 bytes JMP 00000000774403c0 .text C:\Windows\system32\SearchIndexer.exe[3360] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000772e1940 5 bytes JMP 0000000077440230 .text C:\Windows\system32\SearchIndexer.exe[3360] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000772e1b00 5 bytes JMP 0000000077440460 .text C:\Windows\system32\SearchIndexer.exe[3360] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000772e1b30 5 bytes JMP 0000000077440370 .text C:\Windows\system32\SearchIndexer.exe[3360] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000772e1c10 5 bytes JMP 00000000774402f0 .text C:\Windows\system32\SearchIndexer.exe[3360] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000772e1c20 5 bytes JMP 0000000077440350 .text C:\Windows\system32\SearchIndexer.exe[3360] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000772e1c80 5 bytes JMP 0000000077440290 .text C:\Windows\system32\SearchIndexer.exe[3360] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000772e1d10 5 bytes JMP 00000000774402b0 .text C:\Windows\system32\SearchIndexer.exe[3360] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000772e1d30 5 bytes JMP 00000000774403a0 .text C:\Windows\system32\SearchIndexer.exe[3360] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000772e1d40 5 bytes JMP 0000000077440330 .text C:\Windows\system32\SearchIndexer.exe[3360] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000772e1db0 5 bytes JMP 00000000774403e0 .text C:\Windows\system32\SearchIndexer.exe[3360] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000772e1de0 5 bytes JMP 0000000077440240 .text C:\Windows\system32\SearchIndexer.exe[3360] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000772e20a0 5 bytes JMP 00000000774401e0 .text C:\Windows\system32\SearchIndexer.exe[3360] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000772e2160 5 bytes JMP 0000000077440250 .text C:\Windows\system32\SearchIndexer.exe[3360] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000772e2190 5 bytes JMP 0000000077440470 .text C:\Windows\system32\SearchIndexer.exe[3360] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000772e21a0 5 bytes JMP 0000000077440480 .text C:\Windows\system32\SearchIndexer.exe[3360] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000772e21d0 5 bytes JMP 0000000077440300 .text C:\Windows\system32\SearchIndexer.exe[3360] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000772e21e0 5 bytes JMP 0000000077440360 .text C:\Windows\system32\SearchIndexer.exe[3360] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000772e2240 5 bytes JMP 00000000774402a0 .text C:\Windows\system32\SearchIndexer.exe[3360] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000772e2290 5 bytes JMP 00000000774402c0 .text C:\Windows\system32\SearchIndexer.exe[3360] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000772e22d0 5 bytes JMP 0000000077440340 .text C:\Windows\system32\SearchIndexer.exe[3360] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000772e25c0 5 bytes JMP 0000000077440420 .text C:\Windows\system32\SearchIndexer.exe[3360] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000772e27c0 5 bytes JMP 0000000077440260 .text C:\Windows\system32\SearchIndexer.exe[3360] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000772e27d0 5 bytes JMP 0000000077440270 .text C:\Windows\system32\SearchIndexer.exe[3360] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000772e27e0 5 bytes JMP 00000000774403d0 .text C:\Windows\system32\SearchIndexer.exe[3360] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000772e29a0 5 bytes JMP 00000000774401f0 .text C:\Windows\system32\SearchIndexer.exe[3360] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000772e29b0 5 bytes JMP 0000000077440210 .text C:\Windows\system32\SearchIndexer.exe[3360] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000772e2a20 5 bytes JMP 0000000077440200 .text C:\Windows\system32\SearchIndexer.exe[3360] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000772e2a80 5 bytes JMP 00000000774403f0 .text C:\Windows\system32\SearchIndexer.exe[3360] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000772e2a90 5 bytes JMP 0000000077440400 .text C:\Windows\system32\SearchIndexer.exe[3360] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000772e2aa0 5 bytes JMP 0000000077440220 .text C:\Windows\system32\SearchIndexer.exe[3360] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000772e2b80 5 bytes JMP 0000000077440280 .text C:\Windows\system32\SearchIndexer.exe[3360] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 00000000771ceecd 1 byte [62] .text C:\Windows\system32\SearchIndexer.exe[3360] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefdfa6e00 5 bytes JMP 000007ff7dfc1dac .text C:\Windows\system32\SearchIndexer.exe[3360] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefdfa6f2c 5 bytes JMP 000007ff7dfc0ecc .text C:\Windows\system32\SearchIndexer.exe[3360] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefdfa7220 5 bytes JMP 000007ff7dfc1284 .text C:\Windows\system32\SearchIndexer.exe[3360] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefdfa739c 5 bytes JMP 000007ff7dfc163c .text C:\Windows\system32\SearchIndexer.exe[3360] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefdfa7538 5 bytes JMP 000007ff7dfc19f4 .text C:\Windows\system32\SearchIndexer.exe[3360] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefdfa75e8 5 bytes JMP 000007ff7dfc03a4 .text C:\Windows\system32\SearchIndexer.exe[3360] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefdfa790c 5 bytes JMP 000007ff7dfc075c .text C:\Windows\system32\SearchIndexer.exe[3360] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefdfa7ab4 5 bytes JMP 000007ff7dfc0b14 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3700] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000772b3b10 5 bytes JMP 00000001001e075c .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3700] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 00000000772b7ac0 5 bytes JMP 00000001001e03a4 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3700] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000772e1360 5 bytes JMP 0000000077440440 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3700] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000772e13b0 5 bytes JMP 0000000077440430 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3700] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 00000000772e1430 5 bytes JMP 00000001001e0b14 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3700] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 00000000772e1490 5 bytes JMP 00000001001e0ecc .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3700] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000772e1560 5 bytes JMP 0000000077440450 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3700] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000772e1570 5 bytes JMP 00000001001e163c .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3700] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000772e1620 5 bytes JMP 0000000077440320 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3700] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000772e1650 5 bytes JMP 0000000077440380 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3700] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000772e16b0 5 bytes JMP 00000000774402e0 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3700] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 00000000772e1700 5 bytes JMP 0000000077440410 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000772e1730 5 bytes JMP 00000000774402d0 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000772e1750 5 bytes JMP 0000000077440310 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000772e1790 5 bytes JMP 0000000077440390 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3700] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 00000000772e17b0 5 bytes JMP 00000001001e1284 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3700] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000772e17e0 5 bytes JMP 00000000774403c0 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3700] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000772e1940 5 bytes JMP 0000000077440230 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3700] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000772e1b00 5 bytes JMP 0000000077440460 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3700] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000772e1b30 5 bytes JMP 0000000077440370 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000772e1c10 5 bytes JMP 00000000774402f0 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000772e1c20 5 bytes JMP 0000000077440350 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000772e1c80 5 bytes JMP 0000000077440290 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000772e1d10 5 bytes JMP 00000000774402b0 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000772e1d30 5 bytes JMP 00000000774403a0 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000772e1d40 5 bytes JMP 0000000077440330 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3700] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000772e1db0 5 bytes JMP 00000000774403e0 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3700] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000772e1de0 5 bytes JMP 0000000077440240 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3700] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000772e20a0 5 bytes JMP 00000000774401e0 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3700] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000772e2160 5 bytes JMP 0000000077440250 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3700] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000772e2190 5 bytes JMP 0000000077440470 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3700] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000772e21a0 5 bytes JMP 0000000077440480 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3700] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000772e21d0 5 bytes JMP 0000000077440300 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3700] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000772e21e0 5 bytes JMP 0000000077440360 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3700] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000772e2240 5 bytes JMP 00000000774402a0 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3700] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000772e2290 5 bytes JMP 00000000774402c0 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3700] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000772e22d0 5 bytes JMP 0000000077440340 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3700] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000772e25c0 5 bytes JMP 0000000077440420 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3700] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000772e27c0 5 bytes JMP 0000000077440260 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3700] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000772e27d0 5 bytes JMP 0000000077440270 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3700] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000772e27e0 5 bytes JMP 00000000774403d0 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3700] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000772e29a0 5 bytes JMP 00000000774401f0 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3700] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000772e29b0 5 bytes JMP 0000000077440210 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3700] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000772e2a20 5 bytes JMP 0000000077440200 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3700] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000772e2a80 5 bytes JMP 00000000774403f0 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3700] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000772e2a90 5 bytes JMP 0000000077440400 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3700] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000772e2aa0 5 bytes JMP 0000000077440220 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3700] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000772e2b80 5 bytes JMP 0000000077440280 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3700] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 00000000771ceecd 1 byte [62] .text C:\Windows\system32\WUDFHost.exe[3708] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefdfa6e00 5 bytes JMP 000007ff7dfc1dac .text C:\Windows\system32\WUDFHost.exe[3708] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefdfa6f2c 5 bytes JMP 000007ff7dfc0ecc .text C:\Windows\system32\WUDFHost.exe[3708] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefdfa7220 5 bytes JMP 000007ff7dfc1284 .text C:\Windows\system32\WUDFHost.exe[3708] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefdfa739c 5 bytes JMP 000007ff7dfc163c .text C:\Windows\system32\WUDFHost.exe[3708] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefdfa7538 5 bytes JMP 000007ff7dfc19f4 .text C:\Windows\system32\WUDFHost.exe[3708] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefdfa75e8 5 bytes JMP 000007ff7dfc03a4 .text C:\Windows\system32\WUDFHost.exe[3708] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefdfa790c 5 bytes JMP 000007ff7dfc075c .text C:\Windows\system32\WUDFHost.exe[3708] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefdfa7ab4 5 bytes JMP 000007ff7dfc0b14 .text C:\Windows\System32\svchost.exe[1784] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000772b3b10 5 bytes JMP 000000010034075c .text C:\Windows\System32\svchost.exe[1784] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 00000000772b7ac0 5 bytes JMP 00000001003403a4 .text C:\Windows\System32\svchost.exe[1784] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000772e1360 5 bytes JMP 0000000077440440 .text C:\Windows\System32\svchost.exe[1784] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000772e13b0 5 bytes JMP 0000000077440430 .text C:\Windows\System32\svchost.exe[1784] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 00000000772e1430 5 bytes JMP 0000000100340b14 .text C:\Windows\System32\svchost.exe[1784] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 00000000772e1490 5 bytes JMP 0000000100340ecc .text C:\Windows\System32\svchost.exe[1784] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000772e1560 5 bytes JMP 0000000077440450 .text C:\Windows\System32\svchost.exe[1784] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000772e1570 5 bytes JMP 000000010034163c .text C:\Windows\System32\svchost.exe[1784] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000772e1620 5 bytes JMP 0000000077440320 .text C:\Windows\System32\svchost.exe[1784] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000772e1650 5 bytes JMP 0000000077440380 .text C:\Windows\System32\svchost.exe[1784] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000772e16b0 5 bytes JMP 00000000774402e0 .text C:\Windows\System32\svchost.exe[1784] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 00000000772e1700 5 bytes JMP 0000000077440410 .text C:\Windows\System32\svchost.exe[1784] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000772e1730 5 bytes JMP 00000000774402d0 .text C:\Windows\System32\svchost.exe[1784] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000772e1750 5 bytes JMP 0000000077440310 .text C:\Windows\System32\svchost.exe[1784] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000772e1790 5 bytes JMP 0000000077440390 .text C:\Windows\System32\svchost.exe[1784] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 00000000772e17b0 5 bytes JMP 0000000100341284 .text C:\Windows\System32\svchost.exe[1784] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000772e17e0 5 bytes JMP 00000000774403c0 .text C:\Windows\System32\svchost.exe[1784] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000772e1940 5 bytes JMP 0000000077440230 .text C:\Windows\System32\svchost.exe[1784] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000772e1b00 5 bytes JMP 0000000077440460 .text C:\Windows\System32\svchost.exe[1784] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000772e1b30 5 bytes JMP 0000000077440370 .text C:\Windows\System32\svchost.exe[1784] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000772e1c10 5 bytes JMP 00000000774402f0 .text C:\Windows\System32\svchost.exe[1784] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000772e1c20 5 bytes JMP 0000000077440350 .text C:\Windows\System32\svchost.exe[1784] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000772e1c80 5 bytes JMP 0000000077440290 .text C:\Windows\System32\svchost.exe[1784] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000772e1d10 5 bytes JMP 00000000774402b0 .text C:\Windows\System32\svchost.exe[1784] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000772e1d30 5 bytes JMP 00000000774403a0 .text C:\Windows\System32\svchost.exe[1784] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000772e1d40 5 bytes JMP 0000000077440330 .text C:\Windows\System32\svchost.exe[1784] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000772e1db0 5 bytes JMP 00000000774403e0 .text C:\Windows\System32\svchost.exe[1784] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000772e1de0 5 bytes JMP 0000000077440240 .text C:\Windows\System32\svchost.exe[1784] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000772e20a0 5 bytes JMP 00000000774401e0 .text C:\Windows\System32\svchost.exe[1784] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000772e2160 5 bytes JMP 0000000077440250 .text C:\Windows\System32\svchost.exe[1784] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000772e2190 5 bytes JMP 0000000077440470 .text C:\Windows\System32\svchost.exe[1784] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000772e21a0 5 bytes JMP 0000000077440480 .text C:\Windows\System32\svchost.exe[1784] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000772e21d0 5 bytes JMP 0000000077440300 .text C:\Windows\System32\svchost.exe[1784] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000772e21e0 5 bytes JMP 0000000077440360 .text C:\Windows\System32\svchost.exe[1784] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000772e2240 5 bytes JMP 00000000774402a0 .text C:\Windows\System32\svchost.exe[1784] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000772e2290 5 bytes JMP 00000000774402c0 .text C:\Windows\System32\svchost.exe[1784] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000772e22d0 5 bytes JMP 0000000077440340 .text C:\Windows\System32\svchost.exe[1784] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000772e25c0 5 bytes JMP 0000000077440420 .text C:\Windows\System32\svchost.exe[1784] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000772e27c0 5 bytes JMP 0000000077440260 .text C:\Windows\System32\svchost.exe[1784] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000772e27d0 5 bytes JMP 0000000077440270 .text C:\Windows\System32\svchost.exe[1784] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000772e27e0 5 bytes JMP 00000000774403d0 .text C:\Windows\System32\svchost.exe[1784] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000772e29a0 5 bytes JMP 00000000774401f0 .text C:\Windows\System32\svchost.exe[1784] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000772e29b0 5 bytes JMP 0000000077440210 .text C:\Windows\System32\svchost.exe[1784] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000772e2a20 5 bytes JMP 0000000077440200 .text C:\Windows\System32\svchost.exe[1784] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000772e2a80 5 bytes JMP 00000000774403f0 .text C:\Windows\System32\svchost.exe[1784] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000772e2a90 5 bytes JMP 0000000077440400 .text C:\Windows\System32\svchost.exe[1784] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000772e2aa0 5 bytes JMP 0000000077440220 .text C:\Windows\System32\svchost.exe[1784] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000772e2b80 5 bytes JMP 0000000077440280 .text C:\Windows\System32\svchost.exe[1784] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefdfa6e00 5 bytes JMP 000007ff7dfc1dac .text C:\Windows\System32\svchost.exe[1784] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefdfa6f2c 5 bytes JMP 000007ff7dfc0ecc .text C:\Windows\System32\svchost.exe[1784] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefdfa7220 5 bytes JMP 000007ff7dfc1284 .text C:\Windows\System32\svchost.exe[1784] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefdfa739c 5 bytes JMP 000007ff7dfc163c .text C:\Windows\System32\svchost.exe[1784] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefdfa7538 5 bytes JMP 000007ff7dfc19f4 .text C:\Windows\System32\svchost.exe[1784] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefdfa75e8 5 bytes JMP 000007ff7dfc03a4 .text C:\Windows\System32\svchost.exe[1784] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefdfa790c 5 bytes JMP 000007ff7dfc075c .text C:\Windows\System32\svchost.exe[1784] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefdfa7ab4 5 bytes JMP 000007ff7dfc0b14 .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[4516] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 000000007748fac0 5 bytes JMP 0000000100030600 .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[4516] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 000000007748fb58 5 bytes JMP 0000000100030804 .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[4516] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007748fcb0 5 bytes JMP 0000000100030c0c .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[4516] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077490038 5 bytes JMP 0000000100030a08 .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[4516] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 00000000774ac4dd 5 bytes JMP 00000001000301f8 .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[4516] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000774b1287 5 bytes JMP 00000001000303fc .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[4516] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 00000000764aa2ba 1 byte [62] .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[4516] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000076975181 5 bytes JMP 00000001001e1014 .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[4516] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000076975254 5 bytes JMP 00000001001e0804 .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[4516] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000769753d5 5 bytes JMP 00000001001e0a08 .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[4516] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000769754c2 5 bytes JMP 00000001001e0c0c .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[4516] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000769755e2 5 bytes JMP 00000001001e0e10 .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[4516] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 000000007697567c 5 bytes JMP 00000001001e01f8 .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[4516] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 000000007697589f 5 bytes JMP 00000001001e03fc .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[4516] C:\Windows\SysWOW64\sechost.dll!DeleteService 0000000076975a22 5 bytes JMP 00000001001e0600 .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[4516] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007626f0e6 5 bytes JMP 00000001001f01f8 .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[4516] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000076273907 5 bytes JMP 00000001001f03fc .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[4516] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000076278364 5 bytes JMP 00000001001f0600 .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[4516] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000762806b3 5 bytes JMP 00000001001f0804 .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[4516] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 0000000076290efc 5 bytes JMP 00000001001f0a08 .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[4516] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076711465 2 bytes [71, 76] .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[4516] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000767114bb 2 bytes [71, 76] .text ... * 2 .text C:\Users\UKASZ~1\AppData\Local\Temp\Rar$EXa0.997\gmer.exe[2704] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 000000007748fac0 5 bytes JMP 0000000100030600 .text C:\Users\UKASZ~1\AppData\Local\Temp\Rar$EXa0.997\gmer.exe[2704] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 000000007748fb58 5 bytes JMP 0000000100030804 .text C:\Users\UKASZ~1\AppData\Local\Temp\Rar$EXa0.997\gmer.exe[2704] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007748fcb0 5 bytes JMP 0000000100030c0c .text C:\Users\UKASZ~1\AppData\Local\Temp\Rar$EXa0.997\gmer.exe[2704] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077490038 5 bytes JMP 0000000100030a08 .text C:\Users\UKASZ~1\AppData\Local\Temp\Rar$EXa0.997\gmer.exe[2704] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 00000000774ac4dd 5 bytes JMP 00000001000301f8 .text C:\Users\UKASZ~1\AppData\Local\Temp\Rar$EXa0.997\gmer.exe[2704] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000774b1287 5 bytes JMP 00000001000303fc .text C:\Users\UKASZ~1\AppData\Local\Temp\Rar$EXa0.997\gmer.exe[2704] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 00000000764aa2ba 1 byte [62] .text C:\Users\UKASZ~1\AppData\Local\Temp\Rar$EXa0.997\gmer.exe[2704] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000076975181 5 bytes JMP 0000000100241014 .text C:\Users\UKASZ~1\AppData\Local\Temp\Rar$EXa0.997\gmer.exe[2704] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000076975254 5 bytes JMP 0000000100240804 .text C:\Users\UKASZ~1\AppData\Local\Temp\Rar$EXa0.997\gmer.exe[2704] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000769753d5 5 bytes JMP 0000000100240a08 .text C:\Users\UKASZ~1\AppData\Local\Temp\Rar$EXa0.997\gmer.exe[2704] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000769754c2 5 bytes JMP 0000000100240c0c .text C:\Users\UKASZ~1\AppData\Local\Temp\Rar$EXa0.997\gmer.exe[2704] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000769755e2 5 bytes JMP 0000000100240e10 .text C:\Users\UKASZ~1\AppData\Local\Temp\Rar$EXa0.997\gmer.exe[2704] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 000000007697567c 5 bytes JMP 00000001002401f8 .text C:\Users\UKASZ~1\AppData\Local\Temp\Rar$EXa0.997\gmer.exe[2704] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 000000007697589f 5 bytes JMP 00000001002403fc .text C:\Users\UKASZ~1\AppData\Local\Temp\Rar$EXa0.997\gmer.exe[2704] C:\Windows\SysWOW64\sechost.dll!DeleteService 0000000076975a22 5 bytes JMP 0000000100240600 .text C:\Users\UKASZ~1\AppData\Local\Temp\Rar$EXa0.997\gmer.exe[2704] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007626f0e6 5 bytes JMP 00000001002501f8 .text C:\Users\UKASZ~1\AppData\Local\Temp\Rar$EXa0.997\gmer.exe[2704] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000076273907 5 bytes JMP 00000001002503fc .text C:\Users\UKASZ~1\AppData\Local\Temp\Rar$EXa0.997\gmer.exe[2704] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000076278364 5 bytes JMP 0000000100250600 .text C:\Users\UKASZ~1\AppData\Local\Temp\Rar$EXa0.997\gmer.exe[2704] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000762806b3 5 bytes JMP 0000000100250804 .text C:\Users\UKASZ~1\AppData\Local\Temp\Rar$EXa0.997\gmer.exe[2704] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 0000000076290efc 5 bytes JMP 0000000100250a08 ---- Threads - GMER 2.1 ---- Thread C:\Windows\System32\svchost.exe [2412:2792] 000007feefab9688 ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\{8E49B95B-07FD-4FD3-98FB-43265D92B1B9}\Connection@Name isatap.{F6B16BB0-BC44-41E7-ADD6-A023DF6F2534} Reg HKLM\SYSTEM\CurrentControlSet\Control\Network\{4d36e975-e325-11ce-bfc1-08002be10318}\{2B07FAA1-8217-4E30-B5EC-FD4501E773BB}\Linkage@Bind \Device\{1E118345-6701-4625-B76A-720BDD50A5AF}?\Device\{2ED26459-3313-47FC-B153-6BA1BF1AC8F8}?\Device\{84357034-DE8C-40FC-9618-E303D85EED55}?\Device\{8E49B95B-07FD-4FD3-98FB-43265D92B1B9}? Reg HKLM\SYSTEM\CurrentControlSet\Control\Network\{4d36e975-e325-11ce-bfc1-08002be10318}\{2B07FAA1-8217-4E30-B5EC-FD4501E773BB}\Linkage@Route "{1E118345-6701-4625-B76A-720BDD50A5AF}"?"{2ED26459-3313-47FC-B153-6BA1BF1AC8F8}"?"{84357034-DE8C-40FC-9618-E303D85EED55}"?"{8E49B95B-07FD-4FD3-98FB-43265D92B1B9}"? Reg HKLM\SYSTEM\CurrentControlSet\Control\Network\{4d36e975-e325-11ce-bfc1-08002be10318}\{2B07FAA1-8217-4E30-B5EC-FD4501E773BB}\Linkage@Export \Device\TCPIP6TUNNEL_{1E118345-6701-4625-B76A-720BDD50A5AF}?\Device\TCPIP6TUNNEL_{2ED26459-3313-47FC-B153-6BA1BF1AC8F8}?\Device\TCPIP6TUNNEL_{84357034-DE8C-40FC-9618-E303D85EED55}?\Device\TCPIP6TUNNEL_{8E49B95B-07FD-4FD3-98FB-43265D92B1B9}? Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\446d570be99a Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\446d570be99a@bc851f31edca 0x42 0xA6 0xBA 0xA6 ... Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\446d570be99a@6ca78050acc2 0x21 0xA1 0xD1 0x5A ... Reg HKLM\SYSTEM\CurrentControlSet\services\iphlpsvc\Parameters\Isatap\{8E49B95B-07FD-4FD3-98FB-43265D92B1B9}@InterfaceName isatap.{F6B16BB0-BC44-41E7-ADD6-A023DF6F2534} Reg HKLM\SYSTEM\CurrentControlSet\services\iphlpsvc\Parameters\Isatap\{8E49B95B-07FD-4FD3-98FB-43265D92B1B9}@ReusableType 0 Reg HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Epoch2@Epoch 10399 Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\446d570be99a (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\446d570be99a@bc851f31edca 0x42 0xA6 0xBA 0xA6 ... Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\446d570be99a@6ca78050acc2 0x21 0xA1 0xD1 0x5A ... ---- EOF - GMER 2.1 ----