GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2014-08-11 17:41:29 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-2 SAMSUNG_HD320KJ rev.CP100-12 298,09GB Running: 5r3n95zr.exe; Driver: C:\Users\Patryk\AppData\Local\Temp\kwrdipog.sys ---- Kernel code sections - GMER 2.1 ---- .text C:\Windows\system32\DRIVERS\USBPORT.SYS!DllUnload fffff88004028d8c 12 bytes {MOV RAX, 0xfffffa8002ca62a0; JMP RAX} ---- User code sections - GMER 2.1 ---- .text C:\Windows\system32\csrss.exe[408] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000778f1360 5 bytes JMP 0000000149990460 .text C:\Windows\system32\csrss.exe[408] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000778f13b0 5 bytes JMP 0000000149990450 .text C:\Windows\system32\csrss.exe[408] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000778f1510 5 bytes JMP 0000000149990370 .text C:\Windows\system32\csrss.exe[408] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000778f1560 5 bytes JMP 0000000149990470 .text C:\Windows\system32\csrss.exe[408] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000778f1570 5 bytes JMP 00000001499903e0 .text C:\Windows\system32\csrss.exe[408] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000778f1620 5 bytes JMP 0000000149990320 .text C:\Windows\system32\csrss.exe[408] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000778f1650 5 bytes JMP 00000001499903b0 .text C:\Windows\system32\csrss.exe[408] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000778f1670 5 bytes JMP 0000000149990390 .text C:\Windows\system32\csrss.exe[408] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778f16b0 5 bytes JMP 00000001499902e0 .text C:\Windows\system32\csrss.exe[408] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000778f1730 5 bytes JMP 00000001499902d0 .text C:\Windows\system32\csrss.exe[408] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000778f1750 5 bytes JMP 0000000149990310 .text C:\Windows\system32\csrss.exe[408] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000778f1790 5 bytes JMP 00000001499903c0 .text C:\Windows\system32\csrss.exe[408] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778f17e0 5 bytes JMP 00000001499903f0 .text C:\Windows\system32\csrss.exe[408] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000778f1940 5 bytes JMP 0000000149990230 .text C:\Windows\system32\csrss.exe[408] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000778f1b00 5 bytes JMP 0000000149990480 .text C:\Windows\system32\csrss.exe[408] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000778f1b30 5 bytes JMP 00000001499903a0 .text C:\Windows\system32\csrss.exe[408] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000778f1c10 5 bytes JMP 00000001499902f0 .text C:\Windows\system32\csrss.exe[408] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000778f1c20 5 bytes JMP 0000000149990350 .text C:\Windows\system32\csrss.exe[408] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000778f1c80 5 bytes JMP 0000000149990290 .text C:\Windows\system32\csrss.exe[408] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000778f1d10 5 bytes JMP 00000001499902b0 .text C:\Windows\system32\csrss.exe[408] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000778f1d30 5 bytes JMP 00000001499903d0 .text C:\Windows\system32\csrss.exe[408] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000778f1d40 5 bytes JMP 0000000149990330 .text C:\Windows\system32\csrss.exe[408] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000778f1db0 5 bytes JMP 0000000149990410 .text C:\Windows\system32\csrss.exe[408] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000778f1de0 5 bytes JMP 0000000149990240 .text C:\Windows\system32\csrss.exe[408] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778f20a0 5 bytes JMP 00000001499901e0 .text C:\Windows\system32\csrss.exe[408] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000778f2160 5 bytes JMP 0000000149990250 .text C:\Windows\system32\csrss.exe[408] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000778f2190 5 bytes JMP 0000000149990490 .text C:\Windows\system32\csrss.exe[408] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778f21a0 5 bytes JMP 00000001499904a0 .text C:\Windows\system32\csrss.exe[408] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778f21d0 5 bytes JMP 0000000149990300 .text C:\Windows\system32\csrss.exe[408] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778f21e0 5 bytes JMP 0000000149990360 .text C:\Windows\system32\csrss.exe[408] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000778f2240 5 bytes JMP 00000001499902a0 .text C:\Windows\system32\csrss.exe[408] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000778f2290 5 bytes JMP 00000001499902c0 .text C:\Windows\system32\csrss.exe[408] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000778f22c0 5 bytes JMP 0000000149990380 .text C:\Windows\system32\csrss.exe[408] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778f22d0 5 bytes JMP 0000000149990340 .text C:\Windows\system32\csrss.exe[408] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000778f25c0 5 bytes JMP 0000000149990440 .text C:\Windows\system32\csrss.exe[408] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778f27c0 5 bytes JMP 0000000149990260 .text C:\Windows\system32\csrss.exe[408] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778f27d0 5 bytes JMP 0000000149990270 .text C:\Windows\system32\csrss.exe[408] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778f27e0 5 bytes JMP 0000000149990400 .text C:\Windows\system32\csrss.exe[408] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778f29a0 5 bytes JMP 00000001499901f0 .text C:\Windows\system32\csrss.exe[408] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778f29b0 5 bytes JMP 0000000149990210 .text C:\Windows\system32\csrss.exe[408] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000778f2a20 5 bytes JMP 0000000149990200 .text C:\Windows\system32\csrss.exe[408] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000778f2a80 5 bytes JMP 0000000149990420 .text C:\Windows\system32\csrss.exe[408] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000778f2a90 5 bytes JMP 0000000149990430 .text C:\Windows\system32\csrss.exe[408] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000778f2aa0 5 bytes JMP 0000000149990220 .text C:\Windows\system32\csrss.exe[408] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000778f2b80 5 bytes JMP 0000000149990280 .text C:\Windows\system32\wininit.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000778f1360 5 bytes JMP 0000000077a50460 .text C:\Windows\system32\wininit.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000778f13b0 5 bytes JMP 0000000077a50450 .text C:\Windows\system32\wininit.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000778f1510 5 bytes JMP 0000000077a50370 .text C:\Windows\system32\wininit.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000778f1560 5 bytes JMP 0000000077a50470 .text C:\Windows\system32\wininit.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000778f1570 5 bytes JMP 0000000077a503e0 .text C:\Windows\system32\wininit.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000778f1620 5 bytes JMP 0000000077a50320 .text C:\Windows\system32\wininit.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000778f1650 5 bytes JMP 0000000077a503b0 .text C:\Windows\system32\wininit.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000778f1670 5 bytes JMP 0000000077a50390 .text C:\Windows\system32\wininit.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778f16b0 5 bytes JMP 0000000077a502e0 .text C:\Windows\system32\wininit.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000778f1730 5 bytes JMP 0000000077a502d0 .text C:\Windows\system32\wininit.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000778f1750 5 bytes JMP 0000000077a50310 .text C:\Windows\system32\wininit.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000778f1790 5 bytes JMP 0000000077a503c0 .text C:\Windows\system32\wininit.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778f17e0 5 bytes JMP 0000000077a503f0 .text C:\Windows\system32\wininit.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000778f1940 5 bytes JMP 0000000077a50230 .text C:\Windows\system32\wininit.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000778f1b00 5 bytes JMP 0000000077a50480 .text C:\Windows\system32\wininit.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000778f1b30 5 bytes JMP 0000000077a503a0 .text C:\Windows\system32\wininit.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000778f1c10 5 bytes JMP 0000000077a502f0 .text C:\Windows\system32\wininit.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000778f1c20 5 bytes JMP 0000000077a50350 .text C:\Windows\system32\wininit.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000778f1c80 5 bytes JMP 0000000077a50290 .text C:\Windows\system32\wininit.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000778f1d10 5 bytes JMP 0000000077a502b0 .text C:\Windows\system32\wininit.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000778f1d30 5 bytes JMP 0000000077a503d0 .text C:\Windows\system32\wininit.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000778f1d40 5 bytes JMP 0000000077a50330 .text C:\Windows\system32\wininit.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000778f1db0 5 bytes JMP 0000000077a50410 .text C:\Windows\system32\wininit.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000778f1de0 5 bytes JMP 0000000077a50240 .text C:\Windows\system32\wininit.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778f20a0 5 bytes JMP 0000000077a501e0 .text C:\Windows\system32\wininit.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000778f2160 5 bytes JMP 0000000077a50250 .text C:\Windows\system32\wininit.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000778f2190 5 bytes JMP 0000000077a50490 .text C:\Windows\system32\wininit.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778f21a0 5 bytes JMP 0000000077a504a0 .text C:\Windows\system32\wininit.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778f21d0 5 bytes JMP 0000000077a50300 .text C:\Windows\system32\wininit.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778f21e0 5 bytes JMP 0000000077a50360 .text C:\Windows\system32\wininit.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000778f2240 5 bytes JMP 0000000077a502a0 .text C:\Windows\system32\wininit.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000778f2290 5 bytes JMP 0000000077a502c0 .text C:\Windows\system32\wininit.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000778f22c0 5 bytes JMP 0000000077a50380 .text C:\Windows\system32\wininit.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778f22d0 5 bytes JMP 0000000077a50340 .text C:\Windows\system32\wininit.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000778f25c0 5 bytes JMP 0000000077a50440 .text C:\Windows\system32\wininit.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778f27c0 5 bytes JMP 0000000077a50260 .text C:\Windows\system32\wininit.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778f27d0 5 bytes JMP 0000000077a50270 .text C:\Windows\system32\wininit.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778f27e0 5 bytes JMP 0000000077a50400 .text C:\Windows\system32\wininit.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778f29a0 5 bytes JMP 0000000077a501f0 .text C:\Windows\system32\wininit.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778f29b0 5 bytes JMP 0000000077a50210 .text C:\Windows\system32\wininit.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000778f2a20 5 bytes JMP 0000000077a50200 .text C:\Windows\system32\wininit.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000778f2a80 5 bytes JMP 0000000077a50420 .text C:\Windows\system32\wininit.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000778f2a90 5 bytes JMP 0000000077a50430 .text C:\Windows\system32\wininit.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000778f2aa0 5 bytes JMP 0000000077a50220 .text C:\Windows\system32\wininit.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000778f2b80 5 bytes JMP 0000000077a50280 .text C:\Windows\system32\wininit.exe[468] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000777def8d 1 byte [62] .text C:\Windows\system32\csrss.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000778f1360 5 bytes JMP 0000000149990460 .text C:\Windows\system32\csrss.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000778f13b0 5 bytes JMP 0000000149990450 .text C:\Windows\system32\csrss.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000778f1510 5 bytes JMP 0000000149990370 .text C:\Windows\system32\csrss.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000778f1560 5 bytes JMP 0000000149990470 .text C:\Windows\system32\csrss.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000778f1570 5 bytes JMP 00000001499903e0 .text C:\Windows\system32\csrss.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000778f1620 5 bytes JMP 0000000149990320 .text C:\Windows\system32\csrss.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000778f1650 5 bytes JMP 00000001499903b0 .text C:\Windows\system32\csrss.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000778f1670 5 bytes JMP 0000000149990390 .text C:\Windows\system32\csrss.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778f16b0 5 bytes JMP 00000001499902e0 .text C:\Windows\system32\csrss.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000778f1730 5 bytes JMP 00000001499902d0 .text C:\Windows\system32\csrss.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000778f1750 5 bytes JMP 0000000149990310 .text C:\Windows\system32\csrss.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000778f1790 5 bytes JMP 00000001499903c0 .text C:\Windows\system32\csrss.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778f17e0 5 bytes JMP 00000001499903f0 .text C:\Windows\system32\csrss.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000778f1940 5 bytes JMP 0000000149990230 .text C:\Windows\system32\csrss.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000778f1b00 5 bytes JMP 0000000149990480 .text C:\Windows\system32\csrss.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000778f1b30 5 bytes JMP 00000001499903a0 .text C:\Windows\system32\csrss.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000778f1c10 5 bytes JMP 00000001499902f0 .text C:\Windows\system32\csrss.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000778f1c20 5 bytes JMP 0000000149990350 .text C:\Windows\system32\csrss.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000778f1c80 5 bytes JMP 0000000149990290 .text C:\Windows\system32\csrss.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000778f1d10 5 bytes JMP 00000001499902b0 .text C:\Windows\system32\csrss.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000778f1d30 5 bytes JMP 00000001499903d0 .text C:\Windows\system32\csrss.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000778f1d40 5 bytes JMP 0000000149990330 .text C:\Windows\system32\csrss.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000778f1db0 5 bytes JMP 0000000149990410 .text C:\Windows\system32\csrss.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000778f1de0 5 bytes JMP 0000000149990240 .text C:\Windows\system32\csrss.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778f20a0 5 bytes JMP 00000001499901e0 .text C:\Windows\system32\csrss.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000778f2160 5 bytes JMP 0000000149990250 .text C:\Windows\system32\csrss.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000778f2190 5 bytes JMP 0000000149990490 .text C:\Windows\system32\csrss.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778f21a0 5 bytes JMP 00000001499904a0 .text C:\Windows\system32\csrss.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778f21d0 5 bytes JMP 0000000149990300 .text C:\Windows\system32\csrss.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778f21e0 5 bytes JMP 0000000149990360 .text C:\Windows\system32\csrss.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000778f2240 5 bytes JMP 00000001499902a0 .text C:\Windows\system32\csrss.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000778f2290 5 bytes JMP 00000001499902c0 .text C:\Windows\system32\csrss.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000778f22c0 5 bytes JMP 0000000149990380 .text C:\Windows\system32\csrss.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778f22d0 5 bytes JMP 0000000149990340 .text C:\Windows\system32\csrss.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000778f25c0 5 bytes JMP 0000000149990440 .text C:\Windows\system32\csrss.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778f27c0 5 bytes JMP 0000000149990260 .text C:\Windows\system32\csrss.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778f27d0 5 bytes JMP 0000000149990270 .text C:\Windows\system32\csrss.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778f27e0 5 bytes JMP 0000000149990400 .text C:\Windows\system32\csrss.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778f29a0 5 bytes JMP 00000001499901f0 .text C:\Windows\system32\csrss.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778f29b0 5 bytes JMP 0000000149990210 .text C:\Windows\system32\csrss.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000778f2a20 5 bytes JMP 0000000149990200 .text C:\Windows\system32\csrss.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000778f2a80 5 bytes JMP 0000000149990420 .text C:\Windows\system32\csrss.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000778f2a90 5 bytes JMP 0000000149990430 .text C:\Windows\system32\csrss.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000778f2aa0 5 bytes JMP 0000000149990220 .text C:\Windows\system32\csrss.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000778f2b80 5 bytes JMP 0000000149990280 .text C:\Windows\system32\services.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000778f1360 5 bytes JMP 0000000077a50460 .text C:\Windows\system32\services.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000778f13b0 5 bytes JMP 0000000077a50450 .text C:\Windows\system32\services.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000778f1510 5 bytes JMP 0000000077a50370 .text C:\Windows\system32\services.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000778f1560 5 bytes JMP 0000000077a50470 .text C:\Windows\system32\services.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000778f1570 5 bytes JMP 0000000077a503e0 .text C:\Windows\system32\services.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000778f1620 5 bytes JMP 0000000077a50320 .text C:\Windows\system32\services.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000778f1650 5 bytes JMP 0000000077a503b0 .text C:\Windows\system32\services.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000778f1670 5 bytes JMP 0000000077a50390 .text C:\Windows\system32\services.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778f16b0 5 bytes JMP 0000000077a502e0 .text C:\Windows\system32\services.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000778f1730 5 bytes JMP 0000000077a502d0 .text C:\Windows\system32\services.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000778f1750 5 bytes JMP 0000000077a50310 .text C:\Windows\system32\services.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000778f1790 5 bytes JMP 0000000077a503c0 .text C:\Windows\system32\services.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778f17e0 5 bytes JMP 0000000077a503f0 .text C:\Windows\system32\services.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000778f1940 5 bytes JMP 0000000077a50230 .text C:\Windows\system32\services.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000778f1b00 5 bytes JMP 0000000077a50480 .text C:\Windows\system32\services.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000778f1b30 5 bytes JMP 0000000077a503a0 .text C:\Windows\system32\services.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000778f1c10 5 bytes JMP 0000000077a502f0 .text C:\Windows\system32\services.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000778f1c20 5 bytes JMP 0000000077a50350 .text C:\Windows\system32\services.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000778f1c80 5 bytes JMP 0000000077a50290 .text C:\Windows\system32\services.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000778f1d10 5 bytes JMP 0000000077a502b0 .text C:\Windows\system32\services.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000778f1d30 5 bytes JMP 0000000077a503d0 .text C:\Windows\system32\services.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000778f1d40 5 bytes JMP 0000000077a50330 .text C:\Windows\system32\services.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000778f1db0 5 bytes JMP 0000000077a50410 .text C:\Windows\system32\services.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000778f1de0 5 bytes JMP 0000000077a50240 .text C:\Windows\system32\services.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778f20a0 5 bytes JMP 0000000077a501e0 .text C:\Windows\system32\services.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000778f2160 5 bytes JMP 0000000077a50250 .text C:\Windows\system32\services.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000778f2190 5 bytes JMP 0000000077a50490 .text C:\Windows\system32\services.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778f21a0 5 bytes JMP 0000000077a504a0 .text C:\Windows\system32\services.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778f21d0 5 bytes JMP 0000000077a50300 .text C:\Windows\system32\services.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778f21e0 5 bytes JMP 0000000077a50360 .text C:\Windows\system32\services.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000778f2240 5 bytes JMP 0000000077a502a0 .text C:\Windows\system32\services.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000778f2290 5 bytes JMP 0000000077a502c0 .text C:\Windows\system32\services.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000778f22c0 5 bytes JMP 0000000077a50380 .text C:\Windows\system32\services.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778f22d0 5 bytes JMP 0000000077a50340 .text C:\Windows\system32\services.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000778f25c0 5 bytes JMP 0000000077a50440 .text C:\Windows\system32\services.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778f27c0 5 bytes JMP 0000000077a50260 .text C:\Windows\system32\services.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778f27d0 5 bytes JMP 0000000077a50270 .text C:\Windows\system32\services.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778f27e0 5 bytes JMP 0000000077a50400 .text C:\Windows\system32\services.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778f29a0 5 bytes JMP 0000000077a501f0 .text C:\Windows\system32\services.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778f29b0 5 bytes JMP 0000000077a50210 .text C:\Windows\system32\services.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000778f2a20 5 bytes JMP 0000000077a50200 .text C:\Windows\system32\services.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000778f2a80 5 bytes JMP 0000000077a50420 .text C:\Windows\system32\services.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000778f2a90 5 bytes JMP 0000000077a50430 .text C:\Windows\system32\services.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000778f2aa0 5 bytes JMP 0000000077a50220 .text C:\Windows\system32\services.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000778f2b80 5 bytes JMP 0000000077a50280 .text C:\Windows\system32\services.exe[516] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000777def8d 1 byte [62] .text C:\Windows\system32\winlogon.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000778f1360 5 bytes JMP 0000000077a50460 .text C:\Windows\system32\winlogon.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000778f13b0 5 bytes JMP 0000000077a50450 .text C:\Windows\system32\winlogon.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000778f1510 5 bytes JMP 0000000077a50370 .text C:\Windows\system32\winlogon.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000778f1560 5 bytes JMP 0000000077a50470 .text C:\Windows\system32\winlogon.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000778f1570 5 bytes JMP 0000000077a503e0 .text C:\Windows\system32\winlogon.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000778f1620 5 bytes JMP 0000000077a50320 .text C:\Windows\system32\winlogon.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000778f1650 5 bytes JMP 0000000077a503b0 .text C:\Windows\system32\winlogon.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000778f1670 5 bytes JMP 0000000077a50390 .text C:\Windows\system32\winlogon.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778f16b0 5 bytes JMP 0000000077a502e0 .text C:\Windows\system32\winlogon.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000778f1730 5 bytes JMP 0000000077a502d0 .text C:\Windows\system32\winlogon.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000778f1750 5 bytes JMP 0000000077a50310 .text C:\Windows\system32\winlogon.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000778f1790 5 bytes JMP 0000000077a503c0 .text C:\Windows\system32\winlogon.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778f17e0 5 bytes JMP 0000000077a503f0 .text C:\Windows\system32\winlogon.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000778f1940 5 bytes JMP 0000000077a50230 .text C:\Windows\system32\winlogon.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000778f1b00 5 bytes JMP 0000000077a50480 .text C:\Windows\system32\winlogon.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000778f1b30 5 bytes JMP 0000000077a503a0 .text C:\Windows\system32\winlogon.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000778f1c10 5 bytes JMP 0000000077a502f0 .text C:\Windows\system32\winlogon.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000778f1c20 5 bytes JMP 0000000077a50350 .text C:\Windows\system32\winlogon.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000778f1c80 5 bytes JMP 0000000077a50290 .text C:\Windows\system32\winlogon.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000778f1d10 5 bytes JMP 0000000077a502b0 .text C:\Windows\system32\winlogon.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000778f1d30 5 bytes JMP 0000000077a503d0 .text C:\Windows\system32\winlogon.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000778f1d40 5 bytes JMP 0000000077a50330 .text C:\Windows\system32\winlogon.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000778f1db0 5 bytes JMP 0000000077a50410 .text C:\Windows\system32\winlogon.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000778f1de0 5 bytes JMP 0000000077a50240 .text C:\Windows\system32\winlogon.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778f20a0 5 bytes JMP 0000000077a501e0 .text C:\Windows\system32\winlogon.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000778f2160 5 bytes JMP 0000000077a50250 .text C:\Windows\system32\winlogon.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000778f2190 5 bytes JMP 0000000077a50490 .text C:\Windows\system32\winlogon.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778f21a0 5 bytes JMP 0000000077a504a0 .text C:\Windows\system32\winlogon.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778f21d0 5 bytes JMP 0000000077a50300 .text C:\Windows\system32\winlogon.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778f21e0 5 bytes JMP 0000000077a50360 .text C:\Windows\system32\winlogon.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000778f2240 5 bytes JMP 0000000077a502a0 .text C:\Windows\system32\winlogon.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000778f2290 5 bytes JMP 0000000077a502c0 .text C:\Windows\system32\winlogon.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000778f22c0 5 bytes JMP 0000000077a50380 .text C:\Windows\system32\winlogon.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778f22d0 5 bytes JMP 0000000077a50340 .text C:\Windows\system32\winlogon.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000778f25c0 5 bytes JMP 0000000077a50440 .text C:\Windows\system32\winlogon.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778f27c0 5 bytes JMP 0000000077a50260 .text C:\Windows\system32\winlogon.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778f27d0 5 bytes JMP 0000000077a50270 .text C:\Windows\system32\winlogon.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778f27e0 5 bytes JMP 0000000077a50400 .text C:\Windows\system32\winlogon.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778f29a0 5 bytes JMP 0000000077a501f0 .text C:\Windows\system32\winlogon.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778f29b0 5 bytes JMP 0000000077a50210 .text C:\Windows\system32\winlogon.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000778f2a20 5 bytes JMP 0000000077a50200 .text C:\Windows\system32\winlogon.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000778f2a80 5 bytes JMP 0000000077a50420 .text C:\Windows\system32\winlogon.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000778f2a90 5 bytes JMP 0000000077a50430 .text C:\Windows\system32\winlogon.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000778f2aa0 5 bytes JMP 0000000077a50220 .text C:\Windows\system32\winlogon.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000778f2b80 5 bytes JMP 0000000077a50280 .text C:\Windows\system32\winlogon.exe[556] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000777def8d 1 byte [62] .text C:\Windows\system32\lsass.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000778f1360 5 bytes JMP 0000000077a50460 .text C:\Windows\system32\lsass.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000778f13b0 5 bytes JMP 0000000077a50450 .text C:\Windows\system32\lsass.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000778f1510 5 bytes JMP 0000000077a50370 .text C:\Windows\system32\lsass.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000778f1560 5 bytes JMP 0000000077a50470 .text C:\Windows\system32\lsass.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000778f1570 5 bytes JMP 0000000077a503e0 .text C:\Windows\system32\lsass.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000778f1620 5 bytes JMP 0000000077a50320 .text C:\Windows\system32\lsass.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000778f1650 5 bytes JMP 0000000077a503b0 .text C:\Windows\system32\lsass.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000778f1670 5 bytes JMP 0000000077a50390 .text C:\Windows\system32\lsass.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778f16b0 5 bytes JMP 0000000077a502e0 .text C:\Windows\system32\lsass.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000778f1730 5 bytes JMP 0000000077a502d0 .text C:\Windows\system32\lsass.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000778f1750 5 bytes JMP 0000000077a50310 .text C:\Windows\system32\lsass.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000778f1790 5 bytes JMP 0000000077a503c0 .text C:\Windows\system32\lsass.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778f17e0 5 bytes JMP 0000000077a503f0 .text C:\Windows\system32\lsass.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000778f1940 5 bytes JMP 0000000077a50230 .text C:\Windows\system32\lsass.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000778f1b00 5 bytes JMP 0000000077a50480 .text C:\Windows\system32\lsass.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000778f1b30 5 bytes JMP 0000000077a503a0 .text C:\Windows\system32\lsass.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000778f1c10 5 bytes JMP 0000000077a502f0 .text C:\Windows\system32\lsass.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000778f1c20 5 bytes JMP 0000000077a50350 .text C:\Windows\system32\lsass.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000778f1c80 5 bytes JMP 0000000077a50290 .text C:\Windows\system32\lsass.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000778f1d10 5 bytes JMP 0000000077a502b0 .text C:\Windows\system32\lsass.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000778f1d30 5 bytes JMP 0000000077a503d0 .text C:\Windows\system32\lsass.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000778f1d40 5 bytes JMP 0000000077a50330 .text C:\Windows\system32\lsass.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000778f1db0 5 bytes JMP 0000000077a50410 .text C:\Windows\system32\lsass.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000778f1de0 5 bytes JMP 0000000077a50240 .text C:\Windows\system32\lsass.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778f20a0 5 bytes JMP 0000000077a501e0 .text C:\Windows\system32\lsass.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000778f2160 5 bytes JMP 0000000077a50250 .text C:\Windows\system32\lsass.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000778f2190 5 bytes JMP 0000000077a50490 .text C:\Windows\system32\lsass.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778f21a0 5 bytes JMP 0000000077a504a0 .text C:\Windows\system32\lsass.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778f21d0 5 bytes JMP 0000000077a50300 .text C:\Windows\system32\lsass.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778f21e0 5 bytes JMP 0000000077a50360 .text C:\Windows\system32\lsass.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000778f2240 5 bytes JMP 0000000077a502a0 .text C:\Windows\system32\lsass.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000778f2290 5 bytes JMP 0000000077a502c0 .text C:\Windows\system32\lsass.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000778f22c0 5 bytes JMP 0000000077a50380 .text C:\Windows\system32\lsass.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778f22d0 5 bytes JMP 0000000077a50340 .text C:\Windows\system32\lsass.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000778f25c0 5 bytes JMP 0000000077a50440 .text C:\Windows\system32\lsass.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778f27c0 5 bytes JMP 0000000077a50260 .text C:\Windows\system32\lsass.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778f27d0 5 bytes JMP 0000000077a50270 .text C:\Windows\system32\lsass.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778f27e0 5 bytes JMP 0000000077a50400 .text C:\Windows\system32\lsass.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778f29a0 5 bytes JMP 0000000077a501f0 .text C:\Windows\system32\lsass.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778f29b0 5 bytes JMP 0000000077a50210 .text C:\Windows\system32\lsass.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000778f2a20 5 bytes JMP 0000000077a50200 .text C:\Windows\system32\lsass.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000778f2a80 5 bytes JMP 0000000077a50420 .text C:\Windows\system32\lsass.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000778f2a90 5 bytes JMP 0000000077a50430 .text C:\Windows\system32\lsass.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000778f2aa0 5 bytes JMP 0000000077a50220 .text C:\Windows\system32\lsass.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000778f2b80 5 bytes JMP 0000000077a50280 .text C:\Windows\system32\lsm.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000778f1360 5 bytes JMP 0000000077a50460 .text C:\Windows\system32\lsm.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000778f13b0 5 bytes JMP 0000000077a50450 .text C:\Windows\system32\lsm.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000778f1510 5 bytes JMP 0000000077a50370 .text C:\Windows\system32\lsm.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000778f1560 5 bytes JMP 0000000077a50470 .text C:\Windows\system32\lsm.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000778f1570 5 bytes JMP 0000000077a503e0 .text C:\Windows\system32\lsm.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000778f1620 5 bytes JMP 0000000077a50320 .text C:\Windows\system32\lsm.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000778f1650 5 bytes JMP 0000000077a503b0 .text C:\Windows\system32\lsm.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000778f1670 5 bytes JMP 0000000077a50390 .text C:\Windows\system32\lsm.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778f16b0 5 bytes JMP 0000000077a502e0 .text C:\Windows\system32\lsm.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000778f1730 5 bytes JMP 0000000077a502d0 .text C:\Windows\system32\lsm.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000778f1750 5 bytes JMP 0000000077a50310 .text C:\Windows\system32\lsm.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000778f1790 5 bytes JMP 0000000077a503c0 .text C:\Windows\system32\lsm.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778f17e0 5 bytes JMP 0000000077a503f0 .text C:\Windows\system32\lsm.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000778f1940 5 bytes JMP 0000000077a50230 .text C:\Windows\system32\lsm.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000778f1b00 5 bytes JMP 0000000077a50480 .text C:\Windows\system32\lsm.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000778f1b30 5 bytes JMP 0000000077a503a0 .text C:\Windows\system32\lsm.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000778f1c10 5 bytes JMP 0000000077a502f0 .text C:\Windows\system32\lsm.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000778f1c20 5 bytes JMP 0000000077a50350 .text C:\Windows\system32\lsm.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000778f1c80 5 bytes JMP 0000000077a50290 .text C:\Windows\system32\lsm.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000778f1d10 5 bytes JMP 0000000077a502b0 .text C:\Windows\system32\lsm.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000778f1d30 5 bytes JMP 0000000077a503d0 .text C:\Windows\system32\lsm.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000778f1d40 5 bytes JMP 0000000077a50330 .text C:\Windows\system32\lsm.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000778f1db0 5 bytes JMP 0000000077a50410 .text C:\Windows\system32\lsm.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000778f1de0 5 bytes JMP 0000000077a50240 .text C:\Windows\system32\lsm.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778f20a0 5 bytes JMP 0000000077a501e0 .text C:\Windows\system32\lsm.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000778f2160 5 bytes JMP 0000000077a50250 .text C:\Windows\system32\lsm.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000778f2190 5 bytes JMP 0000000077a50490 .text C:\Windows\system32\lsm.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778f21a0 5 bytes JMP 0000000077a504a0 .text C:\Windows\system32\lsm.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778f21d0 5 bytes JMP 0000000077a50300 .text C:\Windows\system32\lsm.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778f21e0 5 bytes JMP 0000000077a50360 .text C:\Windows\system32\lsm.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000778f2240 5 bytes JMP 0000000077a502a0 .text C:\Windows\system32\lsm.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000778f2290 5 bytes JMP 0000000077a502c0 .text C:\Windows\system32\lsm.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000778f22c0 5 bytes JMP 0000000077a50380 .text C:\Windows\system32\lsm.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778f22d0 5 bytes JMP 0000000077a50340 .text C:\Windows\system32\lsm.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000778f25c0 5 bytes JMP 0000000077a50440 .text C:\Windows\system32\lsm.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778f27c0 5 bytes JMP 0000000077a50260 .text C:\Windows\system32\lsm.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778f27d0 5 bytes JMP 0000000077a50270 .text C:\Windows\system32\lsm.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778f27e0 5 bytes JMP 0000000077a50400 .text C:\Windows\system32\lsm.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778f29a0 5 bytes JMP 0000000077a501f0 .text C:\Windows\system32\lsm.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778f29b0 5 bytes JMP 0000000077a50210 .text C:\Windows\system32\lsm.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000778f2a20 5 bytes JMP 0000000077a50200 .text C:\Windows\system32\lsm.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000778f2a80 5 bytes JMP 0000000077a50420 .text C:\Windows\system32\lsm.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000778f2a90 5 bytes JMP 0000000077a50430 .text C:\Windows\system32\lsm.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000778f2aa0 5 bytes JMP 0000000077a50220 .text C:\Windows\system32\lsm.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000778f2b80 5 bytes JMP 0000000077a50280 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000778f1360 5 bytes JMP 0000000077a50460 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000778f13b0 5 bytes JMP 0000000077a50450 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000778f1510 5 bytes JMP 0000000077a50370 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000778f1560 5 bytes JMP 0000000077a50470 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000778f1570 5 bytes JMP 0000000077a503e0 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000778f1620 5 bytes JMP 0000000077a50320 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000778f1650 5 bytes JMP 0000000077a503b0 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000778f1670 5 bytes JMP 0000000077a50390 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778f16b0 5 bytes JMP 0000000077a502e0 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000778f1730 5 bytes JMP 0000000077a502d0 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000778f1750 5 bytes JMP 0000000077a50310 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000778f1790 5 bytes JMP 0000000077a503c0 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778f17e0 5 bytes JMP 0000000077a503f0 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000778f1940 5 bytes JMP 0000000077a50230 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000778f1b00 5 bytes JMP 0000000077a50480 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000778f1b30 5 bytes JMP 0000000077a503a0 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000778f1c10 5 bytes JMP 0000000077a502f0 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000778f1c20 5 bytes JMP 0000000077a50350 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000778f1c80 5 bytes JMP 0000000077a50290 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000778f1d10 5 bytes JMP 0000000077a502b0 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000778f1d30 5 bytes JMP 0000000077a503d0 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000778f1d40 5 bytes JMP 0000000077a50330 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000778f1db0 5 bytes JMP 0000000077a50410 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000778f1de0 5 bytes JMP 0000000077a50240 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778f20a0 5 bytes JMP 0000000077a501e0 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000778f2160 5 bytes JMP 0000000077a50250 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000778f2190 5 bytes JMP 0000000077a50490 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778f21a0 5 bytes JMP 0000000077a504a0 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778f21d0 5 bytes JMP 0000000077a50300 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778f21e0 5 bytes JMP 0000000077a50360 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000778f2240 5 bytes JMP 0000000077a502a0 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000778f2290 5 bytes JMP 0000000077a502c0 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000778f22c0 5 bytes JMP 0000000077a50380 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778f22d0 5 bytes JMP 0000000077a50340 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000778f25c0 5 bytes JMP 0000000077a50440 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778f27c0 5 bytes JMP 0000000077a50260 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778f27d0 5 bytes JMP 0000000077a50270 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778f27e0 5 bytes JMP 0000000077a50400 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778f29a0 5 bytes JMP 0000000077a501f0 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778f29b0 5 bytes JMP 0000000077a50210 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000778f2a20 5 bytes JMP 0000000077a50200 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000778f2a80 5 bytes JMP 0000000077a50420 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000778f2a90 5 bytes JMP 0000000077a50430 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000778f2aa0 5 bytes JMP 0000000077a50220 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000778f2b80 5 bytes JMP 0000000077a50280 .text C:\Windows\system32\nvvsvc.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000778f1360 5 bytes JMP 0000000077a50460 .text C:\Windows\system32\nvvsvc.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000778f13b0 5 bytes JMP 0000000077a50450 .text C:\Windows\system32\nvvsvc.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000778f1510 5 bytes JMP 0000000077a50370 .text C:\Windows\system32\nvvsvc.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000778f1560 5 bytes JMP 0000000077a50470 .text C:\Windows\system32\nvvsvc.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000778f1570 5 bytes JMP 0000000077a503e0 .text C:\Windows\system32\nvvsvc.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000778f1620 5 bytes JMP 0000000077a50320 .text C:\Windows\system32\nvvsvc.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000778f1650 5 bytes JMP 0000000077a503b0 .text C:\Windows\system32\nvvsvc.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000778f1670 5 bytes JMP 0000000077a50390 .text C:\Windows\system32\nvvsvc.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778f16b0 5 bytes JMP 0000000077a502e0 .text C:\Windows\system32\nvvsvc.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000778f1730 5 bytes JMP 0000000077a502d0 .text C:\Windows\system32\nvvsvc.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000778f1750 5 bytes JMP 0000000077a50310 .text C:\Windows\system32\nvvsvc.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000778f1790 5 bytes JMP 0000000077a503c0 .text C:\Windows\system32\nvvsvc.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778f17e0 5 bytes JMP 0000000077a503f0 .text C:\Windows\system32\nvvsvc.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000778f1940 5 bytes JMP 0000000077a50230 .text C:\Windows\system32\nvvsvc.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000778f1b00 5 bytes JMP 0000000077a50480 .text C:\Windows\system32\nvvsvc.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000778f1b30 5 bytes JMP 0000000077a503a0 .text C:\Windows\system32\nvvsvc.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000778f1c10 5 bytes JMP 0000000077a502f0 .text C:\Windows\system32\nvvsvc.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000778f1c20 5 bytes JMP 0000000077a50350 .text C:\Windows\system32\nvvsvc.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000778f1c80 5 bytes JMP 0000000077a50290 .text C:\Windows\system32\nvvsvc.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000778f1d10 5 bytes JMP 0000000077a502b0 .text C:\Windows\system32\nvvsvc.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000778f1d30 5 bytes JMP 0000000077a503d0 .text C:\Windows\system32\nvvsvc.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000778f1d40 5 bytes JMP 0000000077a50330 .text C:\Windows\system32\nvvsvc.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000778f1db0 5 bytes JMP 0000000077a50410 .text C:\Windows\system32\nvvsvc.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000778f1de0 5 bytes JMP 0000000077a50240 .text C:\Windows\system32\nvvsvc.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778f20a0 5 bytes JMP 0000000077a501e0 .text C:\Windows\system32\nvvsvc.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000778f2160 5 bytes JMP 0000000077a50250 .text C:\Windows\system32\nvvsvc.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000778f2190 5 bytes JMP 0000000077a50490 .text C:\Windows\system32\nvvsvc.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778f21a0 5 bytes JMP 0000000077a504a0 .text C:\Windows\system32\nvvsvc.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778f21d0 5 bytes JMP 0000000077a50300 .text C:\Windows\system32\nvvsvc.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778f21e0 5 bytes JMP 0000000077a50360 .text C:\Windows\system32\nvvsvc.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000778f2240 5 bytes JMP 0000000077a502a0 .text C:\Windows\system32\nvvsvc.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000778f2290 5 bytes JMP 0000000077a502c0 .text C:\Windows\system32\nvvsvc.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000778f22c0 5 bytes JMP 0000000077a50380 .text C:\Windows\system32\nvvsvc.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778f22d0 5 bytes JMP 0000000077a50340 .text C:\Windows\system32\nvvsvc.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000778f25c0 5 bytes JMP 0000000077a50440 .text C:\Windows\system32\nvvsvc.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778f27c0 5 bytes JMP 0000000077a50260 .text C:\Windows\system32\nvvsvc.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778f27d0 5 bytes JMP 0000000077a50270 .text C:\Windows\system32\nvvsvc.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778f27e0 5 bytes JMP 0000000077a50400 .text C:\Windows\system32\nvvsvc.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778f29a0 5 bytes JMP 0000000077a501f0 .text C:\Windows\system32\nvvsvc.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778f29b0 5 bytes JMP 0000000077a50210 .text C:\Windows\system32\nvvsvc.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000778f2a20 5 bytes JMP 0000000077a50200 .text C:\Windows\system32\nvvsvc.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000778f2a80 5 bytes JMP 0000000077a50420 .text C:\Windows\system32\nvvsvc.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000778f2a90 5 bytes JMP 0000000077a50430 .text C:\Windows\system32\nvvsvc.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000778f2aa0 5 bytes JMP 0000000077a50220 .text C:\Windows\system32\nvvsvc.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000778f2b80 5 bytes JMP 0000000077a50280 .text C:\Windows\system32\nvvsvc.exe[800] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000777def8d 1 byte [62] .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000778f1360 5 bytes JMP 0000000077a50460 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000778f13b0 5 bytes JMP 0000000077a50450 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000778f1510 5 bytes JMP 0000000077a50370 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000778f1560 5 bytes JMP 0000000077a50470 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000778f1570 5 bytes JMP 0000000077a503e0 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000778f1620 5 bytes JMP 0000000077a50320 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000778f1650 5 bytes JMP 0000000077a503b0 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000778f1670 5 bytes JMP 0000000077a50390 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778f16b0 5 bytes JMP 0000000077a502e0 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000778f1730 5 bytes JMP 0000000077a502d0 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000778f1750 5 bytes JMP 0000000077a50310 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000778f1790 5 bytes JMP 0000000077a503c0 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778f17e0 5 bytes JMP 0000000077a503f0 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000778f1940 5 bytes JMP 0000000077a50230 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000778f1b00 5 bytes JMP 0000000077a50480 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000778f1b30 5 bytes JMP 0000000077a503a0 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000778f1c10 5 bytes JMP 0000000077a502f0 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000778f1c20 5 bytes JMP 0000000077a50350 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000778f1c80 5 bytes JMP 0000000077a50290 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000778f1d10 5 bytes JMP 0000000077a502b0 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000778f1d30 5 bytes JMP 0000000077a503d0 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000778f1d40 5 bytes JMP 0000000077a50330 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000778f1db0 5 bytes JMP 0000000077a50410 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000778f1de0 5 bytes JMP 0000000077a50240 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778f20a0 5 bytes JMP 0000000077a501e0 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000778f2160 5 bytes JMP 0000000077a50250 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000778f2190 5 bytes JMP 0000000077a50490 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778f21a0 5 bytes JMP 0000000077a504a0 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778f21d0 5 bytes JMP 0000000077a50300 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778f21e0 5 bytes JMP 0000000077a50360 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000778f2240 5 bytes JMP 0000000077a502a0 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000778f2290 5 bytes JMP 0000000077a502c0 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000778f22c0 5 bytes JMP 0000000077a50380 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778f22d0 5 bytes JMP 0000000077a50340 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000778f25c0 5 bytes JMP 0000000077a50440 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778f27c0 5 bytes JMP 0000000077a50260 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778f27d0 5 bytes JMP 0000000077a50270 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778f27e0 5 bytes JMP 0000000077a50400 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778f29a0 5 bytes JMP 0000000077a501f0 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778f29b0 5 bytes JMP 0000000077a50210 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000778f2a20 5 bytes JMP 0000000077a50200 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000778f2a80 5 bytes JMP 0000000077a50420 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000778f2a90 5 bytes JMP 0000000077a50430 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000778f2aa0 5 bytes JMP 0000000077a50220 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000778f2b80 5 bytes JMP 0000000077a50280 .text C:\Windows\System32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000778f1360 5 bytes JMP 0000000077a50460 .text C:\Windows\System32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000778f13b0 5 bytes JMP 0000000077a50450 .text C:\Windows\System32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000778f1510 5 bytes JMP 0000000077a50370 .text C:\Windows\System32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000778f1560 5 bytes JMP 0000000077a50470 .text C:\Windows\System32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000778f1570 5 bytes JMP 0000000077a503e0 .text C:\Windows\System32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000778f1620 5 bytes JMP 0000000077a50320 .text C:\Windows\System32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000778f1650 5 bytes JMP 0000000077a503b0 .text C:\Windows\System32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000778f1670 5 bytes JMP 0000000077a50390 .text C:\Windows\System32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778f16b0 5 bytes JMP 0000000077a502e0 .text C:\Windows\System32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000778f1730 5 bytes JMP 0000000077a502d0 .text C:\Windows\System32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000778f1750 5 bytes JMP 0000000077a50310 .text C:\Windows\System32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000778f1790 5 bytes JMP 0000000077a503c0 .text C:\Windows\System32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778f17e0 5 bytes JMP 0000000077a503f0 .text C:\Windows\System32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000778f1940 5 bytes JMP 0000000077a50230 .text C:\Windows\System32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000778f1b00 5 bytes JMP 0000000077a50480 .text C:\Windows\System32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000778f1b30 5 bytes JMP 0000000077a503a0 .text C:\Windows\System32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000778f1c10 5 bytes JMP 0000000077a502f0 .text C:\Windows\System32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000778f1c20 5 bytes JMP 0000000077a50350 .text C:\Windows\System32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000778f1c80 5 bytes JMP 0000000077a50290 .text C:\Windows\System32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000778f1d10 5 bytes JMP 0000000077a502b0 .text C:\Windows\System32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000778f1d30 5 bytes JMP 0000000077a503d0 .text C:\Windows\System32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000778f1d40 5 bytes JMP 0000000077a50330 .text C:\Windows\System32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000778f1db0 5 bytes JMP 0000000077a50410 .text C:\Windows\System32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000778f1de0 5 bytes JMP 0000000077a50240 .text C:\Windows\System32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778f20a0 5 bytes JMP 0000000077a501e0 .text C:\Windows\System32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000778f2160 5 bytes JMP 0000000077a50250 .text C:\Windows\System32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000778f2190 5 bytes JMP 0000000077a50490 .text C:\Windows\System32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778f21a0 5 bytes JMP 0000000077a504a0 .text C:\Windows\System32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778f21d0 5 bytes JMP 0000000077a50300 .text C:\Windows\System32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778f21e0 5 bytes JMP 0000000077a50360 .text C:\Windows\System32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000778f2240 5 bytes JMP 0000000077a502a0 .text C:\Windows\System32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000778f2290 5 bytes JMP 0000000077a502c0 .text C:\Windows\System32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000778f22c0 5 bytes JMP 0000000077a50380 .text C:\Windows\System32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778f22d0 5 bytes JMP 0000000077a50340 .text C:\Windows\System32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000778f25c0 5 bytes JMP 0000000077a50440 .text C:\Windows\System32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778f27c0 5 bytes JMP 0000000077a50260 .text C:\Windows\System32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778f27d0 5 bytes JMP 0000000077a50270 .text C:\Windows\System32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778f27e0 5 bytes JMP 0000000077a50400 .text C:\Windows\System32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778f29a0 5 bytes JMP 0000000077a501f0 .text C:\Windows\System32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778f29b0 5 bytes JMP 0000000077a50210 .text C:\Windows\System32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000778f2a20 5 bytes JMP 0000000077a50200 .text C:\Windows\System32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000778f2a80 5 bytes JMP 0000000077a50420 .text C:\Windows\System32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000778f2a90 5 bytes JMP 0000000077a50430 .text C:\Windows\System32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000778f2aa0 5 bytes JMP 0000000077a50220 .text C:\Windows\System32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000778f2b80 5 bytes JMP 0000000077a50280 .text C:\Windows\System32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000778f1360 5 bytes JMP 0000000077a50460 .text C:\Windows\System32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000778f13b0 5 bytes JMP 0000000077a50450 .text C:\Windows\System32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000778f1510 5 bytes JMP 0000000077a50370 .text C:\Windows\System32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000778f1560 5 bytes JMP 0000000077a50470 .text C:\Windows\System32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000778f1570 5 bytes JMP 0000000077a503e0 .text C:\Windows\System32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000778f1620 5 bytes JMP 0000000077a50320 .text C:\Windows\System32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000778f1650 5 bytes JMP 0000000077a503b0 .text C:\Windows\System32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000778f1670 5 bytes JMP 0000000077a50390 .text C:\Windows\System32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778f16b0 5 bytes JMP 0000000077a502e0 .text C:\Windows\System32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000778f1730 5 bytes JMP 0000000077a502d0 .text C:\Windows\System32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000778f1750 5 bytes JMP 0000000077a50310 .text C:\Windows\System32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000778f1790 5 bytes JMP 0000000077a503c0 .text C:\Windows\System32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778f17e0 5 bytes JMP 0000000077a503f0 .text C:\Windows\System32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000778f1940 5 bytes JMP 0000000077a50230 .text C:\Windows\System32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000778f1b00 5 bytes JMP 0000000077a50480 .text C:\Windows\System32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000778f1b30 5 bytes JMP 0000000077a503a0 .text C:\Windows\System32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000778f1c10 5 bytes JMP 0000000077a502f0 .text C:\Windows\System32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000778f1c20 5 bytes JMP 0000000077a50350 .text C:\Windows\System32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000778f1c80 5 bytes JMP 0000000077a50290 .text C:\Windows\System32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000778f1d10 5 bytes JMP 0000000077a502b0 .text C:\Windows\System32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000778f1d30 5 bytes JMP 0000000077a503d0 .text C:\Windows\System32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000778f1d40 5 bytes JMP 0000000077a50330 .text C:\Windows\System32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000778f1db0 5 bytes JMP 0000000077a50410 .text C:\Windows\System32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000778f1de0 5 bytes JMP 0000000077a50240 .text C:\Windows\System32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778f20a0 5 bytes JMP 0000000077a501e0 .text C:\Windows\System32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000778f2160 5 bytes JMP 0000000077a50250 .text C:\Windows\System32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000778f2190 5 bytes JMP 0000000077a50490 .text C:\Windows\System32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778f21a0 5 bytes JMP 0000000077a504a0 .text C:\Windows\System32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778f21d0 5 bytes JMP 0000000077a50300 .text C:\Windows\System32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778f21e0 5 bytes JMP 0000000077a50360 .text C:\Windows\System32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000778f2240 5 bytes JMP 0000000077a502a0 .text C:\Windows\System32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000778f2290 5 bytes JMP 0000000077a502c0 .text C:\Windows\System32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000778f22c0 5 bytes JMP 0000000077a50380 .text C:\Windows\System32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778f22d0 5 bytes JMP 0000000077a50340 .text C:\Windows\System32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000778f25c0 5 bytes JMP 0000000077a50440 .text C:\Windows\System32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778f27c0 5 bytes JMP 0000000077a50260 .text C:\Windows\System32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778f27d0 5 bytes JMP 0000000077a50270 .text C:\Windows\System32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778f27e0 5 bytes JMP 0000000077a50400 .text C:\Windows\System32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778f29a0 5 bytes JMP 0000000077a501f0 .text C:\Windows\System32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778f29b0 5 bytes JMP 0000000077a50210 .text C:\Windows\System32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000778f2a20 5 bytes JMP 0000000077a50200 .text C:\Windows\System32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000778f2a80 5 bytes JMP 0000000077a50420 .text C:\Windows\System32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000778f2a90 5 bytes JMP 0000000077a50430 .text C:\Windows\System32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000778f2aa0 5 bytes JMP 0000000077a50220 .text C:\Windows\System32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000778f2b80 5 bytes JMP 0000000077a50280 .text C:\Windows\System32\svchost.exe[988] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000777def8d 1 byte [62] .text C:\Windows\system32\svchost.exe[252] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000778f1360 5 bytes JMP 0000000077a50460 .text C:\Windows\system32\svchost.exe[252] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000778f13b0 5 bytes JMP 0000000077a50450 .text C:\Windows\system32\svchost.exe[252] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000778f1510 5 bytes JMP 0000000077a50370 .text C:\Windows\system32\svchost.exe[252] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000778f1560 5 bytes JMP 0000000077a50470 .text C:\Windows\system32\svchost.exe[252] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000778f1570 5 bytes JMP 0000000077a503e0 .text C:\Windows\system32\svchost.exe[252] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000778f1620 5 bytes JMP 0000000077a50320 .text C:\Windows\system32\svchost.exe[252] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000778f1650 5 bytes JMP 0000000077a503b0 .text C:\Windows\system32\svchost.exe[252] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000778f1670 5 bytes JMP 0000000077a50390 .text C:\Windows\system32\svchost.exe[252] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778f16b0 5 bytes JMP 0000000077a502e0 .text C:\Windows\system32\svchost.exe[252] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000778f1730 5 bytes JMP 0000000077a502d0 .text C:\Windows\system32\svchost.exe[252] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000778f1750 5 bytes JMP 0000000077a50310 .text C:\Windows\system32\svchost.exe[252] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000778f1790 5 bytes JMP 0000000077a503c0 .text C:\Windows\system32\svchost.exe[252] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778f17e0 5 bytes JMP 0000000077a503f0 .text C:\Windows\system32\svchost.exe[252] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000778f1940 5 bytes JMP 0000000077a50230 .text C:\Windows\system32\svchost.exe[252] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000778f1b00 5 bytes JMP 0000000077a50480 .text C:\Windows\system32\svchost.exe[252] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000778f1b30 5 bytes JMP 0000000077a503a0 .text C:\Windows\system32\svchost.exe[252] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000778f1c10 5 bytes JMP 0000000077a502f0 .text C:\Windows\system32\svchost.exe[252] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000778f1c20 5 bytes JMP 0000000077a50350 .text C:\Windows\system32\svchost.exe[252] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000778f1c80 5 bytes JMP 0000000077a50290 .text C:\Windows\system32\svchost.exe[252] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000778f1d10 5 bytes JMP 0000000077a502b0 .text C:\Windows\system32\svchost.exe[252] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000778f1d30 5 bytes JMP 0000000077a503d0 .text C:\Windows\system32\svchost.exe[252] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000778f1d40 5 bytes JMP 0000000077a50330 .text C:\Windows\system32\svchost.exe[252] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000778f1db0 5 bytes JMP 0000000077a50410 .text C:\Windows\system32\svchost.exe[252] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000778f1de0 5 bytes JMP 0000000077a50240 .text C:\Windows\system32\svchost.exe[252] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778f20a0 5 bytes JMP 0000000077a501e0 .text C:\Windows\system32\svchost.exe[252] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000778f2160 5 bytes JMP 0000000077a50250 .text C:\Windows\system32\svchost.exe[252] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000778f2190 5 bytes JMP 0000000077a50490 .text C:\Windows\system32\svchost.exe[252] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778f21a0 5 bytes JMP 0000000077a504a0 .text C:\Windows\system32\svchost.exe[252] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778f21d0 5 bytes JMP 0000000077a50300 .text C:\Windows\system32\svchost.exe[252] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778f21e0 5 bytes JMP 0000000077a50360 .text C:\Windows\system32\svchost.exe[252] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000778f2240 5 bytes JMP 0000000077a502a0 .text C:\Windows\system32\svchost.exe[252] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000778f2290 5 bytes JMP 0000000077a502c0 .text C:\Windows\system32\svchost.exe[252] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000778f22c0 5 bytes JMP 0000000077a50380 .text C:\Windows\system32\svchost.exe[252] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778f22d0 5 bytes JMP 0000000077a50340 .text C:\Windows\system32\svchost.exe[252] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000778f25c0 5 bytes JMP 0000000077a50440 .text C:\Windows\system32\svchost.exe[252] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778f27c0 5 bytes JMP 0000000077a50260 .text C:\Windows\system32\svchost.exe[252] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778f27d0 5 bytes JMP 0000000077a50270 .text C:\Windows\system32\svchost.exe[252] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778f27e0 5 bytes JMP 0000000077a50400 .text C:\Windows\system32\svchost.exe[252] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778f29a0 5 bytes JMP 0000000077a501f0 .text C:\Windows\system32\svchost.exe[252] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778f29b0 5 bytes JMP 0000000077a50210 .text C:\Windows\system32\svchost.exe[252] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000778f2a20 5 bytes JMP 0000000077a50200 .text C:\Windows\system32\svchost.exe[252] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000778f2a80 5 bytes JMP 0000000077a50420 .text C:\Windows\system32\svchost.exe[252] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000778f2a90 5 bytes JMP 0000000077a50430 .text C:\Windows\system32\svchost.exe[252] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000778f2aa0 5 bytes JMP 0000000077a50220 .text C:\Windows\system32\svchost.exe[252] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000778f2b80 5 bytes JMP 0000000077a50280 .text C:\Windows\system32\svchost.exe[356] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000778f1360 5 bytes JMP 0000000077a50460 .text C:\Windows\system32\svchost.exe[356] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000778f13b0 5 bytes JMP 0000000077a50450 .text C:\Windows\system32\svchost.exe[356] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000778f1510 5 bytes JMP 0000000077a50370 .text C:\Windows\system32\svchost.exe[356] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000778f1560 5 bytes JMP 0000000077a50470 .text C:\Windows\system32\svchost.exe[356] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000778f1570 5 bytes JMP 0000000077a503e0 .text C:\Windows\system32\svchost.exe[356] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000778f1620 5 bytes JMP 0000000077a50320 .text C:\Windows\system32\svchost.exe[356] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000778f1650 5 bytes JMP 0000000077a503b0 .text C:\Windows\system32\svchost.exe[356] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000778f1670 5 bytes JMP 0000000077a50390 .text C:\Windows\system32\svchost.exe[356] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778f16b0 5 bytes JMP 0000000077a502e0 .text C:\Windows\system32\svchost.exe[356] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000778f1730 5 bytes JMP 0000000077a502d0 .text C:\Windows\system32\svchost.exe[356] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000778f1750 5 bytes JMP 0000000077a50310 .text C:\Windows\system32\svchost.exe[356] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000778f1790 5 bytes JMP 0000000077a503c0 .text C:\Windows\system32\svchost.exe[356] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778f17e0 5 bytes JMP 0000000077a503f0 .text C:\Windows\system32\svchost.exe[356] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000778f1940 5 bytes JMP 0000000077a50230 .text C:\Windows\system32\svchost.exe[356] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000778f1b00 5 bytes JMP 0000000077a50480 .text C:\Windows\system32\svchost.exe[356] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000778f1b30 5 bytes JMP 0000000077a503a0 .text C:\Windows\system32\svchost.exe[356] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000778f1c10 5 bytes JMP 0000000077a502f0 .text C:\Windows\system32\svchost.exe[356] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000778f1c20 5 bytes JMP 0000000077a50350 .text C:\Windows\system32\svchost.exe[356] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000778f1c80 5 bytes JMP 0000000077a50290 .text C:\Windows\system32\svchost.exe[356] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000778f1d10 5 bytes JMP 0000000077a502b0 .text C:\Windows\system32\svchost.exe[356] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000778f1d30 5 bytes JMP 0000000077a503d0 .text C:\Windows\system32\svchost.exe[356] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000778f1d40 5 bytes JMP 0000000077a50330 .text C:\Windows\system32\svchost.exe[356] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000778f1db0 5 bytes JMP 0000000077a50410 .text C:\Windows\system32\svchost.exe[356] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000778f1de0 5 bytes JMP 0000000077a50240 .text C:\Windows\system32\svchost.exe[356] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778f20a0 5 bytes JMP 0000000077a501e0 .text C:\Windows\system32\svchost.exe[356] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000778f2160 5 bytes JMP 0000000077a50250 .text C:\Windows\system32\svchost.exe[356] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000778f2190 5 bytes JMP 0000000077a50490 .text C:\Windows\system32\svchost.exe[356] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778f21a0 5 bytes JMP 0000000077a504a0 .text C:\Windows\system32\svchost.exe[356] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778f21d0 5 bytes JMP 0000000077a50300 .text C:\Windows\system32\svchost.exe[356] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778f21e0 5 bytes JMP 0000000077a50360 .text C:\Windows\system32\svchost.exe[356] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000778f2240 5 bytes JMP 0000000077a502a0 .text C:\Windows\system32\svchost.exe[356] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000778f2290 5 bytes JMP 0000000077a502c0 .text C:\Windows\system32\svchost.exe[356] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000778f22c0 5 bytes JMP 0000000077a50380 .text C:\Windows\system32\svchost.exe[356] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778f22d0 5 bytes JMP 0000000077a50340 .text C:\Windows\system32\svchost.exe[356] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000778f25c0 5 bytes JMP 0000000077a50440 .text C:\Windows\system32\svchost.exe[356] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778f27c0 5 bytes JMP 0000000077a50260 .text C:\Windows\system32\svchost.exe[356] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778f27d0 5 bytes JMP 0000000077a50270 .text C:\Windows\system32\svchost.exe[356] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778f27e0 5 bytes JMP 0000000077a50400 .text C:\Windows\system32\svchost.exe[356] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778f29a0 5 bytes JMP 0000000077a501f0 .text C:\Windows\system32\svchost.exe[356] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778f29b0 5 bytes JMP 0000000077a50210 .text C:\Windows\system32\svchost.exe[356] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000778f2a20 5 bytes JMP 0000000077a50200 .text C:\Windows\system32\svchost.exe[356] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000778f2a80 5 bytes JMP 0000000077a50420 .text C:\Windows\system32\svchost.exe[356] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000778f2a90 5 bytes JMP 0000000077a50430 .text C:\Windows\system32\svchost.exe[356] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000778f2aa0 5 bytes JMP 0000000077a50220 .text C:\Windows\system32\svchost.exe[356] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000778f2b80 5 bytes JMP 0000000077a50280 .text C:\Windows\system32\svchost.exe[356] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000777def8d 1 byte [62] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1152] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000778f1360 5 bytes JMP 0000000077a50460 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1152] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000778f13b0 5 bytes JMP 0000000077a50450 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1152] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000778f1510 5 bytes JMP 0000000077a50370 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1152] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000778f1560 5 bytes JMP 0000000077a50470 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1152] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000778f1570 5 bytes JMP 0000000077a503e0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1152] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000778f1620 5 bytes JMP 0000000077a50320 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1152] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000778f1650 5 bytes JMP 0000000077a503b0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1152] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000778f1670 5 bytes JMP 0000000077a50390 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1152] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778f16b0 5 bytes JMP 0000000077a502e0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1152] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000778f1730 5 bytes JMP 0000000077a502d0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1152] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000778f1750 5 bytes JMP 0000000077a50310 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1152] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000778f1790 5 bytes JMP 0000000077a503c0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1152] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778f17e0 5 bytes JMP 0000000077a503f0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1152] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000778f1940 5 bytes JMP 0000000077a50230 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1152] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000778f1b00 5 bytes JMP 0000000077a50480 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1152] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000778f1b30 5 bytes JMP 0000000077a503a0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1152] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000778f1c10 5 bytes JMP 0000000077a502f0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1152] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000778f1c20 5 bytes JMP 0000000077a50350 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1152] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000778f1c80 5 bytes JMP 0000000077a50290 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1152] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000778f1d10 5 bytes JMP 0000000077a502b0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1152] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000778f1d30 5 bytes JMP 0000000077a503d0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1152] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000778f1d40 5 bytes JMP 0000000077a50330 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1152] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000778f1db0 5 bytes JMP 0000000077a50410 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1152] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000778f1de0 5 bytes JMP 0000000077a50240 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1152] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778f20a0 5 bytes JMP 0000000077a501e0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1152] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000778f2160 5 bytes JMP 0000000077a50250 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1152] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000778f2190 5 bytes JMP 0000000077a50490 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1152] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778f21a0 5 bytes JMP 0000000077a504a0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1152] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778f21d0 5 bytes JMP 0000000077a50300 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1152] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778f21e0 5 bytes JMP 0000000077a50360 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1152] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000778f2240 5 bytes JMP 0000000077a502a0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1152] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000778f2290 5 bytes JMP 0000000077a502c0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1152] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000778f22c0 5 bytes JMP 0000000077a50380 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1152] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778f22d0 5 bytes JMP 0000000077a50340 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1152] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000778f25c0 5 bytes JMP 0000000077a50440 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1152] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778f27c0 5 bytes JMP 0000000077a50260 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1152] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778f27d0 5 bytes JMP 0000000077a50270 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1152] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778f27e0 5 bytes JMP 0000000077a50400 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1152] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778f29a0 5 bytes JMP 0000000077a501f0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1152] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778f29b0 5 bytes JMP 0000000077a50210 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1152] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000778f2a20 5 bytes JMP 0000000077a50200 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1152] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000778f2a80 5 bytes JMP 0000000077a50420 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1152] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000778f2a90 5 bytes JMP 0000000077a50430 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1152] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000778f2aa0 5 bytes JMP 0000000077a50220 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1152] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000778f2b80 5 bytes JMP 0000000077a50280 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1152] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000777def8d 1 byte [62] .text C:\Windows\system32\nvvsvc.exe[1160] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000778f1360 5 bytes JMP 0000000077a50460 .text C:\Windows\system32\nvvsvc.exe[1160] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000778f13b0 5 bytes JMP 0000000077a50450 .text C:\Windows\system32\nvvsvc.exe[1160] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000778f1510 5 bytes JMP 0000000077a50370 .text C:\Windows\system32\nvvsvc.exe[1160] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000778f1560 5 bytes JMP 0000000077a50470 .text C:\Windows\system32\nvvsvc.exe[1160] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000778f1570 5 bytes JMP 0000000077a503e0 .text C:\Windows\system32\nvvsvc.exe[1160] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000778f1620 5 bytes JMP 0000000077a50320 .text C:\Windows\system32\nvvsvc.exe[1160] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000778f1650 5 bytes JMP 0000000077a503b0 .text C:\Windows\system32\nvvsvc.exe[1160] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000778f1670 5 bytes JMP 0000000077a50390 .text C:\Windows\system32\nvvsvc.exe[1160] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778f16b0 5 bytes JMP 0000000077a502e0 .text C:\Windows\system32\nvvsvc.exe[1160] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000778f1730 5 bytes JMP 0000000077a502d0 .text C:\Windows\system32\nvvsvc.exe[1160] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000778f1750 5 bytes JMP 0000000077a50310 .text C:\Windows\system32\nvvsvc.exe[1160] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000778f1790 5 bytes JMP 0000000077a503c0 .text C:\Windows\system32\nvvsvc.exe[1160] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778f17e0 5 bytes JMP 0000000077a503f0 .text C:\Windows\system32\nvvsvc.exe[1160] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000778f1940 5 bytes JMP 0000000077a50230 .text C:\Windows\system32\nvvsvc.exe[1160] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000778f1b00 5 bytes JMP 0000000077a50480 .text C:\Windows\system32\nvvsvc.exe[1160] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000778f1b30 5 bytes JMP 0000000077a503a0 .text C:\Windows\system32\nvvsvc.exe[1160] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000778f1c10 5 bytes JMP 0000000077a502f0 .text C:\Windows\system32\nvvsvc.exe[1160] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000778f1c20 5 bytes JMP 0000000077a50350 .text C:\Windows\system32\nvvsvc.exe[1160] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000778f1c80 5 bytes JMP 0000000077a50290 .text C:\Windows\system32\nvvsvc.exe[1160] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000778f1d10 5 bytes JMP 0000000077a502b0 .text C:\Windows\system32\nvvsvc.exe[1160] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000778f1d30 5 bytes JMP 0000000077a503d0 .text C:\Windows\system32\nvvsvc.exe[1160] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000778f1d40 5 bytes JMP 0000000077a50330 .text C:\Windows\system32\nvvsvc.exe[1160] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000778f1db0 5 bytes JMP 0000000077a50410 .text C:\Windows\system32\nvvsvc.exe[1160] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000778f1de0 5 bytes JMP 0000000077a50240 .text C:\Windows\system32\nvvsvc.exe[1160] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778f20a0 5 bytes JMP 0000000077a501e0 .text C:\Windows\system32\nvvsvc.exe[1160] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000778f2160 5 bytes JMP 0000000077a50250 .text C:\Windows\system32\nvvsvc.exe[1160] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000778f2190 5 bytes JMP 0000000077a50490 .text C:\Windows\system32\nvvsvc.exe[1160] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778f21a0 5 bytes JMP 0000000077a504a0 .text C:\Windows\system32\nvvsvc.exe[1160] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778f21d0 5 bytes JMP 0000000077a50300 .text C:\Windows\system32\nvvsvc.exe[1160] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778f21e0 5 bytes JMP 0000000077a50360 .text C:\Windows\system32\nvvsvc.exe[1160] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000778f2240 5 bytes JMP 0000000077a502a0 .text C:\Windows\system32\nvvsvc.exe[1160] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000778f2290 5 bytes JMP 0000000077a502c0 .text C:\Windows\system32\nvvsvc.exe[1160] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000778f22c0 5 bytes JMP 0000000077a50380 .text C:\Windows\system32\nvvsvc.exe[1160] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778f22d0 5 bytes JMP 0000000077a50340 .text C:\Windows\system32\nvvsvc.exe[1160] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000778f25c0 5 bytes JMP 0000000077a50440 .text C:\Windows\system32\nvvsvc.exe[1160] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778f27c0 5 bytes JMP 0000000077a50260 .text C:\Windows\system32\nvvsvc.exe[1160] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778f27d0 5 bytes JMP 0000000077a50270 .text C:\Windows\system32\nvvsvc.exe[1160] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778f27e0 5 bytes JMP 0000000077a50400 .text C:\Windows\system32\nvvsvc.exe[1160] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778f29a0 5 bytes JMP 0000000077a501f0 .text C:\Windows\system32\nvvsvc.exe[1160] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778f29b0 5 bytes JMP 0000000077a50210 .text C:\Windows\system32\nvvsvc.exe[1160] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000778f2a20 5 bytes JMP 0000000077a50200 .text C:\Windows\system32\nvvsvc.exe[1160] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000778f2a80 5 bytes JMP 0000000077a50420 .text C:\Windows\system32\nvvsvc.exe[1160] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000778f2a90 5 bytes JMP 0000000077a50430 .text C:\Windows\system32\nvvsvc.exe[1160] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000778f2aa0 5 bytes JMP 0000000077a50220 .text C:\Windows\system32\nvvsvc.exe[1160] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000778f2b80 5 bytes JMP 0000000077a50280 .text C:\Windows\system32\nvvsvc.exe[1160] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000777def8d 1 byte [62] .text C:\Windows\system32\svchost.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000778f1360 5 bytes JMP 0000000077a50460 .text C:\Windows\system32\svchost.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000778f13b0 5 bytes JMP 0000000077a50450 .text C:\Windows\system32\svchost.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000778f1510 5 bytes JMP 0000000077a50370 .text C:\Windows\system32\svchost.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000778f1560 5 bytes JMP 0000000077a50470 .text C:\Windows\system32\svchost.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000778f1570 5 bytes JMP 0000000077a503e0 .text C:\Windows\system32\svchost.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000778f1620 5 bytes JMP 0000000077a50320 .text C:\Windows\system32\svchost.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000778f1650 5 bytes JMP 0000000077a503b0 .text C:\Windows\system32\svchost.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000778f1670 5 bytes JMP 0000000077a50390 .text C:\Windows\system32\svchost.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778f16b0 5 bytes JMP 0000000077a502e0 .text C:\Windows\system32\svchost.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000778f1730 5 bytes JMP 0000000077a502d0 .text C:\Windows\system32\svchost.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000778f1750 5 bytes JMP 0000000077a50310 .text C:\Windows\system32\svchost.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000778f1790 5 bytes JMP 0000000077a503c0 .text C:\Windows\system32\svchost.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778f17e0 5 bytes JMP 0000000077a503f0 .text C:\Windows\system32\svchost.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000778f1940 5 bytes JMP 0000000077a50230 .text C:\Windows\system32\svchost.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000778f1b00 5 bytes JMP 0000000077a50480 .text C:\Windows\system32\svchost.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000778f1b30 5 bytes JMP 0000000077a503a0 .text C:\Windows\system32\svchost.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000778f1c10 5 bytes JMP 0000000077a502f0 .text C:\Windows\system32\svchost.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000778f1c20 5 bytes JMP 0000000077a50350 .text C:\Windows\system32\svchost.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000778f1c80 5 bytes JMP 0000000077a50290 .text C:\Windows\system32\svchost.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000778f1d10 5 bytes JMP 0000000077a502b0 .text C:\Windows\system32\svchost.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000778f1d30 5 bytes JMP 0000000077a503d0 .text C:\Windows\system32\svchost.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000778f1d40 5 bytes JMP 0000000077a50330 .text C:\Windows\system32\svchost.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000778f1db0 5 bytes JMP 0000000077a50410 .text C:\Windows\system32\svchost.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000778f1de0 5 bytes JMP 0000000077a50240 .text C:\Windows\system32\svchost.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778f20a0 5 bytes JMP 0000000077a501e0 .text C:\Windows\system32\svchost.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000778f2160 5 bytes JMP 0000000077a50250 .text C:\Windows\system32\svchost.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000778f2190 5 bytes JMP 0000000077a50490 .text C:\Windows\system32\svchost.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778f21a0 5 bytes JMP 0000000077a504a0 .text C:\Windows\system32\svchost.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778f21d0 5 bytes JMP 0000000077a50300 .text C:\Windows\system32\svchost.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778f21e0 5 bytes JMP 0000000077a50360 .text C:\Windows\system32\svchost.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000778f2240 5 bytes JMP 0000000077a502a0 .text C:\Windows\system32\svchost.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000778f2290 5 bytes JMP 0000000077a502c0 .text C:\Windows\system32\svchost.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000778f22c0 5 bytes JMP 0000000077a50380 .text C:\Windows\system32\svchost.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778f22d0 5 bytes JMP 0000000077a50340 .text C:\Windows\system32\svchost.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000778f25c0 5 bytes JMP 0000000077a50440 .text C:\Windows\system32\svchost.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778f27c0 5 bytes JMP 0000000077a50260 .text C:\Windows\system32\svchost.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778f27d0 5 bytes JMP 0000000077a50270 .text C:\Windows\system32\svchost.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778f27e0 5 bytes JMP 0000000077a50400 .text C:\Windows\system32\svchost.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778f29a0 5 bytes JMP 0000000077a501f0 .text C:\Windows\system32\svchost.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778f29b0 5 bytes JMP 0000000077a50210 .text C:\Windows\system32\svchost.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000778f2a20 5 bytes JMP 0000000077a50200 .text C:\Windows\system32\svchost.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000778f2a80 5 bytes JMP 0000000077a50420 .text C:\Windows\system32\svchost.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000778f2a90 5 bytes JMP 0000000077a50430 .text C:\Windows\system32\svchost.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000778f2aa0 5 bytes JMP 0000000077a50220 .text C:\Windows\system32\svchost.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000778f2b80 5 bytes JMP 0000000077a50280 .text C:\Windows\system32\svchost.exe[1192] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000777def8d 1 byte [62] .text C:\Windows\System32\spoolsv.exe[1544] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000778f1360 5 bytes JMP 0000000077a50460 .text C:\Windows\System32\spoolsv.exe[1544] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000778f13b0 5 bytes JMP 0000000077a50450 .text C:\Windows\System32\spoolsv.exe[1544] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000778f1510 5 bytes JMP 0000000077a50370 .text C:\Windows\System32\spoolsv.exe[1544] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000778f1560 5 bytes JMP 0000000077a50470 .text C:\Windows\System32\spoolsv.exe[1544] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000778f1570 5 bytes JMP 0000000077a503e0 .text C:\Windows\System32\spoolsv.exe[1544] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000778f1620 5 bytes JMP 0000000077a50320 .text C:\Windows\System32\spoolsv.exe[1544] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000778f1650 5 bytes JMP 0000000077a503b0 .text C:\Windows\System32\spoolsv.exe[1544] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000778f1670 5 bytes JMP 0000000077a50390 .text C:\Windows\System32\spoolsv.exe[1544] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778f16b0 5 bytes JMP 0000000077a502e0 .text C:\Windows\System32\spoolsv.exe[1544] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000778f1730 5 bytes JMP 0000000077a502d0 .text C:\Windows\System32\spoolsv.exe[1544] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000778f1750 5 bytes JMP 0000000077a50310 .text C:\Windows\System32\spoolsv.exe[1544] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000778f1790 5 bytes JMP 0000000077a503c0 .text C:\Windows\System32\spoolsv.exe[1544] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778f17e0 5 bytes JMP 0000000077a503f0 .text C:\Windows\System32\spoolsv.exe[1544] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000778f1940 5 bytes JMP 0000000077a50230 .text C:\Windows\System32\spoolsv.exe[1544] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000778f1b00 5 bytes JMP 0000000077a50480 .text C:\Windows\System32\spoolsv.exe[1544] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000778f1b30 5 bytes JMP 0000000077a503a0 .text C:\Windows\System32\spoolsv.exe[1544] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000778f1c10 5 bytes JMP 0000000077a502f0 .text C:\Windows\System32\spoolsv.exe[1544] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000778f1c20 5 bytes JMP 0000000077a50350 .text C:\Windows\System32\spoolsv.exe[1544] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000778f1c80 5 bytes JMP 0000000077a50290 .text C:\Windows\System32\spoolsv.exe[1544] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000778f1d10 5 bytes JMP 0000000077a502b0 .text C:\Windows\System32\spoolsv.exe[1544] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000778f1d30 5 bytes JMP 0000000077a503d0 .text C:\Windows\System32\spoolsv.exe[1544] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000778f1d40 5 bytes JMP 0000000077a50330 .text C:\Windows\System32\spoolsv.exe[1544] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000778f1db0 5 bytes JMP 0000000077a50410 .text C:\Windows\System32\spoolsv.exe[1544] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000778f1de0 5 bytes JMP 0000000077a50240 .text C:\Windows\System32\spoolsv.exe[1544] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778f20a0 5 bytes JMP 0000000077a501e0 .text C:\Windows\System32\spoolsv.exe[1544] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000778f2160 5 bytes JMP 0000000077a50250 .text C:\Windows\System32\spoolsv.exe[1544] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000778f2190 5 bytes JMP 0000000077a50490 .text C:\Windows\System32\spoolsv.exe[1544] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778f21a0 5 bytes JMP 0000000077a504a0 .text C:\Windows\System32\spoolsv.exe[1544] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778f21d0 5 bytes JMP 0000000077a50300 .text C:\Windows\System32\spoolsv.exe[1544] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778f21e0 5 bytes JMP 0000000077a50360 .text C:\Windows\System32\spoolsv.exe[1544] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000778f2240 5 bytes JMP 0000000077a502a0 .text C:\Windows\System32\spoolsv.exe[1544] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000778f2290 5 bytes JMP 0000000077a502c0 .text C:\Windows\System32\spoolsv.exe[1544] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000778f22c0 5 bytes JMP 0000000077a50380 .text C:\Windows\System32\spoolsv.exe[1544] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778f22d0 5 bytes JMP 0000000077a50340 .text C:\Windows\System32\spoolsv.exe[1544] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000778f25c0 5 bytes JMP 0000000077a50440 .text C:\Windows\System32\spoolsv.exe[1544] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778f27c0 5 bytes JMP 0000000077a50260 .text C:\Windows\System32\spoolsv.exe[1544] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778f27d0 5 bytes JMP 0000000077a50270 .text C:\Windows\System32\spoolsv.exe[1544] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778f27e0 5 bytes JMP 0000000077a50400 .text C:\Windows\System32\spoolsv.exe[1544] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778f29a0 5 bytes JMP 0000000077a501f0 .text C:\Windows\System32\spoolsv.exe[1544] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778f29b0 5 bytes JMP 0000000077a50210 .text C:\Windows\System32\spoolsv.exe[1544] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000778f2a20 5 bytes JMP 0000000077a50200 .text C:\Windows\System32\spoolsv.exe[1544] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000778f2a80 5 bytes JMP 0000000077a50420 .text C:\Windows\System32\spoolsv.exe[1544] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000778f2a90 5 bytes JMP 0000000077a50430 .text C:\Windows\System32\spoolsv.exe[1544] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000778f2aa0 5 bytes JMP 0000000077a50220 .text C:\Windows\System32\spoolsv.exe[1544] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000778f2b80 5 bytes JMP 0000000077a50280 .text C:\Windows\system32\svchost.exe[1580] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000778f1360 5 bytes JMP 0000000077a50460 .text C:\Windows\system32\svchost.exe[1580] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000778f13b0 5 bytes JMP 0000000077a50450 .text C:\Windows\system32\svchost.exe[1580] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000778f1510 5 bytes JMP 0000000077a50370 .text C:\Windows\system32\svchost.exe[1580] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000778f1560 5 bytes JMP 0000000077a50470 .text C:\Windows\system32\svchost.exe[1580] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000778f1570 5 bytes JMP 0000000077a503e0 .text C:\Windows\system32\svchost.exe[1580] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000778f1620 5 bytes JMP 0000000077a50320 .text C:\Windows\system32\svchost.exe[1580] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000778f1650 5 bytes JMP 0000000077a503b0 .text C:\Windows\system32\svchost.exe[1580] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000778f1670 5 bytes JMP 0000000077a50390 .text C:\Windows\system32\svchost.exe[1580] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778f16b0 5 bytes JMP 0000000077a502e0 .text C:\Windows\system32\svchost.exe[1580] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000778f1730 5 bytes JMP 0000000077a502d0 .text C:\Windows\system32\svchost.exe[1580] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000778f1750 5 bytes JMP 0000000077a50310 .text C:\Windows\system32\svchost.exe[1580] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000778f1790 5 bytes JMP 0000000077a503c0 .text C:\Windows\system32\svchost.exe[1580] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778f17e0 5 bytes JMP 0000000077a503f0 .text C:\Windows\system32\svchost.exe[1580] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000778f1940 5 bytes JMP 0000000077a50230 .text C:\Windows\system32\svchost.exe[1580] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000778f1b00 5 bytes JMP 0000000077a50480 .text C:\Windows\system32\svchost.exe[1580] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000778f1b30 5 bytes JMP 0000000077a503a0 .text C:\Windows\system32\svchost.exe[1580] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000778f1c10 5 bytes JMP 0000000077a502f0 .text C:\Windows\system32\svchost.exe[1580] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000778f1c20 5 bytes JMP 0000000077a50350 .text C:\Windows\system32\svchost.exe[1580] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000778f1c80 5 bytes JMP 0000000077a50290 .text C:\Windows\system32\svchost.exe[1580] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000778f1d10 5 bytes JMP 0000000077a502b0 .text C:\Windows\system32\svchost.exe[1580] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000778f1d30 5 bytes JMP 0000000077a503d0 .text C:\Windows\system32\svchost.exe[1580] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000778f1d40 5 bytes JMP 0000000077a50330 .text C:\Windows\system32\svchost.exe[1580] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000778f1db0 5 bytes JMP 0000000077a50410 .text C:\Windows\system32\svchost.exe[1580] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000778f1de0 5 bytes JMP 0000000077a50240 .text C:\Windows\system32\svchost.exe[1580] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778f20a0 5 bytes JMP 0000000077a501e0 .text C:\Windows\system32\svchost.exe[1580] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000778f2160 5 bytes JMP 0000000077a50250 .text C:\Windows\system32\svchost.exe[1580] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000778f2190 5 bytes JMP 0000000077a50490 .text C:\Windows\system32\svchost.exe[1580] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778f21a0 5 bytes JMP 0000000077a504a0 .text C:\Windows\system32\svchost.exe[1580] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778f21d0 5 bytes JMP 0000000077a50300 .text C:\Windows\system32\svchost.exe[1580] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778f21e0 5 bytes JMP 0000000077a50360 .text C:\Windows\system32\svchost.exe[1580] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000778f2240 5 bytes JMP 0000000077a502a0 .text C:\Windows\system32\svchost.exe[1580] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000778f2290 5 bytes JMP 0000000077a502c0 .text C:\Windows\system32\svchost.exe[1580] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000778f22c0 5 bytes JMP 0000000077a50380 .text C:\Windows\system32\svchost.exe[1580] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778f22d0 5 bytes JMP 0000000077a50340 .text C:\Windows\system32\svchost.exe[1580] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000778f25c0 5 bytes JMP 0000000077a50440 .text C:\Windows\system32\svchost.exe[1580] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778f27c0 5 bytes JMP 0000000077a50260 .text C:\Windows\system32\svchost.exe[1580] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778f27d0 5 bytes JMP 0000000077a50270 .text C:\Windows\system32\svchost.exe[1580] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778f27e0 5 bytes JMP 0000000077a50400 .text C:\Windows\system32\svchost.exe[1580] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778f29a0 5 bytes JMP 0000000077a501f0 .text C:\Windows\system32\svchost.exe[1580] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778f29b0 5 bytes JMP 0000000077a50210 .text C:\Windows\system32\svchost.exe[1580] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000778f2a20 5 bytes JMP 0000000077a50200 .text C:\Windows\system32\svchost.exe[1580] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000778f2a80 5 bytes JMP 0000000077a50420 .text C:\Windows\system32\svchost.exe[1580] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000778f2a90 5 bytes JMP 0000000077a50430 .text C:\Windows\system32\svchost.exe[1580] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000778f2aa0 5 bytes JMP 0000000077a50220 .text C:\Windows\system32\svchost.exe[1580] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000778f2b80 5 bytes JMP 0000000077a50280 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1816] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007703a2fd 1 byte [62] .text C:\Windows\system32\svchost.exe[1888] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000778f1360 5 bytes JMP 0000000077a50460 .text C:\Windows\system32\svchost.exe[1888] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000778f13b0 5 bytes JMP 0000000077a50450 .text C:\Windows\system32\svchost.exe[1888] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000778f1510 5 bytes JMP 0000000077a50370 .text C:\Windows\system32\svchost.exe[1888] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000778f1560 5 bytes JMP 0000000077a50470 .text C:\Windows\system32\svchost.exe[1888] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000778f1570 5 bytes JMP 0000000077a503e0 .text C:\Windows\system32\svchost.exe[1888] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000778f1620 5 bytes JMP 0000000077a50320 .text C:\Windows\system32\svchost.exe[1888] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000778f1650 5 bytes JMP 0000000077a503b0 .text C:\Windows\system32\svchost.exe[1888] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000778f1670 5 bytes JMP 0000000077a50390 .text C:\Windows\system32\svchost.exe[1888] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778f16b0 5 bytes JMP 0000000077a502e0 .text C:\Windows\system32\svchost.exe[1888] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000778f1730 5 bytes JMP 0000000077a502d0 .text C:\Windows\system32\svchost.exe[1888] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000778f1750 5 bytes JMP 0000000077a50310 .text C:\Windows\system32\svchost.exe[1888] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000778f1790 5 bytes JMP 0000000077a503c0 .text C:\Windows\system32\svchost.exe[1888] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778f17e0 5 bytes JMP 0000000077a503f0 .text C:\Windows\system32\svchost.exe[1888] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000778f1940 5 bytes JMP 0000000077a50230 .text C:\Windows\system32\svchost.exe[1888] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000778f1b00 5 bytes JMP 0000000077a50480 .text C:\Windows\system32\svchost.exe[1888] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000778f1b30 5 bytes JMP 0000000077a503a0 .text C:\Windows\system32\svchost.exe[1888] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000778f1c10 5 bytes JMP 0000000077a502f0 .text C:\Windows\system32\svchost.exe[1888] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000778f1c20 5 bytes JMP 0000000077a50350 .text C:\Windows\system32\svchost.exe[1888] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000778f1c80 5 bytes JMP 0000000077a50290 .text C:\Windows\system32\svchost.exe[1888] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000778f1d10 5 bytes JMP 0000000077a502b0 .text C:\Windows\system32\svchost.exe[1888] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000778f1d30 5 bytes JMP 0000000077a503d0 .text C:\Windows\system32\svchost.exe[1888] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000778f1d40 5 bytes JMP 0000000077a50330 .text C:\Windows\system32\svchost.exe[1888] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000778f1db0 5 bytes JMP 0000000077a50410 .text C:\Windows\system32\svchost.exe[1888] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000778f1de0 5 bytes JMP 0000000077a50240 .text C:\Windows\system32\svchost.exe[1888] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778f20a0 5 bytes JMP 0000000077a501e0 .text C:\Windows\system32\svchost.exe[1888] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000778f2160 5 bytes JMP 0000000077a50250 .text C:\Windows\system32\svchost.exe[1888] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000778f2190 5 bytes JMP 0000000077a50490 .text C:\Windows\system32\svchost.exe[1888] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778f21a0 5 bytes JMP 0000000077a504a0 .text C:\Windows\system32\svchost.exe[1888] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778f21d0 5 bytes JMP 0000000077a50300 .text C:\Windows\system32\svchost.exe[1888] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778f21e0 5 bytes JMP 0000000077a50360 .text C:\Windows\system32\svchost.exe[1888] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000778f2240 5 bytes JMP 0000000077a502a0 .text C:\Windows\system32\svchost.exe[1888] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000778f2290 5 bytes JMP 0000000077a502c0 .text C:\Windows\system32\svchost.exe[1888] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000778f22c0 5 bytes JMP 0000000077a50380 .text C:\Windows\system32\svchost.exe[1888] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778f22d0 5 bytes JMP 0000000077a50340 .text C:\Windows\system32\svchost.exe[1888] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000778f25c0 5 bytes JMP 0000000077a50440 .text C:\Windows\system32\svchost.exe[1888] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778f27c0 5 bytes JMP 0000000077a50260 .text C:\Windows\system32\svchost.exe[1888] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778f27d0 5 bytes JMP 0000000077a50270 .text C:\Windows\system32\svchost.exe[1888] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778f27e0 5 bytes JMP 0000000077a50400 .text C:\Windows\system32\svchost.exe[1888] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778f29a0 5 bytes JMP 0000000077a501f0 .text C:\Windows\system32\svchost.exe[1888] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778f29b0 5 bytes JMP 0000000077a50210 .text C:\Windows\system32\svchost.exe[1888] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000778f2a20 5 bytes JMP 0000000077a50200 .text C:\Windows\system32\svchost.exe[1888] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000778f2a80 5 bytes JMP 0000000077a50420 .text C:\Windows\system32\svchost.exe[1888] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000778f2a90 5 bytes JMP 0000000077a50430 .text C:\Windows\system32\svchost.exe[1888] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000778f2aa0 5 bytes JMP 0000000077a50220 .text C:\Windows\system32\svchost.exe[1888] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000778f2b80 5 bytes JMP 0000000077a50280 .text C:\Windows\system32\svchost.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000778f1360 5 bytes JMP 0000000077a50460 .text C:\Windows\system32\svchost.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000778f13b0 5 bytes JMP 0000000077a50450 .text C:\Windows\system32\svchost.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000778f1510 5 bytes JMP 0000000077a50370 .text C:\Windows\system32\svchost.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000778f1560 5 bytes JMP 0000000077a50470 .text C:\Windows\system32\svchost.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000778f1570 5 bytes JMP 0000000077a503e0 .text C:\Windows\system32\svchost.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000778f1620 5 bytes JMP 0000000077a50320 .text C:\Windows\system32\svchost.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000778f1650 5 bytes JMP 0000000077a503b0 .text C:\Windows\system32\svchost.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000778f1670 5 bytes JMP 0000000077a50390 .text C:\Windows\system32\svchost.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778f16b0 5 bytes JMP 0000000077a502e0 .text C:\Windows\system32\svchost.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000778f1730 5 bytes JMP 0000000077a502d0 .text C:\Windows\system32\svchost.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000778f1750 5 bytes JMP 0000000077a50310 .text C:\Windows\system32\svchost.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000778f1790 5 bytes JMP 0000000077a503c0 .text C:\Windows\system32\svchost.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778f17e0 5 bytes JMP 0000000077a503f0 .text C:\Windows\system32\svchost.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000778f1940 5 bytes JMP 0000000077a50230 .text C:\Windows\system32\svchost.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000778f1b00 5 bytes JMP 0000000077a50480 .text C:\Windows\system32\svchost.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000778f1b30 5 bytes JMP 0000000077a503a0 .text C:\Windows\system32\svchost.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000778f1c10 5 bytes JMP 0000000077a502f0 .text C:\Windows\system32\svchost.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000778f1c20 5 bytes JMP 0000000077a50350 .text C:\Windows\system32\svchost.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000778f1c80 5 bytes JMP 0000000077a50290 .text C:\Windows\system32\svchost.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000778f1d10 5 bytes JMP 0000000077a502b0 .text C:\Windows\system32\svchost.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000778f1d30 5 bytes JMP 0000000077a503d0 .text C:\Windows\system32\svchost.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000778f1d40 5 bytes JMP 0000000077a50330 .text C:\Windows\system32\svchost.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000778f1db0 5 bytes JMP 0000000077a50410 .text C:\Windows\system32\svchost.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000778f1de0 5 bytes JMP 0000000077a50240 .text C:\Windows\system32\svchost.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778f20a0 5 bytes JMP 0000000077a501e0 .text C:\Windows\system32\svchost.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000778f2160 5 bytes JMP 0000000077a50250 .text C:\Windows\system32\svchost.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000778f2190 5 bytes JMP 0000000077a50490 .text C:\Windows\system32\svchost.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778f21a0 5 bytes JMP 0000000077a504a0 .text C:\Windows\system32\svchost.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778f21d0 5 bytes JMP 0000000077a50300 .text C:\Windows\system32\svchost.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778f21e0 5 bytes JMP 0000000077a50360 .text C:\Windows\system32\svchost.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000778f2240 5 bytes JMP 0000000077a502a0 .text C:\Windows\system32\svchost.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000778f2290 5 bytes JMP 0000000077a502c0 .text C:\Windows\system32\svchost.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000778f22c0 5 bytes JMP 0000000077a50380 .text C:\Windows\system32\svchost.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778f22d0 5 bytes JMP 0000000077a50340 .text C:\Windows\system32\svchost.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000778f25c0 5 bytes JMP 0000000077a50440 .text C:\Windows\system32\svchost.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778f27c0 5 bytes JMP 0000000077a50260 .text C:\Windows\system32\svchost.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778f27d0 5 bytes JMP 0000000077a50270 .text C:\Windows\system32\svchost.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778f27e0 5 bytes JMP 0000000077a50400 .text C:\Windows\system32\svchost.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778f29a0 5 bytes JMP 0000000077a501f0 .text C:\Windows\system32\svchost.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778f29b0 5 bytes JMP 0000000077a50210 .text C:\Windows\system32\svchost.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000778f2a20 5 bytes JMP 0000000077a50200 .text C:\Windows\system32\svchost.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000778f2a80 5 bytes JMP 0000000077a50420 .text C:\Windows\system32\svchost.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000778f2a90 5 bytes JMP 0000000077a50430 .text C:\Windows\system32\svchost.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000778f2aa0 5 bytes JMP 0000000077a50220 .text C:\Windows\system32\svchost.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000778f2b80 5 bytes JMP 0000000077a50280 .text C:\Windows\System32\svchost.exe[1460] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000778f1360 5 bytes JMP 0000000077a50460 .text C:\Windows\System32\svchost.exe[1460] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000778f13b0 5 bytes JMP 0000000077a50450 .text C:\Windows\System32\svchost.exe[1460] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000778f1510 5 bytes JMP 0000000077a50370 .text C:\Windows\System32\svchost.exe[1460] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000778f1560 5 bytes JMP 0000000077a50470 .text C:\Windows\System32\svchost.exe[1460] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000778f1570 5 bytes JMP 0000000077a503e0 .text C:\Windows\System32\svchost.exe[1460] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000778f1620 5 bytes JMP 0000000077a50320 .text C:\Windows\System32\svchost.exe[1460] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000778f1650 5 bytes JMP 0000000077a503b0 .text C:\Windows\System32\svchost.exe[1460] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000778f1670 5 bytes JMP 0000000077a50390 .text C:\Windows\System32\svchost.exe[1460] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778f16b0 5 bytes JMP 0000000077a502e0 .text C:\Windows\System32\svchost.exe[1460] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000778f1730 5 bytes JMP 0000000077a502d0 .text C:\Windows\System32\svchost.exe[1460] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000778f1750 5 bytes JMP 0000000077a50310 .text C:\Windows\System32\svchost.exe[1460] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000778f1790 5 bytes JMP 0000000077a503c0 .text C:\Windows\System32\svchost.exe[1460] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778f17e0 5 bytes JMP 0000000077a503f0 .text C:\Windows\System32\svchost.exe[1460] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000778f1940 5 bytes JMP 0000000077a50230 .text C:\Windows\System32\svchost.exe[1460] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000778f1b00 5 bytes JMP 0000000077a50480 .text C:\Windows\System32\svchost.exe[1460] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000778f1b30 5 bytes JMP 0000000077a503a0 .text C:\Windows\System32\svchost.exe[1460] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000778f1c10 5 bytes JMP 0000000077a502f0 .text C:\Windows\System32\svchost.exe[1460] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000778f1c20 5 bytes JMP 0000000077a50350 .text C:\Windows\System32\svchost.exe[1460] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000778f1c80 5 bytes JMP 0000000077a50290 .text C:\Windows\System32\svchost.exe[1460] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000778f1d10 5 bytes JMP 0000000077a502b0 .text C:\Windows\System32\svchost.exe[1460] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000778f1d30 5 bytes JMP 0000000077a503d0 .text C:\Windows\System32\svchost.exe[1460] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000778f1d40 5 bytes JMP 0000000077a50330 .text C:\Windows\System32\svchost.exe[1460] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000778f1db0 5 bytes JMP 0000000077a50410 .text C:\Windows\System32\svchost.exe[1460] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000778f1de0 5 bytes JMP 0000000077a50240 .text C:\Windows\System32\svchost.exe[1460] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778f20a0 5 bytes JMP 0000000077a501e0 .text C:\Windows\System32\svchost.exe[1460] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000778f2160 5 bytes JMP 0000000077a50250 .text C:\Windows\System32\svchost.exe[1460] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000778f2190 5 bytes JMP 0000000077a50490 .text C:\Windows\System32\svchost.exe[1460] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778f21a0 5 bytes JMP 0000000077a504a0 .text C:\Windows\System32\svchost.exe[1460] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778f21d0 5 bytes JMP 0000000077a50300 .text C:\Windows\System32\svchost.exe[1460] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778f21e0 5 bytes JMP 0000000077a50360 .text C:\Windows\System32\svchost.exe[1460] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000778f2240 5 bytes JMP 0000000077a502a0 .text C:\Windows\System32\svchost.exe[1460] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000778f2290 5 bytes JMP 0000000077a502c0 .text C:\Windows\System32\svchost.exe[1460] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000778f22c0 5 bytes JMP 0000000077a50380 .text C:\Windows\System32\svchost.exe[1460] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778f22d0 5 bytes JMP 0000000077a50340 .text C:\Windows\System32\svchost.exe[1460] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000778f25c0 5 bytes JMP 0000000077a50440 .text C:\Windows\System32\svchost.exe[1460] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778f27c0 5 bytes JMP 0000000077a50260 .text C:\Windows\System32\svchost.exe[1460] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778f27d0 5 bytes JMP 0000000077a50270 .text C:\Windows\System32\svchost.exe[1460] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778f27e0 5 bytes JMP 0000000077a50400 .text C:\Windows\System32\svchost.exe[1460] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778f29a0 5 bytes JMP 0000000077a501f0 .text C:\Windows\System32\svchost.exe[1460] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778f29b0 5 bytes JMP 0000000077a50210 .text C:\Windows\System32\svchost.exe[1460] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000778f2a20 5 bytes JMP 0000000077a50200 .text C:\Windows\System32\svchost.exe[1460] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000778f2a80 5 bytes JMP 0000000077a50420 .text C:\Windows\System32\svchost.exe[1460] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000778f2a90 5 bytes JMP 0000000077a50430 .text C:\Windows\System32\svchost.exe[1460] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000778f2aa0 5 bytes JMP 0000000077a50220 .text C:\Windows\System32\svchost.exe[1460] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000778f2b80 5 bytes JMP 0000000077a50280 .text C:\Windows\system32\taskhost.exe[2200] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000778f1360 5 bytes JMP 0000000077a50460 .text C:\Windows\system32\taskhost.exe[2200] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000778f13b0 5 bytes JMP 0000000077a50450 .text C:\Windows\system32\taskhost.exe[2200] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000778f1510 5 bytes JMP 0000000077a50370 .text C:\Windows\system32\taskhost.exe[2200] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000778f1560 5 bytes JMP 0000000077a50470 .text C:\Windows\system32\taskhost.exe[2200] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000778f1570 5 bytes JMP 0000000077a503e0 .text C:\Windows\system32\taskhost.exe[2200] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000778f1620 5 bytes JMP 0000000077a50320 .text C:\Windows\system32\taskhost.exe[2200] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000778f1650 5 bytes JMP 0000000077a503b0 .text C:\Windows\system32\taskhost.exe[2200] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000778f1670 5 bytes JMP 0000000077a50390 .text C:\Windows\system32\taskhost.exe[2200] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778f16b0 5 bytes JMP 0000000077a502e0 .text C:\Windows\system32\taskhost.exe[2200] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000778f1730 5 bytes JMP 0000000077a502d0 .text C:\Windows\system32\taskhost.exe[2200] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000778f1750 5 bytes JMP 0000000077a50310 .text C:\Windows\system32\taskhost.exe[2200] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000778f1790 5 bytes JMP 0000000077a503c0 .text C:\Windows\system32\taskhost.exe[2200] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778f17e0 5 bytes JMP 0000000077a503f0 .text C:\Windows\system32\taskhost.exe[2200] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000778f1940 5 bytes JMP 0000000077a50230 .text C:\Windows\system32\taskhost.exe[2200] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000778f1b00 5 bytes JMP 0000000077a50480 .text C:\Windows\system32\taskhost.exe[2200] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000778f1b30 5 bytes JMP 0000000077a503a0 .text C:\Windows\system32\taskhost.exe[2200] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000778f1c10 5 bytes JMP 0000000077a502f0 .text C:\Windows\system32\taskhost.exe[2200] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000778f1c20 5 bytes JMP 0000000077a50350 .text C:\Windows\system32\taskhost.exe[2200] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000778f1c80 5 bytes JMP 0000000077a50290 .text C:\Windows\system32\taskhost.exe[2200] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000778f1d10 5 bytes JMP 0000000077a502b0 .text C:\Windows\system32\taskhost.exe[2200] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000778f1d30 5 bytes JMP 0000000077a503d0 .text C:\Windows\system32\taskhost.exe[2200] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000778f1d40 5 bytes JMP 0000000077a50330 .text C:\Windows\system32\taskhost.exe[2200] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000778f1db0 5 bytes JMP 0000000077a50410 .text C:\Windows\system32\taskhost.exe[2200] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000778f1de0 5 bytes JMP 0000000077a50240 .text C:\Windows\system32\taskhost.exe[2200] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778f20a0 5 bytes JMP 0000000077a501e0 .text C:\Windows\system32\taskhost.exe[2200] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000778f2160 5 bytes JMP 0000000077a50250 .text C:\Windows\system32\taskhost.exe[2200] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000778f2190 5 bytes JMP 0000000077a50490 .text C:\Windows\system32\taskhost.exe[2200] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778f21a0 5 bytes JMP 0000000077a504a0 .text C:\Windows\system32\taskhost.exe[2200] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778f21d0 5 bytes JMP 0000000077a50300 .text C:\Windows\system32\taskhost.exe[2200] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778f21e0 5 bytes JMP 0000000077a50360 .text C:\Windows\system32\taskhost.exe[2200] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000778f2240 5 bytes JMP 0000000077a502a0 .text C:\Windows\system32\taskhost.exe[2200] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000778f2290 5 bytes JMP 0000000077a502c0 .text C:\Windows\system32\taskhost.exe[2200] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000778f22c0 5 bytes JMP 0000000077a50380 .text C:\Windows\system32\taskhost.exe[2200] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778f22d0 5 bytes JMP 0000000077a50340 .text C:\Windows\system32\taskhost.exe[2200] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000778f25c0 5 bytes JMP 0000000077a50440 .text C:\Windows\system32\taskhost.exe[2200] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778f27c0 5 bytes JMP 0000000077a50260 .text C:\Windows\system32\taskhost.exe[2200] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778f27d0 5 bytes JMP 0000000077a50270 .text C:\Windows\system32\taskhost.exe[2200] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778f27e0 5 bytes JMP 0000000077a50400 .text C:\Windows\system32\taskhost.exe[2200] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778f29a0 5 bytes JMP 0000000077a501f0 .text C:\Windows\system32\taskhost.exe[2200] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778f29b0 5 bytes JMP 0000000077a50210 .text C:\Windows\system32\taskhost.exe[2200] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000778f2a20 5 bytes JMP 0000000077a50200 .text C:\Windows\system32\taskhost.exe[2200] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000778f2a80 5 bytes JMP 0000000077a50420 .text C:\Windows\system32\taskhost.exe[2200] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000778f2a90 5 bytes JMP 0000000077a50430 .text C:\Windows\system32\taskhost.exe[2200] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000778f2aa0 5 bytes JMP 0000000077a50220 .text C:\Windows\system32\taskhost.exe[2200] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000778f2b80 5 bytes JMP 0000000077a50280 .text C:\Windows\system32\taskhost.exe[2200] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000777def8d 1 byte [62] .text C:\Windows\system32\Dwm.exe[2216] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000778f1360 5 bytes JMP 0000000077a50460 .text C:\Windows\system32\Dwm.exe[2216] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000778f13b0 5 bytes JMP 0000000077a50450 .text C:\Windows\system32\Dwm.exe[2216] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000778f1510 5 bytes JMP 0000000077a50370 .text C:\Windows\system32\Dwm.exe[2216] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000778f1560 5 bytes JMP 0000000077a50470 .text C:\Windows\system32\Dwm.exe[2216] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000778f1570 5 bytes JMP 0000000077a503e0 .text C:\Windows\system32\Dwm.exe[2216] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000778f1620 5 bytes JMP 0000000077a50320 .text C:\Windows\system32\Dwm.exe[2216] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000778f1650 5 bytes JMP 0000000077a503b0 .text C:\Windows\system32\Dwm.exe[2216] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000778f1670 5 bytes JMP 0000000077a50390 .text C:\Windows\system32\Dwm.exe[2216] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778f16b0 5 bytes JMP 0000000077a502e0 .text C:\Windows\system32\Dwm.exe[2216] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000778f1730 5 bytes JMP 0000000077a502d0 .text C:\Windows\system32\Dwm.exe[2216] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000778f1750 5 bytes JMP 0000000077a50310 .text C:\Windows\system32\Dwm.exe[2216] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000778f1790 5 bytes JMP 0000000077a503c0 .text C:\Windows\system32\Dwm.exe[2216] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778f17e0 5 bytes JMP 0000000077a503f0 .text C:\Windows\system32\Dwm.exe[2216] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000778f1940 5 bytes JMP 0000000077a50230 .text C:\Windows\system32\Dwm.exe[2216] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000778f1b00 5 bytes JMP 0000000077a50480 .text C:\Windows\system32\Dwm.exe[2216] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000778f1b30 5 bytes JMP 0000000077a503a0 .text C:\Windows\system32\Dwm.exe[2216] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000778f1c10 5 bytes JMP 0000000077a502f0 .text C:\Windows\system32\Dwm.exe[2216] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000778f1c20 5 bytes JMP 0000000077a50350 .text C:\Windows\system32\Dwm.exe[2216] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000778f1c80 5 bytes JMP 0000000077a50290 .text C:\Windows\system32\Dwm.exe[2216] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000778f1d10 5 bytes JMP 0000000077a502b0 .text C:\Windows\system32\Dwm.exe[2216] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000778f1d30 5 bytes JMP 0000000077a503d0 .text C:\Windows\system32\Dwm.exe[2216] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000778f1d40 5 bytes JMP 0000000077a50330 .text C:\Windows\system32\Dwm.exe[2216] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000778f1db0 5 bytes JMP 0000000077a50410 .text C:\Windows\system32\Dwm.exe[2216] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000778f1de0 5 bytes JMP 0000000077a50240 .text C:\Windows\system32\Dwm.exe[2216] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778f20a0 5 bytes JMP 0000000077a501e0 .text C:\Windows\system32\Dwm.exe[2216] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000778f2160 5 bytes JMP 0000000077a50250 .text C:\Windows\system32\Dwm.exe[2216] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000778f2190 5 bytes JMP 0000000077a50490 .text C:\Windows\system32\Dwm.exe[2216] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778f21a0 5 bytes JMP 0000000077a504a0 .text C:\Windows\system32\Dwm.exe[2216] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778f21d0 5 bytes JMP 0000000077a50300 .text C:\Windows\system32\Dwm.exe[2216] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778f21e0 5 bytes JMP 0000000077a50360 .text C:\Windows\system32\Dwm.exe[2216] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000778f2240 5 bytes JMP 0000000077a502a0 .text C:\Windows\system32\Dwm.exe[2216] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000778f2290 5 bytes JMP 0000000077a502c0 .text C:\Windows\system32\Dwm.exe[2216] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000778f22c0 5 bytes JMP 0000000077a50380 .text C:\Windows\system32\Dwm.exe[2216] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778f22d0 5 bytes JMP 0000000077a50340 .text C:\Windows\system32\Dwm.exe[2216] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000778f25c0 5 bytes JMP 0000000077a50440 .text C:\Windows\system32\Dwm.exe[2216] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778f27c0 5 bytes JMP 0000000077a50260 .text C:\Windows\system32\Dwm.exe[2216] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778f27d0 5 bytes JMP 0000000077a50270 .text C:\Windows\system32\Dwm.exe[2216] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778f27e0 5 bytes JMP 0000000077a50400 .text C:\Windows\system32\Dwm.exe[2216] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778f29a0 5 bytes JMP 0000000077a501f0 .text C:\Windows\system32\Dwm.exe[2216] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778f29b0 5 bytes JMP 0000000077a50210 .text C:\Windows\system32\Dwm.exe[2216] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000778f2a20 5 bytes JMP 0000000077a50200 .text C:\Windows\system32\Dwm.exe[2216] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000778f2a80 5 bytes JMP 0000000077a50420 .text C:\Windows\system32\Dwm.exe[2216] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000778f2a90 5 bytes JMP 0000000077a50430 .text C:\Windows\system32\Dwm.exe[2216] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000778f2aa0 5 bytes JMP 0000000077a50220 .text C:\Windows\system32\Dwm.exe[2216] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000778f2b80 5 bytes JMP 0000000077a50280 .text C:\Windows\Explorer.EXE[2264] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000778f1360 5 bytes JMP 0000000077a50460 .text C:\Windows\Explorer.EXE[2264] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000778f13b0 5 bytes JMP 0000000077a50450 .text C:\Windows\Explorer.EXE[2264] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000778f1510 5 bytes JMP 0000000077a50370 .text C:\Windows\Explorer.EXE[2264] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000778f1560 5 bytes JMP 0000000077a50470 .text C:\Windows\Explorer.EXE[2264] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000778f1570 5 bytes JMP 0000000077a503e0 .text C:\Windows\Explorer.EXE[2264] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000778f1620 5 bytes JMP 0000000077a50320 .text C:\Windows\Explorer.EXE[2264] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000778f1650 5 bytes JMP 0000000077a503b0 .text C:\Windows\Explorer.EXE[2264] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000778f1670 5 bytes JMP 0000000077a50390 .text C:\Windows\Explorer.EXE[2264] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778f16b0 5 bytes JMP 0000000077a502e0 .text C:\Windows\Explorer.EXE[2264] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000778f1730 5 bytes JMP 0000000077a502d0 .text C:\Windows\Explorer.EXE[2264] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000778f1750 5 bytes JMP 0000000077a50310 .text C:\Windows\Explorer.EXE[2264] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000778f1790 5 bytes JMP 0000000077a503c0 .text C:\Windows\Explorer.EXE[2264] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778f17e0 5 bytes JMP 0000000077a503f0 .text C:\Windows\Explorer.EXE[2264] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000778f1940 5 bytes JMP 0000000077a50230 .text C:\Windows\Explorer.EXE[2264] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000778f1b00 5 bytes JMP 0000000077a50480 .text C:\Windows\Explorer.EXE[2264] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000778f1b30 5 bytes JMP 0000000077a503a0 .text C:\Windows\Explorer.EXE[2264] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000778f1c10 5 bytes JMP 0000000077a502f0 .text C:\Windows\Explorer.EXE[2264] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000778f1c20 5 bytes JMP 0000000077a50350 .text C:\Windows\Explorer.EXE[2264] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000778f1c80 5 bytes JMP 0000000077a50290 .text C:\Windows\Explorer.EXE[2264] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000778f1d10 5 bytes JMP 0000000077a502b0 .text C:\Windows\Explorer.EXE[2264] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000778f1d30 5 bytes JMP 0000000077a503d0 .text C:\Windows\Explorer.EXE[2264] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000778f1d40 5 bytes JMP 0000000077a50330 .text C:\Windows\Explorer.EXE[2264] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000778f1db0 5 bytes JMP 0000000077a50410 .text C:\Windows\Explorer.EXE[2264] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000778f1de0 5 bytes JMP 0000000077a50240 .text C:\Windows\Explorer.EXE[2264] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778f20a0 5 bytes JMP 0000000077a501e0 .text C:\Windows\Explorer.EXE[2264] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000778f2160 5 bytes JMP 0000000077a50250 .text C:\Windows\Explorer.EXE[2264] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000778f2190 5 bytes JMP 0000000077a50490 .text C:\Windows\Explorer.EXE[2264] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778f21a0 5 bytes JMP 0000000077a504a0 .text C:\Windows\Explorer.EXE[2264] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778f21d0 5 bytes JMP 0000000077a50300 .text C:\Windows\Explorer.EXE[2264] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778f21e0 5 bytes JMP 0000000077a50360 .text C:\Windows\Explorer.EXE[2264] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000778f2240 5 bytes JMP 0000000077a502a0 .text C:\Windows\Explorer.EXE[2264] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000778f2290 5 bytes JMP 0000000077a502c0 .text C:\Windows\Explorer.EXE[2264] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000778f22c0 5 bytes JMP 0000000077a50380 .text C:\Windows\Explorer.EXE[2264] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778f22d0 5 bytes JMP 0000000077a50340 .text C:\Windows\Explorer.EXE[2264] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000778f25c0 5 bytes JMP 0000000077a50440 .text C:\Windows\Explorer.EXE[2264] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778f27c0 5 bytes JMP 0000000077a50260 .text C:\Windows\Explorer.EXE[2264] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778f27d0 5 bytes JMP 0000000077a50270 .text C:\Windows\Explorer.EXE[2264] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778f27e0 5 bytes JMP 0000000077a50400 .text C:\Windows\Explorer.EXE[2264] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778f29a0 5 bytes JMP 0000000077a501f0 .text C:\Windows\Explorer.EXE[2264] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778f29b0 5 bytes JMP 0000000077a50210 .text C:\Windows\Explorer.EXE[2264] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000778f2a20 5 bytes JMP 0000000077a50200 .text C:\Windows\Explorer.EXE[2264] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000778f2a80 5 bytes JMP 0000000077a50420 .text C:\Windows\Explorer.EXE[2264] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000778f2a90 5 bytes JMP 0000000077a50430 .text C:\Windows\Explorer.EXE[2264] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000778f2aa0 5 bytes JMP 0000000077a50220 .text C:\Windows\Explorer.EXE[2264] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000778f2b80 5 bytes JMP 0000000077a50280 .text C:\Windows\Explorer.EXE[2264] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000777def8d 1 byte [62] .text C:\Windows\system32\taskeng.exe[2568] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000778f1360 5 bytes JMP 0000000100070460 .text C:\Windows\system32\taskeng.exe[2568] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000778f13b0 5 bytes JMP 0000000100070450 .text C:\Windows\system32\taskeng.exe[2568] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000778f1510 5 bytes JMP 0000000100070370 .text C:\Windows\system32\taskeng.exe[2568] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000778f1560 5 bytes JMP 0000000100070470 .text C:\Windows\system32\taskeng.exe[2568] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000778f1570 5 bytes JMP 00000001000703e0 .text C:\Windows\system32\taskeng.exe[2568] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000778f1620 5 bytes JMP 0000000100070320 .text C:\Windows\system32\taskeng.exe[2568] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000778f1650 5 bytes JMP 00000001000703b0 .text C:\Windows\system32\taskeng.exe[2568] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000778f1670 5 bytes JMP 0000000100070390 .text C:\Windows\system32\taskeng.exe[2568] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778f16b0 5 bytes JMP 00000001000702e0 .text C:\Windows\system32\taskeng.exe[2568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000778f1730 5 bytes JMP 00000001000702d0 .text C:\Windows\system32\taskeng.exe[2568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000778f1750 5 bytes JMP 0000000100070310 .text C:\Windows\system32\taskeng.exe[2568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000778f1790 5 bytes JMP 00000001000703c0 .text C:\Windows\system32\taskeng.exe[2568] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778f17e0 5 bytes JMP 00000001000703f0 .text C:\Windows\system32\taskeng.exe[2568] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000778f1940 5 bytes JMP 0000000100070230 .text C:\Windows\system32\taskeng.exe[2568] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000778f1b00 5 bytes JMP 0000000100070480 .text C:\Windows\system32\taskeng.exe[2568] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000778f1b30 5 bytes JMP 00000001000703a0 .text C:\Windows\system32\taskeng.exe[2568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000778f1c10 5 bytes JMP 00000001000702f0 .text C:\Windows\system32\taskeng.exe[2568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000778f1c20 5 bytes JMP 0000000100070350 .text C:\Windows\system32\taskeng.exe[2568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000778f1c80 5 bytes JMP 0000000100070290 .text C:\Windows\system32\taskeng.exe[2568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000778f1d10 5 bytes JMP 00000001000702b0 .text C:\Windows\system32\taskeng.exe[2568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000778f1d30 5 bytes JMP 00000001000703d0 .text C:\Windows\system32\taskeng.exe[2568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000778f1d40 5 bytes JMP 0000000100070330 .text C:\Windows\system32\taskeng.exe[2568] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000778f1db0 5 bytes JMP 0000000100070410 .text C:\Windows\system32\taskeng.exe[2568] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000778f1de0 5 bytes JMP 0000000100070240 .text C:\Windows\system32\taskeng.exe[2568] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778f20a0 5 bytes JMP 00000001000701e0 .text C:\Windows\system32\taskeng.exe[2568] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000778f2160 5 bytes JMP 0000000100070250 .text C:\Windows\system32\taskeng.exe[2568] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000778f2190 5 bytes JMP 0000000100070490 .text C:\Windows\system32\taskeng.exe[2568] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778f21a0 5 bytes JMP 00000001000704a0 .text C:\Windows\system32\taskeng.exe[2568] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778f21d0 5 bytes JMP 0000000100070300 .text C:\Windows\system32\taskeng.exe[2568] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778f21e0 5 bytes JMP 0000000100070360 .text C:\Windows\system32\taskeng.exe[2568] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000778f2240 5 bytes JMP 00000001000702a0 .text C:\Windows\system32\taskeng.exe[2568] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000778f2290 5 bytes JMP 00000001000702c0 .text C:\Windows\system32\taskeng.exe[2568] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000778f22c0 5 bytes JMP 0000000100070380 .text C:\Windows\system32\taskeng.exe[2568] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778f22d0 5 bytes JMP 0000000100070340 .text C:\Windows\system32\taskeng.exe[2568] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000778f25c0 5 bytes JMP 0000000100070440 .text C:\Windows\system32\taskeng.exe[2568] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778f27c0 5 bytes JMP 0000000100070260 .text C:\Windows\system32\taskeng.exe[2568] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778f27d0 5 bytes JMP 0000000100070270 .text C:\Windows\system32\taskeng.exe[2568] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778f27e0 5 bytes JMP 0000000100070400 .text C:\Windows\system32\taskeng.exe[2568] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778f29a0 5 bytes JMP 00000001000701f0 .text C:\Windows\system32\taskeng.exe[2568] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778f29b0 5 bytes JMP 0000000100070210 .text C:\Windows\system32\taskeng.exe[2568] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000778f2a20 5 bytes JMP 0000000100070200 .text C:\Windows\system32\taskeng.exe[2568] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000778f2a80 5 bytes JMP 0000000100070420 .text C:\Windows\system32\taskeng.exe[2568] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000778f2a90 5 bytes JMP 0000000100070430 .text C:\Windows\system32\taskeng.exe[2568] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000778f2aa0 5 bytes JMP 0000000100070220 .text C:\Windows\system32\taskeng.exe[2568] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000778f2b80 5 bytes JMP 0000000100070280 .text C:\Users\Patryk\Desktop\ipchanger.exe[3048] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000778f1360 5 bytes JMP 00000001002f0460 .text C:\Users\Patryk\Desktop\ipchanger.exe[3048] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000778f13b0 5 bytes JMP 00000001002f0450 .text C:\Users\Patryk\Desktop\ipchanger.exe[3048] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000778f1510 5 bytes JMP 00000001002f0370 .text C:\Users\Patryk\Desktop\ipchanger.exe[3048] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000778f1560 5 bytes JMP 00000001002f0470 .text C:\Users\Patryk\Desktop\ipchanger.exe[3048] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000778f1570 5 bytes JMP 00000001002f03e0 .text C:\Users\Patryk\Desktop\ipchanger.exe[3048] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000778f1620 5 bytes JMP 00000001002f0320 .text C:\Users\Patryk\Desktop\ipchanger.exe[3048] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000778f1650 5 bytes JMP 00000001002f03b0 .text C:\Users\Patryk\Desktop\ipchanger.exe[3048] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000778f1670 5 bytes JMP 00000001002f0390 .text C:\Users\Patryk\Desktop\ipchanger.exe[3048] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778f16b0 5 bytes JMP 00000001002f02e0 .text C:\Users\Patryk\Desktop\ipchanger.exe[3048] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000778f1730 5 bytes JMP 00000001002f02d0 .text C:\Users\Patryk\Desktop\ipchanger.exe[3048] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000778f1750 5 bytes JMP 00000001002f0310 .text C:\Users\Patryk\Desktop\ipchanger.exe[3048] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000778f1790 5 bytes JMP 00000001002f03c0 .text C:\Users\Patryk\Desktop\ipchanger.exe[3048] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778f17e0 5 bytes JMP 00000001002f03f0 .text C:\Users\Patryk\Desktop\ipchanger.exe[3048] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000778f1940 5 bytes JMP 00000001002f0230 .text C:\Users\Patryk\Desktop\ipchanger.exe[3048] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000778f1b00 5 bytes JMP 00000001002f0480 .text C:\Users\Patryk\Desktop\ipchanger.exe[3048] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000778f1b30 5 bytes JMP 00000001002f03a0 .text C:\Users\Patryk\Desktop\ipchanger.exe[3048] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000778f1c10 5 bytes JMP 00000001002f02f0 .text C:\Users\Patryk\Desktop\ipchanger.exe[3048] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000778f1c20 5 bytes JMP 00000001002f0350 .text C:\Users\Patryk\Desktop\ipchanger.exe[3048] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000778f1c80 5 bytes JMP 00000001002f0290 .text C:\Users\Patryk\Desktop\ipchanger.exe[3048] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000778f1d10 5 bytes JMP 00000001002f02b0 .text C:\Users\Patryk\Desktop\ipchanger.exe[3048] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000778f1d30 5 bytes JMP 00000001002f03d0 .text C:\Users\Patryk\Desktop\ipchanger.exe[3048] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000778f1d40 5 bytes JMP 00000001002f0330 .text C:\Users\Patryk\Desktop\ipchanger.exe[3048] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000778f1db0 5 bytes JMP 00000001002f0410 .text C:\Users\Patryk\Desktop\ipchanger.exe[3048] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000778f1de0 5 bytes JMP 00000001002f0240 .text C:\Users\Patryk\Desktop\ipchanger.exe[3048] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778f20a0 5 bytes JMP 00000001002f01e0 .text C:\Users\Patryk\Desktop\ipchanger.exe[3048] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000778f2160 5 bytes JMP 00000001002f0250 .text C:\Users\Patryk\Desktop\ipchanger.exe[3048] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000778f2190 5 bytes JMP 00000001002f0490 .text C:\Users\Patryk\Desktop\ipchanger.exe[3048] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778f21a0 5 bytes JMP 00000001002f04a0 .text C:\Users\Patryk\Desktop\ipchanger.exe[3048] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778f21d0 5 bytes JMP 00000001002f0300 .text C:\Users\Patryk\Desktop\ipchanger.exe[3048] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778f21e0 5 bytes JMP 00000001002f0360 .text C:\Users\Patryk\Desktop\ipchanger.exe[3048] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000778f2240 5 bytes JMP 00000001002f02a0 .text C:\Users\Patryk\Desktop\ipchanger.exe[3048] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000778f2290 5 bytes JMP 00000001002f02c0 .text C:\Users\Patryk\Desktop\ipchanger.exe[3048] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000778f22c0 5 bytes JMP 00000001002f0380 .text C:\Users\Patryk\Desktop\ipchanger.exe[3048] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778f22d0 5 bytes JMP 00000001002f0340 .text C:\Users\Patryk\Desktop\ipchanger.exe[3048] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000778f25c0 5 bytes JMP 00000001002f0440 .text C:\Users\Patryk\Desktop\ipchanger.exe[3048] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778f27c0 5 bytes JMP 00000001002f0260 .text C:\Users\Patryk\Desktop\ipchanger.exe[3048] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778f27d0 5 bytes JMP 00000001002f0270 .text C:\Users\Patryk\Desktop\ipchanger.exe[3048] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778f27e0 5 bytes JMP 00000001002f0400 .text C:\Users\Patryk\Desktop\ipchanger.exe[3048] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778f29a0 5 bytes JMP 00000001002f01f0 .text C:\Users\Patryk\Desktop\ipchanger.exe[3048] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778f29b0 5 bytes JMP 00000001002f0210 .text C:\Users\Patryk\Desktop\ipchanger.exe[3048] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000778f2a20 5 bytes JMP 00000001002f0200 .text C:\Users\Patryk\Desktop\ipchanger.exe[3048] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000778f2a80 5 bytes JMP 00000001002f0420 .text C:\Users\Patryk\Desktop\ipchanger.exe[3048] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000778f2a90 5 bytes JMP 00000001002f0430 .text C:\Users\Patryk\Desktop\ipchanger.exe[3048] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000778f2aa0 5 bytes JMP 00000001002f0220 .text C:\Users\Patryk\Desktop\ipchanger.exe[3048] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000778f2b80 5 bytes JMP 00000001002f0280 .text C:\Users\Patryk\Desktop\ipchanger.exe[3048] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 00000000777def8d 1 byte [62] .text D:\DAEMON Tools Lite\DTLite.exe[3068] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007703a2fd 1 byte [62] .text C:\Users\Patryk\AppData\Roaming\uTorrent\uTorrent.exe[1664] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007703a2fd 1 byte [62] .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[1932] C:\Windows\syswow64\kernel32.dll!SetUnhandledExceptionFilter 0000000077018791 8 bytes [31, C0, C2, 04, 00, 90, 90, ...] .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[1932] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007703a2fd 1 byte [62] .text C:\Program Files\McAfee Security Scan\3.8.150\SSScheduler.exe[3040] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000778f1360 5 bytes JMP 0000000077a50460 .text C:\Program Files\McAfee Security Scan\3.8.150\SSScheduler.exe[3040] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000778f13b0 5 bytes JMP 0000000077a50450 .text C:\Program Files\McAfee Security Scan\3.8.150\SSScheduler.exe[3040] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000778f1510 5 bytes JMP 0000000077a50370 .text C:\Program Files\McAfee Security Scan\3.8.150\SSScheduler.exe[3040] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000778f1560 5 bytes JMP 0000000077a50470 .text C:\Program Files\McAfee Security Scan\3.8.150\SSScheduler.exe[3040] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000778f1570 5 bytes JMP 0000000077a503e0 .text C:\Program Files\McAfee Security Scan\3.8.150\SSScheduler.exe[3040] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000778f1620 5 bytes JMP 0000000077a50320 .text C:\Program Files\McAfee Security Scan\3.8.150\SSScheduler.exe[3040] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000778f1650 5 bytes JMP 0000000077a503b0 .text C:\Program Files\McAfee Security Scan\3.8.150\SSScheduler.exe[3040] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000778f1670 5 bytes JMP 0000000077a50390 .text C:\Program Files\McAfee Security Scan\3.8.150\SSScheduler.exe[3040] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778f16b0 5 bytes JMP 0000000077a502e0 .text C:\Program Files\McAfee Security Scan\3.8.150\SSScheduler.exe[3040] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000778f1730 5 bytes JMP 0000000077a502d0 .text C:\Program Files\McAfee Security Scan\3.8.150\SSScheduler.exe[3040] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000778f1750 5 bytes JMP 0000000077a50310 .text C:\Program Files\McAfee Security Scan\3.8.150\SSScheduler.exe[3040] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000778f1790 5 bytes JMP 0000000077a503c0 .text C:\Program Files\McAfee Security Scan\3.8.150\SSScheduler.exe[3040] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778f17e0 5 bytes JMP 0000000077a503f0 .text C:\Program Files\McAfee Security Scan\3.8.150\SSScheduler.exe[3040] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000778f1940 5 bytes JMP 0000000077a50230 .text C:\Program Files\McAfee Security Scan\3.8.150\SSScheduler.exe[3040] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000778f1b00 5 bytes JMP 0000000077a50480 .text C:\Program Files\McAfee Security Scan\3.8.150\SSScheduler.exe[3040] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000778f1b30 5 bytes JMP 0000000077a503a0 .text C:\Program Files\McAfee Security Scan\3.8.150\SSScheduler.exe[3040] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000778f1c10 5 bytes JMP 0000000077a502f0 .text C:\Program Files\McAfee Security Scan\3.8.150\SSScheduler.exe[3040] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000778f1c20 5 bytes JMP 0000000077a50350 .text C:\Program Files\McAfee Security Scan\3.8.150\SSScheduler.exe[3040] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000778f1c80 5 bytes JMP 0000000077a50290 .text C:\Program Files\McAfee Security Scan\3.8.150\SSScheduler.exe[3040] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000778f1d10 5 bytes JMP 0000000077a502b0 .text C:\Program Files\McAfee Security Scan\3.8.150\SSScheduler.exe[3040] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000778f1d30 5 bytes JMP 0000000077a503d0 .text C:\Program Files\McAfee Security Scan\3.8.150\SSScheduler.exe[3040] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000778f1d40 5 bytes JMP 0000000077a50330 .text C:\Program Files\McAfee Security Scan\3.8.150\SSScheduler.exe[3040] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000778f1db0 5 bytes JMP 0000000077a50410 .text C:\Program Files\McAfee Security Scan\3.8.150\SSScheduler.exe[3040] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000778f1de0 5 bytes JMP 0000000077a50240 .text C:\Program Files\McAfee Security Scan\3.8.150\SSScheduler.exe[3040] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778f20a0 5 bytes JMP 0000000077a501e0 .text C:\Program Files\McAfee Security Scan\3.8.150\SSScheduler.exe[3040] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000778f2160 5 bytes JMP 0000000077a50250 .text C:\Program Files\McAfee Security Scan\3.8.150\SSScheduler.exe[3040] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000778f2190 5 bytes JMP 0000000077a50490 .text C:\Program Files\McAfee Security Scan\3.8.150\SSScheduler.exe[3040] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778f21a0 5 bytes JMP 0000000077a504a0 .text C:\Program Files\McAfee Security Scan\3.8.150\SSScheduler.exe[3040] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778f21d0 5 bytes JMP 0000000077a50300 .text C:\Program Files\McAfee Security Scan\3.8.150\SSScheduler.exe[3040] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778f21e0 5 bytes JMP 0000000077a50360 .text C:\Program Files\McAfee Security Scan\3.8.150\SSScheduler.exe[3040] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000778f2240 5 bytes JMP 0000000077a502a0 .text C:\Program Files\McAfee Security Scan\3.8.150\SSScheduler.exe[3040] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000778f2290 5 bytes JMP 0000000077a502c0 .text C:\Program Files\McAfee Security Scan\3.8.150\SSScheduler.exe[3040] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000778f22c0 5 bytes JMP 0000000077a50380 .text C:\Program Files\McAfee Security Scan\3.8.150\SSScheduler.exe[3040] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778f22d0 5 bytes JMP 0000000077a50340 .text C:\Program Files\McAfee Security Scan\3.8.150\SSScheduler.exe[3040] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000778f25c0 5 bytes JMP 0000000077a50440 .text C:\Program Files\McAfee Security Scan\3.8.150\SSScheduler.exe[3040] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778f27c0 5 bytes JMP 0000000077a50260 .text C:\Program Files\McAfee Security Scan\3.8.150\SSScheduler.exe[3040] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778f27d0 5 bytes JMP 0000000077a50270 .text C:\Program Files\McAfee Security Scan\3.8.150\SSScheduler.exe[3040] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778f27e0 5 bytes JMP 0000000077a50400 .text C:\Program Files\McAfee Security Scan\3.8.150\SSScheduler.exe[3040] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778f29a0 5 bytes JMP 0000000077a501f0 .text C:\Program Files\McAfee Security Scan\3.8.150\SSScheduler.exe[3040] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778f29b0 5 bytes JMP 0000000077a50210 .text C:\Program Files\McAfee Security Scan\3.8.150\SSScheduler.exe[3040] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000778f2a20 5 bytes JMP 0000000077a50200 .text C:\Program Files\McAfee Security Scan\3.8.150\SSScheduler.exe[3040] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000778f2a80 5 bytes JMP 0000000077a50420 .text C:\Program Files\McAfee Security Scan\3.8.150\SSScheduler.exe[3040] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000778f2a90 5 bytes JMP 0000000077a50430 .text C:\Program Files\McAfee Security Scan\3.8.150\SSScheduler.exe[3040] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000778f2aa0 5 bytes JMP 0000000077a50220 .text C:\Program Files\McAfee Security Scan\3.8.150\SSScheduler.exe[3040] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000778f2b80 5 bytes JMP 0000000077a50280 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3004] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007703a2fd 1 byte [62] .text C:\Windows\system32\SearchIndexer.exe[3224] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000778f1360 5 bytes JMP 0000000077a50460 .text C:\Windows\system32\SearchIndexer.exe[3224] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000778f13b0 5 bytes JMP 0000000077a50450 .text C:\Windows\system32\SearchIndexer.exe[3224] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000778f1510 5 bytes JMP 0000000077a50370 .text C:\Windows\system32\SearchIndexer.exe[3224] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000778f1560 5 bytes JMP 0000000077a50470 .text C:\Windows\system32\SearchIndexer.exe[3224] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000778f1570 5 bytes JMP 0000000077a503e0 .text C:\Windows\system32\SearchIndexer.exe[3224] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000778f1620 5 bytes JMP 0000000077a50320 .text C:\Windows\system32\SearchIndexer.exe[3224] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000778f1650 5 bytes JMP 0000000077a503b0 .text C:\Windows\system32\SearchIndexer.exe[3224] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000778f1670 5 bytes JMP 0000000077a50390 .text C:\Windows\system32\SearchIndexer.exe[3224] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778f16b0 5 bytes JMP 0000000077a502e0 .text C:\Windows\system32\SearchIndexer.exe[3224] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000778f1730 5 bytes JMP 0000000077a502d0 .text C:\Windows\system32\SearchIndexer.exe[3224] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000778f1750 5 bytes JMP 0000000077a50310 .text C:\Windows\system32\SearchIndexer.exe[3224] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000778f1790 5 bytes JMP 0000000077a503c0 .text C:\Windows\system32\SearchIndexer.exe[3224] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778f17e0 5 bytes JMP 0000000077a503f0 .text C:\Windows\system32\SearchIndexer.exe[3224] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000778f1940 5 bytes JMP 0000000077a50230 .text C:\Windows\system32\SearchIndexer.exe[3224] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000778f1b00 5 bytes JMP 0000000077a50480 .text C:\Windows\system32\SearchIndexer.exe[3224] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000778f1b30 5 bytes JMP 0000000077a503a0 .text C:\Windows\system32\SearchIndexer.exe[3224] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000778f1c10 5 bytes JMP 0000000077a502f0 .text C:\Windows\system32\SearchIndexer.exe[3224] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000778f1c20 5 bytes JMP 0000000077a50350 .text C:\Windows\system32\SearchIndexer.exe[3224] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000778f1c80 5 bytes JMP 0000000077a50290 .text C:\Windows\system32\SearchIndexer.exe[3224] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000778f1d10 5 bytes JMP 0000000077a502b0 .text C:\Windows\system32\SearchIndexer.exe[3224] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000778f1d30 5 bytes JMP 0000000077a503d0 .text C:\Windows\system32\SearchIndexer.exe[3224] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000778f1d40 5 bytes JMP 0000000077a50330 .text C:\Windows\system32\SearchIndexer.exe[3224] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000778f1db0 5 bytes JMP 0000000077a50410 .text C:\Windows\system32\SearchIndexer.exe[3224] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000778f1de0 5 bytes JMP 0000000077a50240 .text C:\Windows\system32\SearchIndexer.exe[3224] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778f20a0 5 bytes JMP 0000000077a501e0 .text C:\Windows\system32\SearchIndexer.exe[3224] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000778f2160 5 bytes JMP 0000000077a50250 .text C:\Windows\system32\SearchIndexer.exe[3224] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000778f2190 5 bytes JMP 0000000077a50490 .text C:\Windows\system32\SearchIndexer.exe[3224] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778f21a0 5 bytes JMP 0000000077a504a0 .text C:\Windows\system32\SearchIndexer.exe[3224] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778f21d0 5 bytes JMP 0000000077a50300 .text C:\Windows\system32\SearchIndexer.exe[3224] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778f21e0 5 bytes JMP 0000000077a50360 .text C:\Windows\system32\SearchIndexer.exe[3224] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000778f2240 5 bytes JMP 0000000077a502a0 .text C:\Windows\system32\SearchIndexer.exe[3224] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000778f2290 5 bytes JMP 0000000077a502c0 .text C:\Windows\system32\SearchIndexer.exe[3224] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000778f22c0 5 bytes JMP 0000000077a50380 .text C:\Windows\system32\SearchIndexer.exe[3224] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778f22d0 5 bytes JMP 0000000077a50340 .text C:\Windows\system32\SearchIndexer.exe[3224] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000778f25c0 5 bytes JMP 0000000077a50440 .text C:\Windows\system32\SearchIndexer.exe[3224] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778f27c0 5 bytes JMP 0000000077a50260 .text C:\Windows\system32\SearchIndexer.exe[3224] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778f27d0 5 bytes JMP 0000000077a50270 .text C:\Windows\system32\SearchIndexer.exe[3224] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778f27e0 5 bytes JMP 0000000077a50400 .text C:\Windows\system32\SearchIndexer.exe[3224] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778f29a0 5 bytes JMP 0000000077a501f0 .text C:\Windows\system32\SearchIndexer.exe[3224] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778f29b0 5 bytes JMP 0000000077a50210 .text C:\Windows\system32\SearchIndexer.exe[3224] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000778f2a20 5 bytes JMP 0000000077a50200 .text C:\Windows\system32\SearchIndexer.exe[3224] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000778f2a80 5 bytes JMP 0000000077a50420 .text C:\Windows\system32\SearchIndexer.exe[3224] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000778f2a90 5 bytes JMP 0000000077a50430 .text C:\Windows\system32\SearchIndexer.exe[3224] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000778f2aa0 5 bytes JMP 0000000077a50220 .text C:\Windows\system32\SearchIndexer.exe[3224] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000778f2b80 5 bytes JMP 0000000077a50280 .text C:\Windows\system32\AUDIODG.EXE[2672] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000778f1360 5 bytes JMP 0000000077a50460 .text C:\Windows\system32\AUDIODG.EXE[2672] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000778f13b0 5 bytes JMP 0000000077a50450 .text C:\Windows\system32\AUDIODG.EXE[2672] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000778f1510 5 bytes JMP 0000000077a50370 .text C:\Windows\system32\AUDIODG.EXE[2672] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000778f1560 5 bytes JMP 0000000077a50470 .text C:\Windows\system32\AUDIODG.EXE[2672] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000778f1570 5 bytes JMP 0000000077a503e0 .text C:\Windows\system32\AUDIODG.EXE[2672] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000778f1620 5 bytes JMP 0000000077a50320 .text C:\Windows\system32\AUDIODG.EXE[2672] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000778f1650 5 bytes JMP 0000000077a503b0 .text C:\Windows\system32\AUDIODG.EXE[2672] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000778f1670 5 bytes JMP 0000000077a50390 .text C:\Windows\system32\AUDIODG.EXE[2672] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778f16b0 5 bytes JMP 0000000077a502e0 .text C:\Windows\system32\AUDIODG.EXE[2672] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000778f1730 5 bytes JMP 0000000077a502d0 .text C:\Windows\system32\AUDIODG.EXE[2672] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000778f1750 5 bytes JMP 0000000077a50310 .text C:\Windows\system32\AUDIODG.EXE[2672] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000778f1790 5 bytes JMP 0000000077a503c0 .text C:\Windows\system32\AUDIODG.EXE[2672] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778f17e0 5 bytes JMP 0000000077a503f0 .text C:\Windows\system32\AUDIODG.EXE[2672] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000778f1940 5 bytes JMP 0000000077a50230 .text C:\Windows\system32\AUDIODG.EXE[2672] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000778f1b00 5 bytes JMP 0000000077a50480 .text C:\Windows\system32\AUDIODG.EXE[2672] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000778f1b30 5 bytes JMP 0000000077a503a0 .text C:\Windows\system32\AUDIODG.EXE[2672] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000778f1c10 5 bytes JMP 0000000077a502f0 .text C:\Windows\system32\AUDIODG.EXE[2672] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000778f1c20 5 bytes JMP 0000000077a50350 .text C:\Windows\system32\AUDIODG.EXE[2672] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000778f1c80 5 bytes JMP 0000000077a50290 .text C:\Windows\system32\AUDIODG.EXE[2672] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000778f1d10 5 bytes JMP 0000000077a502b0 .text C:\Windows\system32\AUDIODG.EXE[2672] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000778f1d30 5 bytes JMP 0000000077a503d0 .text C:\Windows\system32\AUDIODG.EXE[2672] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000778f1d40 5 bytes JMP 0000000077a50330 .text C:\Windows\system32\AUDIODG.EXE[2672] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000778f1db0 5 bytes JMP 0000000077a50410 .text C:\Windows\system32\AUDIODG.EXE[2672] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000778f1de0 5 bytes JMP 0000000077a50240 .text C:\Windows\system32\AUDIODG.EXE[2672] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778f20a0 5 bytes JMP 0000000077a501e0 .text C:\Windows\system32\AUDIODG.EXE[2672] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000778f2160 5 bytes JMP 0000000077a50250 .text C:\Windows\system32\AUDIODG.EXE[2672] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000778f2190 5 bytes JMP 0000000077a50490 .text C:\Windows\system32\AUDIODG.EXE[2672] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778f21a0 5 bytes JMP 0000000077a504a0 .text C:\Windows\system32\AUDIODG.EXE[2672] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778f21d0 5 bytes JMP 0000000077a50300 .text C:\Windows\system32\AUDIODG.EXE[2672] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778f21e0 5 bytes JMP 0000000077a50360 .text C:\Windows\system32\AUDIODG.EXE[2672] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000778f2240 5 bytes JMP 0000000077a502a0 .text C:\Windows\system32\AUDIODG.EXE[2672] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000778f2290 5 bytes JMP 0000000077a502c0 .text C:\Windows\system32\AUDIODG.EXE[2672] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000778f22c0 5 bytes JMP 0000000077a50380 .text C:\Windows\system32\AUDIODG.EXE[2672] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778f22d0 5 bytes JMP 0000000077a50340 .text C:\Windows\system32\AUDIODG.EXE[2672] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000778f25c0 5 bytes JMP 0000000077a50440 .text C:\Windows\system32\AUDIODG.EXE[2672] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778f27c0 5 bytes JMP 0000000077a50260 .text C:\Windows\system32\AUDIODG.EXE[2672] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778f27d0 5 bytes JMP 0000000077a50270 .text C:\Windows\system32\AUDIODG.EXE[2672] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778f27e0 5 bytes JMP 0000000077a50400 .text C:\Windows\system32\AUDIODG.EXE[2672] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778f29a0 5 bytes JMP 0000000077a501f0 .text C:\Windows\system32\AUDIODG.EXE[2672] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778f29b0 5 bytes JMP 0000000077a50210 .text C:\Windows\system32\AUDIODG.EXE[2672] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000778f2a20 5 bytes JMP 0000000077a50200 .text C:\Windows\system32\AUDIODG.EXE[2672] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000778f2a80 5 bytes JMP 0000000077a50420 .text C:\Windows\system32\AUDIODG.EXE[2672] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000778f2a90 5 bytes JMP 0000000077a50430 .text C:\Windows\system32\AUDIODG.EXE[2672] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000778f2aa0 5 bytes JMP 0000000077a50220 .text C:\Windows\system32\AUDIODG.EXE[2672] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000778f2b80 5 bytes JMP 0000000077a50280 .text C:\Users\Patryk\Downloads\5r3n95zr.exe[700] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007703a2fd 1 byte [62] ---- Kernel IAT/EAT - GMER 2.1 ---- IAT C:\Windows\system32\drivers\pci.sys[ntoskrnl.exe!IoAttachDeviceToDeviceStack] [fffff8800110b650] \SystemRoot\System32\Drivers\spmo.sys [unknown section] IAT C:\Windows\system32\drivers\pci.sys[ntoskrnl.exe!IoDetachDevice] [fffff8800110b5dc] \SystemRoot\System32\Drivers\spmo.sys [unknown section] IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortBufferUshort] [fffff880010d635c] \SystemRoot\System32\Drivers\spmo.sys [unknown section] IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortUchar] [fffff880010d6224] \SystemRoot\System32\Drivers\spmo.sys [unknown section] IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUchar] [fffff880010d6a24] \SystemRoot\System32\Drivers\spmo.sys [unknown section] IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortBufferUshort] [fffff880010d6ba0] \SystemRoot\System32\Drivers\spmo.sys [unknown section] ---- Devices - GMER 2.1 ---- Device \Driver\atapi \Device\Ide\IdePort4 fffffa80025b02c0 Device \Driver\atapi \Device\Ide\IdePort0 fffffa80025b02c0 Device \Driver\atapi \Device\Ide\IdePort5 fffffa80025b02c0 Device \Driver\atapi \Device\Ide\IdePort1 fffffa80025b02c0 Device \Driver\atapi \Device\Ide\IdePort2 fffffa80025b02c0 Device \Driver\atapi \Device\Ide\IdeDeviceP2T0L0-2 fffffa80025b02c0 Device \Driver\atapi \Device\Ide\IdePort3 fffffa80025b02c0 Device \Driver\abfovvfz \Device\Scsi\abfovvfz1 fffffa8002fa42c0 Device \Driver\abfovvfz \Device\Scsi\abfovvfz1Port6Path0Target0Lun0 fffffa8002fa42c0 Device \FileSystem\Ntfs \Ntfs fffffa80025b42c0 Device \Driver\usbehci \Device\USBFDO-7 fffffa8002f042c0 Device \Driver\NetBT \Device\NetBT_Tcpip_{8F4B9214-26AE-4180-85C3-86B1A5F610F4} fffffa800297f2c0 Device \Driver\usbuhci \Device\USBPDO-5 fffffa8002ca42c0 Device \Driver\usbehci \Device\USBFDO-3 fffffa8002f042c0 Device \Driver\usbuhci \Device\USBPDO-1 fffffa8002ca42c0 Device \Driver\cdrom \Device\CdRom0 fffffa80032d22c0 Device \Driver\usbuhci \Device\USBPDO-6 fffffa8002ca42c0 Device \Driver\usbuhci \Device\USBFDO-4 fffffa8002ca42c0 Device \Driver\usbuhci \Device\USBFDO-0 fffffa8002ca42c0 Device \Driver\usbuhci \Device\USBPDO-2 fffffa8002ca42c0 Device \Driver\usbehci \Device\USBPDO-7 fffffa8002f042c0 Device \Driver\usbuhci \Device\USBFDO-5 fffffa8002ca42c0 Device \Driver\usbehci \Device\USBPDO-3 fffffa8002f042c0 Device \Driver\usbuhci \Device\USBFDO-1 fffffa8002ca42c0 Device \Driver\volmgr \Device\HarddiskVolume1 fffffa80025ac2c0 Device \Driver\volmgr \Device\FtControl fffffa80025ac2c0 Device \Driver\volmgr \Device\VolMgrControl fffffa80025ac2c0 Device \Driver\volmgr \Device\HarddiskVolume2 fffffa80025ac2c0 Device \Driver\volmgr \Device\HarddiskVolume3 fffffa80025ac2c0 Device \Driver\NetBT \Device\NetBt_Wins_Export fffffa800297f2c0 Device \Driver\usbuhci \Device\USBFDO-6 fffffa8002ca42c0 Device \Driver\usbuhci \Device\USBPDO-4 fffffa8002ca42c0 Device \Driver\atapi \Device\ScsiPort0 fffffa80025b02c0 Device \Driver\usbuhci \Device\USBFDO-2 fffffa8002ca42c0 Device \Driver\usbuhci \Device\USBPDO-0 fffffa8002ca42c0 Device \Driver\atapi \Device\ScsiPort1 fffffa80025b02c0 Device \Driver\atapi \Device\ScsiPort2 fffffa80025b02c0 Device \Driver\atapi \Device\ScsiPort3 fffffa80025b02c0 Device \Driver\atapi \Device\ScsiPort4 fffffa80025b02c0 Device \Driver\atapi \Device\ScsiPort5 fffffa80025b02c0 Device \Driver\abfovvfz \Device\ScsiPort6 fffffa8002fa42c0 ---- Trace I/O - GMER 2.1 ---- Trace ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys >>UNKNOWN [0xfffffa80025b02c0]<< spmo.sys ataport.SYS pciide.sys fffffa80025b02c0 Trace 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa8002890400] fffffa8002890400 Trace 3 CLASSPNP.SYS[fffff880013cb43f] -> nt!IofCallDriver -> [0xfffffa8002754520] fffffa8002754520 Trace 5 ACPI.sys[fffff8800103a7a1] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP2T0L0-2[0xfffffa8002756060] fffffa8002756060 Trace \Driver\atapi[0xfffffa800271a060] -> IRP_MJ_CREATE -> 0xfffffa80025b02c0 fffffa80025b02c0 ---- Modules - GMER 2.1 ---- Module \SystemRoot\System32\Drivers\abfovvfz.SYS fffff88005585000-fffff880055ca000 (282624 bytes) ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@s1 771343423 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@s2 285507792 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@h0 1 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 D:\DAEMON Tools Lite\ Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x5D 0x68 0x4B 0x71 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x40 0x13 0x25 0x3C ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0xBB 0x45 0x4E 0x94 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 D:\DAEMON Tools Lite\ Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x5D 0x68 0x4B 0x71 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x40 0x13 0x25 0x3C ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0xBB 0x45 0x4E 0x94 ... ---- Files - GMER 2.1 ---- File C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS003C1.log 1048576 bytes ---- EOF - GMER 2.1 ----