GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2014-06-08 13:57:07 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 TOSHIBA_MQ01ABF032 rev.AM001A 298,09GB Running: 035i8fv3.exe; Driver: C:\Users\BW\AppData\Local\Temp\uglcyaoc.sys ---- User code sections - GMER 2.1 ---- .text C:\Windows\system32\csrss.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077421360 5 bytes JMP 000000014a380460 .text C:\Windows\system32\csrss.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000774213b0 5 bytes JMP 000000014a380450 .text C:\Windows\system32\csrss.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077421510 5 bytes JMP 000000014a380370 .text C:\Windows\system32\csrss.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077421560 5 bytes JMP 000000014a380470 .text C:\Windows\system32\csrss.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077421570 5 bytes JMP 000000014a3803e0 .text C:\Windows\system32\csrss.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077421620 5 bytes JMP 000000014a380320 .text C:\Windows\system32\csrss.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077421650 5 bytes JMP 000000014a3803b0 .text C:\Windows\system32\csrss.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077421670 5 bytes JMP 000000014a380390 .text C:\Windows\system32\csrss.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000774216b0 5 bytes JMP 000000014a3802e0 .text C:\Windows\system32\csrss.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077421730 5 bytes JMP 000000014a3802d0 .text C:\Windows\system32\csrss.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077421750 5 bytes JMP 000000014a380310 .text C:\Windows\system32\csrss.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077421790 5 bytes JMP 000000014a3803c0 .text C:\Windows\system32\csrss.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000774217e0 5 bytes JMP 000000014a3803f0 .text C:\Windows\system32\csrss.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077421940 5 bytes JMP 000000014a380230 .text C:\Windows\system32\csrss.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077421b00 5 bytes JMP 000000014a380480 .text C:\Windows\system32\csrss.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077421b30 5 bytes JMP 000000014a3803a0 .text C:\Windows\system32\csrss.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077421c10 5 bytes JMP 000000014a3802f0 .text C:\Windows\system32\csrss.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077421c20 5 bytes JMP 000000014a380350 .text C:\Windows\system32\csrss.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077421c80 5 bytes JMP 000000014a380290 .text C:\Windows\system32\csrss.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077421d10 5 bytes JMP 000000014a3802b0 .text C:\Windows\system32\csrss.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077421d30 5 bytes JMP 000000014a3803d0 .text C:\Windows\system32\csrss.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077421d40 5 bytes JMP 000000014a380330 .text C:\Windows\system32\csrss.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077421db0 5 bytes JMP 000000014a380410 .text C:\Windows\system32\csrss.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077421de0 5 bytes JMP 000000014a380240 .text C:\Windows\system32\csrss.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000774220a0 5 bytes JMP 000000014a3801e0 .text C:\Windows\system32\csrss.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077422160 5 bytes JMP 000000014a380250 .text C:\Windows\system32\csrss.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077422190 5 bytes JMP 000000014a380490 .text C:\Windows\system32\csrss.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000774221a0 5 bytes JMP 000000014a3804a0 .text C:\Windows\system32\csrss.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000774221d0 5 bytes JMP 000000014a380300 .text C:\Windows\system32\csrss.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000774221e0 5 bytes JMP 000000014a380360 .text C:\Windows\system32\csrss.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077422240 5 bytes JMP 000000014a3802a0 .text C:\Windows\system32\csrss.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077422290 5 bytes JMP 000000014a3802c0 .text C:\Windows\system32\csrss.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000774222c0 5 bytes JMP 000000014a380380 .text C:\Windows\system32\csrss.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000774222d0 5 bytes JMP 000000014a380340 .text C:\Windows\system32\csrss.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000774225c0 5 bytes JMP 000000014a380440 .text C:\Windows\system32\csrss.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000774227c0 5 bytes JMP 000000014a380260 .text C:\Windows\system32\csrss.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000774227d0 5 bytes JMP 000000014a380270 .text C:\Windows\system32\csrss.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000774227e0 5 bytes JMP 000000014a380400 .text C:\Windows\system32\csrss.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000774229a0 5 bytes JMP 000000014a3801f0 .text C:\Windows\system32\csrss.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000774229b0 5 bytes JMP 000000014a380210 .text C:\Windows\system32\csrss.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077422a20 5 bytes JMP 000000014a380200 .text C:\Windows\system32\csrss.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077422a80 5 bytes JMP 000000014a380420 .text C:\Windows\system32\csrss.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077422a90 5 bytes JMP 000000014a380430 .text C:\Windows\system32\csrss.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077422aa0 5 bytes JMP 000000014a380220 .text C:\Windows\system32\csrss.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077422b80 5 bytes JMP 000000014a380280 .text C:\Windows\system32\wininit.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077421360 5 bytes JMP 0000000077580460 .text C:\Windows\system32\wininit.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000774213b0 5 bytes JMP 0000000077580450 .text C:\Windows\system32\wininit.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077421510 5 bytes JMP 0000000077580370 .text C:\Windows\system32\wininit.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077421560 5 bytes JMP 0000000077580470 .text C:\Windows\system32\wininit.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077421570 5 bytes JMP 00000000775803e0 .text C:\Windows\system32\wininit.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077421620 5 bytes JMP 0000000077580320 .text C:\Windows\system32\wininit.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077421650 5 bytes JMP 00000000775803b0 .text C:\Windows\system32\wininit.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077421670 5 bytes JMP 0000000077580390 .text C:\Windows\system32\wininit.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000774216b0 5 bytes JMP 00000000775802e0 .text C:\Windows\system32\wininit.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077421730 5 bytes JMP 00000000775802d0 .text C:\Windows\system32\wininit.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077421750 5 bytes JMP 0000000077580310 .text C:\Windows\system32\wininit.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077421790 5 bytes JMP 00000000775803c0 .text C:\Windows\system32\wininit.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000774217e0 5 bytes JMP 00000000775803f0 .text C:\Windows\system32\wininit.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077421940 5 bytes JMP 0000000077580230 .text C:\Windows\system32\wininit.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077421b00 5 bytes JMP 0000000077580480 .text C:\Windows\system32\wininit.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077421b30 5 bytes JMP 00000000775803a0 .text C:\Windows\system32\wininit.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077421c10 5 bytes JMP 00000000775802f0 .text C:\Windows\system32\wininit.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077421c20 5 bytes JMP 0000000077580350 .text C:\Windows\system32\wininit.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077421c80 5 bytes JMP 0000000077580290 .text C:\Windows\system32\wininit.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077421d10 5 bytes JMP 00000000775802b0 .text C:\Windows\system32\wininit.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077421d30 5 bytes JMP 00000000775803d0 .text C:\Windows\system32\wininit.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077421d40 5 bytes JMP 0000000077580330 .text C:\Windows\system32\wininit.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077421db0 5 bytes JMP 0000000077580410 .text C:\Windows\system32\wininit.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077421de0 5 bytes JMP 0000000077580240 .text C:\Windows\system32\wininit.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000774220a0 5 bytes JMP 00000000775801e0 .text C:\Windows\system32\wininit.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077422160 5 bytes JMP 0000000077580250 .text C:\Windows\system32\wininit.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077422190 5 bytes JMP 0000000077580490 .text C:\Windows\system32\wininit.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000774221a0 5 bytes JMP 00000000775804a0 .text C:\Windows\system32\wininit.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000774221d0 5 bytes JMP 0000000077580300 .text C:\Windows\system32\wininit.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000774221e0 5 bytes JMP 0000000077580360 .text C:\Windows\system32\wininit.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077422240 5 bytes JMP 00000000775802a0 .text C:\Windows\system32\wininit.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077422290 5 bytes JMP 00000000775802c0 .text C:\Windows\system32\wininit.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000774222c0 5 bytes JMP 0000000077580380 .text C:\Windows\system32\wininit.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000774222d0 5 bytes JMP 0000000077580340 .text C:\Windows\system32\wininit.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000774225c0 5 bytes JMP 0000000077580440 .text C:\Windows\system32\wininit.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000774227c0 5 bytes JMP 0000000077580260 .text C:\Windows\system32\wininit.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000774227d0 5 bytes JMP 0000000077580270 .text C:\Windows\system32\wininit.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000774227e0 5 bytes JMP 0000000077580400 .text C:\Windows\system32\wininit.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000774229a0 5 bytes JMP 00000000775801f0 .text C:\Windows\system32\wininit.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000774229b0 5 bytes JMP 0000000077580210 .text C:\Windows\system32\wininit.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077422a20 5 bytes JMP 0000000077580200 .text C:\Windows\system32\wininit.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077422a80 5 bytes JMP 0000000077580420 .text C:\Windows\system32\wininit.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077422a90 5 bytes JMP 0000000077580430 .text C:\Windows\system32\wininit.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077422aa0 5 bytes JMP 0000000077580220 .text C:\Windows\system32\wininit.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077422b80 5 bytes JMP 0000000077580280 .text C:\Windows\system32\wininit.exe[504] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007720ef8d 1 byte [62] .text C:\Windows\system32\csrss.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077421360 5 bytes JMP 000000014a380460 .text C:\Windows\system32\csrss.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000774213b0 5 bytes JMP 000000014a380450 .text C:\Windows\system32\csrss.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077421510 5 bytes JMP 000000014a380370 .text C:\Windows\system32\csrss.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077421560 5 bytes JMP 000000014a380470 .text C:\Windows\system32\csrss.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077421570 5 bytes JMP 000000014a3803e0 .text C:\Windows\system32\csrss.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077421620 5 bytes JMP 000000014a380320 .text C:\Windows\system32\csrss.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077421650 5 bytes JMP 000000014a3803b0 .text C:\Windows\system32\csrss.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077421670 5 bytes JMP 000000014a380390 .text C:\Windows\system32\csrss.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000774216b0 5 bytes JMP 000000014a3802e0 .text C:\Windows\system32\csrss.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077421730 5 bytes JMP 000000014a3802d0 .text C:\Windows\system32\csrss.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077421750 5 bytes JMP 000000014a380310 .text C:\Windows\system32\csrss.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077421790 5 bytes JMP 000000014a3803c0 .text C:\Windows\system32\csrss.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000774217e0 5 bytes JMP 000000014a3803f0 .text C:\Windows\system32\csrss.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077421940 5 bytes JMP 000000014a380230 .text C:\Windows\system32\csrss.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077421b00 5 bytes JMP 000000014a380480 .text C:\Windows\system32\csrss.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077421b30 5 bytes JMP 000000014a3803a0 .text C:\Windows\system32\csrss.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077421c10 5 bytes JMP 000000014a3802f0 .text C:\Windows\system32\csrss.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077421c20 5 bytes JMP 000000014a380350 .text C:\Windows\system32\csrss.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077421c80 5 bytes JMP 000000014a380290 .text C:\Windows\system32\csrss.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077421d10 5 bytes JMP 000000014a3802b0 .text C:\Windows\system32\csrss.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077421d30 5 bytes JMP 000000014a3803d0 .text C:\Windows\system32\csrss.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077421d40 5 bytes JMP 000000014a380330 .text C:\Windows\system32\csrss.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077421db0 5 bytes JMP 000000014a380410 .text C:\Windows\system32\csrss.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077421de0 5 bytes JMP 000000014a380240 .text C:\Windows\system32\csrss.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000774220a0 5 bytes JMP 000000014a3801e0 .text C:\Windows\system32\csrss.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077422160 5 bytes JMP 000000014a380250 .text C:\Windows\system32\csrss.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077422190 5 bytes JMP 000000014a380490 .text C:\Windows\system32\csrss.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000774221a0 5 bytes JMP 000000014a3804a0 .text C:\Windows\system32\csrss.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000774221d0 5 bytes JMP 000000014a380300 .text C:\Windows\system32\csrss.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000774221e0 5 bytes JMP 000000014a380360 .text C:\Windows\system32\csrss.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077422240 5 bytes JMP 000000014a3802a0 .text C:\Windows\system32\csrss.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077422290 5 bytes JMP 000000014a3802c0 .text C:\Windows\system32\csrss.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000774222c0 5 bytes JMP 000000014a380380 .text C:\Windows\system32\csrss.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000774222d0 5 bytes JMP 000000014a380340 .text C:\Windows\system32\csrss.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000774225c0 5 bytes JMP 000000014a380440 .text C:\Windows\system32\csrss.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000774227c0 5 bytes JMP 000000014a380260 .text C:\Windows\system32\csrss.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000774227d0 5 bytes JMP 000000014a380270 .text C:\Windows\system32\csrss.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000774227e0 5 bytes JMP 000000014a380400 .text C:\Windows\system32\csrss.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000774229a0 5 bytes JMP 000000014a3801f0 .text C:\Windows\system32\csrss.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000774229b0 5 bytes JMP 000000014a380210 .text C:\Windows\system32\csrss.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077422a20 5 bytes JMP 000000014a380200 .text C:\Windows\system32\csrss.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077422a80 5 bytes JMP 000000014a380420 .text C:\Windows\system32\csrss.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077422a90 5 bytes JMP 000000014a380430 .text C:\Windows\system32\csrss.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077422aa0 5 bytes JMP 000000014a380220 .text C:\Windows\system32\csrss.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077422b80 5 bytes JMP 000000014a380280 .text C:\Windows\system32\services.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077421360 5 bytes JMP 0000000077580460 .text C:\Windows\system32\services.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000774213b0 5 bytes JMP 0000000077580450 .text C:\Windows\system32\services.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077421510 5 bytes JMP 0000000077580370 .text C:\Windows\system32\services.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077421560 5 bytes JMP 0000000077580470 .text C:\Windows\system32\services.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077421570 5 bytes JMP 00000000775803e0 .text C:\Windows\system32\services.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077421620 5 bytes JMP 0000000077580320 .text C:\Windows\system32\services.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077421650 5 bytes JMP 00000000775803b0 .text C:\Windows\system32\services.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077421670 5 bytes JMP 0000000077580390 .text C:\Windows\system32\services.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000774216b0 5 bytes JMP 00000000775802e0 .text C:\Windows\system32\services.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077421730 5 bytes JMP 00000000775802d0 .text C:\Windows\system32\services.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077421750 5 bytes JMP 0000000077580310 .text C:\Windows\system32\services.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077421790 5 bytes JMP 00000000775803c0 .text C:\Windows\system32\services.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000774217e0 5 bytes JMP 00000000775803f0 .text C:\Windows\system32\services.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077421940 5 bytes JMP 0000000077580230 .text C:\Windows\system32\services.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077421b00 5 bytes JMP 0000000077580480 .text C:\Windows\system32\services.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077421b30 5 bytes JMP 00000000775803a0 .text C:\Windows\system32\services.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077421c10 5 bytes JMP 00000000775802f0 .text C:\Windows\system32\services.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077421c20 5 bytes JMP 0000000077580350 .text C:\Windows\system32\services.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077421c80 5 bytes JMP 0000000077580290 .text C:\Windows\system32\services.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077421d10 5 bytes JMP 00000000775802b0 .text C:\Windows\system32\services.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077421d30 5 bytes JMP 00000000775803d0 .text C:\Windows\system32\services.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077421d40 5 bytes JMP 0000000077580330 .text C:\Windows\system32\services.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077421db0 5 bytes JMP 0000000077580410 .text C:\Windows\system32\services.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077421de0 5 bytes JMP 0000000077580240 .text C:\Windows\system32\services.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000774220a0 5 bytes JMP 00000000775801e0 .text C:\Windows\system32\services.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077422160 5 bytes JMP 0000000077580250 .text C:\Windows\system32\services.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077422190 5 bytes JMP 0000000077580490 .text C:\Windows\system32\services.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000774221a0 5 bytes JMP 00000000775804a0 .text C:\Windows\system32\services.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000774221d0 5 bytes JMP 0000000077580300 .text C:\Windows\system32\services.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000774221e0 5 bytes JMP 0000000077580360 .text C:\Windows\system32\services.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077422240 5 bytes JMP 00000000775802a0 .text C:\Windows\system32\services.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077422290 5 bytes JMP 00000000775802c0 .text C:\Windows\system32\services.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000774222c0 5 bytes JMP 0000000077580380 .text C:\Windows\system32\services.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000774222d0 5 bytes JMP 0000000077580340 .text C:\Windows\system32\services.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000774225c0 5 bytes JMP 0000000077580440 .text C:\Windows\system32\services.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000774227c0 5 bytes JMP 0000000077580260 .text C:\Windows\system32\services.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000774227d0 5 bytes JMP 0000000077580270 .text C:\Windows\system32\services.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000774227e0 5 bytes JMP 0000000077580400 .text C:\Windows\system32\services.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000774229a0 5 bytes JMP 00000000775801f0 .text C:\Windows\system32\services.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000774229b0 5 bytes JMP 0000000077580210 .text C:\Windows\system32\services.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077422a20 5 bytes JMP 0000000077580200 .text C:\Windows\system32\services.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077422a80 5 bytes JMP 0000000077580420 .text C:\Windows\system32\services.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077422a90 5 bytes JMP 0000000077580430 .text C:\Windows\system32\services.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077422aa0 5 bytes JMP 0000000077580220 .text C:\Windows\system32\services.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077422b80 5 bytes JMP 0000000077580280 .text C:\Windows\system32\services.exe[564] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007720ef8d 1 byte [62] .text C:\Windows\system32\winlogon.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077421360 5 bytes JMP 0000000077580460 .text C:\Windows\system32\winlogon.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000774213b0 5 bytes JMP 0000000077580450 .text C:\Windows\system32\winlogon.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077421510 5 bytes JMP 0000000077580370 .text C:\Windows\system32\winlogon.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077421560 5 bytes JMP 0000000077580470 .text C:\Windows\system32\winlogon.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077421570 5 bytes JMP 00000000775803e0 .text C:\Windows\system32\winlogon.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077421620 5 bytes JMP 0000000077580320 .text C:\Windows\system32\winlogon.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077421650 5 bytes JMP 00000000775803b0 .text C:\Windows\system32\winlogon.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077421670 5 bytes JMP 0000000077580390 .text C:\Windows\system32\winlogon.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000774216b0 5 bytes JMP 00000000775802e0 .text C:\Windows\system32\winlogon.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077421730 5 bytes JMP 00000000775802d0 .text C:\Windows\system32\winlogon.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077421750 5 bytes JMP 0000000077580310 .text C:\Windows\system32\winlogon.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077421790 5 bytes JMP 00000000775803c0 .text C:\Windows\system32\winlogon.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000774217e0 5 bytes JMP 00000000775803f0 .text C:\Windows\system32\winlogon.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077421940 5 bytes JMP 0000000077580230 .text C:\Windows\system32\winlogon.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077421b00 5 bytes JMP 0000000077580480 .text C:\Windows\system32\winlogon.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077421b30 5 bytes JMP 00000000775803a0 .text C:\Windows\system32\winlogon.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077421c10 5 bytes JMP 00000000775802f0 .text C:\Windows\system32\winlogon.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077421c20 5 bytes JMP 0000000077580350 .text C:\Windows\system32\winlogon.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077421c80 5 bytes JMP 0000000077580290 .text C:\Windows\system32\winlogon.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077421d10 5 bytes JMP 00000000775802b0 .text C:\Windows\system32\winlogon.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077421d30 5 bytes JMP 00000000775803d0 .text C:\Windows\system32\winlogon.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077421d40 5 bytes JMP 0000000077580330 .text C:\Windows\system32\winlogon.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077421db0 5 bytes JMP 0000000077580410 .text C:\Windows\system32\winlogon.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077421de0 5 bytes JMP 0000000077580240 .text C:\Windows\system32\winlogon.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000774220a0 5 bytes JMP 00000000775801e0 .text C:\Windows\system32\winlogon.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077422160 5 bytes JMP 0000000077580250 .text C:\Windows\system32\winlogon.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077422190 5 bytes JMP 0000000077580490 .text C:\Windows\system32\winlogon.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000774221a0 5 bytes JMP 00000000775804a0 .text C:\Windows\system32\winlogon.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000774221d0 5 bytes JMP 0000000077580300 .text C:\Windows\system32\winlogon.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000774221e0 5 bytes JMP 0000000077580360 .text C:\Windows\system32\winlogon.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077422240 5 bytes JMP 00000000775802a0 .text C:\Windows\system32\winlogon.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077422290 5 bytes JMP 00000000775802c0 .text C:\Windows\system32\winlogon.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000774222c0 5 bytes JMP 0000000077580380 .text C:\Windows\system32\winlogon.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000774222d0 5 bytes JMP 0000000077580340 .text C:\Windows\system32\winlogon.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000774225c0 5 bytes JMP 0000000077580440 .text C:\Windows\system32\winlogon.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000774227c0 5 bytes JMP 0000000077580260 .text C:\Windows\system32\winlogon.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000774227d0 5 bytes JMP 0000000077580270 .text C:\Windows\system32\winlogon.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000774227e0 5 bytes JMP 0000000077580400 .text C:\Windows\system32\winlogon.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000774229a0 5 bytes JMP 00000000775801f0 .text C:\Windows\system32\winlogon.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000774229b0 5 bytes JMP 0000000077580210 .text C:\Windows\system32\winlogon.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077422a20 5 bytes JMP 0000000077580200 .text C:\Windows\system32\winlogon.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077422a80 5 bytes JMP 0000000077580420 .text C:\Windows\system32\winlogon.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077422a90 5 bytes JMP 0000000077580430 .text C:\Windows\system32\winlogon.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077422aa0 5 bytes JMP 0000000077580220 .text C:\Windows\system32\winlogon.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077422b80 5 bytes JMP 0000000077580280 .text C:\Windows\system32\winlogon.exe[588] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007720ef8d 1 byte [62] .text C:\Windows\system32\lsass.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077421360 5 bytes JMP 0000000077580460 .text C:\Windows\system32\lsass.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000774213b0 5 bytes JMP 0000000077580450 .text C:\Windows\system32\lsass.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077421510 5 bytes JMP 0000000077580370 .text C:\Windows\system32\lsass.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077421560 5 bytes JMP 0000000077580470 .text C:\Windows\system32\lsass.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077421570 5 bytes JMP 00000000775803e0 .text C:\Windows\system32\lsass.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077421620 5 bytes JMP 0000000077580320 .text C:\Windows\system32\lsass.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077421650 5 bytes JMP 00000000775803b0 .text C:\Windows\system32\lsass.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077421670 5 bytes JMP 0000000077580390 .text C:\Windows\system32\lsass.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000774216b0 5 bytes JMP 00000000775802e0 .text C:\Windows\system32\lsass.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077421730 5 bytes JMP 00000000775802d0 .text C:\Windows\system32\lsass.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077421750 5 bytes JMP 0000000077580310 .text C:\Windows\system32\lsass.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077421790 5 bytes JMP 00000000775803c0 .text C:\Windows\system32\lsass.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000774217e0 5 bytes JMP 00000000775803f0 .text C:\Windows\system32\lsass.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077421940 5 bytes JMP 0000000077580230 .text C:\Windows\system32\lsass.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077421b00 5 bytes JMP 0000000077580480 .text C:\Windows\system32\lsass.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077421b30 5 bytes JMP 00000000775803a0 .text C:\Windows\system32\lsass.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077421c10 5 bytes JMP 00000000775802f0 .text C:\Windows\system32\lsass.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077421c20 5 bytes JMP 0000000077580350 .text C:\Windows\system32\lsass.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077421c80 5 bytes JMP 0000000077580290 .text C:\Windows\system32\lsass.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077421d10 5 bytes JMP 00000000775802b0 .text C:\Windows\system32\lsass.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077421d30 5 bytes JMP 00000000775803d0 .text C:\Windows\system32\lsass.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077421d40 5 bytes JMP 0000000077580330 .text C:\Windows\system32\lsass.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077421db0 5 bytes JMP 0000000077580410 .text C:\Windows\system32\lsass.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077421de0 5 bytes JMP 0000000077580240 .text C:\Windows\system32\lsass.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000774220a0 5 bytes JMP 00000000775801e0 .text C:\Windows\system32\lsass.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077422160 5 bytes JMP 0000000077580250 .text C:\Windows\system32\lsass.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077422190 5 bytes JMP 0000000077580490 .text C:\Windows\system32\lsass.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000774221a0 5 bytes JMP 00000000775804a0 .text C:\Windows\system32\lsass.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000774221d0 5 bytes JMP 0000000077580300 .text C:\Windows\system32\lsass.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000774221e0 5 bytes JMP 0000000077580360 .text C:\Windows\system32\lsass.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077422240 5 bytes JMP 00000000775802a0 .text C:\Windows\system32\lsass.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077422290 5 bytes JMP 00000000775802c0 .text C:\Windows\system32\lsass.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000774222c0 5 bytes JMP 0000000077580380 .text C:\Windows\system32\lsass.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000774222d0 5 bytes JMP 0000000077580340 .text C:\Windows\system32\lsass.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000774225c0 5 bytes JMP 0000000077580440 .text C:\Windows\system32\lsass.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000774227c0 5 bytes JMP 0000000077580260 .text C:\Windows\system32\lsass.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000774227d0 5 bytes JMP 0000000077580270 .text C:\Windows\system32\lsass.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000774227e0 5 bytes JMP 0000000077580400 .text C:\Windows\system32\lsass.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000774229a0 5 bytes JMP 00000000775801f0 .text C:\Windows\system32\lsass.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000774229b0 5 bytes JMP 0000000077580210 .text C:\Windows\system32\lsass.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077422a20 5 bytes JMP 0000000077580200 .text C:\Windows\system32\lsass.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077422a80 5 bytes JMP 0000000077580420 .text C:\Windows\system32\lsass.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077422a90 5 bytes JMP 0000000077580430 .text C:\Windows\system32\lsass.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077422aa0 5 bytes JMP 0000000077580220 .text C:\Windows\system32\lsass.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077422b80 5 bytes JMP 0000000077580280 .text C:\Windows\system32\lsm.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077421360 5 bytes JMP 0000000100070460 .text C:\Windows\system32\lsm.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000774213b0 5 bytes JMP 0000000100070450 .text C:\Windows\system32\lsm.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077421510 5 bytes JMP 0000000100070370 .text C:\Windows\system32\lsm.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077421560 5 bytes JMP 0000000100070470 .text C:\Windows\system32\lsm.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077421570 5 bytes JMP 00000001000703e0 .text C:\Windows\system32\lsm.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077421620 5 bytes JMP 0000000100070320 .text C:\Windows\system32\lsm.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077421650 5 bytes JMP 00000001000703b0 .text C:\Windows\system32\lsm.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077421670 5 bytes JMP 0000000100070390 .text C:\Windows\system32\lsm.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000774216b0 5 bytes JMP 00000001000702e0 .text C:\Windows\system32\lsm.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077421730 5 bytes JMP 00000001000702d0 .text C:\Windows\system32\lsm.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077421750 5 bytes JMP 0000000100070310 .text C:\Windows\system32\lsm.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077421790 5 bytes JMP 00000001000703c0 .text C:\Windows\system32\lsm.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000774217e0 5 bytes JMP 00000001000703f0 .text C:\Windows\system32\lsm.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077421940 5 bytes JMP 0000000100070230 .text C:\Windows\system32\lsm.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077421b00 5 bytes JMP 0000000100070480 .text C:\Windows\system32\lsm.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077421b30 5 bytes JMP 00000001000703a0 .text C:\Windows\system32\lsm.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077421c10 5 bytes JMP 00000001000702f0 .text C:\Windows\system32\lsm.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077421c20 5 bytes JMP 0000000100070350 .text C:\Windows\system32\lsm.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077421c80 5 bytes JMP 0000000100070290 .text C:\Windows\system32\lsm.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077421d10 5 bytes JMP 00000001000702b0 .text C:\Windows\system32\lsm.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077421d30 5 bytes JMP 00000001000703d0 .text C:\Windows\system32\lsm.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077421d40 5 bytes JMP 0000000100070330 .text C:\Windows\system32\lsm.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077421db0 5 bytes JMP 0000000100070410 .text C:\Windows\system32\lsm.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077421de0 5 bytes JMP 0000000100070240 .text C:\Windows\system32\lsm.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000774220a0 5 bytes JMP 00000001000701e0 .text C:\Windows\system32\lsm.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077422160 5 bytes JMP 0000000100070250 .text C:\Windows\system32\lsm.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077422190 5 bytes JMP 0000000100070490 .text C:\Windows\system32\lsm.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000774221a0 5 bytes JMP 00000001000704a0 .text C:\Windows\system32\lsm.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000774221d0 5 bytes JMP 0000000100070300 .text C:\Windows\system32\lsm.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000774221e0 5 bytes JMP 0000000100070360 .text C:\Windows\system32\lsm.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077422240 5 bytes JMP 00000001000702a0 .text C:\Windows\system32\lsm.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077422290 5 bytes JMP 00000001000702c0 .text C:\Windows\system32\lsm.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000774222c0 5 bytes JMP 0000000100070380 .text C:\Windows\system32\lsm.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000774222d0 5 bytes JMP 0000000100070340 .text C:\Windows\system32\lsm.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000774225c0 5 bytes JMP 0000000100070440 .text C:\Windows\system32\lsm.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000774227c0 5 bytes JMP 0000000100070260 .text C:\Windows\system32\lsm.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000774227d0 5 bytes JMP 0000000100070270 .text C:\Windows\system32\lsm.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000774227e0 5 bytes JMP 0000000100070400 .text C:\Windows\system32\lsm.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000774229a0 5 bytes JMP 00000001000701f0 .text C:\Windows\system32\lsm.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000774229b0 5 bytes JMP 0000000100070210 .text C:\Windows\system32\lsm.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077422a20 5 bytes JMP 0000000100070200 .text C:\Windows\system32\lsm.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077422a80 5 bytes JMP 0000000100070420 .text C:\Windows\system32\lsm.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077422a90 5 bytes JMP 0000000100070430 .text C:\Windows\system32\lsm.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077422aa0 5 bytes JMP 0000000100070220 .text C:\Windows\system32\lsm.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077422b80 5 bytes JMP 0000000100070280 .text C:\Windows\system32\svchost.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077421360 5 bytes JMP 0000000077580460 .text C:\Windows\system32\svchost.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000774213b0 5 bytes JMP 0000000077580450 .text C:\Windows\system32\svchost.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077421510 5 bytes JMP 0000000077580370 .text C:\Windows\system32\svchost.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077421560 5 bytes JMP 0000000077580470 .text C:\Windows\system32\svchost.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077421570 5 bytes JMP 00000000775803e0 .text C:\Windows\system32\svchost.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077421620 5 bytes JMP 0000000077580320 .text C:\Windows\system32\svchost.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077421650 5 bytes JMP 00000000775803b0 .text C:\Windows\system32\svchost.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077421670 5 bytes JMP 0000000077580390 .text C:\Windows\system32\svchost.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000774216b0 5 bytes JMP 00000000775802e0 .text C:\Windows\system32\svchost.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077421730 5 bytes JMP 00000000775802d0 .text C:\Windows\system32\svchost.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077421750 5 bytes JMP 0000000077580310 .text C:\Windows\system32\svchost.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077421790 5 bytes JMP 00000000775803c0 .text C:\Windows\system32\svchost.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000774217e0 5 bytes JMP 00000000775803f0 .text C:\Windows\system32\svchost.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077421940 5 bytes JMP 0000000077580230 .text C:\Windows\system32\svchost.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077421b00 5 bytes JMP 0000000077580480 .text C:\Windows\system32\svchost.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077421b30 5 bytes JMP 00000000775803a0 .text C:\Windows\system32\svchost.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077421c10 5 bytes JMP 00000000775802f0 .text C:\Windows\system32\svchost.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077421c20 5 bytes JMP 0000000077580350 .text C:\Windows\system32\svchost.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077421c80 5 bytes JMP 0000000077580290 .text C:\Windows\system32\svchost.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077421d10 5 bytes JMP 00000000775802b0 .text C:\Windows\system32\svchost.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077421d30 5 bytes JMP 00000000775803d0 .text C:\Windows\system32\svchost.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077421d40 5 bytes JMP 0000000077580330 .text C:\Windows\system32\svchost.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077421db0 5 bytes JMP 0000000077580410 .text C:\Windows\system32\svchost.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077421de0 5 bytes JMP 0000000077580240 .text C:\Windows\system32\svchost.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000774220a0 5 bytes JMP 00000000775801e0 .text C:\Windows\system32\svchost.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077422160 5 bytes JMP 0000000077580250 .text C:\Windows\system32\svchost.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077422190 5 bytes JMP 0000000077580490 .text C:\Windows\system32\svchost.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000774221a0 5 bytes JMP 00000000775804a0 .text C:\Windows\system32\svchost.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000774221d0 5 bytes JMP 0000000077580300 .text C:\Windows\system32\svchost.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000774221e0 5 bytes JMP 0000000077580360 .text C:\Windows\system32\svchost.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077422240 5 bytes JMP 00000000775802a0 .text C:\Windows\system32\svchost.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077422290 5 bytes JMP 00000000775802c0 .text C:\Windows\system32\svchost.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000774222c0 5 bytes JMP 0000000077580380 .text C:\Windows\system32\svchost.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000774222d0 5 bytes JMP 0000000077580340 .text C:\Windows\system32\svchost.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000774225c0 5 bytes JMP 0000000077580440 .text C:\Windows\system32\svchost.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000774227c0 5 bytes JMP 0000000077580260 .text C:\Windows\system32\svchost.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000774227d0 5 bytes JMP 0000000077580270 .text C:\Windows\system32\svchost.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000774227e0 5 bytes JMP 0000000077580400 .text C:\Windows\system32\svchost.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000774229a0 5 bytes JMP 00000000775801f0 .text C:\Windows\system32\svchost.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000774229b0 5 bytes JMP 0000000077580210 .text C:\Windows\system32\svchost.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077422a20 5 bytes JMP 0000000077580200 .text C:\Windows\system32\svchost.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077422a80 5 bytes JMP 0000000077580420 .text C:\Windows\system32\svchost.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077422a90 5 bytes JMP 0000000077580430 .text C:\Windows\system32\svchost.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077422aa0 5 bytes JMP 0000000077580220 .text C:\Windows\system32\svchost.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077422b80 5 bytes JMP 0000000077580280 .text C:\Windows\system32\svchost.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077421360 5 bytes JMP 0000000100070460 .text C:\Windows\system32\svchost.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000774213b0 5 bytes JMP 0000000100070450 .text C:\Windows\system32\svchost.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077421510 5 bytes JMP 0000000100070370 .text C:\Windows\system32\svchost.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077421560 5 bytes JMP 0000000100070470 .text C:\Windows\system32\svchost.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077421570 5 bytes JMP 00000001000703e0 .text C:\Windows\system32\svchost.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077421620 5 bytes JMP 0000000100070320 .text C:\Windows\system32\svchost.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077421650 5 bytes JMP 00000001000703b0 .text C:\Windows\system32\svchost.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077421670 5 bytes JMP 0000000100070390 .text C:\Windows\system32\svchost.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000774216b0 5 bytes JMP 00000001000702e0 .text C:\Windows\system32\svchost.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077421730 5 bytes JMP 00000001000702d0 .text C:\Windows\system32\svchost.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077421750 5 bytes JMP 0000000100070310 .text C:\Windows\system32\svchost.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077421790 5 bytes JMP 00000001000703c0 .text C:\Windows\system32\svchost.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000774217e0 5 bytes JMP 00000001000703f0 .text C:\Windows\system32\svchost.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077421940 5 bytes JMP 0000000100070230 .text C:\Windows\system32\svchost.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077421b00 5 bytes JMP 0000000100070480 .text C:\Windows\system32\svchost.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077421b30 5 bytes JMP 00000001000703a0 .text C:\Windows\system32\svchost.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077421c10 5 bytes JMP 00000001000702f0 .text C:\Windows\system32\svchost.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077421c20 5 bytes JMP 0000000100070350 .text C:\Windows\system32\svchost.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077421c80 5 bytes JMP 0000000100070290 .text C:\Windows\system32\svchost.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077421d10 5 bytes JMP 00000001000702b0 .text C:\Windows\system32\svchost.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077421d30 5 bytes JMP 00000001000703d0 .text C:\Windows\system32\svchost.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077421d40 5 bytes JMP 0000000100070330 .text C:\Windows\system32\svchost.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077421db0 5 bytes JMP 0000000100070410 .text C:\Windows\system32\svchost.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077421de0 5 bytes JMP 0000000100070240 .text C:\Windows\system32\svchost.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000774220a0 5 bytes JMP 00000001000701e0 .text C:\Windows\system32\svchost.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077422160 5 bytes JMP 0000000100070250 .text C:\Windows\system32\svchost.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077422190 5 bytes JMP 0000000100070490 .text C:\Windows\system32\svchost.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000774221a0 5 bytes JMP 00000001000704a0 .text C:\Windows\system32\svchost.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000774221d0 5 bytes JMP 0000000100070300 .text C:\Windows\system32\svchost.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000774221e0 5 bytes JMP 0000000100070360 .text C:\Windows\system32\svchost.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077422240 5 bytes JMP 00000001000702a0 .text C:\Windows\system32\svchost.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077422290 5 bytes JMP 00000001000702c0 .text C:\Windows\system32\svchost.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000774222c0 5 bytes JMP 0000000100070380 .text C:\Windows\system32\svchost.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000774222d0 5 bytes JMP 0000000100070340 .text C:\Windows\system32\svchost.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000774225c0 5 bytes JMP 0000000100070440 .text C:\Windows\system32\svchost.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000774227c0 5 bytes JMP 0000000100070260 .text C:\Windows\system32\svchost.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000774227d0 5 bytes JMP 0000000100070270 .text C:\Windows\system32\svchost.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000774227e0 5 bytes JMP 0000000100070400 .text C:\Windows\system32\svchost.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000774229a0 5 bytes JMP 00000001000701f0 .text C:\Windows\system32\svchost.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000774229b0 5 bytes JMP 0000000100070210 .text C:\Windows\system32\svchost.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077422a20 5 bytes JMP 0000000100070200 .text C:\Windows\system32\svchost.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077422a80 5 bytes JMP 0000000100070420 .text C:\Windows\system32\svchost.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077422a90 5 bytes JMP 0000000100070430 .text C:\Windows\system32\svchost.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077422aa0 5 bytes JMP 0000000100070220 .text C:\Windows\system32\svchost.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077422b80 5 bytes JMP 0000000100070280 .text C:\Windows\System32\svchost.exe[884] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077421360 5 bytes JMP 0000000077580460 .text C:\Windows\System32\svchost.exe[884] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000774213b0 5 bytes JMP 0000000077580450 .text C:\Windows\System32\svchost.exe[884] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077421510 5 bytes JMP 0000000077580370 .text C:\Windows\System32\svchost.exe[884] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077421560 5 bytes JMP 0000000077580470 .text C:\Windows\System32\svchost.exe[884] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077421570 5 bytes JMP 00000000775803e0 .text C:\Windows\System32\svchost.exe[884] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077421620 5 bytes JMP 0000000077580320 .text C:\Windows\System32\svchost.exe[884] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077421650 5 bytes JMP 00000000775803b0 .text C:\Windows\System32\svchost.exe[884] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077421670 5 bytes JMP 0000000077580390 .text C:\Windows\System32\svchost.exe[884] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000774216b0 5 bytes JMP 00000000775802e0 .text C:\Windows\System32\svchost.exe[884] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077421730 5 bytes JMP 00000000775802d0 .text C:\Windows\System32\svchost.exe[884] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077421750 5 bytes JMP 0000000077580310 .text C:\Windows\System32\svchost.exe[884] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077421790 5 bytes JMP 00000000775803c0 .text C:\Windows\System32\svchost.exe[884] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000774217e0 5 bytes JMP 00000000775803f0 .text C:\Windows\System32\svchost.exe[884] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077421940 5 bytes JMP 0000000077580230 .text C:\Windows\System32\svchost.exe[884] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077421b00 5 bytes JMP 0000000077580480 .text C:\Windows\System32\svchost.exe[884] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077421b30 5 bytes JMP 00000000775803a0 .text C:\Windows\System32\svchost.exe[884] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077421c10 5 bytes JMP 00000000775802f0 .text C:\Windows\System32\svchost.exe[884] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077421c20 5 bytes JMP 0000000077580350 .text C:\Windows\System32\svchost.exe[884] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077421c80 5 bytes JMP 0000000077580290 .text C:\Windows\System32\svchost.exe[884] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077421d10 5 bytes JMP 00000000775802b0 .text C:\Windows\System32\svchost.exe[884] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077421d30 5 bytes JMP 00000000775803d0 .text C:\Windows\System32\svchost.exe[884] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077421d40 5 bytes JMP 0000000077580330 .text C:\Windows\System32\svchost.exe[884] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077421db0 5 bytes JMP 0000000077580410 .text C:\Windows\System32\svchost.exe[884] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077421de0 5 bytes JMP 0000000077580240 .text C:\Windows\System32\svchost.exe[884] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000774220a0 5 bytes JMP 00000000775801e0 .text C:\Windows\System32\svchost.exe[884] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077422160 5 bytes JMP 0000000077580250 .text C:\Windows\System32\svchost.exe[884] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077422190 5 bytes JMP 0000000077580490 .text C:\Windows\System32\svchost.exe[884] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000774221a0 5 bytes JMP 00000000775804a0 .text C:\Windows\System32\svchost.exe[884] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000774221d0 5 bytes JMP 0000000077580300 .text C:\Windows\System32\svchost.exe[884] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000774221e0 5 bytes JMP 0000000077580360 .text C:\Windows\System32\svchost.exe[884] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077422240 5 bytes JMP 00000000775802a0 .text C:\Windows\System32\svchost.exe[884] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077422290 5 bytes JMP 00000000775802c0 .text C:\Windows\System32\svchost.exe[884] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000774222c0 5 bytes JMP 0000000077580380 .text C:\Windows\System32\svchost.exe[884] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000774222d0 5 bytes JMP 0000000077580340 .text C:\Windows\System32\svchost.exe[884] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000774225c0 5 bytes JMP 0000000077580440 .text C:\Windows\System32\svchost.exe[884] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000774227c0 5 bytes JMP 0000000077580260 .text C:\Windows\System32\svchost.exe[884] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000774227d0 5 bytes JMP 0000000077580270 .text C:\Windows\System32\svchost.exe[884] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000774227e0 5 bytes JMP 0000000077580400 .text C:\Windows\System32\svchost.exe[884] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000774229a0 5 bytes JMP 00000000775801f0 .text C:\Windows\System32\svchost.exe[884] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000774229b0 5 bytes JMP 0000000077580210 .text C:\Windows\System32\svchost.exe[884] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077422a20 5 bytes JMP 0000000077580200 .text C:\Windows\System32\svchost.exe[884] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077422a80 5 bytes JMP 0000000077580420 .text C:\Windows\System32\svchost.exe[884] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077422a90 5 bytes JMP 0000000077580430 .text C:\Windows\System32\svchost.exe[884] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077422aa0 5 bytes JMP 0000000077580220 .text C:\Windows\System32\svchost.exe[884] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077422b80 5 bytes JMP 0000000077580280 .text C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077421360 5 bytes JMP 0000000100070460 .text C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000774213b0 5 bytes JMP 0000000100070450 .text C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077421510 5 bytes JMP 0000000100070370 .text C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077421560 5 bytes JMP 0000000100070470 .text C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077421570 5 bytes JMP 00000001000703e0 .text C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077421620 5 bytes JMP 0000000100070320 .text C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077421650 5 bytes JMP 00000001000703b0 .text C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077421670 5 bytes JMP 0000000100070390 .text C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000774216b0 5 bytes JMP 00000001000702e0 .text C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077421730 5 bytes JMP 00000001000702d0 .text C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077421750 5 bytes JMP 0000000100070310 .text C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077421790 5 bytes JMP 00000001000703c0 .text C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000774217e0 5 bytes JMP 00000001000703f0 .text C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077421940 5 bytes JMP 0000000100070230 .text C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077421b00 5 bytes JMP 0000000100070480 .text C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077421b30 5 bytes JMP 00000001000703a0 .text C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077421c10 5 bytes JMP 00000001000702f0 .text C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077421c20 5 bytes JMP 0000000100070350 .text C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077421c80 5 bytes JMP 0000000100070290 .text C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077421d10 5 bytes JMP 00000001000702b0 .text C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077421d30 5 bytes JMP 00000001000703d0 .text C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077421d40 5 bytes JMP 0000000100070330 .text C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077421db0 5 bytes JMP 0000000100070410 .text C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077421de0 5 bytes JMP 0000000100070240 .text C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000774220a0 5 bytes JMP 00000001000701e0 .text C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077422160 5 bytes JMP 0000000100070250 .text C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077422190 5 bytes JMP 0000000100070490 .text C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000774221a0 5 bytes JMP 00000001000704a0 .text C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000774221d0 5 bytes JMP 0000000100070300 .text C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000774221e0 5 bytes JMP 0000000100070360 .text C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077422240 5 bytes JMP 00000001000702a0 .text C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077422290 5 bytes JMP 00000001000702c0 .text C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000774222c0 5 bytes JMP 0000000100070380 .text C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000774222d0 5 bytes JMP 0000000100070340 .text C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000774225c0 5 bytes JMP 0000000100070440 .text C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000774227c0 5 bytes JMP 0000000100070260 .text C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000774227d0 5 bytes JMP 0000000100070270 .text C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000774227e0 5 bytes JMP 0000000100070400 .text C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000774229a0 5 bytes JMP 00000001000701f0 .text C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000774229b0 5 bytes JMP 0000000100070210 .text C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077422a20 5 bytes JMP 0000000100070200 .text C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077422a80 5 bytes JMP 0000000100070420 .text C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077422a90 5 bytes JMP 0000000100070430 .text C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077422aa0 5 bytes JMP 0000000100070220 .text C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077422b80 5 bytes JMP 0000000100070280 .text C:\Windows\System32\svchost.exe[944] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007720ef8d 1 byte [62] .text C:\Windows\system32\svchost.exe[972] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077421360 5 bytes JMP 0000000077580460 .text C:\Windows\system32\svchost.exe[972] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000774213b0 5 bytes JMP 0000000077580450 .text C:\Windows\system32\svchost.exe[972] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077421510 5 bytes JMP 0000000077580370 .text C:\Windows\system32\svchost.exe[972] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077421560 5 bytes JMP 0000000077580470 .text C:\Windows\system32\svchost.exe[972] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077421570 5 bytes JMP 00000000775803e0 .text C:\Windows\system32\svchost.exe[972] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077421620 5 bytes JMP 0000000077580320 .text C:\Windows\system32\svchost.exe[972] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077421650 5 bytes JMP 00000000775803b0 .text C:\Windows\system32\svchost.exe[972] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077421670 5 bytes JMP 0000000077580390 .text C:\Windows\system32\svchost.exe[972] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000774216b0 5 bytes JMP 00000000775802e0 .text C:\Windows\system32\svchost.exe[972] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077421730 5 bytes JMP 00000000775802d0 .text C:\Windows\system32\svchost.exe[972] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077421750 5 bytes JMP 0000000077580310 .text C:\Windows\system32\svchost.exe[972] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077421790 5 bytes JMP 00000000775803c0 .text C:\Windows\system32\svchost.exe[972] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000774217e0 5 bytes JMP 00000000775803f0 .text C:\Windows\system32\svchost.exe[972] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077421940 5 bytes JMP 0000000077580230 .text C:\Windows\system32\svchost.exe[972] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077421b00 5 bytes JMP 0000000077580480 .text C:\Windows\system32\svchost.exe[972] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077421b30 5 bytes JMP 00000000775803a0 .text C:\Windows\system32\svchost.exe[972] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077421c10 5 bytes JMP 00000000775802f0 .text C:\Windows\system32\svchost.exe[972] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077421c20 5 bytes JMP 0000000077580350 .text C:\Windows\system32\svchost.exe[972] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077421c80 5 bytes JMP 0000000077580290 .text C:\Windows\system32\svchost.exe[972] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077421d10 5 bytes JMP 00000000775802b0 .text C:\Windows\system32\svchost.exe[972] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077421d30 5 bytes JMP 00000000775803d0 .text C:\Windows\system32\svchost.exe[972] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077421d40 5 bytes JMP 0000000077580330 .text C:\Windows\system32\svchost.exe[972] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077421db0 5 bytes JMP 0000000077580410 .text C:\Windows\system32\svchost.exe[972] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077421de0 5 bytes JMP 0000000077580240 .text C:\Windows\system32\svchost.exe[972] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000774220a0 5 bytes JMP 00000000775801e0 .text C:\Windows\system32\svchost.exe[972] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077422160 5 bytes JMP 0000000077580250 .text C:\Windows\system32\svchost.exe[972] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077422190 5 bytes JMP 0000000077580490 .text C:\Windows\system32\svchost.exe[972] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000774221a0 5 bytes JMP 00000000775804a0 .text C:\Windows\system32\svchost.exe[972] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000774221d0 5 bytes JMP 0000000077580300 .text C:\Windows\system32\svchost.exe[972] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000774221e0 5 bytes JMP 0000000077580360 .text C:\Windows\system32\svchost.exe[972] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077422240 5 bytes JMP 00000000775802a0 .text C:\Windows\system32\svchost.exe[972] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077422290 5 bytes JMP 00000000775802c0 .text C:\Windows\system32\svchost.exe[972] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000774222c0 5 bytes JMP 0000000077580380 .text C:\Windows\system32\svchost.exe[972] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000774222d0 5 bytes JMP 0000000077580340 .text C:\Windows\system32\svchost.exe[972] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000774225c0 5 bytes JMP 0000000077580440 .text C:\Windows\system32\svchost.exe[972] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000774227c0 5 bytes JMP 0000000077580260 .text C:\Windows\system32\svchost.exe[972] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000774227d0 5 bytes JMP 0000000077580270 .text C:\Windows\system32\svchost.exe[972] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000774227e0 5 bytes JMP 0000000077580400 .text C:\Windows\system32\svchost.exe[972] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000774229a0 5 bytes JMP 00000000775801f0 .text C:\Windows\system32\svchost.exe[972] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000774229b0 5 bytes JMP 0000000077580210 .text C:\Windows\system32\svchost.exe[972] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077422a20 5 bytes JMP 0000000077580200 .text C:\Windows\system32\svchost.exe[972] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077422a80 5 bytes JMP 0000000077580420 .text C:\Windows\system32\svchost.exe[972] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077422a90 5 bytes JMP 0000000077580430 .text C:\Windows\system32\svchost.exe[972] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077422aa0 5 bytes JMP 0000000077580220 .text C:\Windows\system32\svchost.exe[972] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077422b80 5 bytes JMP 0000000077580280 .text C:\Windows\system32\svchost.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077421360 5 bytes JMP 0000000077580460 .text C:\Windows\system32\svchost.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000774213b0 5 bytes JMP 0000000077580450 .text C:\Windows\system32\svchost.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077421510 5 bytes JMP 0000000077580370 .text C:\Windows\system32\svchost.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077421560 5 bytes JMP 0000000077580470 .text C:\Windows\system32\svchost.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077421570 5 bytes JMP 00000000775803e0 .text C:\Windows\system32\svchost.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077421620 5 bytes JMP 0000000077580320 .text C:\Windows\system32\svchost.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077421650 5 bytes JMP 00000000775803b0 .text C:\Windows\system32\svchost.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077421670 5 bytes JMP 0000000077580390 .text C:\Windows\system32\svchost.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000774216b0 5 bytes JMP 00000000775802e0 .text C:\Windows\system32\svchost.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077421730 5 bytes JMP 00000000775802d0 .text C:\Windows\system32\svchost.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077421750 5 bytes JMP 0000000077580310 .text C:\Windows\system32\svchost.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077421790 5 bytes JMP 00000000775803c0 .text C:\Windows\system32\svchost.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000774217e0 5 bytes JMP 00000000775803f0 .text C:\Windows\system32\svchost.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077421940 5 bytes JMP 0000000077580230 .text C:\Windows\system32\svchost.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077421b00 5 bytes JMP 0000000077580480 .text C:\Windows\system32\svchost.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077421b30 5 bytes JMP 00000000775803a0 .text C:\Windows\system32\svchost.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077421c10 5 bytes JMP 00000000775802f0 .text C:\Windows\system32\svchost.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077421c20 5 bytes JMP 0000000077580350 .text C:\Windows\system32\svchost.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077421c80 5 bytes JMP 0000000077580290 .text C:\Windows\system32\svchost.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077421d10 5 bytes JMP 00000000775802b0 .text C:\Windows\system32\svchost.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077421d30 5 bytes JMP 00000000775803d0 .text C:\Windows\system32\svchost.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077421d40 5 bytes JMP 0000000077580330 .text C:\Windows\system32\svchost.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077421db0 5 bytes JMP 0000000077580410 .text C:\Windows\system32\svchost.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077421de0 5 bytes JMP 0000000077580240 .text C:\Windows\system32\svchost.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000774220a0 5 bytes JMP 00000000775801e0 .text C:\Windows\system32\svchost.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077422160 5 bytes JMP 0000000077580250 .text C:\Windows\system32\svchost.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077422190 5 bytes JMP 0000000077580490 .text C:\Windows\system32\svchost.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000774221a0 5 bytes JMP 00000000775804a0 .text C:\Windows\system32\svchost.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000774221d0 5 bytes JMP 0000000077580300 .text C:\Windows\system32\svchost.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000774221e0 5 bytes JMP 0000000077580360 .text C:\Windows\system32\svchost.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077422240 5 bytes JMP 00000000775802a0 .text C:\Windows\system32\svchost.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077422290 5 bytes JMP 00000000775802c0 .text C:\Windows\system32\svchost.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000774222c0 5 bytes JMP 0000000077580380 .text C:\Windows\system32\svchost.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000774222d0 5 bytes JMP 0000000077580340 .text C:\Windows\system32\svchost.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000774225c0 5 bytes JMP 0000000077580440 .text C:\Windows\system32\svchost.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000774227c0 5 bytes JMP 0000000077580260 .text C:\Windows\system32\svchost.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000774227d0 5 bytes JMP 0000000077580270 .text C:\Windows\system32\svchost.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000774227e0 5 bytes JMP 0000000077580400 .text C:\Windows\system32\svchost.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000774229a0 5 bytes JMP 00000000775801f0 .text C:\Windows\system32\svchost.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000774229b0 5 bytes JMP 0000000077580210 .text C:\Windows\system32\svchost.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077422a20 5 bytes JMP 0000000077580200 .text C:\Windows\system32\svchost.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077422a80 5 bytes JMP 0000000077580420 .text C:\Windows\system32\svchost.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077422a90 5 bytes JMP 0000000077580430 .text C:\Windows\system32\svchost.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077422aa0 5 bytes JMP 0000000077580220 .text C:\Windows\system32\svchost.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077422b80 5 bytes JMP 0000000077580280 .text C:\Windows\system32\svchost.exe[1004] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007720ef8d 1 byte [62] .text C:\Windows\system32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077421360 5 bytes JMP 0000000077580460 .text C:\Windows\system32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000774213b0 5 bytes JMP 0000000077580450 .text C:\Windows\system32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077421510 5 bytes JMP 0000000077580370 .text C:\Windows\system32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077421560 5 bytes JMP 0000000077580470 .text C:\Windows\system32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077421570 5 bytes JMP 00000000775803e0 .text C:\Windows\system32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077421620 5 bytes JMP 0000000077580320 .text C:\Windows\system32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077421650 5 bytes JMP 00000000775803b0 .text C:\Windows\system32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077421670 5 bytes JMP 0000000077580390 .text C:\Windows\system32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000774216b0 5 bytes JMP 00000000775802e0 .text C:\Windows\system32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077421730 5 bytes JMP 00000000775802d0 .text C:\Windows\system32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077421750 5 bytes JMP 0000000077580310 .text C:\Windows\system32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077421790 5 bytes JMP 00000000775803c0 .text C:\Windows\system32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000774217e0 5 bytes JMP 00000000775803f0 .text C:\Windows\system32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077421940 5 bytes JMP 0000000077580230 .text C:\Windows\system32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077421b00 5 bytes JMP 0000000077580480 .text C:\Windows\system32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077421b30 5 bytes JMP 00000000775803a0 .text C:\Windows\system32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077421c10 5 bytes JMP 00000000775802f0 .text C:\Windows\system32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077421c20 5 bytes JMP 0000000077580350 .text C:\Windows\system32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077421c80 5 bytes JMP 0000000077580290 .text C:\Windows\system32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077421d10 5 bytes JMP 00000000775802b0 .text C:\Windows\system32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077421d30 5 bytes JMP 00000000775803d0 .text C:\Windows\system32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077421d40 5 bytes JMP 0000000077580330 .text C:\Windows\system32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077421db0 5 bytes JMP 0000000077580410 .text C:\Windows\system32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077421de0 5 bytes JMP 0000000077580240 .text C:\Windows\system32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000774220a0 5 bytes JMP 00000000775801e0 .text C:\Windows\system32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077422160 5 bytes JMP 0000000077580250 .text C:\Windows\system32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077422190 5 bytes JMP 0000000077580490 .text C:\Windows\system32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000774221a0 5 bytes JMP 00000000775804a0 .text C:\Windows\system32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000774221d0 5 bytes JMP 0000000077580300 .text C:\Windows\system32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000774221e0 5 bytes JMP 0000000077580360 .text C:\Windows\system32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077422240 5 bytes JMP 00000000775802a0 .text C:\Windows\system32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077422290 5 bytes JMP 00000000775802c0 .text C:\Windows\system32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000774222c0 5 bytes JMP 0000000077580380 .text C:\Windows\system32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000774222d0 5 bytes JMP 0000000077580340 .text C:\Windows\system32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000774225c0 5 bytes JMP 0000000077580440 .text C:\Windows\system32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000774227c0 5 bytes JMP 0000000077580260 .text C:\Windows\system32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000774227d0 5 bytes JMP 0000000077580270 .text C:\Windows\system32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000774227e0 5 bytes JMP 0000000077580400 .text C:\Windows\system32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000774229a0 5 bytes JMP 00000000775801f0 .text C:\Windows\system32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000774229b0 5 bytes JMP 0000000077580210 .text C:\Windows\system32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077422a20 5 bytes JMP 0000000077580200 .text C:\Windows\system32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077422a80 5 bytes JMP 0000000077580420 .text C:\Windows\system32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077422a90 5 bytes JMP 0000000077580430 .text C:\Windows\system32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077422aa0 5 bytes JMP 0000000077580220 .text C:\Windows\system32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077422b80 5 bytes JMP 0000000077580280 .text C:\Windows\System32\spoolsv.exe[1408] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077421360 5 bytes JMP 0000000077580460 .text C:\Windows\System32\spoolsv.exe[1408] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000774213b0 5 bytes JMP 0000000077580450 .text C:\Windows\System32\spoolsv.exe[1408] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077421510 5 bytes JMP 0000000077580370 .text C:\Windows\System32\spoolsv.exe[1408] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077421560 5 bytes JMP 0000000077580470 .text C:\Windows\System32\spoolsv.exe[1408] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077421570 5 bytes JMP 00000000775803e0 .text C:\Windows\System32\spoolsv.exe[1408] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077421620 5 bytes JMP 0000000077580320 .text C:\Windows\System32\spoolsv.exe[1408] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077421650 5 bytes JMP 00000000775803b0 .text C:\Windows\System32\spoolsv.exe[1408] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077421670 5 bytes JMP 0000000077580390 .text C:\Windows\System32\spoolsv.exe[1408] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000774216b0 5 bytes JMP 00000000775802e0 .text C:\Windows\System32\spoolsv.exe[1408] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077421730 5 bytes JMP 00000000775802d0 .text C:\Windows\System32\spoolsv.exe[1408] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077421750 5 bytes JMP 0000000077580310 .text C:\Windows\System32\spoolsv.exe[1408] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077421790 5 bytes JMP 00000000775803c0 .text C:\Windows\System32\spoolsv.exe[1408] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000774217e0 5 bytes JMP 00000000775803f0 .text C:\Windows\System32\spoolsv.exe[1408] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077421940 5 bytes JMP 0000000077580230 .text C:\Windows\System32\spoolsv.exe[1408] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077421b00 5 bytes JMP 0000000077580480 .text C:\Windows\System32\spoolsv.exe[1408] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077421b30 5 bytes JMP 00000000775803a0 .text C:\Windows\System32\spoolsv.exe[1408] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077421c10 5 bytes JMP 00000000775802f0 .text C:\Windows\System32\spoolsv.exe[1408] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077421c20 5 bytes JMP 0000000077580350 .text C:\Windows\System32\spoolsv.exe[1408] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077421c80 5 bytes JMP 0000000077580290 .text C:\Windows\System32\spoolsv.exe[1408] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077421d10 5 bytes JMP 00000000775802b0 .text C:\Windows\System32\spoolsv.exe[1408] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077421d30 5 bytes JMP 00000000775803d0 .text C:\Windows\System32\spoolsv.exe[1408] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077421d40 5 bytes JMP 0000000077580330 .text C:\Windows\System32\spoolsv.exe[1408] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077421db0 5 bytes JMP 0000000077580410 .text C:\Windows\System32\spoolsv.exe[1408] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077421de0 5 bytes JMP 0000000077580240 .text C:\Windows\System32\spoolsv.exe[1408] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000774220a0 5 bytes JMP 00000000775801e0 .text C:\Windows\System32\spoolsv.exe[1408] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077422160 5 bytes JMP 0000000077580250 .text C:\Windows\System32\spoolsv.exe[1408] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077422190 5 bytes JMP 0000000077580490 .text C:\Windows\System32\spoolsv.exe[1408] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000774221a0 5 bytes JMP 00000000775804a0 .text C:\Windows\System32\spoolsv.exe[1408] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000774221d0 5 bytes JMP 0000000077580300 .text C:\Windows\System32\spoolsv.exe[1408] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000774221e0 5 bytes JMP 0000000077580360 .text C:\Windows\System32\spoolsv.exe[1408] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077422240 5 bytes JMP 00000000775802a0 .text C:\Windows\System32\spoolsv.exe[1408] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077422290 5 bytes JMP 00000000775802c0 .text C:\Windows\System32\spoolsv.exe[1408] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000774222c0 5 bytes JMP 0000000077580380 .text C:\Windows\System32\spoolsv.exe[1408] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000774222d0 5 bytes JMP 0000000077580340 .text C:\Windows\System32\spoolsv.exe[1408] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000774225c0 5 bytes JMP 0000000077580440 .text C:\Windows\System32\spoolsv.exe[1408] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000774227c0 5 bytes JMP 0000000077580260 .text C:\Windows\System32\spoolsv.exe[1408] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000774227d0 5 bytes JMP 0000000077580270 .text C:\Windows\System32\spoolsv.exe[1408] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000774227e0 5 bytes JMP 0000000077580400 .text C:\Windows\System32\spoolsv.exe[1408] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000774229a0 5 bytes JMP 00000000775801f0 .text C:\Windows\System32\spoolsv.exe[1408] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000774229b0 5 bytes JMP 0000000077580210 .text C:\Windows\System32\spoolsv.exe[1408] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077422a20 5 bytes JMP 0000000077580200 .text C:\Windows\System32\spoolsv.exe[1408] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077422a80 5 bytes JMP 0000000077580420 .text C:\Windows\System32\spoolsv.exe[1408] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077422a90 5 bytes JMP 0000000077580430 .text C:\Windows\System32\spoolsv.exe[1408] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077422aa0 5 bytes JMP 0000000077580220 .text C:\Windows\System32\spoolsv.exe[1408] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077422b80 5 bytes JMP 0000000077580280 .text C:\Windows\system32\svchost.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077421360 5 bytes JMP 0000000077580460 .text C:\Windows\system32\svchost.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000774213b0 5 bytes JMP 0000000077580450 .text C:\Windows\system32\svchost.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077421510 5 bytes JMP 0000000077580370 .text C:\Windows\system32\svchost.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077421560 5 bytes JMP 0000000077580470 .text C:\Windows\system32\svchost.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077421570 5 bytes JMP 00000000775803e0 .text C:\Windows\system32\svchost.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077421620 5 bytes JMP 0000000077580320 .text C:\Windows\system32\svchost.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077421650 5 bytes JMP 00000000775803b0 .text C:\Windows\system32\svchost.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077421670 5 bytes JMP 0000000077580390 .text C:\Windows\system32\svchost.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000774216b0 5 bytes JMP 00000000775802e0 .text C:\Windows\system32\svchost.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077421730 5 bytes JMP 00000000775802d0 .text C:\Windows\system32\svchost.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077421750 5 bytes JMP 0000000077580310 .text C:\Windows\system32\svchost.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077421790 5 bytes JMP 00000000775803c0 .text C:\Windows\system32\svchost.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000774217e0 5 bytes JMP 00000000775803f0 .text C:\Windows\system32\svchost.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077421940 5 bytes JMP 0000000077580230 .text C:\Windows\system32\svchost.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077421b00 5 bytes JMP 0000000077580480 .text C:\Windows\system32\svchost.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077421b30 5 bytes JMP 00000000775803a0 .text C:\Windows\system32\svchost.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077421c10 5 bytes JMP 00000000775802f0 .text C:\Windows\system32\svchost.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077421c20 5 bytes JMP 0000000077580350 .text C:\Windows\system32\svchost.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077421c80 5 bytes JMP 0000000077580290 .text C:\Windows\system32\svchost.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077421d10 5 bytes JMP 00000000775802b0 .text C:\Windows\system32\svchost.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077421d30 5 bytes JMP 00000000775803d0 .text C:\Windows\system32\svchost.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077421d40 5 bytes JMP 0000000077580330 .text C:\Windows\system32\svchost.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077421db0 5 bytes JMP 0000000077580410 .text C:\Windows\system32\svchost.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077421de0 5 bytes JMP 0000000077580240 .text C:\Windows\system32\svchost.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000774220a0 5 bytes JMP 00000000775801e0 .text C:\Windows\system32\svchost.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077422160 5 bytes JMP 0000000077580250 .text C:\Windows\system32\svchost.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077422190 5 bytes JMP 0000000077580490 .text C:\Windows\system32\svchost.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000774221a0 5 bytes JMP 00000000775804a0 .text C:\Windows\system32\svchost.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000774221d0 5 bytes JMP 0000000077580300 .text C:\Windows\system32\svchost.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000774221e0 5 bytes JMP 0000000077580360 .text C:\Windows\system32\svchost.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077422240 5 bytes JMP 00000000775802a0 .text C:\Windows\system32\svchost.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077422290 5 bytes JMP 00000000775802c0 .text C:\Windows\system32\svchost.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000774222c0 5 bytes JMP 0000000077580380 .text C:\Windows\system32\svchost.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000774222d0 5 bytes JMP 0000000077580340 .text C:\Windows\system32\svchost.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000774225c0 5 bytes JMP 0000000077580440 .text C:\Windows\system32\svchost.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000774227c0 5 bytes JMP 0000000077580260 .text C:\Windows\system32\svchost.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000774227d0 5 bytes JMP 0000000077580270 .text C:\Windows\system32\svchost.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000774227e0 5 bytes JMP 0000000077580400 .text C:\Windows\system32\svchost.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000774229a0 5 bytes JMP 00000000775801f0 .text C:\Windows\system32\svchost.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000774229b0 5 bytes JMP 0000000077580210 .text C:\Windows\system32\svchost.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077422a20 5 bytes JMP 0000000077580200 .text C:\Windows\system32\svchost.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077422a80 5 bytes JMP 0000000077580420 .text C:\Windows\system32\svchost.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077422a90 5 bytes JMP 0000000077580430 .text C:\Windows\system32\svchost.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077422aa0 5 bytes JMP 0000000077580220 .text C:\Windows\system32\svchost.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077422b80 5 bytes JMP 0000000077580280 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1544] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007648a2fd 1 byte [62] .text C:\Windows\system32\taskhost.exe[1824] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077421360 5 bytes JMP 0000000077580460 .text C:\Windows\system32\taskhost.exe[1824] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000774213b0 5 bytes JMP 0000000077580450 .text C:\Windows\system32\taskhost.exe[1824] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077421510 5 bytes JMP 0000000077580370 .text C:\Windows\system32\taskhost.exe[1824] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077421560 5 bytes JMP 0000000077580470 .text C:\Windows\system32\taskhost.exe[1824] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077421570 5 bytes JMP 00000000775803e0 .text C:\Windows\system32\taskhost.exe[1824] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077421620 5 bytes JMP 0000000077580320 .text C:\Windows\system32\taskhost.exe[1824] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077421650 5 bytes JMP 00000000775803b0 .text C:\Windows\system32\taskhost.exe[1824] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077421670 5 bytes JMP 0000000077580390 .text C:\Windows\system32\taskhost.exe[1824] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000774216b0 5 bytes JMP 00000000775802e0 .text C:\Windows\system32\taskhost.exe[1824] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077421730 5 bytes JMP 00000000775802d0 .text C:\Windows\system32\taskhost.exe[1824] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077421750 5 bytes JMP 0000000077580310 .text C:\Windows\system32\taskhost.exe[1824] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077421790 5 bytes JMP 00000000775803c0 .text C:\Windows\system32\taskhost.exe[1824] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000774217e0 5 bytes JMP 00000000775803f0 .text C:\Windows\system32\taskhost.exe[1824] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077421940 5 bytes JMP 0000000077580230 .text C:\Windows\system32\taskhost.exe[1824] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077421b00 5 bytes JMP 0000000077580480 .text C:\Windows\system32\taskhost.exe[1824] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077421b30 5 bytes JMP 00000000775803a0 .text C:\Windows\system32\taskhost.exe[1824] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077421c10 5 bytes JMP 00000000775802f0 .text C:\Windows\system32\taskhost.exe[1824] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077421c20 5 bytes JMP 0000000077580350 .text C:\Windows\system32\taskhost.exe[1824] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077421c80 5 bytes JMP 0000000077580290 .text C:\Windows\system32\taskhost.exe[1824] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077421d10 5 bytes JMP 00000000775802b0 .text C:\Windows\system32\taskhost.exe[1824] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077421d30 5 bytes JMP 00000000775803d0 .text C:\Windows\system32\taskhost.exe[1824] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077421d40 5 bytes JMP 0000000077580330 .text C:\Windows\system32\taskhost.exe[1824] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077421db0 5 bytes JMP 0000000077580410 .text C:\Windows\system32\taskhost.exe[1824] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077421de0 5 bytes JMP 0000000077580240 .text C:\Windows\system32\taskhost.exe[1824] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000774220a0 5 bytes JMP 00000000775801e0 .text C:\Windows\system32\taskhost.exe[1824] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077422160 5 bytes JMP 0000000077580250 .text C:\Windows\system32\taskhost.exe[1824] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077422190 5 bytes JMP 0000000077580490 .text C:\Windows\system32\taskhost.exe[1824] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000774221a0 5 bytes JMP 00000000775804a0 .text C:\Windows\system32\taskhost.exe[1824] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000774221d0 5 bytes JMP 0000000077580300 .text C:\Windows\system32\taskhost.exe[1824] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000774221e0 5 bytes JMP 0000000077580360 .text C:\Windows\system32\taskhost.exe[1824] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077422240 5 bytes JMP 00000000775802a0 .text C:\Windows\system32\taskhost.exe[1824] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077422290 5 bytes JMP 00000000775802c0 .text C:\Windows\system32\taskhost.exe[1824] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000774222c0 5 bytes JMP 0000000077580380 .text C:\Windows\system32\taskhost.exe[1824] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000774222d0 5 bytes JMP 0000000077580340 .text C:\Windows\system32\taskhost.exe[1824] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000774225c0 5 bytes JMP 0000000077580440 .text C:\Windows\system32\taskhost.exe[1824] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000774227c0 5 bytes JMP 0000000077580260 .text C:\Windows\system32\taskhost.exe[1824] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000774227d0 5 bytes JMP 0000000077580270 .text C:\Windows\system32\taskhost.exe[1824] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000774227e0 5 bytes JMP 0000000077580400 .text C:\Windows\system32\taskhost.exe[1824] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000774229a0 5 bytes JMP 00000000775801f0 .text C:\Windows\system32\taskhost.exe[1824] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000774229b0 5 bytes JMP 0000000077580210 .text C:\Windows\system32\taskhost.exe[1824] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077422a20 5 bytes JMP 0000000077580200 .text C:\Windows\system32\taskhost.exe[1824] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077422a80 5 bytes JMP 0000000077580420 .text C:\Windows\system32\taskhost.exe[1824] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077422a90 5 bytes JMP 0000000077580430 .text C:\Windows\system32\taskhost.exe[1824] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077422aa0 5 bytes JMP 0000000077580220 .text C:\Windows\system32\taskhost.exe[1824] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077422b80 5 bytes JMP 0000000077580280 .text C:\Windows\System32\rundll32.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077421360 5 bytes JMP 0000000077580460 .text C:\Windows\System32\rundll32.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000774213b0 5 bytes JMP 0000000077580450 .text C:\Windows\System32\rundll32.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077421510 5 bytes JMP 0000000077580370 .text C:\Windows\System32\rundll32.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077421560 5 bytes JMP 0000000077580470 .text C:\Windows\System32\rundll32.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077421570 5 bytes JMP 00000000775803e0 .text C:\Windows\System32\rundll32.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077421620 5 bytes JMP 0000000077580320 .text C:\Windows\System32\rundll32.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077421650 5 bytes JMP 00000000775803b0 .text C:\Windows\System32\rundll32.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077421670 5 bytes JMP 0000000077580390 .text C:\Windows\System32\rundll32.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000774216b0 5 bytes JMP 00000000775802e0 .text C:\Windows\System32\rundll32.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077421730 5 bytes JMP 00000000775802d0 .text C:\Windows\System32\rundll32.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077421750 5 bytes JMP 0000000077580310 .text C:\Windows\System32\rundll32.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077421790 5 bytes JMP 00000000775803c0 .text C:\Windows\System32\rundll32.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000774217e0 5 bytes JMP 00000000775803f0 .text C:\Windows\System32\rundll32.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077421940 5 bytes JMP 0000000077580230 .text C:\Windows\System32\rundll32.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077421b00 5 bytes JMP 0000000077580480 .text C:\Windows\System32\rundll32.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077421b30 5 bytes JMP 00000000775803a0 .text C:\Windows\System32\rundll32.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077421c10 5 bytes JMP 00000000775802f0 .text C:\Windows\System32\rundll32.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077421c20 5 bytes JMP 0000000077580350 .text C:\Windows\System32\rundll32.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077421c80 5 bytes JMP 0000000077580290 .text C:\Windows\System32\rundll32.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077421d10 5 bytes JMP 00000000775802b0 .text C:\Windows\System32\rundll32.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077421d30 5 bytes JMP 00000000775803d0 .text C:\Windows\System32\rundll32.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077421d40 5 bytes JMP 0000000077580330 .text C:\Windows\System32\rundll32.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077421db0 5 bytes JMP 0000000077580410 .text C:\Windows\System32\rundll32.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077421de0 5 bytes JMP 0000000077580240 .text C:\Windows\System32\rundll32.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000774220a0 5 bytes JMP 00000000775801e0 .text C:\Windows\System32\rundll32.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077422160 5 bytes JMP 0000000077580250 .text C:\Windows\System32\rundll32.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077422190 5 bytes JMP 0000000077580490 .text C:\Windows\System32\rundll32.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000774221a0 5 bytes JMP 00000000775804a0 .text C:\Windows\System32\rundll32.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000774221d0 5 bytes JMP 0000000077580300 .text C:\Windows\System32\rundll32.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000774221e0 5 bytes JMP 0000000077580360 .text C:\Windows\System32\rundll32.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077422240 5 bytes JMP 00000000775802a0 .text C:\Windows\System32\rundll32.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077422290 5 bytes JMP 00000000775802c0 .text C:\Windows\System32\rundll32.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000774222c0 5 bytes JMP 0000000077580380 .text C:\Windows\System32\rundll32.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000774222d0 5 bytes JMP 0000000077580340 .text C:\Windows\System32\rundll32.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000774225c0 5 bytes JMP 0000000077580440 .text C:\Windows\System32\rundll32.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000774227c0 5 bytes JMP 0000000077580260 .text C:\Windows\System32\rundll32.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000774227d0 5 bytes JMP 0000000077580270 .text C:\Windows\System32\rundll32.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000774227e0 5 bytes JMP 0000000077580400 .text C:\Windows\System32\rundll32.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000774229a0 5 bytes JMP 00000000775801f0 .text C:\Windows\System32\rundll32.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000774229b0 5 bytes JMP 0000000077580210 .text C:\Windows\System32\rundll32.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077422a20 5 bytes JMP 0000000077580200 .text C:\Windows\System32\rundll32.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077422a80 5 bytes JMP 0000000077580420 .text C:\Windows\System32\rundll32.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077422a90 5 bytes JMP 0000000077580430 .text C:\Windows\System32\rundll32.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077422aa0 5 bytes JMP 0000000077580220 .text C:\Windows\System32\rundll32.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077422b80 5 bytes JMP 0000000077580280 .text C:\Windows\System32\rundll32.exe[2000] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007720ef8d 1 byte [62] .text C:\Windows\system32\Dwm.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077421360 5 bytes JMP 0000000077580460 .text C:\Windows\system32\Dwm.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000774213b0 5 bytes JMP 0000000077580450 .text C:\Windows\system32\Dwm.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077421510 5 bytes JMP 0000000077580370 .text C:\Windows\system32\Dwm.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077421560 5 bytes JMP 0000000077580470 .text C:\Windows\system32\Dwm.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077421570 5 bytes JMP 00000000775803e0 .text C:\Windows\system32\Dwm.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077421620 5 bytes JMP 0000000077580320 .text C:\Windows\system32\Dwm.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077421650 5 bytes JMP 00000000775803b0 .text C:\Windows\system32\Dwm.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077421670 5 bytes JMP 0000000077580390 .text C:\Windows\system32\Dwm.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000774216b0 5 bytes JMP 00000000775802e0 .text C:\Windows\system32\Dwm.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077421730 5 bytes JMP 00000000775802d0 .text C:\Windows\system32\Dwm.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077421750 5 bytes JMP 0000000077580310 .text C:\Windows\system32\Dwm.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077421790 5 bytes JMP 00000000775803c0 .text C:\Windows\system32\Dwm.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000774217e0 5 bytes JMP 00000000775803f0 .text C:\Windows\system32\Dwm.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077421940 5 bytes JMP 0000000077580230 .text C:\Windows\system32\Dwm.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077421b00 5 bytes JMP 0000000077580480 .text C:\Windows\system32\Dwm.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077421b30 5 bytes JMP 00000000775803a0 .text C:\Windows\system32\Dwm.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077421c10 5 bytes JMP 00000000775802f0 .text C:\Windows\system32\Dwm.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077421c20 5 bytes JMP 0000000077580350 .text C:\Windows\system32\Dwm.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077421c80 5 bytes JMP 0000000077580290 .text C:\Windows\system32\Dwm.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077421d10 5 bytes JMP 00000000775802b0 .text C:\Windows\system32\Dwm.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077421d30 5 bytes JMP 00000000775803d0 .text C:\Windows\system32\Dwm.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077421d40 5 bytes JMP 0000000077580330 .text C:\Windows\system32\Dwm.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077421db0 5 bytes JMP 0000000077580410 .text C:\Windows\system32\Dwm.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077421de0 5 bytes JMP 0000000077580240 .text C:\Windows\system32\Dwm.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000774220a0 5 bytes JMP 00000000775801e0 .text C:\Windows\system32\Dwm.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077422160 5 bytes JMP 0000000077580250 .text C:\Windows\system32\Dwm.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077422190 5 bytes JMP 0000000077580490 .text C:\Windows\system32\Dwm.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000774221a0 5 bytes JMP 00000000775804a0 .text C:\Windows\system32\Dwm.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000774221d0 5 bytes JMP 0000000077580300 .text C:\Windows\system32\Dwm.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000774221e0 5 bytes JMP 0000000077580360 .text C:\Windows\system32\Dwm.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077422240 5 bytes JMP 00000000775802a0 .text C:\Windows\system32\Dwm.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077422290 5 bytes JMP 00000000775802c0 .text C:\Windows\system32\Dwm.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000774222c0 5 bytes JMP 0000000077580380 .text C:\Windows\system32\Dwm.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000774222d0 5 bytes JMP 0000000077580340 .text C:\Windows\system32\Dwm.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000774225c0 5 bytes JMP 0000000077580440 .text C:\Windows\system32\Dwm.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000774227c0 5 bytes JMP 0000000077580260 .text C:\Windows\system32\Dwm.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000774227d0 5 bytes JMP 0000000077580270 .text C:\Windows\system32\Dwm.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000774227e0 5 bytes JMP 0000000077580400 .text C:\Windows\system32\Dwm.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000774229a0 5 bytes JMP 00000000775801f0 .text C:\Windows\system32\Dwm.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000774229b0 5 bytes JMP 0000000077580210 .text C:\Windows\system32\Dwm.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077422a20 5 bytes JMP 0000000077580200 .text C:\Windows\system32\Dwm.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077422a80 5 bytes JMP 0000000077580420 .text C:\Windows\system32\Dwm.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077422a90 5 bytes JMP 0000000077580430 .text C:\Windows\system32\Dwm.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077422aa0 5 bytes JMP 0000000077580220 .text C:\Windows\system32\Dwm.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077422b80 5 bytes JMP 0000000077580280 .text C:\Windows\Explorer.EXE[1352] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077421360 5 bytes JMP 0000000077580460 .text C:\Windows\Explorer.EXE[1352] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000774213b0 5 bytes JMP 0000000077580450 .text C:\Windows\Explorer.EXE[1352] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077421510 5 bytes JMP 0000000077580370 .text C:\Windows\Explorer.EXE[1352] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077421560 5 bytes JMP 0000000077580470 .text C:\Windows\Explorer.EXE[1352] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077421570 5 bytes JMP 00000000775803e0 .text C:\Windows\Explorer.EXE[1352] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077421620 5 bytes JMP 0000000077580320 .text C:\Windows\Explorer.EXE[1352] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077421650 5 bytes JMP 00000000775803b0 .text C:\Windows\Explorer.EXE[1352] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077421670 5 bytes JMP 0000000077580390 .text C:\Windows\Explorer.EXE[1352] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000774216b0 5 bytes JMP 00000000775802e0 .text C:\Windows\Explorer.EXE[1352] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077421730 5 bytes JMP 00000000775802d0 .text C:\Windows\Explorer.EXE[1352] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077421750 5 bytes JMP 0000000077580310 .text C:\Windows\Explorer.EXE[1352] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077421790 5 bytes JMP 00000000775803c0 .text C:\Windows\Explorer.EXE[1352] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000774217e0 5 bytes JMP 00000000775803f0 .text C:\Windows\Explorer.EXE[1352] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077421940 5 bytes JMP 0000000077580230 .text C:\Windows\Explorer.EXE[1352] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077421b00 5 bytes JMP 0000000077580480 .text C:\Windows\Explorer.EXE[1352] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077421b30 5 bytes JMP 00000000775803a0 .text C:\Windows\Explorer.EXE[1352] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077421c10 5 bytes JMP 00000000775802f0 .text C:\Windows\Explorer.EXE[1352] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077421c20 5 bytes JMP 0000000077580350 .text C:\Windows\Explorer.EXE[1352] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077421c80 5 bytes JMP 0000000077580290 .text C:\Windows\Explorer.EXE[1352] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077421d10 5 bytes JMP 00000000775802b0 .text C:\Windows\Explorer.EXE[1352] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077421d30 5 bytes JMP 00000000775803d0 .text C:\Windows\Explorer.EXE[1352] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077421d40 5 bytes JMP 0000000077580330 .text C:\Windows\Explorer.EXE[1352] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077421db0 5 bytes JMP 0000000077580410 .text C:\Windows\Explorer.EXE[1352] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077421de0 5 bytes JMP 0000000077580240 .text C:\Windows\Explorer.EXE[1352] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000774220a0 5 bytes JMP 00000000775801e0 .text C:\Windows\Explorer.EXE[1352] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077422160 5 bytes JMP 0000000077580250 .text C:\Windows\Explorer.EXE[1352] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077422190 5 bytes JMP 0000000077580490 .text C:\Windows\Explorer.EXE[1352] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000774221a0 5 bytes JMP 00000000775804a0 .text C:\Windows\Explorer.EXE[1352] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000774221d0 5 bytes JMP 0000000077580300 .text C:\Windows\Explorer.EXE[1352] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000774221e0 5 bytes JMP 0000000077580360 .text C:\Windows\Explorer.EXE[1352] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077422240 5 bytes JMP 00000000775802a0 .text C:\Windows\Explorer.EXE[1352] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077422290 5 bytes JMP 00000000775802c0 .text C:\Windows\Explorer.EXE[1352] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000774222c0 5 bytes JMP 0000000077580380 .text C:\Windows\Explorer.EXE[1352] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000774222d0 5 bytes JMP 0000000077580340 .text C:\Windows\Explorer.EXE[1352] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000774225c0 5 bytes JMP 0000000077580440 .text C:\Windows\Explorer.EXE[1352] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000774227c0 5 bytes JMP 0000000077580260 .text C:\Windows\Explorer.EXE[1352] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000774227d0 5 bytes JMP 0000000077580270 .text C:\Windows\Explorer.EXE[1352] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000774227e0 5 bytes JMP 0000000077580400 .text C:\Windows\Explorer.EXE[1352] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000774229a0 5 bytes JMP 00000000775801f0 .text C:\Windows\Explorer.EXE[1352] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000774229b0 5 bytes JMP 0000000077580210 .text C:\Windows\Explorer.EXE[1352] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077422a20 5 bytes JMP 0000000077580200 .text C:\Windows\Explorer.EXE[1352] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077422a80 5 bytes JMP 0000000077580420 .text C:\Windows\Explorer.EXE[1352] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077422a90 5 bytes JMP 0000000077580430 .text C:\Windows\Explorer.EXE[1352] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077422aa0 5 bytes JMP 0000000077580220 .text C:\Windows\Explorer.EXE[1352] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077422b80 5 bytes JMP 0000000077580280 .text C:\Windows\Explorer.EXE[1352] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007720ef8d 1 byte [62] .text C:\Windows\system32\svchost.exe[2420] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077421360 5 bytes JMP 0000000077580460 .text C:\Windows\system32\svchost.exe[2420] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000774213b0 5 bytes JMP 0000000077580450 .text C:\Windows\system32\svchost.exe[2420] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077421510 5 bytes JMP 0000000077580370 .text C:\Windows\system32\svchost.exe[2420] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077421560 5 bytes JMP 0000000077580470 .text C:\Windows\system32\svchost.exe[2420] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077421570 5 bytes JMP 00000000775803e0 .text C:\Windows\system32\svchost.exe[2420] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077421620 5 bytes JMP 0000000077580320 .text C:\Windows\system32\svchost.exe[2420] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077421650 5 bytes JMP 00000000775803b0 .text C:\Windows\system32\svchost.exe[2420] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077421670 5 bytes JMP 0000000077580390 .text C:\Windows\system32\svchost.exe[2420] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000774216b0 5 bytes JMP 00000000775802e0 .text C:\Windows\system32\svchost.exe[2420] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077421730 5 bytes JMP 00000000775802d0 .text C:\Windows\system32\svchost.exe[2420] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077421750 5 bytes JMP 0000000077580310 .text C:\Windows\system32\svchost.exe[2420] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077421790 5 bytes JMP 00000000775803c0 .text C:\Windows\system32\svchost.exe[2420] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000774217e0 5 bytes JMP 00000000775803f0 .text C:\Windows\system32\svchost.exe[2420] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077421940 5 bytes JMP 0000000077580230 .text C:\Windows\system32\svchost.exe[2420] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077421b00 5 bytes JMP 0000000077580480 .text C:\Windows\system32\svchost.exe[2420] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077421b30 5 bytes JMP 00000000775803a0 .text C:\Windows\system32\svchost.exe[2420] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077421c10 5 bytes JMP 00000000775802f0 .text C:\Windows\system32\svchost.exe[2420] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077421c20 5 bytes JMP 0000000077580350 .text C:\Windows\system32\svchost.exe[2420] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077421c80 5 bytes JMP 0000000077580290 .text C:\Windows\system32\svchost.exe[2420] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077421d10 5 bytes JMP 00000000775802b0 .text C:\Windows\system32\svchost.exe[2420] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077421d30 5 bytes JMP 00000000775803d0 .text C:\Windows\system32\svchost.exe[2420] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077421d40 5 bytes JMP 0000000077580330 .text C:\Windows\system32\svchost.exe[2420] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077421db0 5 bytes JMP 0000000077580410 .text C:\Windows\system32\svchost.exe[2420] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077421de0 5 bytes JMP 0000000077580240 .text C:\Windows\system32\svchost.exe[2420] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000774220a0 5 bytes JMP 00000000775801e0 .text C:\Windows\system32\svchost.exe[2420] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077422160 5 bytes JMP 0000000077580250 .text C:\Windows\system32\svchost.exe[2420] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077422190 5 bytes JMP 0000000077580490 .text C:\Windows\system32\svchost.exe[2420] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000774221a0 5 bytes JMP 00000000775804a0 .text C:\Windows\system32\svchost.exe[2420] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000774221d0 5 bytes JMP 0000000077580300 .text C:\Windows\system32\svchost.exe[2420] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000774221e0 5 bytes JMP 0000000077580360 .text C:\Windows\system32\svchost.exe[2420] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077422240 5 bytes JMP 00000000775802a0 .text C:\Windows\system32\svchost.exe[2420] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077422290 5 bytes JMP 00000000775802c0 .text C:\Windows\system32\svchost.exe[2420] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000774222c0 5 bytes JMP 0000000077580380 .text C:\Windows\system32\svchost.exe[2420] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000774222d0 5 bytes JMP 0000000077580340 .text C:\Windows\system32\svchost.exe[2420] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000774225c0 5 bytes JMP 0000000077580440 .text C:\Windows\system32\svchost.exe[2420] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000774227c0 5 bytes JMP 0000000077580260 .text C:\Windows\system32\svchost.exe[2420] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000774227d0 5 bytes JMP 0000000077580270 .text C:\Windows\system32\svchost.exe[2420] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000774227e0 5 bytes JMP 0000000077580400 .text C:\Windows\system32\svchost.exe[2420] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000774229a0 5 bytes JMP 00000000775801f0 .text C:\Windows\system32\svchost.exe[2420] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000774229b0 5 bytes JMP 0000000077580210 .text C:\Windows\system32\svchost.exe[2420] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077422a20 5 bytes JMP 0000000077580200 .text C:\Windows\system32\svchost.exe[2420] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077422a80 5 bytes JMP 0000000077580420 .text C:\Windows\system32\svchost.exe[2420] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077422a90 5 bytes JMP 0000000077580430 .text C:\Windows\system32\svchost.exe[2420] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077422aa0 5 bytes JMP 0000000077580220 .text C:\Windows\system32\svchost.exe[2420] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077422b80 5 bytes JMP 0000000077580280 .text C:\Windows\System32\igfxtray.exe[2652] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077421360 5 bytes JMP 0000000077580460 .text C:\Windows\System32\igfxtray.exe[2652] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000774213b0 5 bytes JMP 0000000077580450 .text C:\Windows\System32\igfxtray.exe[2652] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077421510 5 bytes JMP 0000000077580370 .text C:\Windows\System32\igfxtray.exe[2652] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077421560 5 bytes JMP 0000000077580470 .text C:\Windows\System32\igfxtray.exe[2652] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077421570 5 bytes JMP 00000000775803e0 .text C:\Windows\System32\igfxtray.exe[2652] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077421620 5 bytes JMP 0000000077580320 .text C:\Windows\System32\igfxtray.exe[2652] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077421650 5 bytes JMP 00000000775803b0 .text C:\Windows\System32\igfxtray.exe[2652] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077421670 5 bytes JMP 0000000077580390 .text C:\Windows\System32\igfxtray.exe[2652] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000774216b0 5 bytes JMP 00000000775802e0 .text C:\Windows\System32\igfxtray.exe[2652] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077421730 5 bytes JMP 00000000775802d0 .text C:\Windows\System32\igfxtray.exe[2652] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077421750 5 bytes JMP 0000000077580310 .text C:\Windows\System32\igfxtray.exe[2652] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077421790 5 bytes JMP 00000000775803c0 .text C:\Windows\System32\igfxtray.exe[2652] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000774217e0 5 bytes JMP 00000000775803f0 .text C:\Windows\System32\igfxtray.exe[2652] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077421940 5 bytes JMP 0000000077580230 .text C:\Windows\System32\igfxtray.exe[2652] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077421b00 5 bytes JMP 0000000077580480 .text C:\Windows\System32\igfxtray.exe[2652] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077421b30 5 bytes JMP 00000000775803a0 .text C:\Windows\System32\igfxtray.exe[2652] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077421c10 5 bytes JMP 00000000775802f0 .text C:\Windows\System32\igfxtray.exe[2652] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077421c20 5 bytes JMP 0000000077580350 .text C:\Windows\System32\igfxtray.exe[2652] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077421c80 5 bytes JMP 0000000077580290 .text C:\Windows\System32\igfxtray.exe[2652] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077421d10 5 bytes JMP 00000000775802b0 .text C:\Windows\System32\igfxtray.exe[2652] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077421d30 5 bytes JMP 00000000775803d0 .text C:\Windows\System32\igfxtray.exe[2652] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077421d40 5 bytes JMP 0000000077580330 .text C:\Windows\System32\igfxtray.exe[2652] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077421db0 5 bytes JMP 0000000077580410 .text C:\Windows\System32\igfxtray.exe[2652] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077421de0 5 bytes JMP 0000000077580240 .text C:\Windows\System32\igfxtray.exe[2652] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000774220a0 5 bytes JMP 00000000775801e0 .text C:\Windows\System32\igfxtray.exe[2652] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077422160 5 bytes JMP 0000000077580250 .text C:\Windows\System32\igfxtray.exe[2652] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077422190 5 bytes JMP 0000000077580490 .text C:\Windows\System32\igfxtray.exe[2652] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000774221a0 5 bytes JMP 00000000775804a0 .text C:\Windows\System32\igfxtray.exe[2652] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000774221d0 5 bytes JMP 0000000077580300 .text C:\Windows\System32\igfxtray.exe[2652] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000774221e0 5 bytes JMP 0000000077580360 .text C:\Windows\System32\igfxtray.exe[2652] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077422240 5 bytes JMP 00000000775802a0 .text C:\Windows\System32\igfxtray.exe[2652] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077422290 5 bytes JMP 00000000775802c0 .text C:\Windows\System32\igfxtray.exe[2652] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000774222c0 5 bytes JMP 0000000077580380 .text C:\Windows\System32\igfxtray.exe[2652] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000774222d0 5 bytes JMP 0000000077580340 .text C:\Windows\System32\igfxtray.exe[2652] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000774225c0 5 bytes JMP 0000000077580440 .text C:\Windows\System32\igfxtray.exe[2652] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000774227c0 5 bytes JMP 0000000077580260 .text C:\Windows\System32\igfxtray.exe[2652] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000774227d0 5 bytes JMP 0000000077580270 .text C:\Windows\System32\igfxtray.exe[2652] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000774227e0 5 bytes JMP 0000000077580400 .text C:\Windows\System32\igfxtray.exe[2652] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000774229a0 5 bytes JMP 00000000775801f0 .text C:\Windows\System32\igfxtray.exe[2652] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000774229b0 5 bytes JMP 0000000077580210 .text C:\Windows\System32\igfxtray.exe[2652] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077422a20 5 bytes JMP 0000000077580200 .text C:\Windows\System32\igfxtray.exe[2652] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077422a80 5 bytes JMP 0000000077580420 .text C:\Windows\System32\igfxtray.exe[2652] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077422a90 5 bytes JMP 0000000077580430 .text C:\Windows\System32\igfxtray.exe[2652] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077422aa0 5 bytes JMP 0000000077580220 .text C:\Windows\System32\igfxtray.exe[2652] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077422b80 5 bytes JMP 0000000077580280 .text C:\Windows\System32\hkcmd.exe[2704] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077421360 5 bytes JMP 0000000077580460 .text C:\Windows\System32\hkcmd.exe[2704] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000774213b0 5 bytes JMP 0000000077580450 .text C:\Windows\System32\hkcmd.exe[2704] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077421510 5 bytes JMP 0000000077580370 .text C:\Windows\System32\hkcmd.exe[2704] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077421560 5 bytes JMP 0000000077580470 .text C:\Windows\System32\hkcmd.exe[2704] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077421570 5 bytes JMP 00000000775803e0 .text C:\Windows\System32\hkcmd.exe[2704] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077421620 5 bytes JMP 0000000077580320 .text C:\Windows\System32\hkcmd.exe[2704] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077421650 5 bytes JMP 00000000775803b0 .text C:\Windows\System32\hkcmd.exe[2704] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077421670 5 bytes JMP 0000000077580390 .text C:\Windows\System32\hkcmd.exe[2704] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000774216b0 5 bytes JMP 00000000775802e0 .text C:\Windows\System32\hkcmd.exe[2704] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077421730 5 bytes JMP 00000000775802d0 .text C:\Windows\System32\hkcmd.exe[2704] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077421750 5 bytes JMP 0000000077580310 .text C:\Windows\System32\hkcmd.exe[2704] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077421790 5 bytes JMP 00000000775803c0 .text C:\Windows\System32\hkcmd.exe[2704] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000774217e0 5 bytes JMP 00000000775803f0 .text C:\Windows\System32\hkcmd.exe[2704] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077421940 5 bytes JMP 0000000077580230 .text C:\Windows\System32\hkcmd.exe[2704] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077421b00 5 bytes JMP 0000000077580480 .text C:\Windows\System32\hkcmd.exe[2704] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077421b30 5 bytes JMP 00000000775803a0 .text C:\Windows\System32\hkcmd.exe[2704] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077421c10 5 bytes JMP 00000000775802f0 .text C:\Windows\System32\hkcmd.exe[2704] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077421c20 5 bytes JMP 0000000077580350 .text C:\Windows\System32\hkcmd.exe[2704] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077421c80 5 bytes JMP 0000000077580290 .text C:\Windows\System32\hkcmd.exe[2704] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077421d10 5 bytes JMP 00000000775802b0 .text C:\Windows\System32\hkcmd.exe[2704] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077421d30 5 bytes JMP 00000000775803d0 .text C:\Windows\System32\hkcmd.exe[2704] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077421d40 5 bytes JMP 0000000077580330 .text C:\Windows\System32\hkcmd.exe[2704] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077421db0 5 bytes JMP 0000000077580410 .text C:\Windows\System32\hkcmd.exe[2704] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077421de0 5 bytes JMP 0000000077580240 .text C:\Windows\System32\hkcmd.exe[2704] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000774220a0 5 bytes JMP 00000000775801e0 .text C:\Windows\System32\hkcmd.exe[2704] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077422160 5 bytes JMP 0000000077580250 .text C:\Windows\System32\hkcmd.exe[2704] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077422190 5 bytes JMP 0000000077580490 .text C:\Windows\System32\hkcmd.exe[2704] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000774221a0 5 bytes JMP 00000000775804a0 .text C:\Windows\System32\hkcmd.exe[2704] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000774221d0 5 bytes JMP 0000000077580300 .text C:\Windows\System32\hkcmd.exe[2704] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000774221e0 5 bytes JMP 0000000077580360 .text C:\Windows\System32\hkcmd.exe[2704] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077422240 5 bytes JMP 00000000775802a0 .text C:\Windows\System32\hkcmd.exe[2704] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077422290 5 bytes JMP 00000000775802c0 .text C:\Windows\System32\hkcmd.exe[2704] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000774222c0 5 bytes JMP 0000000077580380 .text C:\Windows\System32\hkcmd.exe[2704] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000774222d0 5 bytes JMP 0000000077580340 .text C:\Windows\System32\hkcmd.exe[2704] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000774225c0 5 bytes JMP 0000000077580440 .text C:\Windows\System32\hkcmd.exe[2704] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000774227c0 5 bytes JMP 0000000077580260 .text C:\Windows\System32\hkcmd.exe[2704] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000774227d0 5 bytes JMP 0000000077580270 .text C:\Windows\System32\hkcmd.exe[2704] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000774227e0 5 bytes JMP 0000000077580400 .text C:\Windows\System32\hkcmd.exe[2704] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000774229a0 5 bytes JMP 00000000775801f0 .text C:\Windows\System32\hkcmd.exe[2704] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000774229b0 5 bytes JMP 0000000077580210 .text C:\Windows\System32\hkcmd.exe[2704] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077422a20 5 bytes JMP 0000000077580200 .text C:\Windows\System32\hkcmd.exe[2704] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077422a80 5 bytes JMP 0000000077580420 .text C:\Windows\System32\hkcmd.exe[2704] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077422a90 5 bytes JMP 0000000077580430 .text C:\Windows\System32\hkcmd.exe[2704] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077422aa0 5 bytes JMP 0000000077580220 .text C:\Windows\System32\hkcmd.exe[2704] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077422b80 5 bytes JMP 0000000077580280 .text C:\Windows\System32\igfxpers.exe[2768] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077421360 5 bytes JMP 0000000077580460 .text C:\Windows\System32\igfxpers.exe[2768] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000774213b0 5 bytes JMP 0000000077580450 .text C:\Windows\System32\igfxpers.exe[2768] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077421510 5 bytes JMP 0000000077580370 .text C:\Windows\System32\igfxpers.exe[2768] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077421560 5 bytes JMP 0000000077580470 .text C:\Windows\System32\igfxpers.exe[2768] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077421570 5 bytes JMP 00000000775803e0 .text C:\Windows\System32\igfxpers.exe[2768] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077421620 5 bytes JMP 0000000077580320 .text C:\Windows\System32\igfxpers.exe[2768] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077421650 5 bytes JMP 00000000775803b0 .text C:\Windows\System32\igfxpers.exe[2768] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077421670 5 bytes JMP 0000000077580390 .text C:\Windows\System32\igfxpers.exe[2768] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000774216b0 5 bytes JMP 00000000775802e0 .text C:\Windows\System32\igfxpers.exe[2768] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077421730 5 bytes JMP 00000000775802d0 .text C:\Windows\System32\igfxpers.exe[2768] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077421750 5 bytes JMP 0000000077580310 .text C:\Windows\System32\igfxpers.exe[2768] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077421790 5 bytes JMP 00000000775803c0 .text C:\Windows\System32\igfxpers.exe[2768] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000774217e0 5 bytes JMP 00000000775803f0 .text C:\Windows\System32\igfxpers.exe[2768] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077421940 5 bytes JMP 0000000077580230 .text C:\Windows\System32\igfxpers.exe[2768] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077421b00 5 bytes JMP 0000000077580480 .text C:\Windows\System32\igfxpers.exe[2768] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077421b30 5 bytes JMP 00000000775803a0 .text C:\Windows\System32\igfxpers.exe[2768] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077421c10 5 bytes JMP 00000000775802f0 .text C:\Windows\System32\igfxpers.exe[2768] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077421c20 5 bytes JMP 0000000077580350 .text C:\Windows\System32\igfxpers.exe[2768] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077421c80 5 bytes JMP 0000000077580290 .text C:\Windows\System32\igfxpers.exe[2768] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077421d10 5 bytes JMP 00000000775802b0 .text C:\Windows\System32\igfxpers.exe[2768] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077421d30 5 bytes JMP 00000000775803d0 .text C:\Windows\System32\igfxpers.exe[2768] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077421d40 5 bytes JMP 0000000077580330 .text C:\Windows\System32\igfxpers.exe[2768] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077421db0 5 bytes JMP 0000000077580410 .text C:\Windows\System32\igfxpers.exe[2768] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077421de0 5 bytes JMP 0000000077580240 .text C:\Windows\System32\igfxpers.exe[2768] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000774220a0 5 bytes JMP 00000000775801e0 .text C:\Windows\System32\igfxpers.exe[2768] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077422160 5 bytes JMP 0000000077580250 .text C:\Windows\System32\igfxpers.exe[2768] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077422190 5 bytes JMP 0000000077580490 .text C:\Windows\System32\igfxpers.exe[2768] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000774221a0 5 bytes JMP 00000000775804a0 .text C:\Windows\System32\igfxpers.exe[2768] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000774221d0 5 bytes JMP 0000000077580300 .text C:\Windows\System32\igfxpers.exe[2768] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000774221e0 5 bytes JMP 0000000077580360 .text C:\Windows\System32\igfxpers.exe[2768] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077422240 5 bytes JMP 00000000775802a0 .text C:\Windows\System32\igfxpers.exe[2768] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077422290 5 bytes JMP 00000000775802c0 .text C:\Windows\System32\igfxpers.exe[2768] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000774222c0 5 bytes JMP 0000000077580380 .text C:\Windows\System32\igfxpers.exe[2768] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000774222d0 5 bytes JMP 0000000077580340 .text C:\Windows\System32\igfxpers.exe[2768] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000774225c0 5 bytes JMP 0000000077580440 .text C:\Windows\System32\igfxpers.exe[2768] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000774227c0 5 bytes JMP 0000000077580260 .text C:\Windows\System32\igfxpers.exe[2768] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000774227d0 5 bytes JMP 0000000077580270 .text C:\Windows\System32\igfxpers.exe[2768] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000774227e0 5 bytes JMP 0000000077580400 .text C:\Windows\System32\igfxpers.exe[2768] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000774229a0 5 bytes JMP 00000000775801f0 .text C:\Windows\System32\igfxpers.exe[2768] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000774229b0 5 bytes JMP 0000000077580210 .text C:\Windows\System32\igfxpers.exe[2768] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077422a20 5 bytes JMP 0000000077580200 .text C:\Windows\System32\igfxpers.exe[2768] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077422a80 5 bytes JMP 0000000077580420 .text C:\Windows\System32\igfxpers.exe[2768] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077422a90 5 bytes JMP 0000000077580430 .text C:\Windows\System32\igfxpers.exe[2768] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077422aa0 5 bytes JMP 0000000077580220 .text C:\Windows\System32\igfxpers.exe[2768] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077422b80 5 bytes JMP 0000000077580280 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2844] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077421360 5 bytes JMP 0000000077580460 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2844] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000774213b0 5 bytes JMP 0000000077580450 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2844] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077421510 5 bytes JMP 0000000077580370 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2844] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077421560 5 bytes JMP 0000000077580470 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2844] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077421570 5 bytes JMP 00000000775803e0 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2844] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077421620 5 bytes JMP 0000000077580320 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2844] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077421650 5 bytes JMP 00000000775803b0 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2844] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077421670 5 bytes JMP 0000000077580390 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2844] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000774216b0 5 bytes JMP 00000000775802e0 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2844] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077421730 5 bytes JMP 00000000775802d0 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2844] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077421750 5 bytes JMP 0000000077580310 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2844] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077421790 5 bytes JMP 00000000775803c0 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2844] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000774217e0 5 bytes JMP 00000000775803f0 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2844] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077421940 5 bytes JMP 0000000077580230 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2844] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077421b00 5 bytes JMP 0000000077580480 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2844] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077421b30 5 bytes JMP 00000000775803a0 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2844] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077421c10 5 bytes JMP 00000000775802f0 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2844] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077421c20 5 bytes JMP 0000000077580350 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2844] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077421c80 5 bytes JMP 0000000077580290 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2844] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077421d10 5 bytes JMP 00000000775802b0 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2844] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077421d30 5 bytes JMP 00000000775803d0 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2844] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077421d40 5 bytes JMP 0000000077580330 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2844] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077421db0 5 bytes JMP 0000000077580410 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2844] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077421de0 5 bytes JMP 0000000077580240 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2844] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000774220a0 5 bytes JMP 00000000775801e0 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2844] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077422160 5 bytes JMP 0000000077580250 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2844] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077422190 5 bytes JMP 0000000077580490 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2844] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000774221a0 5 bytes JMP 00000000775804a0 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2844] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000774221d0 5 bytes JMP 0000000077580300 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2844] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000774221e0 5 bytes JMP 0000000077580360 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2844] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077422240 5 bytes JMP 00000000775802a0 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2844] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077422290 5 bytes JMP 00000000775802c0 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2844] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000774222c0 5 bytes JMP 0000000077580380 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2844] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000774222d0 5 bytes JMP 0000000077580340 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2844] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000774225c0 5 bytes JMP 0000000077580440 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2844] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000774227c0 5 bytes JMP 0000000077580260 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2844] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000774227d0 5 bytes JMP 0000000077580270 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2844] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000774227e0 5 bytes JMP 0000000077580400 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2844] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000774229a0 5 bytes JMP 00000000775801f0 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2844] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000774229b0 5 bytes JMP 0000000077580210 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2844] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077422a20 5 bytes JMP 0000000077580200 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2844] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077422a80 5 bytes JMP 0000000077580420 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2844] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077422a90 5 bytes JMP 0000000077580430 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2844] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077422aa0 5 bytes JMP 0000000077580220 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2844] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077422b80 5 bytes JMP 0000000077580280 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2844] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007720ef8d 1 byte [62] .text C:\Windows\system32\SearchIndexer.exe[2900] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077421360 5 bytes JMP 0000000077580460 .text C:\Windows\system32\SearchIndexer.exe[2900] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000774213b0 5 bytes JMP 0000000077580450 .text C:\Windows\system32\SearchIndexer.exe[2900] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077421510 5 bytes JMP 0000000077580370 .text C:\Windows\system32\SearchIndexer.exe[2900] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077421560 5 bytes JMP 0000000077580470 .text C:\Windows\system32\SearchIndexer.exe[2900] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077421570 5 bytes JMP 00000000775803e0 .text C:\Windows\system32\SearchIndexer.exe[2900] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077421620 5 bytes JMP 0000000077580320 .text C:\Windows\system32\SearchIndexer.exe[2900] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077421650 5 bytes JMP 00000000775803b0 .text C:\Windows\system32\SearchIndexer.exe[2900] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077421670 5 bytes JMP 0000000077580390 .text C:\Windows\system32\SearchIndexer.exe[2900] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000774216b0 5 bytes JMP 00000000775802e0 .text C:\Windows\system32\SearchIndexer.exe[2900] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077421730 5 bytes JMP 00000000775802d0 .text C:\Windows\system32\SearchIndexer.exe[2900] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077421750 5 bytes JMP 0000000077580310 .text C:\Windows\system32\SearchIndexer.exe[2900] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077421790 5 bytes JMP 00000000775803c0 .text C:\Windows\system32\SearchIndexer.exe[2900] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000774217e0 5 bytes JMP 00000000775803f0 .text C:\Windows\system32\SearchIndexer.exe[2900] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077421940 5 bytes JMP 0000000077580230 .text C:\Windows\system32\SearchIndexer.exe[2900] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077421b00 5 bytes JMP 0000000077580480 .text C:\Windows\system32\SearchIndexer.exe[2900] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077421b30 5 bytes JMP 00000000775803a0 .text C:\Windows\system32\SearchIndexer.exe[2900] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077421c10 5 bytes JMP 00000000775802f0 .text C:\Windows\system32\SearchIndexer.exe[2900] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077421c20 5 bytes JMP 0000000077580350 .text C:\Windows\system32\SearchIndexer.exe[2900] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077421c80 5 bytes JMP 0000000077580290 .text C:\Windows\system32\SearchIndexer.exe[2900] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077421d10 5 bytes JMP 00000000775802b0 .text C:\Windows\system32\SearchIndexer.exe[2900] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077421d30 5 bytes JMP 00000000775803d0 .text C:\Windows\system32\SearchIndexer.exe[2900] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077421d40 5 bytes JMP 0000000077580330 .text C:\Windows\system32\SearchIndexer.exe[2900] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077421db0 5 bytes JMP 0000000077580410 .text C:\Windows\system32\SearchIndexer.exe[2900] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077421de0 5 bytes JMP 0000000077580240 .text C:\Windows\system32\SearchIndexer.exe[2900] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000774220a0 5 bytes JMP 00000000775801e0 .text C:\Windows\system32\SearchIndexer.exe[2900] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077422160 5 bytes JMP 0000000077580250 .text C:\Windows\system32\SearchIndexer.exe[2900] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077422190 5 bytes JMP 0000000077580490 .text C:\Windows\system32\SearchIndexer.exe[2900] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000774221a0 5 bytes JMP 00000000775804a0 .text C:\Windows\system32\SearchIndexer.exe[2900] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000774221d0 5 bytes JMP 0000000077580300 .text C:\Windows\system32\SearchIndexer.exe[2900] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000774221e0 5 bytes JMP 0000000077580360 .text C:\Windows\system32\SearchIndexer.exe[2900] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077422240 5 bytes JMP 00000000775802a0 .text C:\Windows\system32\SearchIndexer.exe[2900] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077422290 5 bytes JMP 00000000775802c0 .text C:\Windows\system32\SearchIndexer.exe[2900] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000774222c0 5 bytes JMP 0000000077580380 .text C:\Windows\system32\SearchIndexer.exe[2900] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000774222d0 5 bytes JMP 0000000077580340 .text C:\Windows\system32\SearchIndexer.exe[2900] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000774225c0 5 bytes JMP 0000000077580440 .text C:\Windows\system32\SearchIndexer.exe[2900] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000774227c0 5 bytes JMP 0000000077580260 .text C:\Windows\system32\SearchIndexer.exe[2900] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000774227d0 5 bytes JMP 0000000077580270 .text C:\Windows\system32\SearchIndexer.exe[2900] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000774227e0 5 bytes JMP 0000000077580400 .text C:\Windows\system32\SearchIndexer.exe[2900] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000774229a0 5 bytes JMP 00000000775801f0 .text C:\Windows\system32\SearchIndexer.exe[2900] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000774229b0 5 bytes JMP 0000000077580210 .text C:\Windows\system32\SearchIndexer.exe[2900] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077422a20 5 bytes JMP 0000000077580200 .text C:\Windows\system32\SearchIndexer.exe[2900] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077422a80 5 bytes JMP 0000000077580420 .text C:\Windows\system32\SearchIndexer.exe[2900] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077422a90 5 bytes JMP 0000000077580430 .text C:\Windows\system32\SearchIndexer.exe[2900] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077422aa0 5 bytes JMP 0000000077580220 .text C:\Windows\system32\SearchIndexer.exe[2900] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077422b80 5 bytes JMP 0000000077580280 .text C:\Program Files\AVAST Software\Avast\avastui.exe[3012] C:\Windows\syswow64\kernel32.dll!SetUnhandledExceptionFilter 0000000076468791 8 bytes [31, C0, C2, 04, 00, 90, 90, ...] .text C:\Program Files\AVAST Software\Avast\avastui.exe[3012] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007648a2fd 1 byte [62] .text C:\Windows\System32\svchost.exe[4088] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077421360 5 bytes JMP 0000000100070460 .text C:\Windows\System32\svchost.exe[4088] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000774213b0 5 bytes JMP 0000000100070450 .text C:\Windows\System32\svchost.exe[4088] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077421510 5 bytes JMP 0000000100070370 .text C:\Windows\System32\svchost.exe[4088] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077421560 5 bytes JMP 0000000100070470 .text C:\Windows\System32\svchost.exe[4088] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077421570 5 bytes JMP 00000001000703e0 .text C:\Windows\System32\svchost.exe[4088] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077421620 5 bytes JMP 0000000100070320 .text C:\Windows\System32\svchost.exe[4088] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077421650 5 bytes JMP 00000001000703b0 .text C:\Windows\System32\svchost.exe[4088] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077421670 5 bytes JMP 0000000100070390 .text C:\Windows\System32\svchost.exe[4088] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000774216b0 5 bytes JMP 00000001000702e0 .text C:\Windows\System32\svchost.exe[4088] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077421730 5 bytes JMP 00000001000702d0 .text C:\Windows\System32\svchost.exe[4088] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077421750 5 bytes JMP 0000000100070310 .text C:\Windows\System32\svchost.exe[4088] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077421790 5 bytes JMP 00000001000703c0 .text C:\Windows\System32\svchost.exe[4088] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000774217e0 5 bytes JMP 00000001000703f0 .text C:\Windows\System32\svchost.exe[4088] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077421940 5 bytes JMP 0000000100070230 .text C:\Windows\System32\svchost.exe[4088] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077421b00 5 bytes JMP 0000000100070480 .text C:\Windows\System32\svchost.exe[4088] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077421b30 5 bytes JMP 00000001000703a0 .text C:\Windows\System32\svchost.exe[4088] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077421c10 5 bytes JMP 00000001000702f0 .text C:\Windows\System32\svchost.exe[4088] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077421c20 5 bytes JMP 0000000100070350 .text C:\Windows\System32\svchost.exe[4088] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077421c80 5 bytes JMP 0000000100070290 .text C:\Windows\System32\svchost.exe[4088] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077421d10 5 bytes JMP 00000001000702b0 .text C:\Windows\System32\svchost.exe[4088] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077421d30 5 bytes JMP 00000001000703d0 .text C:\Windows\System32\svchost.exe[4088] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077421d40 5 bytes JMP 0000000100070330 .text C:\Windows\System32\svchost.exe[4088] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077421db0 5 bytes JMP 0000000100070410 .text C:\Windows\System32\svchost.exe[4088] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077421de0 5 bytes JMP 0000000100070240 .text C:\Windows\System32\svchost.exe[4088] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000774220a0 5 bytes JMP 00000001000701e0 .text C:\Windows\System32\svchost.exe[4088] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077422160 5 bytes JMP 0000000100070250 .text C:\Windows\System32\svchost.exe[4088] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077422190 5 bytes JMP 0000000100070490 .text C:\Windows\System32\svchost.exe[4088] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000774221a0 5 bytes JMP 00000001000704a0 .text C:\Windows\System32\svchost.exe[4088] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000774221d0 5 bytes JMP 0000000100070300 .text C:\Windows\System32\svchost.exe[4088] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000774221e0 5 bytes JMP 0000000100070360 .text C:\Windows\System32\svchost.exe[4088] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077422240 5 bytes JMP 00000001000702a0 .text C:\Windows\System32\svchost.exe[4088] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077422290 5 bytes JMP 00000001000702c0 .text C:\Windows\System32\svchost.exe[4088] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000774222c0 5 bytes JMP 0000000100070380 .text C:\Windows\System32\svchost.exe[4088] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000774222d0 5 bytes JMP 0000000100070340 .text C:\Windows\System32\svchost.exe[4088] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000774225c0 5 bytes JMP 0000000100070440 .text C:\Windows\System32\svchost.exe[4088] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000774227c0 5 bytes JMP 0000000100070260 .text C:\Windows\System32\svchost.exe[4088] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000774227d0 5 bytes JMP 0000000100070270 .text C:\Windows\System32\svchost.exe[4088] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000774227e0 5 bytes JMP 0000000100070400 .text C:\Windows\System32\svchost.exe[4088] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000774229a0 5 bytes JMP 00000001000701f0 .text C:\Windows\System32\svchost.exe[4088] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000774229b0 5 bytes JMP 0000000100070210 .text C:\Windows\System32\svchost.exe[4088] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077422a20 5 bytes JMP 0000000100070200 .text C:\Windows\System32\svchost.exe[4088] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077422a80 5 bytes JMP 0000000100070420 .text C:\Windows\System32\svchost.exe[4088] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077422a90 5 bytes JMP 0000000100070430 .text C:\Windows\System32\svchost.exe[4088] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077422aa0 5 bytes JMP 0000000100070220 .text C:\Windows\System32\svchost.exe[4088] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077422b80 5 bytes JMP 0000000100070280 .text C:\Windows\system32\AUDIODG.EXE[3944] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077421360 5 bytes JMP 0000000077580460 .text C:\Windows\system32\AUDIODG.EXE[3944] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000774213b0 5 bytes JMP 0000000077580450 .text C:\Windows\system32\AUDIODG.EXE[3944] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077421510 5 bytes JMP 0000000077580370 .text C:\Windows\system32\AUDIODG.EXE[3944] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077421560 5 bytes JMP 0000000077580470 .text C:\Windows\system32\AUDIODG.EXE[3944] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077421570 5 bytes JMP 00000000775803e0 .text C:\Windows\system32\AUDIODG.EXE[3944] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077421620 5 bytes JMP 0000000077580320 .text C:\Windows\system32\AUDIODG.EXE[3944] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077421650 5 bytes JMP 00000000775803b0 .text C:\Windows\system32\AUDIODG.EXE[3944] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077421670 5 bytes JMP 0000000077580390 .text C:\Windows\system32\AUDIODG.EXE[3944] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000774216b0 5 bytes JMP 00000000775802e0 .text C:\Windows\system32\AUDIODG.EXE[3944] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077421730 5 bytes JMP 00000000775802d0 .text C:\Windows\system32\AUDIODG.EXE[3944] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077421750 5 bytes JMP 0000000077580310 .text C:\Windows\system32\AUDIODG.EXE[3944] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077421790 5 bytes JMP 00000000775803c0 .text C:\Windows\system32\AUDIODG.EXE[3944] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000774217e0 5 bytes JMP 00000000775803f0 .text C:\Windows\system32\AUDIODG.EXE[3944] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077421940 5 bytes JMP 0000000077580230 .text C:\Windows\system32\AUDIODG.EXE[3944] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077421b00 5 bytes JMP 0000000077580480 .text C:\Windows\system32\AUDIODG.EXE[3944] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077421b30 5 bytes JMP 00000000775803a0 .text C:\Windows\system32\AUDIODG.EXE[3944] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077421c10 5 bytes JMP 00000000775802f0 .text C:\Windows\system32\AUDIODG.EXE[3944] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077421c20 5 bytes JMP 0000000077580350 .text C:\Windows\system32\AUDIODG.EXE[3944] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077421c80 5 bytes JMP 0000000077580290 .text C:\Windows\system32\AUDIODG.EXE[3944] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077421d10 5 bytes JMP 00000000775802b0 .text C:\Windows\system32\AUDIODG.EXE[3944] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077421d30 5 bytes JMP 00000000775803d0 .text C:\Windows\system32\AUDIODG.EXE[3944] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077421d40 5 bytes JMP 0000000077580330 .text C:\Windows\system32\AUDIODG.EXE[3944] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077421db0 5 bytes JMP 0000000077580410 .text C:\Windows\system32\AUDIODG.EXE[3944] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077421de0 5 bytes JMP 0000000077580240 .text C:\Windows\system32\AUDIODG.EXE[3944] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000774220a0 5 bytes JMP 00000000775801e0 .text C:\Windows\system32\AUDIODG.EXE[3944] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077422160 5 bytes JMP 0000000077580250 .text C:\Windows\system32\AUDIODG.EXE[3944] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077422190 5 bytes JMP 0000000077580490 .text C:\Windows\system32\AUDIODG.EXE[3944] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000774221a0 5 bytes JMP 00000000775804a0 .text C:\Windows\system32\AUDIODG.EXE[3944] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000774221d0 5 bytes JMP 0000000077580300 .text C:\Windows\system32\AUDIODG.EXE[3944] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000774221e0 5 bytes JMP 0000000077580360 .text C:\Windows\system32\AUDIODG.EXE[3944] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077422240 5 bytes JMP 00000000775802a0 .text C:\Windows\system32\AUDIODG.EXE[3944] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077422290 5 bytes JMP 00000000775802c0 .text C:\Windows\system32\AUDIODG.EXE[3944] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000774222c0 5 bytes JMP 0000000077580380 .text C:\Windows\system32\AUDIODG.EXE[3944] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000774222d0 5 bytes JMP 0000000077580340 .text C:\Windows\system32\AUDIODG.EXE[3944] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000774225c0 5 bytes JMP 0000000077580440 .text C:\Windows\system32\AUDIODG.EXE[3944] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000774227c0 5 bytes JMP 0000000077580260 .text C:\Windows\system32\AUDIODG.EXE[3944] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000774227d0 5 bytes JMP 0000000077580270 .text C:\Windows\system32\AUDIODG.EXE[3944] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000774227e0 5 bytes JMP 0000000077580400 .text C:\Windows\system32\AUDIODG.EXE[3944] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000774229a0 5 bytes JMP 00000000775801f0 .text C:\Windows\system32\AUDIODG.EXE[3944] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000774229b0 5 bytes JMP 0000000077580210 .text C:\Windows\system32\AUDIODG.EXE[3944] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077422a20 5 bytes JMP 0000000077580200 .text C:\Windows\system32\AUDIODG.EXE[3944] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077422a80 5 bytes JMP 0000000077580420 .text C:\Windows\system32\AUDIODG.EXE[3944] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077422a90 5 bytes JMP 0000000077580430 .text C:\Windows\system32\AUDIODG.EXE[3944] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077422aa0 5 bytes JMP 0000000077580220 .text C:\Windows\system32\AUDIODG.EXE[3944] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077422b80 5 bytes JMP 0000000077580280 .text C:\Windows\notepad.exe[3956] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007720ef8d 1 byte [62] .text C:\Users\BW\Desktop\035i8fv3.exe[2316] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007648a2fd 1 byte [62] ---- EOF - GMER 2.1 ----