GMER 2.1.19163 - http://www.gmer.net Rootkit scan 2014-10-12 13:31:22 Windows 6.1.7600 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 SAMSUNG_HD322HJ rev.1AC01108 298,09GB Running: m57g1hli.exe; Driver: C:\Users\User\AppData\Local\Temp\aftcaaob.sys ---- Kernel code sections - GMER 2.1 ---- .text C:\Windows\system32\DRIVERS\USBPORT.SYS!DllUnload fffff880053aec34 12 bytes {MOV RAX, 0xfffffa8004f8f2a0; JMP RAX} ---- User code sections - GMER 2.1 ---- .text C:\Windows\system32\csrss.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007785ff60 5 bytes JMP 0000000149b90460 .text C:\Windows\system32\csrss.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007785ffb0 5 bytes JMP 0000000149b90450 .text C:\Windows\system32\csrss.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077860110 5 bytes JMP 0000000149b90370 .text C:\Windows\system32\csrss.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077860160 5 bytes JMP 0000000149b90470 .text C:\Windows\system32\csrss.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077860170 5 bytes JMP 0000000149b903e0 .text C:\Windows\system32\csrss.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077860220 5 bytes JMP 0000000149b90320 .text C:\Windows\system32\csrss.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077860250 5 bytes JMP 0000000149b903b0 .text C:\Windows\system32\csrss.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077860270 5 bytes JMP 0000000149b90390 .text C:\Windows\system32\csrss.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778602b0 5 bytes JMP 0000000149b902e0 .text C:\Windows\system32\csrss.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077860330 5 bytes JMP 0000000149b902d0 .text C:\Windows\system32\csrss.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077860350 5 bytes JMP 0000000149b90310 .text C:\Windows\system32\csrss.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077860390 5 bytes JMP 0000000149b903c0 .text C:\Windows\system32\csrss.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778603e0 5 bytes JMP 0000000149b903f0 .text C:\Windows\system32\csrss.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077860540 5 bytes JMP 0000000149b90230 .text C:\Windows\system32\csrss.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077860700 5 bytes JMP 0000000149b90480 .text C:\Windows\system32\csrss.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077860730 5 bytes JMP 0000000149b903a0 .text C:\Windows\system32\csrss.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077860810 5 bytes JMP 0000000149b902f0 .text C:\Windows\system32\csrss.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077860820 5 bytes JMP 0000000149b90350 .text C:\Windows\system32\csrss.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077860880 5 bytes JMP 0000000149b90290 .text C:\Windows\system32\csrss.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077860910 5 bytes JMP 0000000149b902b0 .text C:\Windows\system32\csrss.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077860930 5 bytes JMP 0000000149b903d0 .text C:\Windows\system32\csrss.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077860940 5 bytes JMP 0000000149b90330 .text C:\Windows\system32\csrss.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000778609b0 5 bytes JMP 0000000149b90410 .text C:\Windows\system32\csrss.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000778609e0 5 bytes JMP 0000000149b90240 .text C:\Windows\system32\csrss.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077860ca0 5 bytes JMP 0000000149b901e0 .text C:\Windows\system32\csrss.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077860d60 5 bytes JMP 0000000149b90250 .text C:\Windows\system32\csrss.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077860d90 5 bytes JMP 0000000149b90490 .text C:\Windows\system32\csrss.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077860da0 5 bytes JMP 0000000149b904a0 .text C:\Windows\system32\csrss.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077860dd0 5 bytes JMP 0000000149b90300 .text C:\Windows\system32\csrss.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077860de0 5 bytes JMP 0000000149b90360 .text C:\Windows\system32\csrss.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077860e40 5 bytes JMP 0000000149b902a0 .text C:\Windows\system32\csrss.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077860e90 5 bytes JMP 0000000149b902c0 .text C:\Windows\system32\csrss.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077860ec0 5 bytes JMP 0000000149b90380 .text C:\Windows\system32\csrss.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077860ed0 5 bytes JMP 0000000149b90340 .text C:\Windows\system32\csrss.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000778611c0 5 bytes JMP 0000000149b90440 .text C:\Windows\system32\csrss.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778613c0 5 bytes JMP 0000000149b90260 .text C:\Windows\system32\csrss.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778613d0 5 bytes JMP 0000000149b90270 .text C:\Windows\system32\csrss.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778613e0 5 bytes JMP 0000000149b90400 .text C:\Windows\system32\csrss.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778615a0 5 bytes JMP 0000000149b901f0 .text C:\Windows\system32\csrss.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778615b0 5 bytes JMP 0000000149b90210 .text C:\Windows\system32\csrss.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077861620 5 bytes JMP 0000000149b90200 .text C:\Windows\system32\csrss.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077861680 5 bytes JMP 0000000149b90420 .text C:\Windows\system32\csrss.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077861690 5 bytes JMP 0000000149b90430 .text C:\Windows\system32\csrss.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000778616a0 5 bytes JMP 0000000149b90220 .text C:\Windows\system32\csrss.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077861780 5 bytes JMP 0000000149b90280 .text C:\Windows\system32\wininit.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007785ff60 5 bytes JMP 00000000779c0460 .text C:\Windows\system32\wininit.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007785ffb0 5 bytes JMP 00000000779c0450 .text C:\Windows\system32\wininit.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077860110 5 bytes JMP 00000000779c0370 .text C:\Windows\system32\wininit.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077860160 5 bytes JMP 00000000779c0470 .text C:\Windows\system32\wininit.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077860170 5 bytes JMP 00000000779c03e0 .text C:\Windows\system32\wininit.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077860220 5 bytes JMP 00000000779c0320 .text C:\Windows\system32\wininit.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077860250 5 bytes JMP 00000000779c03b0 .text C:\Windows\system32\wininit.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077860270 5 bytes JMP 00000000779c0390 .text C:\Windows\system32\wininit.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778602b0 5 bytes JMP 00000000779c02e0 .text C:\Windows\system32\wininit.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077860330 5 bytes JMP 00000000779c02d0 .text C:\Windows\system32\wininit.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077860350 5 bytes JMP 00000000779c0310 .text C:\Windows\system32\wininit.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077860390 5 bytes JMP 00000000779c03c0 .text C:\Windows\system32\wininit.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778603e0 5 bytes JMP 00000000779c03f0 .text C:\Windows\system32\wininit.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077860540 5 bytes JMP 00000000779c0230 .text C:\Windows\system32\wininit.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077860700 5 bytes JMP 00000000779c0480 .text C:\Windows\system32\wininit.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077860730 5 bytes JMP 00000000779c03a0 .text C:\Windows\system32\wininit.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077860810 5 bytes JMP 00000000779c02f0 .text C:\Windows\system32\wininit.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077860820 5 bytes JMP 00000000779c0350 .text C:\Windows\system32\wininit.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077860880 5 bytes JMP 00000000779c0290 .text C:\Windows\system32\wininit.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077860910 5 bytes JMP 00000000779c02b0 .text C:\Windows\system32\wininit.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077860930 5 bytes JMP 00000000779c03d0 .text C:\Windows\system32\wininit.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077860940 5 bytes JMP 00000000779c0330 .text C:\Windows\system32\wininit.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000778609b0 5 bytes JMP 00000000779c0410 .text C:\Windows\system32\wininit.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000778609e0 5 bytes JMP 00000000779c0240 .text C:\Windows\system32\wininit.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077860ca0 5 bytes JMP 00000000779c01e0 .text C:\Windows\system32\wininit.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077860d60 5 bytes JMP 00000000779c0250 .text C:\Windows\system32\wininit.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077860d90 5 bytes JMP 00000000779c0490 .text C:\Windows\system32\wininit.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077860da0 5 bytes JMP 00000000779c04a0 .text C:\Windows\system32\wininit.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077860dd0 5 bytes JMP 00000000779c0300 .text C:\Windows\system32\wininit.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077860de0 5 bytes JMP 00000000779c0360 .text C:\Windows\system32\wininit.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077860e40 5 bytes JMP 00000000779c02a0 .text C:\Windows\system32\wininit.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077860e90 5 bytes JMP 00000000779c02c0 .text C:\Windows\system32\wininit.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077860ec0 5 bytes JMP 00000000779c0380 .text C:\Windows\system32\wininit.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077860ed0 5 bytes JMP 00000000779c0340 .text C:\Windows\system32\wininit.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000778611c0 5 bytes JMP 00000000779c0440 .text C:\Windows\system32\wininit.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778613c0 5 bytes JMP 00000000779c0260 .text C:\Windows\system32\wininit.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778613d0 5 bytes JMP 00000000779c0270 .text C:\Windows\system32\wininit.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778613e0 5 bytes JMP 00000000779c0400 .text C:\Windows\system32\wininit.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778615a0 5 bytes JMP 00000000779c01f0 .text C:\Windows\system32\wininit.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778615b0 5 bytes JMP 00000000779c0210 .text C:\Windows\system32\wininit.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077861620 5 bytes JMP 00000000779c0200 .text C:\Windows\system32\wininit.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077861680 5 bytes JMP 00000000779c0420 .text C:\Windows\system32\wininit.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077861690 5 bytes JMP 00000000779c0430 .text C:\Windows\system32\wininit.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000778616a0 5 bytes JMP 00000000779c0220 .text C:\Windows\system32\wininit.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077861780 5 bytes JMP 00000000779c0280 .text C:\Windows\system32\wininit.exe[552] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007764f1bd 1 byte [62] .text C:\Windows\system32\csrss.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007785ff60 5 bytes JMP 0000000100120460 .text C:\Windows\system32\csrss.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007785ffb0 5 bytes JMP 0000000100120450 .text C:\Windows\system32\csrss.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077860110 5 bytes JMP 0000000100120370 .text C:\Windows\system32\csrss.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077860160 5 bytes JMP 0000000100120470 .text C:\Windows\system32\csrss.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077860170 5 bytes JMP 00000001001203e0 .text C:\Windows\system32\csrss.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077860220 5 bytes JMP 0000000100120320 .text C:\Windows\system32\csrss.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077860250 5 bytes JMP 00000001001203b0 .text C:\Windows\system32\csrss.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077860270 5 bytes JMP 0000000100120390 .text C:\Windows\system32\csrss.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778602b0 5 bytes JMP 00000001001202e0 .text C:\Windows\system32\csrss.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077860330 5 bytes JMP 00000001001202d0 .text C:\Windows\system32\csrss.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077860350 5 bytes JMP 0000000100120310 .text C:\Windows\system32\csrss.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077860390 5 bytes JMP 00000001001203c0 .text C:\Windows\system32\csrss.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778603e0 5 bytes JMP 00000001001203f0 .text C:\Windows\system32\csrss.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077860540 5 bytes JMP 0000000100120230 .text C:\Windows\system32\csrss.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077860700 5 bytes JMP 0000000100120480 .text C:\Windows\system32\csrss.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077860730 5 bytes JMP 00000001001203a0 .text C:\Windows\system32\csrss.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077860810 5 bytes JMP 00000001001202f0 .text C:\Windows\system32\csrss.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077860820 5 bytes JMP 0000000100120350 .text C:\Windows\system32\csrss.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077860880 5 bytes JMP 0000000100120290 .text C:\Windows\system32\csrss.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077860910 5 bytes JMP 00000001001202b0 .text C:\Windows\system32\csrss.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077860930 5 bytes JMP 00000001001203d0 .text C:\Windows\system32\csrss.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077860940 5 bytes JMP 0000000100120330 .text C:\Windows\system32\csrss.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000778609b0 5 bytes JMP 0000000100120410 .text C:\Windows\system32\csrss.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000778609e0 5 bytes JMP 0000000100120240 .text C:\Windows\system32\csrss.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077860ca0 5 bytes JMP 00000001001201e0 .text C:\Windows\system32\csrss.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077860d60 5 bytes JMP 0000000100120250 .text C:\Windows\system32\csrss.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077860d90 5 bytes JMP 0000000100120490 .text C:\Windows\system32\csrss.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077860da0 5 bytes JMP 00000001001204a0 .text C:\Windows\system32\csrss.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077860dd0 5 bytes JMP 0000000100120300 .text C:\Windows\system32\csrss.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077860de0 5 bytes JMP 0000000100120360 .text C:\Windows\system32\csrss.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077860e40 5 bytes JMP 00000001001202a0 .text C:\Windows\system32\csrss.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077860e90 5 bytes JMP 00000001001202c0 .text C:\Windows\system32\csrss.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077860ec0 5 bytes JMP 0000000100120380 .text C:\Windows\system32\csrss.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077860ed0 5 bytes JMP 0000000100120340 .text C:\Windows\system32\csrss.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000778611c0 5 bytes JMP 0000000100120440 .text C:\Windows\system32\csrss.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778613c0 5 bytes JMP 0000000100120260 .text C:\Windows\system32\csrss.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778613d0 5 bytes JMP 0000000100120270 .text C:\Windows\system32\csrss.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778613e0 5 bytes JMP 0000000100120400 .text C:\Windows\system32\csrss.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778615a0 5 bytes JMP 00000001001201f0 .text C:\Windows\system32\csrss.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778615b0 5 bytes JMP 0000000100120210 .text C:\Windows\system32\csrss.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077861620 5 bytes JMP 0000000100120200 .text C:\Windows\system32\csrss.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077861680 5 bytes JMP 0000000100120420 .text C:\Windows\system32\csrss.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077861690 5 bytes JMP 0000000100120430 .text C:\Windows\system32\csrss.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000778616a0 5 bytes JMP 0000000100120220 .text C:\Windows\system32\csrss.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077861780 5 bytes JMP 0000000100120280 .text C:\Windows\system32\services.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007785ff60 5 bytes JMP 00000000779c0460 .text C:\Windows\system32\services.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007785ffb0 5 bytes JMP 00000000779c0450 .text C:\Windows\system32\services.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077860110 5 bytes JMP 00000000779c0370 .text C:\Windows\system32\services.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077860160 5 bytes JMP 00000000779c0470 .text C:\Windows\system32\services.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077860170 5 bytes JMP 00000000779c03e0 .text C:\Windows\system32\services.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077860220 5 bytes JMP 00000000779c0320 .text C:\Windows\system32\services.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077860250 5 bytes JMP 00000000779c03b0 .text C:\Windows\system32\services.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077860270 5 bytes JMP 00000000779c0390 .text C:\Windows\system32\services.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778602b0 5 bytes JMP 00000000779c02e0 .text C:\Windows\system32\services.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077860330 5 bytes JMP 00000000779c02d0 .text C:\Windows\system32\services.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077860350 5 bytes JMP 00000000779c0310 .text C:\Windows\system32\services.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077860390 5 bytes JMP 00000000779c03c0 .text C:\Windows\system32\services.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778603e0 5 bytes JMP 00000000779c03f0 .text C:\Windows\system32\services.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077860540 5 bytes JMP 00000000779c0230 .text C:\Windows\system32\services.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077860700 5 bytes JMP 00000000779c0480 .text C:\Windows\system32\services.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077860730 5 bytes JMP 00000000779c03a0 .text C:\Windows\system32\services.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077860810 5 bytes JMP 00000000779c02f0 .text C:\Windows\system32\services.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077860820 5 bytes JMP 00000000779c0350 .text C:\Windows\system32\services.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077860880 5 bytes JMP 00000000779c0290 .text C:\Windows\system32\services.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077860910 5 bytes JMP 00000000779c02b0 .text C:\Windows\system32\services.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077860930 5 bytes JMP 00000000779c03d0 .text C:\Windows\system32\services.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077860940 5 bytes JMP 00000000779c0330 .text C:\Windows\system32\services.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000778609b0 5 bytes JMP 00000000779c0410 .text C:\Windows\system32\services.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000778609e0 5 bytes JMP 00000000779c0240 .text C:\Windows\system32\services.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077860ca0 5 bytes JMP 00000000779c01e0 .text C:\Windows\system32\services.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077860d60 5 bytes JMP 00000000779c0250 .text C:\Windows\system32\services.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077860d90 5 bytes JMP 00000000779c0490 .text C:\Windows\system32\services.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077860da0 5 bytes JMP 00000000779c04a0 .text C:\Windows\system32\services.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077860dd0 5 bytes JMP 00000000779c0300 .text C:\Windows\system32\services.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077860de0 5 bytes JMP 00000000779c0360 .text C:\Windows\system32\services.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077860e40 5 bytes JMP 00000000779c02a0 .text C:\Windows\system32\services.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077860e90 5 bytes JMP 00000000779c02c0 .text C:\Windows\system32\services.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077860ec0 5 bytes JMP 00000000779c0380 .text C:\Windows\system32\services.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077860ed0 5 bytes JMP 00000000779c0340 .text C:\Windows\system32\services.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000778611c0 5 bytes JMP 00000000779c0440 .text C:\Windows\system32\services.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778613c0 5 bytes JMP 00000000779c0260 .text C:\Windows\system32\services.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778613d0 5 bytes JMP 00000000779c0270 .text C:\Windows\system32\services.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778613e0 5 bytes JMP 00000000779c0400 .text C:\Windows\system32\services.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778615a0 5 bytes JMP 00000000779c01f0 .text C:\Windows\system32\services.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778615b0 5 bytes JMP 00000000779c0210 .text C:\Windows\system32\services.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077861620 5 bytes JMP 00000000779c0200 .text C:\Windows\system32\services.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077861680 5 bytes JMP 00000000779c0420 .text C:\Windows\system32\services.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077861690 5 bytes JMP 00000000779c0430 .text C:\Windows\system32\services.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000778616a0 5 bytes JMP 00000000779c0220 .text C:\Windows\system32\services.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077861780 5 bytes JMP 00000000779c0280 .text C:\Windows\system32\services.exe[612] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007764f1bd 1 byte [62] .text C:\Windows\system32\lsass.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007785ff60 5 bytes JMP 00000000779c0460 .text C:\Windows\system32\lsass.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007785ffb0 5 bytes JMP 00000000779c0450 .text C:\Windows\system32\lsass.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077860110 5 bytes JMP 00000000779c0370 .text C:\Windows\system32\lsass.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077860160 5 bytes JMP 00000000779c0470 .text C:\Windows\system32\lsass.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077860170 5 bytes JMP 00000000779c03e0 .text C:\Windows\system32\lsass.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077860220 5 bytes JMP 00000000779c0320 .text C:\Windows\system32\lsass.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077860250 5 bytes JMP 00000000779c03b0 .text C:\Windows\system32\lsass.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077860270 5 bytes JMP 00000000779c0390 .text C:\Windows\system32\lsass.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778602b0 5 bytes JMP 00000000779c02e0 .text C:\Windows\system32\lsass.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077860330 5 bytes JMP 00000000779c02d0 .text C:\Windows\system32\lsass.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077860350 5 bytes JMP 00000000779c0310 .text C:\Windows\system32\lsass.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077860390 5 bytes JMP 00000000779c03c0 .text C:\Windows\system32\lsass.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778603e0 5 bytes JMP 00000000779c03f0 .text C:\Windows\system32\lsass.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077860540 5 bytes JMP 00000000779c0230 .text C:\Windows\system32\lsass.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077860700 5 bytes JMP 00000000779c0480 .text C:\Windows\system32\lsass.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077860730 5 bytes JMP 00000000779c03a0 .text C:\Windows\system32\lsass.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077860810 5 bytes JMP 00000000779c02f0 .text C:\Windows\system32\lsass.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077860820 5 bytes JMP 00000000779c0350 .text C:\Windows\system32\lsass.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077860880 5 bytes JMP 00000000779c0290 .text C:\Windows\system32\lsass.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077860910 5 bytes JMP 00000000779c02b0 .text C:\Windows\system32\lsass.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077860930 5 bytes JMP 00000000779c03d0 .text C:\Windows\system32\lsass.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077860940 5 bytes JMP 00000000779c0330 .text C:\Windows\system32\lsass.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000778609b0 5 bytes JMP 00000000779c0410 .text C:\Windows\system32\lsass.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000778609e0 5 bytes JMP 00000000779c0240 .text C:\Windows\system32\lsass.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077860ca0 5 bytes JMP 00000000779c01e0 .text C:\Windows\system32\lsass.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077860d60 5 bytes JMP 00000000779c0250 .text C:\Windows\system32\lsass.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077860d90 5 bytes JMP 00000000779c0490 .text C:\Windows\system32\lsass.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077860da0 5 bytes JMP 00000000779c04a0 .text C:\Windows\system32\lsass.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077860dd0 5 bytes JMP 00000000779c0300 .text C:\Windows\system32\lsass.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077860de0 5 bytes JMP 00000000779c0360 .text C:\Windows\system32\lsass.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077860e40 5 bytes JMP 00000000779c02a0 .text C:\Windows\system32\lsass.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077860e90 5 bytes JMP 00000000779c02c0 .text C:\Windows\system32\lsass.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077860ec0 5 bytes JMP 00000000779c0380 .text C:\Windows\system32\lsass.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077860ed0 5 bytes JMP 00000000779c0340 .text C:\Windows\system32\lsass.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000778611c0 5 bytes JMP 00000000779c0440 .text C:\Windows\system32\lsass.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778613c0 5 bytes JMP 00000000779c0260 .text C:\Windows\system32\lsass.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778613d0 5 bytes JMP 00000000779c0270 .text C:\Windows\system32\lsass.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778613e0 5 bytes JMP 00000000779c0400 .text C:\Windows\system32\lsass.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778615a0 5 bytes JMP 00000000779c01f0 .text C:\Windows\system32\lsass.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778615b0 5 bytes JMP 00000000779c0210 .text C:\Windows\system32\lsass.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077861620 5 bytes JMP 00000000779c0200 .text C:\Windows\system32\lsass.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077861680 5 bytes JMP 00000000779c0420 .text C:\Windows\system32\lsass.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077861690 5 bytes JMP 00000000779c0430 .text C:\Windows\system32\lsass.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000778616a0 5 bytes JMP 00000000779c0220 .text C:\Windows\system32\lsass.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077861780 5 bytes JMP 00000000779c0280 .text C:\Windows\system32\lsass.exe[636] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007764f1bd 1 byte [62] .text C:\Windows\system32\lsm.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007785ff60 5 bytes JMP 00000000779c0460 .text C:\Windows\system32\lsm.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007785ffb0 5 bytes JMP 00000000779c0450 .text C:\Windows\system32\lsm.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077860110 5 bytes JMP 00000000779c0370 .text C:\Windows\system32\lsm.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077860160 5 bytes JMP 00000000779c0470 .text C:\Windows\system32\lsm.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077860170 5 bytes JMP 00000000779c03e0 .text C:\Windows\system32\lsm.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077860220 5 bytes JMP 00000000779c0320 .text C:\Windows\system32\lsm.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077860250 5 bytes JMP 00000000779c03b0 .text C:\Windows\system32\lsm.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077860270 5 bytes JMP 00000000779c0390 .text C:\Windows\system32\lsm.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778602b0 5 bytes JMP 00000000779c02e0 .text C:\Windows\system32\lsm.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077860330 5 bytes JMP 00000000779c02d0 .text C:\Windows\system32\lsm.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077860350 5 bytes JMP 00000000779c0310 .text C:\Windows\system32\lsm.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077860390 5 bytes JMP 00000000779c03c0 .text C:\Windows\system32\lsm.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778603e0 5 bytes JMP 00000000779c03f0 .text C:\Windows\system32\lsm.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077860540 5 bytes JMP 00000000779c0230 .text C:\Windows\system32\lsm.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077860700 5 bytes JMP 00000000779c0480 .text C:\Windows\system32\lsm.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077860730 5 bytes JMP 00000000779c03a0 .text C:\Windows\system32\lsm.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077860810 5 bytes JMP 00000000779c02f0 .text C:\Windows\system32\lsm.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077860820 5 bytes JMP 00000000779c0350 .text C:\Windows\system32\lsm.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077860880 5 bytes JMP 00000000779c0290 .text C:\Windows\system32\lsm.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077860910 5 bytes JMP 00000000779c02b0 .text C:\Windows\system32\lsm.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077860930 5 bytes JMP 00000000779c03d0 .text C:\Windows\system32\lsm.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077860940 5 bytes JMP 00000000779c0330 .text C:\Windows\system32\lsm.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000778609b0 5 bytes JMP 00000000779c0410 .text C:\Windows\system32\lsm.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000778609e0 5 bytes JMP 00000000779c0240 .text C:\Windows\system32\lsm.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077860ca0 5 bytes JMP 00000000779c01e0 .text C:\Windows\system32\lsm.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077860d60 5 bytes JMP 00000000779c0250 .text C:\Windows\system32\lsm.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077860d90 5 bytes JMP 00000000779c0490 .text C:\Windows\system32\lsm.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077860da0 5 bytes JMP 00000000779c04a0 .text C:\Windows\system32\lsm.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077860dd0 5 bytes JMP 00000000779c0300 .text C:\Windows\system32\lsm.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077860de0 5 bytes JMP 00000000779c0360 .text C:\Windows\system32\lsm.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077860e40 5 bytes JMP 00000000779c02a0 .text C:\Windows\system32\lsm.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077860e90 5 bytes JMP 00000000779c02c0 .text C:\Windows\system32\lsm.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077860ec0 5 bytes JMP 00000000779c0380 .text C:\Windows\system32\lsm.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077860ed0 5 bytes JMP 00000000779c0340 .text C:\Windows\system32\lsm.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000778611c0 5 bytes JMP 00000000779c0440 .text C:\Windows\system32\lsm.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778613c0 5 bytes JMP 00000000779c0260 .text C:\Windows\system32\lsm.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778613d0 5 bytes JMP 00000000779c0270 .text C:\Windows\system32\lsm.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778613e0 5 bytes JMP 00000000779c0400 .text C:\Windows\system32\lsm.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778615a0 5 bytes JMP 00000000779c01f0 .text C:\Windows\system32\lsm.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778615b0 5 bytes JMP 00000000779c0210 .text C:\Windows\system32\lsm.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077861620 5 bytes JMP 00000000779c0200 .text C:\Windows\system32\lsm.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077861680 5 bytes JMP 00000000779c0420 .text C:\Windows\system32\lsm.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077861690 5 bytes JMP 00000000779c0430 .text C:\Windows\system32\lsm.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000778616a0 5 bytes JMP 00000000779c0220 .text C:\Windows\system32\lsm.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077861780 5 bytes JMP 00000000779c0280 .text C:\Windows\system32\winlogon.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007785ff60 5 bytes JMP 00000000779c0460 .text C:\Windows\system32\winlogon.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007785ffb0 5 bytes JMP 00000000779c0450 .text C:\Windows\system32\winlogon.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077860110 5 bytes JMP 00000000779c0370 .text C:\Windows\system32\winlogon.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077860160 5 bytes JMP 00000000779c0470 .text C:\Windows\system32\winlogon.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077860170 5 bytes JMP 00000000779c03e0 .text C:\Windows\system32\winlogon.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077860220 5 bytes JMP 00000000779c0320 .text C:\Windows\system32\winlogon.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077860250 5 bytes JMP 00000000779c03b0 .text C:\Windows\system32\winlogon.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077860270 5 bytes JMP 00000000779c0390 .text C:\Windows\system32\winlogon.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778602b0 5 bytes JMP 00000000779c02e0 .text C:\Windows\system32\winlogon.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077860330 5 bytes JMP 00000000779c02d0 .text C:\Windows\system32\winlogon.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077860350 5 bytes JMP 00000000779c0310 .text C:\Windows\system32\winlogon.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077860390 5 bytes JMP 00000000779c03c0 .text C:\Windows\system32\winlogon.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778603e0 5 bytes JMP 00000000779c03f0 .text C:\Windows\system32\winlogon.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077860540 5 bytes JMP 00000000779c0230 .text C:\Windows\system32\winlogon.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077860700 5 bytes JMP 00000000779c0480 .text C:\Windows\system32\winlogon.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077860730 5 bytes JMP 00000000779c03a0 .text C:\Windows\system32\winlogon.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077860810 5 bytes JMP 00000000779c02f0 .text C:\Windows\system32\winlogon.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077860820 5 bytes JMP 00000000779c0350 .text C:\Windows\system32\winlogon.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077860880 5 bytes JMP 00000000779c0290 .text C:\Windows\system32\winlogon.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077860910 5 bytes JMP 00000000779c02b0 .text C:\Windows\system32\winlogon.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077860930 5 bytes JMP 00000000779c03d0 .text C:\Windows\system32\winlogon.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077860940 5 bytes JMP 00000000779c0330 .text C:\Windows\system32\winlogon.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000778609b0 5 bytes JMP 00000000779c0410 .text C:\Windows\system32\winlogon.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000778609e0 5 bytes JMP 00000000779c0240 .text C:\Windows\system32\winlogon.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077860ca0 5 bytes JMP 00000000779c01e0 .text C:\Windows\system32\winlogon.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077860d60 5 bytes JMP 00000000779c0250 .text C:\Windows\system32\winlogon.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077860d90 5 bytes JMP 00000000779c0490 .text C:\Windows\system32\winlogon.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077860da0 5 bytes JMP 00000000779c04a0 .text C:\Windows\system32\winlogon.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077860dd0 5 bytes JMP 00000000779c0300 .text C:\Windows\system32\winlogon.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077860de0 5 bytes JMP 00000000779c0360 .text C:\Windows\system32\winlogon.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077860e40 5 bytes JMP 00000000779c02a0 .text C:\Windows\system32\winlogon.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077860e90 5 bytes JMP 00000000779c02c0 .text C:\Windows\system32\winlogon.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077860ec0 5 bytes JMP 00000000779c0380 .text C:\Windows\system32\winlogon.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077860ed0 5 bytes JMP 00000000779c0340 .text C:\Windows\system32\winlogon.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000778611c0 5 bytes JMP 00000000779c0440 .text C:\Windows\system32\winlogon.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778613c0 5 bytes JMP 00000000779c0260 .text C:\Windows\system32\winlogon.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778613d0 5 bytes JMP 00000000779c0270 .text C:\Windows\system32\winlogon.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778613e0 5 bytes JMP 00000000779c0400 .text C:\Windows\system32\winlogon.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778615a0 5 bytes JMP 00000000779c01f0 .text C:\Windows\system32\winlogon.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778615b0 5 bytes JMP 00000000779c0210 .text C:\Windows\system32\winlogon.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077861620 5 bytes JMP 00000000779c0200 .text C:\Windows\system32\winlogon.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077861680 5 bytes JMP 00000000779c0420 .text C:\Windows\system32\winlogon.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077861690 5 bytes JMP 00000000779c0430 .text C:\Windows\system32\winlogon.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000778616a0 5 bytes JMP 00000000779c0220 .text C:\Windows\system32\winlogon.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077861780 5 bytes JMP 00000000779c0280 .text C:\Windows\system32\winlogon.exe[700] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007764f1bd 1 byte [62] .text C:\Windows\system32\svchost.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007785ff60 5 bytes JMP 00000000779c0460 .text C:\Windows\system32\svchost.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007785ffb0 5 bytes JMP 00000000779c0450 .text C:\Windows\system32\svchost.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077860110 5 bytes JMP 00000000779c0370 .text C:\Windows\system32\svchost.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077860160 5 bytes JMP 00000000779c0470 .text C:\Windows\system32\svchost.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077860170 5 bytes JMP 00000000779c03e0 .text C:\Windows\system32\svchost.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077860220 5 bytes JMP 00000000779c0320 .text C:\Windows\system32\svchost.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077860250 5 bytes JMP 00000000779c03b0 .text C:\Windows\system32\svchost.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077860270 5 bytes JMP 00000000779c0390 .text C:\Windows\system32\svchost.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778602b0 5 bytes JMP 00000000779c02e0 .text C:\Windows\system32\svchost.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077860330 5 bytes JMP 00000000779c02d0 .text C:\Windows\system32\svchost.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077860350 5 bytes JMP 00000000779c0310 .text C:\Windows\system32\svchost.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077860390 5 bytes JMP 00000000779c03c0 .text C:\Windows\system32\svchost.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778603e0 5 bytes JMP 00000000779c03f0 .text C:\Windows\system32\svchost.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077860540 5 bytes JMP 00000000779c0230 .text C:\Windows\system32\svchost.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077860700 5 bytes JMP 00000000779c0480 .text C:\Windows\system32\svchost.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077860730 5 bytes JMP 00000000779c03a0 .text C:\Windows\system32\svchost.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077860810 5 bytes JMP 00000000779c02f0 .text C:\Windows\system32\svchost.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077860820 5 bytes JMP 00000000779c0350 .text C:\Windows\system32\svchost.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077860880 5 bytes JMP 00000000779c0290 .text C:\Windows\system32\svchost.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077860910 5 bytes JMP 00000000779c02b0 .text C:\Windows\system32\svchost.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077860930 5 bytes JMP 00000000779c03d0 .text C:\Windows\system32\svchost.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077860940 5 bytes JMP 00000000779c0330 .text C:\Windows\system32\svchost.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000778609b0 5 bytes JMP 00000000779c0410 .text C:\Windows\system32\svchost.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000778609e0 5 bytes JMP 00000000779c0240 .text C:\Windows\system32\svchost.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077860ca0 5 bytes JMP 00000000779c01e0 .text C:\Windows\system32\svchost.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077860d60 5 bytes JMP 00000000779c0250 .text C:\Windows\system32\svchost.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077860d90 5 bytes JMP 00000000779c0490 .text C:\Windows\system32\svchost.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077860da0 5 bytes JMP 00000000779c04a0 .text C:\Windows\system32\svchost.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077860dd0 5 bytes JMP 00000000779c0300 .text C:\Windows\system32\svchost.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077860de0 5 bytes JMP 00000000779c0360 .text C:\Windows\system32\svchost.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077860e40 5 bytes JMP 00000000779c02a0 .text C:\Windows\system32\svchost.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077860e90 5 bytes JMP 00000000779c02c0 .text C:\Windows\system32\svchost.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077860ec0 5 bytes JMP 00000000779c0380 .text C:\Windows\system32\svchost.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077860ed0 5 bytes JMP 00000000779c0340 .text C:\Windows\system32\svchost.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000778611c0 5 bytes JMP 00000000779c0440 .text C:\Windows\system32\svchost.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778613c0 5 bytes JMP 00000000779c0260 .text C:\Windows\system32\svchost.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778613d0 5 bytes JMP 00000000779c0270 .text C:\Windows\system32\svchost.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778613e0 5 bytes JMP 00000000779c0400 .text C:\Windows\system32\svchost.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778615a0 5 bytes JMP 00000000779c01f0 .text C:\Windows\system32\svchost.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778615b0 5 bytes JMP 00000000779c0210 .text C:\Windows\system32\svchost.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077861620 5 bytes JMP 00000000779c0200 .text C:\Windows\system32\svchost.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077861680 5 bytes JMP 00000000779c0420 .text C:\Windows\system32\svchost.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077861690 5 bytes JMP 00000000779c0430 .text C:\Windows\system32\svchost.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000778616a0 5 bytes JMP 00000000779c0220 .text C:\Windows\system32\svchost.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077861780 5 bytes JMP 00000000779c0280 .text C:\Windows\system32\svchost.exe[792] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007764f1bd 1 byte [62] .text C:\Windows\system32\nvvsvc.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007785ff60 5 bytes JMP 00000000779c0460 .text C:\Windows\system32\nvvsvc.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007785ffb0 5 bytes JMP 00000000779c0450 .text C:\Windows\system32\nvvsvc.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077860110 5 bytes JMP 00000000779c0370 .text C:\Windows\system32\nvvsvc.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077860160 5 bytes JMP 00000000779c0470 .text C:\Windows\system32\nvvsvc.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077860170 5 bytes JMP 00000000779c03e0 .text C:\Windows\system32\nvvsvc.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077860220 5 bytes JMP 00000000779c0320 .text C:\Windows\system32\nvvsvc.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077860250 5 bytes JMP 00000000779c03b0 .text C:\Windows\system32\nvvsvc.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077860270 5 bytes JMP 00000000779c0390 .text C:\Windows\system32\nvvsvc.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778602b0 5 bytes JMP 00000000779c02e0 .text C:\Windows\system32\nvvsvc.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077860330 5 bytes JMP 00000000779c02d0 .text C:\Windows\system32\nvvsvc.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077860350 5 bytes JMP 00000000779c0310 .text C:\Windows\system32\nvvsvc.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077860390 5 bytes JMP 00000000779c03c0 .text C:\Windows\system32\nvvsvc.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778603e0 5 bytes JMP 00000000779c03f0 .text C:\Windows\system32\nvvsvc.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077860540 5 bytes JMP 00000000779c0230 .text C:\Windows\system32\nvvsvc.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077860700 5 bytes JMP 00000000779c0480 .text C:\Windows\system32\nvvsvc.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077860730 5 bytes JMP 00000000779c03a0 .text C:\Windows\system32\nvvsvc.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077860810 5 bytes JMP 00000000779c02f0 .text C:\Windows\system32\nvvsvc.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077860820 5 bytes JMP 00000000779c0350 .text C:\Windows\system32\nvvsvc.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077860880 5 bytes JMP 00000000779c0290 .text C:\Windows\system32\nvvsvc.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077860910 5 bytes JMP 00000000779c02b0 .text C:\Windows\system32\nvvsvc.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077860930 5 bytes JMP 00000000779c03d0 .text C:\Windows\system32\nvvsvc.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077860940 5 bytes JMP 00000000779c0330 .text C:\Windows\system32\nvvsvc.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000778609b0 5 bytes JMP 00000000779c0410 .text C:\Windows\system32\nvvsvc.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000778609e0 5 bytes JMP 00000000779c0240 .text C:\Windows\system32\nvvsvc.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077860ca0 5 bytes JMP 00000000779c01e0 .text C:\Windows\system32\nvvsvc.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077860d60 5 bytes JMP 00000000779c0250 .text C:\Windows\system32\nvvsvc.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077860d90 5 bytes JMP 00000000779c0490 .text C:\Windows\system32\nvvsvc.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077860da0 5 bytes JMP 00000000779c04a0 .text C:\Windows\system32\nvvsvc.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077860dd0 5 bytes JMP 00000000779c0300 .text C:\Windows\system32\nvvsvc.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077860de0 5 bytes JMP 00000000779c0360 .text C:\Windows\system32\nvvsvc.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077860e40 5 bytes JMP 00000000779c02a0 .text C:\Windows\system32\nvvsvc.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077860e90 5 bytes JMP 00000000779c02c0 .text C:\Windows\system32\nvvsvc.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077860ec0 5 bytes JMP 00000000779c0380 .text C:\Windows\system32\nvvsvc.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077860ed0 5 bytes JMP 00000000779c0340 .text C:\Windows\system32\nvvsvc.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000778611c0 5 bytes JMP 00000000779c0440 .text C:\Windows\system32\nvvsvc.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778613c0 5 bytes JMP 00000000779c0260 .text C:\Windows\system32\nvvsvc.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778613d0 5 bytes JMP 00000000779c0270 .text C:\Windows\system32\nvvsvc.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778613e0 5 bytes JMP 00000000779c0400 .text C:\Windows\system32\nvvsvc.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778615a0 5 bytes JMP 00000000779c01f0 .text C:\Windows\system32\nvvsvc.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778615b0 5 bytes JMP 00000000779c0210 .text C:\Windows\system32\nvvsvc.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077861620 5 bytes JMP 00000000779c0200 .text C:\Windows\system32\nvvsvc.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077861680 5 bytes JMP 00000000779c0420 .text C:\Windows\system32\nvvsvc.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077861690 5 bytes JMP 00000000779c0430 .text C:\Windows\system32\nvvsvc.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000778616a0 5 bytes JMP 00000000779c0220 .text C:\Windows\system32\nvvsvc.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077861780 5 bytes JMP 00000000779c0280 .text C:\Windows\system32\nvvsvc.exe[868] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007764f1bd 1 byte [62] .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[892] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000075e2b0c5 1 byte [62] .text C:\Windows\system32\svchost.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007785ff60 5 bytes JMP 00000000779c0460 .text C:\Windows\system32\svchost.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007785ffb0 5 bytes JMP 00000000779c0450 .text C:\Windows\system32\svchost.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077860110 5 bytes JMP 00000000779c0370 .text C:\Windows\system32\svchost.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077860160 5 bytes JMP 00000000779c0470 .text C:\Windows\system32\svchost.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077860170 5 bytes JMP 00000000779c03e0 .text C:\Windows\system32\svchost.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077860220 5 bytes JMP 00000000779c0320 .text C:\Windows\system32\svchost.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077860250 5 bytes JMP 00000000779c03b0 .text C:\Windows\system32\svchost.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077860270 5 bytes JMP 00000000779c0390 .text C:\Windows\system32\svchost.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778602b0 5 bytes JMP 00000000779c02e0 .text C:\Windows\system32\svchost.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077860330 5 bytes JMP 00000000779c02d0 .text C:\Windows\system32\svchost.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077860350 5 bytes JMP 00000000779c0310 .text C:\Windows\system32\svchost.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077860390 5 bytes JMP 00000000779c03c0 .text C:\Windows\system32\svchost.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778603e0 5 bytes JMP 00000000779c03f0 .text C:\Windows\system32\svchost.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077860540 5 bytes JMP 00000000779c0230 .text C:\Windows\system32\svchost.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077860700 5 bytes JMP 00000000779c0480 .text C:\Windows\system32\svchost.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077860730 5 bytes JMP 00000000779c03a0 .text C:\Windows\system32\svchost.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077860810 5 bytes JMP 00000000779c02f0 .text C:\Windows\system32\svchost.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077860820 5 bytes JMP 00000000779c0350 .text C:\Windows\system32\svchost.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077860880 5 bytes JMP 00000000779c0290 .text C:\Windows\system32\svchost.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077860910 5 bytes JMP 00000000779c02b0 .text C:\Windows\system32\svchost.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077860930 5 bytes JMP 00000000779c03d0 .text C:\Windows\system32\svchost.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077860940 5 bytes JMP 00000000779c0330 .text C:\Windows\system32\svchost.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000778609b0 5 bytes JMP 00000000779c0410 .text C:\Windows\system32\svchost.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000778609e0 5 bytes JMP 00000000779c0240 .text C:\Windows\system32\svchost.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077860ca0 5 bytes JMP 00000000779c01e0 .text C:\Windows\system32\svchost.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077860d60 5 bytes JMP 00000000779c0250 .text C:\Windows\system32\svchost.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077860d90 5 bytes JMP 00000000779c0490 .text C:\Windows\system32\svchost.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077860da0 5 bytes JMP 00000000779c04a0 .text C:\Windows\system32\svchost.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077860dd0 5 bytes JMP 00000000779c0300 .text C:\Windows\system32\svchost.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077860de0 5 bytes JMP 00000000779c0360 .text C:\Windows\system32\svchost.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077860e40 5 bytes JMP 00000000779c02a0 .text C:\Windows\system32\svchost.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077860e90 5 bytes JMP 00000000779c02c0 .text C:\Windows\system32\svchost.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077860ec0 5 bytes JMP 00000000779c0380 .text C:\Windows\system32\svchost.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077860ed0 5 bytes JMP 00000000779c0340 .text C:\Windows\system32\svchost.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000778611c0 5 bytes JMP 00000000779c0440 .text C:\Windows\system32\svchost.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778613c0 5 bytes JMP 00000000779c0260 .text C:\Windows\system32\svchost.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778613d0 5 bytes JMP 00000000779c0270 .text C:\Windows\system32\svchost.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778613e0 5 bytes JMP 00000000779c0400 .text C:\Windows\system32\svchost.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778615a0 5 bytes JMP 00000000779c01f0 .text C:\Windows\system32\svchost.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778615b0 5 bytes JMP 00000000779c0210 .text C:\Windows\system32\svchost.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077861620 5 bytes JMP 00000000779c0200 .text C:\Windows\system32\svchost.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077861680 5 bytes JMP 00000000779c0420 .text C:\Windows\system32\svchost.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077861690 5 bytes JMP 00000000779c0430 .text C:\Windows\system32\svchost.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000778616a0 5 bytes JMP 00000000779c0220 .text C:\Windows\system32\svchost.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077861780 5 bytes JMP 00000000779c0280 .text C:\Windows\system32\svchost.exe[924] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007764f1bd 1 byte [62] .text C:\Windows\System32\svchost.exe[120] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007785ff60 5 bytes JMP 00000000779c0460 .text C:\Windows\System32\svchost.exe[120] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007785ffb0 5 bytes JMP 00000000779c0450 .text C:\Windows\System32\svchost.exe[120] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077860110 5 bytes JMP 00000000779c0370 .text C:\Windows\System32\svchost.exe[120] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077860160 5 bytes JMP 00000000779c0470 .text C:\Windows\System32\svchost.exe[120] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077860170 5 bytes JMP 00000000779c03e0 .text C:\Windows\System32\svchost.exe[120] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077860220 5 bytes JMP 00000000779c0320 .text C:\Windows\System32\svchost.exe[120] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077860250 5 bytes JMP 00000000779c03b0 .text C:\Windows\System32\svchost.exe[120] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077860270 5 bytes JMP 00000000779c0390 .text C:\Windows\System32\svchost.exe[120] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778602b0 5 bytes JMP 00000000779c02e0 .text C:\Windows\System32\svchost.exe[120] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077860330 5 bytes JMP 00000000779c02d0 .text C:\Windows\System32\svchost.exe[120] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077860350 5 bytes JMP 00000000779c0310 .text C:\Windows\System32\svchost.exe[120] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077860390 5 bytes JMP 00000000779c03c0 .text C:\Windows\System32\svchost.exe[120] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778603e0 5 bytes JMP 00000000779c03f0 .text C:\Windows\System32\svchost.exe[120] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077860540 5 bytes JMP 00000000779c0230 .text C:\Windows\System32\svchost.exe[120] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077860700 5 bytes JMP 00000000779c0480 .text C:\Windows\System32\svchost.exe[120] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077860730 5 bytes JMP 00000000779c03a0 .text C:\Windows\System32\svchost.exe[120] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077860810 5 bytes JMP 00000000779c02f0 .text C:\Windows\System32\svchost.exe[120] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077860820 5 bytes JMP 00000000779c0350 .text C:\Windows\System32\svchost.exe[120] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077860880 5 bytes JMP 00000000779c0290 .text C:\Windows\System32\svchost.exe[120] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077860910 5 bytes JMP 00000000779c02b0 .text C:\Windows\System32\svchost.exe[120] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077860930 5 bytes JMP 00000000779c03d0 .text C:\Windows\System32\svchost.exe[120] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077860940 5 bytes JMP 00000000779c0330 .text C:\Windows\System32\svchost.exe[120] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000778609b0 5 bytes JMP 00000000779c0410 .text C:\Windows\System32\svchost.exe[120] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000778609e0 5 bytes JMP 00000000779c0240 .text C:\Windows\System32\svchost.exe[120] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077860ca0 5 bytes JMP 00000000779c01e0 .text C:\Windows\System32\svchost.exe[120] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077860d60 5 bytes JMP 00000000779c0250 .text C:\Windows\System32\svchost.exe[120] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077860d90 5 bytes JMP 00000000779c0490 .text C:\Windows\System32\svchost.exe[120] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077860da0 5 bytes JMP 00000000779c04a0 .text C:\Windows\System32\svchost.exe[120] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077860dd0 5 bytes JMP 00000000779c0300 .text C:\Windows\System32\svchost.exe[120] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077860de0 5 bytes JMP 00000000779c0360 .text C:\Windows\System32\svchost.exe[120] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077860e40 5 bytes JMP 00000000779c02a0 .text C:\Windows\System32\svchost.exe[120] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077860e90 5 bytes JMP 00000000779c02c0 .text C:\Windows\System32\svchost.exe[120] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077860ec0 5 bytes JMP 00000000779c0380 .text C:\Windows\System32\svchost.exe[120] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077860ed0 5 bytes JMP 00000000779c0340 .text C:\Windows\System32\svchost.exe[120] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000778611c0 5 bytes JMP 00000000779c0440 .text C:\Windows\System32\svchost.exe[120] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778613c0 5 bytes JMP 00000000779c0260 .text C:\Windows\System32\svchost.exe[120] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778613d0 5 bytes JMP 00000000779c0270 .text C:\Windows\System32\svchost.exe[120] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778613e0 5 bytes JMP 00000000779c0400 .text C:\Windows\System32\svchost.exe[120] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778615a0 5 bytes JMP 00000000779c01f0 .text C:\Windows\System32\svchost.exe[120] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778615b0 5 bytes JMP 00000000779c0210 .text C:\Windows\System32\svchost.exe[120] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077861620 5 bytes JMP 00000000779c0200 .text C:\Windows\System32\svchost.exe[120] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077861680 5 bytes JMP 00000000779c0420 .text C:\Windows\System32\svchost.exe[120] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077861690 5 bytes JMP 00000000779c0430 .text C:\Windows\System32\svchost.exe[120] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000778616a0 5 bytes JMP 00000000779c0220 .text C:\Windows\System32\svchost.exe[120] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077861780 5 bytes JMP 00000000779c0280 .text C:\Windows\System32\svchost.exe[120] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007764f1bd 1 byte [62] .text C:\Windows\System32\svchost.exe[372] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007785ff60 5 bytes JMP 00000000779c0460 .text C:\Windows\System32\svchost.exe[372] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007785ffb0 5 bytes JMP 00000000779c0450 .text C:\Windows\System32\svchost.exe[372] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077860110 5 bytes JMP 00000000779c0370 .text C:\Windows\System32\svchost.exe[372] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077860160 5 bytes JMP 00000000779c0470 .text C:\Windows\System32\svchost.exe[372] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077860170 5 bytes JMP 00000000779c03e0 .text C:\Windows\System32\svchost.exe[372] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077860220 5 bytes JMP 00000000779c0320 .text C:\Windows\System32\svchost.exe[372] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077860250 5 bytes JMP 00000000779c03b0 .text C:\Windows\System32\svchost.exe[372] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077860270 5 bytes JMP 00000000779c0390 .text C:\Windows\System32\svchost.exe[372] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778602b0 5 bytes JMP 00000000779c02e0 .text C:\Windows\System32\svchost.exe[372] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077860330 5 bytes JMP 00000000779c02d0 .text C:\Windows\System32\svchost.exe[372] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077860350 5 bytes JMP 00000000779c0310 .text C:\Windows\System32\svchost.exe[372] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077860390 5 bytes JMP 00000000779c03c0 .text C:\Windows\System32\svchost.exe[372] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778603e0 5 bytes JMP 00000000779c03f0 .text C:\Windows\System32\svchost.exe[372] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077860540 5 bytes JMP 00000000779c0230 .text C:\Windows\System32\svchost.exe[372] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077860700 5 bytes JMP 00000000779c0480 .text C:\Windows\System32\svchost.exe[372] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077860730 5 bytes JMP 00000000779c03a0 .text C:\Windows\System32\svchost.exe[372] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077860810 5 bytes JMP 00000000779c02f0 .text C:\Windows\System32\svchost.exe[372] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077860820 5 bytes JMP 00000000779c0350 .text C:\Windows\System32\svchost.exe[372] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077860880 5 bytes JMP 00000000779c0290 .text C:\Windows\System32\svchost.exe[372] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077860910 5 bytes JMP 00000000779c02b0 .text C:\Windows\System32\svchost.exe[372] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077860930 5 bytes JMP 00000000779c03d0 .text C:\Windows\System32\svchost.exe[372] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077860940 5 bytes JMP 00000000779c0330 .text C:\Windows\System32\svchost.exe[372] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000778609b0 5 bytes JMP 00000000779c0410 .text C:\Windows\System32\svchost.exe[372] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000778609e0 5 bytes JMP 00000000779c0240 .text C:\Windows\System32\svchost.exe[372] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077860ca0 5 bytes JMP 00000000779c01e0 .text C:\Windows\System32\svchost.exe[372] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077860d60 5 bytes JMP 00000000779c0250 .text C:\Windows\System32\svchost.exe[372] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077860d90 5 bytes JMP 00000000779c0490 .text C:\Windows\System32\svchost.exe[372] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077860da0 5 bytes JMP 00000000779c04a0 .text C:\Windows\System32\svchost.exe[372] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077860dd0 5 bytes JMP 00000000779c0300 .text C:\Windows\System32\svchost.exe[372] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077860de0 5 bytes JMP 00000000779c0360 .text C:\Windows\System32\svchost.exe[372] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077860e40 5 bytes JMP 00000000779c02a0 .text C:\Windows\System32\svchost.exe[372] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077860e90 5 bytes JMP 00000000779c02c0 .text C:\Windows\System32\svchost.exe[372] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077860ec0 5 bytes JMP 00000000779c0380 .text C:\Windows\System32\svchost.exe[372] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077860ed0 5 bytes JMP 00000000779c0340 .text C:\Windows\System32\svchost.exe[372] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000778611c0 5 bytes JMP 00000000779c0440 .text C:\Windows\System32\svchost.exe[372] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778613c0 5 bytes JMP 00000000779c0260 .text C:\Windows\System32\svchost.exe[372] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778613d0 5 bytes JMP 00000000779c0270 .text C:\Windows\System32\svchost.exe[372] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778613e0 5 bytes JMP 00000000779c0400 .text C:\Windows\System32\svchost.exe[372] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778615a0 5 bytes JMP 00000000779c01f0 .text C:\Windows\System32\svchost.exe[372] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778615b0 5 bytes JMP 00000000779c0210 .text C:\Windows\System32\svchost.exe[372] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077861620 5 bytes JMP 00000000779c0200 .text C:\Windows\System32\svchost.exe[372] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077861680 5 bytes JMP 00000000779c0420 .text C:\Windows\System32\svchost.exe[372] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077861690 5 bytes JMP 00000000779c0430 .text C:\Windows\System32\svchost.exe[372] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000778616a0 5 bytes JMP 00000000779c0220 .text C:\Windows\System32\svchost.exe[372] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077861780 5 bytes JMP 00000000779c0280 .text C:\Windows\System32\svchost.exe[372] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007764f1bd 1 byte [62] .text C:\Windows\system32\svchost.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007785ff60 5 bytes JMP 0000000100070460 .text C:\Windows\system32\svchost.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007785ffb0 5 bytes JMP 0000000100070450 .text C:\Windows\system32\svchost.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077860110 5 bytes JMP 0000000100070370 .text C:\Windows\system32\svchost.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077860160 5 bytes JMP 0000000100070470 .text C:\Windows\system32\svchost.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077860170 5 bytes JMP 00000001000703e0 .text C:\Windows\system32\svchost.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077860220 5 bytes JMP 0000000100070320 .text C:\Windows\system32\svchost.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077860250 5 bytes JMP 00000001000703b0 .text C:\Windows\system32\svchost.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077860270 5 bytes JMP 0000000100070390 .text C:\Windows\system32\svchost.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778602b0 5 bytes JMP 00000001000702e0 .text C:\Windows\system32\svchost.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077860330 5 bytes JMP 00000001000702d0 .text C:\Windows\system32\svchost.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077860350 5 bytes JMP 0000000100070310 .text C:\Windows\system32\svchost.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077860390 5 bytes JMP 00000001000703c0 .text C:\Windows\system32\svchost.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778603e0 5 bytes JMP 00000001000703f0 .text C:\Windows\system32\svchost.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077860540 5 bytes JMP 0000000100070230 .text C:\Windows\system32\svchost.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077860700 5 bytes JMP 0000000100070480 .text C:\Windows\system32\svchost.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077860730 5 bytes JMP 00000001000703a0 .text C:\Windows\system32\svchost.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077860810 5 bytes JMP 00000001000702f0 .text C:\Windows\system32\svchost.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077860820 5 bytes JMP 0000000100070350 .text C:\Windows\system32\svchost.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077860880 5 bytes JMP 0000000100070290 .text C:\Windows\system32\svchost.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077860910 5 bytes JMP 00000001000702b0 .text C:\Windows\system32\svchost.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077860930 5 bytes JMP 00000001000703d0 .text C:\Windows\system32\svchost.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077860940 5 bytes JMP 0000000100070330 .text C:\Windows\system32\svchost.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000778609b0 5 bytes JMP 0000000100070410 .text C:\Windows\system32\svchost.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000778609e0 5 bytes JMP 0000000100070240 .text C:\Windows\system32\svchost.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077860ca0 5 bytes JMP 00000001000701e0 .text C:\Windows\system32\svchost.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077860d60 5 bytes JMP 0000000100070250 .text C:\Windows\system32\svchost.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077860d90 5 bytes JMP 0000000100070490 .text C:\Windows\system32\svchost.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077860da0 5 bytes JMP 00000001000704a0 .text C:\Windows\system32\svchost.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077860dd0 5 bytes JMP 0000000100070300 .text C:\Windows\system32\svchost.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077860de0 5 bytes JMP 0000000100070360 .text C:\Windows\system32\svchost.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077860e40 5 bytes JMP 00000001000702a0 .text C:\Windows\system32\svchost.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077860e90 5 bytes JMP 00000001000702c0 .text C:\Windows\system32\svchost.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077860ec0 5 bytes JMP 0000000100070380 .text C:\Windows\system32\svchost.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077860ed0 5 bytes JMP 0000000100070340 .text C:\Windows\system32\svchost.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000778611c0 5 bytes JMP 0000000100070440 .text C:\Windows\system32\svchost.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778613c0 5 bytes JMP 0000000100070260 .text C:\Windows\system32\svchost.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778613d0 5 bytes JMP 0000000100070270 .text C:\Windows\system32\svchost.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778613e0 5 bytes JMP 0000000100070400 .text C:\Windows\system32\svchost.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778615a0 5 bytes JMP 00000001000701f0 .text C:\Windows\system32\svchost.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778615b0 5 bytes JMP 0000000100070210 .text C:\Windows\system32\svchost.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077861620 5 bytes JMP 0000000100070200 .text C:\Windows\system32\svchost.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077861680 5 bytes JMP 0000000100070420 .text C:\Windows\system32\svchost.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077861690 5 bytes JMP 0000000100070430 .text C:\Windows\system32\svchost.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000778616a0 5 bytes JMP 0000000100070220 .text C:\Windows\system32\svchost.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077861780 5 bytes JMP 0000000100070280 .text C:\Windows\system32\svchost.exe[480] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007764f1bd 1 byte [62] .text C:\Windows\system32\AUDIODG.EXE[1036] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007785ff60 5 bytes JMP 00000000779c0460 .text C:\Windows\system32\AUDIODG.EXE[1036] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007785ffb0 5 bytes JMP 00000000779c0450 .text C:\Windows\system32\AUDIODG.EXE[1036] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077860110 5 bytes JMP 00000000779c0370 .text C:\Windows\system32\AUDIODG.EXE[1036] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077860160 5 bytes JMP 00000000779c0470 .text C:\Windows\system32\AUDIODG.EXE[1036] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077860170 5 bytes JMP 00000000779c03e0 .text C:\Windows\system32\AUDIODG.EXE[1036] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077860220 5 bytes JMP 00000000779c0320 .text C:\Windows\system32\AUDIODG.EXE[1036] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077860250 5 bytes JMP 00000000779c03b0 .text C:\Windows\system32\AUDIODG.EXE[1036] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077860270 5 bytes JMP 00000000779c0390 .text C:\Windows\system32\AUDIODG.EXE[1036] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778602b0 5 bytes JMP 00000000779c02e0 .text C:\Windows\system32\AUDIODG.EXE[1036] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077860330 5 bytes JMP 00000000779c02d0 .text C:\Windows\system32\AUDIODG.EXE[1036] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077860350 5 bytes JMP 00000000779c0310 .text C:\Windows\system32\AUDIODG.EXE[1036] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077860390 5 bytes JMP 00000000779c03c0 .text C:\Windows\system32\AUDIODG.EXE[1036] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778603e0 5 bytes JMP 00000000779c03f0 .text C:\Windows\system32\AUDIODG.EXE[1036] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077860540 5 bytes JMP 00000000779c0230 .text C:\Windows\system32\AUDIODG.EXE[1036] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077860700 5 bytes JMP 00000000779c0480 .text C:\Windows\system32\AUDIODG.EXE[1036] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077860730 5 bytes JMP 00000000779c03a0 .text C:\Windows\system32\AUDIODG.EXE[1036] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077860810 5 bytes JMP 00000000779c02f0 .text C:\Windows\system32\AUDIODG.EXE[1036] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077860820 5 bytes JMP 00000000779c0350 .text C:\Windows\system32\AUDIODG.EXE[1036] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077860880 5 bytes JMP 00000000779c0290 .text C:\Windows\system32\AUDIODG.EXE[1036] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077860910 5 bytes JMP 00000000779c02b0 .text C:\Windows\system32\AUDIODG.EXE[1036] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077860930 5 bytes JMP 00000000779c03d0 .text C:\Windows\system32\AUDIODG.EXE[1036] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077860940 5 bytes JMP 00000000779c0330 .text C:\Windows\system32\AUDIODG.EXE[1036] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000778609b0 5 bytes JMP 00000000779c0410 .text C:\Windows\system32\AUDIODG.EXE[1036] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000778609e0 5 bytes JMP 00000000779c0240 .text C:\Windows\system32\AUDIODG.EXE[1036] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077860ca0 5 bytes JMP 00000000779c01e0 .text C:\Windows\system32\AUDIODG.EXE[1036] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077860d60 5 bytes JMP 00000000779c0250 .text C:\Windows\system32\AUDIODG.EXE[1036] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077860d90 5 bytes JMP 00000000779c0490 .text C:\Windows\system32\AUDIODG.EXE[1036] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077860da0 5 bytes JMP 00000000779c04a0 .text C:\Windows\system32\AUDIODG.EXE[1036] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077860dd0 5 bytes JMP 00000000779c0300 .text C:\Windows\system32\AUDIODG.EXE[1036] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077860de0 5 bytes JMP 00000000779c0360 .text C:\Windows\system32\AUDIODG.EXE[1036] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077860e40 5 bytes JMP 00000000779c02a0 .text C:\Windows\system32\AUDIODG.EXE[1036] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077860e90 5 bytes JMP 00000000779c02c0 .text C:\Windows\system32\AUDIODG.EXE[1036] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077860ec0 5 bytes JMP 00000000779c0380 .text C:\Windows\system32\AUDIODG.EXE[1036] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077860ed0 5 bytes JMP 00000000779c0340 .text C:\Windows\system32\AUDIODG.EXE[1036] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000778611c0 5 bytes JMP 00000000779c0440 .text C:\Windows\system32\AUDIODG.EXE[1036] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778613c0 5 bytes JMP 00000000779c0260 .text C:\Windows\system32\AUDIODG.EXE[1036] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778613d0 5 bytes JMP 00000000779c0270 .text C:\Windows\system32\AUDIODG.EXE[1036] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778613e0 5 bytes JMP 00000000779c0400 .text C:\Windows\system32\AUDIODG.EXE[1036] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778615a0 5 bytes JMP 00000000779c01f0 .text C:\Windows\system32\AUDIODG.EXE[1036] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778615b0 5 bytes JMP 00000000779c0210 .text C:\Windows\system32\AUDIODG.EXE[1036] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077861620 5 bytes JMP 00000000779c0200 .text C:\Windows\system32\AUDIODG.EXE[1036] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077861680 5 bytes JMP 00000000779c0420 .text C:\Windows\system32\AUDIODG.EXE[1036] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077861690 5 bytes JMP 00000000779c0430 .text C:\Windows\system32\AUDIODG.EXE[1036] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000778616a0 5 bytes JMP 00000000779c0220 .text C:\Windows\system32\AUDIODG.EXE[1036] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077861780 5 bytes JMP 00000000779c0280 .text C:\Windows\system32\AUDIODG.EXE[1036] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007764f1bd 1 byte [62] .text C:\Windows\system32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007785ff60 5 bytes JMP 00000000779c0460 .text C:\Windows\system32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007785ffb0 5 bytes JMP 00000000779c0450 .text C:\Windows\system32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077860110 5 bytes JMP 00000000779c0370 .text C:\Windows\system32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077860160 5 bytes JMP 00000000779c0470 .text C:\Windows\system32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077860170 5 bytes JMP 00000000779c03e0 .text C:\Windows\system32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077860220 5 bytes JMP 00000000779c0320 .text C:\Windows\system32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077860250 5 bytes JMP 00000000779c03b0 .text C:\Windows\system32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077860270 5 bytes JMP 00000000779c0390 .text C:\Windows\system32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778602b0 5 bytes JMP 00000000779c02e0 .text C:\Windows\system32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077860330 5 bytes JMP 00000000779c02d0 .text C:\Windows\system32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077860350 5 bytes JMP 00000000779c0310 .text C:\Windows\system32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077860390 5 bytes JMP 00000000779c03c0 .text C:\Windows\system32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778603e0 5 bytes JMP 00000000779c03f0 .text C:\Windows\system32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077860540 5 bytes JMP 00000000779c0230 .text C:\Windows\system32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077860700 5 bytes JMP 00000000779c0480 .text C:\Windows\system32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077860730 5 bytes JMP 00000000779c03a0 .text C:\Windows\system32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077860810 5 bytes JMP 00000000779c02f0 .text C:\Windows\system32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077860820 5 bytes JMP 00000000779c0350 .text C:\Windows\system32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077860880 5 bytes JMP 00000000779c0290 .text C:\Windows\system32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077860910 5 bytes JMP 00000000779c02b0 .text C:\Windows\system32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077860930 5 bytes JMP 00000000779c03d0 .text C:\Windows\system32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077860940 5 bytes JMP 00000000779c0330 .text C:\Windows\system32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000778609b0 5 bytes JMP 00000000779c0410 .text C:\Windows\system32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000778609e0 5 bytes JMP 00000000779c0240 .text C:\Windows\system32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077860ca0 5 bytes JMP 00000000779c01e0 .text C:\Windows\system32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077860d60 5 bytes JMP 00000000779c0250 .text C:\Windows\system32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077860d90 5 bytes JMP 00000000779c0490 .text C:\Windows\system32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077860da0 5 bytes JMP 00000000779c04a0 .text C:\Windows\system32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077860dd0 5 bytes JMP 00000000779c0300 .text C:\Windows\system32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077860de0 5 bytes JMP 00000000779c0360 .text C:\Windows\system32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077860e40 5 bytes JMP 00000000779c02a0 .text C:\Windows\system32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077860e90 5 bytes JMP 00000000779c02c0 .text C:\Windows\system32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077860ec0 5 bytes JMP 00000000779c0380 .text C:\Windows\system32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077860ed0 5 bytes JMP 00000000779c0340 .text C:\Windows\system32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000778611c0 5 bytes JMP 00000000779c0440 .text C:\Windows\system32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778613c0 5 bytes JMP 00000000779c0260 .text C:\Windows\system32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778613d0 5 bytes JMP 00000000779c0270 .text C:\Windows\system32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778613e0 5 bytes JMP 00000000779c0400 .text C:\Windows\system32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778615a0 5 bytes JMP 00000000779c01f0 .text C:\Windows\system32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778615b0 5 bytes JMP 00000000779c0210 .text C:\Windows\system32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077861620 5 bytes JMP 00000000779c0200 .text C:\Windows\system32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077861680 5 bytes JMP 00000000779c0420 .text C:\Windows\system32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077861690 5 bytes JMP 00000000779c0430 .text C:\Windows\system32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000778616a0 5 bytes JMP 00000000779c0220 .text C:\Windows\system32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077861780 5 bytes JMP 00000000779c0280 .text C:\Windows\system32\svchost.exe[1140] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007764f1bd 1 byte [62] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1248] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007785ff60 5 bytes JMP 00000000779c0460 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1248] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007785ffb0 5 bytes JMP 00000000779c0450 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1248] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077860110 5 bytes JMP 00000000779c0370 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1248] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077860160 5 bytes JMP 00000000779c0470 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1248] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077860170 5 bytes JMP 00000000779c03e0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1248] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077860220 5 bytes JMP 00000000779c0320 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1248] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077860250 5 bytes JMP 00000000779c03b0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1248] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077860270 5 bytes JMP 00000000779c0390 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1248] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778602b0 5 bytes JMP 00000000779c02e0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1248] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077860330 5 bytes JMP 00000000779c02d0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1248] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077860350 5 bytes JMP 00000000779c0310 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1248] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077860390 5 bytes JMP 00000000779c03c0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1248] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778603e0 5 bytes JMP 00000000779c03f0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1248] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077860540 5 bytes JMP 00000000779c0230 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1248] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077860700 5 bytes JMP 00000000779c0480 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1248] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077860730 5 bytes JMP 00000000779c03a0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1248] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077860810 5 bytes JMP 00000000779c02f0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1248] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077860820 5 bytes JMP 00000000779c0350 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1248] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077860880 5 bytes JMP 00000000779c0290 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1248] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077860910 5 bytes JMP 00000000779c02b0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1248] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077860930 5 bytes JMP 00000000779c03d0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1248] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077860940 5 bytes JMP 00000000779c0330 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1248] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000778609b0 5 bytes JMP 00000000779c0410 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1248] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000778609e0 5 bytes JMP 00000000779c0240 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1248] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077860ca0 5 bytes JMP 00000000779c01e0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1248] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077860d60 5 bytes JMP 00000000779c0250 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1248] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077860d90 5 bytes JMP 00000000779c0490 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1248] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077860da0 5 bytes JMP 00000000779c04a0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1248] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077860dd0 5 bytes JMP 00000000779c0300 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1248] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077860de0 5 bytes JMP 00000000779c0360 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1248] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077860e40 5 bytes JMP 00000000779c02a0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1248] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077860e90 5 bytes JMP 00000000779c02c0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1248] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077860ec0 5 bytes JMP 00000000779c0380 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1248] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077860ed0 5 bytes JMP 00000000779c0340 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1248] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000778611c0 5 bytes JMP 00000000779c0440 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1248] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778613c0 5 bytes JMP 00000000779c0260 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1248] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778613d0 5 bytes JMP 00000000779c0270 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1248] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778613e0 5 bytes JMP 00000000779c0400 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1248] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778615a0 5 bytes JMP 00000000779c01f0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1248] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778615b0 5 bytes JMP 00000000779c0210 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1248] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077861620 5 bytes JMP 00000000779c0200 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1248] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077861680 5 bytes JMP 00000000779c0420 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1248] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077861690 5 bytes JMP 00000000779c0430 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1248] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000778616a0 5 bytes JMP 00000000779c0220 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1248] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077861780 5 bytes JMP 00000000779c0280 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1248] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007764f1bd 1 byte [62] .text C:\Windows\system32\nvvsvc.exe[1260] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007785ff60 5 bytes JMP 0000000100060460 .text C:\Windows\system32\nvvsvc.exe[1260] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007785ffb0 5 bytes JMP 0000000100060450 .text C:\Windows\system32\nvvsvc.exe[1260] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077860110 5 bytes JMP 0000000100060370 .text C:\Windows\system32\nvvsvc.exe[1260] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077860160 5 bytes JMP 0000000100060470 .text C:\Windows\system32\nvvsvc.exe[1260] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077860170 5 bytes JMP 00000001000603e0 .text C:\Windows\system32\nvvsvc.exe[1260] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077860220 5 bytes JMP 0000000100060320 .text C:\Windows\system32\nvvsvc.exe[1260] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077860250 5 bytes JMP 00000001000603b0 .text C:\Windows\system32\nvvsvc.exe[1260] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077860270 5 bytes JMP 0000000100060390 .text C:\Windows\system32\nvvsvc.exe[1260] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778602b0 5 bytes JMP 00000001000602e0 .text C:\Windows\system32\nvvsvc.exe[1260] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077860330 5 bytes JMP 00000001000602d0 .text C:\Windows\system32\nvvsvc.exe[1260] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077860350 5 bytes JMP 0000000100060310 .text C:\Windows\system32\nvvsvc.exe[1260] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077860390 5 bytes JMP 00000001000603c0 .text C:\Windows\system32\nvvsvc.exe[1260] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778603e0 5 bytes JMP 00000001000603f0 .text C:\Windows\system32\nvvsvc.exe[1260] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077860540 5 bytes JMP 0000000100060230 .text C:\Windows\system32\nvvsvc.exe[1260] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077860700 5 bytes JMP 0000000100060480 .text C:\Windows\system32\nvvsvc.exe[1260] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077860730 5 bytes JMP 00000001000603a0 .text C:\Windows\system32\nvvsvc.exe[1260] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077860810 5 bytes JMP 00000001000602f0 .text C:\Windows\system32\nvvsvc.exe[1260] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077860820 5 bytes JMP 0000000100060350 .text C:\Windows\system32\nvvsvc.exe[1260] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077860880 5 bytes JMP 0000000100060290 .text C:\Windows\system32\nvvsvc.exe[1260] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077860910 5 bytes JMP 00000001000602b0 .text C:\Windows\system32\nvvsvc.exe[1260] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077860930 5 bytes JMP 00000001000603d0 .text C:\Windows\system32\nvvsvc.exe[1260] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077860940 5 bytes JMP 0000000100060330 .text C:\Windows\system32\nvvsvc.exe[1260] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000778609b0 5 bytes JMP 0000000100060410 .text C:\Windows\system32\nvvsvc.exe[1260] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000778609e0 5 bytes JMP 0000000100060240 .text C:\Windows\system32\nvvsvc.exe[1260] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077860ca0 5 bytes JMP 00000001000601e0 .text C:\Windows\system32\nvvsvc.exe[1260] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077860d60 5 bytes JMP 0000000100060250 .text C:\Windows\system32\nvvsvc.exe[1260] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077860d90 5 bytes JMP 0000000100060490 .text C:\Windows\system32\nvvsvc.exe[1260] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077860da0 5 bytes JMP 00000001000604a0 .text C:\Windows\system32\nvvsvc.exe[1260] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077860dd0 5 bytes JMP 0000000100060300 .text C:\Windows\system32\nvvsvc.exe[1260] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077860de0 5 bytes JMP 0000000100060360 .text C:\Windows\system32\nvvsvc.exe[1260] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077860e40 5 bytes JMP 00000001000602a0 .text C:\Windows\system32\nvvsvc.exe[1260] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077860e90 5 bytes JMP 00000001000602c0 .text C:\Windows\system32\nvvsvc.exe[1260] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077860ec0 5 bytes JMP 0000000100060380 .text C:\Windows\system32\nvvsvc.exe[1260] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077860ed0 5 bytes JMP 0000000100060340 .text C:\Windows\system32\nvvsvc.exe[1260] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000778611c0 5 bytes JMP 0000000100060440 .text C:\Windows\system32\nvvsvc.exe[1260] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778613c0 5 bytes JMP 0000000100060260 .text C:\Windows\system32\nvvsvc.exe[1260] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778613d0 5 bytes JMP 0000000100060270 .text C:\Windows\system32\nvvsvc.exe[1260] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778613e0 5 bytes JMP 0000000100060400 .text C:\Windows\system32\nvvsvc.exe[1260] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778615a0 5 bytes JMP 00000001000601f0 .text C:\Windows\system32\nvvsvc.exe[1260] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778615b0 5 bytes JMP 0000000100060210 .text C:\Windows\system32\nvvsvc.exe[1260] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077861620 5 bytes JMP 0000000100060200 .text C:\Windows\system32\nvvsvc.exe[1260] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077861680 5 bytes JMP 0000000100060420 .text C:\Windows\system32\nvvsvc.exe[1260] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077861690 5 bytes JMP 0000000100060430 .text C:\Windows\system32\nvvsvc.exe[1260] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000778616a0 5 bytes JMP 0000000100060220 .text C:\Windows\system32\nvvsvc.exe[1260] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077861780 5 bytes JMP 0000000100060280 .text C:\Windows\system32\nvvsvc.exe[1260] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007764f1bd 1 byte [62] .text C:\Windows\system32\svchost.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007785ff60 5 bytes JMP 0000000100070460 .text C:\Windows\system32\svchost.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007785ffb0 5 bytes JMP 0000000100070450 .text C:\Windows\system32\svchost.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077860110 5 bytes JMP 0000000100070370 .text C:\Windows\system32\svchost.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077860160 5 bytes JMP 0000000100070470 .text C:\Windows\system32\svchost.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077860170 5 bytes JMP 00000001000703e0 .text C:\Windows\system32\svchost.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077860220 5 bytes JMP 0000000100070320 .text C:\Windows\system32\svchost.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077860250 5 bytes JMP 00000001000703b0 .text C:\Windows\system32\svchost.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077860270 5 bytes JMP 0000000100070390 .text C:\Windows\system32\svchost.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778602b0 5 bytes JMP 00000001000702e0 .text C:\Windows\system32\svchost.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077860330 5 bytes JMP 00000001000702d0 .text C:\Windows\system32\svchost.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077860350 5 bytes JMP 0000000100070310 .text C:\Windows\system32\svchost.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077860390 5 bytes JMP 00000001000703c0 .text C:\Windows\system32\svchost.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778603e0 5 bytes JMP 00000001000703f0 .text C:\Windows\system32\svchost.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077860540 5 bytes JMP 0000000100070230 .text C:\Windows\system32\svchost.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077860700 5 bytes JMP 0000000100070480 .text C:\Windows\system32\svchost.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077860730 5 bytes JMP 00000001000703a0 .text C:\Windows\system32\svchost.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077860810 5 bytes JMP 00000001000702f0 .text C:\Windows\system32\svchost.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077860820 5 bytes JMP 0000000100070350 .text C:\Windows\system32\svchost.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077860880 5 bytes JMP 0000000100070290 .text C:\Windows\system32\svchost.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077860910 5 bytes JMP 00000001000702b0 .text C:\Windows\system32\svchost.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077860930 5 bytes JMP 00000001000703d0 .text C:\Windows\system32\svchost.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077860940 5 bytes JMP 0000000100070330 .text C:\Windows\system32\svchost.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000778609b0 5 bytes JMP 0000000100070410 .text C:\Windows\system32\svchost.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000778609e0 5 bytes JMP 0000000100070240 .text C:\Windows\system32\svchost.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077860ca0 5 bytes JMP 00000001000701e0 .text C:\Windows\system32\svchost.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077860d60 5 bytes JMP 0000000100070250 .text C:\Windows\system32\svchost.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077860d90 5 bytes JMP 0000000100070490 .text C:\Windows\system32\svchost.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077860da0 5 bytes JMP 00000001000704a0 .text C:\Windows\system32\svchost.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077860dd0 5 bytes JMP 0000000100070300 .text C:\Windows\system32\svchost.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077860de0 5 bytes JMP 0000000100070360 .text C:\Windows\system32\svchost.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077860e40 5 bytes JMP 00000001000702a0 .text C:\Windows\system32\svchost.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077860e90 5 bytes JMP 00000001000702c0 .text C:\Windows\system32\svchost.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077860ec0 5 bytes JMP 0000000100070380 .text C:\Windows\system32\svchost.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077860ed0 5 bytes JMP 0000000100070340 .text C:\Windows\system32\svchost.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000778611c0 5 bytes JMP 0000000100070440 .text C:\Windows\system32\svchost.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778613c0 5 bytes JMP 0000000100070260 .text C:\Windows\system32\svchost.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778613d0 5 bytes JMP 0000000100070270 .text C:\Windows\system32\svchost.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778613e0 5 bytes JMP 0000000100070400 .text C:\Windows\system32\svchost.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778615a0 5 bytes JMP 00000001000701f0 .text C:\Windows\system32\svchost.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778615b0 5 bytes JMP 0000000100070210 .text C:\Windows\system32\svchost.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077861620 5 bytes JMP 0000000100070200 .text C:\Windows\system32\svchost.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077861680 5 bytes JMP 0000000100070420 .text C:\Windows\system32\svchost.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077861690 5 bytes JMP 0000000100070430 .text C:\Windows\system32\svchost.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000778616a0 5 bytes JMP 0000000100070220 .text C:\Windows\system32\svchost.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077861780 5 bytes JMP 0000000100070280 .text C:\Windows\system32\svchost.exe[1304] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007764f1bd 1 byte [62] .text C:\Windows\system32\svchost.exe[1476] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007785ff60 5 bytes JMP 00000000779c0460 .text C:\Windows\system32\svchost.exe[1476] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007785ffb0 5 bytes JMP 00000000779c0450 .text C:\Windows\system32\svchost.exe[1476] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077860110 5 bytes JMP 00000000779c0370 .text C:\Windows\system32\svchost.exe[1476] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077860160 5 bytes JMP 00000000779c0470 .text C:\Windows\system32\svchost.exe[1476] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077860170 5 bytes JMP 00000000779c03e0 .text C:\Windows\system32\svchost.exe[1476] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077860220 5 bytes JMP 00000000779c0320 .text C:\Windows\system32\svchost.exe[1476] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077860250 5 bytes JMP 00000000779c03b0 .text C:\Windows\system32\svchost.exe[1476] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077860270 5 bytes JMP 00000000779c0390 .text C:\Windows\system32\svchost.exe[1476] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778602b0 5 bytes JMP 00000000779c02e0 .text C:\Windows\system32\svchost.exe[1476] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077860330 5 bytes JMP 00000000779c02d0 .text C:\Windows\system32\svchost.exe[1476] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077860350 5 bytes JMP 00000000779c0310 .text C:\Windows\system32\svchost.exe[1476] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077860390 5 bytes JMP 00000000779c03c0 .text C:\Windows\system32\svchost.exe[1476] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778603e0 5 bytes JMP 00000000779c03f0 .text C:\Windows\system32\svchost.exe[1476] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077860540 5 bytes JMP 00000000779c0230 .text C:\Windows\system32\svchost.exe[1476] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077860700 5 bytes JMP 00000000779c0480 .text C:\Windows\system32\svchost.exe[1476] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077860730 5 bytes JMP 00000000779c03a0 .text C:\Windows\system32\svchost.exe[1476] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077860810 5 bytes JMP 00000000779c02f0 .text C:\Windows\system32\svchost.exe[1476] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077860820 5 bytes JMP 00000000779c0350 .text C:\Windows\system32\svchost.exe[1476] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077860880 5 bytes JMP 00000000779c0290 .text C:\Windows\system32\svchost.exe[1476] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077860910 5 bytes JMP 00000000779c02b0 .text C:\Windows\system32\svchost.exe[1476] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077860930 5 bytes JMP 00000000779c03d0 .text C:\Windows\system32\svchost.exe[1476] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077860940 5 bytes JMP 00000000779c0330 .text C:\Windows\system32\svchost.exe[1476] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000778609b0 5 bytes JMP 00000000779c0410 .text C:\Windows\system32\svchost.exe[1476] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000778609e0 5 bytes JMP 00000000779c0240 .text C:\Windows\system32\svchost.exe[1476] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077860ca0 5 bytes JMP 00000000779c01e0 .text C:\Windows\system32\svchost.exe[1476] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077860d60 5 bytes JMP 00000000779c0250 .text C:\Windows\system32\svchost.exe[1476] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077860d90 5 bytes JMP 00000000779c0490 .text C:\Windows\system32\svchost.exe[1476] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077860da0 5 bytes JMP 00000000779c04a0 .text C:\Windows\system32\svchost.exe[1476] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077860dd0 5 bytes JMP 00000000779c0300 .text C:\Windows\system32\svchost.exe[1476] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077860de0 5 bytes JMP 00000000779c0360 .text C:\Windows\system32\svchost.exe[1476] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077860e40 5 bytes JMP 00000000779c02a0 .text C:\Windows\system32\svchost.exe[1476] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077860e90 5 bytes JMP 00000000779c02c0 .text C:\Windows\system32\svchost.exe[1476] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077860ec0 5 bytes JMP 00000000779c0380 .text C:\Windows\system32\svchost.exe[1476] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077860ed0 5 bytes JMP 00000000779c0340 .text C:\Windows\system32\svchost.exe[1476] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000778611c0 5 bytes JMP 00000000779c0440 .text C:\Windows\system32\svchost.exe[1476] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778613c0 5 bytes JMP 00000000779c0260 .text C:\Windows\system32\svchost.exe[1476] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778613d0 5 bytes JMP 00000000779c0270 .text C:\Windows\system32\svchost.exe[1476] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778613e0 5 bytes JMP 00000000779c0400 .text C:\Windows\system32\svchost.exe[1476] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778615a0 5 bytes JMP 00000000779c01f0 .text C:\Windows\system32\svchost.exe[1476] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778615b0 5 bytes JMP 00000000779c0210 .text C:\Windows\system32\svchost.exe[1476] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077861620 5 bytes JMP 00000000779c0200 .text C:\Windows\system32\svchost.exe[1476] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077861680 5 bytes JMP 00000000779c0420 .text C:\Windows\system32\svchost.exe[1476] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077861690 5 bytes JMP 00000000779c0430 .text C:\Windows\system32\svchost.exe[1476] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000778616a0 5 bytes JMP 00000000779c0220 .text C:\Windows\system32\svchost.exe[1476] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077861780 5 bytes JMP 00000000779c0280 .text C:\Windows\system32\svchost.exe[1476] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007764f1bd 1 byte [62] .text C:\Windows\system32\Dwm.exe[1612] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007785ff60 5 bytes JMP 00000000779c0460 .text C:\Windows\system32\Dwm.exe[1612] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007785ffb0 5 bytes JMP 00000000779c0450 .text C:\Windows\system32\Dwm.exe[1612] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077860110 5 bytes JMP 00000000779c0370 .text C:\Windows\system32\Dwm.exe[1612] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077860160 5 bytes JMP 00000000779c0470 .text C:\Windows\system32\Dwm.exe[1612] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077860170 5 bytes JMP 00000000779c03e0 .text C:\Windows\system32\Dwm.exe[1612] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077860220 5 bytes JMP 00000000779c0320 .text C:\Windows\system32\Dwm.exe[1612] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077860250 5 bytes JMP 00000000779c03b0 .text C:\Windows\system32\Dwm.exe[1612] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077860270 5 bytes JMP 00000000779c0390 .text C:\Windows\system32\Dwm.exe[1612] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778602b0 5 bytes JMP 00000000779c02e0 .text C:\Windows\system32\Dwm.exe[1612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077860330 5 bytes JMP 00000000779c02d0 .text C:\Windows\system32\Dwm.exe[1612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077860350 5 bytes JMP 00000000779c0310 .text C:\Windows\system32\Dwm.exe[1612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077860390 5 bytes JMP 00000000779c03c0 .text C:\Windows\system32\Dwm.exe[1612] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778603e0 5 bytes JMP 00000000779c03f0 .text C:\Windows\system32\Dwm.exe[1612] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077860540 5 bytes JMP 00000000779c0230 .text C:\Windows\system32\Dwm.exe[1612] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077860700 5 bytes JMP 00000000779c0480 .text C:\Windows\system32\Dwm.exe[1612] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077860730 5 bytes JMP 00000000779c03a0 .text C:\Windows\system32\Dwm.exe[1612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077860810 5 bytes JMP 00000000779c02f0 .text C:\Windows\system32\Dwm.exe[1612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077860820 5 bytes JMP 00000000779c0350 .text C:\Windows\system32\Dwm.exe[1612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077860880 5 bytes JMP 00000000779c0290 .text C:\Windows\system32\Dwm.exe[1612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077860910 5 bytes JMP 00000000779c02b0 .text C:\Windows\system32\Dwm.exe[1612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077860930 5 bytes JMP 00000000779c03d0 .text C:\Windows\system32\Dwm.exe[1612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077860940 5 bytes JMP 00000000779c0330 .text C:\Windows\system32\Dwm.exe[1612] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000778609b0 5 bytes JMP 00000000779c0410 .text C:\Windows\system32\Dwm.exe[1612] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000778609e0 5 bytes JMP 00000000779c0240 .text C:\Windows\system32\Dwm.exe[1612] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077860ca0 5 bytes JMP 00000000779c01e0 .text C:\Windows\system32\Dwm.exe[1612] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077860d60 5 bytes JMP 00000000779c0250 .text C:\Windows\system32\Dwm.exe[1612] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077860d90 5 bytes JMP 00000000779c0490 .text C:\Windows\system32\Dwm.exe[1612] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077860da0 5 bytes JMP 00000000779c04a0 .text C:\Windows\system32\Dwm.exe[1612] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077860dd0 5 bytes JMP 00000000779c0300 .text C:\Windows\system32\Dwm.exe[1612] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077860de0 5 bytes JMP 00000000779c0360 .text C:\Windows\system32\Dwm.exe[1612] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077860e40 5 bytes JMP 00000000779c02a0 .text C:\Windows\system32\Dwm.exe[1612] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077860e90 5 bytes JMP 00000000779c02c0 .text C:\Windows\system32\Dwm.exe[1612] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077860ec0 5 bytes JMP 00000000779c0380 .text C:\Windows\system32\Dwm.exe[1612] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077860ed0 5 bytes JMP 00000000779c0340 .text C:\Windows\system32\Dwm.exe[1612] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000778611c0 5 bytes JMP 00000000779c0440 .text C:\Windows\system32\Dwm.exe[1612] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778613c0 5 bytes JMP 00000000779c0260 .text C:\Windows\system32\Dwm.exe[1612] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778613d0 5 bytes JMP 00000000779c0270 .text C:\Windows\system32\Dwm.exe[1612] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778613e0 5 bytes JMP 00000000779c0400 .text C:\Windows\system32\Dwm.exe[1612] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778615a0 5 bytes JMP 00000000779c01f0 .text C:\Windows\system32\Dwm.exe[1612] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778615b0 5 bytes JMP 00000000779c0210 .text C:\Windows\system32\Dwm.exe[1612] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077861620 5 bytes JMP 00000000779c0200 .text C:\Windows\system32\Dwm.exe[1612] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077861680 5 bytes JMP 00000000779c0420 .text C:\Windows\system32\Dwm.exe[1612] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077861690 5 bytes JMP 00000000779c0430 .text C:\Windows\system32\Dwm.exe[1612] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000778616a0 5 bytes JMP 00000000779c0220 .text C:\Windows\system32\Dwm.exe[1612] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077861780 5 bytes JMP 00000000779c0280 .text C:\Windows\Explorer.EXE[1636] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007785ff60 5 bytes JMP 00000000779c0460 .text C:\Windows\Explorer.EXE[1636] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007785ffb0 5 bytes JMP 00000000779c0450 .text C:\Windows\Explorer.EXE[1636] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077860110 5 bytes JMP 00000000779c0370 .text C:\Windows\Explorer.EXE[1636] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077860160 5 bytes JMP 00000000779c0470 .text C:\Windows\Explorer.EXE[1636] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077860170 5 bytes JMP 00000000779c03e0 .text C:\Windows\Explorer.EXE[1636] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077860220 5 bytes JMP 00000000779c0320 .text C:\Windows\Explorer.EXE[1636] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077860250 5 bytes JMP 00000000779c03b0 .text C:\Windows\Explorer.EXE[1636] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077860270 5 bytes JMP 00000000779c0390 .text C:\Windows\Explorer.EXE[1636] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778602b0 5 bytes JMP 00000000779c02e0 .text C:\Windows\Explorer.EXE[1636] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077860330 5 bytes JMP 00000000779c02d0 .text C:\Windows\Explorer.EXE[1636] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077860350 5 bytes JMP 00000000779c0310 .text C:\Windows\Explorer.EXE[1636] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077860390 5 bytes JMP 00000000779c03c0 .text C:\Windows\Explorer.EXE[1636] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778603e0 5 bytes JMP 00000000779c03f0 .text C:\Windows\Explorer.EXE[1636] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077860540 5 bytes JMP 00000000779c0230 .text C:\Windows\Explorer.EXE[1636] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077860700 5 bytes JMP 00000000779c0480 .text C:\Windows\Explorer.EXE[1636] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077860730 5 bytes JMP 00000000779c03a0 .text C:\Windows\Explorer.EXE[1636] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077860810 5 bytes JMP 00000000779c02f0 .text C:\Windows\Explorer.EXE[1636] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077860820 5 bytes JMP 00000000779c0350 .text C:\Windows\Explorer.EXE[1636] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077860880 5 bytes JMP 00000000779c0290 .text C:\Windows\Explorer.EXE[1636] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077860910 5 bytes JMP 00000000779c02b0 .text C:\Windows\Explorer.EXE[1636] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077860930 5 bytes JMP 00000000779c03d0 .text C:\Windows\Explorer.EXE[1636] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077860940 5 bytes JMP 00000000779c0330 .text C:\Windows\Explorer.EXE[1636] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000778609b0 5 bytes JMP 00000000779c0410 .text C:\Windows\Explorer.EXE[1636] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000778609e0 5 bytes JMP 00000000779c0240 .text C:\Windows\Explorer.EXE[1636] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077860ca0 5 bytes JMP 00000000779c01e0 .text C:\Windows\Explorer.EXE[1636] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077860d60 5 bytes JMP 00000000779c0250 .text C:\Windows\Explorer.EXE[1636] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077860d90 5 bytes JMP 00000000779c0490 .text C:\Windows\Explorer.EXE[1636] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077860da0 5 bytes JMP 00000000779c04a0 .text C:\Windows\Explorer.EXE[1636] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077860dd0 5 bytes JMP 00000000779c0300 .text C:\Windows\Explorer.EXE[1636] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077860de0 5 bytes JMP 00000000779c0360 .text C:\Windows\Explorer.EXE[1636] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077860e40 5 bytes JMP 00000000779c02a0 .text C:\Windows\Explorer.EXE[1636] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077860e90 5 bytes JMP 00000000779c02c0 .text C:\Windows\Explorer.EXE[1636] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077860ec0 5 bytes JMP 00000000779c0380 .text C:\Windows\Explorer.EXE[1636] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077860ed0 5 bytes JMP 00000000779c0340 .text C:\Windows\Explorer.EXE[1636] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000778611c0 5 bytes JMP 00000000779c0440 .text C:\Windows\Explorer.EXE[1636] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778613c0 5 bytes JMP 00000000779c0260 .text C:\Windows\Explorer.EXE[1636] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778613d0 5 bytes JMP 00000000779c0270 .text C:\Windows\Explorer.EXE[1636] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778613e0 5 bytes JMP 00000000779c0400 .text C:\Windows\Explorer.EXE[1636] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778615a0 5 bytes JMP 00000000779c01f0 .text C:\Windows\Explorer.EXE[1636] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778615b0 5 bytes JMP 00000000779c0210 .text C:\Windows\Explorer.EXE[1636] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077861620 5 bytes JMP 00000000779c0200 .text C:\Windows\Explorer.EXE[1636] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077861680 5 bytes JMP 00000000779c0420 .text C:\Windows\Explorer.EXE[1636] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077861690 5 bytes JMP 00000000779c0430 .text C:\Windows\Explorer.EXE[1636] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000778616a0 5 bytes JMP 00000000779c0220 .text C:\Windows\Explorer.EXE[1636] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077861780 5 bytes JMP 00000000779c0280 .text C:\Windows\Explorer.EXE[1636] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007764f1bd 1 byte [62] .text C:\Windows\system32\taskhost.exe[1832] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007785ff60 5 bytes JMP 00000000779c0460 .text C:\Windows\system32\taskhost.exe[1832] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007785ffb0 5 bytes JMP 00000000779c0450 .text C:\Windows\system32\taskhost.exe[1832] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077860110 5 bytes JMP 00000000779c0370 .text C:\Windows\system32\taskhost.exe[1832] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077860160 5 bytes JMP 00000000779c0470 .text C:\Windows\system32\taskhost.exe[1832] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077860170 5 bytes JMP 00000000779c03e0 .text C:\Windows\system32\taskhost.exe[1832] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077860220 5 bytes JMP 00000000779c0320 .text C:\Windows\system32\taskhost.exe[1832] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077860250 5 bytes JMP 00000000779c03b0 .text C:\Windows\system32\taskhost.exe[1832] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077860270 5 bytes JMP 00000000779c0390 .text C:\Windows\system32\taskhost.exe[1832] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778602b0 5 bytes JMP 00000000779c02e0 .text C:\Windows\system32\taskhost.exe[1832] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077860330 5 bytes JMP 00000000779c02d0 .text C:\Windows\system32\taskhost.exe[1832] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077860350 5 bytes JMP 00000000779c0310 .text C:\Windows\system32\taskhost.exe[1832] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077860390 5 bytes JMP 00000000779c03c0 .text C:\Windows\system32\taskhost.exe[1832] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778603e0 5 bytes JMP 00000000779c03f0 .text C:\Windows\system32\taskhost.exe[1832] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077860540 5 bytes JMP 00000000779c0230 .text C:\Windows\system32\taskhost.exe[1832] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077860700 5 bytes JMP 00000000779c0480 .text C:\Windows\system32\taskhost.exe[1832] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077860730 5 bytes JMP 00000000779c03a0 .text C:\Windows\system32\taskhost.exe[1832] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077860810 5 bytes JMP 00000000779c02f0 .text C:\Windows\system32\taskhost.exe[1832] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077860820 5 bytes JMP 00000000779c0350 .text C:\Windows\system32\taskhost.exe[1832] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077860880 5 bytes JMP 00000000779c0290 .text C:\Windows\system32\taskhost.exe[1832] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077860910 5 bytes JMP 00000000779c02b0 .text C:\Windows\system32\taskhost.exe[1832] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077860930 5 bytes JMP 00000000779c03d0 .text C:\Windows\system32\taskhost.exe[1832] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077860940 5 bytes JMP 00000000779c0330 .text C:\Windows\system32\taskhost.exe[1832] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000778609b0 5 bytes JMP 00000000779c0410 .text C:\Windows\system32\taskhost.exe[1832] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000778609e0 5 bytes JMP 00000000779c0240 .text C:\Windows\system32\taskhost.exe[1832] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077860ca0 5 bytes JMP 00000000779c01e0 .text C:\Windows\system32\taskhost.exe[1832] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077860d60 5 bytes JMP 00000000779c0250 .text C:\Windows\system32\taskhost.exe[1832] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077860d90 5 bytes JMP 00000000779c0490 .text C:\Windows\system32\taskhost.exe[1832] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077860da0 5 bytes JMP 00000000779c04a0 .text C:\Windows\system32\taskhost.exe[1832] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077860dd0 5 bytes JMP 00000000779c0300 .text C:\Windows\system32\taskhost.exe[1832] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077860de0 5 bytes JMP 00000000779c0360 .text C:\Windows\system32\taskhost.exe[1832] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077860e40 5 bytes JMP 00000000779c02a0 .text C:\Windows\system32\taskhost.exe[1832] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077860e90 5 bytes JMP 00000000779c02c0 .text C:\Windows\system32\taskhost.exe[1832] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077860ec0 5 bytes JMP 00000000779c0380 .text C:\Windows\system32\taskhost.exe[1832] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077860ed0 5 bytes JMP 00000000779c0340 .text C:\Windows\system32\taskhost.exe[1832] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000778611c0 5 bytes JMP 00000000779c0440 .text C:\Windows\system32\taskhost.exe[1832] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778613c0 5 bytes JMP 00000000779c0260 .text C:\Windows\system32\taskhost.exe[1832] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778613d0 5 bytes JMP 00000000779c0270 .text C:\Windows\system32\taskhost.exe[1832] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778613e0 5 bytes JMP 00000000779c0400 .text C:\Windows\system32\taskhost.exe[1832] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778615a0 5 bytes JMP 00000000779c01f0 .text C:\Windows\system32\taskhost.exe[1832] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778615b0 5 bytes JMP 00000000779c0210 .text C:\Windows\system32\taskhost.exe[1832] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077861620 5 bytes JMP 00000000779c0200 .text C:\Windows\system32\taskhost.exe[1832] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077861680 5 bytes JMP 00000000779c0420 .text C:\Windows\system32\taskhost.exe[1832] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077861690 5 bytes JMP 00000000779c0430 .text C:\Windows\system32\taskhost.exe[1832] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000778616a0 5 bytes JMP 00000000779c0220 .text C:\Windows\system32\taskhost.exe[1832] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077861780 5 bytes JMP 00000000779c0280 .text C:\Windows\System32\spoolsv.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007785ff60 5 bytes JMP 00000000779c0460 .text C:\Windows\System32\spoolsv.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007785ffb0 5 bytes JMP 00000000779c0450 .text C:\Windows\System32\spoolsv.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077860110 5 bytes JMP 00000000779c0370 .text C:\Windows\System32\spoolsv.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077860160 5 bytes JMP 00000000779c0470 .text C:\Windows\System32\spoolsv.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077860170 5 bytes JMP 00000000779c03e0 .text C:\Windows\System32\spoolsv.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077860220 5 bytes JMP 00000000779c0320 .text C:\Windows\System32\spoolsv.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077860250 5 bytes JMP 00000000779c03b0 .text C:\Windows\System32\spoolsv.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077860270 5 bytes JMP 00000000779c0390 .text C:\Windows\System32\spoolsv.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778602b0 5 bytes JMP 00000000779c02e0 .text C:\Windows\System32\spoolsv.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077860330 5 bytes JMP 00000000779c02d0 .text C:\Windows\System32\spoolsv.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077860350 5 bytes JMP 00000000779c0310 .text C:\Windows\System32\spoolsv.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077860390 5 bytes JMP 00000000779c03c0 .text C:\Windows\System32\spoolsv.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778603e0 5 bytes JMP 00000000779c03f0 .text C:\Windows\System32\spoolsv.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077860540 5 bytes JMP 00000000779c0230 .text C:\Windows\System32\spoolsv.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077860700 5 bytes JMP 00000000779c0480 .text C:\Windows\System32\spoolsv.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077860730 5 bytes JMP 00000000779c03a0 .text C:\Windows\System32\spoolsv.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077860810 5 bytes JMP 00000000779c02f0 .text C:\Windows\System32\spoolsv.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077860820 5 bytes JMP 00000000779c0350 .text C:\Windows\System32\spoolsv.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077860880 5 bytes JMP 00000000779c0290 .text C:\Windows\System32\spoolsv.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077860910 5 bytes JMP 00000000779c02b0 .text C:\Windows\System32\spoolsv.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077860930 5 bytes JMP 00000000779c03d0 .text C:\Windows\System32\spoolsv.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077860940 5 bytes JMP 00000000779c0330 .text C:\Windows\System32\spoolsv.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000778609b0 5 bytes JMP 00000000779c0410 .text C:\Windows\System32\spoolsv.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000778609e0 5 bytes JMP 00000000779c0240 .text C:\Windows\System32\spoolsv.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077860ca0 5 bytes JMP 00000000779c01e0 .text C:\Windows\System32\spoolsv.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077860d60 5 bytes JMP 00000000779c0250 .text C:\Windows\System32\spoolsv.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077860d90 5 bytes JMP 00000000779c0490 .text C:\Windows\System32\spoolsv.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077860da0 5 bytes JMP 00000000779c04a0 .text C:\Windows\System32\spoolsv.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077860dd0 5 bytes JMP 00000000779c0300 .text C:\Windows\System32\spoolsv.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077860de0 5 bytes JMP 00000000779c0360 .text C:\Windows\System32\spoolsv.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077860e40 5 bytes JMP 00000000779c02a0 .text C:\Windows\System32\spoolsv.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077860e90 5 bytes JMP 00000000779c02c0 .text C:\Windows\System32\spoolsv.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077860ec0 5 bytes JMP 00000000779c0380 .text C:\Windows\System32\spoolsv.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077860ed0 5 bytes JMP 00000000779c0340 .text C:\Windows\System32\spoolsv.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000778611c0 5 bytes JMP 00000000779c0440 .text C:\Windows\System32\spoolsv.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778613c0 5 bytes JMP 00000000779c0260 .text C:\Windows\System32\spoolsv.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778613d0 5 bytes JMP 00000000779c0270 .text C:\Windows\System32\spoolsv.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778613e0 5 bytes JMP 00000000779c0400 .text C:\Windows\System32\spoolsv.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778615a0 5 bytes JMP 00000000779c01f0 .text C:\Windows\System32\spoolsv.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778615b0 5 bytes JMP 00000000779c0210 .text C:\Windows\System32\spoolsv.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077861620 5 bytes JMP 00000000779c0200 .text C:\Windows\System32\spoolsv.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077861680 5 bytes JMP 00000000779c0420 .text C:\Windows\System32\spoolsv.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077861690 5 bytes JMP 00000000779c0430 .text C:\Windows\System32\spoolsv.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000778616a0 5 bytes JMP 00000000779c0220 .text C:\Windows\System32\spoolsv.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077861780 5 bytes JMP 00000000779c0280 .text C:\Windows\System32\spoolsv.exe[1920] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007764f1bd 1 byte [62] .text C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCUService.exe[2024] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000075e2b0c5 1 byte [62] .text C:\Program Files (x86)\Gigabyte\EasySaver\ESSVR.EXE[1072] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000075e2b0c5 1 byte [62] .text C:\Windows\system32\svchost.exe[1628] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007785ff60 5 bytes JMP 00000000779c0460 .text C:\Windows\system32\svchost.exe[1628] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007785ffb0 5 bytes JMP 00000000779c0450 .text C:\Windows\system32\svchost.exe[1628] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077860110 5 bytes JMP 00000000779c0370 .text C:\Windows\system32\svchost.exe[1628] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077860160 5 bytes JMP 00000000779c0470 .text C:\Windows\system32\svchost.exe[1628] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077860170 5 bytes JMP 00000000779c03e0 .text C:\Windows\system32\svchost.exe[1628] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077860220 5 bytes JMP 00000000779c0320 .text C:\Windows\system32\svchost.exe[1628] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077860250 5 bytes JMP 00000000779c03b0 .text C:\Windows\system32\svchost.exe[1628] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077860270 5 bytes JMP 00000000779c0390 .text C:\Windows\system32\svchost.exe[1628] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778602b0 5 bytes JMP 00000000779c02e0 .text C:\Windows\system32\svchost.exe[1628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077860330 5 bytes JMP 00000000779c02d0 .text C:\Windows\system32\svchost.exe[1628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077860350 5 bytes JMP 00000000779c0310 .text C:\Windows\system32\svchost.exe[1628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077860390 5 bytes JMP 00000000779c03c0 .text C:\Windows\system32\svchost.exe[1628] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778603e0 5 bytes JMP 00000000779c03f0 .text C:\Windows\system32\svchost.exe[1628] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077860540 5 bytes JMP 00000000779c0230 .text C:\Windows\system32\svchost.exe[1628] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077860700 5 bytes JMP 00000000779c0480 .text C:\Windows\system32\svchost.exe[1628] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077860730 5 bytes JMP 00000000779c03a0 .text C:\Windows\system32\svchost.exe[1628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077860810 5 bytes JMP 00000000779c02f0 .text C:\Windows\system32\svchost.exe[1628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077860820 5 bytes JMP 00000000779c0350 .text C:\Windows\system32\svchost.exe[1628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077860880 5 bytes JMP 00000000779c0290 .text C:\Windows\system32\svchost.exe[1628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077860910 5 bytes JMP 00000000779c02b0 .text C:\Windows\system32\svchost.exe[1628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077860930 5 bytes JMP 00000000779c03d0 .text C:\Windows\system32\svchost.exe[1628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077860940 5 bytes JMP 00000000779c0330 .text C:\Windows\system32\svchost.exe[1628] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000778609b0 5 bytes JMP 00000000779c0410 .text C:\Windows\system32\svchost.exe[1628] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000778609e0 5 bytes JMP 00000000779c0240 .text C:\Windows\system32\svchost.exe[1628] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077860ca0 5 bytes JMP 00000000779c01e0 .text C:\Windows\system32\svchost.exe[1628] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077860d60 5 bytes JMP 00000000779c0250 .text C:\Windows\system32\svchost.exe[1628] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077860d90 5 bytes JMP 00000000779c0490 .text C:\Windows\system32\svchost.exe[1628] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077860da0 5 bytes JMP 00000000779c04a0 .text C:\Windows\system32\svchost.exe[1628] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077860dd0 5 bytes JMP 00000000779c0300 .text C:\Windows\system32\svchost.exe[1628] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077860de0 5 bytes JMP 00000000779c0360 .text C:\Windows\system32\svchost.exe[1628] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077860e40 5 bytes JMP 00000000779c02a0 .text C:\Windows\system32\svchost.exe[1628] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077860e90 5 bytes JMP 00000000779c02c0 .text C:\Windows\system32\svchost.exe[1628] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077860ec0 5 bytes JMP 00000000779c0380 .text C:\Windows\system32\svchost.exe[1628] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077860ed0 5 bytes JMP 00000000779c0340 .text C:\Windows\system32\svchost.exe[1628] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000778611c0 5 bytes JMP 00000000779c0440 .text C:\Windows\system32\svchost.exe[1628] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778613c0 5 bytes JMP 00000000779c0260 .text C:\Windows\system32\svchost.exe[1628] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778613d0 5 bytes JMP 00000000779c0270 .text C:\Windows\system32\svchost.exe[1628] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778613e0 5 bytes JMP 00000000779c0400 .text C:\Windows\system32\svchost.exe[1628] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778615a0 5 bytes JMP 00000000779c01f0 .text C:\Windows\system32\svchost.exe[1628] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778615b0 5 bytes JMP 00000000779c0210 .text C:\Windows\system32\svchost.exe[1628] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077861620 5 bytes JMP 00000000779c0200 .text C:\Windows\system32\svchost.exe[1628] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077861680 5 bytes JMP 00000000779c0420 .text C:\Windows\system32\svchost.exe[1628] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077861690 5 bytes JMP 00000000779c0430 .text C:\Windows\system32\svchost.exe[1628] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000778616a0 5 bytes JMP 00000000779c0220 .text C:\Windows\system32\svchost.exe[1628] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077861780 5 bytes JMP 00000000779c0280 .text C:\Windows\system32\svchost.exe[1628] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007764f1bd 1 byte [62] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1432] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007785ff60 5 bytes JMP 00000000779c0460 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1432] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007785ffb0 5 bytes JMP 00000000779c0450 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1432] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077860110 5 bytes JMP 00000000779c0370 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1432] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077860160 5 bytes JMP 00000000779c0470 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1432] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077860170 5 bytes JMP 00000000779c03e0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1432] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077860220 5 bytes JMP 00000000779c0320 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1432] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077860250 5 bytes JMP 00000000779c03b0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1432] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077860270 5 bytes JMP 00000000779c0390 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1432] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778602b0 5 bytes JMP 00000000779c02e0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1432] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077860330 5 bytes JMP 00000000779c02d0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1432] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077860350 5 bytes JMP 00000000779c0310 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1432] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077860390 5 bytes JMP 00000000779c03c0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1432] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778603e0 5 bytes JMP 00000000779c03f0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1432] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077860540 5 bytes JMP 00000000779c0230 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1432] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077860700 5 bytes JMP 00000000779c0480 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1432] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077860730 5 bytes JMP 00000000779c03a0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1432] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077860810 5 bytes JMP 00000000779c02f0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1432] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077860820 5 bytes JMP 00000000779c0350 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1432] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077860880 5 bytes JMP 00000000779c0290 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1432] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077860910 5 bytes JMP 00000000779c02b0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1432] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077860930 5 bytes JMP 00000000779c03d0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1432] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077860940 5 bytes JMP 00000000779c0330 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1432] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000778609b0 5 bytes JMP 00000000779c0410 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1432] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000778609e0 5 bytes JMP 00000000779c0240 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1432] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077860ca0 5 bytes JMP 00000000779c01e0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1432] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077860d60 5 bytes JMP 00000000779c0250 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1432] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077860d90 5 bytes JMP 00000000779c0490 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1432] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077860da0 5 bytes JMP 00000000779c04a0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1432] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077860dd0 5 bytes JMP 00000000779c0300 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1432] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077860de0 5 bytes JMP 00000000779c0360 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1432] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077860e40 5 bytes JMP 00000000779c02a0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1432] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077860e90 5 bytes JMP 00000000779c02c0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1432] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077860ec0 5 bytes JMP 00000000779c0380 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1432] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077860ed0 5 bytes JMP 00000000779c0340 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1432] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000778611c0 5 bytes JMP 00000000779c0440 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1432] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778613c0 5 bytes JMP 00000000779c0260 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1432] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778613d0 5 bytes JMP 00000000779c0270 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1432] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778613e0 5 bytes JMP 00000000779c0400 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1432] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778615a0 5 bytes JMP 00000000779c01f0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1432] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778615b0 5 bytes JMP 00000000779c0210 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1432] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077861620 5 bytes JMP 00000000779c0200 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1432] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077861680 5 bytes JMP 00000000779c0420 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1432] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077861690 5 bytes JMP 00000000779c0430 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1432] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000778616a0 5 bytes JMP 00000000779c0220 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1432] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077861780 5 bytes JMP 00000000779c0280 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1432] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007764f1bd 1 byte [62] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2272] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007785ff60 5 bytes JMP 00000000779c0460 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2272] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007785ffb0 5 bytes JMP 00000000779c0450 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2272] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077860110 5 bytes JMP 00000000779c0370 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2272] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077860160 5 bytes JMP 00000000779c0470 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2272] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077860170 5 bytes JMP 00000000779c03e0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2272] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077860220 5 bytes JMP 00000000779c0320 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2272] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077860250 5 bytes JMP 00000000779c03b0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2272] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077860270 5 bytes JMP 00000000779c0390 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2272] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778602b0 5 bytes JMP 00000000779c02e0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2272] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077860330 5 bytes JMP 00000000779c02d0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2272] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077860350 5 bytes JMP 00000000779c0310 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2272] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077860390 5 bytes JMP 00000000779c03c0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2272] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778603e0 5 bytes JMP 00000000779c03f0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2272] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077860540 5 bytes JMP 00000000779c0230 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2272] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077860700 5 bytes JMP 00000000779c0480 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2272] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077860730 5 bytes JMP 00000000779c03a0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2272] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077860810 5 bytes JMP 00000000779c02f0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2272] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077860820 5 bytes JMP 00000000779c0350 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2272] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077860880 5 bytes JMP 00000000779c0290 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2272] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077860910 5 bytes JMP 00000000779c02b0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2272] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077860930 5 bytes JMP 00000000779c03d0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2272] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077860940 5 bytes JMP 00000000779c0330 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2272] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000778609b0 5 bytes JMP 00000000779c0410 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2272] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000778609e0 5 bytes JMP 00000000779c0240 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2272] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077860ca0 5 bytes JMP 00000000779c01e0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2272] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077860d60 5 bytes JMP 00000000779c0250 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2272] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077860d90 5 bytes JMP 00000000779c0490 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2272] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077860da0 5 bytes JMP 00000000779c04a0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2272] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077860dd0 5 bytes JMP 00000000779c0300 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2272] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077860de0 5 bytes JMP 00000000779c0360 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2272] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077860e40 5 bytes JMP 00000000779c02a0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2272] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077860e90 5 bytes JMP 00000000779c02c0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2272] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077860ec0 5 bytes JMP 00000000779c0380 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2272] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077860ed0 5 bytes JMP 00000000779c0340 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2272] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000778611c0 5 bytes JMP 00000000779c0440 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2272] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778613c0 5 bytes JMP 00000000779c0260 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2272] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778613d0 5 bytes JMP 00000000779c0270 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2272] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778613e0 5 bytes JMP 00000000779c0400 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2272] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778615a0 5 bytes JMP 00000000779c01f0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2272] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778615b0 5 bytes JMP 00000000779c0210 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2272] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077861620 5 bytes JMP 00000000779c0200 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2272] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077861680 5 bytes JMP 00000000779c0420 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2272] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077861690 5 bytes JMP 00000000779c0430 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2272] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000778616a0 5 bytes JMP 00000000779c0220 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2272] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077861780 5 bytes JMP 00000000779c0280 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2272] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007764f1bd 1 byte [62] .text C:\Program Files (x86)\EXPERTool\TBPANEL.exe[2320] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000075e2b0c5 1 byte [62] .text C:\Program Files\Windows Sidebar\sidebar.exe[2732] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007785ff60 5 bytes JMP 00000000779c0460 .text C:\Program Files\Windows Sidebar\sidebar.exe[2732] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007785ffb0 5 bytes JMP 00000000779c0450 .text C:\Program Files\Windows Sidebar\sidebar.exe[2732] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077860110 5 bytes JMP 00000000779c0370 .text C:\Program Files\Windows Sidebar\sidebar.exe[2732] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077860160 5 bytes JMP 00000000779c0470 .text C:\Program Files\Windows Sidebar\sidebar.exe[2732] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077860170 5 bytes JMP 00000000779c03e0 .text C:\Program Files\Windows Sidebar\sidebar.exe[2732] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077860220 5 bytes JMP 00000000779c0320 .text C:\Program Files\Windows Sidebar\sidebar.exe[2732] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077860250 5 bytes JMP 00000000779c03b0 .text C:\Program Files\Windows Sidebar\sidebar.exe[2732] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077860270 5 bytes JMP 00000000779c0390 .text C:\Program Files\Windows Sidebar\sidebar.exe[2732] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778602b0 5 bytes JMP 00000000779c02e0 .text C:\Program Files\Windows Sidebar\sidebar.exe[2732] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077860330 5 bytes JMP 00000000779c02d0 .text C:\Program Files\Windows Sidebar\sidebar.exe[2732] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077860350 5 bytes JMP 00000000779c0310 .text C:\Program Files\Windows Sidebar\sidebar.exe[2732] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077860390 5 bytes JMP 00000000779c03c0 .text C:\Program Files\Windows Sidebar\sidebar.exe[2732] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778603e0 5 bytes JMP 00000000779c03f0 .text C:\Program Files\Windows Sidebar\sidebar.exe[2732] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077860540 5 bytes JMP 00000000779c0230 .text C:\Program Files\Windows Sidebar\sidebar.exe[2732] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077860700 5 bytes JMP 00000000779c0480 .text C:\Program Files\Windows Sidebar\sidebar.exe[2732] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077860730 5 bytes JMP 00000000779c03a0 .text C:\Program Files\Windows Sidebar\sidebar.exe[2732] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077860810 5 bytes JMP 00000000779c02f0 .text C:\Program Files\Windows Sidebar\sidebar.exe[2732] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077860820 5 bytes JMP 00000000779c0350 .text C:\Program Files\Windows Sidebar\sidebar.exe[2732] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077860880 5 bytes JMP 00000000779c0290 .text C:\Program Files\Windows Sidebar\sidebar.exe[2732] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077860910 5 bytes JMP 00000000779c02b0 .text C:\Program Files\Windows Sidebar\sidebar.exe[2732] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077860930 5 bytes JMP 00000000779c03d0 .text C:\Program Files\Windows Sidebar\sidebar.exe[2732] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077860940 5 bytes JMP 00000000779c0330 .text C:\Program Files\Windows Sidebar\sidebar.exe[2732] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000778609b0 5 bytes JMP 00000000779c0410 .text C:\Program Files\Windows Sidebar\sidebar.exe[2732] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000778609e0 5 bytes JMP 00000000779c0240 .text C:\Program Files\Windows Sidebar\sidebar.exe[2732] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077860ca0 5 bytes JMP 00000000779c01e0 .text C:\Program Files\Windows Sidebar\sidebar.exe[2732] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077860d60 5 bytes JMP 00000000779c0250 .text C:\Program Files\Windows Sidebar\sidebar.exe[2732] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077860d90 5 bytes JMP 00000000779c0490 .text C:\Program Files\Windows Sidebar\sidebar.exe[2732] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077860da0 5 bytes JMP 00000000779c04a0 .text C:\Program Files\Windows Sidebar\sidebar.exe[2732] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077860dd0 5 bytes JMP 00000000779c0300 .text C:\Program Files\Windows Sidebar\sidebar.exe[2732] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077860de0 5 bytes JMP 00000000779c0360 .text C:\Program Files\Windows Sidebar\sidebar.exe[2732] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077860e40 5 bytes JMP 00000000779c02a0 .text C:\Program Files\Windows Sidebar\sidebar.exe[2732] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077860e90 5 bytes JMP 00000000779c02c0 .text C:\Program Files\Windows Sidebar\sidebar.exe[2732] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077860ec0 5 bytes JMP 00000000779c0380 .text C:\Program Files\Windows Sidebar\sidebar.exe[2732] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077860ed0 5 bytes JMP 00000000779c0340 .text C:\Program Files\Windows Sidebar\sidebar.exe[2732] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000778611c0 5 bytes JMP 00000000779c0440 .text C:\Program Files\Windows Sidebar\sidebar.exe[2732] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778613c0 5 bytes JMP 00000000779c0260 .text C:\Program Files\Windows Sidebar\sidebar.exe[2732] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778613d0 5 bytes JMP 00000000779c0270 .text C:\Program Files\Windows Sidebar\sidebar.exe[2732] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778613e0 5 bytes JMP 00000000779c0400 .text C:\Program Files\Windows Sidebar\sidebar.exe[2732] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778615a0 5 bytes JMP 00000000779c01f0 .text C:\Program Files\Windows Sidebar\sidebar.exe[2732] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778615b0 5 bytes JMP 00000000779c0210 .text C:\Program Files\Windows Sidebar\sidebar.exe[2732] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077861620 5 bytes JMP 00000000779c0200 .text C:\Program Files\Windows Sidebar\sidebar.exe[2732] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077861680 5 bytes JMP 00000000779c0420 .text C:\Program Files\Windows Sidebar\sidebar.exe[2732] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077861690 5 bytes JMP 00000000779c0430 .text C:\Program Files\Windows Sidebar\sidebar.exe[2732] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000778616a0 5 bytes JMP 00000000779c0220 .text C:\Program Files\Windows Sidebar\sidebar.exe[2732] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077861780 5 bytes JMP 00000000779c0280 .text C:\Program Files\Windows Sidebar\sidebar.exe[2732] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007764f1bd 1 byte [62] .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2960] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007785ff60 5 bytes JMP 00000000779c0460 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2960] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007785ffb0 5 bytes JMP 00000000779c0450 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2960] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077860110 5 bytes JMP 00000000779c0370 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2960] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077860160 5 bytes JMP 00000000779c0470 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2960] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077860170 5 bytes JMP 00000000779c03e0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2960] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077860220 5 bytes JMP 00000000779c0320 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2960] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077860250 5 bytes JMP 00000000779c03b0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2960] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077860270 5 bytes JMP 00000000779c0390 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2960] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778602b0 5 bytes JMP 00000000779c02e0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2960] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077860330 5 bytes JMP 00000000779c02d0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2960] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077860350 5 bytes JMP 00000000779c0310 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2960] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077860390 5 bytes JMP 00000000779c03c0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2960] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778603e0 5 bytes JMP 00000000779c03f0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2960] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077860540 5 bytes JMP 00000000779c0230 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2960] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077860700 5 bytes JMP 00000000779c0480 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2960] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077860730 5 bytes JMP 00000000779c03a0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2960] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077860810 5 bytes JMP 00000000779c02f0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2960] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077860820 5 bytes JMP 00000000779c0350 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2960] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077860880 5 bytes JMP 00000000779c0290 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2960] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077860910 5 bytes JMP 00000000779c02b0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2960] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077860930 5 bytes JMP 00000000779c03d0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2960] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077860940 5 bytes JMP 00000000779c0330 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2960] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000778609b0 5 bytes JMP 00000000779c0410 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2960] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000778609e0 5 bytes JMP 00000000779c0240 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2960] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077860ca0 5 bytes JMP 00000000779c01e0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2960] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077860d60 5 bytes JMP 00000000779c0250 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2960] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077860d90 5 bytes JMP 00000000779c0490 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2960] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077860da0 5 bytes JMP 00000000779c04a0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2960] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077860dd0 5 bytes JMP 00000000779c0300 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2960] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077860de0 5 bytes JMP 00000000779c0360 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2960] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077860e40 5 bytes JMP 00000000779c02a0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2960] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077860e90 5 bytes JMP 00000000779c02c0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2960] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077860ec0 5 bytes JMP 00000000779c0380 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2960] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077860ed0 5 bytes JMP 00000000779c0340 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2960] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000778611c0 5 bytes JMP 00000000779c0440 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2960] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778613c0 5 bytes JMP 00000000779c0260 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2960] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778613d0 5 bytes JMP 00000000779c0270 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2960] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778613e0 5 bytes JMP 00000000779c0400 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2960] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778615a0 5 bytes JMP 00000000779c01f0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2960] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778615b0 5 bytes JMP 00000000779c0210 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2960] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077861620 5 bytes JMP 00000000779c0200 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2960] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077861680 5 bytes JMP 00000000779c0420 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2960] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077861690 5 bytes JMP 00000000779c0430 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2960] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000778616a0 5 bytes JMP 00000000779c0220 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2960] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077861780 5 bytes JMP 00000000779c0280 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2960] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007764f1bd 1 byte [62] .text C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCU.exe[2992] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000075e2b0c5 1 byte [62] .text C:\Program Files (x86)\Winamp\winampa.exe[3000] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000075e2b0c5 1 byte [62] .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2672] C:\Windows\syswow64\kernel32.dll!SetUnhandledExceptionFilter 0000000075e0d03c 8 bytes [31, C0, C2, 04, 00, 90, 90, ...] .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2672] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000075e2b0c5 1 byte [62] .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2672] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000076bb1401 2 bytes JMP 75e1eb26 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2672] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000076bb1419 2 bytes JMP 75e2b513 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2672] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000076bb1431 2 bytes JMP 75ea8609 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2672] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000076bb144a 2 bytes CALL 75e01dfa C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2672] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000076bb14dd 2 bytes JMP 75ea7efe C:\Windows\syswow64\kernel32.dll .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2672] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000076bb14f5 2 bytes JMP 75ea80d8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2672] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000076bb150d 2 bytes JMP 75ea7df4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2672] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000076bb1525 2 bytes JMP 75ea81c2 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2672] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000076bb153d 2 bytes JMP 75e1f088 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2672] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000076bb1555 2 bytes JMP 75e2b885 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2672] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000076bb156d 2 bytes JMP 75ea86c1 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2672] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000076bb1585 2 bytes JMP 75ea8222 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2672] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000076bb159d 2 bytes JMP 75ea7db8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2672] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000076bb15b5 2 bytes JMP 75e1f121 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2672] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000076bb15cd 2 bytes JMP 75e2b29f C:\Windows\syswow64\kernel32.dll .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2672] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000076bb16b2 2 bytes JMP 75ea8584 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2672] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000076bb16bd 2 bytes JMP 75ea7d4d C:\Windows\syswow64\kernel32.dll .text C:\Windows\system32\SearchIndexer.exe[3384] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007785ff60 5 bytes JMP 00000000779c0460 .text C:\Windows\system32\SearchIndexer.exe[3384] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007785ffb0 5 bytes JMP 00000000779c0450 .text C:\Windows\system32\SearchIndexer.exe[3384] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077860110 5 bytes JMP 00000000779c0370 .text C:\Windows\system32\SearchIndexer.exe[3384] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077860160 5 bytes JMP 00000000779c0470 .text C:\Windows\system32\SearchIndexer.exe[3384] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077860170 5 bytes JMP 00000000779c03e0 .text C:\Windows\system32\SearchIndexer.exe[3384] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077860220 5 bytes JMP 00000000779c0320 .text C:\Windows\system32\SearchIndexer.exe[3384] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077860250 5 bytes JMP 00000000779c03b0 .text C:\Windows\system32\SearchIndexer.exe[3384] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077860270 5 bytes JMP 00000000779c0390 .text C:\Windows\system32\SearchIndexer.exe[3384] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778602b0 5 bytes JMP 00000000779c02e0 .text C:\Windows\system32\SearchIndexer.exe[3384] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077860330 5 bytes JMP 00000000779c02d0 .text C:\Windows\system32\SearchIndexer.exe[3384] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077860350 5 bytes JMP 00000000779c0310 .text C:\Windows\system32\SearchIndexer.exe[3384] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077860390 5 bytes JMP 00000000779c03c0 .text C:\Windows\system32\SearchIndexer.exe[3384] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778603e0 5 bytes JMP 00000000779c03f0 .text C:\Windows\system32\SearchIndexer.exe[3384] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077860540 5 bytes JMP 00000000779c0230 .text C:\Windows\system32\SearchIndexer.exe[3384] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077860700 5 bytes JMP 00000000779c0480 .text C:\Windows\system32\SearchIndexer.exe[3384] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077860730 5 bytes JMP 00000000779c03a0 .text C:\Windows\system32\SearchIndexer.exe[3384] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077860810 5 bytes JMP 00000000779c02f0 .text C:\Windows\system32\SearchIndexer.exe[3384] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077860820 5 bytes JMP 00000000779c0350 .text C:\Windows\system32\SearchIndexer.exe[3384] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077860880 5 bytes JMP 00000000779c0290 .text C:\Windows\system32\SearchIndexer.exe[3384] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077860910 5 bytes JMP 00000000779c02b0 .text C:\Windows\system32\SearchIndexer.exe[3384] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077860930 5 bytes JMP 00000000779c03d0 .text C:\Windows\system32\SearchIndexer.exe[3384] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077860940 5 bytes JMP 00000000779c0330 .text C:\Windows\system32\SearchIndexer.exe[3384] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000778609b0 5 bytes JMP 00000000779c0410 .text C:\Windows\system32\SearchIndexer.exe[3384] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000778609e0 5 bytes JMP 00000000779c0240 .text C:\Windows\system32\SearchIndexer.exe[3384] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077860ca0 5 bytes JMP 00000000779c01e0 .text C:\Windows\system32\SearchIndexer.exe[3384] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077860d60 5 bytes JMP 00000000779c0250 .text C:\Windows\system32\SearchIndexer.exe[3384] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077860d90 5 bytes JMP 00000000779c0490 .text C:\Windows\system32\SearchIndexer.exe[3384] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077860da0 5 bytes JMP 00000000779c04a0 .text C:\Windows\system32\SearchIndexer.exe[3384] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077860dd0 5 bytes JMP 00000000779c0300 .text C:\Windows\system32\SearchIndexer.exe[3384] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077860de0 5 bytes JMP 00000000779c0360 .text C:\Windows\system32\SearchIndexer.exe[3384] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077860e40 5 bytes JMP 00000000779c02a0 .text C:\Windows\system32\SearchIndexer.exe[3384] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077860e90 5 bytes JMP 00000000779c02c0 .text C:\Windows\system32\SearchIndexer.exe[3384] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077860ec0 5 bytes JMP 00000000779c0380 .text C:\Windows\system32\SearchIndexer.exe[3384] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077860ed0 5 bytes JMP 00000000779c0340 .text C:\Windows\system32\SearchIndexer.exe[3384] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000778611c0 5 bytes JMP 00000000779c0440 .text C:\Windows\system32\SearchIndexer.exe[3384] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778613c0 5 bytes JMP 00000000779c0260 .text C:\Windows\system32\SearchIndexer.exe[3384] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778613d0 5 bytes JMP 00000000779c0270 .text C:\Windows\system32\SearchIndexer.exe[3384] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778613e0 5 bytes JMP 00000000779c0400 .text C:\Windows\system32\SearchIndexer.exe[3384] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778615a0 5 bytes JMP 00000000779c01f0 .text C:\Windows\system32\SearchIndexer.exe[3384] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778615b0 5 bytes JMP 00000000779c0210 .text C:\Windows\system32\SearchIndexer.exe[3384] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077861620 5 bytes JMP 00000000779c0200 .text C:\Windows\system32\SearchIndexer.exe[3384] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077861680 5 bytes JMP 00000000779c0420 .text C:\Windows\system32\SearchIndexer.exe[3384] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077861690 5 bytes JMP 00000000779c0430 .text C:\Windows\system32\SearchIndexer.exe[3384] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000778616a0 5 bytes JMP 00000000779c0220 .text C:\Windows\system32\SearchIndexer.exe[3384] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077861780 5 bytes JMP 00000000779c0280 .text C:\Windows\system32\SearchIndexer.exe[3384] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007764f1bd 1 byte [62] .text C:\Windows\system32\svchost.exe[3512] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007785ff60 5 bytes JMP 0000000100070460 .text C:\Windows\system32\svchost.exe[3512] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007785ffb0 5 bytes JMP 0000000100070450 .text C:\Windows\system32\svchost.exe[3512] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077860110 5 bytes JMP 0000000100070370 .text C:\Windows\system32\svchost.exe[3512] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077860160 5 bytes JMP 0000000100070470 .text C:\Windows\system32\svchost.exe[3512] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077860170 5 bytes JMP 00000001000703e0 .text C:\Windows\system32\svchost.exe[3512] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077860220 5 bytes JMP 0000000100070320 .text C:\Windows\system32\svchost.exe[3512] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077860250 5 bytes JMP 00000001000703b0 .text C:\Windows\system32\svchost.exe[3512] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077860270 5 bytes JMP 0000000100070390 .text C:\Windows\system32\svchost.exe[3512] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778602b0 5 bytes JMP 00000001000702e0 .text C:\Windows\system32\svchost.exe[3512] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077860330 5 bytes JMP 00000001000702d0 .text C:\Windows\system32\svchost.exe[3512] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077860350 5 bytes JMP 0000000100070310 .text C:\Windows\system32\svchost.exe[3512] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077860390 5 bytes JMP 00000001000703c0 .text C:\Windows\system32\svchost.exe[3512] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778603e0 5 bytes JMP 00000001000703f0 .text C:\Windows\system32\svchost.exe[3512] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077860540 5 bytes JMP 0000000100070230 .text C:\Windows\system32\svchost.exe[3512] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077860700 5 bytes JMP 0000000100070480 .text C:\Windows\system32\svchost.exe[3512] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077860730 5 bytes JMP 00000001000703a0 .text C:\Windows\system32\svchost.exe[3512] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077860810 5 bytes JMP 00000001000702f0 .text C:\Windows\system32\svchost.exe[3512] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077860820 5 bytes JMP 0000000100070350 .text C:\Windows\system32\svchost.exe[3512] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077860880 5 bytes JMP 0000000100070290 .text C:\Windows\system32\svchost.exe[3512] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077860910 5 bytes JMP 00000001000702b0 .text C:\Windows\system32\svchost.exe[3512] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077860930 5 bytes JMP 00000001000703d0 .text C:\Windows\system32\svchost.exe[3512] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077860940 5 bytes JMP 0000000100070330 .text C:\Windows\system32\svchost.exe[3512] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000778609b0 5 bytes JMP 0000000100070410 .text C:\Windows\system32\svchost.exe[3512] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000778609e0 5 bytes JMP 0000000100070240 .text C:\Windows\system32\svchost.exe[3512] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077860ca0 5 bytes JMP 00000001000701e0 .text C:\Windows\system32\svchost.exe[3512] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077860d60 5 bytes JMP 0000000100070250 .text C:\Windows\system32\svchost.exe[3512] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077860d90 5 bytes JMP 0000000100070490 .text C:\Windows\system32\svchost.exe[3512] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077860da0 5 bytes JMP 00000001000704a0 .text C:\Windows\system32\svchost.exe[3512] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077860dd0 5 bytes JMP 0000000100070300 .text C:\Windows\system32\svchost.exe[3512] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077860de0 5 bytes JMP 0000000100070360 .text C:\Windows\system32\svchost.exe[3512] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077860e40 5 bytes JMP 00000001000702a0 .text C:\Windows\system32\svchost.exe[3512] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077860e90 5 bytes JMP 00000001000702c0 .text C:\Windows\system32\svchost.exe[3512] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077860ec0 5 bytes JMP 0000000100070380 .text C:\Windows\system32\svchost.exe[3512] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077860ed0 5 bytes JMP 0000000100070340 .text C:\Windows\system32\svchost.exe[3512] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000778611c0 5 bytes JMP 0000000100070440 .text C:\Windows\system32\svchost.exe[3512] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778613c0 5 bytes JMP 0000000100070260 .text C:\Windows\system32\svchost.exe[3512] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778613d0 5 bytes JMP 0000000100070270 .text C:\Windows\system32\svchost.exe[3512] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778613e0 5 bytes JMP 0000000100070400 .text C:\Windows\system32\svchost.exe[3512] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778615a0 5 bytes JMP 00000001000701f0 .text C:\Windows\system32\svchost.exe[3512] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778615b0 5 bytes JMP 0000000100070210 .text C:\Windows\system32\svchost.exe[3512] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077861620 5 bytes JMP 0000000100070200 .text C:\Windows\system32\svchost.exe[3512] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077861680 5 bytes JMP 0000000100070420 .text C:\Windows\system32\svchost.exe[3512] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077861690 5 bytes JMP 0000000100070430 .text C:\Windows\system32\svchost.exe[3512] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000778616a0 5 bytes JMP 0000000100070220 .text C:\Windows\system32\svchost.exe[3512] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077861780 5 bytes JMP 0000000100070280 .text C:\Windows\system32\svchost.exe[3512] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007764f1bd 1 byte [62] .text C:\Windows\system32\wbem\wmiprvse.exe[3164] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007785ff60 5 bytes JMP 00000000779c0460 .text C:\Windows\system32\wbem\wmiprvse.exe[3164] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007785ffb0 5 bytes JMP 00000000779c0450 .text C:\Windows\system32\wbem\wmiprvse.exe[3164] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077860110 5 bytes JMP 00000000779c0370 .text C:\Windows\system32\wbem\wmiprvse.exe[3164] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077860160 5 bytes JMP 00000000779c0470 .text C:\Windows\system32\wbem\wmiprvse.exe[3164] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077860170 5 bytes JMP 00000000779c03e0 .text C:\Windows\system32\wbem\wmiprvse.exe[3164] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077860220 5 bytes JMP 00000000779c0320 .text C:\Windows\system32\wbem\wmiprvse.exe[3164] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077860250 5 bytes JMP 00000000779c03b0 .text C:\Windows\system32\wbem\wmiprvse.exe[3164] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077860270 5 bytes JMP 00000000779c0390 .text C:\Windows\system32\wbem\wmiprvse.exe[3164] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778602b0 5 bytes JMP 00000000779c02e0 .text C:\Windows\system32\wbem\wmiprvse.exe[3164] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077860330 5 bytes JMP 00000000779c02d0 .text C:\Windows\system32\wbem\wmiprvse.exe[3164] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077860350 5 bytes JMP 00000000779c0310 .text C:\Windows\system32\wbem\wmiprvse.exe[3164] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077860390 5 bytes JMP 00000000779c03c0 .text C:\Windows\system32\wbem\wmiprvse.exe[3164] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778603e0 5 bytes JMP 00000000779c03f0 .text C:\Windows\system32\wbem\wmiprvse.exe[3164] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077860540 5 bytes JMP 00000000779c0230 .text C:\Windows\system32\wbem\wmiprvse.exe[3164] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077860700 5 bytes JMP 00000000779c0480 .text C:\Windows\system32\wbem\wmiprvse.exe[3164] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077860730 5 bytes JMP 00000000779c03a0 .text C:\Windows\system32\wbem\wmiprvse.exe[3164] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077860810 5 bytes JMP 00000000779c02f0 .text C:\Windows\system32\wbem\wmiprvse.exe[3164] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077860820 5 bytes JMP 00000000779c0350 .text C:\Windows\system32\wbem\wmiprvse.exe[3164] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077860880 5 bytes JMP 00000000779c0290 .text C:\Windows\system32\wbem\wmiprvse.exe[3164] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077860910 5 bytes JMP 00000000779c02b0 .text C:\Windows\system32\wbem\wmiprvse.exe[3164] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077860930 5 bytes JMP 00000000779c03d0 .text C:\Windows\system32\wbem\wmiprvse.exe[3164] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077860940 5 bytes JMP 00000000779c0330 .text C:\Windows\system32\wbem\wmiprvse.exe[3164] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000778609b0 5 bytes JMP 00000000779c0410 .text C:\Windows\system32\wbem\wmiprvse.exe[3164] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000778609e0 5 bytes JMP 00000000779c0240 .text C:\Windows\system32\wbem\wmiprvse.exe[3164] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077860ca0 5 bytes JMP 00000000779c01e0 .text C:\Windows\system32\wbem\wmiprvse.exe[3164] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077860d60 5 bytes JMP 00000000779c0250 .text C:\Windows\system32\wbem\wmiprvse.exe[3164] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077860d90 5 bytes JMP 00000000779c0490 .text C:\Windows\system32\wbem\wmiprvse.exe[3164] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077860da0 5 bytes JMP 00000000779c04a0 .text C:\Windows\system32\wbem\wmiprvse.exe[3164] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077860dd0 5 bytes JMP 00000000779c0300 .text C:\Windows\system32\wbem\wmiprvse.exe[3164] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077860de0 5 bytes JMP 00000000779c0360 .text C:\Windows\system32\wbem\wmiprvse.exe[3164] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077860e40 5 bytes JMP 00000000779c02a0 .text C:\Windows\system32\wbem\wmiprvse.exe[3164] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077860e90 5 bytes JMP 00000000779c02c0 .text C:\Windows\system32\wbem\wmiprvse.exe[3164] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077860ec0 5 bytes JMP 00000000779c0380 .text C:\Windows\system32\wbem\wmiprvse.exe[3164] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077860ed0 5 bytes JMP 00000000779c0340 .text C:\Windows\system32\wbem\wmiprvse.exe[3164] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000778611c0 5 bytes JMP 00000000779c0440 .text C:\Windows\system32\wbem\wmiprvse.exe[3164] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778613c0 5 bytes JMP 00000000779c0260 .text C:\Windows\system32\wbem\wmiprvse.exe[3164] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778613d0 5 bytes JMP 00000000779c0270 .text C:\Windows\system32\wbem\wmiprvse.exe[3164] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778613e0 5 bytes JMP 00000000779c0400 .text C:\Windows\system32\wbem\wmiprvse.exe[3164] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778615a0 5 bytes JMP 00000000779c01f0 .text C:\Windows\system32\wbem\wmiprvse.exe[3164] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778615b0 5 bytes JMP 00000000779c0210 .text C:\Windows\system32\wbem\wmiprvse.exe[3164] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077861620 5 bytes JMP 00000000779c0200 .text C:\Windows\system32\wbem\wmiprvse.exe[3164] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077861680 5 bytes JMP 00000000779c0420 .text C:\Windows\system32\wbem\wmiprvse.exe[3164] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077861690 5 bytes JMP 00000000779c0430 .text C:\Windows\system32\wbem\wmiprvse.exe[3164] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000778616a0 5 bytes JMP 00000000779c0220 .text C:\Windows\system32\wbem\wmiprvse.exe[3164] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077861780 5 bytes JMP 00000000779c0280 .text C:\Windows\system32\wbem\wmiprvse.exe[3164] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007764f1bd 1 byte [62] .text C:\Windows\System32\svchost.exe[3708] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007785ff60 5 bytes JMP 0000000100070460 .text C:\Windows\System32\svchost.exe[3708] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007785ffb0 5 bytes JMP 0000000100070450 .text C:\Windows\System32\svchost.exe[3708] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077860110 5 bytes JMP 0000000100070370 .text C:\Windows\System32\svchost.exe[3708] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077860160 5 bytes JMP 0000000100070470 .text C:\Windows\System32\svchost.exe[3708] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077860170 5 bytes JMP 00000001000703e0 .text C:\Windows\System32\svchost.exe[3708] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077860220 5 bytes JMP 0000000100070320 .text C:\Windows\System32\svchost.exe[3708] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077860250 5 bytes JMP 00000001000703b0 .text C:\Windows\System32\svchost.exe[3708] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077860270 5 bytes JMP 0000000100070390 .text C:\Windows\System32\svchost.exe[3708] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778602b0 5 bytes JMP 00000001000702e0 .text C:\Windows\System32\svchost.exe[3708] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077860330 5 bytes JMP 00000001000702d0 .text C:\Windows\System32\svchost.exe[3708] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077860350 5 bytes JMP 0000000100070310 .text C:\Windows\System32\svchost.exe[3708] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077860390 5 bytes JMP 00000001000703c0 .text C:\Windows\System32\svchost.exe[3708] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778603e0 5 bytes JMP 00000001000703f0 .text C:\Windows\System32\svchost.exe[3708] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077860540 5 bytes JMP 0000000100070230 .text C:\Windows\System32\svchost.exe[3708] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077860700 5 bytes JMP 0000000100070480 .text C:\Windows\System32\svchost.exe[3708] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077860730 5 bytes JMP 00000001000703a0 .text C:\Windows\System32\svchost.exe[3708] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077860810 5 bytes JMP 00000001000702f0 .text C:\Windows\System32\svchost.exe[3708] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077860820 5 bytes JMP 0000000100070350 .text C:\Windows\System32\svchost.exe[3708] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077860880 5 bytes JMP 0000000100070290 .text C:\Windows\System32\svchost.exe[3708] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077860910 5 bytes JMP 00000001000702b0 .text C:\Windows\System32\svchost.exe[3708] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077860930 5 bytes JMP 00000001000703d0 .text C:\Windows\System32\svchost.exe[3708] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077860940 5 bytes JMP 0000000100070330 .text C:\Windows\System32\svchost.exe[3708] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000778609b0 5 bytes JMP 0000000100070410 .text C:\Windows\System32\svchost.exe[3708] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000778609e0 5 bytes JMP 0000000100070240 .text C:\Windows\System32\svchost.exe[3708] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077860ca0 5 bytes JMP 00000001000701e0 .text C:\Windows\System32\svchost.exe[3708] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077860d60 5 bytes JMP 0000000100070250 .text C:\Windows\System32\svchost.exe[3708] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077860d90 5 bytes JMP 0000000100070490 .text C:\Windows\System32\svchost.exe[3708] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077860da0 5 bytes JMP 00000001000704a0 .text C:\Windows\System32\svchost.exe[3708] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077860dd0 5 bytes JMP 0000000100070300 .text C:\Windows\System32\svchost.exe[3708] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077860de0 5 bytes JMP 0000000100070360 .text C:\Windows\System32\svchost.exe[3708] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077860e40 5 bytes JMP 00000001000702a0 .text C:\Windows\System32\svchost.exe[3708] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077860e90 5 bytes JMP 00000001000702c0 .text C:\Windows\System32\svchost.exe[3708] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077860ec0 5 bytes JMP 0000000100070380 .text C:\Windows\System32\svchost.exe[3708] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077860ed0 5 bytes JMP 0000000100070340 .text C:\Windows\System32\svchost.exe[3708] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000778611c0 5 bytes JMP 0000000100070440 .text C:\Windows\System32\svchost.exe[3708] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778613c0 5 bytes JMP 0000000100070260 .text C:\Windows\System32\svchost.exe[3708] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778613d0 5 bytes JMP 0000000100070270 .text C:\Windows\System32\svchost.exe[3708] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778613e0 5 bytes JMP 0000000100070400 .text C:\Windows\System32\svchost.exe[3708] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778615a0 5 bytes JMP 00000001000701f0 .text C:\Windows\System32\svchost.exe[3708] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778615b0 5 bytes JMP 0000000100070210 .text C:\Windows\System32\svchost.exe[3708] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077861620 5 bytes JMP 0000000100070200 .text C:\Windows\System32\svchost.exe[3708] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077861680 5 bytes JMP 0000000100070420 .text C:\Windows\System32\svchost.exe[3708] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077861690 5 bytes JMP 0000000100070430 .text C:\Windows\System32\svchost.exe[3708] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000778616a0 5 bytes JMP 0000000100070220 .text C:\Windows\System32\svchost.exe[3708] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077861780 5 bytes JMP 0000000100070280 .text C:\Windows\System32\svchost.exe[3708] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007764f1bd 1 byte [62] .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[1364] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000075e2b0c5 1 byte [62] .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[1364] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000076bb1401 2 bytes JMP 75e1eb26 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[1364] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000076bb1419 2 bytes JMP 75e2b513 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[1364] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000076bb1431 2 bytes JMP 75ea8609 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[1364] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000076bb144a 2 bytes CALL 75e01dfa C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[1364] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000076bb14dd 2 bytes JMP 75ea7efe C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[1364] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000076bb14f5 2 bytes JMP 75ea80d8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[1364] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000076bb150d 2 bytes JMP 75ea7df4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[1364] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000076bb1525 2 bytes JMP 75ea81c2 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[1364] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000076bb153d 2 bytes JMP 75e1f088 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[1364] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000076bb1555 2 bytes JMP 75e2b885 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[1364] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000076bb156d 2 bytes JMP 75ea86c1 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[1364] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000076bb1585 2 bytes JMP 75ea8222 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[1364] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000076bb159d 2 bytes JMP 75ea7db8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[1364] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000076bb15b5 2 bytes JMP 75e1f121 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[1364] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000076bb15cd 2 bytes JMP 75e2b29f C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[1364] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000076bb16b2 2 bytes JMP 75ea8584 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[1364] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000076bb16bd 2 bytes JMP 75ea7d4d C:\Windows\syswow64\kernel32.dll .text C:\Users\User\Desktop\m57g1hli.exe[4208] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000075e2b0c5 1 byte [62] ---- Kernel IAT/EAT - GMER 2.1 ---- IAT C:\Windows\system32\DRIVERS\pci.sys[ntoskrnl.exe!IoAttachDeviceToDeviceStack] [fffff880010e1650] \SystemRoot\System32\Drivers\spry.sys [unknown section] IAT C:\Windows\system32\DRIVERS\pci.sys[ntoskrnl.exe!IoDetachDevice] [fffff880010e15dc] \SystemRoot\System32\Drivers\spry.sys [unknown section] IAT C:\Windows\system32\DRIVERS\atapi.sys[ataport.SYS!AtaPortReadPortBufferUshort] [fffff880010ac35c] \SystemRoot\System32\Drivers\spry.sys [unknown section] IAT C:\Windows\system32\DRIVERS\atapi.sys[ataport.SYS!AtaPortReadPortUchar] [fffff880010ac224] \SystemRoot\System32\Drivers\spry.sys [unknown section] IAT C:\Windows\system32\DRIVERS\atapi.sys[ataport.SYS!AtaPortWritePortUchar] [fffff880010aca24] \SystemRoot\System32\Drivers\spry.sys [unknown section] IAT C:\Windows\system32\DRIVERS\atapi.sys[ataport.SYS!AtaPortWritePortBufferUshort] [fffff880010acba0] \SystemRoot\System32\Drivers\spry.sys [unknown section] ---- User IAT/EAT - GMER 2.1 ---- IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1432] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmAddToStreamDWord] [7fef88b741c] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1432] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmSet] [7fef88b5f10] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1432] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmEndSession] [7fef88b5674] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1432] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmStartSession] [7fef88b5e2c] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1432] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmStartUpload] [7fef88b7f48] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1432] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmSetAppVersion] [7fef88b6a38] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1432] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmSetMachineId] [7fef88b6ee8] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1432] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmWriteSharedMachineId] [7fef88b7b58] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1432] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmCreateNewId] [7fef88b7ea0] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1432] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmReadSharedMachineId] [7fef88b78b0] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1432] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmGetSession] [7fef88b4fb4] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1432] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmSetAppId] [7fef88b5d38] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1432] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmAddToStreamString] [7fef88b7584] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll ---- Devices - GMER 2.1 ---- Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-0 fffffa80046ce2c0 Device \Driver\atapi \Device\Ide\IdePort0 fffffa80046ce2c0 Device \Driver\atapi \Device\Ide\IdePort1 fffffa80046ce2c0 Device \Driver\atapi \Device\Ide\IdePort2 fffffa80046ce2c0 Device \Driver\atapi \Device\Ide\IdeDeviceP2T0L0-2 fffffa80046ce2c0 Device \Driver\atapi \Device\Ide\IdePort3 fffffa80046ce2c0 Device \FileSystem\Ntfs \Ntfs fffffa80046d22c0 Device \Driver\usbehci \Device\USBPDO-5 fffffa8004f872c0 Device \Driver\usbohci \Device\USBFDO-3 fffffa8004f852c0 Device \Driver\usbohci \Device\USBPDO-1 fffffa8004f852c0 Device \Driver\cdrom \Device\CdRom0 fffffa8004d2b2c0 Device \Driver\NetBT \Device\NetBT_Tcpip_{9DE36D26-C1CB-4BF3-8327-46E360030919} fffffa8004c9b2c0 Device \Driver\usbohci \Device\USBPDO-6 fffffa8004f852c0 Device \Driver\usbohci \Device\USBFDO-4 fffffa8004f852c0 Device \Driver\usbohci \Device\USBFDO-0 fffffa8004f852c0 Device \Driver\usbehci \Device\USBPDO-2 fffffa8004f872c0 Device \Driver\usbehci \Device\USBFDO-5 fffffa8004f872c0 Device \Driver\usbohci \Device\USBPDO-3 fffffa8004f852c0 Device \Driver\usbohci \Device\USBFDO-1 fffffa8004f852c0 Device \Driver\volmgr \Device\HarddiskVolume1 fffffa80046ca2c0 Device \Driver\NetBT \Device\NetBT_Tcpip_{46BFBCE5-3AE4-4105-8FB4-A0B70FD71F45} fffffa8004c9b2c0 Device \Driver\volmgr \Device\FtControl fffffa80046ca2c0 Device \Driver\volmgr \Device\VolMgrControl fffffa80046ca2c0 Device \Driver\volmgr \Device\HarddiskVolume2 fffffa80046ca2c0 Device \Driver\volmgr \Device\HarddiskVolume3 fffffa80046ca2c0 Device \Driver\NetBT \Device\NetBt_Wins_Export fffffa8004c9b2c0 Device \Driver\usbohci \Device\USBFDO-6 fffffa8004f852c0 Device \Driver\usbohci \Device\USBPDO-4 fffffa8004f852c0 Device \Driver\usbehci \Device\USBFDO-2 fffffa8004f872c0 Device \Driver\atapi \Device\ScsiPort0 fffffa80046ce2c0 Device \Driver\usbohci \Device\USBPDO-0 fffffa8004f852c0 Device \Driver\atapi \Device\ScsiPort1 fffffa80046ce2c0 Device \Driver\atapi \Device\ScsiPort2 fffffa80046ce2c0 Device \Driver\atapi \Device\ScsiPort3 fffffa80046ce2c0 ---- Trace I/O - GMER 2.1 ---- Trace ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys >>UNKNOWN [0xfffffa80046ce2c0]<< spry.sys ataport.SYS pciide.sys PCIIDEX.SYS hal.dll atapi.sys fffffa80046ce2c0 Trace 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa8004aa4060] fffffa8004aa4060 Trace 3 CLASSPNP.SYS[fffff8800120143f] -> nt!IofCallDriver -> [0xfffffa800480a520] fffffa800480a520 Trace 5 ACPI.sys[fffff8800100b781] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-0[0xfffffa800480c060] fffffa800480c060 Trace \Driver\atapi[0xfffffa8004795b70] -> IRP_MJ_CREATE -> 0xfffffa80046ce2c0 fffffa80046ce2c0 ---- Processes - GMER 2.1 ---- Library ̀÷< PH (*** suspicious ***) @ C:\ProgramData\NVIDIA\Updatus\Packages\0000175b\drsupdate.14225440_RUNASUSER.exe [4600] 0000000010000000 ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@s1 771343423 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@s2 285507792 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@h0 1 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xA1 0xFD 0x11 0xB0 ... Reg HKLM\SYSTEM\CurrentControlSet\services\W32Time\TimeProviders\NtpClient@SpecialPollTimeRemaining time.windows.com,7c86ddb??????????? Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xA1 0xFD 0x11 0xB0 ... ---- Files - GMER 2.1 ---- File C:\Users\User\AppData\Local\Mozilla\Firefox\Profiles\m88yv9dr.default\cache2\entries\2BAA1C318C724842225C0F214C855F957C28DAA4 4745 bytes File C:\Users\User\AppData\Local\Mozilla\Firefox\Profiles\m88yv9dr.default\cache2\entries\097A819AA10854DFB77DAD8AD04035BA97E08E52 4745 bytes File C:\Users\User\AppData\Local\Mozilla\Firefox\Profiles\m88yv9dr.default\cache2\entries\DBCC9167EDF21D770CDB5777155F97B9F7ACCDFC 3220 bytes File C:\Users\User\AppData\Local\Mozilla\Firefox\Profiles\m88yv9dr.default\cache2\entries\618520D8513B2B7307BAE1E109EF701DF4A3D396 4725 bytes ---- EOF - GMER 2.1 ----