GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2014-08-11 11:47:59 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 Samsung_SSD_840_EVO_250GB rev.EXT0BB0Q 232,89GB Running: cttz9q5r.exe; Driver: C:\Users\user\AppData\Local\Temp\aftcaaob.sys ---- Kernel code sections - GMER 2.1 ---- INITKDBG C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 528 fffff80002e09000 45 bytes [00, 00, 51, 02, 54, 68, 72, ...] INITKDBG C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 575 fffff80002e0902f 16 bytes [00, 02, 00, 00, 00, 00, 00, ...] ---- User code sections - GMER 2.1 ---- .text C:\Windows\system32\csrss.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076ec1360 5 bytes JMP 000000014a170460 .text C:\Windows\system32\csrss.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076ec13b0 5 bytes JMP 000000014a170450 .text C:\Windows\system32\csrss.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076ec1510 5 bytes JMP 000000014a170370 .text C:\Windows\system32\csrss.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076ec1560 5 bytes JMP 000000014a170470 .text C:\Windows\system32\csrss.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076ec1570 5 bytes JMP 000000014a1703e0 .text C:\Windows\system32\csrss.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076ec1620 5 bytes JMP 000000014a170320 .text C:\Windows\system32\csrss.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076ec1650 5 bytes JMP 000000014a1703b0 .text C:\Windows\system32\csrss.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076ec1670 5 bytes JMP 000000014a170390 .text C:\Windows\system32\csrss.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076ec16b0 5 bytes JMP 000000014a1702e0 .text C:\Windows\system32\csrss.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076ec1730 5 bytes JMP 000000014a1702d0 .text C:\Windows\system32\csrss.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076ec1750 5 bytes JMP 000000014a170310 .text C:\Windows\system32\csrss.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076ec1790 5 bytes JMP 000000014a1703c0 .text C:\Windows\system32\csrss.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076ec17e0 5 bytes JMP 000000014a1703f0 .text C:\Windows\system32\csrss.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076ec1940 5 bytes JMP 000000014a170230 .text C:\Windows\system32\csrss.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076ec1b00 5 bytes JMP 000000014a170480 .text C:\Windows\system32\csrss.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076ec1b30 5 bytes JMP 000000014a1703a0 .text C:\Windows\system32\csrss.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076ec1c10 5 bytes JMP 000000014a1702f0 .text C:\Windows\system32\csrss.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076ec1c20 5 bytes JMP 000000014a170350 .text C:\Windows\system32\csrss.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076ec1c80 5 bytes JMP 000000014a170290 .text C:\Windows\system32\csrss.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076ec1d10 5 bytes JMP 000000014a1702b0 .text C:\Windows\system32\csrss.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076ec1d30 5 bytes JMP 000000014a1703d0 .text C:\Windows\system32\csrss.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076ec1d40 5 bytes JMP 000000014a170330 .text C:\Windows\system32\csrss.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076ec1db0 5 bytes JMP 000000014a170410 .text C:\Windows\system32\csrss.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076ec1de0 5 bytes JMP 000000014a170240 .text C:\Windows\system32\csrss.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076ec20a0 5 bytes JMP 000000014a1701e0 .text C:\Windows\system32\csrss.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076ec2160 5 bytes JMP 000000014a170250 .text C:\Windows\system32\csrss.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076ec2190 5 bytes JMP 000000014a170490 .text C:\Windows\system32\csrss.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076ec21a0 5 bytes JMP 000000014a1704a0 .text C:\Windows\system32\csrss.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076ec21d0 5 bytes JMP 000000014a170300 .text C:\Windows\system32\csrss.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076ec21e0 5 bytes JMP 000000014a170360 .text C:\Windows\system32\csrss.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076ec2240 5 bytes JMP 000000014a1702a0 .text C:\Windows\system32\csrss.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076ec2290 5 bytes JMP 000000014a1702c0 .text C:\Windows\system32\csrss.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076ec22c0 5 bytes JMP 000000014a170380 .text C:\Windows\system32\csrss.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076ec22d0 5 bytes JMP 000000014a170340 .text C:\Windows\system32\csrss.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076ec25c0 5 bytes JMP 000000014a170440 .text C:\Windows\system32\csrss.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076ec27c0 5 bytes JMP 000000014a170260 .text C:\Windows\system32\csrss.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076ec27d0 5 bytes JMP 000000014a170270 .text C:\Windows\system32\csrss.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076ec27e0 5 bytes JMP 000000014a170400 .text C:\Windows\system32\csrss.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076ec29a0 5 bytes JMP 000000014a1701f0 .text C:\Windows\system32\csrss.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076ec29b0 5 bytes JMP 000000014a170210 .text C:\Windows\system32\csrss.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076ec2a20 5 bytes JMP 000000014a170200 .text C:\Windows\system32\csrss.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076ec2a80 5 bytes JMP 000000014a170420 .text C:\Windows\system32\csrss.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076ec2a90 5 bytes JMP 000000014a170430 .text C:\Windows\system32\csrss.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076ec2aa0 5 bytes JMP 000000014a170220 .text C:\Windows\system32\csrss.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076ec2b80 5 bytes JMP 000000014a170280 .text C:\Windows\system32\wininit.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076ec1360 5 bytes JMP 0000000077020460 .text C:\Windows\system32\wininit.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076ec13b0 5 bytes JMP 0000000077020450 .text C:\Windows\system32\wininit.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076ec1510 5 bytes JMP 0000000077020370 .text C:\Windows\system32\wininit.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076ec1560 5 bytes JMP 0000000077020470 .text C:\Windows\system32\wininit.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076ec1570 5 bytes JMP 00000000770203e0 .text C:\Windows\system32\wininit.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076ec1620 5 bytes JMP 0000000077020320 .text C:\Windows\system32\wininit.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076ec1650 5 bytes JMP 00000000770203b0 .text C:\Windows\system32\wininit.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076ec1670 5 bytes JMP 0000000077020390 .text C:\Windows\system32\wininit.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076ec16b0 5 bytes JMP 00000000770202e0 .text C:\Windows\system32\wininit.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076ec1730 5 bytes JMP 00000000770202d0 .text C:\Windows\system32\wininit.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076ec1750 5 bytes JMP 0000000077020310 .text C:\Windows\system32\wininit.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076ec1790 5 bytes JMP 00000000770203c0 .text C:\Windows\system32\wininit.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076ec17e0 5 bytes JMP 00000000770203f0 .text C:\Windows\system32\wininit.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076ec1940 5 bytes JMP 0000000077020230 .text C:\Windows\system32\wininit.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076ec1b00 5 bytes JMP 0000000077020480 .text C:\Windows\system32\wininit.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076ec1b30 5 bytes JMP 00000000770203a0 .text C:\Windows\system32\wininit.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076ec1c10 5 bytes JMP 00000000770202f0 .text C:\Windows\system32\wininit.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076ec1c20 5 bytes JMP 0000000077020350 .text C:\Windows\system32\wininit.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076ec1c80 5 bytes JMP 0000000077020290 .text C:\Windows\system32\wininit.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076ec1d10 5 bytes JMP 00000000770202b0 .text C:\Windows\system32\wininit.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076ec1d30 5 bytes JMP 00000000770203d0 .text C:\Windows\system32\wininit.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076ec1d40 5 bytes JMP 0000000077020330 .text C:\Windows\system32\wininit.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076ec1db0 5 bytes JMP 0000000077020410 .text C:\Windows\system32\wininit.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076ec1de0 5 bytes JMP 0000000077020240 .text C:\Windows\system32\wininit.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076ec20a0 5 bytes JMP 00000000770201e0 .text C:\Windows\system32\wininit.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076ec2160 5 bytes JMP 0000000077020250 .text C:\Windows\system32\wininit.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076ec2190 5 bytes JMP 0000000077020490 .text C:\Windows\system32\wininit.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076ec21a0 5 bytes JMP 00000000770204a0 .text C:\Windows\system32\wininit.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076ec21d0 5 bytes JMP 0000000077020300 .text C:\Windows\system32\wininit.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076ec21e0 5 bytes JMP 0000000077020360 .text C:\Windows\system32\wininit.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076ec2240 5 bytes JMP 00000000770202a0 .text C:\Windows\system32\wininit.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076ec2290 5 bytes JMP 00000000770202c0 .text C:\Windows\system32\wininit.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076ec22c0 5 bytes JMP 0000000077020380 .text C:\Windows\system32\wininit.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076ec22d0 5 bytes JMP 0000000077020340 .text C:\Windows\system32\wininit.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076ec25c0 5 bytes JMP 0000000077020440 .text C:\Windows\system32\wininit.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076ec27c0 5 bytes JMP 0000000077020260 .text C:\Windows\system32\wininit.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076ec27d0 5 bytes JMP 0000000077020270 .text C:\Windows\system32\wininit.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076ec27e0 5 bytes JMP 0000000077020400 .text C:\Windows\system32\wininit.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076ec29a0 5 bytes JMP 00000000770201f0 .text C:\Windows\system32\wininit.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076ec29b0 5 bytes JMP 0000000077020210 .text C:\Windows\system32\wininit.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076ec2a20 5 bytes JMP 0000000077020200 .text C:\Windows\system32\wininit.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076ec2a80 5 bytes JMP 0000000077020420 .text C:\Windows\system32\wininit.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076ec2a90 5 bytes JMP 0000000077020430 .text C:\Windows\system32\wininit.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076ec2aa0 5 bytes JMP 0000000077020220 .text C:\Windows\system32\wininit.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076ec2b80 5 bytes JMP 0000000077020280 .text C:\Windows\system32\wininit.exe[656] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076daef8d 1 byte [62] .text C:\Windows\system32\csrss.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076ec1360 5 bytes JMP 000000014a170460 .text C:\Windows\system32\csrss.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076ec13b0 5 bytes JMP 000000014a170450 .text C:\Windows\system32\csrss.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076ec1510 5 bytes JMP 000000014a170370 .text C:\Windows\system32\csrss.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076ec1560 5 bytes JMP 000000014a170470 .text C:\Windows\system32\csrss.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076ec1570 5 bytes JMP 000000014a1703e0 .text C:\Windows\system32\csrss.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076ec1620 5 bytes JMP 000000014a170320 .text C:\Windows\system32\csrss.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076ec1650 5 bytes JMP 000000014a1703b0 .text C:\Windows\system32\csrss.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076ec1670 5 bytes JMP 000000014a170390 .text C:\Windows\system32\csrss.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076ec16b0 5 bytes JMP 000000014a1702e0 .text C:\Windows\system32\csrss.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076ec1730 5 bytes JMP 000000014a1702d0 .text C:\Windows\system32\csrss.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076ec1750 5 bytes JMP 000000014a170310 .text C:\Windows\system32\csrss.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076ec1790 5 bytes JMP 000000014a1703c0 .text C:\Windows\system32\csrss.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076ec17e0 5 bytes JMP 000000014a1703f0 .text C:\Windows\system32\csrss.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076ec1940 5 bytes JMP 000000014a170230 .text C:\Windows\system32\csrss.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076ec1b00 5 bytes JMP 000000014a170480 .text C:\Windows\system32\csrss.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076ec1b30 5 bytes JMP 000000014a1703a0 .text C:\Windows\system32\csrss.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076ec1c10 5 bytes JMP 000000014a1702f0 .text C:\Windows\system32\csrss.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076ec1c20 5 bytes JMP 000000014a170350 .text C:\Windows\system32\csrss.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076ec1c80 5 bytes JMP 000000014a170290 .text C:\Windows\system32\csrss.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076ec1d10 5 bytes JMP 000000014a1702b0 .text C:\Windows\system32\csrss.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076ec1d30 5 bytes JMP 000000014a1703d0 .text C:\Windows\system32\csrss.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076ec1d40 5 bytes JMP 000000014a170330 .text C:\Windows\system32\csrss.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076ec1db0 5 bytes JMP 000000014a170410 .text C:\Windows\system32\csrss.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076ec1de0 5 bytes JMP 000000014a170240 .text C:\Windows\system32\csrss.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076ec20a0 5 bytes JMP 000000014a1701e0 .text C:\Windows\system32\csrss.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076ec2160 5 bytes JMP 000000014a170250 .text C:\Windows\system32\csrss.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076ec2190 5 bytes JMP 000000014a170490 .text C:\Windows\system32\csrss.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076ec21a0 5 bytes JMP 000000014a1704a0 .text C:\Windows\system32\csrss.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076ec21d0 5 bytes JMP 000000014a170300 .text C:\Windows\system32\csrss.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076ec21e0 5 bytes JMP 000000014a170360 .text C:\Windows\system32\csrss.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076ec2240 5 bytes JMP 000000014a1702a0 .text C:\Windows\system32\csrss.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076ec2290 5 bytes JMP 000000014a1702c0 .text C:\Windows\system32\csrss.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076ec22c0 5 bytes JMP 000000014a170380 .text C:\Windows\system32\csrss.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076ec22d0 5 bytes JMP 000000014a170340 .text C:\Windows\system32\csrss.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076ec25c0 5 bytes JMP 000000014a170440 .text C:\Windows\system32\csrss.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076ec27c0 5 bytes JMP 000000014a170260 .text C:\Windows\system32\csrss.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076ec27d0 5 bytes JMP 000000014a170270 .text C:\Windows\system32\csrss.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076ec27e0 5 bytes JMP 000000014a170400 .text C:\Windows\system32\csrss.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076ec29a0 5 bytes JMP 000000014a1701f0 .text C:\Windows\system32\csrss.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076ec29b0 5 bytes JMP 000000014a170210 .text C:\Windows\system32\csrss.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076ec2a20 5 bytes JMP 000000014a170200 .text C:\Windows\system32\csrss.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076ec2a80 5 bytes JMP 000000014a170420 .text C:\Windows\system32\csrss.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076ec2a90 5 bytes JMP 000000014a170430 .text C:\Windows\system32\csrss.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076ec2aa0 5 bytes JMP 000000014a170220 .text C:\Windows\system32\csrss.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076ec2b80 5 bytes JMP 000000014a170280 .text C:\Windows\system32\winlogon.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076ec1360 5 bytes JMP 0000000077020460 .text C:\Windows\system32\winlogon.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076ec13b0 5 bytes JMP 0000000077020450 .text C:\Windows\system32\winlogon.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076ec1510 5 bytes JMP 0000000077020370 .text C:\Windows\system32\winlogon.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076ec1560 5 bytes JMP 0000000077020470 .text C:\Windows\system32\winlogon.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076ec1570 5 bytes JMP 00000000770203e0 .text C:\Windows\system32\winlogon.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076ec1620 5 bytes JMP 0000000077020320 .text C:\Windows\system32\winlogon.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076ec1650 5 bytes JMP 00000000770203b0 .text C:\Windows\system32\winlogon.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076ec1670 5 bytes JMP 0000000077020390 .text C:\Windows\system32\winlogon.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076ec16b0 5 bytes JMP 00000000770202e0 .text C:\Windows\system32\winlogon.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076ec1730 5 bytes JMP 00000000770202d0 .text C:\Windows\system32\winlogon.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076ec1750 5 bytes JMP 0000000077020310 .text C:\Windows\system32\winlogon.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076ec1790 5 bytes JMP 00000000770203c0 .text C:\Windows\system32\winlogon.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076ec17e0 5 bytes JMP 00000000770203f0 .text C:\Windows\system32\winlogon.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076ec1940 5 bytes JMP 0000000077020230 .text C:\Windows\system32\winlogon.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076ec1b00 5 bytes JMP 0000000077020480 .text C:\Windows\system32\winlogon.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076ec1b30 5 bytes JMP 00000000770203a0 .text C:\Windows\system32\winlogon.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076ec1c10 5 bytes JMP 00000000770202f0 .text C:\Windows\system32\winlogon.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076ec1c20 5 bytes JMP 0000000077020350 .text C:\Windows\system32\winlogon.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076ec1c80 5 bytes JMP 0000000077020290 .text C:\Windows\system32\winlogon.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076ec1d10 5 bytes JMP 00000000770202b0 .text C:\Windows\system32\winlogon.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076ec1d30 5 bytes JMP 00000000770203d0 .text C:\Windows\system32\winlogon.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076ec1d40 5 bytes JMP 0000000077020330 .text C:\Windows\system32\winlogon.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076ec1db0 5 bytes JMP 0000000077020410 .text C:\Windows\system32\winlogon.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076ec1de0 5 bytes JMP 0000000077020240 .text C:\Windows\system32\winlogon.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076ec20a0 5 bytes JMP 00000000770201e0 .text C:\Windows\system32\winlogon.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076ec2160 5 bytes JMP 0000000077020250 .text C:\Windows\system32\winlogon.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076ec2190 5 bytes JMP 0000000077020490 .text C:\Windows\system32\winlogon.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076ec21a0 5 bytes JMP 00000000770204a0 .text C:\Windows\system32\winlogon.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076ec21d0 5 bytes JMP 0000000077020300 .text C:\Windows\system32\winlogon.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076ec21e0 5 bytes JMP 0000000077020360 .text C:\Windows\system32\winlogon.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076ec2240 5 bytes JMP 00000000770202a0 .text C:\Windows\system32\winlogon.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076ec2290 5 bytes JMP 00000000770202c0 .text C:\Windows\system32\winlogon.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076ec22c0 5 bytes JMP 0000000077020380 .text C:\Windows\system32\winlogon.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076ec22d0 5 bytes JMP 0000000077020340 .text C:\Windows\system32\winlogon.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076ec25c0 5 bytes JMP 0000000077020440 .text C:\Windows\system32\winlogon.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076ec27c0 5 bytes JMP 0000000077020260 .text C:\Windows\system32\winlogon.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076ec27d0 5 bytes JMP 0000000077020270 .text C:\Windows\system32\winlogon.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076ec27e0 5 bytes JMP 0000000077020400 .text C:\Windows\system32\winlogon.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076ec29a0 5 bytes JMP 00000000770201f0 .text C:\Windows\system32\winlogon.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076ec29b0 5 bytes JMP 0000000077020210 .text C:\Windows\system32\winlogon.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076ec2a20 5 bytes JMP 0000000077020200 .text C:\Windows\system32\winlogon.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076ec2a80 5 bytes JMP 0000000077020420 .text C:\Windows\system32\winlogon.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076ec2a90 5 bytes JMP 0000000077020430 .text C:\Windows\system32\winlogon.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076ec2aa0 5 bytes JMP 0000000077020220 .text C:\Windows\system32\winlogon.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076ec2b80 5 bytes JMP 0000000077020280 .text C:\Windows\system32\winlogon.exe[720] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076daef8d 1 byte [62] .text C:\Windows\system32\services.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076ec1360 5 bytes JMP 0000000077020460 .text C:\Windows\system32\services.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076ec13b0 5 bytes JMP 0000000077020450 .text C:\Windows\system32\services.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076ec1510 5 bytes JMP 0000000077020370 .text C:\Windows\system32\services.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076ec1560 5 bytes JMP 0000000077020470 .text C:\Windows\system32\services.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076ec1570 5 bytes JMP 00000000770203e0 .text C:\Windows\system32\services.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076ec1620 5 bytes JMP 0000000077020320 .text C:\Windows\system32\services.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076ec1650 5 bytes JMP 00000000770203b0 .text C:\Windows\system32\services.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076ec1670 5 bytes JMP 0000000077020390 .text C:\Windows\system32\services.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076ec16b0 5 bytes JMP 00000000770202e0 .text C:\Windows\system32\services.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076ec1730 5 bytes JMP 00000000770202d0 .text C:\Windows\system32\services.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076ec1750 5 bytes JMP 0000000077020310 .text C:\Windows\system32\services.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076ec1790 5 bytes JMP 00000000770203c0 .text C:\Windows\system32\services.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076ec17e0 5 bytes JMP 00000000770203f0 .text C:\Windows\system32\services.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076ec1940 5 bytes JMP 0000000077020230 .text C:\Windows\system32\services.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076ec1b00 5 bytes JMP 0000000077020480 .text C:\Windows\system32\services.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076ec1b30 5 bytes JMP 00000000770203a0 .text C:\Windows\system32\services.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076ec1c10 5 bytes JMP 00000000770202f0 .text C:\Windows\system32\services.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076ec1c20 5 bytes JMP 0000000077020350 .text C:\Windows\system32\services.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076ec1c80 5 bytes JMP 0000000077020290 .text C:\Windows\system32\services.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076ec1d10 5 bytes JMP 00000000770202b0 .text C:\Windows\system32\services.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076ec1d30 5 bytes JMP 00000000770203d0 .text C:\Windows\system32\services.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076ec1d40 5 bytes JMP 0000000077020330 .text C:\Windows\system32\services.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076ec1db0 5 bytes JMP 0000000077020410 .text C:\Windows\system32\services.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076ec1de0 5 bytes JMP 0000000077020240 .text C:\Windows\system32\services.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076ec20a0 5 bytes JMP 00000000770201e0 .text C:\Windows\system32\services.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076ec2160 5 bytes JMP 0000000077020250 .text C:\Windows\system32\services.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076ec2190 5 bytes JMP 0000000077020490 .text C:\Windows\system32\services.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076ec21a0 5 bytes JMP 00000000770204a0 .text C:\Windows\system32\services.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076ec21d0 5 bytes JMP 0000000077020300 .text C:\Windows\system32\services.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076ec21e0 5 bytes JMP 0000000077020360 .text C:\Windows\system32\services.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076ec2240 5 bytes JMP 00000000770202a0 .text C:\Windows\system32\services.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076ec2290 5 bytes JMP 00000000770202c0 .text C:\Windows\system32\services.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076ec22c0 5 bytes JMP 0000000077020380 .text C:\Windows\system32\services.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076ec22d0 5 bytes JMP 0000000077020340 .text C:\Windows\system32\services.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076ec25c0 5 bytes JMP 0000000077020440 .text C:\Windows\system32\services.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076ec27c0 5 bytes JMP 0000000077020260 .text C:\Windows\system32\services.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076ec27d0 5 bytes JMP 0000000077020270 .text C:\Windows\system32\services.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076ec27e0 5 bytes JMP 0000000077020400 .text C:\Windows\system32\services.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076ec29a0 5 bytes JMP 00000000770201f0 .text C:\Windows\system32\services.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076ec29b0 5 bytes JMP 0000000077020210 .text C:\Windows\system32\services.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076ec2a20 5 bytes JMP 0000000077020200 .text C:\Windows\system32\services.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076ec2a80 5 bytes JMP 0000000077020420 .text C:\Windows\system32\services.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076ec2a90 5 bytes JMP 0000000077020430 .text C:\Windows\system32\services.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076ec2aa0 5 bytes JMP 0000000077020220 .text C:\Windows\system32\services.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076ec2b80 5 bytes JMP 0000000077020280 .text C:\Windows\system32\services.exe[756] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076daef8d 1 byte [62] .text C:\Windows\system32\lsass.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076ec1360 5 bytes JMP 0000000077020460 .text C:\Windows\system32\lsass.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076ec13b0 5 bytes JMP 0000000077020450 .text C:\Windows\system32\lsass.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076ec1510 5 bytes JMP 0000000077020370 .text C:\Windows\system32\lsass.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076ec1560 5 bytes JMP 0000000077020470 .text C:\Windows\system32\lsass.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076ec1570 5 bytes JMP 00000000770203e0 .text C:\Windows\system32\lsass.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076ec1620 5 bytes JMP 0000000077020320 .text C:\Windows\system32\lsass.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076ec1650 5 bytes JMP 00000000770203b0 .text C:\Windows\system32\lsass.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076ec1670 5 bytes JMP 0000000077020390 .text C:\Windows\system32\lsass.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076ec16b0 5 bytes JMP 00000000770202e0 .text C:\Windows\system32\lsass.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076ec1730 5 bytes JMP 00000000770202d0 .text C:\Windows\system32\lsass.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076ec1750 5 bytes JMP 0000000077020310 .text C:\Windows\system32\lsass.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076ec1790 5 bytes JMP 00000000770203c0 .text C:\Windows\system32\lsass.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076ec17e0 5 bytes JMP 00000000770203f0 .text C:\Windows\system32\lsass.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076ec1940 5 bytes JMP 0000000077020230 .text C:\Windows\system32\lsass.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076ec1b00 5 bytes JMP 0000000077020480 .text C:\Windows\system32\lsass.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076ec1b30 5 bytes JMP 00000000770203a0 .text C:\Windows\system32\lsass.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076ec1c10 5 bytes JMP 00000000770202f0 .text C:\Windows\system32\lsass.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076ec1c20 5 bytes JMP 0000000077020350 .text C:\Windows\system32\lsass.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076ec1c80 5 bytes JMP 0000000077020290 .text C:\Windows\system32\lsass.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076ec1d10 5 bytes JMP 00000000770202b0 .text C:\Windows\system32\lsass.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076ec1d30 5 bytes JMP 00000000770203d0 .text C:\Windows\system32\lsass.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076ec1d40 5 bytes JMP 0000000077020330 .text C:\Windows\system32\lsass.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076ec1db0 5 bytes JMP 0000000077020410 .text C:\Windows\system32\lsass.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076ec1de0 5 bytes JMP 0000000077020240 .text C:\Windows\system32\lsass.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076ec20a0 5 bytes JMP 00000000770201e0 .text C:\Windows\system32\lsass.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076ec2160 5 bytes JMP 0000000077020250 .text C:\Windows\system32\lsass.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076ec2190 5 bytes JMP 0000000077020490 .text C:\Windows\system32\lsass.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076ec21a0 5 bytes JMP 00000000770204a0 .text C:\Windows\system32\lsass.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076ec21d0 5 bytes JMP 0000000077020300 .text C:\Windows\system32\lsass.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076ec21e0 5 bytes JMP 0000000077020360 .text C:\Windows\system32\lsass.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076ec2240 5 bytes JMP 00000000770202a0 .text C:\Windows\system32\lsass.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076ec2290 5 bytes JMP 00000000770202c0 .text C:\Windows\system32\lsass.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076ec22c0 5 bytes JMP 0000000077020380 .text C:\Windows\system32\lsass.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076ec22d0 5 bytes JMP 0000000077020340 .text C:\Windows\system32\lsass.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076ec25c0 5 bytes JMP 0000000077020440 .text C:\Windows\system32\lsass.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076ec27c0 5 bytes JMP 0000000077020260 .text C:\Windows\system32\lsass.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076ec27d0 5 bytes JMP 0000000077020270 .text C:\Windows\system32\lsass.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076ec27e0 5 bytes JMP 0000000077020400 .text C:\Windows\system32\lsass.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076ec29a0 5 bytes JMP 00000000770201f0 .text C:\Windows\system32\lsass.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076ec29b0 5 bytes JMP 0000000077020210 .text C:\Windows\system32\lsass.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076ec2a20 5 bytes JMP 0000000077020200 .text C:\Windows\system32\lsass.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076ec2a80 5 bytes JMP 0000000077020420 .text C:\Windows\system32\lsass.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076ec2a90 5 bytes JMP 0000000077020430 .text C:\Windows\system32\lsass.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076ec2aa0 5 bytes JMP 0000000077020220 .text C:\Windows\system32\lsass.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076ec2b80 5 bytes JMP 0000000077020280 .text C:\Windows\system32\lsm.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076ec1360 5 bytes JMP 0000000077020460 .text C:\Windows\system32\lsm.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076ec13b0 5 bytes JMP 0000000077020450 .text C:\Windows\system32\lsm.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076ec1510 5 bytes JMP 0000000077020370 .text C:\Windows\system32\lsm.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076ec1560 5 bytes JMP 0000000077020470 .text C:\Windows\system32\lsm.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076ec1570 5 bytes JMP 00000000770203e0 .text C:\Windows\system32\lsm.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076ec1620 5 bytes JMP 0000000077020320 .text C:\Windows\system32\lsm.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076ec1650 5 bytes JMP 00000000770203b0 .text C:\Windows\system32\lsm.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076ec1670 5 bytes JMP 0000000077020390 .text C:\Windows\system32\lsm.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076ec16b0 5 bytes JMP 00000000770202e0 .text C:\Windows\system32\lsm.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076ec1730 5 bytes JMP 00000000770202d0 .text C:\Windows\system32\lsm.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076ec1750 5 bytes JMP 0000000077020310 .text C:\Windows\system32\lsm.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076ec1790 5 bytes JMP 00000000770203c0 .text C:\Windows\system32\lsm.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076ec17e0 5 bytes JMP 00000000770203f0 .text C:\Windows\system32\lsm.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076ec1940 5 bytes JMP 0000000077020230 .text C:\Windows\system32\lsm.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076ec1b00 5 bytes JMP 0000000077020480 .text C:\Windows\system32\lsm.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076ec1b30 5 bytes JMP 00000000770203a0 .text C:\Windows\system32\lsm.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076ec1c10 5 bytes JMP 00000000770202f0 .text C:\Windows\system32\lsm.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076ec1c20 5 bytes JMP 0000000077020350 .text C:\Windows\system32\lsm.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076ec1c80 5 bytes JMP 0000000077020290 .text C:\Windows\system32\lsm.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076ec1d10 5 bytes JMP 00000000770202b0 .text C:\Windows\system32\lsm.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076ec1d30 5 bytes JMP 00000000770203d0 .text C:\Windows\system32\lsm.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076ec1d40 5 bytes JMP 0000000077020330 .text C:\Windows\system32\lsm.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076ec1db0 5 bytes JMP 0000000077020410 .text C:\Windows\system32\lsm.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076ec1de0 5 bytes JMP 0000000077020240 .text C:\Windows\system32\lsm.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076ec20a0 5 bytes JMP 00000000770201e0 .text C:\Windows\system32\lsm.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076ec2160 5 bytes JMP 0000000077020250 .text C:\Windows\system32\lsm.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076ec2190 5 bytes JMP 0000000077020490 .text C:\Windows\system32\lsm.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076ec21a0 5 bytes JMP 00000000770204a0 .text C:\Windows\system32\lsm.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076ec21d0 5 bytes JMP 0000000077020300 .text C:\Windows\system32\lsm.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076ec21e0 5 bytes JMP 0000000077020360 .text C:\Windows\system32\lsm.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076ec2240 5 bytes JMP 00000000770202a0 .text C:\Windows\system32\lsm.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076ec2290 5 bytes JMP 00000000770202c0 .text C:\Windows\system32\lsm.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076ec22c0 5 bytes JMP 0000000077020380 .text C:\Windows\system32\lsm.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076ec22d0 5 bytes JMP 0000000077020340 .text C:\Windows\system32\lsm.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076ec25c0 5 bytes JMP 0000000077020440 .text C:\Windows\system32\lsm.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076ec27c0 5 bytes JMP 0000000077020260 .text C:\Windows\system32\lsm.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076ec27d0 5 bytes JMP 0000000077020270 .text C:\Windows\system32\lsm.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076ec27e0 5 bytes JMP 0000000077020400 .text C:\Windows\system32\lsm.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076ec29a0 5 bytes JMP 00000000770201f0 .text C:\Windows\system32\lsm.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076ec29b0 5 bytes JMP 0000000077020210 .text C:\Windows\system32\lsm.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076ec2a20 5 bytes JMP 0000000077020200 .text C:\Windows\system32\lsm.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076ec2a80 5 bytes JMP 0000000077020420 .text C:\Windows\system32\lsm.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076ec2a90 5 bytes JMP 0000000077020430 .text C:\Windows\system32\lsm.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076ec2aa0 5 bytes JMP 0000000077020220 .text C:\Windows\system32\lsm.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076ec2b80 5 bytes JMP 0000000077020280 .text C:\Windows\system32\svchost.exe[880] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076ec1360 5 bytes JMP 0000000100070460 .text C:\Windows\system32\svchost.exe[880] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076ec13b0 5 bytes JMP 0000000100070450 .text C:\Windows\system32\svchost.exe[880] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076ec1510 5 bytes JMP 0000000100070370 .text C:\Windows\system32\svchost.exe[880] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076ec1560 5 bytes JMP 0000000100070470 .text C:\Windows\system32\svchost.exe[880] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076ec1570 5 bytes JMP 00000001000703e0 .text C:\Windows\system32\svchost.exe[880] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076ec1620 5 bytes JMP 0000000100070320 .text C:\Windows\system32\svchost.exe[880] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076ec1650 5 bytes JMP 00000001000703b0 .text C:\Windows\system32\svchost.exe[880] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076ec1670 5 bytes JMP 0000000100070390 .text C:\Windows\system32\svchost.exe[880] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076ec16b0 5 bytes JMP 00000001000702e0 .text C:\Windows\system32\svchost.exe[880] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076ec1730 5 bytes JMP 00000001000702d0 .text C:\Windows\system32\svchost.exe[880] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076ec1750 5 bytes JMP 0000000100070310 .text C:\Windows\system32\svchost.exe[880] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076ec1790 5 bytes JMP 00000001000703c0 .text C:\Windows\system32\svchost.exe[880] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076ec17e0 5 bytes JMP 00000001000703f0 .text C:\Windows\system32\svchost.exe[880] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076ec1940 5 bytes JMP 0000000100070230 .text C:\Windows\system32\svchost.exe[880] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076ec1b00 5 bytes JMP 0000000100070480 .text C:\Windows\system32\svchost.exe[880] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076ec1b30 5 bytes JMP 00000001000703a0 .text C:\Windows\system32\svchost.exe[880] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076ec1c10 5 bytes JMP 00000001000702f0 .text C:\Windows\system32\svchost.exe[880] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076ec1c20 5 bytes JMP 0000000100070350 .text C:\Windows\system32\svchost.exe[880] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076ec1c80 5 bytes JMP 0000000100070290 .text C:\Windows\system32\svchost.exe[880] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076ec1d10 5 bytes JMP 00000001000702b0 .text C:\Windows\system32\svchost.exe[880] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076ec1d30 5 bytes JMP 00000001000703d0 .text C:\Windows\system32\svchost.exe[880] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076ec1d40 5 bytes JMP 0000000100070330 .text C:\Windows\system32\svchost.exe[880] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076ec1db0 5 bytes JMP 0000000100070410 .text C:\Windows\system32\svchost.exe[880] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076ec1de0 5 bytes JMP 0000000100070240 .text C:\Windows\system32\svchost.exe[880] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076ec20a0 5 bytes JMP 00000001000701e0 .text C:\Windows\system32\svchost.exe[880] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076ec2160 5 bytes JMP 0000000100070250 .text C:\Windows\system32\svchost.exe[880] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076ec2190 5 bytes JMP 0000000100070490 .text C:\Windows\system32\svchost.exe[880] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076ec21a0 5 bytes JMP 00000001000704a0 .text C:\Windows\system32\svchost.exe[880] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076ec21d0 5 bytes JMP 0000000100070300 .text C:\Windows\system32\svchost.exe[880] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076ec21e0 5 bytes JMP 0000000100070360 .text C:\Windows\system32\svchost.exe[880] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076ec2240 5 bytes JMP 00000001000702a0 .text C:\Windows\system32\svchost.exe[880] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076ec2290 5 bytes JMP 00000001000702c0 .text C:\Windows\system32\svchost.exe[880] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076ec22c0 5 bytes JMP 0000000100070380 .text C:\Windows\system32\svchost.exe[880] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076ec22d0 5 bytes JMP 0000000100070340 .text C:\Windows\system32\svchost.exe[880] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076ec25c0 5 bytes JMP 0000000100070440 .text C:\Windows\system32\svchost.exe[880] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076ec27c0 5 bytes JMP 0000000100070260 .text C:\Windows\system32\svchost.exe[880] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076ec27d0 5 bytes JMP 0000000100070270 .text C:\Windows\system32\svchost.exe[880] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076ec27e0 5 bytes JMP 0000000100070400 .text C:\Windows\system32\svchost.exe[880] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076ec29a0 5 bytes JMP 00000001000701f0 .text C:\Windows\system32\svchost.exe[880] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076ec29b0 5 bytes JMP 0000000100070210 .text C:\Windows\system32\svchost.exe[880] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076ec2a20 5 bytes JMP 0000000100070200 .text C:\Windows\system32\svchost.exe[880] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076ec2a80 5 bytes JMP 0000000100070420 .text C:\Windows\system32\svchost.exe[880] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076ec2a90 5 bytes JMP 0000000100070430 .text C:\Windows\system32\svchost.exe[880] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076ec2aa0 5 bytes JMP 0000000100070220 .text C:\Windows\system32\svchost.exe[880] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076ec2b80 5 bytes JMP 0000000100070280 .text C:\Program Files (x86)\Emsisoft Anti-Malware\a2service.exe[944] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000760ca2fd 1 byte [62] .text C:\Windows\system32\nvvsvc.exe[192] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076ec1360 5 bytes JMP 0000000077020460 .text C:\Windows\system32\nvvsvc.exe[192] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076ec13b0 5 bytes JMP 0000000077020450 .text C:\Windows\system32\nvvsvc.exe[192] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076ec1510 5 bytes JMP 0000000077020370 .text C:\Windows\system32\nvvsvc.exe[192] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076ec1560 5 bytes JMP 0000000077020470 .text C:\Windows\system32\nvvsvc.exe[192] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076ec1570 5 bytes JMP 00000000770203e0 .text C:\Windows\system32\nvvsvc.exe[192] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076ec1620 5 bytes JMP 0000000077020320 .text C:\Windows\system32\nvvsvc.exe[192] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076ec1650 5 bytes JMP 00000000770203b0 .text C:\Windows\system32\nvvsvc.exe[192] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076ec1670 5 bytes JMP 0000000077020390 .text C:\Windows\system32\nvvsvc.exe[192] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076ec16b0 5 bytes JMP 00000000770202e0 .text C:\Windows\system32\nvvsvc.exe[192] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076ec1730 5 bytes JMP 00000000770202d0 .text C:\Windows\system32\nvvsvc.exe[192] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076ec1750 5 bytes JMP 0000000077020310 .text C:\Windows\system32\nvvsvc.exe[192] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076ec1790 5 bytes JMP 00000000770203c0 .text C:\Windows\system32\nvvsvc.exe[192] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076ec17e0 5 bytes JMP 00000000770203f0 .text C:\Windows\system32\nvvsvc.exe[192] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076ec1940 5 bytes JMP 0000000077020230 .text C:\Windows\system32\nvvsvc.exe[192] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076ec1b00 5 bytes JMP 0000000077020480 .text C:\Windows\system32\nvvsvc.exe[192] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076ec1b30 5 bytes JMP 00000000770203a0 .text C:\Windows\system32\nvvsvc.exe[192] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076ec1c10 5 bytes JMP 00000000770202f0 .text C:\Windows\system32\nvvsvc.exe[192] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076ec1c20 5 bytes JMP 0000000077020350 .text C:\Windows\system32\nvvsvc.exe[192] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076ec1c80 5 bytes JMP 0000000077020290 .text C:\Windows\system32\nvvsvc.exe[192] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076ec1d10 5 bytes JMP 00000000770202b0 .text C:\Windows\system32\nvvsvc.exe[192] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076ec1d30 5 bytes JMP 00000000770203d0 .text C:\Windows\system32\nvvsvc.exe[192] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076ec1d40 5 bytes JMP 0000000077020330 .text C:\Windows\system32\nvvsvc.exe[192] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076ec1db0 5 bytes JMP 0000000077020410 .text C:\Windows\system32\nvvsvc.exe[192] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076ec1de0 5 bytes JMP 0000000077020240 .text C:\Windows\system32\nvvsvc.exe[192] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076ec20a0 5 bytes JMP 00000000770201e0 .text C:\Windows\system32\nvvsvc.exe[192] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076ec2160 5 bytes JMP 0000000077020250 .text C:\Windows\system32\nvvsvc.exe[192] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076ec2190 5 bytes JMP 0000000077020490 .text C:\Windows\system32\nvvsvc.exe[192] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076ec21a0 5 bytes JMP 00000000770204a0 .text C:\Windows\system32\nvvsvc.exe[192] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076ec21d0 5 bytes JMP 0000000077020300 .text C:\Windows\system32\nvvsvc.exe[192] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076ec21e0 5 bytes JMP 0000000077020360 .text C:\Windows\system32\nvvsvc.exe[192] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076ec2240 5 bytes JMP 00000000770202a0 .text C:\Windows\system32\nvvsvc.exe[192] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076ec2290 5 bytes JMP 00000000770202c0 .text C:\Windows\system32\nvvsvc.exe[192] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076ec22c0 5 bytes JMP 0000000077020380 .text C:\Windows\system32\nvvsvc.exe[192] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076ec22d0 5 bytes JMP 0000000077020340 .text C:\Windows\system32\nvvsvc.exe[192] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076ec25c0 5 bytes JMP 0000000077020440 .text C:\Windows\system32\nvvsvc.exe[192] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076ec27c0 5 bytes JMP 0000000077020260 .text C:\Windows\system32\nvvsvc.exe[192] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076ec27d0 5 bytes JMP 0000000077020270 .text C:\Windows\system32\nvvsvc.exe[192] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076ec27e0 5 bytes JMP 0000000077020400 .text C:\Windows\system32\nvvsvc.exe[192] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076ec29a0 5 bytes JMP 00000000770201f0 .text C:\Windows\system32\nvvsvc.exe[192] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076ec29b0 5 bytes JMP 0000000077020210 .text C:\Windows\system32\nvvsvc.exe[192] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076ec2a20 5 bytes JMP 0000000077020200 .text C:\Windows\system32\nvvsvc.exe[192] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076ec2a80 5 bytes JMP 0000000077020420 .text C:\Windows\system32\nvvsvc.exe[192] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076ec2a90 5 bytes JMP 0000000077020430 .text C:\Windows\system32\nvvsvc.exe[192] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076ec2aa0 5 bytes JMP 0000000077020220 .text C:\Windows\system32\nvvsvc.exe[192] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076ec2b80 5 bytes JMP 0000000077020280 .text C:\Windows\system32\nvvsvc.exe[192] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076daef8d 1 byte [62] .text C:\Windows\system32\svchost.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076ec1360 5 bytes JMP 0000000077020460 .text C:\Windows\system32\svchost.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076ec13b0 5 bytes JMP 0000000077020450 .text C:\Windows\system32\svchost.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076ec1510 5 bytes JMP 0000000077020370 .text C:\Windows\system32\svchost.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076ec1560 5 bytes JMP 0000000077020470 .text C:\Windows\system32\svchost.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076ec1570 5 bytes JMP 00000000770203e0 .text C:\Windows\system32\svchost.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076ec1620 5 bytes JMP 0000000077020320 .text C:\Windows\system32\svchost.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076ec1650 5 bytes JMP 00000000770203b0 .text C:\Windows\system32\svchost.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076ec1670 5 bytes JMP 0000000077020390 .text C:\Windows\system32\svchost.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076ec16b0 5 bytes JMP 00000000770202e0 .text C:\Windows\system32\svchost.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076ec1730 5 bytes JMP 00000000770202d0 .text C:\Windows\system32\svchost.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076ec1750 5 bytes JMP 0000000077020310 .text C:\Windows\system32\svchost.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076ec1790 5 bytes JMP 00000000770203c0 .text C:\Windows\system32\svchost.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076ec17e0 5 bytes JMP 00000000770203f0 .text C:\Windows\system32\svchost.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076ec1940 5 bytes JMP 0000000077020230 .text C:\Windows\system32\svchost.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076ec1b00 5 bytes JMP 0000000077020480 .text C:\Windows\system32\svchost.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076ec1b30 5 bytes JMP 00000000770203a0 .text C:\Windows\system32\svchost.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076ec1c10 5 bytes JMP 00000000770202f0 .text C:\Windows\system32\svchost.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076ec1c20 5 bytes JMP 0000000077020350 .text C:\Windows\system32\svchost.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076ec1c80 5 bytes JMP 0000000077020290 .text C:\Windows\system32\svchost.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076ec1d10 5 bytes JMP 00000000770202b0 .text C:\Windows\system32\svchost.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076ec1d30 5 bytes JMP 00000000770203d0 .text C:\Windows\system32\svchost.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076ec1d40 5 bytes JMP 0000000077020330 .text C:\Windows\system32\svchost.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076ec1db0 5 bytes JMP 0000000077020410 .text C:\Windows\system32\svchost.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076ec1de0 5 bytes JMP 0000000077020240 .text C:\Windows\system32\svchost.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076ec20a0 5 bytes JMP 00000000770201e0 .text C:\Windows\system32\svchost.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076ec2160 5 bytes JMP 0000000077020250 .text C:\Windows\system32\svchost.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076ec2190 5 bytes JMP 0000000077020490 .text C:\Windows\system32\svchost.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076ec21a0 5 bytes JMP 00000000770204a0 .text C:\Windows\system32\svchost.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076ec21d0 5 bytes JMP 0000000077020300 .text C:\Windows\system32\svchost.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076ec21e0 5 bytes JMP 0000000077020360 .text C:\Windows\system32\svchost.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076ec2240 5 bytes JMP 00000000770202a0 .text C:\Windows\system32\svchost.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076ec2290 5 bytes JMP 00000000770202c0 .text C:\Windows\system32\svchost.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076ec22c0 5 bytes JMP 0000000077020380 .text C:\Windows\system32\svchost.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076ec22d0 5 bytes JMP 0000000077020340 .text C:\Windows\system32\svchost.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076ec25c0 5 bytes JMP 0000000077020440 .text C:\Windows\system32\svchost.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076ec27c0 5 bytes JMP 0000000077020260 .text C:\Windows\system32\svchost.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076ec27d0 5 bytes JMP 0000000077020270 .text C:\Windows\system32\svchost.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076ec27e0 5 bytes JMP 0000000077020400 .text C:\Windows\system32\svchost.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076ec29a0 5 bytes JMP 00000000770201f0 .text C:\Windows\system32\svchost.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076ec29b0 5 bytes JMP 0000000077020210 .text C:\Windows\system32\svchost.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076ec2a20 5 bytes JMP 0000000077020200 .text C:\Windows\system32\svchost.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076ec2a80 5 bytes JMP 0000000077020420 .text C:\Windows\system32\svchost.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076ec2a90 5 bytes JMP 0000000077020430 .text C:\Windows\system32\svchost.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076ec2aa0 5 bytes JMP 0000000077020220 .text C:\Windows\system32\svchost.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076ec2b80 5 bytes JMP 0000000077020280 .text C:\Windows\System32\svchost.exe[196] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076ec1360 5 bytes JMP 0000000077020460 .text C:\Windows\System32\svchost.exe[196] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076ec13b0 5 bytes JMP 0000000077020450 .text C:\Windows\System32\svchost.exe[196] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076ec1510 5 bytes JMP 0000000077020370 .text C:\Windows\System32\svchost.exe[196] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076ec1560 5 bytes JMP 0000000077020470 .text C:\Windows\System32\svchost.exe[196] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076ec1570 5 bytes JMP 00000000770203e0 .text C:\Windows\System32\svchost.exe[196] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076ec1620 5 bytes JMP 0000000077020320 .text C:\Windows\System32\svchost.exe[196] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076ec1650 5 bytes JMP 00000000770203b0 .text C:\Windows\System32\svchost.exe[196] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076ec1670 5 bytes JMP 0000000077020390 .text C:\Windows\System32\svchost.exe[196] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076ec16b0 5 bytes JMP 00000000770202e0 .text C:\Windows\System32\svchost.exe[196] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076ec1730 5 bytes JMP 00000000770202d0 .text C:\Windows\System32\svchost.exe[196] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076ec1750 5 bytes JMP 0000000077020310 .text C:\Windows\System32\svchost.exe[196] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076ec1790 5 bytes JMP 00000000770203c0 .text C:\Windows\System32\svchost.exe[196] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076ec17e0 5 bytes JMP 00000000770203f0 .text C:\Windows\System32\svchost.exe[196] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076ec1940 5 bytes JMP 0000000077020230 .text C:\Windows\System32\svchost.exe[196] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076ec1b00 5 bytes JMP 0000000077020480 .text C:\Windows\System32\svchost.exe[196] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076ec1b30 5 bytes JMP 00000000770203a0 .text C:\Windows\System32\svchost.exe[196] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076ec1c10 5 bytes JMP 00000000770202f0 .text C:\Windows\System32\svchost.exe[196] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076ec1c20 5 bytes JMP 0000000077020350 .text C:\Windows\System32\svchost.exe[196] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076ec1c80 5 bytes JMP 0000000077020290 .text C:\Windows\System32\svchost.exe[196] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076ec1d10 5 bytes JMP 00000000770202b0 .text C:\Windows\System32\svchost.exe[196] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076ec1d30 5 bytes JMP 00000000770203d0 .text C:\Windows\System32\svchost.exe[196] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076ec1d40 5 bytes JMP 0000000077020330 .text C:\Windows\System32\svchost.exe[196] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076ec1db0 5 bytes JMP 0000000077020410 .text C:\Windows\System32\svchost.exe[196] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076ec1de0 5 bytes JMP 0000000077020240 .text C:\Windows\System32\svchost.exe[196] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076ec20a0 5 bytes JMP 00000000770201e0 .text C:\Windows\System32\svchost.exe[196] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076ec2160 5 bytes JMP 0000000077020250 .text C:\Windows\System32\svchost.exe[196] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076ec2190 5 bytes JMP 0000000077020490 .text C:\Windows\System32\svchost.exe[196] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076ec21a0 5 bytes JMP 00000000770204a0 .text C:\Windows\System32\svchost.exe[196] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076ec21d0 5 bytes JMP 0000000077020300 .text C:\Windows\System32\svchost.exe[196] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076ec21e0 5 bytes JMP 0000000077020360 .text C:\Windows\System32\svchost.exe[196] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076ec2240 5 bytes JMP 00000000770202a0 .text C:\Windows\System32\svchost.exe[196] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076ec2290 5 bytes JMP 00000000770202c0 .text C:\Windows\System32\svchost.exe[196] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076ec22c0 5 bytes JMP 0000000077020380 .text C:\Windows\System32\svchost.exe[196] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076ec22d0 5 bytes JMP 0000000077020340 .text C:\Windows\System32\svchost.exe[196] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076ec25c0 5 bytes JMP 0000000077020440 .text C:\Windows\System32\svchost.exe[196] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076ec27c0 5 bytes JMP 0000000077020260 .text C:\Windows\System32\svchost.exe[196] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076ec27d0 5 bytes JMP 0000000077020270 .text C:\Windows\System32\svchost.exe[196] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076ec27e0 5 bytes JMP 0000000077020400 .text C:\Windows\System32\svchost.exe[196] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076ec29a0 5 bytes JMP 00000000770201f0 .text C:\Windows\System32\svchost.exe[196] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076ec29b0 5 bytes JMP 0000000077020210 .text C:\Windows\System32\svchost.exe[196] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076ec2a20 5 bytes JMP 0000000077020200 .text C:\Windows\System32\svchost.exe[196] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076ec2a80 5 bytes JMP 0000000077020420 .text C:\Windows\System32\svchost.exe[196] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076ec2a90 5 bytes JMP 0000000077020430 .text C:\Windows\System32\svchost.exe[196] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076ec2aa0 5 bytes JMP 0000000077020220 .text C:\Windows\System32\svchost.exe[196] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076ec2b80 5 bytes JMP 0000000077020280 .text C:\Windows\System32\svchost.exe[1044] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076ec1360 5 bytes JMP 0000000077020460 .text C:\Windows\System32\svchost.exe[1044] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076ec13b0 5 bytes JMP 0000000077020450 .text C:\Windows\System32\svchost.exe[1044] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076ec1510 5 bytes JMP 0000000077020370 .text C:\Windows\System32\svchost.exe[1044] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076ec1560 5 bytes JMP 0000000077020470 .text C:\Windows\System32\svchost.exe[1044] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076ec1570 5 bytes JMP 00000000770203e0 .text C:\Windows\System32\svchost.exe[1044] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076ec1620 5 bytes JMP 0000000077020320 .text C:\Windows\System32\svchost.exe[1044] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076ec1650 5 bytes JMP 00000000770203b0 .text C:\Windows\System32\svchost.exe[1044] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076ec1670 5 bytes JMP 0000000077020390 .text C:\Windows\System32\svchost.exe[1044] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076ec16b0 5 bytes JMP 00000000770202e0 .text C:\Windows\System32\svchost.exe[1044] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076ec1730 5 bytes JMP 00000000770202d0 .text C:\Windows\System32\svchost.exe[1044] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076ec1750 5 bytes JMP 0000000077020310 .text C:\Windows\System32\svchost.exe[1044] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076ec1790 5 bytes JMP 00000000770203c0 .text C:\Windows\System32\svchost.exe[1044] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076ec17e0 5 bytes JMP 00000000770203f0 .text C:\Windows\System32\svchost.exe[1044] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076ec1940 5 bytes JMP 0000000077020230 .text C:\Windows\System32\svchost.exe[1044] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076ec1b00 5 bytes JMP 0000000077020480 .text C:\Windows\System32\svchost.exe[1044] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076ec1b30 5 bytes JMP 00000000770203a0 .text C:\Windows\System32\svchost.exe[1044] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076ec1c10 5 bytes JMP 00000000770202f0 .text C:\Windows\System32\svchost.exe[1044] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076ec1c20 5 bytes JMP 0000000077020350 .text C:\Windows\System32\svchost.exe[1044] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076ec1c80 5 bytes JMP 0000000077020290 .text C:\Windows\System32\svchost.exe[1044] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076ec1d10 5 bytes JMP 00000000770202b0 .text C:\Windows\System32\svchost.exe[1044] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076ec1d30 5 bytes JMP 00000000770203d0 .text C:\Windows\System32\svchost.exe[1044] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076ec1d40 5 bytes JMP 0000000077020330 .text C:\Windows\System32\svchost.exe[1044] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076ec1db0 5 bytes JMP 0000000077020410 .text C:\Windows\System32\svchost.exe[1044] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076ec1de0 5 bytes JMP 0000000077020240 .text C:\Windows\System32\svchost.exe[1044] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076ec20a0 5 bytes JMP 00000000770201e0 .text C:\Windows\System32\svchost.exe[1044] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076ec2160 5 bytes JMP 0000000077020250 .text C:\Windows\System32\svchost.exe[1044] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076ec2190 5 bytes JMP 0000000077020490 .text C:\Windows\System32\svchost.exe[1044] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076ec21a0 5 bytes JMP 00000000770204a0 .text C:\Windows\System32\svchost.exe[1044] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076ec21d0 5 bytes JMP 0000000077020300 .text C:\Windows\System32\svchost.exe[1044] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076ec21e0 5 bytes JMP 0000000077020360 .text C:\Windows\System32\svchost.exe[1044] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076ec2240 5 bytes JMP 00000000770202a0 .text C:\Windows\System32\svchost.exe[1044] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076ec2290 5 bytes JMP 00000000770202c0 .text C:\Windows\System32\svchost.exe[1044] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076ec22c0 5 bytes JMP 0000000077020380 .text C:\Windows\System32\svchost.exe[1044] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076ec22d0 5 bytes JMP 0000000077020340 .text C:\Windows\System32\svchost.exe[1044] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076ec25c0 5 bytes JMP 0000000077020440 .text C:\Windows\System32\svchost.exe[1044] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076ec27c0 5 bytes JMP 0000000077020260 .text C:\Windows\System32\svchost.exe[1044] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076ec27d0 5 bytes JMP 0000000077020270 .text C:\Windows\System32\svchost.exe[1044] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076ec27e0 5 bytes JMP 0000000077020400 .text C:\Windows\System32\svchost.exe[1044] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076ec29a0 5 bytes JMP 00000000770201f0 .text C:\Windows\System32\svchost.exe[1044] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076ec29b0 5 bytes JMP 0000000077020210 .text C:\Windows\System32\svchost.exe[1044] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076ec2a20 5 bytes JMP 0000000077020200 .text C:\Windows\System32\svchost.exe[1044] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076ec2a80 5 bytes JMP 0000000077020420 .text C:\Windows\System32\svchost.exe[1044] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076ec2a90 5 bytes JMP 0000000077020430 .text C:\Windows\System32\svchost.exe[1044] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076ec2aa0 5 bytes JMP 0000000077020220 .text C:\Windows\System32\svchost.exe[1044] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076ec2b80 5 bytes JMP 0000000077020280 .text C:\Windows\System32\svchost.exe[1044] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076daef8d 1 byte [62] .text C:\Windows\system32\svchost.exe[1076] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076ec1360 5 bytes JMP 0000000077020460 .text C:\Windows\system32\svchost.exe[1076] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076ec13b0 5 bytes JMP 0000000077020450 .text C:\Windows\system32\svchost.exe[1076] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076ec1510 5 bytes JMP 0000000077020370 .text C:\Windows\system32\svchost.exe[1076] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076ec1560 5 bytes JMP 0000000077020470 .text C:\Windows\system32\svchost.exe[1076] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076ec1570 5 bytes JMP 00000000770203e0 .text C:\Windows\system32\svchost.exe[1076] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076ec1620 5 bytes JMP 0000000077020320 .text C:\Windows\system32\svchost.exe[1076] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076ec1650 5 bytes JMP 00000000770203b0 .text C:\Windows\system32\svchost.exe[1076] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076ec1670 5 bytes JMP 0000000077020390 .text C:\Windows\system32\svchost.exe[1076] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076ec16b0 5 bytes JMP 00000000770202e0 .text C:\Windows\system32\svchost.exe[1076] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076ec1730 5 bytes JMP 00000000770202d0 .text C:\Windows\system32\svchost.exe[1076] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076ec1750 5 bytes JMP 0000000077020310 .text C:\Windows\system32\svchost.exe[1076] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076ec1790 5 bytes JMP 00000000770203c0 .text C:\Windows\system32\svchost.exe[1076] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076ec17e0 5 bytes JMP 00000000770203f0 .text C:\Windows\system32\svchost.exe[1076] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076ec1940 5 bytes JMP 0000000077020230 .text C:\Windows\system32\svchost.exe[1076] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076ec1b00 5 bytes JMP 0000000077020480 .text C:\Windows\system32\svchost.exe[1076] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076ec1b30 5 bytes JMP 00000000770203a0 .text C:\Windows\system32\svchost.exe[1076] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076ec1c10 5 bytes JMP 00000000770202f0 .text C:\Windows\system32\svchost.exe[1076] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076ec1c20 5 bytes JMP 0000000077020350 .text C:\Windows\system32\svchost.exe[1076] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076ec1c80 5 bytes JMP 0000000077020290 .text C:\Windows\system32\svchost.exe[1076] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076ec1d10 5 bytes JMP 00000000770202b0 .text C:\Windows\system32\svchost.exe[1076] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076ec1d30 5 bytes JMP 00000000770203d0 .text C:\Windows\system32\svchost.exe[1076] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076ec1d40 5 bytes JMP 0000000077020330 .text C:\Windows\system32\svchost.exe[1076] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076ec1db0 5 bytes JMP 0000000077020410 .text C:\Windows\system32\svchost.exe[1076] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076ec1de0 5 bytes JMP 0000000077020240 .text C:\Windows\system32\svchost.exe[1076] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076ec20a0 5 bytes JMP 00000000770201e0 .text C:\Windows\system32\svchost.exe[1076] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076ec2160 5 bytes JMP 0000000077020250 .text C:\Windows\system32\svchost.exe[1076] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076ec2190 5 bytes JMP 0000000077020490 .text C:\Windows\system32\svchost.exe[1076] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076ec21a0 5 bytes JMP 00000000770204a0 .text C:\Windows\system32\svchost.exe[1076] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076ec21d0 5 bytes JMP 0000000077020300 .text C:\Windows\system32\svchost.exe[1076] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076ec21e0 5 bytes JMP 0000000077020360 .text C:\Windows\system32\svchost.exe[1076] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076ec2240 5 bytes JMP 00000000770202a0 .text C:\Windows\system32\svchost.exe[1076] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076ec2290 5 bytes JMP 00000000770202c0 .text C:\Windows\system32\svchost.exe[1076] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076ec22c0 5 bytes JMP 0000000077020380 .text C:\Windows\system32\svchost.exe[1076] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076ec22d0 5 bytes JMP 0000000077020340 .text C:\Windows\system32\svchost.exe[1076] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076ec25c0 5 bytes JMP 0000000077020440 .text C:\Windows\system32\svchost.exe[1076] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076ec27c0 5 bytes JMP 0000000077020260 .text C:\Windows\system32\svchost.exe[1076] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076ec27d0 5 bytes JMP 0000000077020270 .text C:\Windows\system32\svchost.exe[1076] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076ec27e0 5 bytes JMP 0000000077020400 .text C:\Windows\system32\svchost.exe[1076] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076ec29a0 5 bytes JMP 00000000770201f0 .text C:\Windows\system32\svchost.exe[1076] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076ec29b0 5 bytes JMP 0000000077020210 .text C:\Windows\system32\svchost.exe[1076] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076ec2a20 5 bytes JMP 0000000077020200 .text C:\Windows\system32\svchost.exe[1076] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076ec2a80 5 bytes JMP 0000000077020420 .text C:\Windows\system32\svchost.exe[1076] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076ec2a90 5 bytes JMP 0000000077020430 .text C:\Windows\system32\svchost.exe[1076] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076ec2aa0 5 bytes JMP 0000000077020220 .text C:\Windows\system32\svchost.exe[1076] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076ec2b80 5 bytes JMP 0000000077020280 .text C:\Windows\system32\svchost.exe[1112] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076ec1360 5 bytes JMP 0000000077020460 .text C:\Windows\system32\svchost.exe[1112] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076ec13b0 5 bytes JMP 0000000077020450 .text C:\Windows\system32\svchost.exe[1112] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076ec1510 5 bytes JMP 0000000077020370 .text C:\Windows\system32\svchost.exe[1112] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076ec1560 5 bytes JMP 0000000077020470 .text C:\Windows\system32\svchost.exe[1112] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076ec1570 5 bytes JMP 00000000770203e0 .text C:\Windows\system32\svchost.exe[1112] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076ec1620 5 bytes JMP 0000000077020320 .text C:\Windows\system32\svchost.exe[1112] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076ec1650 5 bytes JMP 00000000770203b0 .text C:\Windows\system32\svchost.exe[1112] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076ec1670 5 bytes JMP 0000000077020390 .text C:\Windows\system32\svchost.exe[1112] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076ec16b0 5 bytes JMP 00000000770202e0 .text C:\Windows\system32\svchost.exe[1112] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076ec1730 5 bytes JMP 00000000770202d0 .text C:\Windows\system32\svchost.exe[1112] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076ec1750 5 bytes JMP 0000000077020310 .text C:\Windows\system32\svchost.exe[1112] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076ec1790 5 bytes JMP 00000000770203c0 .text C:\Windows\system32\svchost.exe[1112] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076ec17e0 5 bytes JMP 00000000770203f0 .text C:\Windows\system32\svchost.exe[1112] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076ec1940 5 bytes JMP 0000000077020230 .text C:\Windows\system32\svchost.exe[1112] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076ec1b00 5 bytes JMP 0000000077020480 .text C:\Windows\system32\svchost.exe[1112] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076ec1b30 5 bytes JMP 00000000770203a0 .text C:\Windows\system32\svchost.exe[1112] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076ec1c10 5 bytes JMP 00000000770202f0 .text C:\Windows\system32\svchost.exe[1112] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076ec1c20 5 bytes JMP 0000000077020350 .text C:\Windows\system32\svchost.exe[1112] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076ec1c80 5 bytes JMP 0000000077020290 .text C:\Windows\system32\svchost.exe[1112] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076ec1d10 5 bytes JMP 00000000770202b0 .text C:\Windows\system32\svchost.exe[1112] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076ec1d30 5 bytes JMP 00000000770203d0 .text C:\Windows\system32\svchost.exe[1112] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076ec1d40 5 bytes JMP 0000000077020330 .text C:\Windows\system32\svchost.exe[1112] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076ec1db0 5 bytes JMP 0000000077020410 .text C:\Windows\system32\svchost.exe[1112] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076ec1de0 5 bytes JMP 0000000077020240 .text C:\Windows\system32\svchost.exe[1112] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076ec20a0 5 bytes JMP 00000000770201e0 .text C:\Windows\system32\svchost.exe[1112] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076ec2160 5 bytes JMP 0000000077020250 .text C:\Windows\system32\svchost.exe[1112] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076ec2190 5 bytes JMP 0000000077020490 .text C:\Windows\system32\svchost.exe[1112] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076ec21a0 5 bytes JMP 00000000770204a0 .text C:\Windows\system32\svchost.exe[1112] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076ec21d0 5 bytes JMP 0000000077020300 .text C:\Windows\system32\svchost.exe[1112] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076ec21e0 5 bytes JMP 0000000077020360 .text C:\Windows\system32\svchost.exe[1112] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076ec2240 5 bytes JMP 00000000770202a0 .text C:\Windows\system32\svchost.exe[1112] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076ec2290 5 bytes JMP 00000000770202c0 .text C:\Windows\system32\svchost.exe[1112] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076ec22c0 5 bytes JMP 0000000077020380 .text C:\Windows\system32\svchost.exe[1112] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076ec22d0 5 bytes JMP 0000000077020340 .text C:\Windows\system32\svchost.exe[1112] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076ec25c0 5 bytes JMP 0000000077020440 .text C:\Windows\system32\svchost.exe[1112] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076ec27c0 5 bytes JMP 0000000077020260 .text C:\Windows\system32\svchost.exe[1112] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076ec27d0 5 bytes JMP 0000000077020270 .text C:\Windows\system32\svchost.exe[1112] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076ec27e0 5 bytes JMP 0000000077020400 .text C:\Windows\system32\svchost.exe[1112] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076ec29a0 5 bytes JMP 00000000770201f0 .text C:\Windows\system32\svchost.exe[1112] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076ec29b0 5 bytes JMP 0000000077020210 .text C:\Windows\system32\svchost.exe[1112] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076ec2a20 5 bytes JMP 0000000077020200 .text C:\Windows\system32\svchost.exe[1112] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076ec2a80 5 bytes JMP 0000000077020420 .text C:\Windows\system32\svchost.exe[1112] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076ec2a90 5 bytes JMP 0000000077020430 .text C:\Windows\system32\svchost.exe[1112] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076ec2aa0 5 bytes JMP 0000000077020220 .text C:\Windows\system32\svchost.exe[1112] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076ec2b80 5 bytes JMP 0000000077020280 .text C:\Windows\system32\svchost.exe[1112] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076daef8d 1 byte [62] .text C:\Windows\system32\AUDIODG.EXE[1200] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076ec1360 5 bytes JMP 0000000077020460 .text C:\Windows\system32\AUDIODG.EXE[1200] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076ec13b0 5 bytes JMP 0000000077020450 .text C:\Windows\system32\AUDIODG.EXE[1200] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076ec1510 5 bytes JMP 0000000077020370 .text C:\Windows\system32\AUDIODG.EXE[1200] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076ec1560 5 bytes JMP 0000000077020470 .text C:\Windows\system32\AUDIODG.EXE[1200] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076ec1570 5 bytes JMP 00000000770203e0 .text C:\Windows\system32\AUDIODG.EXE[1200] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076ec1620 5 bytes JMP 0000000077020320 .text C:\Windows\system32\AUDIODG.EXE[1200] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076ec1650 5 bytes JMP 00000000770203b0 .text C:\Windows\system32\AUDIODG.EXE[1200] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076ec1670 5 bytes JMP 0000000077020390 .text C:\Windows\system32\AUDIODG.EXE[1200] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076ec16b0 5 bytes JMP 00000000770202e0 .text C:\Windows\system32\AUDIODG.EXE[1200] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076ec1730 5 bytes JMP 00000000770202d0 .text C:\Windows\system32\AUDIODG.EXE[1200] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076ec1750 5 bytes JMP 0000000077020310 .text C:\Windows\system32\AUDIODG.EXE[1200] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076ec1790 5 bytes JMP 00000000770203c0 .text C:\Windows\system32\AUDIODG.EXE[1200] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076ec17e0 5 bytes JMP 00000000770203f0 .text C:\Windows\system32\AUDIODG.EXE[1200] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076ec1940 5 bytes JMP 0000000077020230 .text C:\Windows\system32\AUDIODG.EXE[1200] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076ec1b00 5 bytes JMP 0000000077020480 .text C:\Windows\system32\AUDIODG.EXE[1200] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076ec1b30 5 bytes JMP 00000000770203a0 .text C:\Windows\system32\AUDIODG.EXE[1200] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076ec1c10 5 bytes JMP 00000000770202f0 .text C:\Windows\system32\AUDIODG.EXE[1200] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076ec1c20 5 bytes JMP 0000000077020350 .text C:\Windows\system32\AUDIODG.EXE[1200] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076ec1c80 5 bytes JMP 0000000077020290 .text C:\Windows\system32\AUDIODG.EXE[1200] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076ec1d10 5 bytes JMP 00000000770202b0 .text C:\Windows\system32\AUDIODG.EXE[1200] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076ec1d30 5 bytes JMP 00000000770203d0 .text C:\Windows\system32\AUDIODG.EXE[1200] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076ec1d40 5 bytes JMP 0000000077020330 .text C:\Windows\system32\AUDIODG.EXE[1200] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076ec1db0 5 bytes JMP 0000000077020410 .text C:\Windows\system32\AUDIODG.EXE[1200] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076ec1de0 5 bytes JMP 0000000077020240 .text C:\Windows\system32\AUDIODG.EXE[1200] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076ec20a0 5 bytes JMP 00000000770201e0 .text C:\Windows\system32\AUDIODG.EXE[1200] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076ec2160 5 bytes JMP 0000000077020250 .text C:\Windows\system32\AUDIODG.EXE[1200] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076ec2190 5 bytes JMP 0000000077020490 .text C:\Windows\system32\AUDIODG.EXE[1200] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076ec21a0 5 bytes JMP 00000000770204a0 .text C:\Windows\system32\AUDIODG.EXE[1200] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076ec21d0 5 bytes JMP 0000000077020300 .text C:\Windows\system32\AUDIODG.EXE[1200] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076ec21e0 5 bytes JMP 0000000077020360 .text C:\Windows\system32\AUDIODG.EXE[1200] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076ec2240 5 bytes JMP 00000000770202a0 .text C:\Windows\system32\AUDIODG.EXE[1200] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076ec2290 5 bytes JMP 00000000770202c0 .text C:\Windows\system32\AUDIODG.EXE[1200] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076ec22c0 5 bytes JMP 0000000077020380 .text C:\Windows\system32\AUDIODG.EXE[1200] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076ec22d0 5 bytes JMP 0000000077020340 .text C:\Windows\system32\AUDIODG.EXE[1200] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076ec25c0 5 bytes JMP 0000000077020440 .text C:\Windows\system32\AUDIODG.EXE[1200] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076ec27c0 5 bytes JMP 0000000077020260 .text C:\Windows\system32\AUDIODG.EXE[1200] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076ec27d0 5 bytes JMP 0000000077020270 .text C:\Windows\system32\AUDIODG.EXE[1200] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076ec27e0 5 bytes JMP 0000000077020400 .text C:\Windows\system32\AUDIODG.EXE[1200] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076ec29a0 5 bytes JMP 00000000770201f0 .text C:\Windows\system32\AUDIODG.EXE[1200] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076ec29b0 5 bytes JMP 0000000077020210 .text C:\Windows\system32\AUDIODG.EXE[1200] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076ec2a20 5 bytes JMP 0000000077020200 .text C:\Windows\system32\AUDIODG.EXE[1200] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076ec2a80 5 bytes JMP 0000000077020420 .text C:\Windows\system32\AUDIODG.EXE[1200] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076ec2a90 5 bytes JMP 0000000077020430 .text C:\Windows\system32\AUDIODG.EXE[1200] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076ec2aa0 5 bytes JMP 0000000077020220 .text C:\Windows\system32\AUDIODG.EXE[1200] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076ec2b80 5 bytes JMP 0000000077020280 .text C:\Windows\system32\svchost.exe[1328] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076ec1360 5 bytes JMP 0000000100070460 .text C:\Windows\system32\svchost.exe[1328] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076ec13b0 5 bytes JMP 0000000100070450 .text C:\Windows\system32\svchost.exe[1328] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076ec1510 5 bytes JMP 0000000100070370 .text C:\Windows\system32\svchost.exe[1328] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076ec1560 5 bytes JMP 0000000100070470 .text C:\Windows\system32\svchost.exe[1328] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076ec1570 5 bytes JMP 00000001000703e0 .text C:\Windows\system32\svchost.exe[1328] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076ec1620 5 bytes JMP 0000000100070320 .text C:\Windows\system32\svchost.exe[1328] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076ec1650 5 bytes JMP 00000001000703b0 .text C:\Windows\system32\svchost.exe[1328] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076ec1670 5 bytes JMP 0000000100070390 .text C:\Windows\system32\svchost.exe[1328] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076ec16b0 5 bytes JMP 00000001000702e0 .text C:\Windows\system32\svchost.exe[1328] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076ec1730 5 bytes JMP 00000001000702d0 .text C:\Windows\system32\svchost.exe[1328] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076ec1750 5 bytes JMP 0000000100070310 .text C:\Windows\system32\svchost.exe[1328] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076ec1790 5 bytes JMP 00000001000703c0 .text C:\Windows\system32\svchost.exe[1328] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076ec17e0 5 bytes JMP 00000001000703f0 .text C:\Windows\system32\svchost.exe[1328] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076ec1940 5 bytes JMP 0000000100070230 .text C:\Windows\system32\svchost.exe[1328] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076ec1b00 5 bytes JMP 0000000100070480 .text C:\Windows\system32\svchost.exe[1328] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076ec1b30 5 bytes JMP 00000001000703a0 .text C:\Windows\system32\svchost.exe[1328] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076ec1c10 5 bytes JMP 00000001000702f0 .text C:\Windows\system32\svchost.exe[1328] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076ec1c20 5 bytes JMP 0000000100070350 .text C:\Windows\system32\svchost.exe[1328] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076ec1c80 5 bytes JMP 0000000100070290 .text C:\Windows\system32\svchost.exe[1328] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076ec1d10 5 bytes JMP 00000001000702b0 .text C:\Windows\system32\svchost.exe[1328] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076ec1d30 5 bytes JMP 00000001000703d0 .text C:\Windows\system32\svchost.exe[1328] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076ec1d40 5 bytes JMP 0000000100070330 .text C:\Windows\system32\svchost.exe[1328] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076ec1db0 5 bytes JMP 0000000100070410 .text C:\Windows\system32\svchost.exe[1328] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076ec1de0 5 bytes JMP 0000000100070240 .text C:\Windows\system32\svchost.exe[1328] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076ec20a0 5 bytes JMP 00000001000701e0 .text C:\Windows\system32\svchost.exe[1328] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076ec2160 5 bytes JMP 0000000100070250 .text C:\Windows\system32\svchost.exe[1328] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076ec2190 5 bytes JMP 0000000100070490 .text C:\Windows\system32\svchost.exe[1328] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076ec21a0 5 bytes JMP 00000001000704a0 .text C:\Windows\system32\svchost.exe[1328] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076ec21d0 5 bytes JMP 0000000100070300 .text C:\Windows\system32\svchost.exe[1328] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076ec21e0 5 bytes JMP 0000000100070360 .text C:\Windows\system32\svchost.exe[1328] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076ec2240 5 bytes JMP 00000001000702a0 .text C:\Windows\system32\svchost.exe[1328] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076ec2290 5 bytes JMP 00000001000702c0 .text C:\Windows\system32\svchost.exe[1328] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076ec22c0 5 bytes JMP 0000000100070380 .text C:\Windows\system32\svchost.exe[1328] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076ec22d0 5 bytes JMP 0000000100070340 .text C:\Windows\system32\svchost.exe[1328] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076ec25c0 5 bytes JMP 0000000100070440 .text C:\Windows\system32\svchost.exe[1328] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076ec27c0 5 bytes JMP 0000000100070260 .text C:\Windows\system32\svchost.exe[1328] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076ec27d0 5 bytes JMP 0000000100070270 .text C:\Windows\system32\svchost.exe[1328] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076ec27e0 5 bytes JMP 0000000100070400 .text C:\Windows\system32\svchost.exe[1328] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076ec29a0 5 bytes JMP 00000001000701f0 .text C:\Windows\system32\svchost.exe[1328] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076ec29b0 5 bytes JMP 0000000100070210 .text C:\Windows\system32\svchost.exe[1328] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076ec2a20 5 bytes JMP 0000000100070200 .text C:\Windows\system32\svchost.exe[1328] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076ec2a80 5 bytes JMP 0000000100070420 .text C:\Windows\system32\svchost.exe[1328] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076ec2a90 5 bytes JMP 0000000100070430 .text C:\Windows\system32\svchost.exe[1328] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076ec2aa0 5 bytes JMP 0000000100070220 .text C:\Windows\system32\svchost.exe[1328] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076ec2b80 5 bytes JMP 0000000100070280 .text C:\Windows\system32\svchost.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076ec1360 5 bytes JMP 0000000077020460 .text C:\Windows\system32\svchost.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076ec13b0 5 bytes JMP 0000000077020450 .text C:\Windows\system32\svchost.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076ec1510 5 bytes JMP 0000000077020370 .text C:\Windows\system32\svchost.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076ec1560 5 bytes JMP 0000000077020470 .text C:\Windows\system32\svchost.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076ec1570 5 bytes JMP 00000000770203e0 .text C:\Windows\system32\svchost.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076ec1620 5 bytes JMP 0000000077020320 .text C:\Windows\system32\svchost.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076ec1650 5 bytes JMP 00000000770203b0 .text C:\Windows\system32\svchost.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076ec1670 5 bytes JMP 0000000077020390 .text C:\Windows\system32\svchost.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076ec16b0 5 bytes JMP 00000000770202e0 .text C:\Windows\system32\svchost.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076ec1730 5 bytes JMP 00000000770202d0 .text C:\Windows\system32\svchost.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076ec1750 5 bytes JMP 0000000077020310 .text C:\Windows\system32\svchost.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076ec1790 5 bytes JMP 00000000770203c0 .text C:\Windows\system32\svchost.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076ec17e0 5 bytes JMP 00000000770203f0 .text C:\Windows\system32\svchost.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076ec1940 5 bytes JMP 0000000077020230 .text C:\Windows\system32\svchost.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076ec1b00 5 bytes JMP 0000000077020480 .text C:\Windows\system32\svchost.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076ec1b30 5 bytes JMP 00000000770203a0 .text C:\Windows\system32\svchost.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076ec1c10 5 bytes JMP 00000000770202f0 .text C:\Windows\system32\svchost.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076ec1c20 5 bytes JMP 0000000077020350 .text C:\Windows\system32\svchost.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076ec1c80 5 bytes JMP 0000000077020290 .text C:\Windows\system32\svchost.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076ec1d10 5 bytes JMP 00000000770202b0 .text C:\Windows\system32\svchost.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076ec1d30 5 bytes JMP 00000000770203d0 .text C:\Windows\system32\svchost.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076ec1d40 5 bytes JMP 0000000077020330 .text C:\Windows\system32\svchost.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076ec1db0 5 bytes JMP 0000000077020410 .text C:\Windows\system32\svchost.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076ec1de0 5 bytes JMP 0000000077020240 .text C:\Windows\system32\svchost.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076ec20a0 5 bytes JMP 00000000770201e0 .text C:\Windows\system32\svchost.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076ec2160 5 bytes JMP 0000000077020250 .text C:\Windows\system32\svchost.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076ec2190 5 bytes JMP 0000000077020490 .text C:\Windows\system32\svchost.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076ec21a0 5 bytes JMP 00000000770204a0 .text C:\Windows\system32\svchost.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076ec21d0 5 bytes JMP 0000000077020300 .text C:\Windows\system32\svchost.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076ec21e0 5 bytes JMP 0000000077020360 .text C:\Windows\system32\svchost.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076ec2240 5 bytes JMP 00000000770202a0 .text C:\Windows\system32\svchost.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076ec2290 5 bytes JMP 00000000770202c0 .text C:\Windows\system32\svchost.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076ec22c0 5 bytes JMP 0000000077020380 .text C:\Windows\system32\svchost.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076ec22d0 5 bytes JMP 0000000077020340 .text C:\Windows\system32\svchost.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076ec25c0 5 bytes JMP 0000000077020440 .text C:\Windows\system32\svchost.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076ec27c0 5 bytes JMP 0000000077020260 .text C:\Windows\system32\svchost.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076ec27d0 5 bytes JMP 0000000077020270 .text C:\Windows\system32\svchost.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076ec27e0 5 bytes JMP 0000000077020400 .text C:\Windows\system32\svchost.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076ec29a0 5 bytes JMP 00000000770201f0 .text C:\Windows\system32\svchost.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076ec29b0 5 bytes JMP 0000000077020210 .text C:\Windows\system32\svchost.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076ec2a20 5 bytes JMP 0000000077020200 .text C:\Windows\system32\svchost.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076ec2a80 5 bytes JMP 0000000077020420 .text C:\Windows\system32\svchost.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076ec2a90 5 bytes JMP 0000000077020430 .text C:\Windows\system32\svchost.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076ec2aa0 5 bytes JMP 0000000077020220 .text C:\Windows\system32\svchost.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076ec2b80 5 bytes JMP 0000000077020280 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1512] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076ec1360 5 bytes JMP 0000000100070460 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1512] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076ec13b0 5 bytes JMP 0000000100070450 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1512] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076ec1510 5 bytes JMP 0000000100070370 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1512] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076ec1560 5 bytes JMP 0000000100070470 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1512] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076ec1570 5 bytes JMP 00000001000703e0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1512] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076ec1620 5 bytes JMP 0000000100070320 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1512] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076ec1650 5 bytes JMP 00000001000703b0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1512] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076ec1670 5 bytes JMP 0000000100070390 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1512] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076ec16b0 5 bytes JMP 00000001000702e0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1512] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076ec1730 5 bytes JMP 00000001000702d0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1512] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076ec1750 5 bytes JMP 0000000100070310 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1512] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076ec1790 5 bytes JMP 00000001000703c0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1512] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076ec17e0 5 bytes JMP 00000001000703f0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1512] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076ec1940 5 bytes JMP 0000000100070230 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1512] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076ec1b00 5 bytes JMP 0000000100070480 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1512] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076ec1b30 5 bytes JMP 00000001000703a0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1512] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076ec1c10 5 bytes JMP 00000001000702f0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1512] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076ec1c20 5 bytes JMP 0000000100070350 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1512] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076ec1c80 5 bytes JMP 0000000100070290 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1512] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076ec1d10 5 bytes JMP 00000001000702b0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1512] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076ec1d30 5 bytes JMP 00000001000703d0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1512] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076ec1d40 5 bytes JMP 0000000100070330 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1512] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076ec1db0 5 bytes JMP 0000000100070410 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1512] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076ec1de0 5 bytes JMP 0000000100070240 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1512] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076ec20a0 5 bytes JMP 00000001000701e0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1512] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076ec2160 5 bytes JMP 0000000100070250 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1512] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076ec2190 5 bytes JMP 0000000100070490 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1512] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076ec21a0 5 bytes JMP 00000001000704a0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1512] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076ec21d0 5 bytes JMP 0000000100070300 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1512] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076ec21e0 5 bytes JMP 0000000100070360 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1512] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076ec2240 5 bytes JMP 00000001000702a0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1512] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076ec2290 5 bytes JMP 00000001000702c0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1512] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076ec22c0 5 bytes JMP 0000000100070380 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1512] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076ec22d0 5 bytes JMP 0000000100070340 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1512] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076ec25c0 5 bytes JMP 0000000100070440 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1512] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076ec27c0 5 bytes JMP 0000000100070260 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1512] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076ec27d0 5 bytes JMP 0000000100070270 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1512] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076ec27e0 5 bytes JMP 0000000100070400 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1512] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076ec29a0 5 bytes JMP 00000001000701f0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1512] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076ec29b0 5 bytes JMP 0000000100070210 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1512] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076ec2a20 5 bytes JMP 0000000100070200 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1512] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076ec2a80 5 bytes JMP 0000000100070420 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1512] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076ec2a90 5 bytes JMP 0000000100070430 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1512] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076ec2aa0 5 bytes JMP 0000000100070220 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1512] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076ec2b80 5 bytes JMP 0000000100070280 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1512] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076daef8d 1 byte [62] .text C:\Windows\system32\nvvsvc.exe[1520] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076ec1360 5 bytes JMP 0000000077020460 .text C:\Windows\system32\nvvsvc.exe[1520] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076ec13b0 5 bytes JMP 0000000077020450 .text C:\Windows\system32\nvvsvc.exe[1520] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076ec1510 5 bytes JMP 0000000077020370 .text C:\Windows\system32\nvvsvc.exe[1520] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076ec1560 5 bytes JMP 0000000077020470 .text C:\Windows\system32\nvvsvc.exe[1520] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076ec1570 5 bytes JMP 00000000770203e0 .text C:\Windows\system32\nvvsvc.exe[1520] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076ec1620 5 bytes JMP 0000000077020320 .text C:\Windows\system32\nvvsvc.exe[1520] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076ec1650 5 bytes JMP 00000000770203b0 .text C:\Windows\system32\nvvsvc.exe[1520] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076ec1670 5 bytes JMP 0000000077020390 .text C:\Windows\system32\nvvsvc.exe[1520] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076ec16b0 5 bytes JMP 00000000770202e0 .text C:\Windows\system32\nvvsvc.exe[1520] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076ec1730 5 bytes JMP 00000000770202d0 .text C:\Windows\system32\nvvsvc.exe[1520] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076ec1750 5 bytes JMP 0000000077020310 .text C:\Windows\system32\nvvsvc.exe[1520] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076ec1790 5 bytes JMP 00000000770203c0 .text C:\Windows\system32\nvvsvc.exe[1520] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076ec17e0 5 bytes JMP 00000000770203f0 .text C:\Windows\system32\nvvsvc.exe[1520] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076ec1940 5 bytes JMP 0000000077020230 .text C:\Windows\system32\nvvsvc.exe[1520] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076ec1b00 5 bytes JMP 0000000077020480 .text C:\Windows\system32\nvvsvc.exe[1520] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076ec1b30 5 bytes JMP 00000000770203a0 .text C:\Windows\system32\nvvsvc.exe[1520] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076ec1c10 5 bytes JMP 00000000770202f0 .text C:\Windows\system32\nvvsvc.exe[1520] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076ec1c20 5 bytes JMP 0000000077020350 .text C:\Windows\system32\nvvsvc.exe[1520] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076ec1c80 5 bytes JMP 0000000077020290 .text C:\Windows\system32\nvvsvc.exe[1520] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076ec1d10 5 bytes JMP 00000000770202b0 .text C:\Windows\system32\nvvsvc.exe[1520] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076ec1d30 5 bytes JMP 00000000770203d0 .text C:\Windows\system32\nvvsvc.exe[1520] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076ec1d40 5 bytes JMP 0000000077020330 .text C:\Windows\system32\nvvsvc.exe[1520] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076ec1db0 5 bytes JMP 0000000077020410 .text C:\Windows\system32\nvvsvc.exe[1520] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076ec1de0 5 bytes JMP 0000000077020240 .text C:\Windows\system32\nvvsvc.exe[1520] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076ec20a0 5 bytes JMP 00000000770201e0 .text C:\Windows\system32\nvvsvc.exe[1520] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076ec2160 5 bytes JMP 0000000077020250 .text C:\Windows\system32\nvvsvc.exe[1520] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076ec2190 5 bytes JMP 0000000077020490 .text C:\Windows\system32\nvvsvc.exe[1520] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076ec21a0 5 bytes JMP 00000000770204a0 .text C:\Windows\system32\nvvsvc.exe[1520] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076ec21d0 5 bytes JMP 0000000077020300 .text C:\Windows\system32\nvvsvc.exe[1520] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076ec21e0 5 bytes JMP 0000000077020360 .text C:\Windows\system32\nvvsvc.exe[1520] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076ec2240 5 bytes JMP 00000000770202a0 .text C:\Windows\system32\nvvsvc.exe[1520] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076ec2290 5 bytes JMP 00000000770202c0 .text C:\Windows\system32\nvvsvc.exe[1520] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076ec22c0 5 bytes JMP 0000000077020380 .text C:\Windows\system32\nvvsvc.exe[1520] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076ec22d0 5 bytes JMP 0000000077020340 .text C:\Windows\system32\nvvsvc.exe[1520] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076ec25c0 5 bytes JMP 0000000077020440 .text C:\Windows\system32\nvvsvc.exe[1520] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076ec27c0 5 bytes JMP 0000000077020260 .text C:\Windows\system32\nvvsvc.exe[1520] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076ec27d0 5 bytes JMP 0000000077020270 .text C:\Windows\system32\nvvsvc.exe[1520] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076ec27e0 5 bytes JMP 0000000077020400 .text C:\Windows\system32\nvvsvc.exe[1520] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076ec29a0 5 bytes JMP 00000000770201f0 .text C:\Windows\system32\nvvsvc.exe[1520] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076ec29b0 5 bytes JMP 0000000077020210 .text C:\Windows\system32\nvvsvc.exe[1520] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076ec2a20 5 bytes JMP 0000000077020200 .text C:\Windows\system32\nvvsvc.exe[1520] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076ec2a80 5 bytes JMP 0000000077020420 .text C:\Windows\system32\nvvsvc.exe[1520] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076ec2a90 5 bytes JMP 0000000077020430 .text C:\Windows\system32\nvvsvc.exe[1520] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076ec2aa0 5 bytes JMP 0000000077020220 .text C:\Windows\system32\nvvsvc.exe[1520] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076ec2b80 5 bytes JMP 0000000077020280 .text C:\Windows\system32\nvvsvc.exe[1520] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076daef8d 1 byte [62] .text C:\Windows\SYSTEM32\WISPTIS.EXE[1528] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076ec1360 5 bytes JMP 0000000077020460 .text C:\Windows\SYSTEM32\WISPTIS.EXE[1528] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076ec13b0 5 bytes JMP 0000000077020450 .text C:\Windows\SYSTEM32\WISPTIS.EXE[1528] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076ec1510 5 bytes JMP 0000000077020370 .text C:\Windows\SYSTEM32\WISPTIS.EXE[1528] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076ec1560 5 bytes JMP 0000000077020470 .text C:\Windows\SYSTEM32\WISPTIS.EXE[1528] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076ec1570 5 bytes JMP 00000000770203e0 .text C:\Windows\SYSTEM32\WISPTIS.EXE[1528] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076ec1620 5 bytes JMP 0000000077020320 .text C:\Windows\SYSTEM32\WISPTIS.EXE[1528] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076ec1650 5 bytes JMP 00000000770203b0 .text C:\Windows\SYSTEM32\WISPTIS.EXE[1528] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076ec1670 5 bytes JMP 0000000077020390 .text C:\Windows\SYSTEM32\WISPTIS.EXE[1528] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076ec16b0 5 bytes JMP 00000000770202e0 .text C:\Windows\SYSTEM32\WISPTIS.EXE[1528] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076ec1730 5 bytes JMP 00000000770202d0 .text C:\Windows\SYSTEM32\WISPTIS.EXE[1528] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076ec1750 5 bytes JMP 0000000077020310 .text C:\Windows\SYSTEM32\WISPTIS.EXE[1528] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076ec1790 5 bytes JMP 00000000770203c0 .text C:\Windows\SYSTEM32\WISPTIS.EXE[1528] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076ec17e0 5 bytes JMP 00000000770203f0 .text C:\Windows\SYSTEM32\WISPTIS.EXE[1528] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076ec1940 5 bytes JMP 0000000077020230 .text C:\Windows\SYSTEM32\WISPTIS.EXE[1528] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076ec1b00 5 bytes JMP 0000000077020480 .text C:\Windows\SYSTEM32\WISPTIS.EXE[1528] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076ec1b30 5 bytes JMP 00000000770203a0 .text C:\Windows\SYSTEM32\WISPTIS.EXE[1528] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076ec1c10 5 bytes JMP 00000000770202f0 .text C:\Windows\SYSTEM32\WISPTIS.EXE[1528] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076ec1c20 5 bytes JMP 0000000077020350 .text C:\Windows\SYSTEM32\WISPTIS.EXE[1528] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076ec1c80 5 bytes JMP 0000000077020290 .text C:\Windows\SYSTEM32\WISPTIS.EXE[1528] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076ec1d10 5 bytes JMP 00000000770202b0 .text C:\Windows\SYSTEM32\WISPTIS.EXE[1528] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076ec1d30 5 bytes JMP 00000000770203d0 .text C:\Windows\SYSTEM32\WISPTIS.EXE[1528] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076ec1d40 5 bytes JMP 0000000077020330 .text C:\Windows\SYSTEM32\WISPTIS.EXE[1528] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076ec1db0 5 bytes JMP 0000000077020410 .text C:\Windows\SYSTEM32\WISPTIS.EXE[1528] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076ec1de0 5 bytes JMP 0000000077020240 .text C:\Windows\SYSTEM32\WISPTIS.EXE[1528] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076ec20a0 5 bytes JMP 00000000770201e0 .text C:\Windows\SYSTEM32\WISPTIS.EXE[1528] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076ec2160 5 bytes JMP 0000000077020250 .text C:\Windows\SYSTEM32\WISPTIS.EXE[1528] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076ec2190 5 bytes JMP 0000000077020490 .text C:\Windows\SYSTEM32\WISPTIS.EXE[1528] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076ec21a0 5 bytes JMP 00000000770204a0 .text C:\Windows\SYSTEM32\WISPTIS.EXE[1528] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076ec21d0 5 bytes JMP 0000000077020300 .text C:\Windows\SYSTEM32\WISPTIS.EXE[1528] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076ec21e0 5 bytes JMP 0000000077020360 .text C:\Windows\SYSTEM32\WISPTIS.EXE[1528] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076ec2240 5 bytes JMP 00000000770202a0 .text C:\Windows\SYSTEM32\WISPTIS.EXE[1528] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076ec2290 5 bytes JMP 00000000770202c0 .text C:\Windows\SYSTEM32\WISPTIS.EXE[1528] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076ec22c0 5 bytes JMP 0000000077020380 .text C:\Windows\SYSTEM32\WISPTIS.EXE[1528] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076ec22d0 5 bytes JMP 0000000077020340 .text C:\Windows\SYSTEM32\WISPTIS.EXE[1528] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076ec25c0 5 bytes JMP 0000000077020440 .text C:\Windows\SYSTEM32\WISPTIS.EXE[1528] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076ec27c0 5 bytes JMP 0000000077020260 .text C:\Windows\SYSTEM32\WISPTIS.EXE[1528] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076ec27d0 5 bytes JMP 0000000077020270 .text C:\Windows\SYSTEM32\WISPTIS.EXE[1528] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076ec27e0 5 bytes JMP 0000000077020400 .text C:\Windows\SYSTEM32\WISPTIS.EXE[1528] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076ec29a0 5 bytes JMP 00000000770201f0 .text C:\Windows\SYSTEM32\WISPTIS.EXE[1528] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076ec29b0 5 bytes JMP 0000000077020210 .text C:\Windows\SYSTEM32\WISPTIS.EXE[1528] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076ec2a20 5 bytes JMP 0000000077020200 .text C:\Windows\SYSTEM32\WISPTIS.EXE[1528] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076ec2a80 5 bytes JMP 0000000077020420 .text C:\Windows\SYSTEM32\WISPTIS.EXE[1528] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076ec2a90 5 bytes JMP 0000000077020430 .text C:\Windows\SYSTEM32\WISPTIS.EXE[1528] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076ec2aa0 5 bytes JMP 0000000077020220 .text C:\Windows\SYSTEM32\WISPTIS.EXE[1528] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076ec2b80 5 bytes JMP 0000000077020280 .text C:\Windows\SYSTEM32\WISPTIS.EXE[1792] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076ec1360 5 bytes JMP 0000000077020460 .text C:\Windows\SYSTEM32\WISPTIS.EXE[1792] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076ec13b0 5 bytes JMP 0000000077020450 .text C:\Windows\SYSTEM32\WISPTIS.EXE[1792] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076ec1510 5 bytes JMP 0000000077020370 .text C:\Windows\SYSTEM32\WISPTIS.EXE[1792] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076ec1560 5 bytes JMP 0000000077020470 .text C:\Windows\SYSTEM32\WISPTIS.EXE[1792] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076ec1570 5 bytes JMP 00000000770203e0 .text C:\Windows\SYSTEM32\WISPTIS.EXE[1792] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076ec1620 5 bytes JMP 0000000077020320 .text C:\Windows\SYSTEM32\WISPTIS.EXE[1792] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076ec1650 5 bytes JMP 00000000770203b0 .text C:\Windows\SYSTEM32\WISPTIS.EXE[1792] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076ec1670 5 bytes JMP 0000000077020390 .text C:\Windows\SYSTEM32\WISPTIS.EXE[1792] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076ec16b0 5 bytes JMP 00000000770202e0 .text C:\Windows\SYSTEM32\WISPTIS.EXE[1792] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076ec1730 5 bytes JMP 00000000770202d0 .text C:\Windows\SYSTEM32\WISPTIS.EXE[1792] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076ec1750 5 bytes JMP 0000000077020310 .text C:\Windows\SYSTEM32\WISPTIS.EXE[1792] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076ec1790 5 bytes JMP 00000000770203c0 .text C:\Windows\SYSTEM32\WISPTIS.EXE[1792] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076ec17e0 5 bytes JMP 00000000770203f0 .text C:\Windows\SYSTEM32\WISPTIS.EXE[1792] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076ec1940 5 bytes JMP 0000000077020230 .text C:\Windows\SYSTEM32\WISPTIS.EXE[1792] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076ec1b00 5 bytes JMP 0000000077020480 .text C:\Windows\SYSTEM32\WISPTIS.EXE[1792] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076ec1b30 5 bytes JMP 00000000770203a0 .text C:\Windows\SYSTEM32\WISPTIS.EXE[1792] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076ec1c10 5 bytes JMP 00000000770202f0 .text C:\Windows\SYSTEM32\WISPTIS.EXE[1792] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076ec1c20 5 bytes JMP 0000000077020350 .text C:\Windows\SYSTEM32\WISPTIS.EXE[1792] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076ec1c80 5 bytes JMP 0000000077020290 .text C:\Windows\SYSTEM32\WISPTIS.EXE[1792] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076ec1d10 5 bytes JMP 00000000770202b0 .text C:\Windows\SYSTEM32\WISPTIS.EXE[1792] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076ec1d30 5 bytes JMP 00000000770203d0 .text C:\Windows\SYSTEM32\WISPTIS.EXE[1792] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076ec1d40 5 bytes JMP 0000000077020330 .text C:\Windows\SYSTEM32\WISPTIS.EXE[1792] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076ec1db0 5 bytes JMP 0000000077020410 .text C:\Windows\SYSTEM32\WISPTIS.EXE[1792] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076ec1de0 5 bytes JMP 0000000077020240 .text C:\Windows\SYSTEM32\WISPTIS.EXE[1792] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076ec20a0 5 bytes JMP 00000000770201e0 .text C:\Windows\SYSTEM32\WISPTIS.EXE[1792] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076ec2160 5 bytes JMP 0000000077020250 .text C:\Windows\SYSTEM32\WISPTIS.EXE[1792] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076ec2190 5 bytes JMP 0000000077020490 .text C:\Windows\SYSTEM32\WISPTIS.EXE[1792] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076ec21a0 5 bytes JMP 00000000770204a0 .text C:\Windows\SYSTEM32\WISPTIS.EXE[1792] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076ec21d0 5 bytes JMP 0000000077020300 .text C:\Windows\SYSTEM32\WISPTIS.EXE[1792] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076ec21e0 5 bytes JMP 0000000077020360 .text C:\Windows\SYSTEM32\WISPTIS.EXE[1792] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076ec2240 5 bytes JMP 00000000770202a0 .text C:\Windows\SYSTEM32\WISPTIS.EXE[1792] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076ec2290 5 bytes JMP 00000000770202c0 .text C:\Windows\SYSTEM32\WISPTIS.EXE[1792] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076ec22c0 5 bytes JMP 0000000077020380 .text C:\Windows\SYSTEM32\WISPTIS.EXE[1792] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076ec22d0 5 bytes JMP 0000000077020340 .text C:\Windows\SYSTEM32\WISPTIS.EXE[1792] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076ec25c0 5 bytes JMP 0000000077020440 .text C:\Windows\SYSTEM32\WISPTIS.EXE[1792] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076ec27c0 5 bytes JMP 0000000077020260 .text C:\Windows\SYSTEM32\WISPTIS.EXE[1792] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076ec27d0 5 bytes JMP 0000000077020270 .text C:\Windows\SYSTEM32\WISPTIS.EXE[1792] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076ec27e0 5 bytes JMP 0000000077020400 .text C:\Windows\SYSTEM32\WISPTIS.EXE[1792] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076ec29a0 5 bytes JMP 00000000770201f0 .text C:\Windows\SYSTEM32\WISPTIS.EXE[1792] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076ec29b0 5 bytes JMP 0000000077020210 .text C:\Windows\SYSTEM32\WISPTIS.EXE[1792] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076ec2a20 5 bytes JMP 0000000077020200 .text C:\Windows\SYSTEM32\WISPTIS.EXE[1792] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076ec2a80 5 bytes JMP 0000000077020420 .text C:\Windows\SYSTEM32\WISPTIS.EXE[1792] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076ec2a90 5 bytes JMP 0000000077020430 .text C:\Windows\SYSTEM32\WISPTIS.EXE[1792] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076ec2aa0 5 bytes JMP 0000000077020220 .text C:\Windows\SYSTEM32\WISPTIS.EXE[1792] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076ec2b80 5 bytes JMP 0000000077020280 .text C:\Windows\SYSTEM32\WISPTIS.EXE[1792] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076daef8d 1 byte [62] .text C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076ec1360 5 bytes JMP 0000000077020460 .text C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076ec13b0 5 bytes JMP 0000000077020450 .text C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076ec1510 5 bytes JMP 0000000077020370 .text C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076ec1560 5 bytes JMP 0000000077020470 .text C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076ec1570 5 bytes JMP 00000000770203e0 .text C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076ec1620 5 bytes JMP 0000000077020320 .text C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076ec1650 5 bytes JMP 00000000770203b0 .text C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076ec1670 5 bytes JMP 0000000077020390 .text C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076ec16b0 5 bytes JMP 00000000770202e0 .text C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076ec1730 5 bytes JMP 00000000770202d0 .text C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076ec1750 5 bytes JMP 0000000077020310 .text C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076ec1790 5 bytes JMP 00000000770203c0 .text C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076ec17e0 5 bytes JMP 00000000770203f0 .text C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076ec1940 5 bytes JMP 0000000077020230 .text C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076ec1b00 5 bytes JMP 0000000077020480 .text C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076ec1b30 5 bytes JMP 00000000770203a0 .text C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076ec1c10 5 bytes JMP 00000000770202f0 .text C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076ec1c20 5 bytes JMP 0000000077020350 .text C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076ec1c80 5 bytes JMP 0000000077020290 .text C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076ec1d10 5 bytes JMP 00000000770202b0 .text C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076ec1d30 5 bytes JMP 00000000770203d0 .text C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076ec1d40 5 bytes JMP 0000000077020330 .text C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076ec1db0 5 bytes JMP 0000000077020410 .text C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076ec1de0 5 bytes JMP 0000000077020240 .text C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076ec20a0 5 bytes JMP 00000000770201e0 .text C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076ec2160 5 bytes JMP 0000000077020250 .text C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076ec2190 5 bytes JMP 0000000077020490 .text C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076ec21a0 5 bytes JMP 00000000770204a0 .text C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076ec21d0 5 bytes JMP 0000000077020300 .text C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076ec21e0 5 bytes JMP 0000000077020360 .text C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076ec2240 5 bytes JMP 00000000770202a0 .text C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076ec2290 5 bytes JMP 00000000770202c0 .text C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076ec22c0 5 bytes JMP 0000000077020380 .text C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076ec22d0 5 bytes JMP 0000000077020340 .text C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076ec25c0 5 bytes JMP 0000000077020440 .text C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076ec27c0 5 bytes JMP 0000000077020260 .text C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076ec27d0 5 bytes JMP 0000000077020270 .text C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076ec27e0 5 bytes JMP 0000000077020400 .text C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076ec29a0 5 bytes JMP 00000000770201f0 .text C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076ec29b0 5 bytes JMP 0000000077020210 .text C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076ec2a20 5 bytes JMP 0000000077020200 .text C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076ec2a80 5 bytes JMP 0000000077020420 .text C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076ec2a90 5 bytes JMP 0000000077020430 .text C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076ec2aa0 5 bytes JMP 0000000077020220 .text C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076ec2b80 5 bytes JMP 0000000077020280 .text C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe[1800] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076daef8d 1 byte [62] .text C:\Program Files (x86)\Common Files\Microsoft Shared\Ink\TabTip32.exe[1872] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000760ca2fd 1 byte [62] .text C:\Windows\system32\Dwm.exe[1884] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076ec1360 5 bytes JMP 0000000077020460 .text C:\Windows\system32\Dwm.exe[1884] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076ec13b0 5 bytes JMP 0000000077020450 .text C:\Windows\system32\Dwm.exe[1884] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076ec1510 5 bytes JMP 0000000077020370 .text C:\Windows\system32\Dwm.exe[1884] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076ec1560 5 bytes JMP 0000000077020470 .text C:\Windows\system32\Dwm.exe[1884] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076ec1570 5 bytes JMP 00000000770203e0 .text C:\Windows\system32\Dwm.exe[1884] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076ec1620 5 bytes JMP 0000000077020320 .text C:\Windows\system32\Dwm.exe[1884] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076ec1650 5 bytes JMP 00000000770203b0 .text C:\Windows\system32\Dwm.exe[1884] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076ec1670 5 bytes JMP 0000000077020390 .text C:\Windows\system32\Dwm.exe[1884] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076ec16b0 5 bytes JMP 00000000770202e0 .text C:\Windows\system32\Dwm.exe[1884] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076ec1730 5 bytes JMP 00000000770202d0 .text C:\Windows\system32\Dwm.exe[1884] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076ec1750 5 bytes JMP 0000000077020310 .text C:\Windows\system32\Dwm.exe[1884] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076ec1790 5 bytes JMP 00000000770203c0 .text C:\Windows\system32\Dwm.exe[1884] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076ec17e0 5 bytes JMP 00000000770203f0 .text C:\Windows\system32\Dwm.exe[1884] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076ec1940 5 bytes JMP 0000000077020230 .text C:\Windows\system32\Dwm.exe[1884] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076ec1b00 5 bytes JMP 0000000077020480 .text C:\Windows\system32\Dwm.exe[1884] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076ec1b30 5 bytes JMP 00000000770203a0 .text C:\Windows\system32\Dwm.exe[1884] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076ec1c10 5 bytes JMP 00000000770202f0 .text C:\Windows\system32\Dwm.exe[1884] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076ec1c20 5 bytes JMP 0000000077020350 .text C:\Windows\system32\Dwm.exe[1884] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076ec1c80 5 bytes JMP 0000000077020290 .text C:\Windows\system32\Dwm.exe[1884] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076ec1d10 5 bytes JMP 00000000770202b0 .text C:\Windows\system32\Dwm.exe[1884] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076ec1d30 5 bytes JMP 00000000770203d0 .text C:\Windows\system32\Dwm.exe[1884] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076ec1d40 5 bytes JMP 0000000077020330 .text C:\Windows\system32\Dwm.exe[1884] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076ec1db0 5 bytes JMP 0000000077020410 .text C:\Windows\system32\Dwm.exe[1884] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076ec1de0 5 bytes JMP 0000000077020240 .text C:\Windows\system32\Dwm.exe[1884] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076ec20a0 5 bytes JMP 00000000770201e0 .text C:\Windows\system32\Dwm.exe[1884] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076ec2160 5 bytes JMP 0000000077020250 .text C:\Windows\system32\Dwm.exe[1884] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076ec2190 5 bytes JMP 0000000077020490 .text C:\Windows\system32\Dwm.exe[1884] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076ec21a0 5 bytes JMP 00000000770204a0 .text C:\Windows\system32\Dwm.exe[1884] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076ec21d0 5 bytes JMP 0000000077020300 .text C:\Windows\system32\Dwm.exe[1884] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076ec21e0 5 bytes JMP 0000000077020360 .text C:\Windows\system32\Dwm.exe[1884] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076ec2240 5 bytes JMP 00000000770202a0 .text C:\Windows\system32\Dwm.exe[1884] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076ec2290 5 bytes JMP 00000000770202c0 .text C:\Windows\system32\Dwm.exe[1884] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076ec22c0 5 bytes JMP 0000000077020380 .text C:\Windows\system32\Dwm.exe[1884] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076ec22d0 5 bytes JMP 0000000077020340 .text C:\Windows\system32\Dwm.exe[1884] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076ec25c0 5 bytes JMP 0000000077020440 .text C:\Windows\system32\Dwm.exe[1884] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076ec27c0 5 bytes JMP 0000000077020260 .text C:\Windows\system32\Dwm.exe[1884] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076ec27d0 5 bytes JMP 0000000077020270 .text C:\Windows\system32\Dwm.exe[1884] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076ec27e0 5 bytes JMP 0000000077020400 .text C:\Windows\system32\Dwm.exe[1884] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076ec29a0 5 bytes JMP 00000000770201f0 .text C:\Windows\system32\Dwm.exe[1884] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076ec29b0 5 bytes JMP 0000000077020210 .text C:\Windows\system32\Dwm.exe[1884] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076ec2a20 5 bytes JMP 0000000077020200 .text C:\Windows\system32\Dwm.exe[1884] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076ec2a80 5 bytes JMP 0000000077020420 .text C:\Windows\system32\Dwm.exe[1884] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076ec2a90 5 bytes JMP 0000000077020430 .text C:\Windows\system32\Dwm.exe[1884] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076ec2aa0 5 bytes JMP 0000000077020220 .text C:\Windows\system32\Dwm.exe[1884] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076ec2b80 5 bytes JMP 0000000077020280 .text C:\Windows\Explorer.EXE[1948] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076ec1360 5 bytes JMP 0000000077020460 .text C:\Windows\Explorer.EXE[1948] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076ec13b0 5 bytes JMP 0000000077020450 .text C:\Windows\Explorer.EXE[1948] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076ec1510 5 bytes JMP 0000000077020370 .text C:\Windows\Explorer.EXE[1948] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076ec1560 5 bytes JMP 0000000077020470 .text C:\Windows\Explorer.EXE[1948] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076ec1570 5 bytes JMP 00000000770203e0 .text C:\Windows\Explorer.EXE[1948] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076ec1620 5 bytes JMP 0000000077020320 .text C:\Windows\Explorer.EXE[1948] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076ec1650 5 bytes JMP 00000000770203b0 .text C:\Windows\Explorer.EXE[1948] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076ec1670 5 bytes JMP 0000000077020390 .text C:\Windows\Explorer.EXE[1948] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076ec16b0 5 bytes JMP 00000000770202e0 .text C:\Windows\Explorer.EXE[1948] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076ec1730 5 bytes JMP 00000000770202d0 .text C:\Windows\Explorer.EXE[1948] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076ec1750 5 bytes JMP 0000000077020310 .text C:\Windows\Explorer.EXE[1948] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076ec1790 5 bytes JMP 00000000770203c0 .text C:\Windows\Explorer.EXE[1948] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076ec17e0 5 bytes JMP 00000000770203f0 .text C:\Windows\Explorer.EXE[1948] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076ec1940 5 bytes JMP 0000000077020230 .text C:\Windows\Explorer.EXE[1948] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076ec1b00 5 bytes JMP 0000000077020480 .text C:\Windows\Explorer.EXE[1948] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076ec1b30 5 bytes JMP 00000000770203a0 .text C:\Windows\Explorer.EXE[1948] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076ec1c10 5 bytes JMP 00000000770202f0 .text C:\Windows\Explorer.EXE[1948] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076ec1c20 5 bytes JMP 0000000077020350 .text C:\Windows\Explorer.EXE[1948] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076ec1c80 5 bytes JMP 0000000077020290 .text C:\Windows\Explorer.EXE[1948] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076ec1d10 5 bytes JMP 00000000770202b0 .text C:\Windows\Explorer.EXE[1948] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076ec1d30 5 bytes JMP 00000000770203d0 .text C:\Windows\Explorer.EXE[1948] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076ec1d40 5 bytes JMP 0000000077020330 .text C:\Windows\Explorer.EXE[1948] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076ec1db0 5 bytes JMP 0000000077020410 .text C:\Windows\Explorer.EXE[1948] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076ec1de0 5 bytes JMP 0000000077020240 .text C:\Windows\Explorer.EXE[1948] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076ec20a0 5 bytes JMP 00000000770201e0 .text C:\Windows\Explorer.EXE[1948] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076ec2160 5 bytes JMP 0000000077020250 .text C:\Windows\Explorer.EXE[1948] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076ec2190 5 bytes JMP 0000000077020490 .text C:\Windows\Explorer.EXE[1948] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076ec21a0 5 bytes JMP 00000000770204a0 .text C:\Windows\Explorer.EXE[1948] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076ec21d0 5 bytes JMP 0000000077020300 .text C:\Windows\Explorer.EXE[1948] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076ec21e0 5 bytes JMP 0000000077020360 .text C:\Windows\Explorer.EXE[1948] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076ec2240 5 bytes JMP 00000000770202a0 .text C:\Windows\Explorer.EXE[1948] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076ec2290 5 bytes JMP 00000000770202c0 .text C:\Windows\Explorer.EXE[1948] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076ec22c0 5 bytes JMP 0000000077020380 .text C:\Windows\Explorer.EXE[1948] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076ec22d0 5 bytes JMP 0000000077020340 .text C:\Windows\Explorer.EXE[1948] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076ec25c0 5 bytes JMP 0000000077020440 .text C:\Windows\Explorer.EXE[1948] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076ec27c0 5 bytes JMP 0000000077020260 .text C:\Windows\Explorer.EXE[1948] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076ec27d0 5 bytes JMP 0000000077020270 .text C:\Windows\Explorer.EXE[1948] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076ec27e0 5 bytes JMP 0000000077020400 .text C:\Windows\Explorer.EXE[1948] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076ec29a0 5 bytes JMP 00000000770201f0 .text C:\Windows\Explorer.EXE[1948] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076ec29b0 5 bytes JMP 0000000077020210 .text C:\Windows\Explorer.EXE[1948] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076ec2a20 5 bytes JMP 0000000077020200 .text C:\Windows\Explorer.EXE[1948] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076ec2a80 5 bytes JMP 0000000077020420 .text C:\Windows\Explorer.EXE[1948] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076ec2a90 5 bytes JMP 0000000077020430 .text C:\Windows\Explorer.EXE[1948] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076ec2aa0 5 bytes JMP 0000000077020220 .text C:\Windows\Explorer.EXE[1948] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076ec2b80 5 bytes JMP 0000000077020280 .text C:\Windows\System32\spoolsv.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076ec1360 5 bytes JMP 0000000077020460 .text C:\Windows\System32\spoolsv.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076ec13b0 5 bytes JMP 0000000077020450 .text C:\Windows\System32\spoolsv.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076ec1510 5 bytes JMP 0000000077020370 .text C:\Windows\System32\spoolsv.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076ec1560 5 bytes JMP 0000000077020470 .text C:\Windows\System32\spoolsv.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076ec1570 5 bytes JMP 00000000770203e0 .text C:\Windows\System32\spoolsv.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076ec1620 5 bytes JMP 0000000077020320 .text C:\Windows\System32\spoolsv.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076ec1650 5 bytes JMP 00000000770203b0 .text C:\Windows\System32\spoolsv.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076ec1670 5 bytes JMP 0000000077020390 .text C:\Windows\System32\spoolsv.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076ec16b0 5 bytes JMP 00000000770202e0 .text C:\Windows\System32\spoolsv.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076ec1730 5 bytes JMP 00000000770202d0 .text C:\Windows\System32\spoolsv.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076ec1750 5 bytes JMP 0000000077020310 .text C:\Windows\System32\spoolsv.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076ec1790 5 bytes JMP 00000000770203c0 .text C:\Windows\System32\spoolsv.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076ec17e0 5 bytes JMP 00000000770203f0 .text C:\Windows\System32\spoolsv.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076ec1940 5 bytes JMP 0000000077020230 .text C:\Windows\System32\spoolsv.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076ec1b00 5 bytes JMP 0000000077020480 .text C:\Windows\System32\spoolsv.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076ec1b30 5 bytes JMP 00000000770203a0 .text C:\Windows\System32\spoolsv.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076ec1c10 5 bytes JMP 00000000770202f0 .text C:\Windows\System32\spoolsv.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076ec1c20 5 bytes JMP 0000000077020350 .text C:\Windows\System32\spoolsv.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076ec1c80 5 bytes JMP 0000000077020290 .text C:\Windows\System32\spoolsv.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076ec1d10 5 bytes JMP 00000000770202b0 .text C:\Windows\System32\spoolsv.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076ec1d30 5 bytes JMP 00000000770203d0 .text C:\Windows\System32\spoolsv.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076ec1d40 5 bytes JMP 0000000077020330 .text C:\Windows\System32\spoolsv.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076ec1db0 5 bytes JMP 0000000077020410 .text C:\Windows\System32\spoolsv.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076ec1de0 5 bytes JMP 0000000077020240 .text C:\Windows\System32\spoolsv.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076ec20a0 5 bytes JMP 00000000770201e0 .text C:\Windows\System32\spoolsv.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076ec2160 5 bytes JMP 0000000077020250 .text C:\Windows\System32\spoolsv.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076ec2190 5 bytes JMP 0000000077020490 .text C:\Windows\System32\spoolsv.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076ec21a0 5 bytes JMP 00000000770204a0 .text C:\Windows\System32\spoolsv.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076ec21d0 5 bytes JMP 0000000077020300 .text C:\Windows\System32\spoolsv.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076ec21e0 5 bytes JMP 0000000077020360 .text C:\Windows\System32\spoolsv.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076ec2240 5 bytes JMP 00000000770202a0 .text C:\Windows\System32\spoolsv.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076ec2290 5 bytes JMP 00000000770202c0 .text C:\Windows\System32\spoolsv.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076ec22c0 5 bytes JMP 0000000077020380 .text C:\Windows\System32\spoolsv.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076ec22d0 5 bytes JMP 0000000077020340 .text C:\Windows\System32\spoolsv.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076ec25c0 5 bytes JMP 0000000077020440 .text C:\Windows\System32\spoolsv.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076ec27c0 5 bytes JMP 0000000077020260 .text C:\Windows\System32\spoolsv.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076ec27d0 5 bytes JMP 0000000077020270 .text C:\Windows\System32\spoolsv.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076ec27e0 5 bytes JMP 0000000077020400 .text C:\Windows\System32\spoolsv.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076ec29a0 5 bytes JMP 00000000770201f0 .text C:\Windows\System32\spoolsv.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076ec29b0 5 bytes JMP 0000000077020210 .text C:\Windows\System32\spoolsv.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076ec2a20 5 bytes JMP 0000000077020200 .text C:\Windows\System32\spoolsv.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076ec2a80 5 bytes JMP 0000000077020420 .text C:\Windows\System32\spoolsv.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076ec2a90 5 bytes JMP 0000000077020430 .text C:\Windows\System32\spoolsv.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076ec2aa0 5 bytes JMP 0000000077020220 .text C:\Windows\System32\spoolsv.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076ec2b80 5 bytes JMP 0000000077020280 .text C:\Windows\System32\spoolsv.exe[2028] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076daef8d 1 byte [62] .text C:\Windows\system32\taskhost.exe[1108] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076ec1360 5 bytes JMP 0000000077020460 .text C:\Windows\system32\taskhost.exe[1108] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076ec13b0 5 bytes JMP 0000000077020450 .text C:\Windows\system32\taskhost.exe[1108] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076ec1510 5 bytes JMP 0000000077020370 .text C:\Windows\system32\taskhost.exe[1108] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076ec1560 5 bytes JMP 0000000077020470 .text C:\Windows\system32\taskhost.exe[1108] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076ec1570 5 bytes JMP 00000000770203e0 .text C:\Windows\system32\taskhost.exe[1108] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076ec1620 5 bytes JMP 0000000077020320 .text C:\Windows\system32\taskhost.exe[1108] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076ec1650 5 bytes JMP 00000000770203b0 .text C:\Windows\system32\taskhost.exe[1108] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076ec1670 5 bytes JMP 0000000077020390 .text C:\Windows\system32\taskhost.exe[1108] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076ec16b0 5 bytes JMP 00000000770202e0 .text C:\Windows\system32\taskhost.exe[1108] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076ec1730 5 bytes JMP 00000000770202d0 .text C:\Windows\system32\taskhost.exe[1108] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076ec1750 5 bytes JMP 0000000077020310 .text C:\Windows\system32\taskhost.exe[1108] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076ec1790 5 bytes JMP 00000000770203c0 .text C:\Windows\system32\taskhost.exe[1108] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076ec17e0 5 bytes JMP 00000000770203f0 .text C:\Windows\system32\taskhost.exe[1108] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076ec1940 5 bytes JMP 0000000077020230 .text C:\Windows\system32\taskhost.exe[1108] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076ec1b00 5 bytes JMP 0000000077020480 .text C:\Windows\system32\taskhost.exe[1108] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076ec1b30 5 bytes JMP 00000000770203a0 .text C:\Windows\system32\taskhost.exe[1108] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076ec1c10 5 bytes JMP 00000000770202f0 .text C:\Windows\system32\taskhost.exe[1108] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076ec1c20 5 bytes JMP 0000000077020350 .text C:\Windows\system32\taskhost.exe[1108] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076ec1c80 5 bytes JMP 0000000077020290 .text C:\Windows\system32\taskhost.exe[1108] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076ec1d10 5 bytes JMP 00000000770202b0 .text C:\Windows\system32\taskhost.exe[1108] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076ec1d30 5 bytes JMP 00000000770203d0 .text C:\Windows\system32\taskhost.exe[1108] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076ec1d40 5 bytes JMP 0000000077020330 .text C:\Windows\system32\taskhost.exe[1108] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076ec1db0 5 bytes JMP 0000000077020410 .text C:\Windows\system32\taskhost.exe[1108] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076ec1de0 5 bytes JMP 0000000077020240 .text C:\Windows\system32\taskhost.exe[1108] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076ec20a0 5 bytes JMP 00000000770201e0 .text C:\Windows\system32\taskhost.exe[1108] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076ec2160 5 bytes JMP 0000000077020250 .text C:\Windows\system32\taskhost.exe[1108] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076ec2190 5 bytes JMP 0000000077020490 .text C:\Windows\system32\taskhost.exe[1108] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076ec21a0 5 bytes JMP 00000000770204a0 .text C:\Windows\system32\taskhost.exe[1108] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076ec21d0 5 bytes JMP 0000000077020300 .text C:\Windows\system32\taskhost.exe[1108] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076ec21e0 5 bytes JMP 0000000077020360 .text C:\Windows\system32\taskhost.exe[1108] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076ec2240 5 bytes JMP 00000000770202a0 .text C:\Windows\system32\taskhost.exe[1108] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076ec2290 5 bytes JMP 00000000770202c0 .text C:\Windows\system32\taskhost.exe[1108] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076ec22c0 5 bytes JMP 0000000077020380 .text C:\Windows\system32\taskhost.exe[1108] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076ec22d0 5 bytes JMP 0000000077020340 .text C:\Windows\system32\taskhost.exe[1108] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076ec25c0 5 bytes JMP 0000000077020440 .text C:\Windows\system32\taskhost.exe[1108] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076ec27c0 5 bytes JMP 0000000077020260 .text C:\Windows\system32\taskhost.exe[1108] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076ec27d0 5 bytes JMP 0000000077020270 .text C:\Windows\system32\taskhost.exe[1108] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076ec27e0 5 bytes JMP 0000000077020400 .text C:\Windows\system32\taskhost.exe[1108] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076ec29a0 5 bytes JMP 00000000770201f0 .text C:\Windows\system32\taskhost.exe[1108] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076ec29b0 5 bytes JMP 0000000077020210 .text C:\Windows\system32\taskhost.exe[1108] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076ec2a20 5 bytes JMP 0000000077020200 .text C:\Windows\system32\taskhost.exe[1108] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076ec2a80 5 bytes JMP 0000000077020420 .text C:\Windows\system32\taskhost.exe[1108] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076ec2a90 5 bytes JMP 0000000077020430 .text C:\Windows\system32\taskhost.exe[1108] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076ec2aa0 5 bytes JMP 0000000077020220 .text C:\Windows\system32\taskhost.exe[1108] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076ec2b80 5 bytes JMP 0000000077020280 .text C:\Windows\system32\taskhost.exe[1108] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076daef8d 1 byte [62] .text C:\Program Files\AVAST Software\Avast\afwServ.exe[1820] C:\Windows\syswow64\kernel32.dll!SetUnhandledExceptionFilter 00000000760a8791 8 bytes [31, C0, C2, 04, 00, 90, 90, ...] .text C:\Program Files\AVAST Software\Avast\afwServ.exe[1820] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000760ca2fd 1 byte [62] .text C:\Program Files\AVAST Software\Avast\afwServ.exe[1820] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000074e71465 2 bytes [E7, 74] .text C:\Program Files\AVAST Software\Avast\afwServ.exe[1820] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000074e714bb 2 bytes [E7, 74] .text ... * 2 .text C:\Windows\system32\dolsrvcbar2.exe[2156] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076daef8d 1 byte [62] .text C:\Windows\system32\dol_start.exe[2192] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076daef8d 1 byte [62] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2244] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000760ca2fd 1 byte [62] .text C:\xampp\apache\bin\httpd.exe[2304] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000760ca2fd 1 byte [62] .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2404] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000760ca2fd 1 byte [62] .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2404] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000074e71465 2 bytes [E7, 74] .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2404] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000074e714bb 2 bytes [E7, 74] .text ... * 2 .text C:\Program Files (x86)\IVONA\IVONA ControlCenter\IVONA ControlCenter.exe[2416] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000760ca2fd 1 byte [62] .text C:\Program Files (x86)\IVONA\IVONA ControlCenter\IVONA ControlCenter.exe[2416] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000074e71465 2 bytes [E7, 74] .text C:\Program Files (x86)\IVONA\IVONA ControlCenter\IVONA ControlCenter.exe[2416] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000074e714bb 2 bytes [E7, 74] .text ... * 2 .text C:\Program Files (x86)\OLYMPUS\DeviceDetector\DeviceDetector4.exe[2440] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000760ca2fd 1 byte [62] .text C:\Program Files (x86)\OLYMPUS\DeviceDetector\DeviceDetector4.exe[2440] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000074e71465 2 bytes [E7, 74] .text C:\Program Files (x86)\OLYMPUS\DeviceDetector\DeviceDetector4.exe[2440] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000074e714bb 2 bytes [E7, 74] .text ... * 2 .text C:\Program Files\Microsoft Office 15\root\office15\ONENOTEM.EXE[2472] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007706f9e0 5 bytes JMP 000000016f9ff270 .text C:\Program Files\Microsoft Office 15\root\office15\ONENOTEM.EXE[2472] C:\Windows\SysWOW64\ntdll.dll!NtOpenKey 000000007706fa28 5 bytes JMP 000000016f9ff8d2 .text C:\Program Files\Microsoft Office 15\root\office15\ONENOTEM.EXE[2472] C:\Windows\SysWOW64\ntdll.dll!NtEnumerateValueKey 000000007706fa40 5 bytes JMP 000000016f9fe00d .text C:\Program Files\Microsoft Office 15\root\office15\ONENOTEM.EXE[2472] C:\Windows\SysWOW64\ntdll.dll!NtQueryKey 000000007706fa90 5 bytes JMP 000000016f9fdb69 .text C:\Program Files\Microsoft Office 15\root\office15\ONENOTEM.EXE[2472] C:\Windows\SysWOW64\ntdll.dll!NtQueryValueKey 000000007706faa8 5 bytes JMP 000000016f9fde5a .text C:\Program Files\Microsoft Office 15\root\office15\ONENOTEM.EXE[2472] C:\Windows\SysWOW64\ntdll.dll!NtCreateKey 000000007706fb40 5 bytes JMP 000000016f9ffb12 .text C:\Program Files\Microsoft Office 15\root\office15\ONENOTEM.EXE[2472] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile 000000007706fc38 5 bytes JMP 000000016fa0accc .text C:\Program Files\Microsoft Office 15\root\office15\ONENOTEM.EXE[2472] C:\Windows\SysWOW64\ntdll.dll!NtEnumerateKey 000000007706fd4c 5 bytes JMP 000000016f9fd9b1 .text C:\Program Files\Microsoft Office 15\root\office15\ONENOTEM.EXE[2472] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007706fd64 5 bytes JMP 000000016fa0a2ee .text C:\Program Files\Microsoft Office 15\root\office15\ONENOTEM.EXE[2472] C:\Windows\SysWOW64\ntdll.dll!NtQueryDirectoryFile 000000007706fd98 5 bytes JMP 000000016fa0a5e9 .text C:\Program Files\Microsoft Office 15\root\office15\ONENOTEM.EXE[2472] C:\Windows\SysWOW64\ntdll.dll!NtDuplicateObject 000000007706fe44 5 bytes JMP 000000016f9fee45 .text C:\Program Files\Microsoft Office 15\root\office15\ONENOTEM.EXE[2472] C:\Windows\SysWOW64\ntdll.dll!NtQueryAttributesFile 000000007706fe5c 5 bytes JMP 000000016fa0a417 .text C:\Program Files\Microsoft Office 15\root\office15\ONENOTEM.EXE[2472] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000770700b4 5 bytes JMP 000000016fa0a133 .text C:\Program Files\Microsoft Office 15\root\office15\ONENOTEM.EXE[2472] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey 00000000770701c4 5 bytes JMP 000000016f9fe1b5 .text C:\Program Files\Microsoft Office 15\root\office15\ONENOTEM.EXE[2472] C:\Windows\SysWOW64\ntdll.dll!NtCreateKeyTransacted 0000000077070754 5 bytes JMP 000000016f9ffbb4 .text C:\Program Files\Microsoft Office 15\root\office15\ONENOTEM.EXE[2472] C:\Windows\SysWOW64\ntdll.dll!NtDeleteFile 00000000770709e4 5 bytes JMP 000000016fa0a32b .text C:\Program Files\Microsoft Office 15\root\office15\ONENOTEM.EXE[2472] C:\Windows\SysWOW64\ntdll.dll!NtDeleteKey 00000000770709fc 5 bytes JMP 000000016f9fd785 .text C:\Program Files\Microsoft Office 15\root\office15\ONENOTEM.EXE[2472] C:\Windows\SysWOW64\ntdll.dll!NtDeleteValueKey 0000000077070a44 5 bytes JMP 000000016f9fe36b .text C:\Program Files\Microsoft Office 15\root\office15\ONENOTEM.EXE[2472] C:\Windows\SysWOW64\ntdll.dll!NtFlushKey 0000000077070b80 5 bytes JMP 000000016f9fd89b .text C:\Program Files\Microsoft Office 15\root\office15\ONENOTEM.EXE[2472] C:\Windows\SysWOW64\ntdll.dll!NtNotifyChangeKey 0000000077070f70 5 bytes JMP 000000016f9fe7f8 .text C:\Program Files\Microsoft Office 15\root\office15\ONENOTEM.EXE[2472] C:\Windows\SysWOW64\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077070f88 5 bytes JMP 000000016f9fe994 .text C:\Program Files\Microsoft Office 15\root\office15\ONENOTEM.EXE[2472] C:\Windows\SysWOW64\ntdll.dll!NtOpenKeyEx 0000000077071018 5 bytes JMP 000000016f9ff95f .text C:\Program Files\Microsoft Office 15\root\office15\ONENOTEM.EXE[2472] C:\Windows\SysWOW64\ntdll.dll!NtOpenKeyTransacted 0000000077071030 5 bytes JMP 000000016f9ffa82 .text C:\Program Files\Microsoft Office 15\root\office15\ONENOTEM.EXE[2472] C:\Windows\SysWOW64\ntdll.dll!NtOpenKeyTransactedEx 0000000077071048 5 bytes JMP 000000016f9ff9ef .text C:\Program Files\Microsoft Office 15\root\office15\ONENOTEM.EXE[2472] C:\Windows\SysWOW64\ntdll.dll!NtQueryFullAttributesFile 000000007707133c 5 bytes JMP 000000016fa0a500 .text C:\Program Files\Microsoft Office 15\root\office15\ONENOTEM.EXE[2472] C:\Windows\SysWOW64\ntdll.dll!NtQueryMultipleValueKey 000000007707147c 5 bytes JMP 000000016f9fe66b .text C:\Program Files\Microsoft Office 15\root\office15\ONENOTEM.EXE[2472] C:\Windows\SysWOW64\ntdll.dll!NtQuerySecurityObject 0000000077071528 5 bytes JMP 000000016f9feb58 .text C:\Program Files\Microsoft Office 15\root\office15\ONENOTEM.EXE[2472] C:\Windows\SysWOW64\ntdll.dll!NtRenameKey 0000000077071718 5 bytes JMP 000000016f9fe4e3 .text C:\Program Files\Microsoft Office 15\root\office15\ONENOTEM.EXE[2472] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationKey 0000000077071a58 5 bytes JMP 000000016f9fdd12 .text C:\Program Files\Microsoft Office 15\root\office15\ONENOTEM.EXE[2472] C:\Windows\SysWOW64\ntdll.dll!NtSetSecurityObject 0000000077071b9c 5 bytes JMP 000000016f9fecda .text C:\Program Files\Microsoft Office 15\root\office15\ONENOTEM.EXE[2472] C:\Windows\syswow64\kernel32.dll!CreateProcessW 00000000760a103d 5 bytes JMP 000000016f9e35da .text C:\Program Files\Microsoft Office 15\root\office15\ONENOTEM.EXE[2472] C:\Windows\syswow64\kernel32.dll!CreateProcessA 00000000760a1072 5 bytes JMP 000000016f9e3a3e .text C:\Program Files\Microsoft Office 15\root\office15\ONENOTEM.EXE[2472] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000760ca2fd 1 byte [62] .text C:\Program Files\Microsoft Office 15\root\office15\ONENOTEM.EXE[2472] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 00000000760cc9b5 5 bytes JMP 000000016f9e36f4 .text C:\Program Files\Microsoft Office 15\root\office15\ONENOTEM.EXE[2472] C:\Windows\syswow64\kernel32.dll!WinExec 0000000076122ff1 5 bytes JMP 000000016f9e3938 .text C:\Program Files\Microsoft Office 15\root\office15\ONENOTEM.EXE[2472] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000076862642 5 bytes JMP 000000016f9e3c4b .text C:\Program Files\Microsoft Office 15\root\office15\ONENOTEM.EXE[2472] C:\Windows\syswow64\ole32.dll!CoResumeClassObjects + 7 00000000765bea09 7 bytes JMP 000000016fa1e7f9 .text C:\Program Files\Microsoft Office 15\root\office15\ONENOTEM.EXE[2472] C:\Windows\syswow64\ole32.dll!OleRun 00000000765c07de 5 bytes JMP 000000016fa1e338 .text C:\Program Files\Microsoft Office 15\root\office15\ONENOTEM.EXE[2472] C:\Windows\syswow64\ole32.dll!CoRegisterClassObject 00000000765c21e1 5 bytes JMP 000000016fa21c0c .text C:\Program Files\Microsoft Office 15\root\office15\ONENOTEM.EXE[2472] C:\Windows\syswow64\ole32.dll!OleUninitialize 00000000765ceba1 6 bytes JMP 000000016fa1e2af .text C:\Program Files\Microsoft Office 15\root\office15\ONENOTEM.EXE[2472] C:\Windows\syswow64\ole32.dll!OleInitialize 00000000765cefd7 5 bytes JMP 000000016fa1e267 .text C:\Program Files\Microsoft Office 15\root\office15\ONENOTEM.EXE[2472] C:\Windows\syswow64\ole32.dll!CoGetClassObject 00000000765e54ad 5 bytes JMP 000000016fa20282 .text C:\Program Files\Microsoft Office 15\root\office15\ONENOTEM.EXE[2472] C:\Windows\syswow64\ole32.dll!CoInitializeEx 00000000765f09ad 5 bytes JMP 000000016fa1e207 .text C:\Program Files\Microsoft Office 15\root\office15\ONENOTEM.EXE[2472] C:\Windows\syswow64\ole32.dll!CoUninitialize 00000000765f86d3 5 bytes JMP 000000016fa20c96 .text C:\Program Files\Microsoft Office 15\root\office15\ONENOTEM.EXE[2472] C:\Windows\syswow64\ole32.dll!CoCreateInstance 00000000765f9d0b 5 bytes JMP 000000016fa219b3 .text C:\Program Files\Microsoft Office 15\root\office15\ONENOTEM.EXE[2472] C:\Windows\syswow64\ole32.dll!CoCreateInstanceEx 00000000765f9d4e 5 bytes JMP 000000016fa1f891 .text C:\Program Files\Microsoft Office 15\root\office15\ONENOTEM.EXE[2472] C:\Windows\syswow64\ole32.dll!CoSuspendClassObjects + 7 000000007661bb09 7 bytes JMP 000000016fa1e380 .text C:\Program Files\Microsoft Office 15\root\office15\ONENOTEM.EXE[2472] C:\Windows\syswow64\ole32.dll!CoRevokeClassObject 000000007663eacf 5 bytes JMP 000000016fa1ff46 .text C:\Program Files\Microsoft Office 15\root\office15\ONENOTEM.EXE[2472] C:\Windows\syswow64\ole32.dll!CoGetInstanceFromFile 000000007667340b 5 bytes JMP 000000016fa20d96 .text C:\Program Files\Microsoft Office 15\root\office15\ONENOTEM.EXE[2472] C:\Windows\syswow64\ole32.dll!OleRegEnumFormatEtc 00000000766bcfd9 5 bytes JMP 000000016fa1e2f0 .text C:\Program Files\Microsoft Office 15\root\office15\ONENOTEM.EXE[2472] C:\Windows\syswow64\OLEAUT32.dll!RegisterActiveObject 0000000074e1279e 1 byte JMP 000000016fa208a2 .text C:\Program Files\Microsoft Office 15\root\office15\ONENOTEM.EXE[2472] C:\Windows\syswow64\OLEAUT32.dll!RegisterActiveObject + 2 0000000074e127a0 3 bytes {JMP RAX} .text C:\Program Files\Microsoft Office 15\root\office15\ONENOTEM.EXE[2472] C:\Windows\syswow64\OLEAUT32.dll!RevokeActiveObject 0000000074e13294 5 bytes JMP 000000016fa1e1bf .text C:\Program Files\Microsoft Office 15\root\office15\ONENOTEM.EXE[2472] C:\Windows\syswow64\OLEAUT32.dll!GetActiveObject 0000000074e28f40 5 bytes JMP 000000016fa20a36 .text C:\Program Files (x86)\ASUS\AXSP\1.01.01\atkexComSvc.exe[2588] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000760ca2fd 1 byte [62] .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2596] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000760ca2fd 1 byte [62] .text C:\Program Files (x86)\Genius\Maurus\mousehid.exe[2688] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000760ca2fd 1 byte [62] .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[2740] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000760ca2fd 1 byte [62] .text C:\Program Files (x86)\BlueStacks\HD-Agent.exe[2760] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 00000000760ca2fd 1 byte [62] .text C:\Program Files (x86)\BlueStacks\HD-Agent.exe[2760] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000074e71465 2 bytes [E7, 74] .text C:\Program Files (x86)\BlueStacks\HD-Agent.exe[2760] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000074e714bb 2 bytes [E7, 74] .text ... * 2 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2776] C:\Windows\syswow64\kernel32.dll!SetUnhandledExceptionFilter 00000000760a8791 8 bytes [31, C0, C2, 04, 00, 90, 90, ...] .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2776] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000760ca2fd 1 byte [62] .text C:\Program Files (x86)\BlueStacks\HD-LogRotatorService.exe[2328] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 00000000760ca2fd 1 byte [62] .text C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe[2424] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076daef8d 1 byte [62] .text C:\xampp\filezillaftp\filezillaserver.exe[3156] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000760ca2fd 1 byte [62] .text C:\xampp\apache\bin\httpd.exe[3248] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000760ca2fd 1 byte [62] .text C:\Program Files\Microsoft LifeCam\MSCamS64.exe[3288] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076ec1360 5 bytes JMP 0000000100070460 .text C:\Program Files\Microsoft LifeCam\MSCamS64.exe[3288] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076ec13b0 5 bytes JMP 0000000100070450 .text C:\Program Files\Microsoft LifeCam\MSCamS64.exe[3288] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076ec1510 5 bytes JMP 0000000100070370 .text C:\Program Files\Microsoft LifeCam\MSCamS64.exe[3288] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076ec1560 5 bytes JMP 0000000100070470 .text C:\Program Files\Microsoft LifeCam\MSCamS64.exe[3288] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076ec1570 5 bytes JMP 00000001000703e0 .text C:\Program Files\Microsoft LifeCam\MSCamS64.exe[3288] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076ec1620 5 bytes JMP 0000000100070320 .text C:\Program Files\Microsoft LifeCam\MSCamS64.exe[3288] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076ec1650 5 bytes JMP 00000001000703b0 .text C:\Program Files\Microsoft LifeCam\MSCamS64.exe[3288] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076ec1670 5 bytes JMP 0000000100070390 .text C:\Program Files\Microsoft LifeCam\MSCamS64.exe[3288] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076ec16b0 5 bytes JMP 00000001000702e0 .text C:\Program Files\Microsoft LifeCam\MSCamS64.exe[3288] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076ec1730 5 bytes JMP 00000001000702d0 .text C:\Program Files\Microsoft LifeCam\MSCamS64.exe[3288] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076ec1750 5 bytes JMP 0000000100070310 .text C:\Program Files\Microsoft LifeCam\MSCamS64.exe[3288] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076ec1790 5 bytes JMP 00000001000703c0 .text C:\Program Files\Microsoft LifeCam\MSCamS64.exe[3288] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076ec17e0 5 bytes JMP 00000001000703f0 .text C:\Program Files\Microsoft LifeCam\MSCamS64.exe[3288] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076ec1940 5 bytes JMP 0000000100070230 .text C:\Program Files\Microsoft LifeCam\MSCamS64.exe[3288] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076ec1b00 5 bytes JMP 0000000100070480 .text C:\Program Files\Microsoft LifeCam\MSCamS64.exe[3288] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076ec1b30 5 bytes JMP 00000001000703a0 .text C:\Program Files\Microsoft LifeCam\MSCamS64.exe[3288] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076ec1c10 5 bytes JMP 00000001000702f0 .text C:\Program Files\Microsoft LifeCam\MSCamS64.exe[3288] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076ec1c20 5 bytes JMP 0000000100070350 .text C:\Program Files\Microsoft LifeCam\MSCamS64.exe[3288] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076ec1c80 5 bytes JMP 0000000100070290 .text C:\Program Files\Microsoft LifeCam\MSCamS64.exe[3288] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076ec1d10 5 bytes JMP 00000001000702b0 .text C:\Program Files\Microsoft LifeCam\MSCamS64.exe[3288] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076ec1d30 5 bytes JMP 00000001000703d0 .text C:\Program Files\Microsoft LifeCam\MSCamS64.exe[3288] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076ec1d40 5 bytes JMP 0000000100070330 .text C:\Program Files\Microsoft LifeCam\MSCamS64.exe[3288] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076ec1db0 5 bytes JMP 0000000100070410 .text C:\Program Files\Microsoft LifeCam\MSCamS64.exe[3288] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076ec1de0 5 bytes JMP 0000000100070240 .text C:\Program Files\Microsoft LifeCam\MSCamS64.exe[3288] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076ec20a0 5 bytes JMP 00000001000701e0 .text C:\Program Files\Microsoft LifeCam\MSCamS64.exe[3288] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076ec2160 5 bytes JMP 0000000100070250 .text C:\Program Files\Microsoft LifeCam\MSCamS64.exe[3288] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076ec2190 5 bytes JMP 0000000100070490 .text C:\Program Files\Microsoft LifeCam\MSCamS64.exe[3288] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076ec21a0 5 bytes JMP 00000001000704a0 .text C:\Program Files\Microsoft LifeCam\MSCamS64.exe[3288] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076ec21d0 5 bytes JMP 0000000100070300 .text C:\Program Files\Microsoft LifeCam\MSCamS64.exe[3288] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076ec21e0 5 bytes JMP 0000000100070360 .text C:\Program Files\Microsoft LifeCam\MSCamS64.exe[3288] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076ec2240 5 bytes JMP 00000001000702a0 .text C:\Program Files\Microsoft LifeCam\MSCamS64.exe[3288] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076ec2290 5 bytes JMP 00000001000702c0 .text C:\Program Files\Microsoft LifeCam\MSCamS64.exe[3288] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076ec22c0 5 bytes JMP 0000000100070380 .text C:\Program Files\Microsoft LifeCam\MSCamS64.exe[3288] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076ec22d0 5 bytes JMP 0000000100070340 .text C:\Program Files\Microsoft LifeCam\MSCamS64.exe[3288] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076ec25c0 5 bytes JMP 0000000100070440 .text C:\Program Files\Microsoft LifeCam\MSCamS64.exe[3288] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076ec27c0 5 bytes JMP 0000000100070260 .text C:\Program Files\Microsoft LifeCam\MSCamS64.exe[3288] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076ec27d0 5 bytes JMP 0000000100070270 .text C:\Program Files\Microsoft LifeCam\MSCamS64.exe[3288] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076ec27e0 5 bytes JMP 0000000100070400 .text C:\Program Files\Microsoft LifeCam\MSCamS64.exe[3288] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076ec29a0 5 bytes JMP 00000001000701f0 .text C:\Program Files\Microsoft LifeCam\MSCamS64.exe[3288] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076ec29b0 5 bytes JMP 0000000100070210 .text C:\Program Files\Microsoft LifeCam\MSCamS64.exe[3288] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076ec2a20 5 bytes JMP 0000000100070200 .text C:\Program Files\Microsoft LifeCam\MSCamS64.exe[3288] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076ec2a80 5 bytes JMP 0000000100070420 .text C:\Program Files\Microsoft LifeCam\MSCamS64.exe[3288] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076ec2a90 5 bytes JMP 0000000100070430 .text C:\Program Files\Microsoft LifeCam\MSCamS64.exe[3288] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076ec2aa0 5 bytes JMP 0000000100070220 .text C:\Program Files\Microsoft LifeCam\MSCamS64.exe[3288] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076ec2b80 5 bytes JMP 0000000100070280 .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[3440] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000760ca2fd 1 byte [62] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3504] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076daef8d 1 byte [62] .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3520] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076ec1360 5 bytes JMP 0000000077020460 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3520] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076ec13b0 5 bytes JMP 0000000077020450 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3520] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076ec1510 5 bytes JMP 0000000077020370 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3520] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076ec1560 5 bytes JMP 0000000077020470 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3520] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076ec1570 5 bytes JMP 00000000770203e0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3520] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076ec1620 5 bytes JMP 0000000077020320 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3520] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076ec1650 5 bytes JMP 00000000770203b0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3520] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076ec1670 5 bytes JMP 0000000077020390 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3520] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076ec16b0 5 bytes JMP 00000000770202e0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3520] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076ec1730 5 bytes JMP 00000000770202d0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3520] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076ec1750 5 bytes JMP 0000000077020310 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3520] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076ec1790 5 bytes JMP 00000000770203c0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3520] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076ec17e0 5 bytes JMP 00000000770203f0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3520] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076ec1940 5 bytes JMP 0000000077020230 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3520] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076ec1b00 5 bytes JMP 0000000077020480 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3520] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076ec1b30 5 bytes JMP 00000000770203a0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3520] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076ec1c10 5 bytes JMP 00000000770202f0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3520] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076ec1c20 5 bytes JMP 0000000077020350 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3520] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076ec1c80 5 bytes JMP 0000000077020290 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3520] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076ec1d10 5 bytes JMP 00000000770202b0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3520] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076ec1d30 5 bytes JMP 00000000770203d0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3520] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076ec1d40 5 bytes JMP 0000000077020330 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3520] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076ec1db0 5 bytes JMP 0000000077020410 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3520] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076ec1de0 5 bytes JMP 0000000077020240 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3520] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076ec20a0 5 bytes JMP 00000000770201e0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3520] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076ec2160 5 bytes JMP 0000000077020250 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3520] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076ec2190 5 bytes JMP 0000000077020490 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3520] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076ec21a0 5 bytes JMP 00000000770204a0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3520] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076ec21d0 5 bytes JMP 0000000077020300 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3520] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076ec21e0 5 bytes JMP 0000000077020360 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3520] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076ec2240 5 bytes JMP 00000000770202a0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3520] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076ec2290 5 bytes JMP 00000000770202c0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3520] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076ec22c0 5 bytes JMP 0000000077020380 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3520] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076ec22d0 5 bytes JMP 0000000077020340 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3520] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076ec25c0 5 bytes JMP 0000000077020440 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3520] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076ec27c0 5 bytes JMP 0000000077020260 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3520] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076ec27d0 5 bytes JMP 0000000077020270 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3520] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076ec27e0 5 bytes JMP 0000000077020400 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3520] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076ec29a0 5 bytes JMP 00000000770201f0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3520] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076ec29b0 5 bytes JMP 0000000077020210 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3520] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076ec2a20 5 bytes JMP 0000000077020200 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3520] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076ec2a80 5 bytes JMP 0000000077020420 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3520] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076ec2a90 5 bytes JMP 0000000077020430 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3520] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076ec2aa0 5 bytes JMP 0000000077020220 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3520] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076ec2b80 5 bytes JMP 0000000077020280 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3520] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076daef8d 1 byte [62] .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[4216] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076ec1360 5 bytes JMP 0000000077020460 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[4216] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076ec13b0 5 bytes JMP 0000000077020450 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[4216] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076ec1510 5 bytes JMP 0000000077020370 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[4216] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076ec1560 5 bytes JMP 0000000077020470 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[4216] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076ec1570 5 bytes JMP 00000000770203e0 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[4216] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076ec1620 5 bytes JMP 0000000077020320 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[4216] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076ec1650 5 bytes JMP 00000000770203b0 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[4216] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076ec1670 5 bytes JMP 0000000077020390 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[4216] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076ec16b0 5 bytes JMP 00000000770202e0 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[4216] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076ec1730 5 bytes JMP 00000000770202d0 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[4216] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076ec1750 5 bytes JMP 0000000077020310 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[4216] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076ec1790 5 bytes JMP 00000000770203c0 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[4216] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076ec17e0 5 bytes JMP 00000000770203f0 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[4216] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076ec1940 5 bytes JMP 0000000077020230 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[4216] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076ec1b00 5 bytes JMP 0000000077020480 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[4216] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076ec1b30 5 bytes JMP 00000000770203a0 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[4216] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076ec1c10 5 bytes JMP 00000000770202f0 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[4216] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076ec1c20 5 bytes JMP 0000000077020350 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[4216] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076ec1c80 5 bytes JMP 0000000077020290 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[4216] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076ec1d10 5 bytes JMP 00000000770202b0 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[4216] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076ec1d30 5 bytes JMP 00000000770203d0 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[4216] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076ec1d40 5 bytes JMP 0000000077020330 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[4216] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076ec1db0 5 bytes JMP 0000000077020410 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[4216] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076ec1de0 5 bytes JMP 0000000077020240 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[4216] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076ec20a0 5 bytes JMP 00000000770201e0 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[4216] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076ec2160 5 bytes JMP 0000000077020250 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[4216] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076ec2190 5 bytes JMP 0000000077020490 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[4216] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076ec21a0 5 bytes JMP 00000000770204a0 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[4216] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076ec21d0 5 bytes JMP 0000000077020300 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[4216] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076ec21e0 5 bytes JMP 0000000077020360 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[4216] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076ec2240 5 bytes JMP 00000000770202a0 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[4216] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076ec2290 5 bytes JMP 00000000770202c0 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[4216] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076ec22c0 5 bytes JMP 0000000077020380 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[4216] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076ec22d0 5 bytes JMP 0000000077020340 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[4216] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076ec25c0 5 bytes JMP 0000000077020440 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[4216] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076ec27c0 5 bytes JMP 0000000077020260 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[4216] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076ec27d0 5 bytes JMP 0000000077020270 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[4216] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076ec27e0 5 bytes JMP 0000000077020400 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[4216] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076ec29a0 5 bytes JMP 00000000770201f0 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[4216] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076ec29b0 5 bytes JMP 0000000077020210 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[4216] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076ec2a20 5 bytes JMP 0000000077020200 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[4216] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076ec2a80 5 bytes JMP 0000000077020420 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[4216] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076ec2a90 5 bytes JMP 0000000077020430 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[4216] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076ec2aa0 5 bytes JMP 0000000077020220 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[4216] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076ec2b80 5 bytes JMP 0000000077020280 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4364] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076ec1360 5 bytes JMP 0000000077020460 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4364] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076ec13b0 5 bytes JMP 0000000077020450 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4364] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076ec1510 5 bytes JMP 0000000077020370 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4364] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076ec1560 5 bytes JMP 0000000077020470 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4364] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076ec1570 5 bytes JMP 00000000770203e0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4364] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076ec1620 5 bytes JMP 0000000077020320 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4364] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076ec1650 5 bytes JMP 00000000770203b0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4364] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076ec1670 5 bytes JMP 0000000077020390 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4364] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076ec16b0 5 bytes JMP 00000000770202e0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4364] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076ec1730 5 bytes JMP 00000000770202d0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4364] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076ec1750 5 bytes JMP 0000000077020310 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4364] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076ec1790 5 bytes JMP 00000000770203c0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4364] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076ec17e0 5 bytes JMP 00000000770203f0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4364] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076ec1940 5 bytes JMP 0000000077020230 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4364] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076ec1b00 5 bytes JMP 0000000077020480 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4364] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076ec1b30 5 bytes JMP 00000000770203a0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4364] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076ec1c10 5 bytes JMP 00000000770202f0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4364] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076ec1c20 5 bytes JMP 0000000077020350 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4364] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076ec1c80 5 bytes JMP 0000000077020290 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4364] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076ec1d10 5 bytes JMP 00000000770202b0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4364] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076ec1d30 5 bytes JMP 00000000770203d0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4364] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076ec1d40 5 bytes JMP 0000000077020330 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4364] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076ec1db0 5 bytes JMP 0000000077020410 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4364] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076ec1de0 5 bytes JMP 0000000077020240 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4364] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076ec20a0 5 bytes JMP 00000000770201e0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4364] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076ec2160 5 bytes JMP 0000000077020250 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4364] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076ec2190 5 bytes JMP 0000000077020490 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4364] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076ec21a0 5 bytes JMP 00000000770204a0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4364] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076ec21d0 5 bytes JMP 0000000077020300 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4364] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076ec21e0 5 bytes JMP 0000000077020360 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4364] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076ec2240 5 bytes JMP 00000000770202a0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4364] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076ec2290 5 bytes JMP 00000000770202c0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4364] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076ec22c0 5 bytes JMP 0000000077020380 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4364] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076ec22d0 5 bytes JMP 0000000077020340 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4364] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076ec25c0 5 bytes JMP 0000000077020440 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4364] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076ec27c0 5 bytes JMP 0000000077020260 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4364] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076ec27d0 5 bytes JMP 0000000077020270 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4364] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076ec27e0 5 bytes JMP 0000000077020400 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4364] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076ec29a0 5 bytes JMP 00000000770201f0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4364] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076ec29b0 5 bytes JMP 0000000077020210 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4364] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076ec2a20 5 bytes JMP 0000000077020200 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4364] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076ec2a80 5 bytes JMP 0000000077020420 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4364] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076ec2a90 5 bytes JMP 0000000077020430 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4364] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076ec2aa0 5 bytes JMP 0000000077020220 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4364] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076ec2b80 5 bytes JMP 0000000077020280 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[4636] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076ec1360 5 bytes JMP 0000000077020460 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[4636] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076ec13b0 5 bytes JMP 0000000077020450 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[4636] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076ec1510 5 bytes JMP 0000000077020370 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[4636] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076ec1560 5 bytes JMP 0000000077020470 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[4636] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076ec1570 5 bytes JMP 00000000770203e0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[4636] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076ec1620 5 bytes JMP 0000000077020320 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[4636] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076ec1650 5 bytes JMP 00000000770203b0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[4636] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076ec1670 5 bytes JMP 0000000077020390 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[4636] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076ec16b0 5 bytes JMP 00000000770202e0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[4636] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076ec1730 5 bytes JMP 00000000770202d0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[4636] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076ec1750 5 bytes JMP 0000000077020310 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[4636] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076ec1790 5 bytes JMP 00000000770203c0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[4636] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076ec17e0 5 bytes JMP 00000000770203f0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[4636] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076ec1940 5 bytes JMP 0000000077020230 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[4636] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076ec1b00 5 bytes JMP 0000000077020480 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[4636] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076ec1b30 5 bytes JMP 00000000770203a0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[4636] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076ec1c10 5 bytes JMP 00000000770202f0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[4636] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076ec1c20 5 bytes JMP 0000000077020350 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[4636] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076ec1c80 5 bytes JMP 0000000077020290 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[4636] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076ec1d10 5 bytes JMP 00000000770202b0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[4636] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076ec1d30 5 bytes JMP 00000000770203d0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[4636] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076ec1d40 5 bytes JMP 0000000077020330 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[4636] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076ec1db0 5 bytes JMP 0000000077020410 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[4636] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076ec1de0 5 bytes JMP 0000000077020240 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[4636] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076ec20a0 5 bytes JMP 00000000770201e0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[4636] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076ec2160 5 bytes JMP 0000000077020250 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[4636] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076ec2190 5 bytes JMP 0000000077020490 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[4636] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076ec21a0 5 bytes JMP 00000000770204a0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[4636] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076ec21d0 5 bytes JMP 0000000077020300 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[4636] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076ec21e0 5 bytes JMP 0000000077020360 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[4636] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076ec2240 5 bytes JMP 00000000770202a0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[4636] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076ec2290 5 bytes JMP 00000000770202c0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[4636] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076ec22c0 5 bytes JMP 0000000077020380 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[4636] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076ec22d0 5 bytes JMP 0000000077020340 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[4636] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076ec25c0 5 bytes JMP 0000000077020440 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[4636] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076ec27c0 5 bytes JMP 0000000077020260 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[4636] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076ec27d0 5 bytes JMP 0000000077020270 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[4636] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076ec27e0 5 bytes JMP 0000000077020400 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[4636] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076ec29a0 5 bytes JMP 00000000770201f0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[4636] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076ec29b0 5 bytes JMP 0000000077020210 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[4636] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076ec2a20 5 bytes JMP 0000000077020200 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[4636] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076ec2a80 5 bytes JMP 0000000077020420 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[4636] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076ec2a90 5 bytes JMP 0000000077020430 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[4636] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076ec2aa0 5 bytes JMP 0000000077020220 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[4636] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076ec2b80 5 bytes JMP 0000000077020280 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[4636] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076daef8d 1 byte [62] .text C:\Windows\system32\conhost.exe[4644] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076ec1360 5 bytes JMP 0000000077020460 .text C:\Windows\system32\conhost.exe[4644] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076ec13b0 5 bytes JMP 0000000077020450 .text C:\Windows\system32\conhost.exe[4644] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076ec1510 5 bytes JMP 0000000077020370 .text C:\Windows\system32\conhost.exe[4644] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076ec1560 5 bytes JMP 0000000077020470 .text C:\Windows\system32\conhost.exe[4644] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076ec1570 5 bytes JMP 00000000770203e0 .text C:\Windows\system32\conhost.exe[4644] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076ec1620 5 bytes JMP 0000000077020320 .text C:\Windows\system32\conhost.exe[4644] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076ec1650 5 bytes JMP 00000000770203b0 .text C:\Windows\system32\conhost.exe[4644] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076ec1670 5 bytes JMP 0000000077020390 .text C:\Windows\system32\conhost.exe[4644] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076ec16b0 5 bytes JMP 00000000770202e0 .text C:\Windows\system32\conhost.exe[4644] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076ec1730 5 bytes JMP 00000000770202d0 .text C:\Windows\system32\conhost.exe[4644] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076ec1750 5 bytes JMP 0000000077020310 .text C:\Windows\system32\conhost.exe[4644] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076ec1790 5 bytes JMP 00000000770203c0 .text C:\Windows\system32\conhost.exe[4644] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076ec17e0 5 bytes JMP 00000000770203f0 .text C:\Windows\system32\conhost.exe[4644] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076ec1940 5 bytes JMP 0000000077020230 .text C:\Windows\system32\conhost.exe[4644] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076ec1b00 5 bytes JMP 0000000077020480 .text C:\Windows\system32\conhost.exe[4644] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076ec1b30 5 bytes JMP 00000000770203a0 .text C:\Windows\system32\conhost.exe[4644] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076ec1c10 5 bytes JMP 00000000770202f0 .text C:\Windows\system32\conhost.exe[4644] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076ec1c20 5 bytes JMP 0000000077020350 .text C:\Windows\system32\conhost.exe[4644] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076ec1c80 5 bytes JMP 0000000077020290 .text C:\Windows\system32\conhost.exe[4644] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076ec1d10 5 bytes JMP 00000000770202b0 .text C:\Windows\system32\conhost.exe[4644] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076ec1d30 5 bytes JMP 00000000770203d0 .text C:\Windows\system32\conhost.exe[4644] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076ec1d40 5 bytes JMP 0000000077020330 .text C:\Windows\system32\conhost.exe[4644] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076ec1db0 5 bytes JMP 0000000077020410 .text C:\Windows\system32\conhost.exe[4644] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076ec1de0 5 bytes JMP 0000000077020240 .text C:\Windows\system32\conhost.exe[4644] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076ec20a0 5 bytes JMP 00000000770201e0 .text C:\Windows\system32\conhost.exe[4644] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076ec2160 5 bytes JMP 0000000077020250 .text C:\Windows\system32\conhost.exe[4644] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076ec2190 5 bytes JMP 0000000077020490 .text C:\Windows\system32\conhost.exe[4644] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076ec21a0 5 bytes JMP 00000000770204a0 .text C:\Windows\system32\conhost.exe[4644] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076ec21d0 5 bytes JMP 0000000077020300 .text C:\Windows\system32\conhost.exe[4644] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076ec21e0 5 bytes JMP 0000000077020360 .text C:\Windows\system32\conhost.exe[4644] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076ec2240 5 bytes JMP 00000000770202a0 .text C:\Windows\system32\conhost.exe[4644] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076ec2290 5 bytes JMP 00000000770202c0 .text C:\Windows\system32\conhost.exe[4644] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076ec22c0 5 bytes JMP 0000000077020380 .text C:\Windows\system32\conhost.exe[4644] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076ec22d0 5 bytes JMP 0000000077020340 .text C:\Windows\system32\conhost.exe[4644] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076ec25c0 5 bytes JMP 0000000077020440 .text C:\Windows\system32\conhost.exe[4644] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076ec27c0 5 bytes JMP 0000000077020260 .text C:\Windows\system32\conhost.exe[4644] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076ec27d0 5 bytes JMP 0000000077020270 .text C:\Windows\system32\conhost.exe[4644] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076ec27e0 5 bytes JMP 0000000077020400 .text C:\Windows\system32\conhost.exe[4644] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076ec29a0 5 bytes JMP 00000000770201f0 .text C:\Windows\system32\conhost.exe[4644] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076ec29b0 5 bytes JMP 0000000077020210 .text C:\Windows\system32\conhost.exe[4644] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076ec2a20 5 bytes JMP 0000000077020200 .text C:\Windows\system32\conhost.exe[4644] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076ec2a80 5 bytes JMP 0000000077020420 .text C:\Windows\system32\conhost.exe[4644] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076ec2a90 5 bytes JMP 0000000077020430 .text C:\Windows\system32\conhost.exe[4644] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076ec2aa0 5 bytes JMP 0000000077020220 .text C:\Windows\system32\conhost.exe[4644] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076ec2b80 5 bytes JMP 0000000077020280 .text C:\Windows\system32\conhost.exe[4644] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076daef8d 1 byte [62] .text C:\Program Files (x86)\Genius\Maurus\trayicon.exe[4968] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000760ca2fd 1 byte [62] .text C:\Windows\system32\svchost.exe[3660] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076ec1360 5 bytes JMP 0000000077020460 .text C:\Windows\system32\svchost.exe[3660] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076ec13b0 5 bytes JMP 0000000077020450 .text C:\Windows\system32\svchost.exe[3660] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076ec1510 5 bytes JMP 0000000077020370 .text C:\Windows\system32\svchost.exe[3660] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076ec1560 5 bytes JMP 0000000077020470 .text C:\Windows\system32\svchost.exe[3660] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076ec1570 5 bytes JMP 00000000770203e0 .text C:\Windows\system32\svchost.exe[3660] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076ec1620 5 bytes JMP 0000000077020320 .text C:\Windows\system32\svchost.exe[3660] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076ec1650 5 bytes JMP 00000000770203b0 .text C:\Windows\system32\svchost.exe[3660] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076ec1670 5 bytes JMP 0000000077020390 .text C:\Windows\system32\svchost.exe[3660] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076ec16b0 5 bytes JMP 00000000770202e0 .text C:\Windows\system32\svchost.exe[3660] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076ec1730 5 bytes JMP 00000000770202d0 .text C:\Windows\system32\svchost.exe[3660] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076ec1750 5 bytes JMP 0000000077020310 .text C:\Windows\system32\svchost.exe[3660] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076ec1790 5 bytes JMP 00000000770203c0 .text C:\Windows\system32\svchost.exe[3660] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076ec17e0 5 bytes JMP 00000000770203f0 .text C:\Windows\system32\svchost.exe[3660] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076ec1940 5 bytes JMP 0000000077020230 .text C:\Windows\system32\svchost.exe[3660] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076ec1b00 5 bytes JMP 0000000077020480 .text C:\Windows\system32\svchost.exe[3660] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076ec1b30 5 bytes JMP 00000000770203a0 .text C:\Windows\system32\svchost.exe[3660] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076ec1c10 5 bytes JMP 00000000770202f0 .text C:\Windows\system32\svchost.exe[3660] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076ec1c20 5 bytes JMP 0000000077020350 .text C:\Windows\system32\svchost.exe[3660] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076ec1c80 5 bytes JMP 0000000077020290 .text C:\Windows\system32\svchost.exe[3660] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076ec1d10 5 bytes JMP 00000000770202b0 .text C:\Windows\system32\svchost.exe[3660] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076ec1d30 5 bytes JMP 00000000770203d0 .text C:\Windows\system32\svchost.exe[3660] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076ec1d40 5 bytes JMP 0000000077020330 .text C:\Windows\system32\svchost.exe[3660] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076ec1db0 5 bytes JMP 0000000077020410 .text C:\Windows\system32\svchost.exe[3660] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076ec1de0 5 bytes JMP 0000000077020240 .text C:\Windows\system32\svchost.exe[3660] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076ec20a0 5 bytes JMP 00000000770201e0 .text C:\Windows\system32\svchost.exe[3660] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076ec2160 5 bytes JMP 0000000077020250 .text C:\Windows\system32\svchost.exe[3660] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076ec2190 5 bytes JMP 0000000077020490 .text C:\Windows\system32\svchost.exe[3660] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076ec21a0 5 bytes JMP 00000000770204a0 .text C:\Windows\system32\svchost.exe[3660] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076ec21d0 5 bytes JMP 0000000077020300 .text C:\Windows\system32\svchost.exe[3660] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076ec21e0 5 bytes JMP 0000000077020360 .text C:\Windows\system32\svchost.exe[3660] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076ec2240 5 bytes JMP 00000000770202a0 .text C:\Windows\system32\svchost.exe[3660] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076ec2290 5 bytes JMP 00000000770202c0 .text C:\Windows\system32\svchost.exe[3660] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076ec22c0 5 bytes JMP 0000000077020380 .text C:\Windows\system32\svchost.exe[3660] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076ec22d0 5 bytes JMP 0000000077020340 .text C:\Windows\system32\svchost.exe[3660] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076ec25c0 5 bytes JMP 0000000077020440 .text C:\Windows\system32\svchost.exe[3660] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076ec27c0 5 bytes JMP 0000000077020260 .text C:\Windows\system32\svchost.exe[3660] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076ec27d0 5 bytes JMP 0000000077020270 .text C:\Windows\system32\svchost.exe[3660] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076ec27e0 5 bytes JMP 0000000077020400 .text C:\Windows\system32\svchost.exe[3660] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076ec29a0 5 bytes JMP 00000000770201f0 .text C:\Windows\system32\svchost.exe[3660] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076ec29b0 5 bytes JMP 0000000077020210 .text C:\Windows\system32\svchost.exe[3660] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076ec2a20 5 bytes JMP 0000000077020200 .text C:\Windows\system32\svchost.exe[3660] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076ec2a80 5 bytes JMP 0000000077020420 .text C:\Windows\system32\svchost.exe[3660] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076ec2a90 5 bytes JMP 0000000077020430 .text C:\Windows\system32\svchost.exe[3660] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076ec2aa0 5 bytes JMP 0000000077020220 .text C:\Windows\system32\svchost.exe[3660] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076ec2b80 5 bytes JMP 0000000077020280 .text C:\Windows\system32\wbem\wmiprvse.exe[5556] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076ec1360 5 bytes JMP 0000000100070460 .text C:\Windows\system32\wbem\wmiprvse.exe[5556] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076ec13b0 5 bytes JMP 0000000100070450 .text C:\Windows\system32\wbem\wmiprvse.exe[5556] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076ec1510 5 bytes JMP 0000000100070370 .text C:\Windows\system32\wbem\wmiprvse.exe[5556] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076ec1560 5 bytes JMP 0000000100070470 .text C:\Windows\system32\wbem\wmiprvse.exe[5556] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076ec1570 5 bytes JMP 00000001000703e0 .text C:\Windows\system32\wbem\wmiprvse.exe[5556] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076ec1620 5 bytes JMP 0000000100070320 .text C:\Windows\system32\wbem\wmiprvse.exe[5556] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076ec1650 5 bytes JMP 00000001000703b0 .text C:\Windows\system32\wbem\wmiprvse.exe[5556] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076ec1670 5 bytes JMP 0000000100070390 .text C:\Windows\system32\wbem\wmiprvse.exe[5556] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076ec16b0 5 bytes JMP 00000001000702e0 .text C:\Windows\system32\wbem\wmiprvse.exe[5556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076ec1730 5 bytes JMP 00000001000702d0 .text C:\Windows\system32\wbem\wmiprvse.exe[5556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076ec1750 5 bytes JMP 0000000100070310 .text C:\Windows\system32\wbem\wmiprvse.exe[5556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076ec1790 5 bytes JMP 00000001000703c0 .text C:\Windows\system32\wbem\wmiprvse.exe[5556] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076ec17e0 5 bytes JMP 00000001000703f0 .text C:\Windows\system32\wbem\wmiprvse.exe[5556] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076ec1940 5 bytes JMP 0000000100070230 .text C:\Windows\system32\wbem\wmiprvse.exe[5556] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076ec1b00 5 bytes JMP 0000000100070480 .text C:\Windows\system32\wbem\wmiprvse.exe[5556] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076ec1b30 5 bytes JMP 00000001000703a0 .text C:\Windows\system32\wbem\wmiprvse.exe[5556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076ec1c10 5 bytes JMP 00000001000702f0 .text C:\Windows\system32\wbem\wmiprvse.exe[5556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076ec1c20 5 bytes JMP 0000000100070350 .text C:\Windows\system32\wbem\wmiprvse.exe[5556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076ec1c80 5 bytes JMP 0000000100070290 .text C:\Windows\system32\wbem\wmiprvse.exe[5556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076ec1d10 5 bytes JMP 00000001000702b0 .text C:\Windows\system32\wbem\wmiprvse.exe[5556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076ec1d30 5 bytes JMP 00000001000703d0 .text C:\Windows\system32\wbem\wmiprvse.exe[5556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076ec1d40 5 bytes JMP 0000000100070330 .text C:\Windows\system32\wbem\wmiprvse.exe[5556] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076ec1db0 5 bytes JMP 0000000100070410 .text C:\Windows\system32\wbem\wmiprvse.exe[5556] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076ec1de0 5 bytes JMP 0000000100070240 .text C:\Windows\system32\wbem\wmiprvse.exe[5556] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076ec20a0 5 bytes JMP 00000001000701e0 .text C:\Windows\system32\wbem\wmiprvse.exe[5556] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076ec2160 5 bytes JMP 0000000100070250 .text C:\Windows\system32\wbem\wmiprvse.exe[5556] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076ec2190 5 bytes JMP 0000000100070490 .text C:\Windows\system32\wbem\wmiprvse.exe[5556] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076ec21a0 5 bytes JMP 00000001000704a0 .text C:\Windows\system32\wbem\wmiprvse.exe[5556] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076ec21d0 5 bytes JMP 0000000100070300 .text C:\Windows\system32\wbem\wmiprvse.exe[5556] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076ec21e0 5 bytes JMP 0000000100070360 .text C:\Windows\system32\wbem\wmiprvse.exe[5556] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076ec2240 5 bytes JMP 00000001000702a0 .text C:\Windows\system32\wbem\wmiprvse.exe[5556] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076ec2290 5 bytes JMP 00000001000702c0 .text C:\Windows\system32\wbem\wmiprvse.exe[5556] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076ec22c0 5 bytes JMP 0000000100070380 .text C:\Windows\system32\wbem\wmiprvse.exe[5556] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076ec22d0 5 bytes JMP 0000000100070340 .text C:\Windows\system32\wbem\wmiprvse.exe[5556] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076ec25c0 5 bytes JMP 0000000100070440 .text C:\Windows\system32\wbem\wmiprvse.exe[5556] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076ec27c0 5 bytes JMP 0000000100070260 .text C:\Windows\system32\wbem\wmiprvse.exe[5556] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076ec27d0 5 bytes JMP 0000000100070270 .text C:\Windows\system32\wbem\wmiprvse.exe[5556] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076ec27e0 5 bytes JMP 0000000100070400 .text C:\Windows\system32\wbem\wmiprvse.exe[5556] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076ec29a0 5 bytes JMP 00000001000701f0 .text C:\Windows\system32\wbem\wmiprvse.exe[5556] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076ec29b0 5 bytes JMP 0000000100070210 .text C:\Windows\system32\wbem\wmiprvse.exe[5556] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076ec2a20 5 bytes JMP 0000000100070200 .text C:\Windows\system32\wbem\wmiprvse.exe[5556] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076ec2a80 5 bytes JMP 0000000100070420 .text C:\Windows\system32\wbem\wmiprvse.exe[5556] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076ec2a90 5 bytes JMP 0000000100070430 .text C:\Windows\system32\wbem\wmiprvse.exe[5556] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076ec2aa0 5 bytes JMP 0000000100070220 .text C:\Windows\system32\wbem\wmiprvse.exe[5556] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076ec2b80 5 bytes JMP 0000000100070280 .text C:\Program Files\Common Files\Microsoft Shared\Ink\InputPersonalization.exe[5008] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076ec1360 5 bytes JMP 0000000077020460 .text C:\Program Files\Common Files\Microsoft Shared\Ink\InputPersonalization.exe[5008] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076ec13b0 5 bytes JMP 0000000077020450 .text C:\Program Files\Common Files\Microsoft Shared\Ink\InputPersonalization.exe[5008] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076ec1510 5 bytes JMP 0000000077020370 .text C:\Program Files\Common Files\Microsoft Shared\Ink\InputPersonalization.exe[5008] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076ec1560 5 bytes JMP 0000000077020470 .text C:\Program Files\Common Files\Microsoft Shared\Ink\InputPersonalization.exe[5008] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076ec1570 5 bytes JMP 00000000770203e0 .text C:\Program Files\Common Files\Microsoft Shared\Ink\InputPersonalization.exe[5008] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076ec1620 5 bytes JMP 0000000077020320 .text C:\Program Files\Common Files\Microsoft Shared\Ink\InputPersonalization.exe[5008] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076ec1650 5 bytes JMP 00000000770203b0 .text C:\Program Files\Common Files\Microsoft Shared\Ink\InputPersonalization.exe[5008] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076ec1670 5 bytes JMP 0000000077020390 .text C:\Program Files\Common Files\Microsoft Shared\Ink\InputPersonalization.exe[5008] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076ec16b0 5 bytes JMP 00000000770202e0 .text C:\Program Files\Common Files\Microsoft Shared\Ink\InputPersonalization.exe[5008] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076ec1730 5 bytes JMP 00000000770202d0 .text C:\Program Files\Common Files\Microsoft Shared\Ink\InputPersonalization.exe[5008] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076ec1750 5 bytes JMP 0000000077020310 .text C:\Program Files\Common Files\Microsoft Shared\Ink\InputPersonalization.exe[5008] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076ec1790 5 bytes JMP 00000000770203c0 .text C:\Program Files\Common Files\Microsoft Shared\Ink\InputPersonalization.exe[5008] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076ec17e0 5 bytes JMP 00000000770203f0 .text C:\Program Files\Common Files\Microsoft Shared\Ink\InputPersonalization.exe[5008] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076ec1940 5 bytes JMP 0000000077020230 .text C:\Program Files\Common Files\Microsoft Shared\Ink\InputPersonalization.exe[5008] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076ec1b00 5 bytes JMP 0000000077020480 .text C:\Program Files\Common Files\Microsoft Shared\Ink\InputPersonalization.exe[5008] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076ec1b30 5 bytes JMP 00000000770203a0 .text C:\Program Files\Common Files\Microsoft Shared\Ink\InputPersonalization.exe[5008] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076ec1c10 5 bytes JMP 00000000770202f0 .text C:\Program Files\Common Files\Microsoft Shared\Ink\InputPersonalization.exe[5008] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076ec1c20 5 bytes JMP 0000000077020350 .text C:\Program Files\Common Files\Microsoft Shared\Ink\InputPersonalization.exe[5008] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076ec1c80 5 bytes JMP 0000000077020290 .text C:\Program Files\Common Files\Microsoft Shared\Ink\InputPersonalization.exe[5008] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076ec1d10 5 bytes JMP 00000000770202b0 .text C:\Program Files\Common Files\Microsoft Shared\Ink\InputPersonalization.exe[5008] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076ec1d30 5 bytes JMP 00000000770203d0 .text C:\Program Files\Common Files\Microsoft Shared\Ink\InputPersonalization.exe[5008] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076ec1d40 5 bytes JMP 0000000077020330 .text C:\Program Files\Common Files\Microsoft Shared\Ink\InputPersonalization.exe[5008] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076ec1db0 5 bytes JMP 0000000077020410 .text C:\Program Files\Common Files\Microsoft Shared\Ink\InputPersonalization.exe[5008] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076ec1de0 5 bytes JMP 0000000077020240 .text C:\Program Files\Common Files\Microsoft Shared\Ink\InputPersonalization.exe[5008] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076ec20a0 5 bytes JMP 00000000770201e0 .text C:\Program Files\Common Files\Microsoft Shared\Ink\InputPersonalization.exe[5008] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076ec2160 5 bytes JMP 0000000077020250 .text C:\Program Files\Common Files\Microsoft Shared\Ink\InputPersonalization.exe[5008] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076ec2190 5 bytes JMP 0000000077020490 .text C:\Program Files\Common Files\Microsoft Shared\Ink\InputPersonalization.exe[5008] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076ec21a0 5 bytes JMP 00000000770204a0 .text C:\Program Files\Common Files\Microsoft Shared\Ink\InputPersonalization.exe[5008] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076ec21d0 5 bytes JMP 0000000077020300 .text C:\Program Files\Common Files\Microsoft Shared\Ink\InputPersonalization.exe[5008] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076ec21e0 5 bytes JMP 0000000077020360 .text C:\Program Files\Common Files\Microsoft Shared\Ink\InputPersonalization.exe[5008] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076ec2240 5 bytes JMP 00000000770202a0 .text C:\Program Files\Common Files\Microsoft Shared\Ink\InputPersonalization.exe[5008] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076ec2290 5 bytes JMP 00000000770202c0 .text C:\Program Files\Common Files\Microsoft Shared\Ink\InputPersonalization.exe[5008] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076ec22c0 5 bytes JMP 0000000077020380 .text C:\Program Files\Common Files\Microsoft Shared\Ink\InputPersonalization.exe[5008] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076ec22d0 5 bytes JMP 0000000077020340 .text C:\Program Files\Common Files\Microsoft Shared\Ink\InputPersonalization.exe[5008] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076ec25c0 5 bytes JMP 0000000077020440 .text C:\Program Files\Common Files\Microsoft Shared\Ink\InputPersonalization.exe[5008] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076ec27c0 5 bytes JMP 0000000077020260 .text C:\Program Files\Common Files\Microsoft Shared\Ink\InputPersonalization.exe[5008] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076ec27d0 5 bytes JMP 0000000077020270 .text C:\Program Files\Common Files\Microsoft Shared\Ink\InputPersonalization.exe[5008] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076ec27e0 5 bytes JMP 0000000077020400 .text C:\Program Files\Common Files\Microsoft Shared\Ink\InputPersonalization.exe[5008] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076ec29a0 5 bytes JMP 00000000770201f0 .text C:\Program Files\Common Files\Microsoft Shared\Ink\InputPersonalization.exe[5008] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076ec29b0 5 bytes JMP 0000000077020210 .text C:\Program Files\Common Files\Microsoft Shared\Ink\InputPersonalization.exe[5008] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076ec2a20 5 bytes JMP 0000000077020200 .text C:\Program Files\Common Files\Microsoft Shared\Ink\InputPersonalization.exe[5008] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076ec2a80 5 bytes JMP 0000000077020420 .text C:\Program Files\Common Files\Microsoft Shared\Ink\InputPersonalization.exe[5008] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076ec2a90 5 bytes JMP 0000000077020430 .text C:\Program Files\Common Files\Microsoft Shared\Ink\InputPersonalization.exe[5008] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076ec2aa0 5 bytes JMP 0000000077020220 .text C:\Program Files\Common Files\Microsoft Shared\Ink\InputPersonalization.exe[5008] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076ec2b80 5 bytes JMP 0000000077020280 .text C:\Windows\system32\svchost.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076ec1360 5 bytes JMP 0000000077020460 .text C:\Windows\system32\svchost.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076ec13b0 5 bytes JMP 0000000077020450 .text C:\Windows\system32\svchost.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076ec1510 5 bytes JMP 0000000077020370 .text C:\Windows\system32\svchost.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076ec1560 5 bytes JMP 0000000077020470 .text C:\Windows\system32\svchost.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076ec1570 5 bytes JMP 00000000770203e0 .text C:\Windows\system32\svchost.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076ec1620 5 bytes JMP 0000000077020320 .text C:\Windows\system32\svchost.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076ec1650 5 bytes JMP 00000000770203b0 .text C:\Windows\system32\svchost.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076ec1670 5 bytes JMP 0000000077020390 .text C:\Windows\system32\svchost.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076ec16b0 5 bytes JMP 00000000770202e0 .text C:\Windows\system32\svchost.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076ec1730 5 bytes JMP 00000000770202d0 .text C:\Windows\system32\svchost.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076ec1750 5 bytes JMP 0000000077020310 .text C:\Windows\system32\svchost.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076ec1790 5 bytes JMP 00000000770203c0 .text C:\Windows\system32\svchost.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076ec17e0 5 bytes JMP 00000000770203f0 .text C:\Windows\system32\svchost.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076ec1940 5 bytes JMP 0000000077020230 .text C:\Windows\system32\svchost.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076ec1b00 5 bytes JMP 0000000077020480 .text C:\Windows\system32\svchost.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076ec1b30 5 bytes JMP 00000000770203a0 .text C:\Windows\system32\svchost.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076ec1c10 5 bytes JMP 00000000770202f0 .text C:\Windows\system32\svchost.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076ec1c20 5 bytes JMP 0000000077020350 .text C:\Windows\system32\svchost.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076ec1c80 5 bytes JMP 0000000077020290 .text C:\Windows\system32\svchost.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076ec1d10 5 bytes JMP 00000000770202b0 .text C:\Windows\system32\svchost.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076ec1d30 5 bytes JMP 00000000770203d0 .text C:\Windows\system32\svchost.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076ec1d40 5 bytes JMP 0000000077020330 .text C:\Windows\system32\svchost.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076ec1db0 5 bytes JMP 0000000077020410 .text C:\Windows\system32\svchost.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076ec1de0 5 bytes JMP 0000000077020240 .text C:\Windows\system32\svchost.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076ec20a0 5 bytes JMP 00000000770201e0 .text C:\Windows\system32\svchost.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076ec2160 5 bytes JMP 0000000077020250 .text C:\Windows\system32\svchost.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076ec2190 5 bytes JMP 0000000077020490 .text C:\Windows\system32\svchost.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076ec21a0 5 bytes JMP 00000000770204a0 .text C:\Windows\system32\svchost.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076ec21d0 5 bytes JMP 0000000077020300 .text C:\Windows\system32\svchost.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076ec21e0 5 bytes JMP 0000000077020360 .text C:\Windows\system32\svchost.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076ec2240 5 bytes JMP 00000000770202a0 .text C:\Windows\system32\svchost.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076ec2290 5 bytes JMP 00000000770202c0 .text C:\Windows\system32\svchost.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076ec22c0 5 bytes JMP 0000000077020380 .text C:\Windows\system32\svchost.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076ec22d0 5 bytes JMP 0000000077020340 .text C:\Windows\system32\svchost.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076ec25c0 5 bytes JMP 0000000077020440 .text C:\Windows\system32\svchost.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076ec27c0 5 bytes JMP 0000000077020260 .text C:\Windows\system32\svchost.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076ec27d0 5 bytes JMP 0000000077020270 .text C:\Windows\system32\svchost.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076ec27e0 5 bytes JMP 0000000077020400 .text C:\Windows\system32\svchost.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076ec29a0 5 bytes JMP 00000000770201f0 .text C:\Windows\system32\svchost.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076ec29b0 5 bytes JMP 0000000077020210 .text C:\Windows\system32\svchost.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076ec2a20 5 bytes JMP 0000000077020200 .text C:\Windows\system32\svchost.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076ec2a80 5 bytes JMP 0000000077020420 .text C:\Windows\system32\svchost.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076ec2a90 5 bytes JMP 0000000077020430 .text C:\Windows\system32\svchost.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076ec2aa0 5 bytes JMP 0000000077020220 .text C:\Windows\system32\svchost.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076ec2b80 5 bytes JMP 0000000077020280 .text C:\Windows\system32\SearchIndexer.exe[5076] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076ec1360 5 bytes JMP 0000000100070460 .text C:\Windows\system32\SearchIndexer.exe[5076] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076ec13b0 5 bytes JMP 0000000100070450 .text C:\Windows\system32\SearchIndexer.exe[5076] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076ec1510 5 bytes JMP 0000000100070370 .text C:\Windows\system32\SearchIndexer.exe[5076] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076ec1560 5 bytes JMP 0000000100070470 .text C:\Windows\system32\SearchIndexer.exe[5076] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076ec1570 5 bytes JMP 00000001000703e0 .text C:\Windows\system32\SearchIndexer.exe[5076] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076ec1620 5 bytes JMP 0000000100070320 .text C:\Windows\system32\SearchIndexer.exe[5076] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076ec1650 5 bytes JMP 00000001000703b0 .text C:\Windows\system32\SearchIndexer.exe[5076] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076ec1670 5 bytes JMP 0000000100070390 .text C:\Windows\system32\SearchIndexer.exe[5076] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076ec16b0 5 bytes JMP 00000001000702e0 .text C:\Windows\system32\SearchIndexer.exe[5076] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076ec1730 5 bytes JMP 00000001000702d0 .text C:\Windows\system32\SearchIndexer.exe[5076] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076ec1750 5 bytes JMP 0000000100070310 .text C:\Windows\system32\SearchIndexer.exe[5076] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076ec1790 5 bytes JMP 00000001000703c0 .text C:\Windows\system32\SearchIndexer.exe[5076] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076ec17e0 5 bytes JMP 00000001000703f0 .text C:\Windows\system32\SearchIndexer.exe[5076] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076ec1940 5 bytes JMP 0000000100070230 .text C:\Windows\system32\SearchIndexer.exe[5076] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076ec1b00 5 bytes JMP 0000000100070480 .text C:\Windows\system32\SearchIndexer.exe[5076] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076ec1b30 5 bytes JMP 00000001000703a0 .text C:\Windows\system32\SearchIndexer.exe[5076] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076ec1c10 5 bytes JMP 00000001000702f0 .text C:\Windows\system32\SearchIndexer.exe[5076] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076ec1c20 5 bytes JMP 0000000100070350 .text C:\Windows\system32\SearchIndexer.exe[5076] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076ec1c80 5 bytes JMP 0000000100070290 .text C:\Windows\system32\SearchIndexer.exe[5076] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076ec1d10 5 bytes JMP 00000001000702b0 .text C:\Windows\system32\SearchIndexer.exe[5076] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076ec1d30 5 bytes JMP 00000001000703d0 .text C:\Windows\system32\SearchIndexer.exe[5076] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076ec1d40 5 bytes JMP 0000000100070330 .text C:\Windows\system32\SearchIndexer.exe[5076] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076ec1db0 5 bytes JMP 0000000100070410 .text C:\Windows\system32\SearchIndexer.exe[5076] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076ec1de0 5 bytes JMP 0000000100070240 .text C:\Windows\system32\SearchIndexer.exe[5076] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076ec20a0 5 bytes JMP 00000001000701e0 .text C:\Windows\system32\SearchIndexer.exe[5076] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076ec2160 5 bytes JMP 0000000100070250 .text C:\Windows\system32\SearchIndexer.exe[5076] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076ec2190 5 bytes JMP 0000000100070490 .text C:\Windows\system32\SearchIndexer.exe[5076] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076ec21a0 5 bytes JMP 00000001000704a0 .text C:\Windows\system32\SearchIndexer.exe[5076] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076ec21d0 5 bytes JMP 0000000100070300 .text C:\Windows\system32\SearchIndexer.exe[5076] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076ec21e0 5 bytes JMP 0000000100070360 .text C:\Windows\system32\SearchIndexer.exe[5076] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076ec2240 5 bytes JMP 00000001000702a0 .text C:\Windows\system32\SearchIndexer.exe[5076] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076ec2290 5 bytes JMP 00000001000702c0 .text C:\Windows\system32\SearchIndexer.exe[5076] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076ec22c0 5 bytes JMP 0000000100070380 .text C:\Windows\system32\SearchIndexer.exe[5076] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076ec22d0 5 bytes JMP 0000000100070340 .text C:\Windows\system32\SearchIndexer.exe[5076] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076ec25c0 5 bytes JMP 0000000100070440 .text C:\Windows\system32\SearchIndexer.exe[5076] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076ec27c0 5 bytes JMP 0000000100070260 .text C:\Windows\system32\SearchIndexer.exe[5076] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076ec27d0 5 bytes JMP 0000000100070270 .text C:\Windows\system32\SearchIndexer.exe[5076] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076ec27e0 5 bytes JMP 0000000100070400 .text C:\Windows\system32\SearchIndexer.exe[5076] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076ec29a0 5 bytes JMP 00000001000701f0 .text C:\Windows\system32\SearchIndexer.exe[5076] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076ec29b0 5 bytes JMP 0000000100070210 .text C:\Windows\system32\SearchIndexer.exe[5076] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076ec2a20 5 bytes JMP 0000000100070200 .text C:\Windows\system32\SearchIndexer.exe[5076] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076ec2a80 5 bytes JMP 0000000100070420 .text C:\Windows\system32\SearchIndexer.exe[5076] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076ec2a90 5 bytes JMP 0000000100070430 .text C:\Windows\system32\SearchIndexer.exe[5076] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076ec2aa0 5 bytes JMP 0000000100070220 .text C:\Windows\system32\SearchIndexer.exe[5076] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076ec2b80 5 bytes JMP 0000000100070280 .text C:\Windows\system32\SearchIndexer.exe[5076] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076daef8d 1 byte [62] .text C:\Users\user\Downloads\cttz9q5r.exe[4560] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000760ca2fd 1 byte [62] ---- Threads - GMER 2.1 ---- Thread C:\Windows\Explorer.EXE [1948:1936] 00000000707d1b80 Thread C:\Windows\Explorer.EXE [1948:2684] 000007fef4062154 Thread C:\Windows\Explorer.EXE [1948:2860] 000007fefb566204 Thread C:\Windows\Explorer.EXE [1948:5940] 000007feef823824 Thread C:\Windows\Explorer.EXE [1948:2284] 000007feeeec2118 Thread C:\Windows\Explorer.EXE [1948:6332] 000007feefb1a3f8 Thread C:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe [3308:3448] 000000006a5e3810 Thread C:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe [3308:3460] 000000006a5e3810 Thread C:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe [3308:3464] 000000006a5e3810 Thread C:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe [3308:3468] 000000006a5e3810 Thread C:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe [3308:3472] 000000006a5e3810 Thread C:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe [3308:3480] 000000006a5e3810 Thread C:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe [3308:3484] 000000006a5e3810 Thread C:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe [3308:3512] 000000006a5e3810 Thread C:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe [3308:3516] 000000006a5e3810 Thread C:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe [3308:3532] 000000006a5e3810 Thread C:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe [3308:3536] 000000006a5e3810 Thread C:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe [3308:3540] 000000006a5e3810 Thread C:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe [3308:3544] 000000006a5e3810 Thread C:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe [3308:3548] 000000006a5e3810 Thread C:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe [3308:3552] 000000006a5e3810 Thread C:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe [3308:4100] 000000006a5e3810 Thread C:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe [3308:4104] 000000006a5e3810 Thread C:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe [3308:4132] 000000006a5e3810 Thread C:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe [3308:4156] 000000006a5e3810 Thread C:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe [3308:4160] 000000006a5e3810 Thread C:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe [3308:4184] 000000006a5e3810 Thread C:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe [3308:4480] 000000006a5e3810 Thread C:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe [3308:4484] 000000006a5e3810 Thread C:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe [3308:4524] 000000006a5e3810 Thread C:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe [3308:4528] 000000006a5e3810 Thread C:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe [3308:4536] 000000006a5e3810 Thread C:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe [3308:4540] 000000006a5e3810 Thread C:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe [3308:4544] 000000006a5e3810 Thread C:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe [3308:4548] 000000006a5e3810 Thread C:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe [3308:4772] 000000006a5e3810 Thread C:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe [3308:4792] 000000006a5e3810 Thread C:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe [3308:4920] 000000006a5e3810 Thread C:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe [3308:4952] 000000006a5e3810 Thread C:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe [3308:3416] 000000006a5e3810 Thread C:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe [3308:4512] 000000006a5e3810 Thread C:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe [3308:4452] 000000006a5e3810 Thread C:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe [3308:4448] 000000006a5e3810 Thread C:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe [3308:4328] 000000006a5e3810 Thread C:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe [3308:4336] 000000006a5e3810 Thread C:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe [3308:4348] 000000006a5e3810 Thread C:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe [3308:4280] 000000006a5e3810 Thread C:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe [3308:4180] 000000006a5e3810 Thread C:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe [3308:6052] 000000006a5e3810 ---- EOF - GMER 2.1 ----