GMER 2.0.18454 - http://www.gmer.net Rootkit scan 2013-01-31 06:06:56 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-1 ST500DM002-1BD142 rev.KC45 465,76GB Running: xsuhei6j.exe; Driver: C:\Users\Filip\AppData\Local\Temp\ugloypod.sys ---- User code sections - GMER 2.0 ---- .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000778b13c0 5 bytes JMP 0000000149c50440 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000778b1410 5 bytes JMP 0000000149c50430 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000778b15c0 1 byte JMP 0000000149c50450 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 00000000778b15c2 3 bytes {JMP 0xffffffffd239ee90} .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000778b15d0 5 bytes JMP 0000000149c503b0 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000778b1680 5 bytes JMP 0000000149c50320 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000778b16b0 5 bytes JMP 0000000149c50380 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778b1710 5 bytes JMP 0000000149c502e0 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 00000000778b1760 5 bytes JMP 0000000149c50410 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000778b1790 5 bytes JMP 0000000149c502d0 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000778b17b0 5 bytes JMP 0000000149c50310 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000778b17f0 5 bytes JMP 0000000149c50390 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778b1840 5 bytes JMP 0000000149c503c0 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000778b19a0 1 byte JMP 0000000149c50230 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000778b19a2 3 bytes {JMP 0xffffffffd239e890} .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000778b1b60 5 bytes JMP 0000000149c50460 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000778b1b90 5 bytes JMP 0000000149c50370 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000778b1c70 5 bytes JMP 0000000149c502f0 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000778b1c80 5 bytes JMP 0000000149c50350 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000778b1ce0 5 bytes JMP 0000000149c50290 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000778b1d70 5 bytes JMP 0000000149c502b0 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000778b1d90 5 bytes JMP 0000000149c503a0 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000778b1da0 1 byte JMP 0000000149c50330 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00000000778b1da2 3 bytes {JMP 0xffffffffd239e590} .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000778b1e10 5 bytes JMP 0000000149c503e0 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000778b1e40 5 bytes JMP 0000000149c50240 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778b2100 5 bytes JMP 0000000149c501e0 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000778b21c0 1 byte JMP 0000000149c50250 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000778b21c2 3 bytes {JMP 0xffffffffd239e090} .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000778b21f0 5 bytes JMP 0000000149c50470 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778b2200 5 bytes JMP 0000000149c50480 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778b2230 5 bytes JMP 0000000149c50300 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778b2240 5 bytes JMP 0000000149c50360 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000778b22a0 5 bytes JMP 0000000149c502a0 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000778b22f0 5 bytes JMP 0000000149c502c0 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778b2330 5 bytes JMP 0000000149c50340 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000778b2620 5 bytes JMP 0000000149c50420 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778b2820 5 bytes JMP 0000000149c50260 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778b2830 5 bytes JMP 0000000149c50270 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778b2840 1 byte JMP 0000000149c503d0 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 00000000778b2842 3 bytes {JMP 0xffffffffd239db90} .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778b2a00 5 bytes JMP 0000000149c501f0 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778b2a10 5 bytes JMP 0000000149c50210 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000778b2a80 5 bytes JMP 0000000149c50200 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000778b2ae0 5 bytes JMP 0000000149c503f0 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000778b2af0 5 bytes JMP 0000000149c50400 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000778b2b00 5 bytes JMP 0000000149c50220 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000778b2be0 5 bytes JMP 0000000149c50280 .text C:\Windows\system32\wininit.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000778b13c0 5 bytes JMP 0000000077a10440 .text C:\Windows\system32\wininit.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000778b1410 5 bytes JMP 0000000077a10430 .text C:\Windows\system32\wininit.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000778b15c0 1 byte JMP 0000000077a10450 .text C:\Windows\system32\wininit.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 00000000778b15c2 3 bytes {JMP 0x15ee90} .text C:\Windows\system32\wininit.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000778b15d0 5 bytes JMP 0000000077a103b0 .text C:\Windows\system32\wininit.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000778b1680 5 bytes JMP 0000000077a10320 .text C:\Windows\system32\wininit.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000778b16b0 5 bytes JMP 0000000077a10380 .text C:\Windows\system32\wininit.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778b1710 5 bytes JMP 0000000077a102e0 .text C:\Windows\system32\wininit.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 00000000778b1760 5 bytes JMP 0000000077a10410 .text C:\Windows\system32\wininit.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000778b1790 5 bytes JMP 0000000077a102d0 .text C:\Windows\system32\wininit.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000778b17b0 5 bytes JMP 0000000077a10310 .text C:\Windows\system32\wininit.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000778b17f0 5 bytes JMP 0000000077a10390 .text C:\Windows\system32\wininit.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778b1840 5 bytes JMP 0000000077a103c0 .text C:\Windows\system32\wininit.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000778b19a0 1 byte JMP 0000000077a10230 .text C:\Windows\system32\wininit.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000778b19a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\wininit.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000778b1b60 5 bytes JMP 0000000077a10460 .text C:\Windows\system32\wininit.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000778b1b90 5 bytes JMP 0000000077a10370 .text C:\Windows\system32\wininit.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000778b1c70 5 bytes JMP 0000000077a102f0 .text C:\Windows\system32\wininit.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000778b1c80 5 bytes JMP 0000000077a10350 .text C:\Windows\system32\wininit.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000778b1ce0 5 bytes JMP 0000000077a10290 .text C:\Windows\system32\wininit.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000778b1d70 5 bytes JMP 0000000077a102b0 .text C:\Windows\system32\wininit.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000778b1d90 5 bytes JMP 0000000077a103a0 .text C:\Windows\system32\wininit.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000778b1da0 1 byte JMP 0000000077a10330 .text C:\Windows\system32\wininit.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00000000778b1da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\wininit.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000778b1e10 5 bytes JMP 0000000077a103e0 .text C:\Windows\system32\wininit.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000778b1e40 5 bytes JMP 0000000077a10240 .text C:\Windows\system32\wininit.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778b2100 5 bytes JMP 0000000077a101e0 .text C:\Windows\system32\wininit.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000778b21c0 1 byte JMP 0000000077a10250 .text C:\Windows\system32\wininit.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000778b21c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\wininit.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000778b21f0 5 bytes JMP 0000000077a10470 .text C:\Windows\system32\wininit.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778b2200 5 bytes JMP 0000000077a10480 .text C:\Windows\system32\wininit.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778b2230 5 bytes JMP 0000000077a10300 .text C:\Windows\system32\wininit.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778b2240 5 bytes JMP 0000000077a10360 .text C:\Windows\system32\wininit.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000778b22a0 5 bytes JMP 0000000077a102a0 .text C:\Windows\system32\wininit.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000778b22f0 5 bytes JMP 0000000077a102c0 .text C:\Windows\system32\wininit.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778b2330 5 bytes JMP 0000000077a10340 .text C:\Windows\system32\wininit.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000778b2620 5 bytes JMP 0000000077a10420 .text C:\Windows\system32\wininit.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778b2820 5 bytes JMP 0000000077a10260 .text C:\Windows\system32\wininit.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778b2830 5 bytes JMP 0000000077a10270 .text C:\Windows\system32\wininit.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778b2840 1 byte JMP 0000000077a103d0 .text C:\Windows\system32\wininit.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 00000000778b2842 3 bytes {JMP 0x15db90} .text C:\Windows\system32\wininit.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778b2a00 5 bytes JMP 0000000077a101f0 .text C:\Windows\system32\wininit.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778b2a10 5 bytes JMP 0000000077a10210 .text C:\Windows\system32\wininit.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000778b2a80 5 bytes JMP 0000000077a10200 .text C:\Windows\system32\wininit.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000778b2ae0 5 bytes JMP 0000000077a103f0 .text C:\Windows\system32\wininit.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000778b2af0 5 bytes JMP 0000000077a10400 .text C:\Windows\system32\wininit.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000778b2b00 5 bytes JMP 0000000077a10220 .text C:\Windows\system32\wininit.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000778b2be0 5 bytes JMP 0000000077a10280 .text C:\Windows\system32\wininit.exe[464] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000772deecd 1 byte [62] .text C:\Windows\system32\csrss.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000778b13c0 5 bytes JMP 0000000100120440 .text C:\Windows\system32\csrss.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000778b1410 5 bytes JMP 0000000100120430 .text C:\Windows\system32\csrss.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000778b15c0 1 byte JMP 0000000100120450 .text C:\Windows\system32\csrss.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 00000000778b15c2 3 bytes {JMP 0xffffffff8886ee90} .text C:\Windows\system32\csrss.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000778b15d0 5 bytes JMP 00000001001203b0 .text C:\Windows\system32\csrss.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000778b1680 5 bytes JMP 0000000100120320 .text C:\Windows\system32\csrss.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000778b16b0 5 bytes JMP 0000000100120380 .text C:\Windows\system32\csrss.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778b1710 5 bytes JMP 00000001001202e0 .text C:\Windows\system32\csrss.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 00000000778b1760 5 bytes JMP 0000000100120410 .text C:\Windows\system32\csrss.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000778b1790 5 bytes JMP 00000001001202d0 .text C:\Windows\system32\csrss.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000778b17b0 5 bytes JMP 0000000100120310 .text C:\Windows\system32\csrss.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000778b17f0 5 bytes JMP 0000000100120390 .text C:\Windows\system32\csrss.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778b1840 5 bytes JMP 00000001001203c0 .text C:\Windows\system32\csrss.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000778b19a0 1 byte JMP 0000000100120230 .text C:\Windows\system32\csrss.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000778b19a2 3 bytes {JMP 0xffffffff8886e890} .text C:\Windows\system32\csrss.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000778b1b60 5 bytes JMP 0000000100120460 .text C:\Windows\system32\csrss.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000778b1b90 5 bytes JMP 0000000100120370 .text C:\Windows\system32\csrss.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000778b1c70 5 bytes JMP 00000001001202f0 .text C:\Windows\system32\csrss.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000778b1c80 5 bytes JMP 0000000100120350 .text C:\Windows\system32\csrss.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000778b1ce0 5 bytes JMP 0000000100120290 .text C:\Windows\system32\csrss.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000778b1d70 5 bytes JMP 00000001001202b0 .text C:\Windows\system32\csrss.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000778b1d90 5 bytes JMP 00000001001203a0 .text C:\Windows\system32\csrss.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000778b1da0 1 byte JMP 0000000100120330 .text C:\Windows\system32\csrss.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00000000778b1da2 3 bytes {JMP 0xffffffff8886e590} .text C:\Windows\system32\csrss.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000778b1e10 5 bytes JMP 00000001001203e0 .text C:\Windows\system32\csrss.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000778b1e40 5 bytes JMP 0000000100120240 .text C:\Windows\system32\csrss.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778b2100 5 bytes JMP 00000001001201e0 .text C:\Windows\system32\csrss.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000778b21c0 1 byte JMP 0000000100120250 .text C:\Windows\system32\csrss.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000778b21c2 3 bytes {JMP 0xffffffff8886e090} .text C:\Windows\system32\csrss.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000778b21f0 5 bytes JMP 0000000100120470 .text C:\Windows\system32\csrss.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778b2200 5 bytes JMP 0000000100120480 .text C:\Windows\system32\csrss.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778b2230 5 bytes JMP 0000000100120300 .text C:\Windows\system32\csrss.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778b2240 5 bytes JMP 0000000100120360 .text C:\Windows\system32\csrss.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000778b22a0 5 bytes JMP 00000001001202a0 .text C:\Windows\system32\csrss.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000778b22f0 5 bytes JMP 00000001001202c0 .text C:\Windows\system32\csrss.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778b2330 5 bytes JMP 0000000100120340 .text C:\Windows\system32\csrss.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000778b2620 5 bytes JMP 0000000100120420 .text C:\Windows\system32\csrss.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778b2820 5 bytes JMP 0000000100120260 .text C:\Windows\system32\csrss.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778b2830 5 bytes JMP 0000000100120270 .text C:\Windows\system32\csrss.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778b2840 1 byte JMP 00000001001203d0 .text C:\Windows\system32\csrss.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 00000000778b2842 3 bytes {JMP 0xffffffff8886db90} .text C:\Windows\system32\csrss.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778b2a00 5 bytes JMP 00000001001201f0 .text C:\Windows\system32\csrss.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778b2a10 5 bytes JMP 0000000100120210 .text C:\Windows\system32\csrss.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000778b2a80 5 bytes JMP 0000000100120200 .text C:\Windows\system32\csrss.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000778b2ae0 5 bytes JMP 00000001001203f0 .text C:\Windows\system32\csrss.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000778b2af0 5 bytes JMP 0000000100120400 .text C:\Windows\system32\csrss.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000778b2b00 5 bytes JMP 0000000100120220 .text C:\Windows\system32\csrss.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000778b2be0 5 bytes JMP 0000000100120280 .text C:\Windows\system32\services.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000778b13c0 5 bytes JMP 0000000077a10440 .text C:\Windows\system32\services.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000778b1410 5 bytes JMP 0000000077a10430 .text C:\Windows\system32\services.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000778b15c0 1 byte JMP 0000000077a10450 .text C:\Windows\system32\services.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 00000000778b15c2 3 bytes {JMP 0x15ee90} .text C:\Windows\system32\services.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000778b15d0 5 bytes JMP 0000000077a103b0 .text C:\Windows\system32\services.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000778b1680 5 bytes JMP 0000000077a10320 .text C:\Windows\system32\services.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000778b16b0 5 bytes JMP 0000000077a10380 .text C:\Windows\system32\services.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778b1710 5 bytes JMP 0000000077a102e0 .text C:\Windows\system32\services.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 00000000778b1760 5 bytes JMP 0000000077a10410 .text C:\Windows\system32\services.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000778b1790 5 bytes JMP 0000000077a102d0 .text C:\Windows\system32\services.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000778b17b0 5 bytes JMP 0000000077a10310 .text C:\Windows\system32\services.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000778b17f0 5 bytes JMP 0000000077a10390 .text C:\Windows\system32\services.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778b1840 5 bytes JMP 0000000077a103c0 .text C:\Windows\system32\services.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000778b19a0 1 byte JMP 0000000077a10230 .text C:\Windows\system32\services.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000778b19a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\services.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000778b1b60 5 bytes JMP 0000000077a10460 .text C:\Windows\system32\services.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000778b1b90 5 bytes JMP 0000000077a10370 .text C:\Windows\system32\services.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000778b1c70 5 bytes JMP 0000000077a102f0 .text C:\Windows\system32\services.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000778b1c80 5 bytes JMP 0000000077a10350 .text C:\Windows\system32\services.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000778b1ce0 5 bytes JMP 0000000077a10290 .text C:\Windows\system32\services.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000778b1d70 5 bytes JMP 0000000077a102b0 .text C:\Windows\system32\services.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000778b1d90 5 bytes JMP 0000000077a103a0 .text C:\Windows\system32\services.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000778b1da0 1 byte JMP 0000000077a10330 .text C:\Windows\system32\services.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00000000778b1da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\services.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000778b1e10 5 bytes JMP 0000000077a103e0 .text C:\Windows\system32\services.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000778b1e40 5 bytes JMP 0000000077a10240 .text C:\Windows\system32\services.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778b2100 5 bytes JMP 0000000077a101e0 .text C:\Windows\system32\services.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000778b21c0 1 byte JMP 0000000077a10250 .text C:\Windows\system32\services.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000778b21c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\services.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000778b21f0 5 bytes JMP 0000000077a10470 .text C:\Windows\system32\services.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778b2200 5 bytes JMP 0000000077a10480 .text C:\Windows\system32\services.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778b2230 5 bytes JMP 0000000077a10300 .text C:\Windows\system32\services.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778b2240 5 bytes JMP 0000000077a10360 .text C:\Windows\system32\services.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000778b22a0 5 bytes JMP 0000000077a102a0 .text C:\Windows\system32\services.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000778b22f0 5 bytes JMP 0000000077a102c0 .text C:\Windows\system32\services.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778b2330 5 bytes JMP 0000000077a10340 .text C:\Windows\system32\services.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000778b2620 5 bytes JMP 0000000077a10420 .text C:\Windows\system32\services.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778b2820 5 bytes JMP 0000000077a10260 .text C:\Windows\system32\services.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778b2830 5 bytes JMP 0000000077a10270 .text C:\Windows\system32\services.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778b2840 1 byte JMP 0000000077a103d0 .text C:\Windows\system32\services.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 00000000778b2842 3 bytes {JMP 0x15db90} .text C:\Windows\system32\services.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778b2a00 5 bytes JMP 0000000077a101f0 .text C:\Windows\system32\services.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778b2a10 5 bytes JMP 0000000077a10210 .text C:\Windows\system32\services.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000778b2a80 5 bytes JMP 0000000077a10200 .text C:\Windows\system32\services.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000778b2ae0 5 bytes JMP 0000000077a103f0 .text C:\Windows\system32\services.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000778b2af0 5 bytes JMP 0000000077a10400 .text C:\Windows\system32\services.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000778b2b00 5 bytes JMP 0000000077a10220 .text C:\Windows\system32\services.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000778b2be0 5 bytes JMP 0000000077a10280 .text C:\Windows\system32\services.exe[536] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000772deecd 1 byte [62] .text C:\Windows\system32\winlogon.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000778b13c0 5 bytes JMP 0000000077a10440 .text C:\Windows\system32\winlogon.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000778b1410 5 bytes JMP 0000000077a10430 .text C:\Windows\system32\winlogon.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000778b15c0 1 byte JMP 0000000077a10450 .text C:\Windows\system32\winlogon.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 00000000778b15c2 3 bytes {JMP 0x15ee90} .text C:\Windows\system32\winlogon.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000778b15d0 5 bytes JMP 0000000077a103b0 .text C:\Windows\system32\winlogon.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000778b1680 5 bytes JMP 0000000077a10320 .text C:\Windows\system32\winlogon.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000778b16b0 5 bytes JMP 0000000077a10380 .text C:\Windows\system32\winlogon.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778b1710 5 bytes JMP 0000000077a102e0 .text C:\Windows\system32\winlogon.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 00000000778b1760 5 bytes JMP 0000000077a10410 .text C:\Windows\system32\winlogon.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000778b1790 5 bytes JMP 0000000077a102d0 .text C:\Windows\system32\winlogon.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000778b17b0 5 bytes JMP 0000000077a10310 .text C:\Windows\system32\winlogon.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000778b17f0 5 bytes JMP 0000000077a10390 .text C:\Windows\system32\winlogon.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778b1840 5 bytes JMP 0000000077a103c0 .text C:\Windows\system32\winlogon.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000778b19a0 1 byte JMP 0000000077a10230 .text C:\Windows\system32\winlogon.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000778b19a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\winlogon.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000778b1b60 5 bytes JMP 0000000077a10460 .text C:\Windows\system32\winlogon.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000778b1b90 5 bytes JMP 0000000077a10370 .text C:\Windows\system32\winlogon.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000778b1c70 5 bytes JMP 0000000077a102f0 .text C:\Windows\system32\winlogon.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000778b1c80 5 bytes JMP 0000000077a10350 .text C:\Windows\system32\winlogon.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000778b1ce0 5 bytes JMP 0000000077a10290 .text C:\Windows\system32\winlogon.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000778b1d70 5 bytes JMP 0000000077a102b0 .text C:\Windows\system32\winlogon.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000778b1d90 5 bytes JMP 0000000077a103a0 .text C:\Windows\system32\winlogon.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000778b1da0 1 byte JMP 0000000077a10330 .text C:\Windows\system32\winlogon.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00000000778b1da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\winlogon.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000778b1e10 5 bytes JMP 0000000077a103e0 .text C:\Windows\system32\winlogon.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000778b1e40 5 bytes JMP 0000000077a10240 .text C:\Windows\system32\winlogon.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778b2100 5 bytes JMP 0000000077a101e0 .text C:\Windows\system32\winlogon.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000778b21c0 1 byte JMP 0000000077a10250 .text C:\Windows\system32\winlogon.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000778b21c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\winlogon.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000778b21f0 5 bytes JMP 0000000077a10470 .text C:\Windows\system32\winlogon.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778b2200 5 bytes JMP 0000000077a10480 .text C:\Windows\system32\winlogon.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778b2230 5 bytes JMP 0000000077a10300 .text C:\Windows\system32\winlogon.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778b2240 5 bytes JMP 0000000077a10360 .text C:\Windows\system32\winlogon.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000778b22a0 5 bytes JMP 0000000077a102a0 .text C:\Windows\system32\winlogon.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000778b22f0 5 bytes JMP 0000000077a102c0 .text C:\Windows\system32\winlogon.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778b2330 5 bytes JMP 0000000077a10340 .text C:\Windows\system32\winlogon.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000778b2620 5 bytes JMP 0000000077a10420 .text C:\Windows\system32\winlogon.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778b2820 5 bytes JMP 0000000077a10260 .text C:\Windows\system32\winlogon.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778b2830 5 bytes JMP 0000000077a10270 .text C:\Windows\system32\winlogon.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778b2840 1 byte JMP 0000000077a103d0 .text C:\Windows\system32\winlogon.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 00000000778b2842 3 bytes {JMP 0x15db90} .text C:\Windows\system32\winlogon.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778b2a00 5 bytes JMP 0000000077a101f0 .text C:\Windows\system32\winlogon.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778b2a10 5 bytes JMP 0000000077a10210 .text C:\Windows\system32\winlogon.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000778b2a80 5 bytes JMP 0000000077a10200 .text C:\Windows\system32\winlogon.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000778b2ae0 5 bytes JMP 0000000077a103f0 .text C:\Windows\system32\winlogon.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000778b2af0 5 bytes JMP 0000000077a10400 .text C:\Windows\system32\winlogon.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000778b2b00 5 bytes JMP 0000000077a10220 .text C:\Windows\system32\winlogon.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000778b2be0 5 bytes JMP 0000000077a10280 .text C:\Windows\system32\winlogon.exe[572] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000772deecd 1 byte [62] .text C:\Windows\system32\lsass.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000778b13c0 5 bytes JMP 0000000077a10440 .text C:\Windows\system32\lsass.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000778b1410 5 bytes JMP 0000000077a10430 .text C:\Windows\system32\lsass.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000778b15c0 1 byte JMP 0000000077a10450 .text C:\Windows\system32\lsass.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 00000000778b15c2 3 bytes {JMP 0x15ee90} .text C:\Windows\system32\lsass.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000778b15d0 5 bytes JMP 0000000077a103b0 .text C:\Windows\system32\lsass.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000778b1680 5 bytes JMP 0000000077a10320 .text C:\Windows\system32\lsass.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000778b16b0 5 bytes JMP 0000000077a10380 .text C:\Windows\system32\lsass.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778b1710 5 bytes JMP 0000000077a102e0 .text C:\Windows\system32\lsass.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 00000000778b1760 5 bytes JMP 0000000077a10410 .text C:\Windows\system32\lsass.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000778b1790 5 bytes JMP 0000000077a102d0 .text C:\Windows\system32\lsass.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000778b17b0 5 bytes JMP 0000000077a10310 .text C:\Windows\system32\lsass.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000778b17f0 5 bytes JMP 0000000077a10390 .text C:\Windows\system32\lsass.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778b1840 5 bytes JMP 0000000077a103c0 .text C:\Windows\system32\lsass.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000778b19a0 1 byte JMP 0000000077a10230 .text C:\Windows\system32\lsass.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000778b19a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\lsass.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000778b1b60 5 bytes JMP 0000000077a10460 .text C:\Windows\system32\lsass.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000778b1b90 5 bytes JMP 0000000077a10370 .text C:\Windows\system32\lsass.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000778b1c70 5 bytes JMP 0000000077a102f0 .text C:\Windows\system32\lsass.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000778b1c80 5 bytes JMP 0000000077a10350 .text C:\Windows\system32\lsass.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000778b1ce0 5 bytes JMP 0000000077a10290 .text C:\Windows\system32\lsass.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000778b1d70 5 bytes JMP 0000000077a102b0 .text C:\Windows\system32\lsass.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000778b1d90 5 bytes JMP 0000000077a103a0 .text C:\Windows\system32\lsass.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000778b1da0 1 byte JMP 0000000077a10330 .text C:\Windows\system32\lsass.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00000000778b1da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\lsass.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000778b1e10 5 bytes JMP 0000000077a103e0 .text C:\Windows\system32\lsass.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000778b1e40 5 bytes JMP 0000000077a10240 .text C:\Windows\system32\lsass.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778b2100 5 bytes JMP 0000000077a101e0 .text C:\Windows\system32\lsass.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000778b21c0 1 byte JMP 0000000077a10250 .text C:\Windows\system32\lsass.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000778b21c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\lsass.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000778b21f0 5 bytes JMP 0000000077a10470 .text C:\Windows\system32\lsass.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778b2200 5 bytes JMP 0000000077a10480 .text C:\Windows\system32\lsass.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778b2230 5 bytes JMP 0000000077a10300 .text C:\Windows\system32\lsass.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778b2240 5 bytes JMP 0000000077a10360 .text C:\Windows\system32\lsass.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000778b22a0 5 bytes JMP 0000000077a102a0 .text C:\Windows\system32\lsass.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000778b22f0 5 bytes JMP 0000000077a102c0 .text C:\Windows\system32\lsass.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778b2330 5 bytes JMP 0000000077a10340 .text C:\Windows\system32\lsass.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000778b2620 5 bytes JMP 0000000077a10420 .text C:\Windows\system32\lsass.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778b2820 5 bytes JMP 0000000077a10260 .text C:\Windows\system32\lsass.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778b2830 5 bytes JMP 0000000077a10270 .text C:\Windows\system32\lsass.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778b2840 1 byte JMP 0000000077a103d0 .text C:\Windows\system32\lsass.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 00000000778b2842 3 bytes {JMP 0x15db90} .text C:\Windows\system32\lsass.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778b2a00 5 bytes JMP 0000000077a101f0 .text C:\Windows\system32\lsass.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778b2a10 5 bytes JMP 0000000077a10210 .text C:\Windows\system32\lsass.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000778b2a80 5 bytes JMP 0000000077a10200 .text C:\Windows\system32\lsass.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000778b2ae0 5 bytes JMP 0000000077a103f0 .text C:\Windows\system32\lsass.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000778b2af0 5 bytes JMP 0000000077a10400 .text C:\Windows\system32\lsass.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000778b2b00 5 bytes JMP 0000000077a10220 .text C:\Windows\system32\lsass.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000778b2be0 5 bytes JMP 0000000077a10280 .text C:\Windows\system32\lsm.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000778b13c0 5 bytes JMP 0000000077a10440 .text C:\Windows\system32\lsm.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000778b1410 5 bytes JMP 0000000077a10430 .text C:\Windows\system32\lsm.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000778b15c0 1 byte JMP 0000000077a10450 .text C:\Windows\system32\lsm.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 00000000778b15c2 3 bytes {JMP 0x15ee90} .text C:\Windows\system32\lsm.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000778b15d0 5 bytes JMP 0000000077a103b0 .text C:\Windows\system32\lsm.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000778b1680 5 bytes JMP 0000000077a10320 .text C:\Windows\system32\lsm.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000778b16b0 5 bytes JMP 0000000077a10380 .text C:\Windows\system32\lsm.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778b1710 5 bytes JMP 0000000077a102e0 .text C:\Windows\system32\lsm.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 00000000778b1760 5 bytes JMP 0000000077a10410 .text C:\Windows\system32\lsm.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000778b1790 5 bytes JMP 0000000077a102d0 .text C:\Windows\system32\lsm.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000778b17b0 5 bytes JMP 0000000077a10310 .text C:\Windows\system32\lsm.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000778b17f0 5 bytes JMP 0000000077a10390 .text C:\Windows\system32\lsm.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778b1840 5 bytes JMP 0000000077a103c0 .text C:\Windows\system32\lsm.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000778b19a0 1 byte JMP 0000000077a10230 .text C:\Windows\system32\lsm.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000778b19a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\lsm.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000778b1b60 5 bytes JMP 0000000077a10460 .text C:\Windows\system32\lsm.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000778b1b90 5 bytes JMP 0000000077a10370 .text C:\Windows\system32\lsm.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000778b1c70 5 bytes JMP 0000000077a102f0 .text C:\Windows\system32\lsm.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000778b1c80 5 bytes JMP 0000000077a10350 .text C:\Windows\system32\lsm.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000778b1ce0 5 bytes JMP 0000000077a10290 .text C:\Windows\system32\lsm.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000778b1d70 5 bytes JMP 0000000077a102b0 .text C:\Windows\system32\lsm.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000778b1d90 5 bytes JMP 0000000077a103a0 .text C:\Windows\system32\lsm.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000778b1da0 1 byte JMP 0000000077a10330 .text C:\Windows\system32\lsm.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00000000778b1da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\lsm.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000778b1e10 5 bytes JMP 0000000077a103e0 .text C:\Windows\system32\lsm.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000778b1e40 5 bytes JMP 0000000077a10240 .text C:\Windows\system32\lsm.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778b2100 5 bytes JMP 0000000077a101e0 .text C:\Windows\system32\lsm.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000778b21c0 1 byte JMP 0000000077a10250 .text C:\Windows\system32\lsm.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000778b21c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\lsm.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000778b21f0 5 bytes JMP 0000000077a10470 .text C:\Windows\system32\lsm.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778b2200 5 bytes JMP 0000000077a10480 .text C:\Windows\system32\lsm.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778b2230 5 bytes JMP 0000000077a10300 .text C:\Windows\system32\lsm.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778b2240 5 bytes JMP 0000000077a10360 .text C:\Windows\system32\lsm.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000778b22a0 5 bytes JMP 0000000077a102a0 .text C:\Windows\system32\lsm.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000778b22f0 5 bytes JMP 0000000077a102c0 .text C:\Windows\system32\lsm.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778b2330 5 bytes JMP 0000000077a10340 .text C:\Windows\system32\lsm.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000778b2620 5 bytes JMP 0000000077a10420 .text C:\Windows\system32\lsm.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778b2820 5 bytes JMP 0000000077a10260 .text C:\Windows\system32\lsm.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778b2830 5 bytes JMP 0000000077a10270 .text C:\Windows\system32\lsm.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778b2840 1 byte JMP 0000000077a103d0 .text C:\Windows\system32\lsm.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 00000000778b2842 3 bytes {JMP 0x15db90} .text C:\Windows\system32\lsm.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778b2a00 5 bytes JMP 0000000077a101f0 .text C:\Windows\system32\lsm.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778b2a10 5 bytes JMP 0000000077a10210 .text C:\Windows\system32\lsm.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000778b2a80 5 bytes JMP 0000000077a10200 .text C:\Windows\system32\lsm.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000778b2ae0 5 bytes JMP 0000000077a103f0 .text C:\Windows\system32\lsm.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000778b2af0 5 bytes JMP 0000000077a10400 .text C:\Windows\system32\lsm.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000778b2b00 5 bytes JMP 0000000077a10220 .text C:\Windows\system32\lsm.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000778b2be0 5 bytes JMP 0000000077a10280 .text C:\Windows\system32\svchost.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000778b13c0 5 bytes JMP 0000000077a10440 .text C:\Windows\system32\svchost.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000778b1410 5 bytes JMP 0000000077a10430 .text C:\Windows\system32\svchost.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000778b15c0 1 byte JMP 0000000077a10450 .text C:\Windows\system32\svchost.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 00000000778b15c2 3 bytes {JMP 0x15ee90} .text C:\Windows\system32\svchost.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000778b15d0 5 bytes JMP 0000000077a103b0 .text C:\Windows\system32\svchost.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000778b1680 5 bytes JMP 0000000077a10320 .text C:\Windows\system32\svchost.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000778b16b0 5 bytes JMP 0000000077a10380 .text C:\Windows\system32\svchost.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778b1710 5 bytes JMP 0000000077a102e0 .text C:\Windows\system32\svchost.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 00000000778b1760 5 bytes JMP 0000000077a10410 .text C:\Windows\system32\svchost.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000778b1790 5 bytes JMP 0000000077a102d0 .text C:\Windows\system32\svchost.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000778b17b0 5 bytes JMP 0000000077a10310 .text C:\Windows\system32\svchost.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000778b17f0 5 bytes JMP 0000000077a10390 .text C:\Windows\system32\svchost.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778b1840 5 bytes JMP 0000000077a103c0 .text C:\Windows\system32\svchost.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000778b19a0 1 byte JMP 0000000077a10230 .text C:\Windows\system32\svchost.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000778b19a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\svchost.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000778b1b60 5 bytes JMP 0000000077a10460 .text C:\Windows\system32\svchost.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000778b1b90 5 bytes JMP 0000000077a10370 .text C:\Windows\system32\svchost.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000778b1c70 5 bytes JMP 0000000077a102f0 .text C:\Windows\system32\svchost.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000778b1c80 5 bytes JMP 0000000077a10350 .text C:\Windows\system32\svchost.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000778b1ce0 5 bytes JMP 0000000077a10290 .text C:\Windows\system32\svchost.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000778b1d70 5 bytes JMP 0000000077a102b0 .text C:\Windows\system32\svchost.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000778b1d90 5 bytes JMP 0000000077a103a0 .text C:\Windows\system32\svchost.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000778b1da0 1 byte JMP 0000000077a10330 .text C:\Windows\system32\svchost.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00000000778b1da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\svchost.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000778b1e10 5 bytes JMP 0000000077a103e0 .text C:\Windows\system32\svchost.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000778b1e40 5 bytes JMP 0000000077a10240 .text C:\Windows\system32\svchost.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778b2100 5 bytes JMP 0000000077a101e0 .text C:\Windows\system32\svchost.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000778b21c0 1 byte JMP 0000000077a10250 .text C:\Windows\system32\svchost.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000778b21c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\svchost.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000778b21f0 5 bytes JMP 0000000077a10470 .text C:\Windows\system32\svchost.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778b2200 5 bytes JMP 0000000077a10480 .text C:\Windows\system32\svchost.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778b2230 5 bytes JMP 0000000077a10300 .text C:\Windows\system32\svchost.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778b2240 5 bytes JMP 0000000077a10360 .text C:\Windows\system32\svchost.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000778b22a0 5 bytes JMP 0000000077a102a0 .text C:\Windows\system32\svchost.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000778b22f0 5 bytes JMP 0000000077a102c0 .text C:\Windows\system32\svchost.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778b2330 5 bytes JMP 0000000077a10340 .text C:\Windows\system32\svchost.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000778b2620 5 bytes JMP 0000000077a10420 .text C:\Windows\system32\svchost.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778b2820 5 bytes JMP 0000000077a10260 .text C:\Windows\system32\svchost.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778b2830 5 bytes JMP 0000000077a10270 .text C:\Windows\system32\svchost.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778b2840 1 byte JMP 0000000077a103d0 .text C:\Windows\system32\svchost.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 00000000778b2842 3 bytes {JMP 0x15db90} .text C:\Windows\system32\svchost.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778b2a00 5 bytes JMP 0000000077a101f0 .text C:\Windows\system32\svchost.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778b2a10 5 bytes JMP 0000000077a10210 .text C:\Windows\system32\svchost.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000778b2a80 5 bytes JMP 0000000077a10200 .text C:\Windows\system32\svchost.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000778b2ae0 5 bytes JMP 0000000077a103f0 .text C:\Windows\system32\svchost.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000778b2af0 5 bytes JMP 0000000077a10400 .text C:\Windows\system32\svchost.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000778b2b00 5 bytes JMP 0000000077a10220 .text C:\Windows\system32\svchost.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000778b2be0 5 bytes JMP 0000000077a10280 .text C:\Windows\system32\svchost.exe[712] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000772deecd 1 byte [62] .text C:\Windows\system32\nvvsvc.exe[788] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000778b13c0 5 bytes JMP 0000000077a10440 .text C:\Windows\system32\nvvsvc.exe[788] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000778b1410 5 bytes JMP 0000000077a10430 .text C:\Windows\system32\nvvsvc.exe[788] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000778b15c0 1 byte JMP 0000000077a10450 .text C:\Windows\system32\nvvsvc.exe[788] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 00000000778b15c2 3 bytes {JMP 0x15ee90} .text C:\Windows\system32\nvvsvc.exe[788] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000778b15d0 5 bytes JMP 0000000077a103b0 .text C:\Windows\system32\nvvsvc.exe[788] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000778b1680 5 bytes JMP 0000000077a10320 .text C:\Windows\system32\nvvsvc.exe[788] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000778b16b0 5 bytes JMP 0000000077a10380 .text C:\Windows\system32\nvvsvc.exe[788] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778b1710 5 bytes JMP 0000000077a102e0 .text C:\Windows\system32\nvvsvc.exe[788] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 00000000778b1760 5 bytes JMP 0000000077a10410 .text C:\Windows\system32\nvvsvc.exe[788] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000778b1790 5 bytes JMP 0000000077a102d0 .text C:\Windows\system32\nvvsvc.exe[788] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000778b17b0 5 bytes JMP 0000000077a10310 .text C:\Windows\system32\nvvsvc.exe[788] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000778b17f0 5 bytes JMP 0000000077a10390 .text C:\Windows\system32\nvvsvc.exe[788] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778b1840 5 bytes JMP 0000000077a103c0 .text C:\Windows\system32\nvvsvc.exe[788] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000778b19a0 1 byte JMP 0000000077a10230 .text C:\Windows\system32\nvvsvc.exe[788] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000778b19a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\nvvsvc.exe[788] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000778b1b60 5 bytes JMP 0000000077a10460 .text C:\Windows\system32\nvvsvc.exe[788] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000778b1b90 5 bytes JMP 0000000077a10370 .text C:\Windows\system32\nvvsvc.exe[788] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000778b1c70 5 bytes JMP 0000000077a102f0 .text C:\Windows\system32\nvvsvc.exe[788] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000778b1c80 5 bytes JMP 0000000077a10350 .text C:\Windows\system32\nvvsvc.exe[788] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000778b1ce0 5 bytes JMP 0000000077a10290 .text C:\Windows\system32\nvvsvc.exe[788] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000778b1d70 5 bytes JMP 0000000077a102b0 .text C:\Windows\system32\nvvsvc.exe[788] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000778b1d90 5 bytes JMP 0000000077a103a0 .text C:\Windows\system32\nvvsvc.exe[788] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000778b1da0 1 byte JMP 0000000077a10330 .text C:\Windows\system32\nvvsvc.exe[788] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00000000778b1da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\nvvsvc.exe[788] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000778b1e10 5 bytes JMP 0000000077a103e0 .text C:\Windows\system32\nvvsvc.exe[788] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000778b1e40 5 bytes JMP 0000000077a10240 .text C:\Windows\system32\nvvsvc.exe[788] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778b2100 5 bytes JMP 0000000077a101e0 .text C:\Windows\system32\nvvsvc.exe[788] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000778b21c0 1 byte JMP 0000000077a10250 .text C:\Windows\system32\nvvsvc.exe[788] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000778b21c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\nvvsvc.exe[788] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000778b21f0 5 bytes JMP 0000000077a10470 .text C:\Windows\system32\nvvsvc.exe[788] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778b2200 5 bytes JMP 0000000077a10480 .text C:\Windows\system32\nvvsvc.exe[788] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778b2230 5 bytes JMP 0000000077a10300 .text C:\Windows\system32\nvvsvc.exe[788] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778b2240 5 bytes JMP 0000000077a10360 .text C:\Windows\system32\nvvsvc.exe[788] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000778b22a0 5 bytes JMP 0000000077a102a0 .text C:\Windows\system32\nvvsvc.exe[788] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000778b22f0 5 bytes JMP 0000000077a102c0 .text C:\Windows\system32\nvvsvc.exe[788] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778b2330 5 bytes JMP 0000000077a10340 .text C:\Windows\system32\nvvsvc.exe[788] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000778b2620 5 bytes JMP 0000000077a10420 .text C:\Windows\system32\nvvsvc.exe[788] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778b2820 5 bytes JMP 0000000077a10260 .text C:\Windows\system32\nvvsvc.exe[788] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778b2830 5 bytes JMP 0000000077a10270 .text C:\Windows\system32\nvvsvc.exe[788] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778b2840 1 byte JMP 0000000077a103d0 .text C:\Windows\system32\nvvsvc.exe[788] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 00000000778b2842 3 bytes {JMP 0x15db90} .text C:\Windows\system32\nvvsvc.exe[788] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778b2a00 5 bytes JMP 0000000077a101f0 .text C:\Windows\system32\nvvsvc.exe[788] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778b2a10 5 bytes JMP 0000000077a10210 .text C:\Windows\system32\nvvsvc.exe[788] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000778b2a80 5 bytes JMP 0000000077a10200 .text C:\Windows\system32\nvvsvc.exe[788] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000778b2ae0 5 bytes JMP 0000000077a103f0 .text C:\Windows\system32\nvvsvc.exe[788] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000778b2af0 5 bytes JMP 0000000077a10400 .text C:\Windows\system32\nvvsvc.exe[788] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000778b2b00 5 bytes JMP 0000000077a10220 .text C:\Windows\system32\nvvsvc.exe[788] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000778b2be0 5 bytes JMP 0000000077a10280 .text C:\Windows\system32\nvvsvc.exe[788] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000772deecd 1 byte [62] .text C:\Windows\system32\svchost.exe[828] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000778b13c0 5 bytes JMP 0000000077a10440 .text C:\Windows\system32\svchost.exe[828] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000778b1410 5 bytes JMP 0000000077a10430 .text C:\Windows\system32\svchost.exe[828] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000778b15c0 1 byte JMP 0000000077a10450 .text C:\Windows\system32\svchost.exe[828] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 00000000778b15c2 3 bytes {JMP 0x15ee90} .text C:\Windows\system32\svchost.exe[828] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000778b15d0 5 bytes JMP 0000000077a103b0 .text C:\Windows\system32\svchost.exe[828] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000778b1680 5 bytes JMP 0000000077a10320 .text C:\Windows\system32\svchost.exe[828] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000778b16b0 5 bytes JMP 0000000077a10380 .text C:\Windows\system32\svchost.exe[828] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778b1710 5 bytes JMP 0000000077a102e0 .text C:\Windows\system32\svchost.exe[828] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 00000000778b1760 5 bytes JMP 0000000077a10410 .text C:\Windows\system32\svchost.exe[828] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000778b1790 5 bytes JMP 0000000077a102d0 .text C:\Windows\system32\svchost.exe[828] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000778b17b0 5 bytes JMP 0000000077a10310 .text C:\Windows\system32\svchost.exe[828] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000778b17f0 5 bytes JMP 0000000077a10390 .text C:\Windows\system32\svchost.exe[828] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778b1840 5 bytes JMP 0000000077a103c0 .text C:\Windows\system32\svchost.exe[828] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000778b19a0 1 byte JMP 0000000077a10230 .text C:\Windows\system32\svchost.exe[828] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000778b19a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\svchost.exe[828] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000778b1b60 5 bytes JMP 0000000077a10460 .text C:\Windows\system32\svchost.exe[828] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000778b1b90 5 bytes JMP 0000000077a10370 .text C:\Windows\system32\svchost.exe[828] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000778b1c70 5 bytes JMP 0000000077a102f0 .text C:\Windows\system32\svchost.exe[828] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000778b1c80 5 bytes JMP 0000000077a10350 .text C:\Windows\system32\svchost.exe[828] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000778b1ce0 5 bytes JMP 0000000077a10290 .text C:\Windows\system32\svchost.exe[828] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000778b1d70 5 bytes JMP 0000000077a102b0 .text C:\Windows\system32\svchost.exe[828] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000778b1d90 5 bytes JMP 0000000077a103a0 .text C:\Windows\system32\svchost.exe[828] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000778b1da0 1 byte JMP 0000000077a10330 .text C:\Windows\system32\svchost.exe[828] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00000000778b1da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\svchost.exe[828] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000778b1e10 5 bytes JMP 0000000077a103e0 .text C:\Windows\system32\svchost.exe[828] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000778b1e40 5 bytes JMP 0000000077a10240 .text C:\Windows\system32\svchost.exe[828] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778b2100 5 bytes JMP 0000000077a101e0 .text C:\Windows\system32\svchost.exe[828] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000778b21c0 1 byte JMP 0000000077a10250 .text C:\Windows\system32\svchost.exe[828] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000778b21c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\svchost.exe[828] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000778b21f0 5 bytes JMP 0000000077a10470 .text C:\Windows\system32\svchost.exe[828] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778b2200 5 bytes JMP 0000000077a10480 .text C:\Windows\system32\svchost.exe[828] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778b2230 5 bytes JMP 0000000077a10300 .text C:\Windows\system32\svchost.exe[828] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778b2240 5 bytes JMP 0000000077a10360 .text C:\Windows\system32\svchost.exe[828] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000778b22a0 5 bytes JMP 0000000077a102a0 .text C:\Windows\system32\svchost.exe[828] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000778b22f0 5 bytes JMP 0000000077a102c0 .text C:\Windows\system32\svchost.exe[828] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778b2330 5 bytes JMP 0000000077a10340 .text C:\Windows\system32\svchost.exe[828] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000778b2620 5 bytes JMP 0000000077a10420 .text C:\Windows\system32\svchost.exe[828] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778b2820 5 bytes JMP 0000000077a10260 .text C:\Windows\system32\svchost.exe[828] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778b2830 5 bytes JMP 0000000077a10270 .text C:\Windows\system32\svchost.exe[828] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778b2840 1 byte JMP 0000000077a103d0 .text C:\Windows\system32\svchost.exe[828] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 00000000778b2842 3 bytes {JMP 0x15db90} .text C:\Windows\system32\svchost.exe[828] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778b2a00 5 bytes JMP 0000000077a101f0 .text C:\Windows\system32\svchost.exe[828] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778b2a10 5 bytes JMP 0000000077a10210 .text C:\Windows\system32\svchost.exe[828] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000778b2a80 5 bytes JMP 0000000077a10200 .text C:\Windows\system32\svchost.exe[828] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000778b2ae0 5 bytes JMP 0000000077a103f0 .text C:\Windows\system32\svchost.exe[828] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000778b2af0 5 bytes JMP 0000000077a10400 .text C:\Windows\system32\svchost.exe[828] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000778b2b00 5 bytes JMP 0000000077a10220 .text C:\Windows\system32\svchost.exe[828] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000778b2be0 5 bytes JMP 0000000077a10280 .text C:\Windows\System32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000778b13c0 5 bytes JMP 0000000077a10440 .text C:\Windows\System32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000778b1410 5 bytes JMP 0000000077a10430 .text C:\Windows\System32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000778b15c0 1 byte JMP 0000000077a10450 .text C:\Windows\System32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 00000000778b15c2 3 bytes {JMP 0x15ee90} .text C:\Windows\System32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000778b15d0 5 bytes JMP 0000000077a103b0 .text C:\Windows\System32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000778b1680 5 bytes JMP 0000000077a10320 .text C:\Windows\System32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000778b16b0 5 bytes JMP 0000000077a10380 .text C:\Windows\System32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778b1710 5 bytes JMP 0000000077a102e0 .text C:\Windows\System32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 00000000778b1760 5 bytes JMP 0000000077a10410 .text C:\Windows\System32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000778b1790 5 bytes JMP 0000000077a102d0 .text C:\Windows\System32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000778b17b0 5 bytes JMP 0000000077a10310 .text C:\Windows\System32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000778b17f0 5 bytes JMP 0000000077a10390 .text C:\Windows\System32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778b1840 5 bytes JMP 0000000077a103c0 .text C:\Windows\System32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000778b19a0 1 byte JMP 0000000077a10230 .text C:\Windows\System32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000778b19a2 3 bytes {JMP 0x15e890} .text C:\Windows\System32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000778b1b60 5 bytes JMP 0000000077a10460 .text C:\Windows\System32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000778b1b90 5 bytes JMP 0000000077a10370 .text C:\Windows\System32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000778b1c70 5 bytes JMP 0000000077a102f0 .text C:\Windows\System32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000778b1c80 5 bytes JMP 0000000077a10350 .text C:\Windows\System32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000778b1ce0 5 bytes JMP 0000000077a10290 .text C:\Windows\System32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000778b1d70 5 bytes JMP 0000000077a102b0 .text C:\Windows\System32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000778b1d90 5 bytes JMP 0000000077a103a0 .text C:\Windows\System32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000778b1da0 1 byte JMP 0000000077a10330 .text C:\Windows\System32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00000000778b1da2 3 bytes {JMP 0x15e590} .text C:\Windows\System32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000778b1e10 5 bytes JMP 0000000077a103e0 .text C:\Windows\System32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000778b1e40 5 bytes JMP 0000000077a10240 .text C:\Windows\System32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778b2100 5 bytes JMP 0000000077a101e0 .text C:\Windows\System32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000778b21c0 1 byte JMP 0000000077a10250 .text C:\Windows\System32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000778b21c2 3 bytes {JMP 0x15e090} .text C:\Windows\System32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000778b21f0 5 bytes JMP 0000000077a10470 .text C:\Windows\System32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778b2200 5 bytes JMP 0000000077a10480 .text C:\Windows\System32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778b2230 5 bytes JMP 0000000077a10300 .text C:\Windows\System32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778b2240 5 bytes JMP 0000000077a10360 .text C:\Windows\System32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000778b22a0 5 bytes JMP 0000000077a102a0 .text C:\Windows\System32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000778b22f0 5 bytes JMP 0000000077a102c0 .text C:\Windows\System32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778b2330 5 bytes JMP 0000000077a10340 .text C:\Windows\System32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000778b2620 5 bytes JMP 0000000077a10420 .text C:\Windows\System32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778b2820 5 bytes JMP 0000000077a10260 .text C:\Windows\System32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778b2830 5 bytes JMP 0000000077a10270 .text C:\Windows\System32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778b2840 1 byte JMP 0000000077a103d0 .text C:\Windows\System32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 00000000778b2842 3 bytes {JMP 0x15db90} .text C:\Windows\System32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778b2a00 5 bytes JMP 0000000077a101f0 .text C:\Windows\System32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778b2a10 5 bytes JMP 0000000077a10210 .text C:\Windows\System32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000778b2a80 5 bytes JMP 0000000077a10200 .text C:\Windows\System32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000778b2ae0 5 bytes JMP 0000000077a103f0 .text C:\Windows\System32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000778b2af0 5 bytes JMP 0000000077a10400 .text C:\Windows\System32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000778b2b00 5 bytes JMP 0000000077a10220 .text C:\Windows\System32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000778b2be0 5 bytes JMP 0000000077a10280 .text C:\Windows\System32\svchost.exe[916] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000772deecd 1 byte [62] .text C:\Windows\System32\svchost.exe[956] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000778b13c0 5 bytes JMP 0000000077a10440 .text C:\Windows\System32\svchost.exe[956] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000778b1410 5 bytes JMP 0000000077a10430 .text C:\Windows\System32\svchost.exe[956] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000778b15c0 1 byte JMP 0000000077a10450 .text C:\Windows\System32\svchost.exe[956] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 00000000778b15c2 3 bytes {JMP 0x15ee90} .text C:\Windows\System32\svchost.exe[956] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000778b15d0 5 bytes JMP 0000000077a103b0 .text C:\Windows\System32\svchost.exe[956] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000778b1680 5 bytes JMP 0000000077a10320 .text C:\Windows\System32\svchost.exe[956] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000778b16b0 5 bytes JMP 0000000077a10380 .text C:\Windows\System32\svchost.exe[956] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778b1710 5 bytes JMP 0000000077a102e0 .text C:\Windows\System32\svchost.exe[956] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 00000000778b1760 5 bytes JMP 0000000077a10410 .text C:\Windows\System32\svchost.exe[956] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000778b1790 5 bytes JMP 0000000077a102d0 .text C:\Windows\System32\svchost.exe[956] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000778b17b0 5 bytes JMP 0000000077a10310 .text C:\Windows\System32\svchost.exe[956] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000778b17f0 5 bytes JMP 0000000077a10390 .text C:\Windows\System32\svchost.exe[956] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778b1840 5 bytes JMP 0000000077a103c0 .text C:\Windows\System32\svchost.exe[956] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000778b19a0 1 byte JMP 0000000077a10230 .text C:\Windows\System32\svchost.exe[956] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000778b19a2 3 bytes {JMP 0x15e890} .text C:\Windows\System32\svchost.exe[956] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000778b1b60 5 bytes JMP 0000000077a10460 .text C:\Windows\System32\svchost.exe[956] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000778b1b90 5 bytes JMP 0000000077a10370 .text C:\Windows\System32\svchost.exe[956] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000778b1c70 5 bytes JMP 0000000077a102f0 .text C:\Windows\System32\svchost.exe[956] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000778b1c80 5 bytes JMP 0000000077a10350 .text C:\Windows\System32\svchost.exe[956] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000778b1ce0 5 bytes JMP 0000000077a10290 .text C:\Windows\System32\svchost.exe[956] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000778b1d70 5 bytes JMP 0000000077a102b0 .text C:\Windows\System32\svchost.exe[956] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000778b1d90 5 bytes JMP 0000000077a103a0 .text C:\Windows\System32\svchost.exe[956] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000778b1da0 1 byte JMP 0000000077a10330 .text C:\Windows\System32\svchost.exe[956] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00000000778b1da2 3 bytes {JMP 0x15e590} .text C:\Windows\System32\svchost.exe[956] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000778b1e10 5 bytes JMP 0000000077a103e0 .text C:\Windows\System32\svchost.exe[956] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000778b1e40 5 bytes JMP 0000000077a10240 .text C:\Windows\System32\svchost.exe[956] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778b2100 5 bytes JMP 0000000077a101e0 .text C:\Windows\System32\svchost.exe[956] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000778b21c0 1 byte JMP 0000000077a10250 .text C:\Windows\System32\svchost.exe[956] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000778b21c2 3 bytes {JMP 0x15e090} .text C:\Windows\System32\svchost.exe[956] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000778b21f0 5 bytes JMP 0000000077a10470 .text C:\Windows\System32\svchost.exe[956] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778b2200 5 bytes JMP 0000000077a10480 .text C:\Windows\System32\svchost.exe[956] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778b2230 5 bytes JMP 0000000077a10300 .text C:\Windows\System32\svchost.exe[956] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778b2240 5 bytes JMP 0000000077a10360 .text C:\Windows\System32\svchost.exe[956] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000778b22a0 5 bytes JMP 0000000077a102a0 .text C:\Windows\System32\svchost.exe[956] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000778b22f0 5 bytes JMP 0000000077a102c0 .text C:\Windows\System32\svchost.exe[956] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778b2330 5 bytes JMP 0000000077a10340 .text C:\Windows\System32\svchost.exe[956] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000778b2620 5 bytes JMP 0000000077a10420 .text C:\Windows\System32\svchost.exe[956] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778b2820 5 bytes JMP 0000000077a10260 .text C:\Windows\System32\svchost.exe[956] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778b2830 5 bytes JMP 0000000077a10270 .text C:\Windows\System32\svchost.exe[956] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778b2840 1 byte JMP 0000000077a103d0 .text C:\Windows\System32\svchost.exe[956] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 00000000778b2842 3 bytes {JMP 0x15db90} .text C:\Windows\System32\svchost.exe[956] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778b2a00 5 bytes JMP 0000000077a101f0 .text C:\Windows\System32\svchost.exe[956] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778b2a10 5 bytes JMP 0000000077a10210 .text C:\Windows\System32\svchost.exe[956] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000778b2a80 5 bytes JMP 0000000077a10200 .text C:\Windows\System32\svchost.exe[956] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000778b2ae0 5 bytes JMP 0000000077a103f0 .text C:\Windows\System32\svchost.exe[956] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000778b2af0 5 bytes JMP 0000000077a10400 .text C:\Windows\System32\svchost.exe[956] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000778b2b00 5 bytes JMP 0000000077a10220 .text C:\Windows\System32\svchost.exe[956] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000778b2be0 5 bytes JMP 0000000077a10280 .text C:\Windows\System32\svchost.exe[956] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000772deecd 1 byte [62] .text C:\Windows\system32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000778b13c0 5 bytes JMP 0000000100070440 .text C:\Windows\system32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000778b1410 5 bytes JMP 0000000100070430 .text C:\Windows\system32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000778b15c0 1 byte JMP 0000000100070450 .text C:\Windows\system32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 00000000778b15c2 3 bytes {JMP 0xffffffff887bee90} .text C:\Windows\system32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000778b15d0 5 bytes JMP 00000001000703b0 .text C:\Windows\system32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000778b1680 5 bytes JMP 0000000100070320 .text C:\Windows\system32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000778b16b0 5 bytes JMP 0000000100070380 .text C:\Windows\system32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778b1710 5 bytes JMP 00000001000702e0 .text C:\Windows\system32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 00000000778b1760 5 bytes JMP 0000000100070410 .text C:\Windows\system32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000778b1790 5 bytes JMP 00000001000702d0 .text C:\Windows\system32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000778b17b0 5 bytes JMP 0000000100070310 .text C:\Windows\system32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000778b17f0 5 bytes JMP 0000000100070390 .text C:\Windows\system32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778b1840 5 bytes JMP 00000001000703c0 .text C:\Windows\system32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000778b19a0 1 byte JMP 0000000100070230 .text C:\Windows\system32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000778b19a2 3 bytes {JMP 0xffffffff887be890} .text C:\Windows\system32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000778b1b60 5 bytes JMP 0000000100070460 .text C:\Windows\system32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000778b1b90 5 bytes JMP 0000000100070370 .text C:\Windows\system32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000778b1c70 5 bytes JMP 00000001000702f0 .text C:\Windows\system32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000778b1c80 5 bytes JMP 0000000100070350 .text C:\Windows\system32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000778b1ce0 5 bytes JMP 0000000100070290 .text C:\Windows\system32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000778b1d70 5 bytes JMP 00000001000702b0 .text C:\Windows\system32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000778b1d90 5 bytes JMP 00000001000703a0 .text C:\Windows\system32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000778b1da0 1 byte JMP 0000000100070330 .text C:\Windows\system32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00000000778b1da2 3 bytes {JMP 0xffffffff887be590} .text C:\Windows\system32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000778b1e10 5 bytes JMP 00000001000703e0 .text C:\Windows\system32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000778b1e40 5 bytes JMP 0000000100070240 .text C:\Windows\system32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778b2100 5 bytes JMP 00000001000701e0 .text C:\Windows\system32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000778b21c0 1 byte JMP 0000000100070250 .text C:\Windows\system32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000778b21c2 3 bytes {JMP 0xffffffff887be090} .text C:\Windows\system32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000778b21f0 5 bytes JMP 0000000100070470 .text C:\Windows\system32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778b2200 5 bytes JMP 0000000100070480 .text C:\Windows\system32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778b2230 5 bytes JMP 0000000100070300 .text C:\Windows\system32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778b2240 5 bytes JMP 0000000100070360 .text C:\Windows\system32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000778b22a0 5 bytes JMP 00000001000702a0 .text C:\Windows\system32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000778b22f0 5 bytes JMP 00000001000702c0 .text C:\Windows\system32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778b2330 5 bytes JMP 0000000100070340 .text C:\Windows\system32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000778b2620 5 bytes JMP 0000000100070420 .text C:\Windows\system32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778b2820 5 bytes JMP 0000000100070260 .text C:\Windows\system32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778b2830 5 bytes JMP 0000000100070270 .text C:\Windows\system32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778b2840 1 byte JMP 00000001000703d0 .text C:\Windows\system32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 00000000778b2842 3 bytes {JMP 0xffffffff887bdb90} .text C:\Windows\system32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778b2a00 5 bytes JMP 00000001000701f0 .text C:\Windows\system32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778b2a10 5 bytes JMP 0000000100070210 .text C:\Windows\system32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000778b2a80 5 bytes JMP 0000000100070200 .text C:\Windows\system32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000778b2ae0 5 bytes JMP 00000001000703f0 .text C:\Windows\system32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000778b2af0 5 bytes JMP 0000000100070400 .text C:\Windows\system32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000778b2b00 5 bytes JMP 0000000100070220 .text C:\Windows\system32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000778b2be0 5 bytes JMP 0000000100070280 .text C:\Windows\system32\svchost.exe[984] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000772deecd 1 byte [62] .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000778b13c0 5 bytes JMP 0000000077a10440 .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000778b1410 5 bytes JMP 0000000077a10430 .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000778b15c0 1 byte JMP 0000000077a10450 .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 00000000778b15c2 3 bytes {JMP 0x15ee90} .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000778b15d0 5 bytes JMP 0000000077a103b0 .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000778b1680 5 bytes JMP 0000000077a10320 .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000778b16b0 5 bytes JMP 0000000077a10380 .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778b1710 5 bytes JMP 0000000077a102e0 .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 00000000778b1760 5 bytes JMP 0000000077a10410 .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000778b1790 5 bytes JMP 0000000077a102d0 .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000778b17b0 5 bytes JMP 0000000077a10310 .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000778b17f0 5 bytes JMP 0000000077a10390 .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778b1840 5 bytes JMP 0000000077a103c0 .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000778b19a0 1 byte JMP 0000000077a10230 .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000778b19a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000778b1b60 5 bytes JMP 0000000077a10460 .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000778b1b90 5 bytes JMP 0000000077a10370 .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000778b1c70 5 bytes JMP 0000000077a102f0 .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000778b1c80 5 bytes JMP 0000000077a10350 .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000778b1ce0 5 bytes JMP 0000000077a10290 .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000778b1d70 5 bytes JMP 0000000077a102b0 .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000778b1d90 5 bytes JMP 0000000077a103a0 .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000778b1da0 1 byte JMP 0000000077a10330 .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00000000778b1da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000778b1e10 5 bytes JMP 0000000077a103e0 .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000778b1e40 5 bytes JMP 0000000077a10240 .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778b2100 5 bytes JMP 0000000077a101e0 .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000778b21c0 1 byte JMP 0000000077a10250 .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000778b21c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000778b21f0 5 bytes JMP 0000000077a10470 .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778b2200 5 bytes JMP 0000000077a10480 .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778b2230 5 bytes JMP 0000000077a10300 .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778b2240 5 bytes JMP 0000000077a10360 .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000778b22a0 5 bytes JMP 0000000077a102a0 .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000778b22f0 5 bytes JMP 0000000077a102c0 .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778b2330 5 bytes JMP 0000000077a10340 .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000778b2620 5 bytes JMP 0000000077a10420 .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778b2820 5 bytes JMP 0000000077a10260 .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778b2830 5 bytes JMP 0000000077a10270 .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778b2840 1 byte JMP 0000000077a103d0 .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 00000000778b2842 3 bytes {JMP 0x15db90} .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778b2a00 5 bytes JMP 0000000077a101f0 .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778b2a10 5 bytes JMP 0000000077a10210 .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000778b2a80 5 bytes JMP 0000000077a10200 .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000778b2ae0 5 bytes JMP 0000000077a103f0 .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000778b2af0 5 bytes JMP 0000000077a10400 .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000778b2b00 5 bytes JMP 0000000077a10220 .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000778b2be0 5 bytes JMP 0000000077a10280 .text C:\Windows\system32\svchost.exe[1028] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000772deecd 1 byte [62] .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000778b13c0 5 bytes JMP 0000000077a10440 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000778b1410 5 bytes JMP 0000000077a10430 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000778b15c0 1 byte JMP 0000000077a10450 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 00000000778b15c2 3 bytes {JMP 0x15ee90} .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000778b15d0 5 bytes JMP 0000000077a103b0 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000778b1680 5 bytes JMP 0000000077a10320 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000778b16b0 5 bytes JMP 0000000077a10380 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778b1710 5 bytes JMP 0000000077a102e0 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 00000000778b1760 5 bytes JMP 0000000077a10410 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000778b1790 5 bytes JMP 0000000077a102d0 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000778b17b0 5 bytes JMP 0000000077a10310 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000778b17f0 5 bytes JMP 0000000077a10390 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778b1840 5 bytes JMP 0000000077a103c0 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000778b19a0 1 byte JMP 0000000077a10230 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000778b19a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000778b1b60 5 bytes JMP 0000000077a10460 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000778b1b90 5 bytes JMP 0000000077a10370 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000778b1c70 5 bytes JMP 0000000077a102f0 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000778b1c80 5 bytes JMP 0000000077a10350 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000778b1ce0 5 bytes JMP 0000000077a10290 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000778b1d70 5 bytes JMP 0000000077a102b0 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000778b1d90 5 bytes JMP 0000000077a103a0 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000778b1da0 1 byte JMP 0000000077a10330 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00000000778b1da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000778b1e10 5 bytes JMP 0000000077a103e0 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000778b1e40 5 bytes JMP 0000000077a10240 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778b2100 5 bytes JMP 0000000077a101e0 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000778b21c0 1 byte JMP 0000000077a10250 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000778b21c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000778b21f0 5 bytes JMP 0000000077a10470 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778b2200 5 bytes JMP 0000000077a10480 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778b2230 5 bytes JMP 0000000077a10300 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778b2240 5 bytes JMP 0000000077a10360 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000778b22a0 5 bytes JMP 0000000077a102a0 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000778b22f0 5 bytes JMP 0000000077a102c0 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778b2330 5 bytes JMP 0000000077a10340 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000778b2620 5 bytes JMP 0000000077a10420 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778b2820 5 bytes JMP 0000000077a10260 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778b2830 5 bytes JMP 0000000077a10270 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778b2840 1 byte JMP 0000000077a103d0 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 00000000778b2842 3 bytes {JMP 0x15db90} .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778b2a00 5 bytes JMP 0000000077a101f0 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778b2a10 5 bytes JMP 0000000077a10210 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000778b2a80 5 bytes JMP 0000000077a10200 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000778b2ae0 5 bytes JMP 0000000077a103f0 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000778b2af0 5 bytes JMP 0000000077a10400 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000778b2b00 5 bytes JMP 0000000077a10220 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000778b2be0 5 bytes JMP 0000000077a10280 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000772deecd 1 byte [62] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1284] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000778b13c0 5 bytes JMP 0000000077a10440 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1284] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000778b1410 5 bytes JMP 0000000077a10430 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1284] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000778b15c0 1 byte JMP 0000000077a10450 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1284] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 00000000778b15c2 3 bytes {JMP 0x15ee90} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1284] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000778b15d0 5 bytes JMP 0000000077a103b0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1284] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000778b1680 5 bytes JMP 0000000077a10320 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1284] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000778b16b0 5 bytes JMP 0000000077a10380 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1284] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778b1710 5 bytes JMP 0000000077a102e0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1284] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 00000000778b1760 5 bytes JMP 0000000077a10410 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1284] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000778b1790 5 bytes JMP 0000000077a102d0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1284] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000778b17b0 5 bytes JMP 0000000077a10310 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1284] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000778b17f0 5 bytes JMP 0000000077a10390 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1284] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778b1840 5 bytes JMP 0000000077a103c0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1284] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000778b19a0 1 byte JMP 0000000077a10230 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1284] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000778b19a2 3 bytes {JMP 0x15e890} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1284] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000778b1b60 5 bytes JMP 0000000077a10460 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1284] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000778b1b90 5 bytes JMP 0000000077a10370 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1284] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000778b1c70 5 bytes JMP 0000000077a102f0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1284] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000778b1c80 5 bytes JMP 0000000077a10350 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1284] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000778b1ce0 5 bytes JMP 0000000077a10290 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1284] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000778b1d70 5 bytes JMP 0000000077a102b0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1284] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000778b1d90 5 bytes JMP 0000000077a103a0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1284] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000778b1da0 1 byte JMP 0000000077a10330 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1284] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00000000778b1da2 3 bytes {JMP 0x15e590} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1284] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000778b1e10 5 bytes JMP 0000000077a103e0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1284] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000778b1e40 5 bytes JMP 0000000077a10240 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1284] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778b2100 5 bytes JMP 0000000077a101e0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1284] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000778b21c0 1 byte JMP 0000000077a10250 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1284] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000778b21c2 3 bytes {JMP 0x15e090} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1284] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000778b21f0 5 bytes JMP 0000000077a10470 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1284] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778b2200 5 bytes JMP 0000000077a10480 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1284] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778b2230 5 bytes JMP 0000000077a10300 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1284] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778b2240 5 bytes JMP 0000000077a10360 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1284] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000778b22a0 5 bytes JMP 0000000077a102a0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1284] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000778b22f0 5 bytes JMP 0000000077a102c0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1284] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778b2330 5 bytes JMP 0000000077a10340 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1284] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000778b2620 5 bytes JMP 0000000077a10420 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1284] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778b2820 5 bytes JMP 0000000077a10260 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1284] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778b2830 5 bytes JMP 0000000077a10270 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1284] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778b2840 1 byte JMP 0000000077a103d0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1284] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 00000000778b2842 3 bytes {JMP 0x15db90} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1284] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778b2a00 5 bytes JMP 0000000077a101f0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1284] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778b2a10 5 bytes JMP 0000000077a10210 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1284] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000778b2a80 5 bytes JMP 0000000077a10200 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1284] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000778b2ae0 5 bytes JMP 0000000077a103f0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1284] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000778b2af0 5 bytes JMP 0000000077a10400 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1284] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000778b2b00 5 bytes JMP 0000000077a10220 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1284] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000778b2be0 5 bytes JMP 0000000077a10280 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1284] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000772deecd 1 byte [62] .text C:\Windows\system32\nvvsvc.exe[1296] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000778b13c0 5 bytes JMP 0000000077a10440 .text C:\Windows\system32\nvvsvc.exe[1296] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000778b1410 5 bytes JMP 0000000077a10430 .text C:\Windows\system32\nvvsvc.exe[1296] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000778b15c0 1 byte JMP 0000000077a10450 .text C:\Windows\system32\nvvsvc.exe[1296] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 00000000778b15c2 3 bytes {JMP 0x15ee90} .text C:\Windows\system32\nvvsvc.exe[1296] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000778b15d0 5 bytes JMP 0000000077a103b0 .text C:\Windows\system32\nvvsvc.exe[1296] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000778b1680 5 bytes JMP 0000000077a10320 .text C:\Windows\system32\nvvsvc.exe[1296] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000778b16b0 5 bytes JMP 0000000077a10380 .text C:\Windows\system32\nvvsvc.exe[1296] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778b1710 5 bytes JMP 0000000077a102e0 .text C:\Windows\system32\nvvsvc.exe[1296] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 00000000778b1760 5 bytes JMP 0000000077a10410 .text C:\Windows\system32\nvvsvc.exe[1296] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000778b1790 5 bytes JMP 0000000077a102d0 .text C:\Windows\system32\nvvsvc.exe[1296] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000778b17b0 5 bytes JMP 0000000077a10310 .text C:\Windows\system32\nvvsvc.exe[1296] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000778b17f0 5 bytes JMP 0000000077a10390 .text C:\Windows\system32\nvvsvc.exe[1296] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778b1840 5 bytes JMP 0000000077a103c0 .text C:\Windows\system32\nvvsvc.exe[1296] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000778b19a0 1 byte JMP 0000000077a10230 .text C:\Windows\system32\nvvsvc.exe[1296] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000778b19a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\nvvsvc.exe[1296] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000778b1b60 5 bytes JMP 0000000077a10460 .text C:\Windows\system32\nvvsvc.exe[1296] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000778b1b90 5 bytes JMP 0000000077a10370 .text C:\Windows\system32\nvvsvc.exe[1296] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000778b1c70 5 bytes JMP 0000000077a102f0 .text C:\Windows\system32\nvvsvc.exe[1296] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000778b1c80 5 bytes JMP 0000000077a10350 .text C:\Windows\system32\nvvsvc.exe[1296] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000778b1ce0 5 bytes JMP 0000000077a10290 .text C:\Windows\system32\nvvsvc.exe[1296] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000778b1d70 5 bytes JMP 0000000077a102b0 .text C:\Windows\system32\nvvsvc.exe[1296] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000778b1d90 5 bytes JMP 0000000077a103a0 .text C:\Windows\system32\nvvsvc.exe[1296] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000778b1da0 1 byte JMP 0000000077a10330 .text C:\Windows\system32\nvvsvc.exe[1296] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00000000778b1da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\nvvsvc.exe[1296] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000778b1e10 5 bytes JMP 0000000077a103e0 .text C:\Windows\system32\nvvsvc.exe[1296] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000778b1e40 5 bytes JMP 0000000077a10240 .text C:\Windows\system32\nvvsvc.exe[1296] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778b2100 5 bytes JMP 0000000077a101e0 .text C:\Windows\system32\nvvsvc.exe[1296] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000778b21c0 1 byte JMP 0000000077a10250 .text C:\Windows\system32\nvvsvc.exe[1296] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000778b21c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\nvvsvc.exe[1296] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000778b21f0 5 bytes JMP 0000000077a10470 .text C:\Windows\system32\nvvsvc.exe[1296] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778b2200 5 bytes JMP 0000000077a10480 .text C:\Windows\system32\nvvsvc.exe[1296] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778b2230 5 bytes JMP 0000000077a10300 .text C:\Windows\system32\nvvsvc.exe[1296] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778b2240 5 bytes JMP 0000000077a10360 .text C:\Windows\system32\nvvsvc.exe[1296] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000778b22a0 5 bytes JMP 0000000077a102a0 .text C:\Windows\system32\nvvsvc.exe[1296] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000778b22f0 5 bytes JMP 0000000077a102c0 .text C:\Windows\system32\nvvsvc.exe[1296] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778b2330 5 bytes JMP 0000000077a10340 .text C:\Windows\system32\nvvsvc.exe[1296] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000778b2620 5 bytes JMP 0000000077a10420 .text C:\Windows\system32\nvvsvc.exe[1296] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778b2820 5 bytes JMP 0000000077a10260 .text C:\Windows\system32\nvvsvc.exe[1296] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778b2830 5 bytes JMP 0000000077a10270 .text C:\Windows\system32\nvvsvc.exe[1296] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778b2840 1 byte JMP 0000000077a103d0 .text C:\Windows\system32\nvvsvc.exe[1296] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 00000000778b2842 3 bytes {JMP 0x15db90} .text C:\Windows\system32\nvvsvc.exe[1296] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778b2a00 5 bytes JMP 0000000077a101f0 .text C:\Windows\system32\nvvsvc.exe[1296] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778b2a10 5 bytes JMP 0000000077a10210 .text C:\Windows\system32\nvvsvc.exe[1296] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000778b2a80 5 bytes JMP 0000000077a10200 .text C:\Windows\system32\nvvsvc.exe[1296] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000778b2ae0 5 bytes JMP 0000000077a103f0 .text C:\Windows\system32\nvvsvc.exe[1296] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000778b2af0 5 bytes JMP 0000000077a10400 .text C:\Windows\system32\nvvsvc.exe[1296] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000778b2b00 5 bytes JMP 0000000077a10220 .text C:\Windows\system32\nvvsvc.exe[1296] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000778b2be0 5 bytes JMP 0000000077a10280 .text C:\Windows\system32\nvvsvc.exe[1296] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000772deecd 1 byte [62] .text C:\Windows\System32\spoolsv.exe[1336] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000778b13c0 5 bytes JMP 0000000077a10440 .text C:\Windows\System32\spoolsv.exe[1336] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000778b1410 5 bytes JMP 0000000077a10430 .text C:\Windows\System32\spoolsv.exe[1336] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000778b15c0 1 byte JMP 0000000077a10450 .text C:\Windows\System32\spoolsv.exe[1336] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 00000000778b15c2 3 bytes {JMP 0x15ee90} .text C:\Windows\System32\spoolsv.exe[1336] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000778b15d0 5 bytes JMP 0000000077a103b0 .text C:\Windows\System32\spoolsv.exe[1336] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000778b1680 5 bytes JMP 0000000077a10320 .text C:\Windows\System32\spoolsv.exe[1336] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000778b16b0 5 bytes JMP 0000000077a10380 .text C:\Windows\System32\spoolsv.exe[1336] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778b1710 5 bytes JMP 0000000077a102e0 .text C:\Windows\System32\spoolsv.exe[1336] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 00000000778b1760 5 bytes JMP 0000000077a10410 .text C:\Windows\System32\spoolsv.exe[1336] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000778b1790 5 bytes JMP 0000000077a102d0 .text C:\Windows\System32\spoolsv.exe[1336] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000778b17b0 5 bytes JMP 0000000077a10310 .text C:\Windows\System32\spoolsv.exe[1336] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000778b17f0 5 bytes JMP 0000000077a10390 .text C:\Windows\System32\spoolsv.exe[1336] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778b1840 5 bytes JMP 0000000077a103c0 .text C:\Windows\System32\spoolsv.exe[1336] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000778b19a0 1 byte JMP 0000000077a10230 .text C:\Windows\System32\spoolsv.exe[1336] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000778b19a2 3 bytes {JMP 0x15e890} .text C:\Windows\System32\spoolsv.exe[1336] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000778b1b60 5 bytes JMP 0000000077a10460 .text C:\Windows\System32\spoolsv.exe[1336] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000778b1b90 5 bytes JMP 0000000077a10370 .text C:\Windows\System32\spoolsv.exe[1336] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000778b1c70 5 bytes JMP 0000000077a102f0 .text C:\Windows\System32\spoolsv.exe[1336] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000778b1c80 5 bytes JMP 0000000077a10350 .text C:\Windows\System32\spoolsv.exe[1336] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000778b1ce0 5 bytes JMP 0000000077a10290 .text C:\Windows\System32\spoolsv.exe[1336] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000778b1d70 5 bytes JMP 0000000077a102b0 .text C:\Windows\System32\spoolsv.exe[1336] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000778b1d90 5 bytes JMP 0000000077a103a0 .text C:\Windows\System32\spoolsv.exe[1336] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000778b1da0 1 byte JMP 0000000077a10330 .text C:\Windows\System32\spoolsv.exe[1336] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00000000778b1da2 3 bytes {JMP 0x15e590} .text C:\Windows\System32\spoolsv.exe[1336] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000778b1e10 5 bytes JMP 0000000077a103e0 .text C:\Windows\System32\spoolsv.exe[1336] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000778b1e40 5 bytes JMP 0000000077a10240 .text C:\Windows\System32\spoolsv.exe[1336] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778b2100 5 bytes JMP 0000000077a101e0 .text C:\Windows\System32\spoolsv.exe[1336] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000778b21c0 1 byte JMP 0000000077a10250 .text C:\Windows\System32\spoolsv.exe[1336] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000778b21c2 3 bytes {JMP 0x15e090} .text C:\Windows\System32\spoolsv.exe[1336] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000778b21f0 5 bytes JMP 0000000077a10470 .text C:\Windows\System32\spoolsv.exe[1336] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778b2200 5 bytes JMP 0000000077a10480 .text C:\Windows\System32\spoolsv.exe[1336] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778b2230 5 bytes JMP 0000000077a10300 .text C:\Windows\System32\spoolsv.exe[1336] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778b2240 5 bytes JMP 0000000077a10360 .text C:\Windows\System32\spoolsv.exe[1336] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000778b22a0 5 bytes JMP 0000000077a102a0 .text C:\Windows\System32\spoolsv.exe[1336] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000778b22f0 5 bytes JMP 0000000077a102c0 .text C:\Windows\System32\spoolsv.exe[1336] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778b2330 5 bytes JMP 0000000077a10340 .text C:\Windows\System32\spoolsv.exe[1336] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000778b2620 5 bytes JMP 0000000077a10420 .text C:\Windows\System32\spoolsv.exe[1336] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778b2820 5 bytes JMP 0000000077a10260 .text C:\Windows\System32\spoolsv.exe[1336] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778b2830 5 bytes JMP 0000000077a10270 .text C:\Windows\System32\spoolsv.exe[1336] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778b2840 1 byte JMP 0000000077a103d0 .text C:\Windows\System32\spoolsv.exe[1336] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 00000000778b2842 3 bytes {JMP 0x15db90} .text C:\Windows\System32\spoolsv.exe[1336] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778b2a00 5 bytes JMP 0000000077a101f0 .text C:\Windows\System32\spoolsv.exe[1336] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778b2a10 5 bytes JMP 0000000077a10210 .text C:\Windows\System32\spoolsv.exe[1336] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000778b2a80 5 bytes JMP 0000000077a10200 .text C:\Windows\System32\spoolsv.exe[1336] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000778b2ae0 5 bytes JMP 0000000077a103f0 .text C:\Windows\System32\spoolsv.exe[1336] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000778b2af0 5 bytes JMP 0000000077a10400 .text C:\Windows\System32\spoolsv.exe[1336] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000778b2b00 5 bytes JMP 0000000077a10220 .text C:\Windows\System32\spoolsv.exe[1336] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000778b2be0 5 bytes JMP 0000000077a10280 .text C:\Windows\System32\spoolsv.exe[1336] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000772deecd 1 byte [62] .text C:\Windows\system32\svchost.exe[1364] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000778b13c0 5 bytes JMP 0000000077a10440 .text C:\Windows\system32\svchost.exe[1364] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000778b1410 5 bytes JMP 0000000077a10430 .text C:\Windows\system32\svchost.exe[1364] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000778b15c0 1 byte JMP 0000000077a10450 .text C:\Windows\system32\svchost.exe[1364] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 00000000778b15c2 3 bytes {JMP 0x15ee90} .text C:\Windows\system32\svchost.exe[1364] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000778b15d0 5 bytes JMP 0000000077a103b0 .text C:\Windows\system32\svchost.exe[1364] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000778b1680 5 bytes JMP 0000000077a10320 .text C:\Windows\system32\svchost.exe[1364] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000778b16b0 5 bytes JMP 0000000077a10380 .text C:\Windows\system32\svchost.exe[1364] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778b1710 5 bytes JMP 0000000077a102e0 .text C:\Windows\system32\svchost.exe[1364] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 00000000778b1760 5 bytes JMP 0000000077a10410 .text C:\Windows\system32\svchost.exe[1364] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000778b1790 5 bytes JMP 0000000077a102d0 .text C:\Windows\system32\svchost.exe[1364] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000778b17b0 5 bytes JMP 0000000077a10310 .text C:\Windows\system32\svchost.exe[1364] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000778b17f0 5 bytes JMP 0000000077a10390 .text C:\Windows\system32\svchost.exe[1364] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778b1840 5 bytes JMP 0000000077a103c0 .text C:\Windows\system32\svchost.exe[1364] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000778b19a0 1 byte JMP 0000000077a10230 .text C:\Windows\system32\svchost.exe[1364] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000778b19a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\svchost.exe[1364] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000778b1b60 5 bytes JMP 0000000077a10460 .text C:\Windows\system32\svchost.exe[1364] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000778b1b90 5 bytes JMP 0000000077a10370 .text C:\Windows\system32\svchost.exe[1364] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000778b1c70 5 bytes JMP 0000000077a102f0 .text C:\Windows\system32\svchost.exe[1364] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000778b1c80 5 bytes JMP 0000000077a10350 .text C:\Windows\system32\svchost.exe[1364] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000778b1ce0 5 bytes JMP 0000000077a10290 .text C:\Windows\system32\svchost.exe[1364] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000778b1d70 5 bytes JMP 0000000077a102b0 .text C:\Windows\system32\svchost.exe[1364] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000778b1d90 5 bytes JMP 0000000077a103a0 .text C:\Windows\system32\svchost.exe[1364] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000778b1da0 1 byte JMP 0000000077a10330 .text C:\Windows\system32\svchost.exe[1364] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00000000778b1da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\svchost.exe[1364] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000778b1e10 5 bytes JMP 0000000077a103e0 .text C:\Windows\system32\svchost.exe[1364] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000778b1e40 5 bytes JMP 0000000077a10240 .text C:\Windows\system32\svchost.exe[1364] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778b2100 5 bytes JMP 0000000077a101e0 .text C:\Windows\system32\svchost.exe[1364] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000778b21c0 1 byte JMP 0000000077a10250 .text C:\Windows\system32\svchost.exe[1364] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000778b21c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\svchost.exe[1364] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000778b21f0 5 bytes JMP 0000000077a10470 .text C:\Windows\system32\svchost.exe[1364] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778b2200 5 bytes JMP 0000000077a10480 .text C:\Windows\system32\svchost.exe[1364] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778b2230 5 bytes JMP 0000000077a10300 .text C:\Windows\system32\svchost.exe[1364] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778b2240 5 bytes JMP 0000000077a10360 .text C:\Windows\system32\svchost.exe[1364] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000778b22a0 5 bytes JMP 0000000077a102a0 .text C:\Windows\system32\svchost.exe[1364] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000778b22f0 5 bytes JMP 0000000077a102c0 .text C:\Windows\system32\svchost.exe[1364] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778b2330 5 bytes JMP 0000000077a10340 .text C:\Windows\system32\svchost.exe[1364] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000778b2620 5 bytes JMP 0000000077a10420 .text C:\Windows\system32\svchost.exe[1364] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778b2820 5 bytes JMP 0000000077a10260 .text C:\Windows\system32\svchost.exe[1364] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778b2830 5 bytes JMP 0000000077a10270 .text C:\Windows\system32\svchost.exe[1364] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778b2840 1 byte JMP 0000000077a103d0 .text C:\Windows\system32\svchost.exe[1364] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 00000000778b2842 3 bytes {JMP 0x15db90} .text C:\Windows\system32\svchost.exe[1364] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778b2a00 5 bytes JMP 0000000077a101f0 .text C:\Windows\system32\svchost.exe[1364] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778b2a10 5 bytes JMP 0000000077a10210 .text C:\Windows\system32\svchost.exe[1364] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000778b2a80 5 bytes JMP 0000000077a10200 .text C:\Windows\system32\svchost.exe[1364] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000778b2ae0 5 bytes JMP 0000000077a103f0 .text C:\Windows\system32\svchost.exe[1364] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000778b2af0 5 bytes JMP 0000000077a10400 .text C:\Windows\system32\svchost.exe[1364] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000778b2b00 5 bytes JMP 0000000077a10220 .text C:\Windows\system32\svchost.exe[1364] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000778b2be0 5 bytes JMP 0000000077a10280 .text C:\Windows\system32\svchost.exe[1364] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000772deecd 1 byte [62] .text C:\Windows\system32\taskhost.exe[1496] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000778b13c0 5 bytes JMP 0000000077a10440 .text C:\Windows\system32\taskhost.exe[1496] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000778b1410 5 bytes JMP 0000000077a10430 .text C:\Windows\system32\taskhost.exe[1496] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000778b15c0 1 byte JMP 0000000077a10450 .text C:\Windows\system32\taskhost.exe[1496] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 00000000778b15c2 3 bytes {JMP 0x15ee90} .text C:\Windows\system32\taskhost.exe[1496] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000778b15d0 5 bytes JMP 0000000077a103b0 .text C:\Windows\system32\taskhost.exe[1496] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000778b1680 5 bytes JMP 0000000077a10320 .text C:\Windows\system32\taskhost.exe[1496] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000778b16b0 5 bytes JMP 0000000077a10380 .text C:\Windows\system32\taskhost.exe[1496] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778b1710 5 bytes JMP 0000000077a102e0 .text C:\Windows\system32\taskhost.exe[1496] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 00000000778b1760 5 bytes JMP 0000000077a10410 .text C:\Windows\system32\taskhost.exe[1496] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000778b1790 5 bytes JMP 0000000077a102d0 .text C:\Windows\system32\taskhost.exe[1496] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000778b17b0 5 bytes JMP 0000000077a10310 .text C:\Windows\system32\taskhost.exe[1496] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000778b17f0 5 bytes JMP 0000000077a10390 .text C:\Windows\system32\taskhost.exe[1496] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778b1840 5 bytes JMP 0000000077a103c0 .text C:\Windows\system32\taskhost.exe[1496] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000778b19a0 1 byte JMP 0000000077a10230 .text C:\Windows\system32\taskhost.exe[1496] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000778b19a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\taskhost.exe[1496] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000778b1b60 5 bytes JMP 0000000077a10460 .text C:\Windows\system32\taskhost.exe[1496] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000778b1b90 5 bytes JMP 0000000077a10370 .text C:\Windows\system32\taskhost.exe[1496] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000778b1c70 5 bytes JMP 0000000077a102f0 .text C:\Windows\system32\taskhost.exe[1496] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000778b1c80 5 bytes JMP 0000000077a10350 .text C:\Windows\system32\taskhost.exe[1496] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000778b1ce0 5 bytes JMP 0000000077a10290 .text C:\Windows\system32\taskhost.exe[1496] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000778b1d70 5 bytes JMP 0000000077a102b0 .text C:\Windows\system32\taskhost.exe[1496] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000778b1d90 5 bytes JMP 0000000077a103a0 .text C:\Windows\system32\taskhost.exe[1496] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000778b1da0 1 byte JMP 0000000077a10330 .text C:\Windows\system32\taskhost.exe[1496] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00000000778b1da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\taskhost.exe[1496] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000778b1e10 5 bytes JMP 0000000077a103e0 .text C:\Windows\system32\taskhost.exe[1496] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000778b1e40 5 bytes JMP 0000000077a10240 .text C:\Windows\system32\taskhost.exe[1496] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778b2100 5 bytes JMP 0000000077a101e0 .text C:\Windows\system32\taskhost.exe[1496] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000778b21c0 1 byte JMP 0000000077a10250 .text C:\Windows\system32\taskhost.exe[1496] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000778b21c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\taskhost.exe[1496] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000778b21f0 5 bytes JMP 0000000077a10470 .text C:\Windows\system32\taskhost.exe[1496] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778b2200 5 bytes JMP 0000000077a10480 .text C:\Windows\system32\taskhost.exe[1496] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778b2230 5 bytes JMP 0000000077a10300 .text C:\Windows\system32\taskhost.exe[1496] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778b2240 5 bytes JMP 0000000077a10360 .text C:\Windows\system32\taskhost.exe[1496] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000778b22a0 5 bytes JMP 0000000077a102a0 .text C:\Windows\system32\taskhost.exe[1496] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000778b22f0 5 bytes JMP 0000000077a102c0 .text C:\Windows\system32\taskhost.exe[1496] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778b2330 5 bytes JMP 0000000077a10340 .text C:\Windows\system32\taskhost.exe[1496] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000778b2620 5 bytes JMP 0000000077a10420 .text C:\Windows\system32\taskhost.exe[1496] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778b2820 5 bytes JMP 0000000077a10260 .text C:\Windows\system32\taskhost.exe[1496] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778b2830 5 bytes JMP 0000000077a10270 .text C:\Windows\system32\taskhost.exe[1496] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778b2840 1 byte JMP 0000000077a103d0 .text C:\Windows\system32\taskhost.exe[1496] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 00000000778b2842 3 bytes {JMP 0x15db90} .text C:\Windows\system32\taskhost.exe[1496] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778b2a00 5 bytes JMP 0000000077a101f0 .text C:\Windows\system32\taskhost.exe[1496] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778b2a10 5 bytes JMP 0000000077a10210 .text C:\Windows\system32\taskhost.exe[1496] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000778b2a80 5 bytes JMP 0000000077a10200 .text C:\Windows\system32\taskhost.exe[1496] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000778b2ae0 5 bytes JMP 0000000077a103f0 .text C:\Windows\system32\taskhost.exe[1496] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000778b2af0 5 bytes JMP 0000000077a10400 .text C:\Windows\system32\taskhost.exe[1496] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000778b2b00 5 bytes JMP 0000000077a10220 .text C:\Windows\system32\taskhost.exe[1496] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000778b2be0 5 bytes JMP 0000000077a10280 .text C:\Windows\system32\taskhost.exe[1496] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000772deecd 1 byte [62] .text C:\Windows\system32\Dwm.exe[1812] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000778b13c0 5 bytes JMP 0000000077a10440 .text C:\Windows\system32\Dwm.exe[1812] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000778b1410 5 bytes JMP 0000000077a10430 .text C:\Windows\system32\Dwm.exe[1812] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000778b15c0 1 byte JMP 0000000077a10450 .text C:\Windows\system32\Dwm.exe[1812] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 00000000778b15c2 3 bytes {JMP 0x15ee90} .text C:\Windows\system32\Dwm.exe[1812] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000778b15d0 5 bytes JMP 0000000077a103b0 .text C:\Windows\system32\Dwm.exe[1812] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000778b1680 5 bytes JMP 0000000077a10320 .text C:\Windows\system32\Dwm.exe[1812] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000778b16b0 5 bytes JMP 0000000077a10380 .text C:\Windows\system32\Dwm.exe[1812] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778b1710 5 bytes JMP 0000000077a102e0 .text C:\Windows\system32\Dwm.exe[1812] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 00000000778b1760 5 bytes JMP 0000000077a10410 .text C:\Windows\system32\Dwm.exe[1812] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000778b1790 5 bytes JMP 0000000077a102d0 .text C:\Windows\system32\Dwm.exe[1812] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000778b17b0 5 bytes JMP 0000000077a10310 .text C:\Windows\system32\Dwm.exe[1812] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000778b17f0 5 bytes JMP 0000000077a10390 .text C:\Windows\system32\Dwm.exe[1812] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778b1840 5 bytes JMP 0000000077a103c0 .text C:\Windows\system32\Dwm.exe[1812] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000778b19a0 1 byte JMP 0000000077a10230 .text C:\Windows\system32\Dwm.exe[1812] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000778b19a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\Dwm.exe[1812] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000778b1b60 5 bytes JMP 0000000077a10460 .text C:\Windows\system32\Dwm.exe[1812] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000778b1b90 5 bytes JMP 0000000077a10370 .text C:\Windows\system32\Dwm.exe[1812] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000778b1c70 5 bytes JMP 0000000077a102f0 .text C:\Windows\system32\Dwm.exe[1812] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000778b1c80 5 bytes JMP 0000000077a10350 .text C:\Windows\system32\Dwm.exe[1812] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000778b1ce0 5 bytes JMP 0000000077a10290 .text C:\Windows\system32\Dwm.exe[1812] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000778b1d70 5 bytes JMP 0000000077a102b0 .text C:\Windows\system32\Dwm.exe[1812] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000778b1d90 5 bytes JMP 0000000077a103a0 .text C:\Windows\system32\Dwm.exe[1812] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000778b1da0 1 byte JMP 0000000077a10330 .text C:\Windows\system32\Dwm.exe[1812] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00000000778b1da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\Dwm.exe[1812] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000778b1e10 5 bytes JMP 0000000077a103e0 .text C:\Windows\system32\Dwm.exe[1812] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000778b1e40 5 bytes JMP 0000000077a10240 .text C:\Windows\system32\Dwm.exe[1812] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778b2100 5 bytes JMP 0000000077a101e0 .text C:\Windows\system32\Dwm.exe[1812] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000778b21c0 1 byte JMP 0000000077a10250 .text C:\Windows\system32\Dwm.exe[1812] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000778b21c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\Dwm.exe[1812] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000778b21f0 5 bytes JMP 0000000077a10470 .text C:\Windows\system32\Dwm.exe[1812] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778b2200 5 bytes JMP 0000000077a10480 .text C:\Windows\system32\Dwm.exe[1812] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778b2230 5 bytes JMP 0000000077a10300 .text C:\Windows\system32\Dwm.exe[1812] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778b2240 5 bytes JMP 0000000077a10360 .text C:\Windows\system32\Dwm.exe[1812] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000778b22a0 5 bytes JMP 0000000077a102a0 .text C:\Windows\system32\Dwm.exe[1812] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000778b22f0 5 bytes JMP 0000000077a102c0 .text C:\Windows\system32\Dwm.exe[1812] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778b2330 5 bytes JMP 0000000077a10340 .text C:\Windows\system32\Dwm.exe[1812] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000778b2620 5 bytes JMP 0000000077a10420 .text C:\Windows\system32\Dwm.exe[1812] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778b2820 5 bytes JMP 0000000077a10260 .text C:\Windows\system32\Dwm.exe[1812] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778b2830 5 bytes JMP 0000000077a10270 .text C:\Windows\system32\Dwm.exe[1812] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778b2840 1 byte JMP 0000000077a103d0 .text C:\Windows\system32\Dwm.exe[1812] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 00000000778b2842 3 bytes {JMP 0x15db90} .text C:\Windows\system32\Dwm.exe[1812] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778b2a00 5 bytes JMP 0000000077a101f0 .text C:\Windows\system32\Dwm.exe[1812] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778b2a10 5 bytes JMP 0000000077a10210 .text C:\Windows\system32\Dwm.exe[1812] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000778b2a80 5 bytes JMP 0000000077a10200 .text C:\Windows\system32\Dwm.exe[1812] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000778b2ae0 5 bytes JMP 0000000077a103f0 .text C:\Windows\system32\Dwm.exe[1812] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000778b2af0 5 bytes JMP 0000000077a10400 .text C:\Windows\system32\Dwm.exe[1812] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000778b2b00 5 bytes JMP 0000000077a10220 .text C:\Windows\system32\Dwm.exe[1812] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000778b2be0 5 bytes JMP 0000000077a10280 .text C:\Windows\system32\svchost.exe[1848] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000778b13c0 5 bytes JMP 0000000077a10440 .text C:\Windows\system32\svchost.exe[1848] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000778b1410 5 bytes JMP 0000000077a10430 .text C:\Windows\system32\svchost.exe[1848] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000778b15c0 1 byte JMP 0000000077a10450 .text C:\Windows\system32\svchost.exe[1848] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 00000000778b15c2 3 bytes {JMP 0x15ee90} .text C:\Windows\system32\svchost.exe[1848] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000778b15d0 5 bytes JMP 0000000077a103b0 .text C:\Windows\system32\svchost.exe[1848] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000778b1680 5 bytes JMP 0000000077a10320 .text C:\Windows\system32\svchost.exe[1848] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000778b16b0 5 bytes JMP 0000000077a10380 .text C:\Windows\system32\svchost.exe[1848] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778b1710 5 bytes JMP 0000000077a102e0 .text C:\Windows\system32\svchost.exe[1848] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 00000000778b1760 5 bytes JMP 0000000077a10410 .text C:\Windows\system32\svchost.exe[1848] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000778b1790 5 bytes JMP 0000000077a102d0 .text C:\Windows\system32\svchost.exe[1848] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000778b17b0 5 bytes JMP 0000000077a10310 .text C:\Windows\system32\svchost.exe[1848] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000778b17f0 5 bytes JMP 0000000077a10390 .text C:\Windows\system32\svchost.exe[1848] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778b1840 5 bytes JMP 0000000077a103c0 .text C:\Windows\system32\svchost.exe[1848] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000778b19a0 1 byte JMP 0000000077a10230 .text C:\Windows\system32\svchost.exe[1848] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000778b19a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\svchost.exe[1848] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000778b1b60 5 bytes JMP 0000000077a10460 .text C:\Windows\system32\svchost.exe[1848] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000778b1b90 5 bytes JMP 0000000077a10370 .text C:\Windows\system32\svchost.exe[1848] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000778b1c70 5 bytes JMP 0000000077a102f0 .text C:\Windows\system32\svchost.exe[1848] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000778b1c80 5 bytes JMP 0000000077a10350 .text C:\Windows\system32\svchost.exe[1848] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000778b1ce0 5 bytes JMP 0000000077a10290 .text C:\Windows\system32\svchost.exe[1848] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000778b1d70 5 bytes JMP 0000000077a102b0 .text C:\Windows\system32\svchost.exe[1848] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000778b1d90 5 bytes JMP 0000000077a103a0 .text C:\Windows\system32\svchost.exe[1848] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000778b1da0 1 byte JMP 0000000077a10330 .text C:\Windows\system32\svchost.exe[1848] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00000000778b1da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\svchost.exe[1848] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000778b1e10 5 bytes JMP 0000000077a103e0 .text C:\Windows\system32\svchost.exe[1848] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000778b1e40 5 bytes JMP 0000000077a10240 .text C:\Windows\system32\svchost.exe[1848] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778b2100 5 bytes JMP 0000000077a101e0 .text C:\Windows\system32\svchost.exe[1848] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000778b21c0 1 byte JMP 0000000077a10250 .text C:\Windows\system32\svchost.exe[1848] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000778b21c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\svchost.exe[1848] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000778b21f0 5 bytes JMP 0000000077a10470 .text C:\Windows\system32\svchost.exe[1848] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778b2200 5 bytes JMP 0000000077a10480 .text C:\Windows\system32\svchost.exe[1848] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778b2230 5 bytes JMP 0000000077a10300 .text C:\Windows\system32\svchost.exe[1848] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778b2240 5 bytes JMP 0000000077a10360 .text C:\Windows\system32\svchost.exe[1848] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000778b22a0 5 bytes JMP 0000000077a102a0 .text C:\Windows\system32\svchost.exe[1848] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000778b22f0 5 bytes JMP 0000000077a102c0 .text C:\Windows\system32\svchost.exe[1848] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778b2330 5 bytes JMP 0000000077a10340 .text C:\Windows\system32\svchost.exe[1848] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000778b2620 5 bytes JMP 0000000077a10420 .text C:\Windows\system32\svchost.exe[1848] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778b2820 5 bytes JMP 0000000077a10260 .text C:\Windows\system32\svchost.exe[1848] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778b2830 5 bytes JMP 0000000077a10270 .text C:\Windows\system32\svchost.exe[1848] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778b2840 1 byte JMP 0000000077a103d0 .text C:\Windows\system32\svchost.exe[1848] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 00000000778b2842 3 bytes {JMP 0x15db90} .text C:\Windows\system32\svchost.exe[1848] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778b2a00 5 bytes JMP 0000000077a101f0 .text C:\Windows\system32\svchost.exe[1848] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778b2a10 5 bytes JMP 0000000077a10210 .text C:\Windows\system32\svchost.exe[1848] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000778b2a80 5 bytes JMP 0000000077a10200 .text C:\Windows\system32\svchost.exe[1848] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000778b2ae0 5 bytes JMP 0000000077a103f0 .text C:\Windows\system32\svchost.exe[1848] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000778b2af0 5 bytes JMP 0000000077a10400 .text C:\Windows\system32\svchost.exe[1848] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000778b2b00 5 bytes JMP 0000000077a10220 .text C:\Windows\system32\svchost.exe[1848] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000778b2be0 5 bytes JMP 0000000077a10280 .text C:\Windows\system32\svchost.exe[1848] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000772deecd 1 byte [62] ? C:\Program Files\EslWire\service\WireHelperSvc.exe [1984] entry point in ".vmp1" section 000000013fdeafbf .text C:\Program Files\EslWire\service\WireHelperSvc.exe[1984] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000778b13c0 5 bytes JMP 0000000077a10440 .text C:\Program Files\EslWire\service\WireHelperSvc.exe[1984] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000778b1410 5 bytes JMP 0000000077a10430 .text C:\Program Files\EslWire\service\WireHelperSvc.exe[1984] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000778b15c0 1 byte JMP 0000000077a10450 .text C:\Program Files\EslWire\service\WireHelperSvc.exe[1984] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 00000000778b15c2 3 bytes {JMP 0x15ee90} .text C:\Program Files\EslWire\service\WireHelperSvc.exe[1984] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000778b15d0 5 bytes JMP 0000000077a103b0 .text C:\Program Files\EslWire\service\WireHelperSvc.exe[1984] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000778b1680 5 bytes JMP 0000000077a10320 .text C:\Program Files\EslWire\service\WireHelperSvc.exe[1984] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000778b16b0 5 bytes JMP 0000000077a10380 .text C:\Program Files\EslWire\service\WireHelperSvc.exe[1984] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778b1710 5 bytes JMP 0000000077a102e0 .text C:\Program Files\EslWire\service\WireHelperSvc.exe[1984] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 00000000778b1760 5 bytes JMP 0000000077a10410 .text C:\Program Files\EslWire\service\WireHelperSvc.exe[1984] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000778b1790 5 bytes JMP 0000000077a102d0 .text C:\Program Files\EslWire\service\WireHelperSvc.exe[1984] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000778b17b0 5 bytes JMP 0000000077a10310 .text C:\Program Files\EslWire\service\WireHelperSvc.exe[1984] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000778b17f0 5 bytes JMP 0000000077a10390 .text C:\Program Files\EslWire\service\WireHelperSvc.exe[1984] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778b1840 5 bytes JMP 0000000077a103c0 .text C:\Program Files\EslWire\service\WireHelperSvc.exe[1984] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000778b19a0 1 byte JMP 0000000077a10230 .text C:\Program Files\EslWire\service\WireHelperSvc.exe[1984] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000778b19a2 3 bytes {JMP 0x15e890} .text C:\Program Files\EslWire\service\WireHelperSvc.exe[1984] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000778b1b60 5 bytes JMP 0000000077a10460 .text C:\Program Files\EslWire\service\WireHelperSvc.exe[1984] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000778b1b90 5 bytes JMP 0000000077a10370 .text C:\Program Files\EslWire\service\WireHelperSvc.exe[1984] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000778b1c70 5 bytes JMP 0000000077a102f0 .text C:\Program Files\EslWire\service\WireHelperSvc.exe[1984] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000778b1c80 5 bytes JMP 0000000077a10350 .text C:\Program Files\EslWire\service\WireHelperSvc.exe[1984] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000778b1ce0 5 bytes JMP 0000000077a10290 .text C:\Program Files\EslWire\service\WireHelperSvc.exe[1984] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000778b1d70 5 bytes JMP 0000000077a102b0 .text C:\Program Files\EslWire\service\WireHelperSvc.exe[1984] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000778b1d90 5 bytes JMP 0000000077a103a0 .text C:\Program Files\EslWire\service\WireHelperSvc.exe[1984] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000778b1da0 1 byte JMP 0000000077a10330 .text C:\Program Files\EslWire\service\WireHelperSvc.exe[1984] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00000000778b1da2 3 bytes {JMP 0x15e590} .text C:\Program Files\EslWire\service\WireHelperSvc.exe[1984] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000778b1e10 5 bytes JMP 0000000077a103e0 .text C:\Program Files\EslWire\service\WireHelperSvc.exe[1984] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000778b1e40 5 bytes JMP 0000000077a10240 .text C:\Program Files\EslWire\service\WireHelperSvc.exe[1984] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778b2100 5 bytes JMP 0000000077a101e0 .text C:\Program Files\EslWire\service\WireHelperSvc.exe[1984] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000778b21c0 1 byte JMP 0000000077a10250 .text C:\Program Files\EslWire\service\WireHelperSvc.exe[1984] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000778b21c2 3 bytes {JMP 0x15e090} .text C:\Program Files\EslWire\service\WireHelperSvc.exe[1984] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000778b21f0 5 bytes JMP 0000000077a10470 .text C:\Program Files\EslWire\service\WireHelperSvc.exe[1984] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778b2200 5 bytes JMP 0000000077a10480 .text C:\Program Files\EslWire\service\WireHelperSvc.exe[1984] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778b2230 5 bytes JMP 0000000077a10300 .text C:\Program Files\EslWire\service\WireHelperSvc.exe[1984] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778b2240 5 bytes JMP 0000000077a10360 .text C:\Program Files\EslWire\service\WireHelperSvc.exe[1984] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000778b22a0 5 bytes JMP 0000000077a102a0 .text C:\Program Files\EslWire\service\WireHelperSvc.exe[1984] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000778b22f0 5 bytes JMP 0000000077a102c0 .text C:\Program Files\EslWire\service\WireHelperSvc.exe[1984] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778b2330 5 bytes JMP 0000000077a10340 .text C:\Program Files\EslWire\service\WireHelperSvc.exe[1984] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000778b2620 5 bytes JMP 0000000077a10420 .text C:\Program Files\EslWire\service\WireHelperSvc.exe[1984] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778b2820 5 bytes JMP 0000000077a10260 .text C:\Program Files\EslWire\service\WireHelperSvc.exe[1984] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778b2830 5 bytes JMP 0000000077a10270 .text C:\Program Files\EslWire\service\WireHelperSvc.exe[1984] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778b2840 1 byte JMP 0000000077a103d0 .text C:\Program Files\EslWire\service\WireHelperSvc.exe[1984] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 00000000778b2842 3 bytes {JMP 0x15db90} .text C:\Program Files\EslWire\service\WireHelperSvc.exe[1984] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778b2a00 5 bytes JMP 0000000077a101f0 .text C:\Program Files\EslWire\service\WireHelperSvc.exe[1984] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778b2a10 5 bytes JMP 0000000077a10210 .text C:\Program Files\EslWire\service\WireHelperSvc.exe[1984] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000778b2a80 5 bytes JMP 0000000077a10200 .text C:\Program Files\EslWire\service\WireHelperSvc.exe[1984] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000778b2ae0 5 bytes JMP 0000000077a103f0 .text C:\Program Files\EslWire\service\WireHelperSvc.exe[1984] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000778b2af0 5 bytes JMP 0000000077a10400 .text C:\Program Files\EslWire\service\WireHelperSvc.exe[1984] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000778b2b00 5 bytes JMP 0000000077a10220 .text C:\Program Files\EslWire\service\WireHelperSvc.exe[1984] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000778b2be0 5 bytes JMP 0000000077a10280 .text C:\Program Files\EslWire\service\WireHelperSvc.exe[1984] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000772deecd 1 byte [62] .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1748] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000778b13c0 5 bytes JMP 0000000077a10440 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1748] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000778b1410 5 bytes JMP 0000000077a10430 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1748] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000778b15c0 1 byte JMP 0000000077a10450 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1748] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 00000000778b15c2 3 bytes {JMP 0x15ee90} .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1748] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000778b15d0 5 bytes JMP 0000000077a103b0 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1748] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000778b1680 5 bytes JMP 0000000077a10320 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1748] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000778b16b0 5 bytes JMP 0000000077a10380 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1748] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778b1710 5 bytes JMP 0000000077a102e0 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1748] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 00000000778b1760 5 bytes JMP 0000000077a10410 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1748] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000778b1790 5 bytes JMP 0000000077a102d0 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1748] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000778b17b0 5 bytes JMP 0000000077a10310 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1748] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000778b17f0 5 bytes JMP 0000000077a10390 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1748] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778b1840 5 bytes JMP 0000000077a103c0 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1748] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000778b19a0 1 byte JMP 0000000077a10230 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1748] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000778b19a2 3 bytes {JMP 0x15e890} .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1748] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000778b1b60 5 bytes JMP 0000000077a10460 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1748] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000778b1b90 5 bytes JMP 0000000077a10370 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1748] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000778b1c70 5 bytes JMP 0000000077a102f0 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1748] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000778b1c80 5 bytes JMP 0000000077a10350 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1748] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000778b1ce0 5 bytes JMP 0000000077a10290 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1748] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000778b1d70 5 bytes JMP 0000000077a102b0 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1748] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000778b1d90 5 bytes JMP 0000000077a103a0 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1748] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000778b1da0 1 byte JMP 0000000077a10330 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1748] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00000000778b1da2 3 bytes {JMP 0x15e590} .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1748] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000778b1e10 5 bytes JMP 0000000077a103e0 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1748] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000778b1e40 5 bytes JMP 0000000077a10240 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1748] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778b2100 5 bytes JMP 0000000077a101e0 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1748] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000778b21c0 1 byte JMP 0000000077a10250 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1748] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000778b21c2 3 bytes {JMP 0x15e090} .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1748] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000778b21f0 5 bytes JMP 0000000077a10470 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1748] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778b2200 5 bytes JMP 0000000077a10480 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1748] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778b2230 5 bytes JMP 0000000077a10300 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1748] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778b2240 5 bytes JMP 0000000077a10360 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1748] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000778b22a0 5 bytes JMP 0000000077a102a0 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1748] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000778b22f0 5 bytes JMP 0000000077a102c0 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1748] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778b2330 5 bytes JMP 0000000077a10340 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1748] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000778b2620 5 bytes JMP 0000000077a10420 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1748] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778b2820 5 bytes JMP 0000000077a10260 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1748] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778b2830 5 bytes JMP 0000000077a10270 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1748] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778b2840 1 byte JMP 0000000077a103d0 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1748] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 00000000778b2842 3 bytes {JMP 0x15db90} .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1748] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778b2a00 5 bytes JMP 0000000077a101f0 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1748] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778b2a10 5 bytes JMP 0000000077a10210 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1748] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000778b2a80 5 bytes JMP 0000000077a10200 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1748] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000778b2ae0 5 bytes JMP 0000000077a103f0 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1748] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000778b2af0 5 bytes JMP 0000000077a10400 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1748] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000778b2b00 5 bytes JMP 0000000077a10220 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1748] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000778b2be0 5 bytes JMP 0000000077a10280 .text C:\Windows\Explorer.EXE[1792] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000778b13c0 5 bytes JMP 0000000077a10440 .text C:\Windows\Explorer.EXE[1792] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000778b1410 5 bytes JMP 0000000077a10430 .text C:\Windows\Explorer.EXE[1792] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000778b15c0 1 byte JMP 0000000077a10450 .text C:\Windows\Explorer.EXE[1792] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 00000000778b15c2 3 bytes {JMP 0x15ee90} .text C:\Windows\Explorer.EXE[1792] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000778b15d0 5 bytes JMP 0000000077a103b0 .text C:\Windows\Explorer.EXE[1792] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000778b1680 5 bytes JMP 0000000077a10320 .text C:\Windows\Explorer.EXE[1792] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000778b16b0 5 bytes JMP 0000000077a10380 .text C:\Windows\Explorer.EXE[1792] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778b1710 5 bytes JMP 0000000077a102e0 .text C:\Windows\Explorer.EXE[1792] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 00000000778b1760 5 bytes JMP 0000000077a10410 .text C:\Windows\Explorer.EXE[1792] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000778b1790 5 bytes JMP 0000000077a102d0 .text C:\Windows\Explorer.EXE[1792] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000778b17b0 5 bytes JMP 0000000077a10310 .text C:\Windows\Explorer.EXE[1792] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000778b17f0 5 bytes JMP 0000000077a10390 .text C:\Windows\Explorer.EXE[1792] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778b1840 5 bytes JMP 0000000077a103c0 .text C:\Windows\Explorer.EXE[1792] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000778b19a0 1 byte JMP 0000000077a10230 .text C:\Windows\Explorer.EXE[1792] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000778b19a2 3 bytes {JMP 0x15e890} .text C:\Windows\Explorer.EXE[1792] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000778b1b60 5 bytes JMP 0000000077a10460 .text C:\Windows\Explorer.EXE[1792] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000778b1b90 5 bytes JMP 0000000077a10370 .text C:\Windows\Explorer.EXE[1792] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000778b1c70 5 bytes JMP 0000000077a102f0 .text C:\Windows\Explorer.EXE[1792] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000778b1c80 5 bytes JMP 0000000077a10350 .text C:\Windows\Explorer.EXE[1792] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000778b1ce0 5 bytes JMP 0000000077a10290 .text C:\Windows\Explorer.EXE[1792] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000778b1d70 5 bytes JMP 0000000077a102b0 .text C:\Windows\Explorer.EXE[1792] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000778b1d90 5 bytes JMP 0000000077a103a0 .text C:\Windows\Explorer.EXE[1792] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000778b1da0 1 byte JMP 0000000077a10330 .text C:\Windows\Explorer.EXE[1792] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00000000778b1da2 3 bytes {JMP 0x15e590} .text C:\Windows\Explorer.EXE[1792] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000778b1e10 5 bytes JMP 0000000077a103e0 .text C:\Windows\Explorer.EXE[1792] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000778b1e40 5 bytes JMP 0000000077a10240 .text C:\Windows\Explorer.EXE[1792] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778b2100 5 bytes JMP 0000000077a101e0 .text C:\Windows\Explorer.EXE[1792] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000778b21c0 1 byte JMP 0000000077a10250 .text C:\Windows\Explorer.EXE[1792] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000778b21c2 3 bytes {JMP 0x15e090} .text C:\Windows\Explorer.EXE[1792] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000778b21f0 5 bytes JMP 0000000077a10470 .text C:\Windows\Explorer.EXE[1792] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778b2200 5 bytes JMP 0000000077a10480 .text C:\Windows\Explorer.EXE[1792] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778b2230 5 bytes JMP 0000000077a10300 .text C:\Windows\Explorer.EXE[1792] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778b2240 5 bytes JMP 0000000077a10360 .text C:\Windows\Explorer.EXE[1792] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000778b22a0 5 bytes JMP 0000000077a102a0 .text C:\Windows\Explorer.EXE[1792] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000778b22f0 5 bytes JMP 0000000077a102c0 .text C:\Windows\Explorer.EXE[1792] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778b2330 5 bytes JMP 0000000077a10340 .text C:\Windows\Explorer.EXE[1792] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000778b2620 5 bytes JMP 0000000077a10420 .text C:\Windows\Explorer.EXE[1792] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778b2820 5 bytes JMP 0000000077a10260 .text C:\Windows\Explorer.EXE[1792] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778b2830 5 bytes JMP 0000000077a10270 .text C:\Windows\Explorer.EXE[1792] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778b2840 1 byte JMP 0000000077a103d0 .text C:\Windows\Explorer.EXE[1792] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 00000000778b2842 3 bytes {JMP 0x15db90} .text C:\Windows\Explorer.EXE[1792] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778b2a00 5 bytes JMP 0000000077a101f0 .text C:\Windows\Explorer.EXE[1792] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778b2a10 5 bytes JMP 0000000077a10210 .text C:\Windows\Explorer.EXE[1792] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000778b2a80 5 bytes JMP 0000000077a10200 .text C:\Windows\Explorer.EXE[1792] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000778b2ae0 5 bytes JMP 0000000077a103f0 .text C:\Windows\Explorer.EXE[1792] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000778b2af0 5 bytes JMP 0000000077a10400 .text C:\Windows\Explorer.EXE[1792] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000778b2b00 5 bytes JMP 0000000077a10220 .text C:\Windows\Explorer.EXE[1792] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000778b2be0 5 bytes JMP 0000000077a10280 .text C:\Windows\Explorer.EXE[1792] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000772deecd 1 byte [62] .text C:\Windows\SysWow64\perfhost.exe[2112] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000076efa30a 1 byte [62] .text C:\Windows\System32\snmp.exe[2152] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000778b13c0 5 bytes JMP 0000000077a10440 .text C:\Windows\System32\snmp.exe[2152] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000778b1410 5 bytes JMP 0000000077a10430 .text C:\Windows\System32\snmp.exe[2152] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000778b15c0 1 byte JMP 0000000077a10450 .text C:\Windows\System32\snmp.exe[2152] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 00000000778b15c2 3 bytes {JMP 0x15ee90} .text C:\Windows\System32\snmp.exe[2152] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000778b15d0 5 bytes JMP 0000000077a103b0 .text C:\Windows\System32\snmp.exe[2152] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000778b1680 5 bytes JMP 0000000077a10320 .text C:\Windows\System32\snmp.exe[2152] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000778b16b0 5 bytes JMP 0000000077a10380 .text C:\Windows\System32\snmp.exe[2152] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778b1710 5 bytes JMP 0000000077a102e0 .text C:\Windows\System32\snmp.exe[2152] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 00000000778b1760 5 bytes JMP 0000000077a10410 .text C:\Windows\System32\snmp.exe[2152] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000778b1790 5 bytes JMP 0000000077a102d0 .text C:\Windows\System32\snmp.exe[2152] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000778b17b0 5 bytes JMP 0000000077a10310 .text C:\Windows\System32\snmp.exe[2152] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000778b17f0 5 bytes JMP 0000000077a10390 .text C:\Windows\System32\snmp.exe[2152] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778b1840 5 bytes JMP 0000000077a103c0 .text C:\Windows\System32\snmp.exe[2152] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000778b19a0 1 byte JMP 0000000077a10230 .text C:\Windows\System32\snmp.exe[2152] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000778b19a2 3 bytes {JMP 0x15e890} .text C:\Windows\System32\snmp.exe[2152] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000778b1b60 5 bytes JMP 0000000077a10460 .text C:\Windows\System32\snmp.exe[2152] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000778b1b90 5 bytes JMP 0000000077a10370 .text C:\Windows\System32\snmp.exe[2152] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000778b1c70 5 bytes JMP 0000000077a102f0 .text C:\Windows\System32\snmp.exe[2152] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000778b1c80 5 bytes JMP 0000000077a10350 .text C:\Windows\System32\snmp.exe[2152] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000778b1ce0 5 bytes JMP 0000000077a10290 .text C:\Windows\System32\snmp.exe[2152] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000778b1d70 5 bytes JMP 0000000077a102b0 .text C:\Windows\System32\snmp.exe[2152] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000778b1d90 5 bytes JMP 0000000077a103a0 .text C:\Windows\System32\snmp.exe[2152] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000778b1da0 1 byte JMP 0000000077a10330 .text C:\Windows\System32\snmp.exe[2152] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00000000778b1da2 3 bytes {JMP 0x15e590} .text C:\Windows\System32\snmp.exe[2152] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000778b1e10 5 bytes JMP 0000000077a103e0 .text C:\Windows\System32\snmp.exe[2152] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000778b1e40 5 bytes JMP 0000000077a10240 .text C:\Windows\System32\snmp.exe[2152] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778b2100 5 bytes JMP 0000000077a101e0 .text C:\Windows\System32\snmp.exe[2152] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000778b21c0 1 byte JMP 0000000077a10250 .text C:\Windows\System32\snmp.exe[2152] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000778b21c2 3 bytes {JMP 0x15e090} .text C:\Windows\System32\snmp.exe[2152] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000778b21f0 5 bytes JMP 0000000077a10470 .text C:\Windows\System32\snmp.exe[2152] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778b2200 5 bytes JMP 0000000077a10480 .text C:\Windows\System32\snmp.exe[2152] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778b2230 5 bytes JMP 0000000077a10300 .text C:\Windows\System32\snmp.exe[2152] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778b2240 5 bytes JMP 0000000077a10360 .text C:\Windows\System32\snmp.exe[2152] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000778b22a0 5 bytes JMP 0000000077a102a0 .text C:\Windows\System32\snmp.exe[2152] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000778b22f0 5 bytes JMP 0000000077a102c0 .text C:\Windows\System32\snmp.exe[2152] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778b2330 5 bytes JMP 0000000077a10340 .text C:\Windows\System32\snmp.exe[2152] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000778b2620 5 bytes JMP 0000000077a10420 .text C:\Windows\System32\snmp.exe[2152] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778b2820 5 bytes JMP 0000000077a10260 .text C:\Windows\System32\snmp.exe[2152] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778b2830 5 bytes JMP 0000000077a10270 .text C:\Windows\System32\snmp.exe[2152] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778b2840 1 byte JMP 0000000077a103d0 .text C:\Windows\System32\snmp.exe[2152] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 00000000778b2842 3 bytes {JMP 0x15db90} .text C:\Windows\System32\snmp.exe[2152] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778b2a00 5 bytes JMP 0000000077a101f0 .text C:\Windows\System32\snmp.exe[2152] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778b2a10 5 bytes JMP 0000000077a10210 .text C:\Windows\System32\snmp.exe[2152] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000778b2a80 5 bytes JMP 0000000077a10200 .text C:\Windows\System32\snmp.exe[2152] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000778b2ae0 5 bytes JMP 0000000077a103f0 .text C:\Windows\System32\snmp.exe[2152] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000778b2af0 5 bytes JMP 0000000077a10400 .text C:\Windows\System32\snmp.exe[2152] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000778b2b00 5 bytes JMP 0000000077a10220 .text C:\Windows\System32\snmp.exe[2152] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000778b2be0 5 bytes JMP 0000000077a10280 .text C:\Windows\System32\snmp.exe[2152] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000772deecd 1 byte [62] .text C:\Windows\system32\svchost.exe[2208] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000772deecd 1 byte [62] .text C:\Windows\system32\svchost.exe[2236] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000778b13c0 5 bytes JMP 0000000077a10440 .text C:\Windows\system32\svchost.exe[2236] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000778b1410 5 bytes JMP 0000000077a10430 .text C:\Windows\system32\svchost.exe[2236] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000778b15c0 1 byte JMP 0000000077a10450 .text C:\Windows\system32\svchost.exe[2236] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 00000000778b15c2 3 bytes {JMP 0x15ee90} .text C:\Windows\system32\svchost.exe[2236] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000778b15d0 5 bytes JMP 0000000077a103b0 .text C:\Windows\system32\svchost.exe[2236] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000778b1680 5 bytes JMP 0000000077a10320 .text C:\Windows\system32\svchost.exe[2236] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000778b16b0 5 bytes JMP 0000000077a10380 .text C:\Windows\system32\svchost.exe[2236] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778b1710 5 bytes JMP 0000000077a102e0 .text C:\Windows\system32\svchost.exe[2236] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 00000000778b1760 5 bytes JMP 0000000077a10410 .text C:\Windows\system32\svchost.exe[2236] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000778b1790 5 bytes JMP 0000000077a102d0 .text C:\Windows\system32\svchost.exe[2236] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000778b17b0 5 bytes JMP 0000000077a10310 .text C:\Windows\system32\svchost.exe[2236] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000778b17f0 5 bytes JMP 0000000077a10390 .text C:\Windows\system32\svchost.exe[2236] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778b1840 5 bytes JMP 0000000077a103c0 .text C:\Windows\system32\svchost.exe[2236] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000778b19a0 1 byte JMP 0000000077a10230 .text C:\Windows\system32\svchost.exe[2236] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000778b19a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\svchost.exe[2236] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000778b1b60 5 bytes JMP 0000000077a10460 .text C:\Windows\system32\svchost.exe[2236] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000778b1b90 5 bytes JMP 0000000077a10370 .text C:\Windows\system32\svchost.exe[2236] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000778b1c70 5 bytes JMP 0000000077a102f0 .text C:\Windows\system32\svchost.exe[2236] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000778b1c80 5 bytes JMP 0000000077a10350 .text C:\Windows\system32\svchost.exe[2236] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000778b1ce0 5 bytes JMP 0000000077a10290 .text C:\Windows\system32\svchost.exe[2236] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000778b1d70 5 bytes JMP 0000000077a102b0 .text C:\Windows\system32\svchost.exe[2236] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000778b1d90 5 bytes JMP 0000000077a103a0 .text C:\Windows\system32\svchost.exe[2236] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000778b1da0 1 byte JMP 0000000077a10330 .text C:\Windows\system32\svchost.exe[2236] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00000000778b1da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\svchost.exe[2236] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000778b1e10 5 bytes JMP 0000000077a103e0 .text C:\Windows\system32\svchost.exe[2236] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000778b1e40 5 bytes JMP 0000000077a10240 .text C:\Windows\system32\svchost.exe[2236] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778b2100 5 bytes JMP 0000000077a101e0 .text C:\Windows\system32\svchost.exe[2236] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000778b21c0 1 byte JMP 0000000077a10250 .text C:\Windows\system32\svchost.exe[2236] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000778b21c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\svchost.exe[2236] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000778b21f0 5 bytes JMP 0000000077a10470 .text C:\Windows\system32\svchost.exe[2236] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778b2200 5 bytes JMP 0000000077a10480 .text C:\Windows\system32\svchost.exe[2236] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778b2230 5 bytes JMP 0000000077a10300 .text C:\Windows\system32\svchost.exe[2236] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778b2240 5 bytes JMP 0000000077a10360 .text C:\Windows\system32\svchost.exe[2236] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000778b22a0 5 bytes JMP 0000000077a102a0 .text C:\Windows\system32\svchost.exe[2236] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000778b22f0 5 bytes JMP 0000000077a102c0 .text C:\Windows\system32\svchost.exe[2236] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778b2330 5 bytes JMP 0000000077a10340 .text C:\Windows\system32\svchost.exe[2236] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000778b2620 5 bytes JMP 0000000077a10420 .text C:\Windows\system32\svchost.exe[2236] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778b2820 5 bytes JMP 0000000077a10260 .text C:\Windows\system32\svchost.exe[2236] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778b2830 5 bytes JMP 0000000077a10270 .text C:\Windows\system32\svchost.exe[2236] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778b2840 1 byte JMP 0000000077a103d0 .text C:\Windows\system32\svchost.exe[2236] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 00000000778b2842 3 bytes {JMP 0x15db90} .text C:\Windows\system32\svchost.exe[2236] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778b2a00 5 bytes JMP 0000000077a101f0 .text C:\Windows\system32\svchost.exe[2236] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778b2a10 5 bytes JMP 0000000077a10210 .text C:\Windows\system32\svchost.exe[2236] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000778b2a80 5 bytes JMP 0000000077a10200 .text C:\Windows\system32\svchost.exe[2236] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000778b2ae0 5 bytes JMP 0000000077a103f0 .text C:\Windows\system32\svchost.exe[2236] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000778b2af0 5 bytes JMP 0000000077a10400 .text C:\Windows\system32\svchost.exe[2236] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000778b2b00 5 bytes JMP 0000000077a10220 .text C:\Windows\system32\svchost.exe[2236] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000778b2be0 5 bytes JMP 0000000077a10280 .text C:\Windows\system32\svchost.exe[2236] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000772deecd 1 byte [62] .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3036] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000778b13c0 5 bytes JMP 0000000077a10440 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3036] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000778b1410 5 bytes JMP 0000000077a10430 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3036] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000778b15c0 1 byte JMP 0000000077a10450 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3036] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 00000000778b15c2 3 bytes {JMP 0x15ee90} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3036] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000778b15d0 5 bytes JMP 0000000077a103b0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3036] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000778b1680 5 bytes JMP 0000000077a10320 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3036] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000778b16b0 5 bytes JMP 0000000077a10380 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3036] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778b1710 5 bytes JMP 0000000077a102e0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3036] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 00000000778b1760 5 bytes JMP 0000000077a10410 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3036] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000778b1790 5 bytes JMP 0000000077a102d0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3036] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000778b17b0 5 bytes JMP 0000000077a10310 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3036] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000778b17f0 5 bytes JMP 0000000077a10390 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3036] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778b1840 5 bytes JMP 0000000077a103c0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3036] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000778b19a0 1 byte JMP 0000000077a10230 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3036] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000778b19a2 3 bytes {JMP 0x15e890} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3036] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000778b1b60 5 bytes JMP 0000000077a10460 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3036] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000778b1b90 5 bytes JMP 0000000077a10370 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3036] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000778b1c70 5 bytes JMP 0000000077a102f0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3036] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000778b1c80 5 bytes JMP 0000000077a10350 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3036] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000778b1ce0 5 bytes JMP 0000000077a10290 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3036] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000778b1d70 5 bytes JMP 0000000077a102b0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3036] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000778b1d90 5 bytes JMP 0000000077a103a0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3036] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000778b1da0 1 byte JMP 0000000077a10330 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3036] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00000000778b1da2 3 bytes {JMP 0x15e590} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3036] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000778b1e10 5 bytes JMP 0000000077a103e0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3036] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000778b1e40 5 bytes JMP 0000000077a10240 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3036] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778b2100 5 bytes JMP 0000000077a101e0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3036] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000778b21c0 1 byte JMP 0000000077a10250 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3036] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000778b21c2 3 bytes {JMP 0x15e090} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3036] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000778b21f0 5 bytes JMP 0000000077a10470 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3036] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778b2200 5 bytes JMP 0000000077a10480 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3036] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778b2230 5 bytes JMP 0000000077a10300 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3036] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778b2240 5 bytes JMP 0000000077a10360 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3036] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000778b22a0 5 bytes JMP 0000000077a102a0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3036] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000778b22f0 5 bytes JMP 0000000077a102c0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3036] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778b2330 5 bytes JMP 0000000077a10340 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3036] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000778b2620 5 bytes JMP 0000000077a10420 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3036] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778b2820 5 bytes JMP 0000000077a10260 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3036] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778b2830 5 bytes JMP 0000000077a10270 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3036] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778b2840 1 byte JMP 0000000077a103d0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3036] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 00000000778b2842 3 bytes {JMP 0x15db90} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3036] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778b2a00 5 bytes JMP 0000000077a101f0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3036] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778b2a10 5 bytes JMP 0000000077a10210 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3036] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000778b2a80 5 bytes JMP 0000000077a10200 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3036] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000778b2ae0 5 bytes JMP 0000000077a103f0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3036] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000778b2af0 5 bytes JMP 0000000077a10400 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3036] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000778b2b00 5 bytes JMP 0000000077a10220 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3036] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000778b2be0 5 bytes JMP 0000000077a10280 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3036] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000772deecd 1 byte [62] .text C:\Program Files\GIGABYTE\SMART6\Recovery\RPMDaemon.exe[2404] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000778b13c0 5 bytes JMP 0000000077a10440 .text C:\Program Files\GIGABYTE\SMART6\Recovery\RPMDaemon.exe[2404] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000778b1410 5 bytes JMP 0000000077a10430 .text C:\Program Files\GIGABYTE\SMART6\Recovery\RPMDaemon.exe[2404] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000778b15c0 1 byte JMP 0000000077a10450 .text C:\Program Files\GIGABYTE\SMART6\Recovery\RPMDaemon.exe[2404] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 00000000778b15c2 3 bytes {JMP 0x15ee90} .text C:\Program Files\GIGABYTE\SMART6\Recovery\RPMDaemon.exe[2404] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000778b15d0 5 bytes JMP 0000000077a103b0 .text C:\Program Files\GIGABYTE\SMART6\Recovery\RPMDaemon.exe[2404] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000778b1680 5 bytes JMP 0000000077a10320 .text C:\Program Files\GIGABYTE\SMART6\Recovery\RPMDaemon.exe[2404] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000778b16b0 5 bytes JMP 0000000077a10380 .text C:\Program Files\GIGABYTE\SMART6\Recovery\RPMDaemon.exe[2404] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778b1710 5 bytes JMP 0000000077a102e0 .text C:\Program Files\GIGABYTE\SMART6\Recovery\RPMDaemon.exe[2404] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 00000000778b1760 5 bytes JMP 0000000077a10410 .text C:\Program Files\GIGABYTE\SMART6\Recovery\RPMDaemon.exe[2404] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000778b1790 5 bytes JMP 0000000077a102d0 .text C:\Program Files\GIGABYTE\SMART6\Recovery\RPMDaemon.exe[2404] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000778b17b0 5 bytes JMP 0000000077a10310 .text C:\Program Files\GIGABYTE\SMART6\Recovery\RPMDaemon.exe[2404] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000778b17f0 5 bytes JMP 0000000077a10390 .text C:\Program Files\GIGABYTE\SMART6\Recovery\RPMDaemon.exe[2404] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778b1840 5 bytes JMP 0000000077a103c0 .text C:\Program Files\GIGABYTE\SMART6\Recovery\RPMDaemon.exe[2404] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000778b19a0 1 byte JMP 0000000077a10230 .text C:\Program Files\GIGABYTE\SMART6\Recovery\RPMDaemon.exe[2404] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000778b19a2 3 bytes {JMP 0x15e890} .text C:\Program Files\GIGABYTE\SMART6\Recovery\RPMDaemon.exe[2404] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000778b1b60 5 bytes JMP 0000000077a10460 .text C:\Program Files\GIGABYTE\SMART6\Recovery\RPMDaemon.exe[2404] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000778b1b90 5 bytes JMP 0000000077a10370 .text C:\Program Files\GIGABYTE\SMART6\Recovery\RPMDaemon.exe[2404] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000778b1c70 5 bytes JMP 0000000077a102f0 .text C:\Program Files\GIGABYTE\SMART6\Recovery\RPMDaemon.exe[2404] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000778b1c80 5 bytes JMP 0000000077a10350 .text C:\Program Files\GIGABYTE\SMART6\Recovery\RPMDaemon.exe[2404] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000778b1ce0 5 bytes JMP 0000000077a10290 .text C:\Program Files\GIGABYTE\SMART6\Recovery\RPMDaemon.exe[2404] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000778b1d70 5 bytes JMP 0000000077a102b0 .text C:\Program Files\GIGABYTE\SMART6\Recovery\RPMDaemon.exe[2404] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000778b1d90 5 bytes JMP 0000000077a103a0 .text C:\Program Files\GIGABYTE\SMART6\Recovery\RPMDaemon.exe[2404] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000778b1da0 1 byte JMP 0000000077a10330 .text C:\Program Files\GIGABYTE\SMART6\Recovery\RPMDaemon.exe[2404] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00000000778b1da2 3 bytes {JMP 0x15e590} .text C:\Program Files\GIGABYTE\SMART6\Recovery\RPMDaemon.exe[2404] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000778b1e10 5 bytes JMP 0000000077a103e0 .text C:\Program Files\GIGABYTE\SMART6\Recovery\RPMDaemon.exe[2404] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000778b1e40 5 bytes JMP 0000000077a10240 .text C:\Program Files\GIGABYTE\SMART6\Recovery\RPMDaemon.exe[2404] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778b2100 5 bytes JMP 0000000077a101e0 .text C:\Program Files\GIGABYTE\SMART6\Recovery\RPMDaemon.exe[2404] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000778b21c0 1 byte JMP 0000000077a10250 .text C:\Program Files\GIGABYTE\SMART6\Recovery\RPMDaemon.exe[2404] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000778b21c2 3 bytes {JMP 0x15e090} .text C:\Program Files\GIGABYTE\SMART6\Recovery\RPMDaemon.exe[2404] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000778b21f0 5 bytes JMP 0000000077a10470 .text C:\Program Files\GIGABYTE\SMART6\Recovery\RPMDaemon.exe[2404] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778b2200 5 bytes JMP 0000000077a10480 .text C:\Program Files\GIGABYTE\SMART6\Recovery\RPMDaemon.exe[2404] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778b2230 5 bytes JMP 0000000077a10300 .text C:\Program Files\GIGABYTE\SMART6\Recovery\RPMDaemon.exe[2404] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778b2240 5 bytes JMP 0000000077a10360 .text C:\Program Files\GIGABYTE\SMART6\Recovery\RPMDaemon.exe[2404] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000778b22a0 5 bytes JMP 0000000077a102a0 .text C:\Program Files\GIGABYTE\SMART6\Recovery\RPMDaemon.exe[2404] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000778b22f0 5 bytes JMP 0000000077a102c0 .text C:\Program Files\GIGABYTE\SMART6\Recovery\RPMDaemon.exe[2404] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778b2330 5 bytes JMP 0000000077a10340 .text C:\Program Files\GIGABYTE\SMART6\Recovery\RPMDaemon.exe[2404] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000778b2620 5 bytes JMP 0000000077a10420 .text C:\Program Files\GIGABYTE\SMART6\Recovery\RPMDaemon.exe[2404] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778b2820 5 bytes JMP 0000000077a10260 .text C:\Program Files\GIGABYTE\SMART6\Recovery\RPMDaemon.exe[2404] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778b2830 5 bytes JMP 0000000077a10270 .text C:\Program Files\GIGABYTE\SMART6\Recovery\RPMDaemon.exe[2404] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778b2840 1 byte JMP 0000000077a103d0 .text C:\Program Files\GIGABYTE\SMART6\Recovery\RPMDaemon.exe[2404] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 00000000778b2842 3 bytes {JMP 0x15db90} .text C:\Program Files\GIGABYTE\SMART6\Recovery\RPMDaemon.exe[2404] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778b2a00 5 bytes JMP 0000000077a101f0 .text C:\Program Files\GIGABYTE\SMART6\Recovery\RPMDaemon.exe[2404] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778b2a10 5 bytes JMP 0000000077a10210 .text C:\Program Files\GIGABYTE\SMART6\Recovery\RPMDaemon.exe[2404] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000778b2a80 5 bytes JMP 0000000077a10200 .text C:\Program Files\GIGABYTE\SMART6\Recovery\RPMDaemon.exe[2404] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000778b2ae0 5 bytes JMP 0000000077a103f0 .text C:\Program Files\GIGABYTE\SMART6\Recovery\RPMDaemon.exe[2404] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000778b2af0 5 bytes JMP 0000000077a10400 .text C:\Program Files\GIGABYTE\SMART6\Recovery\RPMDaemon.exe[2404] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000778b2b00 5 bytes JMP 0000000077a10220 .text C:\Program Files\GIGABYTE\SMART6\Recovery\RPMDaemon.exe[2404] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000778b2be0 5 bytes JMP 0000000077a10280 .text C:\Program Files\GIGABYTE\SMART6\Recovery\RPMDaemon.exe[2404] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000772deecd 1 byte [62] .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2796] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000076efa30a 1 byte [62] .text C:\Program Files (x86)\Common Files\InstallShield\UpdateService\issch.exe[2788] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000076efa30a 1 byte [62] .text C:\Windows\system32\SearchIndexer.exe[3168] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000778b13c0 5 bytes JMP 0000000077a10440 .text C:\Windows\system32\SearchIndexer.exe[3168] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000778b1410 5 bytes JMP 0000000077a10430 .text C:\Windows\system32\SearchIndexer.exe[3168] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000778b15c0 1 byte JMP 0000000077a10450 .text C:\Windows\system32\SearchIndexer.exe[3168] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 00000000778b15c2 3 bytes {JMP 0x15ee90} .text C:\Windows\system32\SearchIndexer.exe[3168] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000778b15d0 5 bytes JMP 0000000077a103b0 .text C:\Windows\system32\SearchIndexer.exe[3168] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000778b1680 5 bytes JMP 0000000077a10320 .text C:\Windows\system32\SearchIndexer.exe[3168] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000778b16b0 5 bytes JMP 0000000077a10380 .text C:\Windows\system32\SearchIndexer.exe[3168] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778b1710 5 bytes JMP 0000000077a102e0 .text C:\Windows\system32\SearchIndexer.exe[3168] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 00000000778b1760 5 bytes JMP 0000000077a10410 .text C:\Windows\system32\SearchIndexer.exe[3168] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000778b1790 5 bytes JMP 0000000077a102d0 .text C:\Windows\system32\SearchIndexer.exe[3168] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000778b17b0 5 bytes JMP 0000000077a10310 .text C:\Windows\system32\SearchIndexer.exe[3168] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000778b17f0 5 bytes JMP 0000000077a10390 .text C:\Windows\system32\SearchIndexer.exe[3168] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778b1840 5 bytes JMP 0000000077a103c0 .text C:\Windows\system32\SearchIndexer.exe[3168] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000778b19a0 1 byte JMP 0000000077a10230 .text C:\Windows\system32\SearchIndexer.exe[3168] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000778b19a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\SearchIndexer.exe[3168] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000778b1b60 5 bytes JMP 0000000077a10460 .text C:\Windows\system32\SearchIndexer.exe[3168] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000778b1b90 5 bytes JMP 0000000077a10370 .text C:\Windows\system32\SearchIndexer.exe[3168] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000778b1c70 5 bytes JMP 0000000077a102f0 .text C:\Windows\system32\SearchIndexer.exe[3168] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000778b1c80 5 bytes JMP 0000000077a10350 .text C:\Windows\system32\SearchIndexer.exe[3168] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000778b1ce0 5 bytes JMP 0000000077a10290 .text C:\Windows\system32\SearchIndexer.exe[3168] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000778b1d70 5 bytes JMP 0000000077a102b0 .text C:\Windows\system32\SearchIndexer.exe[3168] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000778b1d90 5 bytes JMP 0000000077a103a0 .text C:\Windows\system32\SearchIndexer.exe[3168] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000778b1da0 1 byte JMP 0000000077a10330 .text C:\Windows\system32\SearchIndexer.exe[3168] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00000000778b1da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\SearchIndexer.exe[3168] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000778b1e10 5 bytes JMP 0000000077a103e0 .text C:\Windows\system32\SearchIndexer.exe[3168] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000778b1e40 5 bytes JMP 0000000077a10240 .text C:\Windows\system32\SearchIndexer.exe[3168] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778b2100 5 bytes JMP 0000000077a101e0 .text C:\Windows\system32\SearchIndexer.exe[3168] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000778b21c0 1 byte JMP 0000000077a10250 .text C:\Windows\system32\SearchIndexer.exe[3168] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000778b21c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\SearchIndexer.exe[3168] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000778b21f0 5 bytes JMP 0000000077a10470 .text C:\Windows\system32\SearchIndexer.exe[3168] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778b2200 5 bytes JMP 0000000077a10480 .text C:\Windows\system32\SearchIndexer.exe[3168] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778b2230 5 bytes JMP 0000000077a10300 .text C:\Windows\system32\SearchIndexer.exe[3168] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778b2240 5 bytes JMP 0000000077a10360 .text C:\Windows\system32\SearchIndexer.exe[3168] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000778b22a0 5 bytes JMP 0000000077a102a0 .text C:\Windows\system32\SearchIndexer.exe[3168] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000778b22f0 5 bytes JMP 0000000077a102c0 .text C:\Windows\system32\SearchIndexer.exe[3168] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778b2330 5 bytes JMP 0000000077a10340 .text C:\Windows\system32\SearchIndexer.exe[3168] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000778b2620 5 bytes JMP 0000000077a10420 .text C:\Windows\system32\SearchIndexer.exe[3168] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778b2820 5 bytes JMP 0000000077a10260 .text C:\Windows\system32\SearchIndexer.exe[3168] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778b2830 5 bytes JMP 0000000077a10270 .text C:\Windows\system32\SearchIndexer.exe[3168] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778b2840 1 byte JMP 0000000077a103d0 .text C:\Windows\system32\SearchIndexer.exe[3168] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 00000000778b2842 3 bytes {JMP 0x15db90} .text C:\Windows\system32\SearchIndexer.exe[3168] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778b2a00 5 bytes JMP 0000000077a101f0 .text C:\Windows\system32\SearchIndexer.exe[3168] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778b2a10 5 bytes JMP 0000000077a10210 .text C:\Windows\system32\SearchIndexer.exe[3168] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000778b2a80 5 bytes JMP 0000000077a10200 .text C:\Windows\system32\SearchIndexer.exe[3168] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000778b2ae0 5 bytes JMP 0000000077a103f0 .text C:\Windows\system32\SearchIndexer.exe[3168] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000778b2af0 5 bytes JMP 0000000077a10400 .text C:\Windows\system32\SearchIndexer.exe[3168] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000778b2b00 5 bytes JMP 0000000077a10220 .text C:\Windows\system32\SearchIndexer.exe[3168] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000778b2be0 5 bytes JMP 0000000077a10280 .text C:\Windows\system32\SearchIndexer.exe[3168] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000772deecd 1 byte [62] .text C:\Windows\System32\svchost.exe[3352] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000778b13c0 5 bytes JMP 0000000077a10440 .text C:\Windows\System32\svchost.exe[3352] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000778b1410 5 bytes JMP 0000000077a10430 .text C:\Windows\System32\svchost.exe[3352] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000778b15c0 1 byte JMP 0000000077a10450 .text C:\Windows\System32\svchost.exe[3352] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 00000000778b15c2 3 bytes {JMP 0x15ee90} .text C:\Windows\System32\svchost.exe[3352] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000778b15d0 5 bytes JMP 0000000077a103b0 .text C:\Windows\System32\svchost.exe[3352] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000778b1680 5 bytes JMP 0000000077a10320 .text C:\Windows\System32\svchost.exe[3352] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000778b16b0 5 bytes JMP 0000000077a10380 .text C:\Windows\System32\svchost.exe[3352] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778b1710 5 bytes JMP 0000000077a102e0 .text C:\Windows\System32\svchost.exe[3352] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 00000000778b1760 5 bytes JMP 0000000077a10410 .text C:\Windows\System32\svchost.exe[3352] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000778b1790 5 bytes JMP 0000000077a102d0 .text C:\Windows\System32\svchost.exe[3352] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000778b17b0 5 bytes JMP 0000000077a10310 .text C:\Windows\System32\svchost.exe[3352] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000778b17f0 5 bytes JMP 0000000077a10390 .text C:\Windows\System32\svchost.exe[3352] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778b1840 5 bytes JMP 0000000077a103c0 .text C:\Windows\System32\svchost.exe[3352] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000778b19a0 1 byte JMP 0000000077a10230 .text C:\Windows\System32\svchost.exe[3352] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000778b19a2 3 bytes {JMP 0x15e890} .text C:\Windows\System32\svchost.exe[3352] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000778b1b60 5 bytes JMP 0000000077a10460 .text C:\Windows\System32\svchost.exe[3352] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000778b1b90 5 bytes JMP 0000000077a10370 .text C:\Windows\System32\svchost.exe[3352] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000778b1c70 5 bytes JMP 0000000077a102f0 .text C:\Windows\System32\svchost.exe[3352] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000778b1c80 5 bytes JMP 0000000077a10350 .text C:\Windows\System32\svchost.exe[3352] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000778b1ce0 5 bytes JMP 0000000077a10290 .text C:\Windows\System32\svchost.exe[3352] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000778b1d70 5 bytes JMP 0000000077a102b0 .text C:\Windows\System32\svchost.exe[3352] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000778b1d90 5 bytes JMP 0000000077a103a0 .text C:\Windows\System32\svchost.exe[3352] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000778b1da0 1 byte JMP 0000000077a10330 .text C:\Windows\System32\svchost.exe[3352] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00000000778b1da2 3 bytes {JMP 0x15e590} .text C:\Windows\System32\svchost.exe[3352] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000778b1e10 5 bytes JMP 0000000077a103e0 .text C:\Windows\System32\svchost.exe[3352] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000778b1e40 5 bytes JMP 0000000077a10240 .text C:\Windows\System32\svchost.exe[3352] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778b2100 5 bytes JMP 0000000077a101e0 .text C:\Windows\System32\svchost.exe[3352] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000778b21c0 1 byte JMP 0000000077a10250 .text C:\Windows\System32\svchost.exe[3352] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000778b21c2 3 bytes {JMP 0x15e090} .text C:\Windows\System32\svchost.exe[3352] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000778b21f0 5 bytes JMP 0000000077a10470 .text C:\Windows\System32\svchost.exe[3352] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778b2200 5 bytes JMP 0000000077a10480 .text C:\Windows\System32\svchost.exe[3352] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778b2230 5 bytes JMP 0000000077a10300 .text C:\Windows\System32\svchost.exe[3352] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778b2240 5 bytes JMP 0000000077a10360 .text C:\Windows\System32\svchost.exe[3352] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000778b22a0 5 bytes JMP 0000000077a102a0 .text C:\Windows\System32\svchost.exe[3352] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000778b22f0 5 bytes JMP 0000000077a102c0 .text C:\Windows\System32\svchost.exe[3352] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778b2330 5 bytes JMP 0000000077a10340 .text C:\Windows\System32\svchost.exe[3352] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000778b2620 5 bytes JMP 0000000077a10420 .text C:\Windows\System32\svchost.exe[3352] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778b2820 5 bytes JMP 0000000077a10260 .text C:\Windows\System32\svchost.exe[3352] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778b2830 5 bytes JMP 0000000077a10270 .text C:\Windows\System32\svchost.exe[3352] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778b2840 1 byte JMP 0000000077a103d0 .text C:\Windows\System32\svchost.exe[3352] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 00000000778b2842 3 bytes {JMP 0x15db90} .text C:\Windows\System32\svchost.exe[3352] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778b2a00 5 bytes JMP 0000000077a101f0 .text C:\Windows\System32\svchost.exe[3352] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778b2a10 5 bytes JMP 0000000077a10210 .text C:\Windows\System32\svchost.exe[3352] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000778b2a80 5 bytes JMP 0000000077a10200 .text C:\Windows\System32\svchost.exe[3352] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000778b2ae0 5 bytes JMP 0000000077a103f0 .text C:\Windows\System32\svchost.exe[3352] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000778b2af0 5 bytes JMP 0000000077a10400 .text C:\Windows\System32\svchost.exe[3352] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000778b2b00 5 bytes JMP 0000000077a10220 .text C:\Windows\System32\svchost.exe[3352] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000778b2be0 5 bytes JMP 0000000077a10280 .text C:\Windows\system32\AUDIODG.EXE[1856] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000778b13c0 5 bytes JMP 0000000077a10440 .text C:\Windows\system32\AUDIODG.EXE[1856] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000778b1410 5 bytes JMP 0000000077a10430 .text C:\Windows\system32\AUDIODG.EXE[1856] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000778b15c0 1 byte JMP 0000000077a10450 .text C:\Windows\system32\AUDIODG.EXE[1856] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 00000000778b15c2 3 bytes {JMP 0x15ee90} .text C:\Windows\system32\AUDIODG.EXE[1856] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000778b15d0 5 bytes JMP 0000000077a103b0 .text C:\Windows\system32\AUDIODG.EXE[1856] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000778b1680 5 bytes JMP 0000000077a10320 .text C:\Windows\system32\AUDIODG.EXE[1856] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000778b16b0 5 bytes JMP 0000000077a10380 .text C:\Windows\system32\AUDIODG.EXE[1856] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778b1710 5 bytes JMP 0000000077a102e0 .text C:\Windows\system32\AUDIODG.EXE[1856] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 00000000778b1760 5 bytes JMP 0000000077a10410 .text C:\Windows\system32\AUDIODG.EXE[1856] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000778b1790 5 bytes JMP 0000000077a102d0 .text C:\Windows\system32\AUDIODG.EXE[1856] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000778b17b0 5 bytes JMP 0000000077a10310 .text C:\Windows\system32\AUDIODG.EXE[1856] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000778b17f0 5 bytes JMP 0000000077a10390 .text C:\Windows\system32\AUDIODG.EXE[1856] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778b1840 5 bytes JMP 0000000077a103c0 .text C:\Windows\system32\AUDIODG.EXE[1856] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000778b19a0 1 byte JMP 0000000077a10230 .text C:\Windows\system32\AUDIODG.EXE[1856] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000778b19a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\AUDIODG.EXE[1856] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000778b1b60 5 bytes JMP 0000000077a10460 .text C:\Windows\system32\AUDIODG.EXE[1856] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000778b1b90 5 bytes JMP 0000000077a10370 .text C:\Windows\system32\AUDIODG.EXE[1856] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000778b1c70 5 bytes JMP 0000000077a102f0 .text C:\Windows\system32\AUDIODG.EXE[1856] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000778b1c80 5 bytes JMP 0000000077a10350 .text C:\Windows\system32\AUDIODG.EXE[1856] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000778b1ce0 5 bytes JMP 0000000077a10290 .text C:\Windows\system32\AUDIODG.EXE[1856] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000778b1d70 5 bytes JMP 0000000077a102b0 .text C:\Windows\system32\AUDIODG.EXE[1856] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000778b1d90 5 bytes JMP 0000000077a103a0 .text C:\Windows\system32\AUDIODG.EXE[1856] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000778b1da0 1 byte JMP 0000000077a10330 .text C:\Windows\system32\AUDIODG.EXE[1856] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00000000778b1da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\AUDIODG.EXE[1856] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000778b1e10 5 bytes JMP 0000000077a103e0 .text C:\Windows\system32\AUDIODG.EXE[1856] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000778b1e40 5 bytes JMP 0000000077a10240 .text C:\Windows\system32\AUDIODG.EXE[1856] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778b2100 5 bytes JMP 0000000077a101e0 .text C:\Windows\system32\AUDIODG.EXE[1856] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000778b21c0 1 byte JMP 0000000077a10250 .text C:\Windows\system32\AUDIODG.EXE[1856] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000778b21c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\AUDIODG.EXE[1856] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000778b21f0 5 bytes JMP 0000000077a10470 .text C:\Windows\system32\AUDIODG.EXE[1856] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778b2200 5 bytes JMP 0000000077a10480 .text C:\Windows\system32\AUDIODG.EXE[1856] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778b2230 5 bytes JMP 0000000077a10300 .text C:\Windows\system32\AUDIODG.EXE[1856] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778b2240 5 bytes JMP 0000000077a10360 .text C:\Windows\system32\AUDIODG.EXE[1856] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000778b22a0 5 bytes JMP 0000000077a102a0 .text C:\Windows\system32\AUDIODG.EXE[1856] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000778b22f0 5 bytes JMP 0000000077a102c0 .text C:\Windows\system32\AUDIODG.EXE[1856] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778b2330 5 bytes JMP 0000000077a10340 .text C:\Windows\system32\AUDIODG.EXE[1856] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000778b2620 5 bytes JMP 0000000077a10420 .text C:\Windows\system32\AUDIODG.EXE[1856] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778b2820 5 bytes JMP 0000000077a10260 .text C:\Windows\system32\AUDIODG.EXE[1856] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778b2830 5 bytes JMP 0000000077a10270 .text C:\Windows\system32\AUDIODG.EXE[1856] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778b2840 1 byte JMP 0000000077a103d0 .text C:\Windows\system32\AUDIODG.EXE[1856] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 00000000778b2842 3 bytes {JMP 0x15db90} .text C:\Windows\system32\AUDIODG.EXE[1856] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778b2a00 5 bytes JMP 0000000077a101f0 .text C:\Windows\system32\AUDIODG.EXE[1856] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778b2a10 5 bytes JMP 0000000077a10210 .text C:\Windows\system32\AUDIODG.EXE[1856] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000778b2a80 5 bytes JMP 0000000077a10200 .text C:\Windows\system32\AUDIODG.EXE[1856] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000778b2ae0 5 bytes JMP 0000000077a103f0 .text C:\Windows\system32\AUDIODG.EXE[1856] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000778b2af0 5 bytes JMP 0000000077a10400 .text C:\Windows\system32\AUDIODG.EXE[1856] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000778b2b00 5 bytes JMP 0000000077a10220 .text C:\Windows\system32\AUDIODG.EXE[1856] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000778b2be0 5 bytes JMP 0000000077a10280 .text C:\Windows\system32\AUDIODG.EXE[1856] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000772deecd 1 byte [62] .text C:\Windows\system32\SearchProtocolHost.exe[2528] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000778b13c0 5 bytes JMP 0000000077a10440 .text C:\Windows\system32\SearchProtocolHost.exe[2528] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000778b1410 5 bytes JMP 0000000077a10430 .text C:\Windows\system32\SearchProtocolHost.exe[2528] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000778b15c0 1 byte JMP 0000000077a10450 .text C:\Windows\system32\SearchProtocolHost.exe[2528] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 00000000778b15c2 3 bytes {JMP 0x15ee90} .text C:\Windows\system32\SearchProtocolHost.exe[2528] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000778b15d0 5 bytes JMP 0000000077a103b0 .text C:\Windows\system32\SearchProtocolHost.exe[2528] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000778b1680 5 bytes JMP 0000000077a10320 .text C:\Windows\system32\SearchProtocolHost.exe[2528] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000778b16b0 5 bytes JMP 0000000077a10380 .text C:\Windows\system32\SearchProtocolHost.exe[2528] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778b1710 5 bytes JMP 0000000077a102e0 .text C:\Windows\system32\SearchProtocolHost.exe[2528] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 00000000778b1760 5 bytes JMP 0000000077a10410 .text C:\Windows\system32\SearchProtocolHost.exe[2528] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000778b1790 5 bytes JMP 0000000077a102d0 .text C:\Windows\system32\SearchProtocolHost.exe[2528] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000778b17b0 5 bytes JMP 0000000077a10310 .text C:\Windows\system32\SearchProtocolHost.exe[2528] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000778b17f0 5 bytes JMP 0000000077a10390 .text C:\Windows\system32\SearchProtocolHost.exe[2528] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778b1840 5 bytes JMP 0000000077a103c0 .text C:\Windows\system32\SearchProtocolHost.exe[2528] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000778b19a0 1 byte JMP 0000000077a10230 .text C:\Windows\system32\SearchProtocolHost.exe[2528] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000778b19a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\SearchProtocolHost.exe[2528] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000778b1b60 5 bytes JMP 0000000077a10460 .text C:\Windows\system32\SearchProtocolHost.exe[2528] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000778b1b90 5 bytes JMP 0000000077a10370 .text C:\Windows\system32\SearchProtocolHost.exe[2528] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000778b1c70 5 bytes JMP 0000000077a102f0 .text C:\Windows\system32\SearchProtocolHost.exe[2528] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000778b1c80 5 bytes JMP 0000000077a10350 .text C:\Windows\system32\SearchProtocolHost.exe[2528] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000778b1ce0 5 bytes JMP 0000000077a10290 .text C:\Windows\system32\SearchProtocolHost.exe[2528] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000778b1d70 5 bytes JMP 0000000077a102b0 .text C:\Windows\system32\SearchProtocolHost.exe[2528] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000778b1d90 5 bytes JMP 0000000077a103a0 .text C:\Windows\system32\SearchProtocolHost.exe[2528] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000778b1da0 1 byte JMP 0000000077a10330 .text C:\Windows\system32\SearchProtocolHost.exe[2528] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00000000778b1da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\SearchProtocolHost.exe[2528] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000778b1e10 5 bytes JMP 0000000077a103e0 .text C:\Windows\system32\SearchProtocolHost.exe[2528] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000778b1e40 5 bytes JMP 0000000077a10240 .text C:\Windows\system32\SearchProtocolHost.exe[2528] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778b2100 5 bytes JMP 0000000077a101e0 .text C:\Windows\system32\SearchProtocolHost.exe[2528] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000778b21c0 1 byte JMP 0000000077a10250 .text C:\Windows\system32\SearchProtocolHost.exe[2528] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000778b21c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\SearchProtocolHost.exe[2528] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000778b21f0 5 bytes JMP 0000000077a10470 .text C:\Windows\system32\SearchProtocolHost.exe[2528] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778b2200 5 bytes JMP 0000000077a10480 .text C:\Windows\system32\SearchProtocolHost.exe[2528] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778b2230 5 bytes JMP 0000000077a10300 .text C:\Windows\system32\SearchProtocolHost.exe[2528] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778b2240 5 bytes JMP 0000000077a10360 .text C:\Windows\system32\SearchProtocolHost.exe[2528] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000778b22a0 5 bytes JMP 0000000077a102a0 .text C:\Windows\system32\SearchProtocolHost.exe[2528] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000778b22f0 5 bytes JMP 0000000077a102c0 .text C:\Windows\system32\SearchProtocolHost.exe[2528] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778b2330 5 bytes JMP 0000000077a10340 .text C:\Windows\system32\SearchProtocolHost.exe[2528] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000778b2620 5 bytes JMP 0000000077a10420 .text C:\Windows\system32\SearchProtocolHost.exe[2528] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778b2820 5 bytes JMP 0000000077a10260 .text C:\Windows\system32\SearchProtocolHost.exe[2528] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778b2830 5 bytes JMP 0000000077a10270 .text C:\Windows\system32\SearchProtocolHost.exe[2528] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778b2840 1 byte JMP 0000000077a103d0 .text C:\Windows\system32\SearchProtocolHost.exe[2528] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 00000000778b2842 3 bytes {JMP 0x15db90} .text C:\Windows\system32\SearchProtocolHost.exe[2528] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778b2a00 5 bytes JMP 0000000077a101f0 .text C:\Windows\system32\SearchProtocolHost.exe[2528] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778b2a10 5 bytes JMP 0000000077a10210 .text C:\Windows\system32\SearchProtocolHost.exe[2528] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000778b2a80 5 bytes JMP 0000000077a10200 .text C:\Windows\system32\SearchProtocolHost.exe[2528] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000778b2ae0 5 bytes JMP 0000000077a103f0 .text C:\Windows\system32\SearchProtocolHost.exe[2528] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000778b2af0 5 bytes JMP 0000000077a10400 .text C:\Windows\system32\SearchProtocolHost.exe[2528] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000778b2b00 5 bytes JMP 0000000077a10220 .text C:\Windows\system32\SearchProtocolHost.exe[2528] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000778b2be0 5 bytes JMP 0000000077a10280 .text C:\Windows\system32\SearchProtocolHost.exe[2528] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000772deecd 1 byte [62] .text C:\Windows\system32\SearchFilterHost.exe[3788] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000778b13c0 5 bytes JMP 0000000077a10440 .text C:\Windows\system32\SearchFilterHost.exe[3788] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000778b1410 5 bytes JMP 0000000077a10430 .text C:\Windows\system32\SearchFilterHost.exe[3788] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000778b15c0 1 byte JMP 0000000077a10450 .text C:\Windows\system32\SearchFilterHost.exe[3788] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 00000000778b15c2 3 bytes {JMP 0x15ee90} .text C:\Windows\system32\SearchFilterHost.exe[3788] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000778b15d0 5 bytes JMP 0000000077a103b0 .text C:\Windows\system32\SearchFilterHost.exe[3788] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000778b1680 5 bytes JMP 0000000077a10320 .text C:\Windows\system32\SearchFilterHost.exe[3788] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000778b16b0 5 bytes JMP 0000000077a10380 .text C:\Windows\system32\SearchFilterHost.exe[3788] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778b1710 5 bytes JMP 0000000077a102e0 .text C:\Windows\system32\SearchFilterHost.exe[3788] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 00000000778b1760 5 bytes JMP 0000000077a10410 .text C:\Windows\system32\SearchFilterHost.exe[3788] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000778b1790 5 bytes JMP 0000000077a102d0 .text C:\Windows\system32\SearchFilterHost.exe[3788] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000778b17b0 5 bytes JMP 0000000077a10310 .text C:\Windows\system32\SearchFilterHost.exe[3788] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000778b17f0 5 bytes JMP 0000000077a10390 .text C:\Windows\system32\SearchFilterHost.exe[3788] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778b1840 5 bytes JMP 0000000077a103c0 .text C:\Windows\system32\SearchFilterHost.exe[3788] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000778b19a0 1 byte JMP 0000000077a10230 .text C:\Windows\system32\SearchFilterHost.exe[3788] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000778b19a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\SearchFilterHost.exe[3788] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000778b1b60 5 bytes JMP 0000000077a10460 .text C:\Windows\system32\SearchFilterHost.exe[3788] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000778b1b90 5 bytes JMP 0000000077a10370 .text C:\Windows\system32\SearchFilterHost.exe[3788] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000778b1c70 5 bytes JMP 0000000077a102f0 .text C:\Windows\system32\SearchFilterHost.exe[3788] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000778b1c80 5 bytes JMP 0000000077a10350 .text C:\Windows\system32\SearchFilterHost.exe[3788] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000778b1ce0 5 bytes JMP 0000000077a10290 .text C:\Windows\system32\SearchFilterHost.exe[3788] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000778b1d70 5 bytes JMP 0000000077a102b0 .text C:\Windows\system32\SearchFilterHost.exe[3788] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000778b1d90 5 bytes JMP 0000000077a103a0 .text C:\Windows\system32\SearchFilterHost.exe[3788] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000778b1da0 1 byte JMP 0000000077a10330 .text C:\Windows\system32\SearchFilterHost.exe[3788] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00000000778b1da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\SearchFilterHost.exe[3788] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000778b1e10 5 bytes JMP 0000000077a103e0 .text C:\Windows\system32\SearchFilterHost.exe[3788] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000778b1e40 5 bytes JMP 0000000077a10240 .text C:\Windows\system32\SearchFilterHost.exe[3788] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778b2100 5 bytes JMP 0000000077a101e0 .text C:\Windows\system32\SearchFilterHost.exe[3788] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000778b21c0 1 byte JMP 0000000077a10250 .text C:\Windows\system32\SearchFilterHost.exe[3788] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000778b21c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\SearchFilterHost.exe[3788] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000778b21f0 5 bytes JMP 0000000077a10470 .text C:\Windows\system32\SearchFilterHost.exe[3788] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778b2200 5 bytes JMP 0000000077a10480 .text C:\Windows\system32\SearchFilterHost.exe[3788] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778b2230 5 bytes JMP 0000000077a10300 .text C:\Windows\system32\SearchFilterHost.exe[3788] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778b2240 5 bytes JMP 0000000077a10360 .text C:\Windows\system32\SearchFilterHost.exe[3788] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000778b22a0 5 bytes JMP 0000000077a102a0 .text C:\Windows\system32\SearchFilterHost.exe[3788] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000778b22f0 5 bytes JMP 0000000077a102c0 .text C:\Windows\system32\SearchFilterHost.exe[3788] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778b2330 5 bytes JMP 0000000077a10340 .text C:\Windows\system32\SearchFilterHost.exe[3788] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000778b2620 5 bytes JMP 0000000077a10420 .text C:\Windows\system32\SearchFilterHost.exe[3788] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778b2820 5 bytes JMP 0000000077a10260 .text C:\Windows\system32\SearchFilterHost.exe[3788] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778b2830 5 bytes JMP 0000000077a10270 .text C:\Windows\system32\SearchFilterHost.exe[3788] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778b2840 1 byte JMP 0000000077a103d0 .text C:\Windows\system32\SearchFilterHost.exe[3788] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 00000000778b2842 3 bytes {JMP 0x15db90} .text C:\Windows\system32\SearchFilterHost.exe[3788] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778b2a00 5 bytes JMP 0000000077a101f0 .text C:\Windows\system32\SearchFilterHost.exe[3788] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778b2a10 5 bytes JMP 0000000077a10210 .text C:\Windows\system32\SearchFilterHost.exe[3788] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000778b2a80 5 bytes JMP 0000000077a10200 .text C:\Windows\system32\SearchFilterHost.exe[3788] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000778b2ae0 5 bytes JMP 0000000077a103f0 .text C:\Windows\system32\SearchFilterHost.exe[3788] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000778b2af0 5 bytes JMP 0000000077a10400 .text C:\Windows\system32\SearchFilterHost.exe[3788] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000778b2b00 5 bytes JMP 0000000077a10220 .text C:\Windows\system32\SearchFilterHost.exe[3788] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000778b2be0 5 bytes JMP 0000000077a10280 .text C:\Windows\system32\SearchFilterHost.exe[3788] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000772deecd 1 byte [62] .text C:\Users\Filip\Desktop\xsuhei6j.exe[3976] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000076efa30a 1 byte [62] ---- EOF - GMER 2.0 ----