GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2014-10-02 22:55:17
Windows 6.2.9200 x64 \Device\Harddisk1\DR1 -> \Device\00000034 Samsung_SSD_840_EVO_250GB rev.EXT0BB0Q 232,89GB
Running: 5bosgzfg.exe; Driver: C:\Users\Everson\AppData\Local\Temp\pwdyipow.sys

---- Kernel code sections - GMER 2.1 ----

.text C:\Windows\System32\win32k.sys!W32pServiceTable fffff960001b5700 15 bytes [40, B5, F7, 01, 80, 39, 70, ...]
.text C:\Windows\System32\win32k.sys!W32pServiceTable + 16 fffff960001b5710 11 bytes [00, 15, FC, FF, 00, 27, C3, ...]
C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00007ff881f0bd10 5 bytes JMP 00007ff902030490 .text C:\Windows\system32\services.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00007ff881f0bd20 5 bytes JMP 00007ff9020304a0 .text C:\Windows\system32\services.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00007ff881f0bd50 5 bytes JMP 00007ff902030300 .text C:\Windows\system32\services.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00007ff881f0bd60 5 bytes JMP 00007ff902030360 .text C:\Windows\system32\services.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00007ff881f0bdc0 5 bytes JMP 00007ff9020302a0 .text C:\Windows\system32\services.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00007ff881f0be10 5 bytes JMP 00007ff9020302c0 .text C:\Windows\system32\services.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00007ff881f0be40 5 bytes JMP 00007ff902030380 .text C:\Windows\system32\services.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00007ff881f0be50 5 bytes JMP 00007ff902030340 .text C:\Windows\system32\services.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00007ff881f0c160 5 bytes JMP 00007ff902030440 .text C:\Windows\system32\services.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00007ff881f0c360 5 bytes JMP 00007ff902030260 .text C:\Windows\system32\services.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00007ff881f0c370 5 bytes JMP 00007ff902030270 .text C:\Windows\system32\services.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00007ff881f0c390 5 bytes JMP 00007ff902030400 .text C:\Windows\system32\services.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00007ff881f0c570 5 bytes JMP 00007ff9020301f0 .text C:\Windows\system32\services.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00007ff881f0c580 1 byte JMP 00007ff902030210 .text C:\Windows\system32\services.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState + 2 
00007ff881f0c582 3 bytes {JMP 0xffffffff80123c90} .text C:\Windows\system32\services.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00007ff881f0c610 5 bytes JMP 00007ff902030200 .text C:\Windows\system32\services.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00007ff881f0c680 5 bytes JMP 00007ff902030420 .text C:\Windows\system32\services.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00007ff881f0c690 5 bytes JMP 00007ff902030430 .text C:\Windows\system32\services.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00007ff881f0c6a0 5 bytes JMP 00007ff902030220 .text C:\Windows\system32\services.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00007ff881f0c7b0 5 bytes JMP 00007ff902030280 .text C:\Windows\system32\services.exe[736] C:\Windows\system32\KERNEL32.DLL!GetBinaryTypeW + 165 00007ff8819f553d 1 byte [62] .text C:\Windows\system32\lsass.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00007ff881f0adb0 5 bytes JMP 00007ff902030460 .text C:\Windows\system32\lsass.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00007ff881f0ae00 5 bytes JMP 00007ff902030450 .text C:\Windows\system32\lsass.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00007ff881f0af60 5 bytes JMP 00007ff902030370 .text C:\Windows\system32\lsass.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00007ff881f0afb0 5 bytes JMP 00007ff902030470 .text C:\Windows\system32\lsass.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00007ff881f0afc0 5 bytes JMP 00007ff9020303e0 .text C:\Windows\system32\lsass.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00007ff881f0b070 5 bytes JMP 00007ff902030320 .text C:\Windows\system32\lsass.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ff881f0b0a0 5 bytes JMP 00007ff9020303b0 .text C:\Windows\system32\lsass.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00007ff881f0b0c0 5 bytes JMP 00007ff902030390 .text C:\Windows\system32\lsass.exe[764] 
C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00007ff881f0b100 5 bytes JMP 00007ff9020302e0 .text C:\Windows\system32\lsass.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00007ff881f0b180 5 bytes JMP 00007ff9020302d0 .text C:\Windows\system32\lsass.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00007ff881f0b1a0 5 bytes JMP 00007ff902030310 .text C:\Windows\system32\lsass.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00007ff881f0b1e0 5 bytes JMP 00007ff9020303c0 .text C:\Windows\system32\lsass.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00007ff881f0b230 5 bytes JMP 00007ff9020303f0 .text C:\Windows\system32\lsass.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00007ff881f0b390 5 bytes JMP 00007ff902030230 .text C:\Windows\system32\lsass.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00007ff881f0b580 5 bytes JMP 00007ff902030480 .text C:\Windows\system32\lsass.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00007ff881f0b5b0 5 bytes JMP 00007ff9020303a0 .text C:\Windows\system32\lsass.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00007ff881f0b6d0 5 bytes JMP 00007ff9020302f0 .text C:\Windows\system32\lsass.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00007ff881f0b6f0 5 bytes JMP 00007ff902030350 .text C:\Windows\system32\lsass.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00007ff881f0b760 5 bytes JMP 00007ff902030290 .text C:\Windows\system32\lsass.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00007ff881f0b7f0 5 bytes JMP 00007ff9020302b0 .text C:\Windows\system32\lsass.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ff881f0b810 5 bytes JMP 00007ff9020303d0 .text C:\Windows\system32\lsass.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00007ff881f0b820 5 bytes JMP 00007ff902030330 .text C:\Windows\system32\lsass.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00007ff881f0b8d0 5 bytes JMP 00007ff902030410 .text 
C:\Windows\system32\lsass.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00007ff881f0b900 5 bytes JMP 00007ff902030240 .text C:\Windows\system32\lsass.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00007ff881f0bc20 5 bytes JMP 00007ff9020301e0 .text C:\Windows\system32\lsass.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00007ff881f0bce0 5 bytes JMP 00007ff902030250 .text C:\Windows\system32\lsass.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00007ff881f0bd10 5 bytes JMP 00007ff902030490 .text C:\Windows\system32\lsass.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00007ff881f0bd20 5 bytes JMP 00007ff9020304a0 .text C:\Windows\system32\lsass.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00007ff881f0bd50 5 bytes JMP 00007ff902030300 .text C:\Windows\system32\lsass.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00007ff881f0bd60 5 bytes JMP 00007ff902030360 .text C:\Windows\system32\lsass.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00007ff881f0bdc0 5 bytes JMP 00007ff9020302a0 .text C:\Windows\system32\lsass.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00007ff881f0be10 5 bytes JMP 00007ff9020302c0 .text C:\Windows\system32\lsass.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00007ff881f0be40 5 bytes JMP 00007ff902030380 .text C:\Windows\system32\lsass.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00007ff881f0be50 5 bytes JMP 00007ff902030340 .text C:\Windows\system32\lsass.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00007ff881f0c160 5 bytes JMP 00007ff902030440 .text C:\Windows\system32\lsass.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00007ff881f0c360 5 bytes JMP 00007ff902030260 .text C:\Windows\system32\lsass.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00007ff881f0c370 5 bytes JMP 00007ff902030270 .text C:\Windows\system32\lsass.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00007ff881f0c390 5 bytes JMP 
00007ff902030400 .text C:\Windows\system32\lsass.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00007ff881f0c570 5 bytes JMP 00007ff9020301f0 .text C:\Windows\system32\lsass.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00007ff881f0c580 1 byte JMP 00007ff902030210 .text C:\Windows\system32\lsass.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState + 2 00007ff881f0c582 3 bytes {JMP 0xffffffff80123c90} .text C:\Windows\system32\lsass.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00007ff881f0c610 5 bytes JMP 00007ff902030200 .text C:\Windows\system32\lsass.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00007ff881f0c680 5 bytes JMP 00007ff902030420 .text C:\Windows\system32\lsass.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00007ff881f0c690 5 bytes JMP 00007ff902030430 .text C:\Windows\system32\lsass.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00007ff881f0c6a0 5 bytes JMP 00007ff902030220 .text C:\Windows\system32\lsass.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00007ff881f0c7b0 5 bytes JMP 00007ff902030280 .text C:\Windows\system32\lsass.exe[764] C:\Windows\system32\KERNEL32.DLL!GetBinaryTypeW + 165 00007ff8819f553d 1 byte [62] .text C:\Windows\system32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00007ff881f0adb0 5 bytes JMP 00007ff902030460 .text C:\Windows\system32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00007ff881f0ae00 5 bytes JMP 00007ff902030450 .text C:\Windows\system32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00007ff881f0af60 5 bytes JMP 00007ff902030370 .text C:\Windows\system32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00007ff881f0afb0 5 bytes JMP 00007ff902030470 .text C:\Windows\system32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00007ff881f0afc0 5 bytes JMP 00007ff9020303e0 .text C:\Windows\system32\svchost.exe[848] 
C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00007ff881f0b070 5 bytes JMP 00007ff902030320 .text C:\Windows\system32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ff881f0b0a0 5 bytes JMP 00007ff9020303b0 .text C:\Windows\system32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00007ff881f0b0c0 5 bytes JMP 00007ff902030390 .text C:\Windows\system32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00007ff881f0b100 5 bytes JMP 00007ff9020302e0 .text C:\Windows\system32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00007ff881f0b180 5 bytes JMP 00007ff9020302d0 .text C:\Windows\system32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00007ff881f0b1a0 5 bytes JMP 00007ff902030310 .text C:\Windows\system32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00007ff881f0b1e0 5 bytes JMP 00007ff9020303c0 .text C:\Windows\system32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00007ff881f0b230 5 bytes JMP 00007ff9020303f0 .text C:\Windows\system32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00007ff881f0b390 5 bytes JMP 00007ff902030230 .text C:\Windows\system32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00007ff881f0b580 5 bytes JMP 00007ff902030480 .text C:\Windows\system32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00007ff881f0b5b0 5 bytes JMP 00007ff9020303a0 .text C:\Windows\system32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00007ff881f0b6d0 5 bytes JMP 00007ff9020302f0 .text C:\Windows\system32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00007ff881f0b6f0 5 bytes JMP 00007ff902030350 .text C:\Windows\system32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00007ff881f0b760 5 bytes JMP 00007ff902030290 .text C:\Windows\system32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00007ff881f0b7f0 5 bytes JMP 
00007ff9020302b0 .text C:\Windows\system32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ff881f0b810 5 bytes JMP 00007ff9020303d0 .text C:\Windows\system32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00007ff881f0b820 5 bytes JMP 00007ff902030330 .text C:\Windows\system32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00007ff881f0b8d0 5 bytes JMP 00007ff902030410 .text C:\Windows\system32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00007ff881f0b900 5 bytes JMP 00007ff902030240 .text C:\Windows\system32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00007ff881f0bc20 5 bytes JMP 00007ff9020301e0 .text C:\Windows\system32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00007ff881f0bce0 5 bytes JMP 00007ff902030250 .text C:\Windows\system32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00007ff881f0bd10 5 bytes JMP 00007ff902030490 .text C:\Windows\system32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00007ff881f0bd20 5 bytes JMP 00007ff9020304a0 .text C:\Windows\system32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00007ff881f0bd50 5 bytes JMP 00007ff902030300 .text C:\Windows\system32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00007ff881f0bd60 5 bytes JMP 00007ff902030360 .text C:\Windows\system32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00007ff881f0bdc0 5 bytes JMP 00007ff9020302a0 .text C:\Windows\system32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00007ff881f0be10 5 bytes JMP 00007ff9020302c0 .text C:\Windows\system32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00007ff881f0be40 5 bytes JMP 00007ff902030380 .text C:\Windows\system32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00007ff881f0be50 5 bytes JMP 00007ff902030340 .text C:\Windows\system32\svchost.exe[848] 
C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00007ff881f0c160 5 bytes JMP 00007ff902030440 .text C:\Windows\system32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00007ff881f0c360 5 bytes JMP 00007ff902030260 .text C:\Windows\system32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00007ff881f0c370 5 bytes JMP 00007ff902030270 .text C:\Windows\system32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00007ff881f0c390 5 bytes JMP 00007ff902030400 .text C:\Windows\system32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00007ff881f0c570 5 bytes JMP 00007ff9020301f0 .text C:\Windows\system32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00007ff881f0c580 1 byte JMP 00007ff902030210 .text C:\Windows\system32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState + 2 00007ff881f0c582 3 bytes {JMP 0xffffffff80123c90} .text C:\Windows\system32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00007ff881f0c610 5 bytes JMP 00007ff902030200 .text C:\Windows\system32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00007ff881f0c680 5 bytes JMP 00007ff902030420 .text C:\Windows\system32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00007ff881f0c690 5 bytes JMP 00007ff902030430 .text C:\Windows\system32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00007ff881f0c6a0 5 bytes JMP 00007ff902030220 .text C:\Windows\system32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00007ff881f0c7b0 5 bytes JMP 00007ff902030280 .text C:\Windows\system32\svchost.exe[848] C:\Windows\system32\KERNEL32.DLL!GetBinaryTypeW + 165 00007ff8819f553d 1 byte [62] .text C:\Windows\system32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00007ff881f0adb0 5 bytes JMP 00007ff902030460 .text C:\Windows\system32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00007ff881f0ae00 5 bytes 
JMP 00007ff902030450 .text C:\Windows\system32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00007ff881f0af60 5 bytes JMP 00007ff902030370 .text C:\Windows\system32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00007ff881f0afb0 5 bytes JMP 00007ff902030470 .text C:\Windows\system32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00007ff881f0afc0 5 bytes JMP 00007ff9020303e0 .text C:\Windows\system32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00007ff881f0b070 5 bytes JMP 00007ff902030320 .text C:\Windows\system32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ff881f0b0a0 5 bytes JMP 00007ff9020303b0 .text C:\Windows\system32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00007ff881f0b0c0 5 bytes JMP 00007ff902030390 .text C:\Windows\system32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00007ff881f0b100 5 bytes JMP 00007ff9020302e0 .text C:\Windows\system32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00007ff881f0b180 5 bytes JMP 00007ff9020302d0 .text C:\Windows\system32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00007ff881f0b1a0 5 bytes JMP 00007ff902030310 .text C:\Windows\system32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00007ff881f0b1e0 5 bytes JMP 00007ff9020303c0 .text C:\Windows\system32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00007ff881f0b230 5 bytes JMP 00007ff9020303f0 .text C:\Windows\system32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00007ff881f0b390 5 bytes JMP 00007ff902030230 .text C:\Windows\system32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00007ff881f0b580 5 bytes JMP 00007ff902030480 .text C:\Windows\system32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00007ff881f0b5b0 5 bytes JMP 00007ff9020303a0 .text C:\Windows\system32\svchost.exe[892] 
C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00007ff881f0b6d0 5 bytes JMP 00007ff9020302f0 .text C:\Windows\system32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00007ff881f0b6f0 5 bytes JMP 00007ff902030350 .text C:\Windows\system32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00007ff881f0b760 5 bytes JMP 00007ff902030290 .text C:\Windows\system32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00007ff881f0b7f0 5 bytes JMP 00007ff9020302b0 .text C:\Windows\system32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ff881f0b810 5 bytes JMP 00007ff9020303d0 .text C:\Windows\system32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00007ff881f0b820 5 bytes JMP 00007ff902030330 .text C:\Windows\system32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00007ff881f0b8d0 5 bytes JMP 00007ff902030410 .text C:\Windows\system32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00007ff881f0b900 5 bytes JMP 00007ff902030240 .text C:\Windows\system32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00007ff881f0bc20 5 bytes JMP 00007ff9020301e0 .text C:\Windows\system32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00007ff881f0bce0 5 bytes JMP 00007ff902030250 .text C:\Windows\system32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00007ff881f0bd10 5 bytes JMP 00007ff902030490 .text C:\Windows\system32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00007ff881f0bd20 5 bytes JMP 00007ff9020304a0 .text C:\Windows\system32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00007ff881f0bd50 5 bytes JMP 00007ff902030300 .text C:\Windows\system32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00007ff881f0bd60 5 bytes JMP 00007ff902030360 .text C:\Windows\system32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00007ff881f0bdc0 5 bytes JMP 
00007ff9020302a0 .text C:\Windows\system32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00007ff881f0be10 5 bytes JMP 00007ff9020302c0 .text C:\Windows\system32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00007ff881f0be40 5 bytes JMP 00007ff902030380 .text C:\Windows\system32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00007ff881f0be50 5 bytes JMP 00007ff902030340 .text C:\Windows\system32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00007ff881f0c160 5 bytes JMP 00007ff902030440 .text C:\Windows\system32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00007ff881f0c360 5 bytes JMP 00007ff902030260 .text C:\Windows\system32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00007ff881f0c370 5 bytes JMP 00007ff902030270 .text C:\Windows\system32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00007ff881f0c390 5 bytes JMP 00007ff902030400 .text C:\Windows\system32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00007ff881f0c570 5 bytes JMP 00007ff9020301f0 .text C:\Windows\system32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00007ff881f0c580 1 byte JMP 00007ff902030210 .text C:\Windows\system32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState + 2 00007ff881f0c582 3 bytes {JMP 0xffffffff80123c90} .text C:\Windows\system32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00007ff881f0c610 5 bytes JMP 00007ff902030200 .text C:\Windows\system32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00007ff881f0c680 5 bytes JMP 00007ff902030420 .text C:\Windows\system32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00007ff881f0c690 5 bytes JMP 00007ff902030430 .text C:\Windows\system32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00007ff881f0c6a0 5 bytes JMP 00007ff902030220 .text C:\Windows\system32\svchost.exe[892] 
C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00007ff881f0c7b0 5 bytes JMP 00007ff902030280 .text C:\Windows\system32\svchost.exe[892] C:\Windows\system32\KERNEL32.DLL!GetBinaryTypeW + 165 00007ff8819f553d 1 byte [62] .text C:\Windows\system32\dwm.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00007ff881f0adb0 5 bytes JMP 00007ff902030460 .text C:\Windows\system32\dwm.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00007ff881f0ae00 5 bytes JMP 00007ff902030450 .text C:\Windows\system32\dwm.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00007ff881f0af60 5 bytes JMP 00007ff902030370 .text C:\Windows\system32\dwm.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00007ff881f0afb0 5 bytes JMP 00007ff902030470 .text C:\Windows\system32\dwm.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00007ff881f0afc0 5 bytes JMP 00007ff9020303e0 .text C:\Windows\system32\dwm.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00007ff881f0b070 5 bytes JMP 00007ff902030320 .text C:\Windows\system32\dwm.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ff881f0b0a0 5 bytes JMP 00007ff9020303b0 .text C:\Windows\system32\dwm.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00007ff881f0b0c0 5 bytes JMP 00007ff902030390 .text C:\Windows\system32\dwm.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00007ff881f0b100 5 bytes JMP 00007ff9020302e0 .text C:\Windows\system32\dwm.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00007ff881f0b180 5 bytes JMP 00007ff9020302d0 .text C:\Windows\system32\dwm.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00007ff881f0b1a0 5 bytes JMP 00007ff902030310 .text C:\Windows\system32\dwm.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00007ff881f0b1e0 5 bytes JMP 00007ff9020303c0 .text C:\Windows\system32\dwm.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00007ff881f0b230 5 bytes JMP 00007ff9020303f0 .text C:\Windows\system32\dwm.exe[992] 
C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00007ff881f0b390 5 bytes JMP 00007ff902030230 .text C:\Windows\system32\dwm.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00007ff881f0b580 5 bytes JMP 00007ff902030480 .text C:\Windows\system32\dwm.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00007ff881f0b5b0 5 bytes JMP 00007ff9020303a0 .text C:\Windows\system32\dwm.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00007ff881f0b6d0 5 bytes JMP 00007ff9020302f0 .text C:\Windows\system32\dwm.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00007ff881f0b6f0 5 bytes JMP 00007ff902030350 .text C:\Windows\system32\dwm.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00007ff881f0b760 5 bytes JMP 00007ff902030290 .text C:\Windows\system32\dwm.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00007ff881f0b7f0 5 bytes JMP 00007ff9020302b0 .text C:\Windows\system32\dwm.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ff881f0b810 5 bytes JMP 00007ff9020303d0 .text C:\Windows\system32\dwm.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00007ff881f0b820 5 bytes JMP 00007ff902030330 .text C:\Windows\system32\dwm.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00007ff881f0b8d0 5 bytes JMP 00007ff902030410 .text C:\Windows\system32\dwm.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00007ff881f0b900 5 bytes JMP 00007ff902030240 .text C:\Windows\system32\dwm.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00007ff881f0bc20 5 bytes JMP 00007ff9020301e0 .text C:\Windows\system32\dwm.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00007ff881f0bce0 5 bytes JMP 00007ff902030250 .text C:\Windows\system32\dwm.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00007ff881f0bd10 5 bytes JMP 00007ff902030490 .text C:\Windows\system32\dwm.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00007ff881f0bd20 5 bytes JMP 00007ff9020304a0 .text 
C:\Windows\system32\dwm.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00007ff881f0bd50 5 bytes JMP 00007ff902030300 .text C:\Windows\system32\dwm.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00007ff881f0bd60 5 bytes JMP 00007ff902030360 .text C:\Windows\system32\dwm.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00007ff881f0bdc0 5 bytes JMP 00007ff9020302a0 .text C:\Windows\system32\dwm.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00007ff881f0be10 5 bytes JMP 00007ff9020302c0 .text C:\Windows\system32\dwm.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00007ff881f0be40 5 bytes JMP 00007ff902030380 .text C:\Windows\system32\dwm.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00007ff881f0be50 5 bytes JMP 00007ff902030340 .text C:\Windows\system32\dwm.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00007ff881f0c160 5 bytes JMP 00007ff902030440 .text C:\Windows\system32\dwm.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00007ff881f0c360 5 bytes JMP 00007ff902030260 .text C:\Windows\system32\dwm.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00007ff881f0c370 5 bytes JMP 00007ff902030270 .text C:\Windows\system32\dwm.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00007ff881f0c390 5 bytes JMP 00007ff902030400 .text C:\Windows\system32\dwm.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00007ff881f0c570 5 bytes JMP 00007ff9020301f0 .text C:\Windows\system32\dwm.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00007ff881f0c580 1 byte JMP 00007ff902030210 .text C:\Windows\system32\dwm.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState + 2 00007ff881f0c582 3 bytes {JMP 0xffffffff80123c90} .text C:\Windows\system32\dwm.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00007ff881f0c610 5 bytes JMP 00007ff902030200 .text C:\Windows\system32\dwm.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00007ff881f0c680 5 bytes JMP 00007ff902030420 .text 
C:\Windows\system32\dwm.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00007ff881f0c690 5 bytes JMP 00007ff902030430 .text C:\Windows\system32\dwm.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00007ff881f0c6a0 5 bytes JMP 00007ff902030220 .text C:\Windows\system32\dwm.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00007ff881f0c7b0 5 bytes JMP 00007ff902030280 .text C:\Windows\system32\dwm.exe[992] C:\Windows\system32\KERNEL32.DLL!GetBinaryTypeW + 165 00007ff8819f553d 1 byte [62] .text C:\Windows\system32\atiesrxx.exe[96] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00007ff881f0adb0 5 bytes JMP 00007ff902030460 .text C:\Windows\system32\atiesrxx.exe[96] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00007ff881f0ae00 5 bytes JMP 00007ff902030450 .text C:\Windows\system32\atiesrxx.exe[96] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00007ff881f0af60 5 bytes JMP 00007ff902030370 .text C:\Windows\system32\atiesrxx.exe[96] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00007ff881f0afb0 5 bytes JMP 00007ff902030470 .text C:\Windows\system32\atiesrxx.exe[96] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00007ff881f0afc0 5 bytes JMP 00007ff9020303e0 .text C:\Windows\system32\atiesrxx.exe[96] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00007ff881f0b070 5 bytes JMP 00007ff902030320 .text C:\Windows\system32\atiesrxx.exe[96] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ff881f0b0a0 5 bytes JMP 00007ff9020303b0 .text C:\Windows\system32\atiesrxx.exe[96] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00007ff881f0b0c0 5 bytes JMP 00007ff902030390 .text C:\Windows\system32\atiesrxx.exe[96] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00007ff881f0b100 5 bytes JMP 00007ff9020302e0 .text C:\Windows\system32\atiesrxx.exe[96] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00007ff881f0b180 5 bytes JMP 00007ff9020302d0 .text C:\Windows\system32\atiesrxx.exe[96] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00007ff881f0b1a0 5 bytes JMP 
00007ff902030310 .text C:\Windows\system32\atiesrxx.exe[96] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00007ff881f0b1e0 5 bytes JMP 00007ff9020303c0 .text C:\Windows\system32\atiesrxx.exe[96] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00007ff881f0b230 5 bytes JMP 00007ff9020303f0 .text C:\Windows\system32\atiesrxx.exe[96] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00007ff881f0b390 5 bytes JMP 00007ff902030230 .text C:\Windows\system32\atiesrxx.exe[96] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00007ff881f0b580 5 bytes JMP 00007ff902030480 .text C:\Windows\system32\atiesrxx.exe[96] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00007ff881f0b5b0 5 bytes JMP 00007ff9020303a0 .text C:\Windows\system32\atiesrxx.exe[96] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00007ff881f0b6d0 5 bytes JMP 00007ff9020302f0 .text C:\Windows\system32\atiesrxx.exe[96] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00007ff881f0b6f0 5 bytes JMP 00007ff902030350 .text C:\Windows\system32\atiesrxx.exe[96] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00007ff881f0b760 5 bytes JMP 00007ff902030290 .text C:\Windows\system32\atiesrxx.exe[96] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00007ff881f0b7f0 5 bytes JMP 00007ff9020302b0 .text C:\Windows\system32\atiesrxx.exe[96] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ff881f0b810 5 bytes JMP 00007ff9020303d0 .text C:\Windows\system32\atiesrxx.exe[96] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00007ff881f0b820 5 bytes JMP 00007ff902030330 .text C:\Windows\system32\atiesrxx.exe[96] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00007ff881f0b8d0 5 bytes JMP 00007ff902030410 .text C:\Windows\system32\atiesrxx.exe[96] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00007ff881f0b900 5 bytes JMP 00007ff902030240 .text C:\Windows\system32\atiesrxx.exe[96] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00007ff881f0bc20 5 bytes JMP 00007ff9020301e0 .text C:\Windows\system32\atiesrxx.exe[96] 
C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00007ff881f0bce0 5 bytes JMP 00007ff902030250 .text C:\Windows\system32\atiesrxx.exe[96] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00007ff881f0bd10 5 bytes JMP 00007ff902030490 .text C:\Windows\system32\atiesrxx.exe[96] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00007ff881f0bd20 5 bytes JMP 00007ff9020304a0 .text C:\Windows\system32\atiesrxx.exe[96] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00007ff881f0bd50 5 bytes JMP 00007ff902030300 .text C:\Windows\system32\atiesrxx.exe[96] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00007ff881f0bd60 5 bytes JMP 00007ff902030360 .text C:\Windows\system32\atiesrxx.exe[96] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00007ff881f0bdc0 5 bytes JMP 00007ff9020302a0 .text C:\Windows\system32\atiesrxx.exe[96] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00007ff881f0be10 5 bytes JMP 00007ff9020302c0 .text C:\Windows\system32\atiesrxx.exe[96] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00007ff881f0be40 5 bytes JMP 00007ff902030380 .text C:\Windows\system32\atiesrxx.exe[96] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00007ff881f0be50 5 bytes JMP 00007ff902030340 .text C:\Windows\system32\atiesrxx.exe[96] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00007ff881f0c160 5 bytes JMP 00007ff902030440 .text C:\Windows\system32\atiesrxx.exe[96] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00007ff881f0c360 5 bytes JMP 00007ff902030260 .text C:\Windows\system32\atiesrxx.exe[96] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00007ff881f0c370 5 bytes JMP 00007ff902030270 .text C:\Windows\system32\atiesrxx.exe[96] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00007ff881f0c390 5 bytes JMP 00007ff902030400 .text C:\Windows\system32\atiesrxx.exe[96] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00007ff881f0c570 5 bytes JMP 00007ff9020301f0 .text C:\Windows\system32\atiesrxx.exe[96] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00007ff881f0c580 1 byte JMP 
00007ff902030210 .text C:\Windows\system32\atiesrxx.exe[96] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState + 2 00007ff881f0c582 3 bytes {JMP 0xffffffff80123c90} .text C:\Windows\system32\atiesrxx.exe[96] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00007ff881f0c610 5 bytes JMP 00007ff902030200 .text C:\Windows\system32\atiesrxx.exe[96] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00007ff881f0c680 5 bytes JMP 00007ff902030420 .text C:\Windows\system32\atiesrxx.exe[96] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00007ff881f0c690 5 bytes JMP 00007ff902030430 .text C:\Windows\system32\atiesrxx.exe[96] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00007ff881f0c6a0 5 bytes JMP 00007ff902030220 .text C:\Windows\system32\atiesrxx.exe[96] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00007ff881f0c7b0 5 bytes JMP 00007ff902030280 .text C:\Windows\system32\atiesrxx.exe[96] C:\Windows\system32\KERNEL32.DLL!GetBinaryTypeW + 165 00007ff8819f553d 1 byte [62] .text C:\Windows\system32\atiesrxx.exe[96] C:\Windows\system32\PSAPI.DLL!GetModuleBaseNameA + 506 00007ff88197169a 4 bytes [97, 81, F8, 7F] .text C:\Windows\system32\atiesrxx.exe[96] C:\Windows\system32\PSAPI.DLL!GetModuleBaseNameA + 514 00007ff8819716a2 4 bytes [97, 81, F8, 7F] .text C:\Windows\system32\atiesrxx.exe[96] C:\Windows\system32\PSAPI.DLL!QueryWorkingSet + 118 00007ff88197181a 4 bytes [97, 81, F8, 7F] .text C:\Windows\system32\atiesrxx.exe[96] C:\Windows\system32\PSAPI.DLL!QueryWorkingSet + 142 00007ff881971832 4 bytes [97, 81, F8, 7F] .text C:\Windows\System32\svchost.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00007ff881f0adb0 5 bytes JMP 00007ff902030460 .text C:\Windows\System32\svchost.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00007ff881f0ae00 5 bytes JMP 00007ff902030450 .text C:\Windows\System32\svchost.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00007ff881f0af60 5 bytes JMP 00007ff902030370 .text C:\Windows\System32\svchost.exe[500] 
C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00007ff881f0afb0 5 bytes JMP 00007ff902030470 .text C:\Windows\System32\svchost.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00007ff881f0afc0 5 bytes JMP 00007ff9020303e0 .text C:\Windows\System32\svchost.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00007ff881f0b070 5 bytes JMP 00007ff902030320 .text C:\Windows\System32\svchost.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ff881f0b0a0 5 bytes JMP 00007ff9020303b0 .text C:\Windows\System32\svchost.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00007ff881f0b0c0 5 bytes JMP 00007ff902030390 .text C:\Windows\System32\svchost.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00007ff881f0b100 5 bytes JMP 00007ff9020302e0 .text C:\Windows\System32\svchost.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00007ff881f0b180 5 bytes JMP 00007ff9020302d0 .text C:\Windows\System32\svchost.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00007ff881f0b1a0 5 bytes JMP 00007ff902030310 .text C:\Windows\System32\svchost.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00007ff881f0b1e0 5 bytes JMP 00007ff9020303c0 .text C:\Windows\System32\svchost.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00007ff881f0b230 5 bytes JMP 00007ff9020303f0 .text C:\Windows\System32\svchost.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00007ff881f0b390 5 bytes JMP 00007ff902030230 .text C:\Windows\System32\svchost.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00007ff881f0b580 5 bytes JMP 00007ff902030480 .text C:\Windows\System32\svchost.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00007ff881f0b5b0 5 bytes JMP 00007ff9020303a0 .text C:\Windows\System32\svchost.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00007ff881f0b6d0 5 bytes JMP 00007ff9020302f0 .text C:\Windows\System32\svchost.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00007ff881f0b6f0 5 bytes 
JMP 00007ff902030350 .text C:\Windows\System32\svchost.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00007ff881f0b760 5 bytes JMP 00007ff902030290 .text C:\Windows\System32\svchost.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00007ff881f0b7f0 5 bytes JMP 00007ff9020302b0 .text C:\Windows\System32\svchost.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ff881f0b810 5 bytes JMP 00007ff9020303d0 .text C:\Windows\System32\svchost.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00007ff881f0b820 5 bytes JMP 00007ff902030330 .text C:\Windows\System32\svchost.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00007ff881f0b8d0 5 bytes JMP 00007ff902030410 .text C:\Windows\System32\svchost.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00007ff881f0b900 5 bytes JMP 00007ff902030240 .text C:\Windows\System32\svchost.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00007ff881f0bc20 5 bytes JMP 00007ff9020301e0 .text C:\Windows\System32\svchost.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00007ff881f0bce0 5 bytes JMP 00007ff902030250 .text C:\Windows\System32\svchost.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00007ff881f0bd10 5 bytes JMP 00007ff902030490 .text C:\Windows\System32\svchost.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00007ff881f0bd20 5 bytes JMP 00007ff9020304a0 .text C:\Windows\System32\svchost.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00007ff881f0bd50 5 bytes JMP 00007ff902030300 .text C:\Windows\System32\svchost.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00007ff881f0bd60 5 bytes JMP 00007ff902030360 .text C:\Windows\System32\svchost.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00007ff881f0bdc0 5 bytes JMP 00007ff9020302a0 .text C:\Windows\System32\svchost.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00007ff881f0be10 5 bytes JMP 00007ff9020302c0 .text C:\Windows\System32\svchost.exe[500] 
C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00007ff881f0be40 5 bytes JMP 00007ff902030380 .text C:\Windows\System32\svchost.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00007ff881f0be50 5 bytes JMP 00007ff902030340 .text C:\Windows\System32\svchost.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00007ff881f0c160 5 bytes JMP 00007ff902030440 .text C:\Windows\System32\svchost.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00007ff881f0c360 5 bytes JMP 00007ff902030260 .text C:\Windows\System32\svchost.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00007ff881f0c370 5 bytes JMP 00007ff902030270 .text C:\Windows\System32\svchost.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00007ff881f0c390 5 bytes JMP 00007ff902030400 .text C:\Windows\System32\svchost.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00007ff881f0c570 5 bytes JMP 00007ff9020301f0 .text C:\Windows\System32\svchost.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00007ff881f0c580 1 byte JMP 00007ff902030210 .text C:\Windows\System32\svchost.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState + 2 00007ff881f0c582 3 bytes {JMP 0xffffffff80123c90} .text C:\Windows\System32\svchost.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00007ff881f0c610 5 bytes JMP 00007ff902030200 .text C:\Windows\System32\svchost.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00007ff881f0c680 5 bytes JMP 00007ff902030420 .text C:\Windows\System32\svchost.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00007ff881f0c690 5 bytes JMP 00007ff902030430 .text C:\Windows\System32\svchost.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00007ff881f0c6a0 5 bytes JMP 00007ff902030220 .text C:\Windows\System32\svchost.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00007ff881f0c7b0 5 bytes JMP 00007ff902030280 .text C:\Windows\System32\svchost.exe[500] C:\Windows\system32\KERNEL32.DLL!GetBinaryTypeW + 165 00007ff8819f553d 1 
byte [62] .text C:\Windows\System32\svchost.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00007ff881f0adb0 5 bytes JMP 00007ff902030460 .text C:\Windows\System32\svchost.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00007ff881f0ae00 5 bytes JMP 00007ff902030450 .text C:\Windows\System32\svchost.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00007ff881f0af60 5 bytes JMP 00007ff902030370 .text C:\Windows\System32\svchost.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00007ff881f0afb0 5 bytes JMP 00007ff902030470 .text C:\Windows\System32\svchost.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00007ff881f0afc0 5 bytes JMP 00007ff9020303e0 .text C:\Windows\System32\svchost.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00007ff881f0b070 5 bytes JMP 00007ff902030320 .text C:\Windows\System32\svchost.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ff881f0b0a0 5 bytes JMP 00007ff9020303b0 .text C:\Windows\System32\svchost.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00007ff881f0b0c0 5 bytes JMP 00007ff902030390 .text C:\Windows\System32\svchost.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00007ff881f0b100 5 bytes JMP 00007ff9020302e0 .text C:\Windows\System32\svchost.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00007ff881f0b180 5 bytes JMP 00007ff9020302d0 .text C:\Windows\System32\svchost.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00007ff881f0b1a0 5 bytes JMP 00007ff902030310 .text C:\Windows\System32\svchost.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00007ff881f0b1e0 5 bytes JMP 00007ff9020303c0 .text C:\Windows\System32\svchost.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00007ff881f0b230 5 bytes JMP 00007ff9020303f0 .text C:\Windows\System32\svchost.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00007ff881f0b390 5 bytes JMP 00007ff902030230 .text C:\Windows\System32\svchost.exe[560] 
C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00007ff881f0b580 5 bytes JMP 00007ff902030480 .text C:\Windows\System32\svchost.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00007ff881f0b5b0 5 bytes JMP 00007ff9020303a0 .text C:\Windows\System32\svchost.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00007ff881f0b6d0 5 bytes JMP 00007ff9020302f0 .text C:\Windows\System32\svchost.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00007ff881f0b6f0 5 bytes JMP 00007ff902030350 .text C:\Windows\System32\svchost.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00007ff881f0b760 5 bytes JMP 00007ff902030290 .text C:\Windows\System32\svchost.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00007ff881f0b7f0 5 bytes JMP 00007ff9020302b0 .text C:\Windows\System32\svchost.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ff881f0b810 5 bytes JMP 00007ff9020303d0 .text C:\Windows\System32\svchost.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00007ff881f0b820 5 bytes JMP 00007ff902030330 .text C:\Windows\System32\svchost.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00007ff881f0b8d0 5 bytes JMP 00007ff902030410 .text C:\Windows\System32\svchost.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00007ff881f0b900 5 bytes JMP 00007ff902030240 .text C:\Windows\System32\svchost.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00007ff881f0bc20 5 bytes JMP 00007ff9020301e0 .text C:\Windows\System32\svchost.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00007ff881f0bce0 5 bytes JMP 00007ff902030250 .text C:\Windows\System32\svchost.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00007ff881f0bd10 5 bytes JMP 00007ff902030490 .text C:\Windows\System32\svchost.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00007ff881f0bd20 5 bytes JMP 00007ff9020304a0 .text C:\Windows\System32\svchost.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00007ff881f0bd50 
5 bytes JMP 00007ff902030300 .text C:\Windows\System32\svchost.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00007ff881f0bd60 5 bytes JMP 00007ff902030360 .text C:\Windows\System32\svchost.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00007ff881f0bdc0 5 bytes JMP 00007ff9020302a0 .text C:\Windows\System32\svchost.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00007ff881f0be10 5 bytes JMP 00007ff9020302c0 .text C:\Windows\System32\svchost.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00007ff881f0be40 5 bytes JMP 00007ff902030380 .text C:\Windows\System32\svchost.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00007ff881f0be50 5 bytes JMP 00007ff902030340 .text C:\Windows\System32\svchost.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00007ff881f0c160 5 bytes JMP 00007ff902030440 .text C:\Windows\System32\svchost.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00007ff881f0c360 5 bytes JMP 00007ff902030260 .text C:\Windows\System32\svchost.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00007ff881f0c370 5 bytes JMP 00007ff902030270 .text C:\Windows\System32\svchost.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00007ff881f0c390 5 bytes JMP 00007ff902030400 .text C:\Windows\System32\svchost.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00007ff881f0c570 5 bytes JMP 00007ff9020301f0 .text C:\Windows\System32\svchost.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00007ff881f0c580 1 byte JMP 00007ff902030210 .text C:\Windows\System32\svchost.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState + 2 00007ff881f0c582 3 bytes {JMP 0xffffffff80123c90} .text C:\Windows\System32\svchost.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00007ff881f0c610 5 bytes JMP 00007ff902030200 .text C:\Windows\System32\svchost.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00007ff881f0c680 5 bytes JMP 00007ff902030420 .text C:\Windows\System32\svchost.exe[560] 
C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00007ff881f0c690 5 bytes JMP 00007ff902030430 .text C:\Windows\System32\svchost.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00007ff881f0c6a0 5 bytes JMP 00007ff902030220 .text C:\Windows\System32\svchost.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00007ff881f0c7b0 5 bytes JMP 00007ff902030280 .text C:\Windows\System32\svchost.exe[560] C:\Windows\system32\KERNEL32.DLL!GetBinaryTypeW + 165 00007ff8819f553d 1 byte [62] .text C:\Windows\system32\svchost.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00007ff881f0adb0 5 bytes JMP 00007ff902030460 .text C:\Windows\system32\svchost.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00007ff881f0ae00 5 bytes JMP 00007ff902030450 .text C:\Windows\system32\svchost.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00007ff881f0af60 5 bytes JMP 00007ff902030370 .text C:\Windows\system32\svchost.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00007ff881f0afb0 5 bytes JMP 00007ff902030470 .text C:\Windows\system32\svchost.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00007ff881f0afc0 5 bytes JMP 00007ff9020303e0 .text C:\Windows\system32\svchost.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00007ff881f0b070 5 bytes JMP 00007ff902030320 .text C:\Windows\system32\svchost.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ff881f0b0a0 5 bytes JMP 00007ff9020303b0 .text C:\Windows\system32\svchost.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00007ff881f0b0c0 5 bytes JMP 00007ff902030390 .text C:\Windows\system32\svchost.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00007ff881f0b100 5 bytes JMP 00007ff9020302e0 .text C:\Windows\system32\svchost.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00007ff881f0b180 5 bytes JMP 00007ff9020302d0 .text C:\Windows\system32\svchost.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00007ff881f0b1a0 5 bytes JMP 00007ff902030310 .text 
C:\Windows\system32\svchost.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00007ff881f0b1e0 5 bytes JMP 00007ff9020303c0 .text C:\Windows\system32\svchost.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00007ff881f0b230 5 bytes JMP 00007ff9020303f0 .text C:\Windows\system32\svchost.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00007ff881f0b390 5 bytes JMP 00007ff902030230 .text C:\Windows\system32\svchost.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00007ff881f0b580 5 bytes JMP 00007ff902030480 .text C:\Windows\system32\svchost.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00007ff881f0b5b0 5 bytes JMP 00007ff9020303a0 .text C:\Windows\system32\svchost.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00007ff881f0b6d0 5 bytes JMP 00007ff9020302f0 .text C:\Windows\system32\svchost.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00007ff881f0b6f0 5 bytes JMP 00007ff902030350 .text C:\Windows\system32\svchost.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00007ff881f0b760 5 bytes JMP 00007ff902030290 .text C:\Windows\system32\svchost.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00007ff881f0b7f0 5 bytes JMP 00007ff9020302b0 .text C:\Windows\system32\svchost.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ff881f0b810 5 bytes JMP 00007ff9020303d0 .text C:\Windows\system32\svchost.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00007ff881f0b820 5 bytes JMP 00007ff902030330 .text C:\Windows\system32\svchost.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00007ff881f0b8d0 5 bytes JMP 00007ff902030410 .text C:\Windows\system32\svchost.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00007ff881f0b900 5 bytes JMP 00007ff902030240 .text C:\Windows\system32\svchost.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00007ff881f0bc20 5 bytes JMP 00007ff9020301e0 .text C:\Windows\system32\svchost.exe[552] 
C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00007ff881f0bce0 5 bytes JMP 00007ff902030250 .text C:\Windows\system32\svchost.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00007ff881f0bd10 5 bytes JMP 00007ff902030490 .text C:\Windows\system32\svchost.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00007ff881f0bd20 5 bytes JMP 00007ff9020304a0 .text C:\Windows\system32\svchost.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00007ff881f0bd50 5 bytes JMP 00007ff902030300 .text C:\Windows\system32\svchost.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00007ff881f0bd60 5 bytes JMP 00007ff902030360 .text C:\Windows\system32\svchost.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00007ff881f0bdc0 5 bytes JMP 00007ff9020302a0 .text C:\Windows\system32\svchost.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00007ff881f0be10 5 bytes JMP 00007ff9020302c0 .text C:\Windows\system32\svchost.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00007ff881f0be40 5 bytes JMP 00007ff902030380 .text C:\Windows\system32\svchost.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00007ff881f0be50 5 bytes JMP 00007ff902030340 .text C:\Windows\system32\svchost.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00007ff881f0c160 5 bytes JMP 00007ff902030440 .text C:\Windows\system32\svchost.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00007ff881f0c360 5 bytes JMP 00007ff902030260 .text C:\Windows\system32\svchost.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00007ff881f0c370 5 bytes JMP 00007ff902030270 .text C:\Windows\system32\svchost.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00007ff881f0c390 5 bytes JMP 00007ff902030400 .text C:\Windows\system32\svchost.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00007ff881f0c570 5 bytes JMP 00007ff9020301f0 .text C:\Windows\system32\svchost.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00007ff881f0c580 1 byte JMP 
00007ff902030210 .text C:\Windows\system32\svchost.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState + 2 00007ff881f0c582 3 bytes {JMP 0xffffffff80123c90} .text C:\Windows\system32\svchost.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00007ff881f0c610 5 bytes JMP 00007ff902030200 .text C:\Windows\system32\svchost.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00007ff881f0c680 5 bytes JMP 00007ff902030420 .text C:\Windows\system32\svchost.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00007ff881f0c690 5 bytes JMP 00007ff902030430 .text C:\Windows\system32\svchost.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00007ff881f0c6a0 5 bytes JMP 00007ff902030220 .text C:\Windows\system32\svchost.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00007ff881f0c7b0 5 bytes JMP 00007ff902030280 .text C:\Windows\system32\svchost.exe[552] C:\Windows\system32\KERNEL32.DLL!GetBinaryTypeW + 165 00007ff8819f553d 1 byte [62] .text C:\Windows\system32\svchost.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00007ff881f0adb0 5 bytes JMP 00007ff902030460 .text C:\Windows\system32\svchost.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00007ff881f0ae00 5 bytes JMP 00007ff902030450 .text C:\Windows\system32\svchost.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00007ff881f0af60 5 bytes JMP 00007ff902030370 .text C:\Windows\system32\svchost.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00007ff881f0afb0 5 bytes JMP 00007ff902030470 .text C:\Windows\system32\svchost.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00007ff881f0afc0 5 bytes JMP 00007ff9020303e0 .text C:\Windows\system32\svchost.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00007ff881f0b070 5 bytes JMP 00007ff902030320 .text C:\Windows\system32\svchost.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ff881f0b0a0 5 bytes JMP 00007ff9020303b0 .text C:\Windows\system32\svchost.exe[804] 
C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00007ff881f0b0c0 5 bytes JMP 00007ff902030390 .text C:\Windows\system32\svchost.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00007ff881f0b100 5 bytes JMP 00007ff9020302e0 .text C:\Windows\system32\svchost.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00007ff881f0b180 5 bytes JMP 00007ff9020302d0 .text C:\Windows\system32\svchost.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00007ff881f0b1a0 5 bytes JMP 00007ff902030310 .text C:\Windows\system32\svchost.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00007ff881f0b1e0 5 bytes JMP 00007ff9020303c0 .text C:\Windows\system32\svchost.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00007ff881f0b230 5 bytes JMP 00007ff9020303f0 .text C:\Windows\system32\svchost.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00007ff881f0b390 5 bytes JMP 00007ff902030230 .text C:\Windows\system32\svchost.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00007ff881f0b580 5 bytes JMP 00007ff902030480 .text C:\Windows\system32\svchost.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00007ff881f0b5b0 5 bytes JMP 00007ff9020303a0 .text C:\Windows\system32\svchost.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00007ff881f0b6d0 5 bytes JMP 00007ff9020302f0 .text C:\Windows\system32\svchost.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00007ff881f0b6f0 5 bytes JMP 00007ff902030350 .text C:\Windows\system32\svchost.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00007ff881f0b760 5 bytes JMP 00007ff902030290 .text C:\Windows\system32\svchost.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00007ff881f0b7f0 5 bytes JMP 00007ff9020302b0 .text C:\Windows\system32\svchost.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ff881f0b810 5 bytes JMP 00007ff9020303d0 .text C:\Windows\system32\svchost.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00007ff881f0b820 5 bytes JMP 
00007ff902030330 .text C:\Windows\system32\svchost.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00007ff881f0b8d0 5 bytes JMP 00007ff902030410 .text C:\Windows\system32\svchost.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00007ff881f0b900 5 bytes JMP 00007ff902030240 .text C:\Windows\system32\svchost.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00007ff881f0bc20 5 bytes JMP 00007ff9020301e0 .text C:\Windows\system32\svchost.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00007ff881f0bce0 5 bytes JMP 00007ff902030250 .text C:\Windows\system32\svchost.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00007ff881f0bd10 5 bytes JMP 00007ff902030490 .text C:\Windows\system32\svchost.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00007ff881f0bd20 5 bytes JMP 00007ff9020304a0 .text C:\Windows\system32\svchost.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00007ff881f0bd50 5 bytes JMP 00007ff902030300 .text C:\Windows\system32\svchost.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00007ff881f0bd60 5 bytes JMP 00007ff902030360 .text C:\Windows\system32\svchost.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00007ff881f0bdc0 5 bytes JMP 00007ff9020302a0 .text C:\Windows\system32\svchost.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00007ff881f0be10 5 bytes JMP 00007ff9020302c0 .text C:\Windows\system32\svchost.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00007ff881f0be40 5 bytes JMP 00007ff902030380 .text C:\Windows\system32\svchost.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00007ff881f0be50 5 bytes JMP 00007ff902030340 .text C:\Windows\system32\svchost.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00007ff881f0c160 5 bytes JMP 00007ff902030440 .text C:\Windows\system32\svchost.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00007ff881f0c360 5 bytes JMP 00007ff902030260 .text C:\Windows\system32\svchost.exe[804] 
C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00007ff881f0c370 5 bytes JMP 00007ff902030270 .text C:\Windows\system32\svchost.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00007ff881f0c390 5 bytes JMP 00007ff902030400 .text C:\Windows\system32\svchost.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00007ff881f0c570 5 bytes JMP 00007ff9020301f0 .text C:\Windows\system32\svchost.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00007ff881f0c580 1 byte JMP 00007ff902030210 .text C:\Windows\system32\svchost.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState + 2 00007ff881f0c582 3 bytes {JMP 0xffffffff80123c90} .text C:\Windows\system32\svchost.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00007ff881f0c610 5 bytes JMP 00007ff902030200 .text C:\Windows\system32\svchost.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00007ff881f0c680 5 bytes JMP 00007ff902030420 .text C:\Windows\system32\svchost.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00007ff881f0c690 5 bytes JMP 00007ff902030430 .text C:\Windows\system32\svchost.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00007ff881f0c6a0 5 bytes JMP 00007ff902030220 .text C:\Windows\system32\svchost.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00007ff881f0c7b0 5 bytes JMP 00007ff902030280 .text C:\Windows\system32\svchost.exe[804] C:\Windows\system32\KERNEL32.DLL!GetBinaryTypeW + 165 00007ff8819f553d 1 byte [62] .text C:\Windows\system32\atieclxx.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00007ff881f0adb0 5 bytes JMP 00007ff902030460 .text C:\Windows\system32\atieclxx.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00007ff881f0ae00 5 bytes JMP 00007ff902030450 .text C:\Windows\system32\atieclxx.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00007ff881f0af60 5 bytes JMP 00007ff902030370 .text C:\Windows\system32\atieclxx.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00007ff881f0afb0 5 
bytes JMP 00007ff902030470 .text C:\Windows\system32\atieclxx.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00007ff881f0afc0 5 bytes JMP 00007ff9020303e0 .text C:\Windows\system32\atieclxx.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00007ff881f0b070 5 bytes JMP 00007ff902030320 .text C:\Windows\system32\atieclxx.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ff881f0b0a0 5 bytes JMP 00007ff9020303b0 .text C:\Windows\system32\atieclxx.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00007ff881f0b0c0 5 bytes JMP 00007ff902030390 .text C:\Windows\system32\atieclxx.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00007ff881f0b100 5 bytes JMP 00007ff9020302e0 .text C:\Windows\system32\atieclxx.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00007ff881f0b180 5 bytes JMP 00007ff9020302d0 .text C:\Windows\system32\atieclxx.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00007ff881f0b1a0 5 bytes JMP 00007ff902030310 .text C:\Windows\system32\atieclxx.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00007ff881f0b1e0 5 bytes JMP 00007ff9020303c0 .text C:\Windows\system32\atieclxx.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00007ff881f0b230 5 bytes JMP 00007ff9020303f0 .text C:\Windows\system32\atieclxx.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00007ff881f0b390 5 bytes JMP 00007ff902030230 .text C:\Windows\system32\atieclxx.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00007ff881f0b580 5 bytes JMP 00007ff902030480 .text C:\Windows\system32\atieclxx.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00007ff881f0b5b0 5 bytes JMP 00007ff9020303a0 .text C:\Windows\system32\atieclxx.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00007ff881f0b6d0 5 bytes JMP 00007ff9020302f0 .text C:\Windows\system32\atieclxx.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00007ff881f0b6f0 5 bytes JMP 00007ff902030350 .text 
C:\Windows\system32\atieclxx.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00007ff881f0b760 5 bytes JMP 00007ff902030290 .text C:\Windows\system32\atieclxx.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00007ff881f0b7f0 5 bytes JMP 00007ff9020302b0 .text C:\Windows\system32\atieclxx.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ff881f0b810 5 bytes JMP 00007ff9020303d0 .text C:\Windows\system32\atieclxx.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00007ff881f0b820 5 bytes JMP 00007ff902030330 .text C:\Windows\system32\atieclxx.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00007ff881f0b8d0 5 bytes JMP 00007ff902030410 .text C:\Windows\system32\atieclxx.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00007ff881f0b900 5 bytes JMP 00007ff902030240 .text C:\Windows\system32\atieclxx.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00007ff881f0bc20 5 bytes JMP 00007ff9020301e0 .text C:\Windows\system32\atieclxx.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00007ff881f0bce0 5 bytes JMP 00007ff902030250 .text C:\Windows\system32\atieclxx.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00007ff881f0bd10 5 bytes JMP 00007ff902030490 .text C:\Windows\system32\atieclxx.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00007ff881f0bd20 5 bytes JMP 00007ff9020304a0 .text C:\Windows\system32\atieclxx.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00007ff881f0bd50 5 bytes JMP 00007ff902030300 .text C:\Windows\system32\atieclxx.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00007ff881f0bd60 5 bytes JMP 00007ff902030360 .text C:\Windows\system32\atieclxx.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00007ff881f0bdc0 5 bytes JMP 00007ff9020302a0 .text C:\Windows\system32\atieclxx.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00007ff881f0be10 5 bytes JMP 00007ff9020302c0 .text C:\Windows\system32\atieclxx.exe[1072] 
C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00007ff881f0be40 5 bytes JMP 00007ff902030380 .text C:\Windows\system32\atieclxx.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00007ff881f0be50 5 bytes JMP 00007ff902030340 .text C:\Windows\system32\atieclxx.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00007ff881f0c160 5 bytes JMP 00007ff902030440 .text C:\Windows\system32\atieclxx.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00007ff881f0c360 5 bytes JMP 00007ff902030260 .text C:\Windows\system32\atieclxx.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00007ff881f0c370 5 bytes JMP 00007ff902030270 .text C:\Windows\system32\atieclxx.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00007ff881f0c390 5 bytes JMP 00007ff902030400 .text C:\Windows\system32\atieclxx.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00007ff881f0c570 5 bytes JMP 00007ff9020301f0 .text C:\Windows\system32\atieclxx.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00007ff881f0c580 1 byte JMP 00007ff902030210 .text C:\Windows\system32\atieclxx.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState + 2 00007ff881f0c582 3 bytes {JMP 0xffffffff80123c90} .text C:\Windows\system32\atieclxx.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00007ff881f0c610 5 bytes JMP 00007ff902030200 .text C:\Windows\system32\atieclxx.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00007ff881f0c680 5 bytes JMP 00007ff902030420 .text C:\Windows\system32\atieclxx.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00007ff881f0c690 5 bytes JMP 00007ff902030430 .text C:\Windows\system32\atieclxx.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00007ff881f0c6a0 5 bytes JMP 00007ff902030220 .text C:\Windows\system32\atieclxx.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00007ff881f0c7b0 5 bytes JMP 00007ff902030280 .text C:\Windows\system32\atieclxx.exe[1072] C:\Windows\system32\KERNEL32.DLL!GetBinaryTypeW 
+ 165 00007ff8819f553d 1 byte [62] .text C:\Windows\system32\atieclxx.exe[1072] C:\Windows\system32\PSAPI.DLL!GetModuleBaseNameA + 506 00007ff88197169a 4 bytes [97, 81, F8, 7F] .text C:\Windows\system32\atieclxx.exe[1072] C:\Windows\system32\PSAPI.DLL!GetModuleBaseNameA + 514 00007ff8819716a2 4 bytes [97, 81, F8, 7F] .text C:\Windows\system32\atieclxx.exe[1072] C:\Windows\system32\PSAPI.DLL!QueryWorkingSet + 118 00007ff88197181a 4 bytes [97, 81, F8, 7F] .text C:\Windows\system32\atieclxx.exe[1072] C:\Windows\system32\PSAPI.DLL!QueryWorkingSet + 142 00007ff881971832 4 bytes [97, 81, F8, 7F] .text C:\Windows\system32\svchost.exe[1212] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00007ff881f0adb0 5 bytes JMP 00007ff902030460 .text C:\Windows\system32\svchost.exe[1212] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00007ff881f0ae00 5 bytes JMP 00007ff902030450 .text C:\Windows\system32\svchost.exe[1212] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00007ff881f0af60 5 bytes JMP 00007ff902030370 .text C:\Windows\system32\svchost.exe[1212] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00007ff881f0afb0 5 bytes JMP 00007ff902030470 .text C:\Windows\system32\svchost.exe[1212] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00007ff881f0afc0 5 bytes JMP 00007ff9020303e0 .text C:\Windows\system32\svchost.exe[1212] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00007ff881f0b070 5 bytes JMP 00007ff902030320 .text C:\Windows\system32\svchost.exe[1212] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ff881f0b0a0 5 bytes JMP 00007ff9020303b0 .text C:\Windows\system32\svchost.exe[1212] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00007ff881f0b0c0 5 bytes JMP 00007ff902030390 .text C:\Windows\system32\svchost.exe[1212] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00007ff881f0b100 5 bytes JMP 00007ff9020302e0 .text C:\Windows\system32\svchost.exe[1212] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00007ff881f0b180 5 bytes JMP 00007ff9020302d0 .text 
C:\Windows\system32\svchost.exe[1212] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00007ff881f0b1a0 5 bytes JMP 00007ff902030310 .text C:\Windows\system32\svchost.exe[1212] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00007ff881f0b1e0 5 bytes JMP 00007ff9020303c0 .text C:\Windows\system32\svchost.exe[1212] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00007ff881f0b230 5 bytes JMP 00007ff9020303f0 .text C:\Windows\system32\svchost.exe[1212] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00007ff881f0b390 5 bytes JMP 00007ff902030230 .text C:\Windows\system32\svchost.exe[1212] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00007ff881f0b580 5 bytes JMP 00007ff902030480 .text C:\Windows\system32\svchost.exe[1212] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00007ff881f0b5b0 5 bytes JMP 00007ff9020303a0 .text C:\Windows\system32\svchost.exe[1212] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00007ff881f0b6d0 5 bytes JMP 00007ff9020302f0 .text C:\Windows\system32\svchost.exe[1212] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00007ff881f0b6f0 5 bytes JMP 00007ff902030350 .text C:\Windows\system32\svchost.exe[1212] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00007ff881f0b760 5 bytes JMP 00007ff902030290 .text C:\Windows\system32\svchost.exe[1212] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00007ff881f0b7f0 5 bytes JMP 00007ff9020302b0 .text C:\Windows\system32\svchost.exe[1212] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ff881f0b810 5 bytes JMP 00007ff9020303d0 .text C:\Windows\system32\svchost.exe[1212] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00007ff881f0b820 5 bytes JMP 00007ff902030330 .text C:\Windows\system32\svchost.exe[1212] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00007ff881f0b8d0 5 bytes JMP 00007ff902030410 .text C:\Windows\system32\svchost.exe[1212] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00007ff881f0b900 5 bytes JMP 00007ff902030240 .text C:\Windows\system32\svchost.exe[1212] 
C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00007ff881f0bc20 5 bytes JMP 00007ff9020301e0 .text C:\Windows\system32\svchost.exe[1212] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00007ff881f0bce0 5 bytes JMP 00007ff902030250 .text C:\Windows\system32\svchost.exe[1212] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00007ff881f0bd10 5 bytes JMP 00007ff902030490 .text C:\Windows\system32\svchost.exe[1212] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00007ff881f0bd20 5 bytes JMP 00007ff9020304a0 .text C:\Windows\system32\svchost.exe[1212] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00007ff881f0bd50 5 bytes JMP 00007ff902030300 .text C:\Windows\system32\svchost.exe[1212] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00007ff881f0bd60 5 bytes JMP 00007ff902030360 .text C:\Windows\system32\svchost.exe[1212] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00007ff881f0bdc0 5 bytes JMP 00007ff9020302a0 .text C:\Windows\system32\svchost.exe[1212] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00007ff881f0be10 5 bytes JMP 00007ff9020302c0 .text C:\Windows\system32\svchost.exe[1212] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00007ff881f0be40 5 bytes JMP 00007ff902030380 .text C:\Windows\system32\svchost.exe[1212] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00007ff881f0be50 5 bytes JMP 00007ff902030340 .text C:\Windows\system32\svchost.exe[1212] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00007ff881f0c160 5 bytes JMP 00007ff902030440 .text C:\Windows\system32\svchost.exe[1212] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00007ff881f0c360 5 bytes JMP 00007ff902030260 .text C:\Windows\system32\svchost.exe[1212] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00007ff881f0c370 5 bytes JMP 00007ff902030270 .text C:\Windows\system32\svchost.exe[1212] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00007ff881f0c390 5 bytes JMP 00007ff902030400 .text C:\Windows\system32\svchost.exe[1212] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00007ff881f0c570 5 bytes 
JMP 00007ff9020301f0 .text C:\Windows\system32\svchost.exe[1212] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00007ff881f0c580 1 byte JMP 00007ff902030210 .text C:\Windows\system32\svchost.exe[1212] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState + 2 00007ff881f0c582 3 bytes {JMP 0xffffffff80123c90} .text C:\Windows\system32\svchost.exe[1212] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00007ff881f0c610 5 bytes JMP 00007ff902030200 .text C:\Windows\system32\svchost.exe[1212] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00007ff881f0c680 5 bytes JMP 00007ff902030420 .text C:\Windows\system32\svchost.exe[1212] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00007ff881f0c690 5 bytes JMP 00007ff902030430 .text C:\Windows\system32\svchost.exe[1212] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00007ff881f0c6a0 5 bytes JMP 00007ff902030220 .text C:\Windows\system32\svchost.exe[1212] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00007ff881f0c7b0 5 bytes JMP 00007ff902030280 .text C:\Windows\system32\svchost.exe[1212] C:\Windows\system32\KERNEL32.DLL!GetBinaryTypeW + 165 00007ff8819f553d 1 byte [62] .text C:\Windows\system32\WLANExt.exe[1372] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00007ff881f0adb0 5 bytes JMP 00007ff902030460 .text C:\Windows\system32\WLANExt.exe[1372] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00007ff881f0ae00 5 bytes JMP 00007ff902030450 .text C:\Windows\system32\WLANExt.exe[1372] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00007ff881f0af60 5 bytes JMP 00007ff902030370 .text C:\Windows\system32\WLANExt.exe[1372] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00007ff881f0afb0 5 bytes JMP 00007ff902030470 .text C:\Windows\system32\WLANExt.exe[1372] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00007ff881f0afc0 5 bytes JMP 00007ff9020303e0 .text C:\Windows\system32\WLANExt.exe[1372] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00007ff881f0b070 5 bytes JMP 00007ff902030320 .text C:\Windows\system32\WLANExt.exe[1372] 
C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ff881f0b0a0 5 bytes JMP 00007ff9020303b0 .text C:\Windows\system32\WLANExt.exe[1372] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00007ff881f0b0c0 5 bytes JMP 00007ff902030390 .text C:\Windows\system32\WLANExt.exe[1372] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00007ff881f0b100 5 bytes JMP 00007ff9020302e0 .text C:\Windows\system32\WLANExt.exe[1372] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00007ff881f0b180 5 bytes JMP 00007ff9020302d0 .text C:\Windows\system32\WLANExt.exe[1372] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00007ff881f0b1a0 5 bytes JMP 00007ff902030310 .text C:\Windows\system32\WLANExt.exe[1372] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00007ff881f0b1e0 5 bytes JMP 00007ff9020303c0 .text C:\Windows\system32\WLANExt.exe[1372] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00007ff881f0b230 5 bytes JMP 00007ff9020303f0 .text C:\Windows\system32\WLANExt.exe[1372] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00007ff881f0b390 5 bytes JMP 00007ff902030230 .text C:\Windows\system32\WLANExt.exe[1372] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00007ff881f0b580 5 bytes JMP 00007ff902030480 .text C:\Windows\system32\WLANExt.exe[1372] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00007ff881f0b5b0 5 bytes JMP 00007ff9020303a0 .text C:\Windows\system32\WLANExt.exe[1372] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00007ff881f0b6d0 5 bytes JMP 00007ff9020302f0 .text C:\Windows\system32\WLANExt.exe[1372] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00007ff881f0b6f0 5 bytes JMP 00007ff902030350 .text C:\Windows\system32\WLANExt.exe[1372] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00007ff881f0b760 5 bytes JMP 00007ff902030290 .text C:\Windows\system32\WLANExt.exe[1372] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00007ff881f0b7f0 5 bytes JMP 00007ff9020302b0 .text C:\Windows\system32\WLANExt.exe[1372] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ff881f0b810 5 
bytes JMP 00007ff9020303d0 .text C:\Windows\system32\WLANExt.exe[1372] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00007ff881f0b820 5 bytes JMP 00007ff902030330 .text C:\Windows\system32\WLANExt.exe[1372] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00007ff881f0b8d0 5 bytes JMP 00007ff902030410 .text C:\Windows\system32\WLANExt.exe[1372] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00007ff881f0b900 5 bytes JMP 00007ff902030240 .text C:\Windows\system32\WLANExt.exe[1372] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00007ff881f0bc20 5 bytes JMP 00007ff9020301e0 .text C:\Windows\system32\WLANExt.exe[1372] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00007ff881f0bce0 5 bytes JMP 00007ff902030250 .text C:\Windows\system32\WLANExt.exe[1372] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00007ff881f0bd10 5 bytes JMP 00007ff902030490 .text C:\Windows\system32\WLANExt.exe[1372] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00007ff881f0bd20 5 bytes JMP 00007ff9020304a0 .text C:\Windows\system32\WLANExt.exe[1372] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00007ff881f0bd50 5 bytes JMP 00007ff902030300 .text C:\Windows\system32\WLANExt.exe[1372] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00007ff881f0bd60 5 bytes JMP 00007ff902030360 .text C:\Windows\system32\WLANExt.exe[1372] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00007ff881f0bdc0 5 bytes JMP 00007ff9020302a0 .text C:\Windows\system32\WLANExt.exe[1372] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00007ff881f0be10 5 bytes JMP 00007ff9020302c0 .text C:\Windows\system32\WLANExt.exe[1372] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00007ff881f0be40 5 bytes JMP 00007ff902030380 .text C:\Windows\system32\WLANExt.exe[1372] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00007ff881f0be50 5 bytes JMP 00007ff902030340 .text C:\Windows\system32\WLANExt.exe[1372] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00007ff881f0c160 5 bytes JMP 00007ff902030440 .text C:\Windows\system32\WLANExt.exe[1372] 
C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00007ff881f0c360 5 bytes JMP 00007ff902030260 .text C:\Windows\system32\WLANExt.exe[1372] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00007ff881f0c370 5 bytes JMP 00007ff902030270 .text C:\Windows\system32\WLANExt.exe[1372] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00007ff881f0c390 5 bytes JMP 00007ff902030400 .text C:\Windows\system32\WLANExt.exe[1372] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00007ff881f0c570 5 bytes JMP 00007ff9020301f0 .text C:\Windows\system32\WLANExt.exe[1372] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00007ff881f0c580 1 byte JMP 00007ff902030210 .text C:\Windows\system32\WLANExt.exe[1372] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState + 2 00007ff881f0c582 3 bytes {JMP 0xffffffff80123c90} .text C:\Windows\system32\WLANExt.exe[1372] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00007ff881f0c610 5 bytes JMP 00007ff902030200 .text C:\Windows\system32\WLANExt.exe[1372] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00007ff881f0c680 5 bytes JMP 00007ff902030420 .text C:\Windows\system32\WLANExt.exe[1372] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00007ff881f0c690 5 bytes JMP 00007ff902030430 .text C:\Windows\system32\WLANExt.exe[1372] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00007ff881f0c6a0 5 bytes JMP 00007ff902030220 .text C:\Windows\system32\WLANExt.exe[1372] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00007ff881f0c7b0 5 bytes JMP 00007ff902030280 .text C:\Windows\system32\WLANExt.exe[1372] C:\Windows\system32\KERNEL32.DLL!GetBinaryTypeW + 165 00007ff8819f553d 1 byte [62] .text C:\Windows\system32\conhost.exe[1388] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00007ff881f0adb0 5 bytes JMP 00007ff902030460 .text C:\Windows\system32\conhost.exe[1388] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00007ff881f0ae00 5 bytes JMP 00007ff902030450 .text C:\Windows\system32\conhost.exe[1388] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00007ff881f0af60 
5 bytes JMP 00007ff902030370 .text C:\Windows\system32\conhost.exe[1388] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00007ff881f0afb0 5 bytes JMP 00007ff902030470 .text C:\Windows\system32\conhost.exe[1388] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00007ff881f0afc0 5 bytes JMP 00007ff9020303e0 .text C:\Windows\system32\conhost.exe[1388] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00007ff881f0b070 5 bytes JMP 00007ff902030320 .text C:\Windows\system32\conhost.exe[1388] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ff881f0b0a0 5 bytes JMP 00007ff9020303b0 .text C:\Windows\system32\conhost.exe[1388] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00007ff881f0b0c0 5 bytes JMP 00007ff902030390 .text C:\Windows\system32\conhost.exe[1388] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00007ff881f0b100 5 bytes JMP 00007ff9020302e0 .text C:\Windows\system32\conhost.exe[1388] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00007ff881f0b180 5 bytes JMP 00007ff9020302d0 .text C:\Windows\system32\conhost.exe[1388] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00007ff881f0b1a0 5 bytes JMP 00007ff902030310 .text C:\Windows\system32\conhost.exe[1388] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00007ff881f0b1e0 5 bytes JMP 00007ff9020303c0 .text C:\Windows\system32\conhost.exe[1388] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00007ff881f0b230 5 bytes JMP 00007ff9020303f0 .text C:\Windows\system32\conhost.exe[1388] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00007ff881f0b390 5 bytes JMP 00007ff902030230 .text C:\Windows\system32\conhost.exe[1388] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00007ff881f0b580 5 bytes JMP 00007ff902030480 .text C:\Windows\system32\conhost.exe[1388] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00007ff881f0b5b0 5 bytes JMP 00007ff9020303a0 .text C:\Windows\system32\conhost.exe[1388] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00007ff881f0b6d0 5 bytes JMP 00007ff9020302f0 .text 
C:\Windows\system32\conhost.exe[1388] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00007ff881f0b6f0 5 bytes JMP 00007ff902030350 .text C:\Windows\system32\conhost.exe[1388] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00007ff881f0b760 5 bytes JMP 00007ff902030290 .text C:\Windows\system32\conhost.exe[1388] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00007ff881f0b7f0 5 bytes JMP 00007ff9020302b0 .text C:\Windows\system32\conhost.exe[1388] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ff881f0b810 5 bytes JMP 00007ff9020303d0 .text C:\Windows\system32\conhost.exe[1388] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00007ff881f0b820 5 bytes JMP 00007ff902030330 .text C:\Windows\system32\conhost.exe[1388] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00007ff881f0b8d0 5 bytes JMP 00007ff902030410 .text C:\Windows\system32\conhost.exe[1388] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00007ff881f0b900 5 bytes JMP 00007ff902030240 .text C:\Windows\system32\conhost.exe[1388] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00007ff881f0bc20 5 bytes JMP 00007ff9020301e0 .text C:\Windows\system32\conhost.exe[1388] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00007ff881f0bce0 5 bytes JMP 00007ff902030250 .text C:\Windows\system32\conhost.exe[1388] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00007ff881f0bd10 5 bytes JMP 00007ff902030490 .text C:\Windows\system32\conhost.exe[1388] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00007ff881f0bd20 5 bytes JMP 00007ff9020304a0 .text C:\Windows\system32\conhost.exe[1388] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00007ff881f0bd50 5 bytes JMP 00007ff902030300 .text C:\Windows\system32\conhost.exe[1388] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00007ff881f0bd60 5 bytes JMP 00007ff902030360 .text C:\Windows\system32\conhost.exe[1388] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00007ff881f0bdc0 5 bytes JMP 00007ff9020302a0 .text C:\Windows\system32\conhost.exe[1388] 
C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00007ff881f0be10 5 bytes JMP 00007ff9020302c0 .text C:\Windows\system32\conhost.exe[1388] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00007ff881f0be40 5 bytes JMP 00007ff902030380 .text C:\Windows\system32\conhost.exe[1388] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00007ff881f0be50 5 bytes JMP 00007ff902030340 .text C:\Windows\system32\conhost.exe[1388] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00007ff881f0c160 5 bytes JMP 00007ff902030440 .text C:\Windows\system32\conhost.exe[1388] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00007ff881f0c360 5 bytes JMP 00007ff902030260 .text C:\Windows\system32\conhost.exe[1388] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00007ff881f0c370 5 bytes JMP 00007ff902030270 .text C:\Windows\system32\conhost.exe[1388] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00007ff881f0c390 5 bytes JMP 00007ff902030400 .text C:\Windows\system32\conhost.exe[1388] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00007ff881f0c570 5 bytes JMP 00007ff9020301f0 .text C:\Windows\system32\conhost.exe[1388] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00007ff881f0c580 1 byte JMP 00007ff902030210 .text C:\Windows\system32\conhost.exe[1388] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState + 2 00007ff881f0c582 3 bytes {JMP 0xffffffff80123c90} .text C:\Windows\system32\conhost.exe[1388] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00007ff881f0c610 5 bytes JMP 00007ff902030200 .text C:\Windows\system32\conhost.exe[1388] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00007ff881f0c680 5 bytes JMP 00007ff902030420 .text C:\Windows\system32\conhost.exe[1388] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00007ff881f0c690 5 bytes JMP 00007ff902030430 .text C:\Windows\system32\conhost.exe[1388] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00007ff881f0c6a0 5 bytes JMP 00007ff902030220 .text C:\Windows\system32\conhost.exe[1388] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 
00007ff881f0c7b0 5 bytes JMP 00007ff902030280 .text C:\Windows\system32\conhost.exe[1388] C:\Windows\system32\KERNEL32.DLL!GetBinaryTypeW + 165 00007ff8819f553d 1 byte [62] .text C:\Windows\System32\spoolsv.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00007ff881f0adb0 5 bytes JMP 00007ff902030460 .text C:\Windows\System32\spoolsv.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00007ff881f0ae00 5 bytes JMP 00007ff902030450 .text C:\Windows\System32\spoolsv.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00007ff881f0af60 5 bytes JMP 00007ff902030370 .text C:\Windows\System32\spoolsv.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00007ff881f0afb0 5 bytes JMP 00007ff902030470 .text C:\Windows\System32\spoolsv.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00007ff881f0afc0 5 bytes JMP 00007ff9020303e0 .text C:\Windows\System32\spoolsv.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00007ff881f0b070 5 bytes JMP 00007ff902030320 .text C:\Windows\System32\spoolsv.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ff881f0b0a0 5 bytes JMP 00007ff9020303b0 .text C:\Windows\System32\spoolsv.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00007ff881f0b0c0 5 bytes JMP 00007ff902030390 .text C:\Windows\System32\spoolsv.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00007ff881f0b100 5 bytes JMP 00007ff9020302e0 .text C:\Windows\System32\spoolsv.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00007ff881f0b180 5 bytes JMP 00007ff9020302d0 .text C:\Windows\System32\spoolsv.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00007ff881f0b1a0 5 bytes JMP 00007ff902030310 .text C:\Windows\System32\spoolsv.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00007ff881f0b1e0 5 bytes JMP 00007ff9020303c0 .text C:\Windows\System32\spoolsv.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00007ff881f0b230 5 bytes JMP 00007ff9020303f0 .text C:\Windows\System32\spoolsv.exe[1052] 
C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00007ff881f0b390 5 bytes JMP 00007ff902030230 .text C:\Windows\System32\spoolsv.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00007ff881f0b580 5 bytes JMP 00007ff902030480 .text C:\Windows\System32\spoolsv.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00007ff881f0b5b0 5 bytes JMP 00007ff9020303a0 .text C:\Windows\System32\spoolsv.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00007ff881f0b6d0 5 bytes JMP 00007ff9020302f0 .text C:\Windows\System32\spoolsv.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00007ff881f0b6f0 5 bytes JMP 00007ff902030350 .text C:\Windows\System32\spoolsv.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00007ff881f0b760 5 bytes JMP 00007ff902030290 .text C:\Windows\System32\spoolsv.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00007ff881f0b7f0 5 bytes JMP 00007ff9020302b0 .text C:\Windows\System32\spoolsv.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ff881f0b810 5 bytes JMP 00007ff9020303d0 .text C:\Windows\System32\spoolsv.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00007ff881f0b820 5 bytes JMP 00007ff902030330 .text C:\Windows\System32\spoolsv.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00007ff881f0b8d0 5 bytes JMP 00007ff902030410 .text C:\Windows\System32\spoolsv.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00007ff881f0b900 5 bytes JMP 00007ff902030240 .text C:\Windows\System32\spoolsv.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00007ff881f0bc20 5 bytes JMP 00007ff9020301e0 .text C:\Windows\System32\spoolsv.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00007ff881f0bce0 5 bytes JMP 00007ff902030250 .text C:\Windows\System32\spoolsv.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00007ff881f0bd10 5 bytes JMP 00007ff902030490 .text C:\Windows\System32\spoolsv.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 
00007ff881f0bd20 5 bytes JMP 00007ff9020304a0 .text C:\Windows\System32\spoolsv.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00007ff881f0bd50 5 bytes JMP 00007ff902030300 .text C:\Windows\System32\spoolsv.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00007ff881f0bd60 5 bytes JMP 00007ff902030360 .text C:\Windows\System32\spoolsv.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00007ff881f0bdc0 5 bytes JMP 00007ff9020302a0 .text C:\Windows\System32\spoolsv.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00007ff881f0be10 5 bytes JMP 00007ff9020302c0 .text C:\Windows\System32\spoolsv.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00007ff881f0be40 5 bytes JMP 00007ff902030380 .text C:\Windows\System32\spoolsv.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00007ff881f0be50 5 bytes JMP 00007ff902030340 .text C:\Windows\System32\spoolsv.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00007ff881f0c160 5 bytes JMP 00007ff902030440 .text C:\Windows\System32\spoolsv.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00007ff881f0c360 5 bytes JMP 00007ff902030260 .text C:\Windows\System32\spoolsv.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00007ff881f0c370 5 bytes JMP 00007ff902030270 .text C:\Windows\System32\spoolsv.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00007ff881f0c390 5 bytes JMP 00007ff902030400 .text C:\Windows\System32\spoolsv.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00007ff881f0c570 5 bytes JMP 00007ff9020301f0 .text C:\Windows\System32\spoolsv.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00007ff881f0c580 1 byte JMP 00007ff902030210 .text C:\Windows\System32\spoolsv.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState + 2 00007ff881f0c582 3 bytes {JMP 0xffffffff80123c90} .text C:\Windows\System32\spoolsv.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00007ff881f0c610 5 bytes JMP 00007ff902030200 .text 
C:\Windows\System32\spoolsv.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00007ff881f0c680 5 bytes JMP 00007ff902030420 .text C:\Windows\System32\spoolsv.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00007ff881f0c690 5 bytes JMP 00007ff902030430 .text C:\Windows\System32\spoolsv.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00007ff881f0c6a0 5 bytes JMP 00007ff902030220 .text C:\Windows\System32\spoolsv.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00007ff881f0c7b0 5 bytes JMP 00007ff902030280 .text C:\Windows\System32\spoolsv.exe[1052] C:\Windows\system32\KERNEL32.DLL!GetBinaryTypeW + 165 00007ff8819f553d 1 byte [62] .text C:\Windows\system32\svchost.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00007ff881f0adb0 5 bytes JMP 00007ff902030460 .text C:\Windows\system32\svchost.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00007ff881f0ae00 5 bytes JMP 00007ff902030450 .text C:\Windows\system32\svchost.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00007ff881f0af60 5 bytes JMP 00007ff902030370 .text C:\Windows\system32\svchost.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00007ff881f0afb0 5 bytes JMP 00007ff902030470 .text C:\Windows\system32\svchost.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00007ff881f0afc0 5 bytes JMP 00007ff9020303e0 .text C:\Windows\system32\svchost.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00007ff881f0b070 5 bytes JMP 00007ff902030320 .text C:\Windows\system32\svchost.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ff881f0b0a0 5 bytes JMP 00007ff9020303b0 .text C:\Windows\system32\svchost.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00007ff881f0b0c0 5 bytes JMP 00007ff902030390 .text C:\Windows\system32\svchost.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00007ff881f0b100 5 bytes JMP 00007ff9020302e0 .text C:\Windows\system32\svchost.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 
00007ff881f0b180 5 bytes JMP 00007ff9020302d0 .text C:\Windows\system32\svchost.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00007ff881f0b1a0 5 bytes JMP 00007ff902030310 .text C:\Windows\system32\svchost.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00007ff881f0b1e0 5 bytes JMP 00007ff9020303c0 .text C:\Windows\system32\svchost.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00007ff881f0b230 5 bytes JMP 00007ff9020303f0 .text C:\Windows\system32\svchost.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00007ff881f0b390 5 bytes JMP 00007ff902030230 .text C:\Windows\system32\svchost.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00007ff881f0b580 5 bytes JMP 00007ff902030480 .text C:\Windows\system32\svchost.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00007ff881f0b5b0 5 bytes JMP 00007ff9020303a0 .text C:\Windows\system32\svchost.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00007ff881f0b6d0 5 bytes JMP 00007ff9020302f0 .text C:\Windows\system32\svchost.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00007ff881f0b6f0 5 bytes JMP 00007ff902030350 .text C:\Windows\system32\svchost.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00007ff881f0b760 5 bytes JMP 00007ff902030290 .text C:\Windows\system32\svchost.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00007ff881f0b7f0 5 bytes JMP 00007ff9020302b0 .text C:\Windows\system32\svchost.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ff881f0b810 5 bytes JMP 00007ff9020303d0 .text C:\Windows\system32\svchost.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00007ff881f0b820 5 bytes JMP 00007ff902030330 .text C:\Windows\system32\svchost.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00007ff881f0b8d0 5 bytes JMP 00007ff902030410 .text C:\Windows\system32\svchost.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00007ff881f0b900 5 bytes JMP 00007ff902030240 .text 
C:\Windows\system32\svchost.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00007ff881f0bc20 5 bytes JMP 00007ff9020301e0 .text C:\Windows\system32\svchost.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00007ff881f0bce0 5 bytes JMP 00007ff902030250 .text C:\Windows\system32\svchost.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00007ff881f0bd10 5 bytes JMP 00007ff902030490 .text C:\Windows\system32\svchost.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00007ff881f0bd20 5 bytes JMP 00007ff9020304a0 .text C:\Windows\system32\svchost.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00007ff881f0bd50 5 bytes JMP 00007ff902030300 .text C:\Windows\system32\svchost.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00007ff881f0bd60 5 bytes JMP 00007ff902030360 .text C:\Windows\system32\svchost.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00007ff881f0bdc0 5 bytes JMP 00007ff9020302a0 .text C:\Windows\system32\svchost.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00007ff881f0be10 5 bytes JMP 00007ff9020302c0 .text C:\Windows\system32\svchost.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00007ff881f0be40 5 bytes JMP 00007ff902030380 .text C:\Windows\system32\svchost.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00007ff881f0be50 5 bytes JMP 00007ff902030340 .text C:\Windows\system32\svchost.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00007ff881f0c160 5 bytes JMP 00007ff902030440 .text C:\Windows\system32\svchost.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00007ff881f0c360 5 bytes JMP 00007ff902030260 .text C:\Windows\system32\svchost.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00007ff881f0c370 5 bytes JMP 00007ff902030270 .text C:\Windows\system32\svchost.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00007ff881f0c390 5 bytes JMP 00007ff902030400 .text C:\Windows\system32\svchost.exe[1176] 
C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00007ff881f0c570 5 bytes JMP 00007ff9020301f0 .text C:\Windows\system32\svchost.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00007ff881f0c580 1 byte JMP 00007ff902030210 .text C:\Windows\system32\svchost.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState + 2 00007ff881f0c582 3 bytes {JMP 0xffffffff80123c90} .text C:\Windows\system32\svchost.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00007ff881f0c610 5 bytes JMP 00007ff902030200 .text C:\Windows\system32\svchost.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00007ff881f0c680 5 bytes JMP 00007ff902030420 .text C:\Windows\system32\svchost.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00007ff881f0c690 5 bytes JMP 00007ff902030430 .text C:\Windows\system32\svchost.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00007ff881f0c6a0 5 bytes JMP 00007ff902030220 .text C:\Windows\system32\svchost.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00007ff881f0c7b0 5 bytes JMP 00007ff902030280 .text C:\Windows\system32\svchost.exe[1176] C:\Windows\system32\KERNEL32.DLL!GetBinaryTypeW + 165 00007ff8819f553d 1 byte [62] .text C:\Windows\system32\IProsetMonitor.exe[2144] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00007ff881f0adb0 5 bytes JMP 00007ff902030460 .text C:\Windows\system32\IProsetMonitor.exe[2144] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00007ff881f0ae00 5 bytes JMP 00007ff902030450 .text C:\Windows\system32\IProsetMonitor.exe[2144] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00007ff881f0af60 5 bytes JMP 00007ff902030370 .text C:\Windows\system32\IProsetMonitor.exe[2144] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00007ff881f0afb0 5 bytes JMP 00007ff902030470 .text C:\Windows\system32\IProsetMonitor.exe[2144] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00007ff881f0afc0 5 bytes JMP 00007ff9020303e0 .text C:\Windows\system32\IProsetMonitor.exe[2144] 
C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00007ff881f0b070 5 bytes JMP 00007ff902030320 .text C:\Windows\system32\IProsetMonitor.exe[2144] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ff881f0b0a0 5 bytes JMP 00007ff9020303b0 .text C:\Windows\system32\IProsetMonitor.exe[2144] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00007ff881f0b0c0 5 bytes JMP 00007ff902030390 .text C:\Windows\system32\IProsetMonitor.exe[2144] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00007ff881f0b100 5 bytes JMP 00007ff9020302e0 .text C:\Windows\system32\IProsetMonitor.exe[2144] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00007ff881f0b180 5 bytes JMP 00007ff9020302d0 .text C:\Windows\system32\IProsetMonitor.exe[2144] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00007ff881f0b1a0 5 bytes JMP 00007ff902030310 .text C:\Windows\system32\IProsetMonitor.exe[2144] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00007ff881f0b1e0 5 bytes JMP 00007ff9020303c0 .text C:\Windows\system32\IProsetMonitor.exe[2144] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00007ff881f0b230 5 bytes JMP 00007ff9020303f0 .text C:\Windows\system32\IProsetMonitor.exe[2144] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00007ff881f0b390 5 bytes JMP 00007ff902030230 .text C:\Windows\system32\IProsetMonitor.exe[2144] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00007ff881f0b580 5 bytes JMP 00007ff902030480 .text C:\Windows\system32\IProsetMonitor.exe[2144] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00007ff881f0b5b0 5 bytes JMP 00007ff9020303a0 .text C:\Windows\system32\IProsetMonitor.exe[2144] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00007ff881f0b6d0 5 bytes JMP 00007ff9020302f0 .text C:\Windows\system32\IProsetMonitor.exe[2144] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00007ff881f0b6f0 5 bytes JMP 00007ff902030350 .text C:\Windows\system32\IProsetMonitor.exe[2144] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00007ff881f0b760 5 bytes JMP 00007ff902030290 .text 
C:\Windows\system32\IProsetMonitor.exe[2144] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00007ff881f0b7f0 5 bytes JMP 00007ff9020302b0 .text C:\Windows\system32\IProsetMonitor.exe[2144] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ff881f0b810 5 bytes JMP 00007ff9020303d0 .text C:\Windows\system32\IProsetMonitor.exe[2144] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00007ff881f0b820 5 bytes JMP 00007ff902030330 .text C:\Windows\system32\IProsetMonitor.exe[2144] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00007ff881f0b8d0 5 bytes JMP 00007ff902030410 .text C:\Windows\system32\IProsetMonitor.exe[2144] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00007ff881f0b900 5 bytes JMP 00007ff902030240 .text C:\Windows\system32\IProsetMonitor.exe[2144] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00007ff881f0bc20 5 bytes JMP 00007ff9020301e0 .text C:\Windows\system32\IProsetMonitor.exe[2144] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00007ff881f0bce0 5 bytes JMP 00007ff902030250 .text C:\Windows\system32\IProsetMonitor.exe[2144] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00007ff881f0bd10 5 bytes JMP 00007ff902030490 .text C:\Windows\system32\IProsetMonitor.exe[2144] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00007ff881f0bd20 5 bytes JMP 00007ff9020304a0 .text C:\Windows\system32\IProsetMonitor.exe[2144] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00007ff881f0bd50 5 bytes JMP 00007ff902030300 .text C:\Windows\system32\IProsetMonitor.exe[2144] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00007ff881f0bd60 5 bytes JMP 00007ff902030360 .text C:\Windows\system32\IProsetMonitor.exe[2144] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00007ff881f0bdc0 5 bytes JMP 00007ff9020302a0 .text C:\Windows\system32\IProsetMonitor.exe[2144] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00007ff881f0be10 5 bytes JMP 00007ff9020302c0 .text C:\Windows\system32\IProsetMonitor.exe[2144] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00007ff881f0be40 5 bytes JMP 
00007ff902030380 .text C:\Windows\system32\IProsetMonitor.exe[2144] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00007ff881f0be50 5 bytes JMP 00007ff902030340 .text C:\Windows\system32\IProsetMonitor.exe[2144] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00007ff881f0c160 5 bytes JMP 00007ff902030440 .text C:\Windows\system32\IProsetMonitor.exe[2144] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00007ff881f0c360 5 bytes JMP 00007ff902030260 .text C:\Windows\system32\IProsetMonitor.exe[2144] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00007ff881f0c370 5 bytes JMP 00007ff902030270 .text C:\Windows\system32\IProsetMonitor.exe[2144] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00007ff881f0c390 5 bytes JMP 00007ff902030400 .text C:\Windows\system32\IProsetMonitor.exe[2144] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00007ff881f0c570 5 bytes JMP 00007ff9020301f0 .text C:\Windows\system32\IProsetMonitor.exe[2144] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00007ff881f0c580 1 byte JMP 00007ff902030210 .text C:\Windows\system32\IProsetMonitor.exe[2144] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState + 2 00007ff881f0c582 3 bytes {JMP 0xffffffff80123c90} .text C:\Windows\system32\IProsetMonitor.exe[2144] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00007ff881f0c610 5 bytes JMP 00007ff902030200 .text C:\Windows\system32\IProsetMonitor.exe[2144] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00007ff881f0c680 5 bytes JMP 00007ff902030420 .text C:\Windows\system32\IProsetMonitor.exe[2144] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00007ff881f0c690 5 bytes JMP 00007ff902030430 .text C:\Windows\system32\IProsetMonitor.exe[2144] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00007ff881f0c6a0 5 bytes JMP 00007ff902030220 .text C:\Windows\system32\IProsetMonitor.exe[2144] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00007ff881f0c7b0 5 bytes JMP 00007ff902030280 .text C:\Windows\system32\IProsetMonitor.exe[2144] 
C:\Windows\system32\KERNEL32.DLL!GetBinaryTypeW + 165 00007ff8819f553d 1 byte [62] .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[2228] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00007ff881f0adb0 5 bytes JMP 00007ff902030460 .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[2228] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00007ff881f0ae00 5 bytes JMP 00007ff902030450 .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[2228] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00007ff881f0af60 5 bytes JMP 00007ff902030370 .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[2228] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00007ff881f0afb0 5 bytes JMP 00007ff902030470 .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[2228] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00007ff881f0afc0 5 bytes JMP 00007ff9020303e0 .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[2228] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00007ff881f0b070 5 bytes JMP 00007ff902030320 .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[2228] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ff881f0b0a0 5 bytes JMP 00007ff9020303b0 .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[2228] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00007ff881f0b0c0 5 bytes JMP 00007ff902030390 .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[2228] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00007ff881f0b100 5 bytes JMP 00007ff9020302e0 .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[2228] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00007ff881f0b180 5 bytes JMP 00007ff9020302d0 .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[2228] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00007ff881f0b1a0 5 bytes JMP 00007ff902030310 .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[2228] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 
00007ff881f0b1e0 5 bytes JMP 00007ff9020303c0 .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[2228] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00007ff881f0b230 5 bytes JMP 00007ff9020303f0 .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[2228] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00007ff881f0b390 5 bytes JMP 00007ff902030230 .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[2228] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00007ff881f0b580 5 bytes JMP 00007ff902030480 .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[2228] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00007ff881f0b5b0 5 bytes JMP 00007ff9020303a0 .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[2228] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00007ff881f0b6d0 5 bytes JMP 00007ff9020302f0 .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[2228] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00007ff881f0b6f0 5 bytes JMP 00007ff902030350 .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[2228] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00007ff881f0b760 5 bytes JMP 00007ff902030290 .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[2228] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00007ff881f0b7f0 5 bytes JMP 00007ff9020302b0 .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[2228] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ff881f0b810 5 bytes JMP 00007ff9020303d0 .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[2228] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00007ff881f0b820 5 bytes JMP 00007ff902030330 .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[2228] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00007ff881f0b8d0 5 bytes JMP 00007ff902030410 .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[2228] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00007ff881f0b900 5 
bytes JMP 00007ff902030240 .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[2228] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00007ff881f0bc20 5 bytes JMP 00007ff9020301e0 .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[2228] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00007ff881f0bce0 5 bytes JMP 00007ff902030250 .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[2228] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00007ff881f0bd10 5 bytes JMP 00007ff902030490 .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[2228] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00007ff881f0bd20 5 bytes JMP 00007ff9020304a0 .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[2228] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00007ff881f0bd50 5 bytes JMP 00007ff902030300 .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[2228] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00007ff881f0bd60 5 bytes JMP 00007ff902030360 .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[2228] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00007ff881f0bdc0 5 bytes JMP 00007ff9020302a0 .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[2228] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00007ff881f0be10 5 bytes JMP 00007ff9020302c0 .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[2228] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00007ff881f0be40 5 bytes JMP 00007ff902030380 .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[2228] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00007ff881f0be50 5 bytes JMP 00007ff902030340 .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[2228] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00007ff881f0c160 5 bytes JMP 00007ff902030440 .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[2228] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00007ff881f0c360 5 bytes JMP 00007ff902030260 .text C:\Program 
Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[2228] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00007ff881f0c370 5 bytes JMP 00007ff902030270 .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[2228] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00007ff881f0c390 5 bytes JMP 00007ff902030400 .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[2228] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00007ff881f0c570 5 bytes JMP 00007ff9020301f0 .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[2228] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00007ff881f0c580 1 byte JMP 00007ff902030210 .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[2228] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState + 2 00007ff881f0c582 3 bytes {JMP 0xffffffff80123c90} .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[2228] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00007ff881f0c610 5 bytes JMP 00007ff902030200 .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[2228] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00007ff881f0c680 5 bytes JMP 00007ff902030420 .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[2228] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00007ff881f0c690 5 bytes JMP 00007ff902030430 .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[2228] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00007ff881f0c6a0 5 bytes JMP 00007ff902030220 .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[2228] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00007ff881f0c7b0 5 bytes JMP 00007ff902030280 .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[2228] C:\Windows\system32\KERNEL32.DLL!GetBinaryTypeW + 165 00007ff8819f553d 1 byte [62] .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[2228] C:\Windows\system32\PsApi.dll!GetModuleBaseNameA + 506 00007ff88197169a 4 bytes [97, 81, F8, 7F] .text C:\Program Files (x86)\LogMeIn 
Hamachi\LMIGuardianSvc.exe[2228] C:\Windows\system32\PsApi.dll!GetModuleBaseNameA + 514 00007ff8819716a2 4 bytes [97, 81, F8, 7F] .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[2228] C:\Windows\system32\PsApi.dll!QueryWorkingSet + 118 00007ff88197181a 4 bytes [97, 81, F8, 7F] .text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[2228] C:\Windows\system32\PsApi.dll!QueryWorkingSet + 142 00007ff881971832 4 bytes [97, 81, F8, 7F] .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2352] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00007ff881f0adb0 5 bytes JMP 00007ff902030460 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2352] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00007ff881f0ae00 5 bytes JMP 00007ff902030450 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2352] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00007ff881f0af60 5 bytes JMP 00007ff902030370 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2352] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00007ff881f0afb0 5 bytes JMP 00007ff902030470 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2352] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00007ff881f0afc0 5 bytes JMP 00007ff9020303e0 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2352] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00007ff881f0b070 5 bytes JMP 00007ff902030320 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2352] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ff881f0b0a0 5 bytes JMP 00007ff9020303b0 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2352] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00007ff881f0b0c0 5 bytes JMP 00007ff902030390 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2352] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00007ff881f0b100 5 bytes JMP 00007ff9020302e0 .text C:\Program 
Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2352] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00007ff881f0b180 5 bytes JMP 00007ff9020302d0 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2352] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00007ff881f0b1a0 5 bytes JMP 00007ff902030310 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2352] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00007ff881f0b1e0 5 bytes JMP 00007ff9020303c0 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2352] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00007ff881f0b230 5 bytes JMP 00007ff9020303f0 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2352] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00007ff881f0b390 5 bytes JMP 00007ff902030230 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2352] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00007ff881f0b580 5 bytes JMP 00007ff902030480 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2352] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00007ff881f0b5b0 5 bytes JMP 00007ff9020303a0 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2352] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00007ff881f0b6d0 5 bytes JMP 00007ff9020302f0 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2352] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00007ff881f0b6f0 5 bytes JMP 00007ff902030350 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2352] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00007ff881f0b760 5 bytes JMP 00007ff902030290 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2352] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00007ff881f0b7f0 5 bytes JMP 00007ff9020302b0 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2352] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ff881f0b810 5 bytes JMP 
00007ff9020303d0 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2352] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00007ff881f0b820 5 bytes JMP 00007ff902030330 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2352] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00007ff881f0b8d0 5 bytes JMP 00007ff902030410 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2352] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00007ff881f0b900 5 bytes JMP 00007ff902030240 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2352] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00007ff881f0bc20 5 bytes JMP 00007ff9020301e0 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2352] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00007ff881f0bce0 5 bytes JMP 00007ff902030250 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2352] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00007ff881f0bd10 5 bytes JMP 00007ff902030490 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2352] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00007ff881f0bd20 5 bytes JMP 00007ff9020304a0 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2352] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00007ff881f0bd50 5 bytes JMP 00007ff902030300 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2352] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00007ff881f0bd60 5 bytes JMP 00007ff902030360 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2352] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00007ff881f0bdc0 5 bytes JMP 00007ff9020302a0 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2352] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00007ff881f0be10 5 bytes JMP 00007ff9020302c0 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2352] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00007ff881f0be40 5 
bytes JMP 00007ff902030380 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2352] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00007ff881f0be50 5 bytes JMP 00007ff902030340 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2352] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00007ff881f0c160 5 bytes JMP 00007ff902030440 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2352] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00007ff881f0c360 5 bytes JMP 00007ff902030260 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2352] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00007ff881f0c370 5 bytes JMP 00007ff902030270 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2352] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00007ff881f0c390 5 bytes JMP 00007ff902030400 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2352] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00007ff881f0c570 5 bytes JMP 00007ff9020301f0 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2352] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00007ff881f0c580 1 byte JMP 00007ff902030210 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2352] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState + 2 00007ff881f0c582 3 bytes {JMP 0xffffffff80123c90} .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2352] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00007ff881f0c610 5 bytes JMP 00007ff902030200 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2352] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00007ff881f0c680 5 bytes JMP 00007ff902030420 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2352] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00007ff881f0c690 5 bytes JMP 00007ff902030430 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2352] 
C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00007ff881f0c6a0 5 bytes JMP 00007ff902030220 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2352] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00007ff881f0c7b0 5 bytes JMP 00007ff902030280 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2352] C:\Windows\system32\KERNEL32.DLL!GetBinaryTypeW + 165 00007ff8819f553d 1 byte [62] .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2352] C:\Windows\system32\psapi.dll!GetModuleBaseNameA + 506 00007ff88197169a 4 bytes [97, 81, F8, 7F] .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2352] C:\Windows\system32\psapi.dll!GetModuleBaseNameA + 514 00007ff8819716a2 4 bytes [97, 81, F8, 7F] .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2352] C:\Windows\system32\psapi.dll!QueryWorkingSet + 118 00007ff88197181a 4 bytes [97, 81, F8, 7F] .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2352] C:\Windows\system32\psapi.dll!QueryWorkingSet + 142 00007ff881971832 4 bytes [97, 81, F8, 7F] .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[2708] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00007ff881f0adb0 5 bytes JMP 00007ff902030460 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[2708] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00007ff881f0ae00 5 bytes JMP 00007ff902030450 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[2708] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00007ff881f0af60 5 bytes JMP 00007ff902030370 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[2708] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00007ff881f0afb0 5 bytes JMP 00007ff902030470 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[2708] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00007ff881f0afc0 5 bytes JMP 00007ff9020303e0 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[2708] 
C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00007ff881f0b070 5 bytes JMP 00007ff902030320 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[2708] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ff881f0b0a0 5 bytes JMP 00007ff9020303b0 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[2708] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00007ff881f0b0c0 5 bytes JMP 00007ff902030390 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[2708] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00007ff881f0b100 5 bytes JMP 00007ff9020302e0 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[2708] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00007ff881f0b180 5 bytes JMP 00007ff9020302d0 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[2708] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00007ff881f0b1a0 5 bytes JMP 00007ff902030310 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[2708] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00007ff881f0b1e0 5 bytes JMP 00007ff9020303c0 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[2708] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00007ff881f0b230 5 bytes JMP 00007ff9020303f0 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[2708] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00007ff881f0b390 5 bytes JMP 00007ff902030230 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[2708] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00007ff881f0b580 5 bytes JMP 00007ff902030480 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[2708] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00007ff881f0b5b0 5 bytes JMP 00007ff9020303a0 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[2708] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00007ff881f0b6d0 5 bytes JMP 00007ff9020302f0 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[2708] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00007ff881f0b6f0 5 bytes JMP 
00007ff902030350 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[2708] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00007ff881f0b760 5 bytes JMP 00007ff902030290 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[2708] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00007ff881f0b7f0 5 bytes JMP 00007ff9020302b0 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[2708] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ff881f0b810 5 bytes JMP 00007ff9020303d0 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[2708] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00007ff881f0b820 5 bytes JMP 00007ff902030330 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[2708] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00007ff881f0b8d0 5 bytes JMP 00007ff902030410 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[2708] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00007ff881f0b900 5 bytes JMP 00007ff902030240 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[2708] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00007ff881f0bc20 5 bytes JMP 00007ff9020301e0 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[2708] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00007ff881f0bce0 5 bytes JMP 00007ff902030250 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[2708] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00007ff881f0bd10 5 bytes JMP 00007ff902030490 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[2708] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00007ff881f0bd20 5 bytes JMP 00007ff9020304a0 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[2708] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00007ff881f0bd50 5 bytes JMP 00007ff902030300 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[2708] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00007ff881f0bd60 5 bytes JMP 00007ff902030360 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[2708] 
C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00007ff881f0bdc0 5 bytes JMP 00007ff9020302a0 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[2708] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00007ff881f0be10 5 bytes JMP 00007ff9020302c0 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[2708] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00007ff881f0be40 5 bytes JMP 00007ff902030380 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[2708] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00007ff881f0be50 5 bytes JMP 00007ff902030340 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[2708] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00007ff881f0c160 5 bytes JMP 00007ff902030440 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[2708] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00007ff881f0c360 5 bytes JMP 00007ff902030260 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[2708] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00007ff881f0c370 5 bytes JMP 00007ff902030270 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[2708] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00007ff881f0c390 5 bytes JMP 00007ff902030400 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[2708] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00007ff881f0c570 5 bytes JMP 00007ff9020301f0 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[2708] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00007ff881f0c580 1 byte JMP 00007ff902030210 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[2708] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState + 2 00007ff881f0c582 3 bytes {JMP 0xffffffff80123c90} .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[2708] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00007ff881f0c610 5 bytes JMP 00007ff902030200 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[2708] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00007ff881f0c680 5 bytes JMP 
00007ff902030420 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[2708] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00007ff881f0c690 5 bytes JMP 00007ff902030430 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[2708] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00007ff881f0c6a0 5 bytes JMP 00007ff902030220 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[2708] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00007ff881f0c7b0 5 bytes JMP 00007ff902030280 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[2708] C:\Windows\system32\KERNEL32.DLL!GetBinaryTypeW + 165 00007ff8819f553d 1 byte [62] .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[2708] C:\Windows\system32\PsApi.dll!GetModuleBaseNameA + 506 00007ff88197169a 4 bytes [97, 81, F8, 7F] .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[2708] C:\Windows\system32\PsApi.dll!GetModuleBaseNameA + 514 00007ff8819716a2 4 bytes [97, 81, F8, 7F] .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[2708] C:\Windows\system32\PsApi.dll!QueryWorkingSet + 118 00007ff88197181a 4 bytes [97, 81, F8, 7F] .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[2708] C:\Windows\system32\PsApi.dll!QueryWorkingSet + 142 00007ff881971832 4 bytes [97, 81, F8, 7F] .text C:\Windows\system32\svchost.exe[3252] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00007ff881f0adb0 5 bytes JMP 00007ff902030460 .text C:\Windows\system32\svchost.exe[3252] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00007ff881f0ae00 5 bytes JMP 00007ff902030450 .text C:\Windows\system32\svchost.exe[3252] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00007ff881f0af60 5 bytes JMP 00007ff902030370 .text C:\Windows\system32\svchost.exe[3252] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00007ff881f0afb0 5 bytes JMP 00007ff902030470 .text C:\Windows\system32\svchost.exe[3252] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00007ff881f0afc0 5 bytes JMP 00007ff9020303e0 .text 
C:\Windows\system32\svchost.exe[3252] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00007ff881f0b070 5 bytes JMP 00007ff902030320 .text C:\Windows\system32\svchost.exe[3252] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ff881f0b0a0 5 bytes JMP 00007ff9020303b0 .text C:\Windows\system32\svchost.exe[3252] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00007ff881f0b0c0 5 bytes JMP 00007ff902030390 .text C:\Windows\system32\svchost.exe[3252] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00007ff881f0b100 5 bytes JMP 00007ff9020302e0 .text C:\Windows\system32\svchost.exe[3252] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00007ff881f0b180 5 bytes JMP 00007ff9020302d0 .text C:\Windows\system32\svchost.exe[3252] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00007ff881f0b1a0 5 bytes JMP 00007ff902030310 .text C:\Windows\system32\svchost.exe[3252] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00007ff881f0b1e0 5 bytes JMP 00007ff9020303c0 .text C:\Windows\system32\svchost.exe[3252] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00007ff881f0b230 5 bytes JMP 00007ff9020303f0 .text C:\Windows\system32\svchost.exe[3252] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00007ff881f0b390 5 bytes JMP 00007ff902030230 .text C:\Windows\system32\svchost.exe[3252] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00007ff881f0b580 5 bytes JMP 00007ff902030480 .text C:\Windows\system32\svchost.exe[3252] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00007ff881f0b5b0 5 bytes JMP 00007ff9020303a0 .text C:\Windows\system32\svchost.exe[3252] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00007ff881f0b6d0 5 bytes JMP 00007ff9020302f0 .text C:\Windows\system32\svchost.exe[3252] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00007ff881f0b6f0 5 bytes JMP 00007ff902030350 .text C:\Windows\system32\svchost.exe[3252] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00007ff881f0b760 5 bytes JMP 00007ff902030290 .text C:\Windows\system32\svchost.exe[3252] 
C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00007ff881f0b7f0 5 bytes JMP 00007ff9020302b0 .text C:\Windows\system32\svchost.exe[3252] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ff881f0b810 5 bytes JMP 00007ff9020303d0 .text C:\Windows\system32\svchost.exe[3252] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00007ff881f0b820 5 bytes JMP 00007ff902030330 .text C:\Windows\system32\svchost.exe[3252] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00007ff881f0b8d0 5 bytes JMP 00007ff902030410 .text C:\Windows\system32\svchost.exe[3252] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00007ff881f0b900 5 bytes JMP 00007ff902030240 .text C:\Windows\system32\svchost.exe[3252] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00007ff881f0bc20 5 bytes JMP 00007ff9020301e0 .text C:\Windows\system32\svchost.exe[3252] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00007ff881f0bce0 5 bytes JMP 00007ff902030250 .text C:\Windows\system32\svchost.exe[3252] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00007ff881f0bd10 5 bytes JMP 00007ff902030490 .text C:\Windows\system32\svchost.exe[3252] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00007ff881f0bd20 5 bytes JMP 00007ff9020304a0 .text C:\Windows\system32\svchost.exe[3252] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00007ff881f0bd50 5 bytes JMP 00007ff902030300 .text C:\Windows\system32\svchost.exe[3252] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00007ff881f0bd60 5 bytes JMP 00007ff902030360 .text C:\Windows\system32\svchost.exe[3252] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00007ff881f0bdc0 5 bytes JMP 00007ff9020302a0 .text C:\Windows\system32\svchost.exe[3252] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00007ff881f0be10 5 bytes JMP 00007ff9020302c0 .text C:\Windows\system32\svchost.exe[3252] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00007ff881f0be40 5 bytes JMP 00007ff902030380 .text C:\Windows\system32\svchost.exe[3252] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00007ff881f0be50 5 bytes JMP 
00007ff902030340 .text C:\Windows\system32\svchost.exe[3252] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00007ff881f0c160 5 bytes JMP 00007ff902030440 .text C:\Windows\system32\svchost.exe[3252] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00007ff881f0c360 5 bytes JMP 00007ff902030260 .text C:\Windows\system32\svchost.exe[3252] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00007ff881f0c370 5 bytes JMP 00007ff902030270 .text C:\Windows\system32\svchost.exe[3252] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00007ff881f0c390 5 bytes JMP 00007ff902030400 .text C:\Windows\system32\svchost.exe[3252] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00007ff881f0c570 5 bytes JMP 00007ff9020301f0 .text C:\Windows\system32\svchost.exe[3252] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00007ff881f0c580 1 byte JMP 00007ff902030210 .text C:\Windows\system32\svchost.exe[3252] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState + 2 00007ff881f0c582 3 bytes {JMP 0xffffffff80123c90} .text C:\Windows\system32\svchost.exe[3252] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00007ff881f0c610 5 bytes JMP 00007ff902030200 .text C:\Windows\system32\svchost.exe[3252] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00007ff881f0c680 5 bytes JMP 00007ff902030420 .text C:\Windows\system32\svchost.exe[3252] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00007ff881f0c690 5 bytes JMP 00007ff902030430 .text C:\Windows\system32\svchost.exe[3252] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00007ff881f0c6a0 5 bytes JMP 00007ff902030220 .text C:\Windows\system32\svchost.exe[3252] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00007ff881f0c7b0 5 bytes JMP 00007ff902030280 .text C:\Windows\system32\svchost.exe[3252] C:\Windows\system32\KERNEL32.DLL!GetBinaryTypeW + 165 00007ff8819f553d 1 byte [62] .text C:\Windows\system32\svchost.exe[3424] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00007ff881f0adb0 5 bytes JMP 00007ff902030460 .text 
C:\Windows\system32\svchost.exe[3424] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00007ff881f0ae00 5 bytes JMP 00007ff902030450 .text C:\Windows\system32\svchost.exe[3424] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00007ff881f0af60 5 bytes JMP 00007ff902030370 .text C:\Windows\system32\svchost.exe[3424] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00007ff881f0afb0 5 bytes JMP 00007ff902030470 .text C:\Windows\system32\svchost.exe[3424] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00007ff881f0afc0 5 bytes JMP 00007ff9020303e0 .text C:\Windows\system32\svchost.exe[3424] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00007ff881f0b070 5 bytes JMP 00007ff902030320 .text C:\Windows\system32\svchost.exe[3424] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ff881f0b0a0 5 bytes JMP 00007ff9020303b0 .text C:\Windows\system32\svchost.exe[3424] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00007ff881f0b0c0 5 bytes JMP 00007ff902030390 .text C:\Windows\system32\svchost.exe[3424] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00007ff881f0b100 5 bytes JMP 00007ff9020302e0 .text C:\Windows\system32\svchost.exe[3424] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00007ff881f0b180 5 bytes JMP 00007ff9020302d0 .text C:\Windows\system32\svchost.exe[3424] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00007ff881f0b1a0 5 bytes JMP 00007ff902030310 .text C:\Windows\system32\svchost.exe[3424] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00007ff881f0b1e0 5 bytes JMP 00007ff9020303c0 .text C:\Windows\system32\svchost.exe[3424] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00007ff881f0b230 5 bytes JMP 00007ff9020303f0 .text C:\Windows\system32\svchost.exe[3424] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00007ff881f0b390 5 bytes JMP 00007ff902030230 .text C:\Windows\system32\svchost.exe[3424] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00007ff881f0b580 5 bytes JMP 00007ff902030480 .text C:\Windows\system32\svchost.exe[3424] 
C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00007ff881f0b5b0 5 bytes JMP 00007ff9020303a0 .text C:\Windows\system32\svchost.exe[3424] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00007ff881f0b6d0 5 bytes JMP 00007ff9020302f0 .text C:\Windows\system32\svchost.exe[3424] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00007ff881f0b6f0 5 bytes JMP 00007ff902030350 .text C:\Windows\system32\svchost.exe[3424] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00007ff881f0b760 5 bytes JMP 00007ff902030290 .text C:\Windows\system32\svchost.exe[3424] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00007ff881f0b7f0 5 bytes JMP 00007ff9020302b0 .text C:\Windows\system32\svchost.exe[3424] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ff881f0b810 5 bytes JMP 00007ff9020303d0 .text C:\Windows\system32\svchost.exe[3424] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00007ff881f0b820 5 bytes JMP 00007ff902030330 .text C:\Windows\system32\svchost.exe[3424] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00007ff881f0b8d0 5 bytes JMP 00007ff902030410 .text C:\Windows\system32\svchost.exe[3424] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00007ff881f0b900 5 bytes JMP 00007ff902030240 .text C:\Windows\system32\svchost.exe[3424] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00007ff881f0bc20 5 bytes JMP 00007ff9020301e0 .text C:\Windows\system32\svchost.exe[3424] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00007ff881f0bce0 5 bytes JMP 00007ff902030250 .text C:\Windows\system32\svchost.exe[3424] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00007ff881f0bd10 5 bytes JMP 00007ff902030490 .text C:\Windows\system32\svchost.exe[3424] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00007ff881f0bd20 5 bytes JMP 00007ff9020304a0 .text C:\Windows\system32\svchost.exe[3424] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00007ff881f0bd50 5 bytes JMP 00007ff902030300 .text C:\Windows\system32\svchost.exe[3424] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 
00007ff881f0bd60 5 bytes JMP 00007ff902030360 .text C:\Windows\system32\svchost.exe[3424] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00007ff881f0bdc0 5 bytes JMP 00007ff9020302a0 .text C:\Windows\system32\svchost.exe[3424] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00007ff881f0be10 5 bytes JMP 00007ff9020302c0 .text C:\Windows\system32\svchost.exe[3424] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00007ff881f0be40 5 bytes JMP 00007ff902030380 .text C:\Windows\system32\svchost.exe[3424] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00007ff881f0be50 5 bytes JMP 00007ff902030340 .text C:\Windows\system32\svchost.exe[3424] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00007ff881f0c160 5 bytes JMP 00007ff902030440 .text C:\Windows\system32\svchost.exe[3424] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00007ff881f0c360 5 bytes JMP 00007ff902030260 .text C:\Windows\system32\svchost.exe[3424] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00007ff881f0c370 5 bytes JMP 00007ff902030270 .text C:\Windows\system32\svchost.exe[3424] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00007ff881f0c390 5 bytes JMP 00007ff902030400 .text C:\Windows\system32\svchost.exe[3424] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00007ff881f0c570 5 bytes JMP 00007ff9020301f0 .text C:\Windows\system32\svchost.exe[3424] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00007ff881f0c580 1 byte JMP 00007ff902030210 .text C:\Windows\system32\svchost.exe[3424] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState + 2 00007ff881f0c582 3 bytes {JMP 0xffffffff80123c90} .text C:\Windows\system32\svchost.exe[3424] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00007ff881f0c610 5 bytes JMP 00007ff902030200 .text C:\Windows\system32\svchost.exe[3424] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00007ff881f0c680 5 bytes JMP 00007ff902030420 .text C:\Windows\system32\svchost.exe[3424] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00007ff881f0c690 5 bytes JMP 00007ff902030430 .text 
C:\Windows\system32\svchost.exe[3424] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00007ff881f0c6a0 5 bytes JMP 00007ff902030220 .text C:\Windows\system32\svchost.exe[3424] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00007ff881f0c7b0 5 bytes JMP 00007ff902030280 .text C:\Windows\system32\svchost.exe[3424] C:\Windows\system32\KERNEL32.DLL!GetBinaryTypeW + 165 00007ff8819f553d 1 byte [62] .text C:\Windows\system32\wbem\wmiprvse.exe[3708] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00007ff881f0adb0 5 bytes JMP 00007ff902030460 .text C:\Windows\system32\wbem\wmiprvse.exe[3708] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00007ff881f0ae00 5 bytes JMP 00007ff902030450 .text C:\Windows\system32\wbem\wmiprvse.exe[3708] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00007ff881f0af60 5 bytes JMP 00007ff902030370 .text C:\Windows\system32\wbem\wmiprvse.exe[3708] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00007ff881f0afb0 5 bytes JMP 00007ff902030470 .text C:\Windows\system32\wbem\wmiprvse.exe[3708] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00007ff881f0afc0 5 bytes JMP 00007ff9020303e0 .text C:\Windows\system32\wbem\wmiprvse.exe[3708] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00007ff881f0b070 5 bytes JMP 00007ff902030320 .text C:\Windows\system32\wbem\wmiprvse.exe[3708] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ff881f0b0a0 5 bytes JMP 00007ff9020303b0 .text C:\Windows\system32\wbem\wmiprvse.exe[3708] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00007ff881f0b0c0 5 bytes JMP 00007ff902030390 .text C:\Windows\system32\wbem\wmiprvse.exe[3708] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00007ff881f0b100 5 bytes JMP 00007ff9020302e0 .text C:\Windows\system32\wbem\wmiprvse.exe[3708] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00007ff881f0b180 5 bytes JMP 00007ff9020302d0 .text C:\Windows\system32\wbem\wmiprvse.exe[3708] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00007ff881f0b1a0 5 bytes JMP 00007ff902030310 .text 
C:\Windows\system32\wbem\wmiprvse.exe[3708] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00007ff881f0b1e0 5 bytes JMP 00007ff9020303c0 .text C:\Windows\system32\wbem\wmiprvse.exe[3708] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00007ff881f0b230 5 bytes JMP 00007ff9020303f0 .text C:\Windows\system32\wbem\wmiprvse.exe[3708] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00007ff881f0b390 5 bytes JMP 00007ff902030230 .text C:\Windows\system32\wbem\wmiprvse.exe[3708] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00007ff881f0b580 5 bytes JMP 00007ff902030480 .text C:\Windows\system32\wbem\wmiprvse.exe[3708] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00007ff881f0b5b0 5 bytes JMP 00007ff9020303a0 .text C:\Windows\system32\wbem\wmiprvse.exe[3708] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00007ff881f0b6d0 5 bytes JMP 00007ff9020302f0 .text C:\Windows\system32\wbem\wmiprvse.exe[3708] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00007ff881f0b6f0 5 bytes JMP 00007ff902030350 .text C:\Windows\system32\wbem\wmiprvse.exe[3708] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00007ff881f0b760 5 bytes JMP 00007ff902030290 .text C:\Windows\system32\wbem\wmiprvse.exe[3708] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00007ff881f0b7f0 5 bytes JMP 00007ff9020302b0 .text C:\Windows\system32\wbem\wmiprvse.exe[3708] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ff881f0b810 5 bytes JMP 00007ff9020303d0 .text C:\Windows\system32\wbem\wmiprvse.exe[3708] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00007ff881f0b820 5 bytes JMP 00007ff902030330 .text C:\Windows\system32\wbem\wmiprvse.exe[3708] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00007ff881f0b8d0 5 bytes JMP 00007ff902030410 .text C:\Windows\system32\wbem\wmiprvse.exe[3708] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00007ff881f0b900 5 bytes JMP 00007ff902030240 .text C:\Windows\system32\wbem\wmiprvse.exe[3708] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00007ff881f0bc20 5 bytes JMP 
00007ff9020301e0 .text C:\Windows\system32\wbem\wmiprvse.exe[3708] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00007ff881f0bce0 5 bytes JMP 00007ff902030250 .text C:\Windows\system32\wbem\wmiprvse.exe[3708] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00007ff881f0bd10 5 bytes JMP 00007ff902030490 .text C:\Windows\system32\wbem\wmiprvse.exe[3708] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00007ff881f0bd20 5 bytes JMP 00007ff9020304a0 .text C:\Windows\system32\wbem\wmiprvse.exe[3708] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00007ff881f0bd50 5 bytes JMP 00007ff902030300 .text C:\Windows\system32\wbem\wmiprvse.exe[3708] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00007ff881f0bd60 5 bytes JMP 00007ff902030360 .text C:\Windows\system32\wbem\wmiprvse.exe[3708] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00007ff881f0bdc0 5 bytes JMP 00007ff9020302a0 .text C:\Windows\system32\wbem\wmiprvse.exe[3708] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00007ff881f0be10 5 bytes JMP 00007ff9020302c0 .text C:\Windows\system32\wbem\wmiprvse.exe[3708] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00007ff881f0be40 5 bytes JMP 00007ff902030380 .text C:\Windows\system32\wbem\wmiprvse.exe[3708] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00007ff881f0be50 5 bytes JMP 00007ff902030340 .text C:\Windows\system32\wbem\wmiprvse.exe[3708] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00007ff881f0c160 5 bytes JMP 00007ff902030440 .text C:\Windows\system32\wbem\wmiprvse.exe[3708] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00007ff881f0c360 5 bytes JMP 00007ff902030260 .text C:\Windows\system32\wbem\wmiprvse.exe[3708] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00007ff881f0c370 5 bytes JMP 00007ff902030270 .text C:\Windows\system32\wbem\wmiprvse.exe[3708] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00007ff881f0c390 5 bytes JMP 00007ff902030400 .text C:\Windows\system32\wbem\wmiprvse.exe[3708] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 
00007ff881f0c570 5 bytes JMP 00007ff9020301f0 .text C:\Windows\system32\wbem\wmiprvse.exe[3708] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00007ff881f0c580 1 byte JMP 00007ff902030210 .text C:\Windows\system32\wbem\wmiprvse.exe[3708] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState + 2 00007ff881f0c582 3 bytes {JMP 0xffffffff80123c90} .text C:\Windows\system32\wbem\wmiprvse.exe[3708] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00007ff881f0c610 5 bytes JMP 00007ff902030200 .text C:\Windows\system32\wbem\wmiprvse.exe[3708] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00007ff881f0c680 5 bytes JMP 00007ff902030420 .text C:\Windows\system32\wbem\wmiprvse.exe[3708] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00007ff881f0c690 5 bytes JMP 00007ff902030430 .text C:\Windows\system32\wbem\wmiprvse.exe[3708] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00007ff881f0c6a0 5 bytes JMP 00007ff902030220 .text C:\Windows\system32\wbem\wmiprvse.exe[3708] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00007ff881f0c7b0 5 bytes JMP 00007ff902030280 .text C:\Windows\system32\wbem\wmiprvse.exe[3708] C:\Windows\system32\KERNEL32.DLL!GetBinaryTypeW + 165 00007ff8819f553d 1 byte [62] .text C:\Windows\system32\SearchIndexer.exe[2600] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00007ff881f0adb0 5 bytes JMP 00007ff902030460 .text C:\Windows\system32\SearchIndexer.exe[2600] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00007ff881f0ae00 5 bytes JMP 00007ff902030450 .text C:\Windows\system32\SearchIndexer.exe[2600] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00007ff881f0af60 5 bytes JMP 00007ff902030370 .text C:\Windows\system32\SearchIndexer.exe[2600] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00007ff881f0afb0 5 bytes JMP 00007ff902030470 .text C:\Windows\system32\SearchIndexer.exe[2600] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00007ff881f0afc0 5 bytes JMP 00007ff9020303e0 .text C:\Windows\system32\SearchIndexer.exe[2600] 
C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00007ff881f0b070 5 bytes JMP 00007ff902030320 .text C:\Windows\system32\SearchIndexer.exe[2600] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ff881f0b0a0 5 bytes JMP 00007ff9020303b0 .text C:\Windows\system32\SearchIndexer.exe[2600] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00007ff881f0b0c0 5 bytes JMP 00007ff902030390 .text C:\Windows\system32\SearchIndexer.exe[2600] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00007ff881f0b100 5 bytes JMP 00007ff9020302e0 .text C:\Windows\system32\SearchIndexer.exe[2600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00007ff881f0b180 5 bytes JMP 00007ff9020302d0 .text C:\Windows\system32\SearchIndexer.exe[2600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00007ff881f0b1a0 5 bytes JMP 00007ff902030310 .text C:\Windows\system32\SearchIndexer.exe[2600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00007ff881f0b1e0 5 bytes JMP 00007ff9020303c0 .text C:\Windows\system32\SearchIndexer.exe[2600] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00007ff881f0b230 5 bytes JMP 00007ff9020303f0 .text C:\Windows\system32\SearchIndexer.exe[2600] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00007ff881f0b390 5 bytes JMP 00007ff902030230 .text C:\Windows\system32\SearchIndexer.exe[2600] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00007ff881f0b580 5 bytes JMP 00007ff902030480 .text C:\Windows\system32\SearchIndexer.exe[2600] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00007ff881f0b5b0 5 bytes JMP 00007ff9020303a0 .text C:\Windows\system32\SearchIndexer.exe[2600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00007ff881f0b6d0 5 bytes JMP 00007ff9020302f0 .text C:\Windows\system32\SearchIndexer.exe[2600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00007ff881f0b6f0 5 bytes JMP 00007ff902030350 .text C:\Windows\system32\SearchIndexer.exe[2600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00007ff881f0b760 5 bytes JMP 00007ff902030290 .text 
C:\Windows\system32\SearchIndexer.exe[2600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00007ff881f0b7f0 5 bytes JMP 00007ff9020302b0 .text C:\Windows\system32\SearchIndexer.exe[2600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ff881f0b810 5 bytes JMP 00007ff9020303d0 .text C:\Windows\system32\SearchIndexer.exe[2600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00007ff881f0b820 5 bytes JMP 00007ff902030330 .text C:\Windows\system32\SearchIndexer.exe[2600] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00007ff881f0b8d0 5 bytes JMP 00007ff902030410 .text C:\Windows\system32\SearchIndexer.exe[2600] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00007ff881f0b900 5 bytes JMP 00007ff902030240 .text C:\Windows\system32\SearchIndexer.exe[2600] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00007ff881f0bc20 5 bytes JMP 00007ff9020301e0 .text C:\Windows\system32\SearchIndexer.exe[2600] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00007ff881f0bce0 5 bytes JMP 00007ff902030250 .text C:\Windows\system32\SearchIndexer.exe[2600] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00007ff881f0bd10 5 bytes JMP 00007ff902030490 .text C:\Windows\system32\SearchIndexer.exe[2600] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00007ff881f0bd20 5 bytes JMP 00007ff9020304a0 .text C:\Windows\system32\SearchIndexer.exe[2600] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00007ff881f0bd50 5 bytes JMP 00007ff902030300 .text C:\Windows\system32\SearchIndexer.exe[2600] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00007ff881f0bd60 5 bytes JMP 00007ff902030360 .text C:\Windows\system32\SearchIndexer.exe[2600] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00007ff881f0bdc0 5 bytes JMP 00007ff9020302a0 .text C:\Windows\system32\SearchIndexer.exe[2600] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00007ff881f0be10 5 bytes JMP 00007ff9020302c0 .text C:\Windows\system32\SearchIndexer.exe[2600] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00007ff881f0be40 5 bytes JMP 00007ff902030380 
.text C:\Windows\system32\SearchIndexer.exe[2600] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00007ff881f0be50 5 bytes JMP 00007ff902030340 .text C:\Windows\system32\SearchIndexer.exe[2600] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00007ff881f0c160 5 bytes JMP 00007ff902030440 .text C:\Windows\system32\SearchIndexer.exe[2600] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00007ff881f0c360 5 bytes JMP 00007ff902030260 .text C:\Windows\system32\SearchIndexer.exe[2600] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00007ff881f0c370 5 bytes JMP 00007ff902030270 .text C:\Windows\system32\SearchIndexer.exe[2600] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00007ff881f0c390 5 bytes JMP 00007ff902030400 .text C:\Windows\system32\SearchIndexer.exe[2600] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00007ff881f0c570 5 bytes JMP 00007ff9020301f0 .text C:\Windows\system32\SearchIndexer.exe[2600] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00007ff881f0c580 1 byte JMP 00007ff902030210 .text C:\Windows\system32\SearchIndexer.exe[2600] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState + 2 00007ff881f0c582 3 bytes {JMP 0xffffffff80123c90} .text C:\Windows\system32\SearchIndexer.exe[2600] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00007ff881f0c610 5 bytes JMP 00007ff902030200 .text C:\Windows\system32\SearchIndexer.exe[2600] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00007ff881f0c680 5 bytes JMP 00007ff902030420 .text C:\Windows\system32\SearchIndexer.exe[2600] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00007ff881f0c690 5 bytes JMP 00007ff902030430 .text C:\Windows\system32\SearchIndexer.exe[2600] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00007ff881f0c6a0 5 bytes JMP 00007ff902030220 .text C:\Windows\system32\SearchIndexer.exe[2600] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00007ff881f0c7b0 5 bytes JMP 00007ff902030280 .text C:\Windows\system32\SearchIndexer.exe[2600] C:\Windows\system32\KERNEL32.DLL!GetBinaryTypeW + 165 
00007ff8819f553d 1 byte [62] .text C:\Windows\system32\taskhost.exe[2892] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00007ff881f0adb0 5 bytes JMP 00007ff902030460 .text C:\Windows\system32\taskhost.exe[2892] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00007ff881f0ae00 5 bytes JMP 00007ff902030450 .text C:\Windows\system32\taskhost.exe[2892] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00007ff881f0af60 5 bytes JMP 00007ff902030370 .text C:\Windows\system32\taskhost.exe[2892] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00007ff881f0afb0 5 bytes JMP 00007ff902030470 .text C:\Windows\system32\taskhost.exe[2892] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00007ff881f0afc0 5 bytes JMP 00007ff9020303e0 .text C:\Windows\system32\taskhost.exe[2892] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00007ff881f0b070 5 bytes JMP 00007ff902030320 .text C:\Windows\system32\taskhost.exe[2892] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ff881f0b0a0 5 bytes JMP 00007ff9020303b0 .text C:\Windows\system32\taskhost.exe[2892] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00007ff881f0b0c0 5 bytes JMP 00007ff902030390 .text C:\Windows\system32\taskhost.exe[2892] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00007ff881f0b100 5 bytes JMP 00007ff9020302e0 .text C:\Windows\system32\taskhost.exe[2892] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00007ff881f0b180 5 bytes JMP 00007ff9020302d0 .text C:\Windows\system32\taskhost.exe[2892] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00007ff881f0b1a0 5 bytes JMP 00007ff902030310 .text C:\Windows\system32\taskhost.exe[2892] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00007ff881f0b1e0 5 bytes JMP 00007ff9020303c0 .text C:\Windows\system32\taskhost.exe[2892] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00007ff881f0b230 5 bytes JMP 00007ff9020303f0 .text C:\Windows\system32\taskhost.exe[2892] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00007ff881f0b390 5 bytes JMP 00007ff902030230 .text 
C:\Windows\system32\taskhost.exe[2892] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00007ff881f0b580 5 bytes JMP 00007ff902030480 .text C:\Windows\system32\taskhost.exe[2892] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00007ff881f0b5b0 5 bytes JMP 00007ff9020303a0 .text C:\Windows\system32\taskhost.exe[2892] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00007ff881f0b6d0 5 bytes JMP 00007ff9020302f0 .text C:\Windows\system32\taskhost.exe[2892] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00007ff881f0b6f0 5 bytes JMP 00007ff902030350 .text C:\Windows\system32\taskhost.exe[2892] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00007ff881f0b760 5 bytes JMP 00007ff902030290 .text C:\Windows\system32\taskhost.exe[2892] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00007ff881f0b7f0 5 bytes JMP 00007ff9020302b0 .text C:\Windows\system32\taskhost.exe[2892] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ff881f0b810 5 bytes JMP 00007ff9020303d0 .text C:\Windows\system32\taskhost.exe[2892] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00007ff881f0b820 5 bytes JMP 00007ff902030330 .text C:\Windows\system32\taskhost.exe[2892] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00007ff881f0b8d0 5 bytes JMP 00007ff902030410 .text C:\Windows\system32\taskhost.exe[2892] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00007ff881f0b900 5 bytes JMP 00007ff902030240 .text C:\Windows\system32\taskhost.exe[2892] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00007ff881f0bc20 5 bytes JMP 00007ff9020301e0 .text C:\Windows\system32\taskhost.exe[2892] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00007ff881f0bce0 5 bytes JMP 00007ff902030250 .text C:\Windows\system32\taskhost.exe[2892] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00007ff881f0bd10 5 bytes JMP 00007ff902030490 .text C:\Windows\system32\taskhost.exe[2892] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00007ff881f0bd20 5 bytes JMP 00007ff9020304a0 .text 
C:\Windows\system32\taskhost.exe[2892] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00007ff881f0bd50 5 bytes JMP 00007ff902030300 .text C:\Windows\system32\taskhost.exe[2892] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00007ff881f0bd60 5 bytes JMP 00007ff902030360 .text C:\Windows\system32\taskhost.exe[2892] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00007ff881f0bdc0 5 bytes JMP 00007ff9020302a0 .text C:\Windows\system32\taskhost.exe[2892] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00007ff881f0be10 5 bytes JMP 00007ff9020302c0 .text C:\Windows\system32\taskhost.exe[2892] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00007ff881f0be40 5 bytes JMP 00007ff902030380 .text C:\Windows\system32\taskhost.exe[2892] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00007ff881f0be50 5 bytes JMP 00007ff902030340 .text C:\Windows\system32\taskhost.exe[2892] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00007ff881f0c160 5 bytes JMP 00007ff902030440 .text C:\Windows\system32\taskhost.exe[2892] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00007ff881f0c360 5 bytes JMP 00007ff902030260 .text C:\Windows\system32\taskhost.exe[2892] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00007ff881f0c370 5 bytes JMP 00007ff902030270 .text C:\Windows\system32\taskhost.exe[2892] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00007ff881f0c390 5 bytes JMP 00007ff902030400 .text C:\Windows\system32\taskhost.exe[2892] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00007ff881f0c570 5 bytes JMP 00007ff9020301f0 .text C:\Windows\system32\taskhost.exe[2892] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00007ff881f0c580 1 byte JMP 00007ff902030210 .text C:\Windows\system32\taskhost.exe[2892] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState + 2 00007ff881f0c582 3 bytes {JMP 0xffffffff80123c90} .text C:\Windows\system32\taskhost.exe[2892] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00007ff881f0c610 5 bytes JMP 00007ff902030200 .text C:\Windows\system32\taskhost.exe[2892] 
C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00007ff881f0c680 5 bytes JMP 00007ff902030420 .text C:\Windows\system32\taskhost.exe[2892] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00007ff881f0c690 5 bytes JMP 00007ff902030430 .text C:\Windows\system32\taskhost.exe[2892] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00007ff881f0c6a0 5 bytes JMP 00007ff902030220 .text C:\Windows\system32\taskhost.exe[2892] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00007ff881f0c7b0 5 bytes JMP 00007ff902030280 .text C:\Windows\system32\taskhost.exe[2892] C:\Windows\system32\KERNEL32.DLL!GetBinaryTypeW + 165 00007ff8819f553d 1 byte [62] .text C:\Windows\Explorer.EXE[1408] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00007ff881f0adb0 5 bytes JMP 00007ff902030460 .text C:\Windows\Explorer.EXE[1408] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00007ff881f0ae00 5 bytes JMP 00007ff902030450 .text C:\Windows\Explorer.EXE[1408] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00007ff881f0af60 5 bytes JMP 00007ff902030370 .text C:\Windows\Explorer.EXE[1408] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00007ff881f0afb0 5 bytes JMP 00007ff902030470 .text C:\Windows\Explorer.EXE[1408] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00007ff881f0afc0 5 bytes JMP 00007ff9020303e0 .text C:\Windows\Explorer.EXE[1408] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00007ff881f0b070 5 bytes JMP 00007ff902030320 .text C:\Windows\Explorer.EXE[1408] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ff881f0b0a0 5 bytes JMP 00007ff9020303b0 .text C:\Windows\Explorer.EXE[1408] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00007ff881f0b0c0 5 bytes JMP 00007ff902030390 .text C:\Windows\Explorer.EXE[1408] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00007ff881f0b100 5 bytes JMP 00007ff9020302e0 .text C:\Windows\Explorer.EXE[1408] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00007ff881f0b180 5 bytes JMP 00007ff9020302d0 .text C:\Windows\Explorer.EXE[1408] 
C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00007ff881f0b1a0 5 bytes JMP 00007ff902030310 .text C:\Windows\Explorer.EXE[1408] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00007ff881f0b1e0 5 bytes JMP 00007ff9020303c0 .text C:\Windows\Explorer.EXE[1408] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00007ff881f0b230 5 bytes JMP 00007ff9020303f0 .text C:\Windows\Explorer.EXE[1408] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00007ff881f0b390 5 bytes JMP 00007ff902030230 .text C:\Windows\Explorer.EXE[1408] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00007ff881f0b580 5 bytes JMP 00007ff902030480 .text C:\Windows\Explorer.EXE[1408] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00007ff881f0b5b0 5 bytes JMP 00007ff9020303a0 .text C:\Windows\Explorer.EXE[1408] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00007ff881f0b6d0 5 bytes JMP 00007ff9020302f0 .text C:\Windows\Explorer.EXE[1408] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00007ff881f0b6f0 5 bytes JMP 00007ff902030350 .text C:\Windows\Explorer.EXE[1408] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00007ff881f0b760 5 bytes JMP 00007ff902030290 .text C:\Windows\Explorer.EXE[1408] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00007ff881f0b7f0 5 bytes JMP 00007ff9020302b0 .text C:\Windows\Explorer.EXE[1408] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ff881f0b810 5 bytes JMP 00007ff9020303d0 .text C:\Windows\Explorer.EXE[1408] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00007ff881f0b820 5 bytes JMP 00007ff902030330 .text C:\Windows\Explorer.EXE[1408] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00007ff881f0b8d0 5 bytes JMP 00007ff902030410 .text C:\Windows\Explorer.EXE[1408] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00007ff881f0b900 5 bytes JMP 00007ff902030240 .text C:\Windows\Explorer.EXE[1408] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00007ff881f0bc20 5 bytes JMP 00007ff9020301e0 .text C:\Windows\Explorer.EXE[1408] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 
00007ff881f0bce0 5 bytes JMP 00007ff902030250 .text C:\Windows\Explorer.EXE[1408] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00007ff881f0bd10 5 bytes JMP 00007ff902030490 .text C:\Windows\Explorer.EXE[1408] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00007ff881f0bd20 5 bytes JMP 00007ff9020304a0 .text C:\Windows\Explorer.EXE[1408] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00007ff881f0bd50 5 bytes JMP 00007ff902030300 .text C:\Windows\Explorer.EXE[1408] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00007ff881f0bd60 5 bytes JMP 00007ff902030360 .text C:\Windows\Explorer.EXE[1408] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00007ff881f0bdc0 5 bytes JMP 00007ff9020302a0 .text C:\Windows\Explorer.EXE[1408] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00007ff881f0be10 5 bytes JMP 00007ff9020302c0 .text C:\Windows\Explorer.EXE[1408] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00007ff881f0be40 5 bytes JMP 00007ff902030380 .text C:\Windows\Explorer.EXE[1408] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00007ff881f0be50 5 bytes JMP 00007ff902030340 .text C:\Windows\Explorer.EXE[1408] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00007ff881f0c160 5 bytes JMP 00007ff902030440 .text C:\Windows\Explorer.EXE[1408] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00007ff881f0c360 5 bytes JMP 00007ff902030260 .text C:\Windows\Explorer.EXE[1408] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00007ff881f0c370 5 bytes JMP 00007ff902030270 .text C:\Windows\Explorer.EXE[1408] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00007ff881f0c390 5 bytes JMP 00007ff902030400 .text C:\Windows\Explorer.EXE[1408] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00007ff881f0c570 5 bytes JMP 00007ff9020301f0 .text C:\Windows\Explorer.EXE[1408] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00007ff881f0c580 1 byte JMP 00007ff902030210 .text C:\Windows\Explorer.EXE[1408] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState + 2 00007ff881f0c582 3 bytes {JMP 
0xffffffff80123c90} .text C:\Windows\Explorer.EXE[1408] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00007ff881f0c610 5 bytes JMP 00007ff902030200 .text C:\Windows\Explorer.EXE[1408] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00007ff881f0c680 5 bytes JMP 00007ff902030420 .text C:\Windows\Explorer.EXE[1408] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00007ff881f0c690 5 bytes JMP 00007ff902030430 .text C:\Windows\Explorer.EXE[1408] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00007ff881f0c6a0 5 bytes JMP 00007ff902030220 .text C:\Windows\Explorer.EXE[1408] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00007ff881f0c7b0 5 bytes JMP 00007ff902030280 .text C:\Windows\Explorer.EXE[1408] C:\Windows\system32\KERNEL32.DLL!GetBinaryTypeW + 165 00007ff8819f553d 1 byte [62] .text C:\Windows\system32\taskhostex.exe[2896] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00007ff881f0adb0 5 bytes JMP 00007ff902030460 .text C:\Windows\system32\taskhostex.exe[2896] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00007ff881f0ae00 5 bytes JMP 00007ff902030450 .text C:\Windows\system32\taskhostex.exe[2896] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00007ff881f0af60 5 bytes JMP 00007ff902030370 .text C:\Windows\system32\taskhostex.exe[2896] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00007ff881f0afb0 5 bytes JMP 00007ff902030470 .text C:\Windows\system32\taskhostex.exe[2896] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00007ff881f0afc0 5 bytes JMP 00007ff9020303e0 .text C:\Windows\system32\taskhostex.exe[2896] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00007ff881f0b070 5 bytes JMP 00007ff902030320 .text C:\Windows\system32\taskhostex.exe[2896] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ff881f0b0a0 5 bytes JMP 00007ff9020303b0 .text C:\Windows\system32\taskhostex.exe[2896] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00007ff881f0b0c0 5 bytes JMP 00007ff902030390 .text C:\Windows\system32\taskhostex.exe[2896] 
C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00007ff881f0b100 5 bytes JMP 00007ff9020302e0 .text C:\Windows\system32\taskhostex.exe[2896] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00007ff881f0b180 5 bytes JMP 00007ff9020302d0 .text C:\Windows\system32\taskhostex.exe[2896] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00007ff881f0b1a0 5 bytes JMP 00007ff902030310 .text C:\Windows\system32\taskhostex.exe[2896] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00007ff881f0b1e0 5 bytes JMP 00007ff9020303c0 .text C:\Windows\system32\taskhostex.exe[2896] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00007ff881f0b230 5 bytes JMP 00007ff9020303f0 .text C:\Windows\system32\taskhostex.exe[2896] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00007ff881f0b390 5 bytes JMP 00007ff902030230 .text C:\Windows\system32\taskhostex.exe[2896] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00007ff881f0b580 5 bytes JMP 00007ff902030480 .text C:\Windows\system32\taskhostex.exe[2896] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00007ff881f0b5b0 5 bytes JMP 00007ff9020303a0 .text C:\Windows\system32\taskhostex.exe[2896] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00007ff881f0b6d0 5 bytes JMP 00007ff9020302f0 .text C:\Windows\system32\taskhostex.exe[2896] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00007ff881f0b6f0 5 bytes JMP 00007ff902030350 .text C:\Windows\system32\taskhostex.exe[2896] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00007ff881f0b760 5 bytes JMP 00007ff902030290 .text C:\Windows\system32\taskhostex.exe[2896] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00007ff881f0b7f0 5 bytes JMP 00007ff9020302b0 .text C:\Windows\system32\taskhostex.exe[2896] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ff881f0b810 5 bytes JMP 00007ff9020303d0 .text C:\Windows\system32\taskhostex.exe[2896] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00007ff881f0b820 5 bytes JMP 00007ff902030330 .text C:\Windows\system32\taskhostex.exe[2896] 
C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00007ff881f0b8d0 5 bytes JMP 00007ff902030410 .text C:\Windows\system32\taskhostex.exe[2896] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00007ff881f0b900 5 bytes JMP 00007ff902030240 .text C:\Windows\system32\taskhostex.exe[2896] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00007ff881f0bc20 5 bytes JMP 00007ff9020301e0 .text C:\Windows\system32\taskhostex.exe[2896] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00007ff881f0bce0 5 bytes JMP 00007ff902030250 .text C:\Windows\system32\taskhostex.exe[2896] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00007ff881f0bd10 5 bytes JMP 00007ff902030490 .text C:\Windows\system32\taskhostex.exe[2896] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00007ff881f0bd20 5 bytes JMP 00007ff9020304a0 .text C:\Windows\system32\taskhostex.exe[2896] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00007ff881f0bd50 5 bytes JMP 00007ff902030300 .text C:\Windows\system32\taskhostex.exe[2896] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00007ff881f0bd60 5 bytes JMP 00007ff902030360 .text C:\Windows\system32\taskhostex.exe[2896] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00007ff881f0bdc0 5 bytes JMP 00007ff9020302a0 .text C:\Windows\system32\taskhostex.exe[2896] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00007ff881f0be10 5 bytes JMP 00007ff9020302c0 .text C:\Windows\system32\taskhostex.exe[2896] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00007ff881f0be40 5 bytes JMP 00007ff902030380 .text C:\Windows\system32\taskhostex.exe[2896] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00007ff881f0be50 5 bytes JMP 00007ff902030340 .text C:\Windows\system32\taskhostex.exe[2896] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00007ff881f0c160 5 bytes JMP 00007ff902030440 .text C:\Windows\system32\taskhostex.exe[2896] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00007ff881f0c360 5 bytes JMP 00007ff902030260 .text C:\Windows\system32\taskhostex.exe[2896] 
C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00007ff881f0c370 5 bytes JMP 00007ff902030270 .text C:\Windows\system32\taskhostex.exe[2896] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00007ff881f0c390 5 bytes JMP 00007ff902030400 .text C:\Windows\system32\taskhostex.exe[2896] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00007ff881f0c570 5 bytes JMP 00007ff9020301f0 .text C:\Windows\system32\taskhostex.exe[2896] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00007ff881f0c580 1 byte JMP 00007ff902030210 .text C:\Windows\system32\taskhostex.exe[2896] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState + 2 00007ff881f0c582 3 bytes {JMP 0xffffffff80123c90} .text C:\Windows\system32\taskhostex.exe[2896] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00007ff881f0c610 5 bytes JMP 00007ff902030200 .text C:\Windows\system32\taskhostex.exe[2896] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00007ff881f0c680 5 bytes JMP 00007ff902030420 .text C:\Windows\system32\taskhostex.exe[2896] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00007ff881f0c690 5 bytes JMP 00007ff902030430 .text C:\Windows\system32\taskhostex.exe[2896] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00007ff881f0c6a0 5 bytes JMP 00007ff902030220 .text C:\Windows\system32\taskhostex.exe[2896] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00007ff881f0c7b0 5 bytes JMP 00007ff902030280 .text C:\Windows\system32\taskhostex.exe[2896] C:\Windows\system32\KERNEL32.DLL!GetBinaryTypeW + 165 00007ff8819f553d 1 byte [62] .text C:\Windows\System32\skydrive.exe[3964] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00007ff881f0adb0 5 bytes JMP 00007ff902030460 .text C:\Windows\System32\skydrive.exe[3964] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00007ff881f0ae00 5 bytes JMP 00007ff902030450 .text C:\Windows\System32\skydrive.exe[3964] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00007ff881f0af60 5 bytes JMP 00007ff902030370 .text C:\Windows\System32\skydrive.exe[3964] 
C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00007ff881f0afb0 5 bytes JMP 00007ff902030470 .text C:\Windows\System32\skydrive.exe[3964] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00007ff881f0afc0 5 bytes JMP 00007ff9020303e0 .text C:\Windows\System32\skydrive.exe[3964] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00007ff881f0b070 5 bytes JMP 00007ff902030320 .text C:\Windows\System32\skydrive.exe[3964] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ff881f0b0a0 5 bytes JMP 00007ff9020303b0 .text C:\Windows\System32\skydrive.exe[3964] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00007ff881f0b0c0 5 bytes JMP 00007ff902030390 .text C:\Windows\System32\skydrive.exe[3964] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00007ff881f0b100 5 bytes JMP 00007ff9020302e0 .text C:\Windows\System32\skydrive.exe[3964] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00007ff881f0b180 5 bytes JMP 00007ff9020302d0 .text C:\Windows\System32\skydrive.exe[3964] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00007ff881f0b1a0 5 bytes JMP 00007ff902030310 .text C:\Windows\System32\skydrive.exe[3964] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00007ff881f0b1e0 5 bytes JMP 00007ff9020303c0 .text C:\Windows\System32\skydrive.exe[3964] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00007ff881f0b230 5 bytes JMP 00007ff9020303f0 .text C:\Windows\System32\skydrive.exe[3964] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00007ff881f0b390 5 bytes JMP 00007ff902030230 .text C:\Windows\System32\skydrive.exe[3964] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00007ff881f0b580 5 bytes JMP 00007ff902030480 .text C:\Windows\System32\skydrive.exe[3964] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00007ff881f0b5b0 5 bytes JMP 00007ff9020303a0 .text C:\Windows\System32\skydrive.exe[3964] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00007ff881f0b6d0 5 bytes JMP 00007ff9020302f0 .text C:\Windows\System32\skydrive.exe[3964] 
C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00007ff881f0b6f0 5 bytes JMP 00007ff902030350 .text C:\Windows\System32\skydrive.exe[3964] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00007ff881f0b760 5 bytes JMP 00007ff902030290 .text C:\Windows\System32\skydrive.exe[3964] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00007ff881f0b7f0 5 bytes JMP 00007ff9020302b0 .text C:\Windows\System32\skydrive.exe[3964] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ff881f0b810 5 bytes JMP 00007ff9020303d0 .text C:\Windows\System32\skydrive.exe[3964] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00007ff881f0b820 5 bytes JMP 00007ff902030330 .text C:\Windows\System32\skydrive.exe[3964] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00007ff881f0b8d0 5 bytes JMP 00007ff902030410 .text C:\Windows\System32\skydrive.exe[3964] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00007ff881f0b900 5 bytes JMP 00007ff902030240 .text C:\Windows\System32\skydrive.exe[3964] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00007ff881f0bc20 5 bytes JMP 00007ff9020301e0 .text C:\Windows\System32\skydrive.exe[3964] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00007ff881f0bce0 5 bytes JMP 00007ff902030250 .text C:\Windows\System32\skydrive.exe[3964] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00007ff881f0bd10 5 bytes JMP 00007ff902030490 .text C:\Windows\System32\skydrive.exe[3964] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00007ff881f0bd20 5 bytes JMP 00007ff9020304a0 .text C:\Windows\System32\skydrive.exe[3964] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00007ff881f0bd50 5 bytes JMP 00007ff902030300 .text C:\Windows\System32\skydrive.exe[3964] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00007ff881f0bd60 5 bytes JMP 00007ff902030360 .text C:\Windows\System32\skydrive.exe[3964] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00007ff881f0bdc0 5 bytes JMP 00007ff9020302a0 .text C:\Windows\System32\skydrive.exe[3964] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 
00007ff881f0be10 5 bytes JMP 00007ff9020302c0 .text C:\Windows\System32\skydrive.exe[3964] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00007ff881f0be40 5 bytes JMP 00007ff902030380 .text C:\Windows\System32\skydrive.exe[3964] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00007ff881f0be50 5 bytes JMP 00007ff902030340 .text C:\Windows\System32\skydrive.exe[3964] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00007ff881f0c160 5 bytes JMP 00007ff902030440 .text C:\Windows\System32\skydrive.exe[3964] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00007ff881f0c360 5 bytes JMP 00007ff902030260 .text C:\Windows\System32\skydrive.exe[3964] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00007ff881f0c370 5 bytes JMP 00007ff902030270 .text C:\Windows\System32\skydrive.exe[3964] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00007ff881f0c390 5 bytes JMP 00007ff902030400 .text C:\Windows\System32\skydrive.exe[3964] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00007ff881f0c570 5 bytes JMP 00007ff9020301f0 .text C:\Windows\System32\skydrive.exe[3964] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00007ff881f0c580 1 byte JMP 00007ff902030210 .text C:\Windows\System32\skydrive.exe[3964] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState + 2 00007ff881f0c582 3 bytes {JMP 0xffffffff80123c90} .text C:\Windows\System32\skydrive.exe[3964] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00007ff881f0c610 5 bytes JMP 00007ff902030200 .text C:\Windows\System32\skydrive.exe[3964] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00007ff881f0c680 5 bytes JMP 00007ff902030420 .text C:\Windows\System32\skydrive.exe[3964] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00007ff881f0c690 5 bytes JMP 00007ff902030430 .text C:\Windows\System32\skydrive.exe[3964] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00007ff881f0c6a0 5 bytes JMP 00007ff902030220 .text C:\Windows\System32\skydrive.exe[3964] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00007ff881f0c7b0 5 bytes JMP 00007ff902030280 
.text C:\Windows\System32\skydrive.exe[3964] C:\Windows\system32\KERNEL32.DLL!GetBinaryTypeW + 165 00007ff8819f553d 1 byte [62] .text C:\Windows\System32\RuntimeBroker.exe[4476] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00007ff881f0adb0 5 bytes JMP 00007ff902030460 .text C:\Windows\System32\RuntimeBroker.exe[4476] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00007ff881f0ae00 5 bytes JMP 00007ff902030450 .text C:\Windows\System32\RuntimeBroker.exe[4476] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00007ff881f0af60 5 bytes JMP 00007ff902030370 .text C:\Windows\System32\RuntimeBroker.exe[4476] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00007ff881f0afb0 5 bytes JMP 00007ff902030470 .text C:\Windows\System32\RuntimeBroker.exe[4476] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00007ff881f0afc0 5 bytes JMP 00007ff9020303e0 .text C:\Windows\System32\RuntimeBroker.exe[4476] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00007ff881f0b070 5 bytes JMP 00007ff902030320 .text C:\Windows\System32\RuntimeBroker.exe[4476] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ff881f0b0a0 5 bytes JMP 00007ff9020303b0 .text C:\Windows\System32\RuntimeBroker.exe[4476] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00007ff881f0b0c0 5 bytes JMP 00007ff902030390 .text C:\Windows\System32\RuntimeBroker.exe[4476] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00007ff881f0b100 5 bytes JMP 00007ff9020302e0 .text C:\Windows\System32\RuntimeBroker.exe[4476] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00007ff881f0b180 5 bytes JMP 00007ff9020302d0 .text C:\Windows\System32\RuntimeBroker.exe[4476] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00007ff881f0b1a0 5 bytes JMP 00007ff902030310 .text C:\Windows\System32\RuntimeBroker.exe[4476] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00007ff881f0b1e0 5 bytes JMP 00007ff9020303c0 .text C:\Windows\System32\RuntimeBroker.exe[4476] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00007ff881f0b230 5 bytes JMP 00007ff9020303f0 .text 
C:\Windows\System32\RuntimeBroker.exe[4476] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00007ff881f0b390 5 bytes JMP 00007ff902030230 .text C:\Windows\System32\RuntimeBroker.exe[4476] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00007ff881f0b580 5 bytes JMP 00007ff902030480 .text C:\Windows\System32\RuntimeBroker.exe[4476] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00007ff881f0b5b0 5 bytes JMP 00007ff9020303a0 .text C:\Windows\System32\RuntimeBroker.exe[4476] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00007ff881f0b6d0 5 bytes JMP 00007ff9020302f0 .text C:\Windows\System32\RuntimeBroker.exe[4476] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00007ff881f0b6f0 5 bytes JMP 00007ff902030350 .text C:\Windows\System32\RuntimeBroker.exe[4476] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00007ff881f0b760 5 bytes JMP 00007ff902030290 .text C:\Windows\System32\RuntimeBroker.exe[4476] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00007ff881f0b7f0 5 bytes JMP 00007ff9020302b0 .text C:\Windows\System32\RuntimeBroker.exe[4476] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ff881f0b810 5 bytes JMP 00007ff9020303d0 .text C:\Windows\System32\RuntimeBroker.exe[4476] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00007ff881f0b820 5 bytes JMP 00007ff902030330 .text C:\Windows\System32\RuntimeBroker.exe[4476] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00007ff881f0b8d0 5 bytes JMP 00007ff902030410 .text C:\Windows\System32\RuntimeBroker.exe[4476] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00007ff881f0b900 5 bytes JMP 00007ff902030240 .text C:\Windows\System32\RuntimeBroker.exe[4476] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00007ff881f0bc20 5 bytes JMP 00007ff9020301e0 .text C:\Windows\System32\RuntimeBroker.exe[4476] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00007ff881f0bce0 5 bytes JMP 00007ff902030250 .text C:\Windows\System32\RuntimeBroker.exe[4476] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00007ff881f0bd10 5 bytes JMP 
00007ff902030490 .text C:\Windows\System32\RuntimeBroker.exe[4476] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00007ff881f0bd20 5 bytes JMP 00007ff9020304a0 .text C:\Windows\System32\RuntimeBroker.exe[4476] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00007ff881f0bd50 5 bytes JMP 00007ff902030300 .text C:\Windows\System32\RuntimeBroker.exe[4476] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00007ff881f0bd60 5 bytes JMP 00007ff902030360 .text C:\Windows\System32\RuntimeBroker.exe[4476] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00007ff881f0bdc0 5 bytes JMP 00007ff9020302a0 .text C:\Windows\System32\RuntimeBroker.exe[4476] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00007ff881f0be10 5 bytes JMP 00007ff9020302c0 .text C:\Windows\System32\RuntimeBroker.exe[4476] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00007ff881f0be40 5 bytes JMP 00007ff902030380 .text C:\Windows\System32\RuntimeBroker.exe[4476] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00007ff881f0be50 5 bytes JMP 00007ff902030340 .text C:\Windows\System32\RuntimeBroker.exe[4476] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00007ff881f0c160 5 bytes JMP 00007ff902030440 .text C:\Windows\System32\RuntimeBroker.exe[4476] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00007ff881f0c360 5 bytes JMP 00007ff902030260 .text C:\Windows\System32\RuntimeBroker.exe[4476] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00007ff881f0c370 5 bytes JMP 00007ff902030270 .text C:\Windows\System32\RuntimeBroker.exe[4476] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00007ff881f0c390 5 bytes JMP 00007ff902030400 .text C:\Windows\System32\RuntimeBroker.exe[4476] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00007ff881f0c570 5 bytes JMP 00007ff9020301f0 .text C:\Windows\System32\RuntimeBroker.exe[4476] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00007ff881f0c580 1 byte JMP 00007ff902030210 .text C:\Windows\System32\RuntimeBroker.exe[4476] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState + 2 
00007ff881f0c582 3 bytes {JMP 0xffffffff80123c90} .text C:\Windows\System32\RuntimeBroker.exe[4476] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00007ff881f0c610 5 bytes JMP 00007ff902030200 .text C:\Windows\System32\RuntimeBroker.exe[4476] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00007ff881f0c680 5 bytes JMP 00007ff902030420 .text C:\Windows\System32\RuntimeBroker.exe[4476] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00007ff881f0c690 5 bytes JMP 00007ff902030430 .text C:\Windows\System32\RuntimeBroker.exe[4476] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00007ff881f0c6a0 5 bytes JMP 00007ff902030220 .text C:\Windows\System32\RuntimeBroker.exe[4476] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00007ff881f0c7b0 5 bytes JMP 00007ff902030280 .text C:\Windows\System32\RuntimeBroker.exe[4476] C:\Windows\system32\KERNEL32.DLL!GetBinaryTypeW + 165 00007ff8819f553d 1 byte [62] .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[4924] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00007ff881f0adb0 5 bytes JMP 00007ff902030460 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[4924] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00007ff881f0ae00 5 bytes JMP 00007ff902030450 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[4924] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00007ff881f0af60 5 bytes JMP 00007ff902030370 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[4924] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00007ff881f0afb0 5 bytes JMP 00007ff902030470 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[4924] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00007ff881f0afc0 5 bytes JMP 00007ff9020303e0 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[4924] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00007ff881f0b070 5 bytes JMP 00007ff902030320 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[4924] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ff881f0b0a0 5 bytes JMP 00007ff9020303b0 .text 
C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[4924] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00007ff881f0b0c0 5 bytes JMP 00007ff902030390 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[4924] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00007ff881f0b100 5 bytes JMP 00007ff9020302e0 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[4924] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00007ff881f0b180 5 bytes JMP 00007ff9020302d0 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[4924] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00007ff881f0b1a0 5 bytes JMP 00007ff902030310 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[4924] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00007ff881f0b1e0 5 bytes JMP 00007ff9020303c0 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[4924] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00007ff881f0b230 5 bytes JMP 00007ff9020303f0 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[4924] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00007ff881f0b390 5 bytes JMP 00007ff902030230 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[4924] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00007ff881f0b580 5 bytes JMP 00007ff902030480 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[4924] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00007ff881f0b5b0 5 bytes JMP 00007ff9020303a0 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[4924] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00007ff881f0b6d0 5 bytes JMP 00007ff9020302f0 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[4924] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00007ff881f0b6f0 5 bytes JMP 00007ff902030350 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[4924] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00007ff881f0b760 5 bytes JMP 00007ff902030290 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[4924] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00007ff881f0b7f0 5 bytes JMP 
00007ff9020302b0 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[4924] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ff881f0b810 5 bytes JMP 00007ff9020303d0 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[4924] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00007ff881f0b820 5 bytes JMP 00007ff902030330 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[4924] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00007ff881f0b8d0 5 bytes JMP 00007ff902030410 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[4924] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00007ff881f0b900 5 bytes JMP 00007ff902030240 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[4924] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00007ff881f0bc20 5 bytes JMP 00007ff9020301e0 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[4924] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00007ff881f0bce0 5 bytes JMP 00007ff902030250 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[4924] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00007ff881f0bd10 5 bytes JMP 00007ff902030490 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[4924] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00007ff881f0bd20 5 bytes JMP 00007ff9020304a0 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[4924] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00007ff881f0bd50 5 bytes JMP 00007ff902030300 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[4924] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00007ff881f0bd60 5 bytes JMP 00007ff902030360 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[4924] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00007ff881f0bdc0 5 bytes JMP 00007ff9020302a0 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[4924] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00007ff881f0be10 5 bytes JMP 00007ff9020302c0 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[4924] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00007ff881f0be40 5 bytes 
JMP 00007ff902030380 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[4924] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00007ff881f0be50 5 bytes JMP 00007ff902030340 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[4924] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00007ff881f0c160 5 bytes JMP 00007ff902030440 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[4924] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00007ff881f0c360 5 bytes JMP 00007ff902030260 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[4924] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00007ff881f0c370 5 bytes JMP 00007ff902030270 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[4924] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00007ff881f0c390 5 bytes JMP 00007ff902030400 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[4924] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00007ff881f0c570 5 bytes JMP 00007ff9020301f0 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[4924] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00007ff881f0c580 1 byte JMP 00007ff902030210 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[4924] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState + 2 00007ff881f0c582 3 bytes {JMP 0xffffffff80123c90} .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[4924] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00007ff881f0c610 5 bytes JMP 00007ff902030200 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[4924] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00007ff881f0c680 5 bytes JMP 00007ff902030420 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[4924] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00007ff881f0c690 5 bytes JMP 00007ff902030430 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[4924] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00007ff881f0c6a0 5 bytes JMP 00007ff902030220 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[4924] 
C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00007ff881f0c7b0 5 bytes JMP 00007ff902030280 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[4924] C:\Windows\system32\KERNEL32.DLL!GetBinaryTypeW + 165 00007ff8819f553d 1 byte [62] .text C:\Program Files\Autodesk\Autodesk Sync\AdSync.exe[5000] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00007ff881f0adb0 5 bytes JMP 00007ff902030460 .text C:\Program Files\Autodesk\Autodesk Sync\AdSync.exe[5000] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00007ff881f0ae00 5 bytes JMP 00007ff902030450 .text C:\Program Files\Autodesk\Autodesk Sync\AdSync.exe[5000] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00007ff881f0af60 5 bytes JMP 00007ff902030370 .text C:\Program Files\Autodesk\Autodesk Sync\AdSync.exe[5000] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00007ff881f0afb0 5 bytes JMP 00007ff902030470 .text C:\Program Files\Autodesk\Autodesk Sync\AdSync.exe[5000] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00007ff881f0afc0 5 bytes JMP 00007ff9020303e0 .text C:\Program Files\Autodesk\Autodesk Sync\AdSync.exe[5000] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00007ff881f0b070 5 bytes JMP 00007ff902030320 .text C:\Program Files\Autodesk\Autodesk Sync\AdSync.exe[5000] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ff881f0b0a0 5 bytes JMP 00007ff9020303b0 .text C:\Program Files\Autodesk\Autodesk Sync\AdSync.exe[5000] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00007ff881f0b0c0 5 bytes JMP 00007ff902030390 .text C:\Program Files\Autodesk\Autodesk Sync\AdSync.exe[5000] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00007ff881f0b100 5 bytes JMP 00007ff9020302e0 .text C:\Program Files\Autodesk\Autodesk Sync\AdSync.exe[5000] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00007ff881f0b180 5 bytes JMP 00007ff9020302d0 .text C:\Program Files\Autodesk\Autodesk Sync\AdSync.exe[5000] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00007ff881f0b1a0 5 bytes JMP 00007ff902030310 .text C:\Program Files\Autodesk\Autodesk 
Sync\AdSync.exe[5000] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00007ff881f0b1e0 5 bytes JMP 00007ff9020303c0 .text C:\Program Files\Autodesk\Autodesk Sync\AdSync.exe[5000] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00007ff881f0b230 5 bytes JMP 00007ff9020303f0 .text C:\Program Files\Autodesk\Autodesk Sync\AdSync.exe[5000] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00007ff881f0b390 5 bytes JMP 00007ff902030230 .text C:\Program Files\Autodesk\Autodesk Sync\AdSync.exe[5000] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00007ff881f0b580 5 bytes JMP 00007ff902030480 .text C:\Program Files\Autodesk\Autodesk Sync\AdSync.exe[5000] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00007ff881f0b5b0 5 bytes JMP 00007ff9020303a0 .text C:\Program Files\Autodesk\Autodesk Sync\AdSync.exe[5000] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00007ff881f0b6d0 5 bytes JMP 00007ff9020302f0 .text C:\Program Files\Autodesk\Autodesk Sync\AdSync.exe[5000] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00007ff881f0b6f0 5 bytes JMP 00007ff902030350 .text C:\Program Files\Autodesk\Autodesk Sync\AdSync.exe[5000] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00007ff881f0b760 5 bytes JMP 00007ff902030290 .text C:\Program Files\Autodesk\Autodesk Sync\AdSync.exe[5000] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00007ff881f0b7f0 5 bytes JMP 00007ff9020302b0 .text C:\Program Files\Autodesk\Autodesk Sync\AdSync.exe[5000] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ff881f0b810 5 bytes JMP 00007ff9020303d0 .text C:\Program Files\Autodesk\Autodesk Sync\AdSync.exe[5000] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00007ff881f0b820 5 bytes JMP 00007ff902030330 .text C:\Program Files\Autodesk\Autodesk Sync\AdSync.exe[5000] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00007ff881f0b8d0 5 bytes JMP 00007ff902030410 .text C:\Program Files\Autodesk\Autodesk Sync\AdSync.exe[5000] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00007ff881f0b900 5 bytes JMP 
00007ff902030240 .text C:\Program Files\Autodesk\Autodesk Sync\AdSync.exe[5000] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00007ff881f0bc20 5 bytes JMP 00007ff9020301e0 .text C:\Program Files\Autodesk\Autodesk Sync\AdSync.exe[5000] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00007ff881f0bce0 5 bytes JMP 00007ff902030250 .text C:\Program Files\Autodesk\Autodesk Sync\AdSync.exe[5000] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00007ff881f0bd10 5 bytes JMP 00007ff902030490 .text C:\Program Files\Autodesk\Autodesk Sync\AdSync.exe[5000] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00007ff881f0bd20 5 bytes JMP 00007ff9020304a0 .text C:\Program Files\Autodesk\Autodesk Sync\AdSync.exe[5000] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00007ff881f0bd50 5 bytes JMP 00007ff902030300 .text C:\Program Files\Autodesk\Autodesk Sync\AdSync.exe[5000] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00007ff881f0bd60 5 bytes JMP 00007ff902030360 .text C:\Program Files\Autodesk\Autodesk Sync\AdSync.exe[5000] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00007ff881f0bdc0 5 bytes JMP 00007ff9020302a0 .text C:\Program Files\Autodesk\Autodesk Sync\AdSync.exe[5000] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00007ff881f0be10 5 bytes JMP 00007ff9020302c0 .text C:\Program Files\Autodesk\Autodesk Sync\AdSync.exe[5000] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00007ff881f0be40 5 bytes JMP 00007ff902030380 .text C:\Program Files\Autodesk\Autodesk Sync\AdSync.exe[5000] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00007ff881f0be50 5 bytes JMP 00007ff902030340 .text C:\Program Files\Autodesk\Autodesk Sync\AdSync.exe[5000] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00007ff881f0c160 5 bytes JMP 00007ff902030440 .text C:\Program Files\Autodesk\Autodesk Sync\AdSync.exe[5000] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00007ff881f0c360 5 bytes JMP 00007ff902030260 .text C:\Program Files\Autodesk\Autodesk Sync\AdSync.exe[5000] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 
00007ff881f0c370 5 bytes JMP 00007ff902030270 .text C:\Program Files\Autodesk\Autodesk Sync\AdSync.exe[5000] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00007ff881f0c390 5 bytes JMP 00007ff902030400 .text C:\Program Files\Autodesk\Autodesk Sync\AdSync.exe[5000] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00007ff881f0c570 5 bytes JMP 00007ff9020301f0 .text C:\Program Files\Autodesk\Autodesk Sync\AdSync.exe[5000] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00007ff881f0c580 1 byte JMP 00007ff902030210 .text C:\Program Files\Autodesk\Autodesk Sync\AdSync.exe[5000] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState + 2 00007ff881f0c582 3 bytes {JMP 0xffffffff80123c90} .text C:\Program Files\Autodesk\Autodesk Sync\AdSync.exe[5000] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00007ff881f0c610 5 bytes JMP 00007ff902030200 .text C:\Program Files\Autodesk\Autodesk Sync\AdSync.exe[5000] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00007ff881f0c680 5 bytes JMP 00007ff902030420 .text C:\Program Files\Autodesk\Autodesk Sync\AdSync.exe[5000] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00007ff881f0c690 5 bytes JMP 00007ff902030430 .text C:\Program Files\Autodesk\Autodesk Sync\AdSync.exe[5000] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00007ff881f0c6a0 5 bytes JMP 00007ff902030220 .text C:\Program Files\Autodesk\Autodesk Sync\AdSync.exe[5000] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00007ff881f0c7b0 5 bytes JMP 00007ff902030280 .text C:\Program Files\Autodesk\Autodesk Sync\AdSync.exe[5000] C:\Windows\system32\KERNEL32.DLL!GetBinaryTypeW + 165 00007ff8819f553d 1 byte [62] .text C:\Program Files\Autodesk\Autodesk Sync\AdSync.exe[5000] C:\Windows\system32\PSAPI.DLL!GetModuleBaseNameA + 506 00007ff88197169a 4 bytes [97, 81, F8, 7F] .text C:\Program Files\Autodesk\Autodesk Sync\AdSync.exe[5000] C:\Windows\system32\PSAPI.DLL!GetModuleBaseNameA + 514 00007ff8819716a2 4 bytes [97, 81, F8, 7F] .text C:\Program Files\Autodesk\Autodesk 
Sync\AdSync.exe[5000] C:\Windows\system32\PSAPI.DLL!QueryWorkingSet + 118 00007ff88197181a 4 bytes [97, 81, F8, 7F] .text C:\Program Files\Autodesk\Autodesk Sync\AdSync.exe[5000] C:\Windows\system32\PSAPI.DLL!QueryWorkingSet + 142 00007ff881971832 4 bytes [97, 81, F8, 7F] .text C:\Windows\system32\wbem\unsecapp.exe[4464] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00007ff881f0adb0 5 bytes JMP 00007ff902030460 .text C:\Windows\system32\wbem\unsecapp.exe[4464] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00007ff881f0ae00 5 bytes JMP 00007ff902030450 .text C:\Windows\system32\wbem\unsecapp.exe[4464] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00007ff881f0af60 5 bytes JMP 00007ff902030370 .text C:\Windows\system32\wbem\unsecapp.exe[4464] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00007ff881f0afb0 5 bytes JMP 00007ff902030470 .text C:\Windows\system32\wbem\unsecapp.exe[4464] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00007ff881f0afc0 5 bytes JMP 00007ff9020303e0 .text C:\Windows\system32\wbem\unsecapp.exe[4464] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00007ff881f0b070 5 bytes JMP 00007ff902030320 .text C:\Windows\system32\wbem\unsecapp.exe[4464] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ff881f0b0a0 5 bytes JMP 00007ff9020303b0 .text C:\Windows\system32\wbem\unsecapp.exe[4464] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00007ff881f0b0c0 5 bytes JMP 00007ff902030390 .text C:\Windows\system32\wbem\unsecapp.exe[4464] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00007ff881f0b100 5 bytes JMP 00007ff9020302e0 .text C:\Windows\system32\wbem\unsecapp.exe[4464] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00007ff881f0b180 5 bytes JMP 00007ff9020302d0 .text C:\Windows\system32\wbem\unsecapp.exe[4464] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00007ff881f0b1a0 5 bytes JMP 00007ff902030310 .text C:\Windows\system32\wbem\unsecapp.exe[4464] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00007ff881f0b1e0 5 bytes JMP 00007ff9020303c0 .text 
C:\Windows\system32\wbem\unsecapp.exe[4464] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00007ff881f0b230 5 bytes JMP 00007ff9020303f0 .text C:\Windows\system32\wbem\unsecapp.exe[4464] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00007ff881f0b390 5 bytes JMP 00007ff902030230 .text C:\Windows\system32\wbem\unsecapp.exe[4464] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00007ff881f0b580 5 bytes JMP 00007ff902030480 .text C:\Windows\system32\wbem\unsecapp.exe[4464] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00007ff881f0b5b0 5 bytes JMP 00007ff9020303a0 .text C:\Windows\system32\wbem\unsecapp.exe[4464] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00007ff881f0b6d0 5 bytes JMP 00007ff9020302f0 .text C:\Windows\system32\wbem\unsecapp.exe[4464] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00007ff881f0b6f0 5 bytes JMP 00007ff902030350 .text C:\Windows\system32\wbem\unsecapp.exe[4464] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00007ff881f0b760 5 bytes JMP 00007ff902030290 .text C:\Windows\system32\wbem\unsecapp.exe[4464] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00007ff881f0b7f0 5 bytes JMP 00007ff9020302b0 .text C:\Windows\system32\wbem\unsecapp.exe[4464] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ff881f0b810 5 bytes JMP 00007ff9020303d0 .text C:\Windows\system32\wbem\unsecapp.exe[4464] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00007ff881f0b820 5 bytes JMP 00007ff902030330 .text C:\Windows\system32\wbem\unsecapp.exe[4464] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00007ff881f0b8d0 5 bytes JMP 00007ff902030410 .text C:\Windows\system32\wbem\unsecapp.exe[4464] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00007ff881f0b900 5 bytes JMP 00007ff902030240 .text C:\Windows\system32\wbem\unsecapp.exe[4464] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00007ff881f0bc20 5 bytes JMP 00007ff9020301e0 .text C:\Windows\system32\wbem\unsecapp.exe[4464] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00007ff881f0bce0 5 bytes JMP 
00007ff902030250 .text C:\Windows\system32\wbem\unsecapp.exe[4464] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00007ff881f0bd10 5 bytes JMP 00007ff902030490 .text C:\Windows\system32\wbem\unsecapp.exe[4464] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00007ff881f0bd20 5 bytes JMP 00007ff9020304a0 .text C:\Windows\system32\wbem\unsecapp.exe[4464] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00007ff881f0bd50 5 bytes JMP 00007ff902030300 .text C:\Windows\system32\wbem\unsecapp.exe[4464] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00007ff881f0bd60 5 bytes JMP 00007ff902030360 .text C:\Windows\system32\wbem\unsecapp.exe[4464] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00007ff881f0bdc0 5 bytes JMP 00007ff9020302a0 .text C:\Windows\system32\wbem\unsecapp.exe[4464] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00007ff881f0be10 5 bytes JMP 00007ff9020302c0 .text C:\Windows\system32\wbem\unsecapp.exe[4464] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00007ff881f0be40 5 bytes JMP 00007ff902030380 .text C:\Windows\system32\wbem\unsecapp.exe[4464] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00007ff881f0be50 5 bytes JMP 00007ff902030340 .text C:\Windows\system32\wbem\unsecapp.exe[4464] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00007ff881f0c160 5 bytes JMP 00007ff902030440 .text C:\Windows\system32\wbem\unsecapp.exe[4464] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00007ff881f0c360 5 bytes JMP 00007ff902030260 .text C:\Windows\system32\wbem\unsecapp.exe[4464] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00007ff881f0c370 5 bytes JMP 00007ff902030270 .text C:\Windows\system32\wbem\unsecapp.exe[4464] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00007ff881f0c390 5 bytes JMP 00007ff902030400 .text C:\Windows\system32\wbem\unsecapp.exe[4464] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00007ff881f0c570 5 bytes JMP 00007ff9020301f0 .text C:\Windows\system32\wbem\unsecapp.exe[4464] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 
00007ff881f0c580 1 byte JMP 00007ff902030210 .text C:\Windows\system32\wbem\unsecapp.exe[4464] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState + 2 00007ff881f0c582 3 bytes {JMP 0xffffffff80123c90} .text C:\Windows\system32\wbem\unsecapp.exe[4464] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00007ff881f0c610 5 bytes JMP 00007ff902030200 .text C:\Windows\system32\wbem\unsecapp.exe[4464] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00007ff881f0c680 5 bytes JMP 00007ff902030420 .text C:\Windows\system32\wbem\unsecapp.exe[4464] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00007ff881f0c690 5 bytes JMP 00007ff902030430 .text C:\Windows\system32\wbem\unsecapp.exe[4464] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00007ff881f0c6a0 5 bytes JMP 00007ff902030220 .text C:\Windows\system32\wbem\unsecapp.exe[4464] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00007ff881f0c7b0 5 bytes JMP 00007ff902030280 .text C:\Windows\system32\wbem\unsecapp.exe[4464] C:\Windows\system32\KERNEL32.DLL!GetBinaryTypeW + 165 00007ff8819f553d 1 byte [62] .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM64.exe[3624] C:\Windows\system32\KERNEL32.DLL!GetBinaryTypeW + 165 00007ff8819f553d 1 byte [62] .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM64.exe[3624] C:\Windows\system32\PSAPI.DLL!GetModuleBaseNameA + 506 00007ff88197169a 4 bytes [97, 81, F8, 7F] .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM64.exe[3624] C:\Windows\system32\PSAPI.DLL!GetModuleBaseNameA + 514 00007ff8819716a2 4 bytes [97, 81, F8, 7F] .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM64.exe[3624] C:\Windows\system32\PSAPI.DLL!QueryWorkingSet + 118 00007ff88197181a 4 bytes [97, 81, F8, 7F] .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM64.exe[3624] C:\Windows\system32\PSAPI.DLL!QueryWorkingSet + 142 00007ff881971832 4 bytes [97, 81, F8, 7F] .text C:\Windows\System32\SettingSyncHost.exe[5344] 
C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00007ff881f0adb0 5 bytes JMP 00007ff902030460 .text C:\Windows\System32\SettingSyncHost.exe[5344] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00007ff881f0ae00 5 bytes JMP 00007ff902030450 .text C:\Windows\System32\SettingSyncHost.exe[5344] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00007ff881f0af60 5 bytes JMP 00007ff902030370 .text C:\Windows\System32\SettingSyncHost.exe[5344] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00007ff881f0afb0 5 bytes JMP 00007ff902030470 .text C:\Windows\System32\SettingSyncHost.exe[5344] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00007ff881f0afc0 5 bytes JMP 00007ff9020303e0 .text C:\Windows\System32\SettingSyncHost.exe[5344] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00007ff881f0b070 5 bytes JMP 00007ff902030320 .text C:\Windows\System32\SettingSyncHost.exe[5344] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ff881f0b0a0 5 bytes JMP 00007ff9020303b0 .text C:\Windows\System32\SettingSyncHost.exe[5344] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00007ff881f0b0c0 5 bytes JMP 00007ff902030390 .text C:\Windows\System32\SettingSyncHost.exe[5344] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00007ff881f0b100 5 bytes JMP 00007ff9020302e0 .text C:\Windows\System32\SettingSyncHost.exe[5344] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00007ff881f0b180 5 bytes JMP 00007ff9020302d0 .text C:\Windows\System32\SettingSyncHost.exe[5344] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00007ff881f0b1a0 5 bytes JMP 00007ff902030310 .text C:\Windows\System32\SettingSyncHost.exe[5344] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00007ff881f0b1e0 5 bytes JMP 00007ff9020303c0 .text C:\Windows\System32\SettingSyncHost.exe[5344] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00007ff881f0b230 5 bytes JMP 00007ff9020303f0 .text C:\Windows\System32\SettingSyncHost.exe[5344] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00007ff881f0b390 5 bytes JMP 00007ff902030230 .text 
C:\Windows\System32\SettingSyncHost.exe[5344] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00007ff881f0b580 5 bytes JMP 00007ff902030480 .text C:\Windows\System32\SettingSyncHost.exe[5344] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00007ff881f0b5b0 5 bytes JMP 00007ff9020303a0 .text C:\Windows\System32\SettingSyncHost.exe[5344] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00007ff881f0b6d0 5 bytes JMP 00007ff9020302f0 .text C:\Windows\System32\SettingSyncHost.exe[5344] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00007ff881f0b6f0 5 bytes JMP 00007ff902030350 .text C:\Windows\System32\SettingSyncHost.exe[5344] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00007ff881f0b760 5 bytes JMP 00007ff902030290 .text C:\Windows\System32\SettingSyncHost.exe[5344] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00007ff881f0b7f0 5 bytes JMP 00007ff9020302b0 .text C:\Windows\System32\SettingSyncHost.exe[5344] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ff881f0b810 5 bytes JMP 00007ff9020303d0 .text C:\Windows\System32\SettingSyncHost.exe[5344] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00007ff881f0b820 5 bytes JMP 00007ff902030330 .text C:\Windows\System32\SettingSyncHost.exe[5344] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00007ff881f0b8d0 5 bytes JMP 00007ff902030410 .text C:\Windows\System32\SettingSyncHost.exe[5344] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00007ff881f0b900 5 bytes JMP 00007ff902030240 .text C:\Windows\System32\SettingSyncHost.exe[5344] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00007ff881f0bc20 5 bytes JMP 00007ff9020301e0 .text C:\Windows\System32\SettingSyncHost.exe[5344] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00007ff881f0bce0 5 bytes JMP 00007ff902030250 .text C:\Windows\System32\SettingSyncHost.exe[5344] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00007ff881f0bd10 5 bytes JMP 00007ff902030490 .text C:\Windows\System32\SettingSyncHost.exe[5344] 
C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00007ff881f0bd20 5 bytes JMP 00007ff9020304a0 .text C:\Windows\System32\SettingSyncHost.exe[5344] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00007ff881f0bd50 5 bytes JMP 00007ff902030300 .text C:\Windows\System32\SettingSyncHost.exe[5344] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00007ff881f0bd60 5 bytes JMP 00007ff902030360 .text C:\Windows\System32\SettingSyncHost.exe[5344] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00007ff881f0bdc0 5 bytes JMP 00007ff9020302a0 .text C:\Windows\System32\SettingSyncHost.exe[5344] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00007ff881f0be10 5 bytes JMP 00007ff9020302c0 .text C:\Windows\System32\SettingSyncHost.exe[5344] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00007ff881f0be40 5 bytes JMP 00007ff902030380 .text C:\Windows\System32\SettingSyncHost.exe[5344] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00007ff881f0be50 5 bytes JMP 00007ff902030340 .text C:\Windows\System32\SettingSyncHost.exe[5344] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00007ff881f0c160 5 bytes JMP 00007ff902030440 .text C:\Windows\System32\SettingSyncHost.exe[5344] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00007ff881f0c360 5 bytes JMP 00007ff902030260 .text C:\Windows\System32\SettingSyncHost.exe[5344] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00007ff881f0c370 5 bytes JMP 00007ff902030270 .text C:\Windows\System32\SettingSyncHost.exe[5344] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00007ff881f0c390 5 bytes JMP 00007ff902030400 .text C:\Windows\System32\SettingSyncHost.exe[5344] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00007ff881f0c570 5 bytes JMP 00007ff9020301f0 .text C:\Windows\System32\SettingSyncHost.exe[5344] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00007ff881f0c580 1 byte JMP 00007ff902030210 .text C:\Windows\System32\SettingSyncHost.exe[5344] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState + 2 00007ff881f0c582 3 bytes {JMP 
0xffffffff80123c90} .text C:\Windows\System32\SettingSyncHost.exe[5344] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00007ff881f0c610 5 bytes JMP 00007ff902030200 .text C:\Windows\System32\SettingSyncHost.exe[5344] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00007ff881f0c680 5 bytes JMP 00007ff902030420 .text C:\Windows\System32\SettingSyncHost.exe[5344] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00007ff881f0c690 5 bytes JMP 00007ff902030430 .text C:\Windows\System32\SettingSyncHost.exe[5344] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00007ff881f0c6a0 5 bytes JMP 00007ff902030220 .text C:\Windows\System32\SettingSyncHost.exe[5344] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00007ff881f0c7b0 5 bytes JMP 00007ff902030280 .text C:\Windows\System32\SettingSyncHost.exe[5344] C:\Windows\system32\KERNEL32.DLL!GetBinaryTypeW + 165 00007ff8819f553d 1 byte [62] .text C:\Windows\system32\AUDIODG.EXE[5604] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00007ff881f0adb0 5 bytes JMP 00007ff902030460 .text C:\Windows\system32\AUDIODG.EXE[5604] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00007ff881f0ae00 5 bytes JMP 00007ff902030450 .text C:\Windows\system32\AUDIODG.EXE[5604] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00007ff881f0af60 5 bytes JMP 00007ff902030370 .text C:\Windows\system32\AUDIODG.EXE[5604] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00007ff881f0afb0 5 bytes JMP 00007ff902030470 .text C:\Windows\system32\AUDIODG.EXE[5604] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00007ff881f0afc0 5 bytes JMP 00007ff9020303e0 .text C:\Windows\system32\AUDIODG.EXE[5604] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00007ff881f0b070 5 bytes JMP 00007ff902030320 .text C:\Windows\system32\AUDIODG.EXE[5604] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ff881f0b0a0 5 bytes JMP 00007ff9020303b0 .text C:\Windows\system32\AUDIODG.EXE[5604] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00007ff881f0b0c0 5 bytes JMP 00007ff902030390 .text 
C:\Windows\system32\AUDIODG.EXE[5604] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00007ff881f0b100 5 bytes JMP 00007ff9020302e0 .text C:\Windows\system32\AUDIODG.EXE[5604] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00007ff881f0b180 5 bytes JMP 00007ff9020302d0 .text C:\Windows\system32\AUDIODG.EXE[5604] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00007ff881f0b1a0 5 bytes JMP 00007ff902030310 .text C:\Windows\system32\AUDIODG.EXE[5604] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00007ff881f0b1e0 5 bytes JMP 00007ff9020303c0 .text C:\Windows\system32\AUDIODG.EXE[5604] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00007ff881f0b230 5 bytes JMP 00007ff9020303f0 .text C:\Windows\system32\AUDIODG.EXE[5604] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00007ff881f0b390 5 bytes JMP 00007ff902030230 .text C:\Windows\system32\AUDIODG.EXE[5604] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00007ff881f0b580 5 bytes JMP 00007ff902030480 .text C:\Windows\system32\AUDIODG.EXE[5604] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00007ff881f0b5b0 5 bytes JMP 00007ff9020303a0 .text C:\Windows\system32\AUDIODG.EXE[5604] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00007ff881f0b6d0 5 bytes JMP 00007ff9020302f0 .text C:\Windows\system32\AUDIODG.EXE[5604] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00007ff881f0b6f0 5 bytes JMP 00007ff902030350 .text C:\Windows\system32\AUDIODG.EXE[5604] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00007ff881f0b760 5 bytes JMP 00007ff902030290 .text C:\Windows\system32\AUDIODG.EXE[5604] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00007ff881f0b7f0 5 bytes JMP 00007ff9020302b0 .text C:\Windows\system32\AUDIODG.EXE[5604] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ff881f0b810 5 bytes JMP 00007ff9020303d0 .text C:\Windows\system32\AUDIODG.EXE[5604] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00007ff881f0b820 5 bytes JMP 00007ff902030330 .text C:\Windows\system32\AUDIODG.EXE[5604] 
C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00007ff881f0b8d0 5 bytes JMP 00007ff902030410 .text C:\Windows\system32\AUDIODG.EXE[5604] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00007ff881f0b900 5 bytes JMP 00007ff902030240 .text C:\Windows\system32\AUDIODG.EXE[5604] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00007ff881f0bc20 5 bytes JMP 00007ff9020301e0 .text C:\Windows\system32\AUDIODG.EXE[5604] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00007ff881f0bce0 5 bytes JMP 00007ff902030250 .text C:\Windows\system32\AUDIODG.EXE[5604] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00007ff881f0bd10 5 bytes JMP 00007ff902030490 .text C:\Windows\system32\AUDIODG.EXE[5604] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00007ff881f0bd20 5 bytes JMP 00007ff9020304a0 .text C:\Windows\system32\AUDIODG.EXE[5604] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00007ff881f0bd50 5 bytes JMP 00007ff902030300 .text C:\Windows\system32\AUDIODG.EXE[5604] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00007ff881f0bd60 5 bytes JMP 00007ff902030360 .text C:\Windows\system32\AUDIODG.EXE[5604] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00007ff881f0bdc0 5 bytes JMP 00007ff9020302a0 .text C:\Windows\system32\AUDIODG.EXE[5604] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00007ff881f0be10 5 bytes JMP 00007ff9020302c0 .text C:\Windows\system32\AUDIODG.EXE[5604] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00007ff881f0be40 5 bytes JMP 00007ff902030380 .text C:\Windows\system32\AUDIODG.EXE[5604] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00007ff881f0be50 5 bytes JMP 00007ff902030340 .text C:\Windows\system32\AUDIODG.EXE[5604] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00007ff881f0c160 5 bytes JMP 00007ff902030440 .text C:\Windows\system32\AUDIODG.EXE[5604] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00007ff881f0c360 5 bytes JMP 00007ff902030260 .text C:\Windows\system32\AUDIODG.EXE[5604] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00007ff881f0c370 5 bytes JMP 
00007ff902030270 .text C:\Windows\system32\AUDIODG.EXE[5604] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00007ff881f0c390 5 bytes JMP 00007ff902030400 .text C:\Windows\system32\AUDIODG.EXE[5604] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00007ff881f0c570 5 bytes JMP 00007ff9020301f0 .text C:\Windows\system32\AUDIODG.EXE[5604] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00007ff881f0c580 1 byte JMP 00007ff902030210 .text C:\Windows\system32\AUDIODG.EXE[5604] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState + 2 00007ff881f0c582 3 bytes {JMP 0xffffffff80123c90} .text C:\Windows\system32\AUDIODG.EXE[5604] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00007ff881f0c610 5 bytes JMP 00007ff902030200 .text C:\Windows\system32\AUDIODG.EXE[5604] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00007ff881f0c680 5 bytes JMP 00007ff902030420 .text C:\Windows\system32\AUDIODG.EXE[5604] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00007ff881f0c690 5 bytes JMP 00007ff902030430 .text C:\Windows\system32\AUDIODG.EXE[5604] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00007ff881f0c6a0 5 bytes JMP 00007ff902030220 .text C:\Windows\system32\AUDIODG.EXE[5604] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00007ff881f0c7b0 5 bytes JMP 00007ff902030280 .text C:\Windows\system32\AUDIODG.EXE[5604] C:\Windows\SYSTEM32\KERNEL32.DLL!GetBinaryTypeW + 165 00007ff8819f553d 1 byte [62] ---- Threads - GMER 2.1 ---- Thread C:\Windows\system32\csrss.exe [648:672] fffff96000968b90 Thread C:\Windows\Explorer.EXE [1408:5804] 0000000070e66550 Thread C:\Program Files (x86)\Sapphire TRIXX\TRIXX.exe [1608:4216] 000000006bcda301 ---- Processes - GMER 2.1 ---- Process C:\ProgramData\WindowsMangerProtect\ProtectWindowsManager.exe (*** suspicious ***) @ C:\ProgramData\WindowsMangerProtect\ProtectWindowsManager.exe [1684] (WindowsProtectManger Service/Fuyu LIMITED)(2014-08-30 03:11:59) 0000000000e10000 Library C:\Program 
Files\WindowsApps\Microsoft.SkypeApp_3.1.0.1005_x86__kzf8qxf38zg5c\Microsoft.PerfTrack.dll (*** suspicious ***) @ C:\Windows\syswow64\wwahost.exe [2296] (Microsoft.PerfTrack.dll/Microsoft Corporation)(2014-07-25 23:05:20) 00000000693e0000 Library C:\Program Files\WindowsApps\Microsoft.SkypeApp_3.1.0.1005_x86__kzf8qxf38zg5c\LibWrap.dll (*** suspicious ***) @ C:\Windows\syswow64\wwahost.exe [2296] (Microsoft Skype/Microsoft Corporation)(2014-08-13 13:27:06) 00000000615e0000 Library C:\Program Files\WindowsApps\Microsoft.SkypeApp_3.1.0.1005_x86__kzf8qxf38zg5c\MicrosoftAdvertising.dll (*** suspicious ***) @ C:\Windows\syswow64\wwahost.exe [2296] (Microsoft Advertising Native SDK for Windows 8/Microsoft Corporation)(2014-07-25 23:05:20) 000000005a4d0000 ---- Services - GMER 2.1 ---- Service C:\Program Files (x86)\Google\Update\GoogleUpdate.exe (*** hidden *** ) [AUTO] gupdate <-- ROOTKIT !!! Service C:\Program Files (x86)\Google\Update\GoogleUpdate.exe (*** hidden *** ) [MANUAL] gupdatem <-- ROOTKIT !!! ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\Control\MUI\StringCacheSettings@StringCacheGeneration 374 Reg HKLM\SYSTEM\CurrentControlSet\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\{9A2537F4-9F32-4121-A9C6-48A052F777AE}\Connection@Name isatap.csc.tvgvt Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager@PendingFileRenameOperations \??\C:\Users\Everson\AppData\Local\Temp\167E.tmp?? 
Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Kernel\RNG@RNGAuxiliarySeed 1947037410 Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\240a64395213 Reg HKLM\SYSTEM\CurrentControlSet\Services\gupdate Reg HKLM\SYSTEM\CurrentControlSet\Services\gupdate@Type 16 Reg HKLM\SYSTEM\CurrentControlSet\Services\gupdate@Start 2 Reg HKLM\SYSTEM\CurrentControlSet\Services\gupdate@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\Services\gupdate@ImagePath "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /svc Reg HKLM\SYSTEM\CurrentControlSet\Services\gupdate@DisplayName Servi?o do Google Update (gupdate) Reg HKLM\SYSTEM\CurrentControlSet\Services\gupdate@DependOnService RPCSS? Reg HKLM\SYSTEM\CurrentControlSet\Services\gupdate@WOW64 1 Reg HKLM\SYSTEM\CurrentControlSet\Services\gupdate@ObjectName LocalSystem Reg HKLM\SYSTEM\CurrentControlSet\Services\gupdate@Description Mant?m o seu software do Google atualizado. Se este servi?o for desativado ou interrompido, o seu software do Google n?o ser? mantido atualizado, o que significa que vulnerabilidades que poder?o surgir na seguran?a n?o ser?o reparadas e recursos poder?o n?o funcionar. Este servi?o ? desinstalado automaticamente quando n?o est? sendo usado por nenhum software do Google. Reg HKLM\SYSTEM\CurrentControlSet\Services\gupdate@DelayedAutostart 1 Reg HKLM\SYSTEM\CurrentControlSet\Services\gupdate Reg HKLM\SYSTEM\CurrentControlSet\Services\gupdatem Reg HKLM\SYSTEM\CurrentControlSet\Services\gupdatem@Type 16 Reg HKLM\SYSTEM\CurrentControlSet\Services\gupdatem@Start 3 Reg HKLM\SYSTEM\CurrentControlSet\Services\gupdatem@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\Services\gupdatem@ImagePath "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /medsvc Reg HKLM\SYSTEM\CurrentControlSet\Services\gupdatem@DisplayName Servi?o do Google Update (gupdatem) Reg HKLM\SYSTEM\CurrentControlSet\Services\gupdatem@DependOnService RPCSS? 
Reg HKLM\SYSTEM\CurrentControlSet\Services\gupdatem@WOW64 1 Reg HKLM\SYSTEM\CurrentControlSet\Services\gupdatem@ObjectName LocalSystem Reg HKLM\SYSTEM\CurrentControlSet\Services\gupdatem@Description Mant?m o seu software do Google atualizado. Se este servi?o for desativado ou interrompido, o seu software do Google n?o ser? mantido atualizado, o que significa que vulnerabilidades que poder?o surgir na seguran?a n?o ser?o reparadas e recursos poder?o n?o funcionar. Este servi?o ? desinstalado automaticamente quando n?o est? sendo usado por nenhum software do Google. Reg HKLM\SYSTEM\CurrentControlSet\Services\gupdatem@DelayedAutostart 1 Reg HKLM\SYSTEM\CurrentControlSet\Services\gupdatem Reg HKLM\SYSTEM\CurrentControlSet\Services\iphlpsvc\Parameters\Isatap\{9A2537F4-9F32-4121-A9C6-48A052F777AE}@ReusableType 0 Reg HKLM\SYSTEM\CurrentControlSet\Services\iphlpsvc\Parameters\Isatap\{9A2537F4-9F32-4121-A9C6-48A052F777AE}@DefunctTimestamp 0x24 0xE9 0x2D 0x54 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch@Epoch 1921 Reg HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch2@Epoch 995 Reg HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules@{79B4F874-FA93-49EA-AD8D-3DF36B30C2BA} v2.22|Action=Allow|Active=TRUE|Dir=In|Protocol=58|ICMP6=128:*|App=System|Name=@IpHlpSvc.dll,-502|Desc=@FirewallAPI.dll,-28547|EmbedCtxt=@FirewallAPI.dll,-25000| Reg HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules@{D5AA827E-0E64-47D5-9BEA-7C20A1C4BF71} v2.22|Action=Allow|Active=TRUE|Dir=Out|Protocol=58|ICMP6=128:*|Name=@IpHlpSvc.dll,-503|Desc=@FirewallAPI.dll,-28547|EmbedCtxt=@FirewallAPI.dll,-25000| Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@WindowsBandwidthBucketCounter 8248 Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@WindowsRequestBucketCounter 17935 Reg 
HKCU\Software\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@LastWindowsRequestBucketDrainTime 0xE7 0x79 0x5E 0xE6 ... Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@LastWindowsLargeRequestBucketDrainTime 0xE7 0x79 0x5E 0xE6 ... Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@LastOtherRequestBucketDrainTime 0xE7 0x79 0x5E 0xE6 ... Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@GlobalBandwidthBucketCounter 69713 Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@GlobalRequestBucketCounter 0 Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@LastGlobalRequestBucketDrainTime 0xE7 0x79 0x5E 0xE6 ... Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@LastUploadTime 0xEC 0x17 0x97 0x0A ... Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@RoamingSyncToken LM%3d63547895529090%3bID%3d7B0489E13CE85ABB!111%3bLR%3d63547864980460%3bEP%3d4%3bTD%3dTrue%3bSO%3d0 Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Live\Roaming\RegistrarData@LastRenewCollectionsInterest 0x4E 0x71 0x2F 0x99 ... ---- EOF - GMER 2.1 ----