GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2014-10-11 14:56:25 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 WDC_WD10EZRX-00A8LB0 rev.01.01A01 931,51GB Running: gmer.exe; Driver: C:\Users\Toradora\AppData\Local\Temp\uwldrpow.sys ---- User code sections - GMER 2.1 ---- .text C:\Windows\system32\csrss.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076f713c0 5 bytes JMP 000000014a0b0460 .text C:\Windows\system32\csrss.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076f71410 5 bytes JMP 000000014a0b0450 .text C:\Windows\system32\csrss.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076f71570 5 bytes JMP 000000014a0b0370 .text C:\Windows\system32\csrss.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076f715c0 5 bytes JMP 000000014a0b0470 .text C:\Windows\system32\csrss.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076f715d0 5 bytes JMP 000000014a0b03e0 .text C:\Windows\system32\csrss.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076f71680 5 bytes JMP 000000014a0b0320 .text C:\Windows\system32\csrss.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076f716b0 5 bytes JMP 000000014a0b03b0 .text C:\Windows\system32\csrss.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076f716d0 5 bytes JMP 000000014a0b0390 .text C:\Windows\system32\csrss.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076f71710 5 bytes JMP 000000014a0b02e0 .text C:\Windows\system32\csrss.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076f71790 5 bytes JMP 000000014a0b02d0 .text C:\Windows\system32\csrss.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076f717b0 5 bytes JMP 000000014a0b0310 .text C:\Windows\system32\csrss.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076f717f0 5 bytes JMP 000000014a0b03c0 .text C:\Windows\system32\csrss.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076f71840 5 bytes JMP 000000014a0b03f0 .text C:\Windows\system32\csrss.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076f719a0 1 byte JMP 000000014a0b0230 .text C:\Windows\system32\csrss.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076f719a2 3 bytes {JMP 0xffffffffd313e890} .text C:\Windows\system32\csrss.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076f71b60 5 bytes JMP 000000014a0b0480 .text C:\Windows\system32\csrss.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076f71b90 5 bytes JMP 000000014a0b03a0 .text C:\Windows\system32\csrss.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076f71c70 5 bytes JMP 000000014a0b02f0 .text C:\Windows\system32\csrss.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076f71c80 5 bytes JMP 000000014a0b0350 .text C:\Windows\system32\csrss.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076f71ce0 5 bytes JMP 000000014a0b0290 .text C:\Windows\system32\csrss.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076f71d70 5 bytes JMP 000000014a0b02b0 .text C:\Windows\system32\csrss.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076f71d90 5 bytes JMP 000000014a0b03d0 .text C:\Windows\system32\csrss.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076f71da0 1 byte JMP 000000014a0b0330 .text C:\Windows\system32\csrss.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076f71da2 3 bytes {JMP 0xffffffffd313e590} .text C:\Windows\system32\csrss.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076f71e10 5 bytes JMP 000000014a0b0410 .text C:\Windows\system32\csrss.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076f71e40 5 bytes JMP 000000014a0b0240 .text C:\Windows\system32\csrss.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076f72100 5 bytes JMP 000000014a0b01e0 .text C:\Windows\system32\csrss.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076f721c0 1 byte JMP 000000014a0b0250 .text C:\Windows\system32\csrss.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076f721c2 3 bytes {JMP 0xffffffffd313e090} .text C:\Windows\system32\csrss.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076f721f0 5 bytes JMP 000000014a0b0490 .text C:\Windows\system32\csrss.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076f72200 5 bytes JMP 000000014a0b04a0 .text C:\Windows\system32\csrss.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076f72230 5 bytes JMP 000000014a0b0300 .text C:\Windows\system32\csrss.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076f72240 5 bytes JMP 000000014a0b0360 .text C:\Windows\system32\csrss.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076f722a0 5 bytes JMP 000000014a0b02a0 .text C:\Windows\system32\csrss.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076f722f0 5 bytes JMP 000000014a0b02c0 .text C:\Windows\system32\csrss.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076f72320 5 bytes JMP 000000014a0b0380 .text C:\Windows\system32\csrss.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076f72330 5 bytes JMP 000000014a0b0340 .text C:\Windows\system32\csrss.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076f72620 5 bytes JMP 000000014a0b0440 .text C:\Windows\system32\csrss.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076f72820 5 bytes JMP 000000014a0b0260 .text C:\Windows\system32\csrss.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076f72830 5 bytes JMP 000000014a0b0270 .text C:\Windows\system32\csrss.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076f72840 5 bytes JMP 000000014a0b0400 .text C:\Windows\system32\csrss.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076f72a00 5 bytes JMP 000000014a0b01f0 .text C:\Windows\system32\csrss.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076f72a10 5 bytes JMP 000000014a0b0210 .text C:\Windows\system32\csrss.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076f72a80 5 bytes JMP 000000014a0b0200 .text C:\Windows\system32\csrss.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076f72ae0 5 bytes JMP 000000014a0b0420 .text C:\Windows\system32\csrss.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076f72af0 5 bytes JMP 000000014a0b0430 .text C:\Windows\system32\csrss.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076f72b00 5 bytes JMP 000000014a0b0220 .text C:\Windows\system32\csrss.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076f72be0 5 bytes JMP 000000014a0b0280 .text C:\Windows\system32\wininit.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076f713c0 5 bytes JMP 00000000770d0460 .text C:\Windows\system32\wininit.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076f71410 5 bytes JMP 00000000770d0450 .text C:\Windows\system32\wininit.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076f71570 5 bytes JMP 00000000770d0370 .text C:\Windows\system32\wininit.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076f715c0 5 bytes JMP 00000000770d0470 .text C:\Windows\system32\wininit.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076f715d0 5 bytes JMP 00000000770d03e0 .text C:\Windows\system32\wininit.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076f71680 5 bytes JMP 00000000770d0320 .text C:\Windows\system32\wininit.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076f716b0 5 bytes JMP 00000000770d03b0 .text C:\Windows\system32\wininit.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076f716d0 5 bytes JMP 00000000770d0390 .text C:\Windows\system32\wininit.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076f71710 5 bytes JMP 00000000770d02e0 .text C:\Windows\system32\wininit.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076f71790 5 bytes JMP 00000000770d02d0 .text C:\Windows\system32\wininit.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076f717b0 5 bytes JMP 00000000770d0310 .text C:\Windows\system32\wininit.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076f717f0 5 bytes JMP 00000000770d03c0 .text C:\Windows\system32\wininit.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076f71840 5 bytes JMP 00000000770d03f0 .text C:\Windows\system32\wininit.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076f719a0 1 byte JMP 00000000770d0230 .text C:\Windows\system32\wininit.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076f719a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\wininit.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076f71b60 5 bytes JMP 00000000770d0480 .text C:\Windows\system32\wininit.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076f71b90 5 bytes JMP 00000000770d03a0 .text C:\Windows\system32\wininit.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076f71c70 5 bytes JMP 00000000770d02f0 .text C:\Windows\system32\wininit.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076f71c80 5 bytes JMP 00000000770d0350 .text C:\Windows\system32\wininit.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076f71ce0 5 bytes JMP 00000000770d0290 .text C:\Windows\system32\wininit.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076f71d70 5 bytes JMP 00000000770d02b0 .text C:\Windows\system32\wininit.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076f71d90 5 bytes JMP 00000000770d03d0 .text C:\Windows\system32\wininit.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076f71da0 1 byte JMP 00000000770d0330 .text C:\Windows\system32\wininit.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076f71da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\wininit.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076f71e10 5 bytes JMP 00000000770d0410 .text C:\Windows\system32\wininit.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076f71e40 5 bytes JMP 00000000770d0240 .text C:\Windows\system32\wininit.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076f72100 5 bytes JMP 00000000770d01e0 .text C:\Windows\system32\wininit.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076f721c0 1 byte JMP 00000000770d0250 .text C:\Windows\system32\wininit.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076f721c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\wininit.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076f721f0 5 bytes JMP 00000000770d0490 .text C:\Windows\system32\wininit.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076f72200 5 bytes JMP 00000000770d04a0 .text C:\Windows\system32\wininit.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076f72230 5 bytes JMP 00000000770d0300 .text C:\Windows\system32\wininit.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076f72240 5 bytes JMP 00000000770d0360 .text C:\Windows\system32\wininit.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076f722a0 5 bytes JMP 00000000770d02a0 .text C:\Windows\system32\wininit.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076f722f0 5 bytes JMP 00000000770d02c0 .text C:\Windows\system32\wininit.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076f72320 5 bytes JMP 00000000770d0380 .text C:\Windows\system32\wininit.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076f72330 5 bytes JMP 00000000770d0340 .text C:\Windows\system32\wininit.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076f72620 5 bytes JMP 00000000770d0440 .text C:\Windows\system32\wininit.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076f72820 5 bytes JMP 00000000770d0260 .text C:\Windows\system32\wininit.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076f72830 5 bytes JMP 00000000770d0270 .text C:\Windows\system32\wininit.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076f72840 5 bytes JMP 00000000770d0400 .text C:\Windows\system32\wininit.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076f72a00 5 bytes JMP 00000000770d01f0 .text C:\Windows\system32\wininit.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076f72a10 5 bytes JMP 00000000770d0210 .text C:\Windows\system32\wininit.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076f72a80 5 bytes JMP 00000000770d0200 .text C:\Windows\system32\wininit.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076f72ae0 5 bytes JMP 00000000770d0420 .text C:\Windows\system32\wininit.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076f72af0 5 bytes JMP 00000000770d0430 .text C:\Windows\system32\wininit.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076f72b00 5 bytes JMP 00000000770d0220 .text C:\Windows\system32\wininit.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076f72be0 5 bytes JMP 00000000770d0280 .text C:\Windows\system32\wininit.exe[572] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076d5eecd 1 byte [62] .text C:\Windows\system32\csrss.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076f713c0 5 bytes JMP 000000014a0b0460 .text C:\Windows\system32\csrss.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076f71410 5 bytes JMP 000000014a0b0450 .text C:\Windows\system32\csrss.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076f71570 5 bytes JMP 000000014a0b0370 .text C:\Windows\system32\csrss.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076f715c0 5 bytes JMP 000000014a0b0470 .text C:\Windows\system32\csrss.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076f715d0 5 bytes JMP 000000014a0b03e0 .text C:\Windows\system32\csrss.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076f71680 5 bytes JMP 000000014a0b0320 .text C:\Windows\system32\csrss.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076f716b0 5 bytes JMP 000000014a0b03b0 .text C:\Windows\system32\csrss.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076f716d0 5 bytes JMP 000000014a0b0390 .text C:\Windows\system32\csrss.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076f71710 5 bytes JMP 000000014a0b02e0 .text C:\Windows\system32\csrss.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076f71790 5 bytes JMP 000000014a0b02d0 .text C:\Windows\system32\csrss.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076f717b0 5 bytes JMP 000000014a0b0310 .text C:\Windows\system32\csrss.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076f717f0 5 bytes JMP 000000014a0b03c0 .text C:\Windows\system32\csrss.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076f71840 5 bytes JMP 000000014a0b03f0 .text C:\Windows\system32\csrss.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076f719a0 1 byte JMP 000000014a0b0230 .text C:\Windows\system32\csrss.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076f719a2 3 bytes {JMP 0xffffffffd313e890} .text C:\Windows\system32\csrss.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076f71b60 5 bytes JMP 000000014a0b0480 .text C:\Windows\system32\csrss.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076f71b90 5 bytes JMP 000000014a0b03a0 .text C:\Windows\system32\csrss.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076f71c70 5 bytes JMP 000000014a0b02f0 .text C:\Windows\system32\csrss.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076f71c80 5 bytes JMP 000000014a0b0350 .text C:\Windows\system32\csrss.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076f71ce0 5 bytes JMP 000000014a0b0290 .text C:\Windows\system32\csrss.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076f71d70 5 bytes JMP 000000014a0b02b0 .text C:\Windows\system32\csrss.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076f71d90 5 bytes JMP 000000014a0b03d0 .text C:\Windows\system32\csrss.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076f71da0 1 byte JMP 000000014a0b0330 .text C:\Windows\system32\csrss.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076f71da2 3 bytes {JMP 0xffffffffd313e590} .text C:\Windows\system32\csrss.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076f71e10 5 bytes JMP 000000014a0b0410 .text C:\Windows\system32\csrss.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076f71e40 5 bytes JMP 000000014a0b0240 .text C:\Windows\system32\csrss.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076f72100 5 bytes JMP 000000014a0b01e0 .text C:\Windows\system32\csrss.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076f721c0 1 byte JMP 000000014a0b0250 .text C:\Windows\system32\csrss.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076f721c2 3 bytes {JMP 0xffffffffd313e090} .text C:\Windows\system32\csrss.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076f721f0 5 bytes JMP 000000014a0b0490 .text C:\Windows\system32\csrss.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076f72200 5 bytes JMP 000000014a0b04a0 .text C:\Windows\system32\csrss.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076f72230 5 bytes JMP 000000014a0b0300 .text C:\Windows\system32\csrss.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076f72240 5 bytes JMP 000000014a0b0360 .text C:\Windows\system32\csrss.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076f722a0 5 bytes JMP 000000014a0b02a0 .text C:\Windows\system32\csrss.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076f722f0 5 bytes JMP 000000014a0b02c0 .text C:\Windows\system32\csrss.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076f72320 5 bytes JMP 000000014a0b0380 .text C:\Windows\system32\csrss.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076f72330 5 bytes JMP 000000014a0b0340 .text C:\Windows\system32\csrss.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076f72620 5 bytes JMP 000000014a0b0440 .text C:\Windows\system32\csrss.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076f72820 5 bytes JMP 000000014a0b0260 .text C:\Windows\system32\csrss.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076f72830 5 bytes JMP 000000014a0b0270 .text C:\Windows\system32\csrss.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076f72840 5 bytes JMP 000000014a0b0400 .text C:\Windows\system32\csrss.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076f72a00 5 bytes JMP 000000014a0b01f0 .text C:\Windows\system32\csrss.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076f72a10 5 bytes JMP 000000014a0b0210 .text C:\Windows\system32\csrss.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076f72a80 5 bytes JMP 000000014a0b0200 .text C:\Windows\system32\csrss.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076f72ae0 5 bytes JMP 000000014a0b0420 .text C:\Windows\system32\csrss.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076f72af0 5 bytes JMP 000000014a0b0430 .text C:\Windows\system32\csrss.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076f72b00 5 bytes JMP 000000014a0b0220 .text C:\Windows\system32\csrss.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076f72be0 5 bytes JMP 000000014a0b0280 .text C:\Windows\system32\services.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076f713c0 5 bytes JMP 00000000770d0460 .text C:\Windows\system32\services.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076f71410 5 bytes JMP 00000000770d0450 .text C:\Windows\system32\services.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076f71570 5 bytes JMP 00000000770d0370 .text C:\Windows\system32\services.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076f715c0 5 bytes JMP 00000000770d0470 .text C:\Windows\system32\services.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076f715d0 5 bytes JMP 00000000770d03e0 .text C:\Windows\system32\services.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076f71680 5 bytes JMP 00000000770d0320 .text C:\Windows\system32\services.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076f716b0 5 bytes JMP 00000000770d03b0 .text C:\Windows\system32\services.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076f716d0 5 bytes JMP 00000000770d0390 .text C:\Windows\system32\services.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076f71710 5 bytes JMP 00000000770d02e0 .text C:\Windows\system32\services.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076f71790 5 bytes JMP 00000000770d02d0 .text C:\Windows\system32\services.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076f717b0 5 bytes JMP 00000000770d0310 .text C:\Windows\system32\services.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076f717f0 5 bytes JMP 00000000770d03c0 .text C:\Windows\system32\services.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076f71840 5 bytes JMP 00000000770d03f0 .text C:\Windows\system32\services.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076f719a0 1 byte JMP 00000000770d0230 .text C:\Windows\system32\services.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076f719a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\services.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076f71b60 5 bytes JMP 00000000770d0480 .text C:\Windows\system32\services.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076f71b90 5 bytes JMP 00000000770d03a0 .text C:\Windows\system32\services.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076f71c70 5 bytes JMP 00000000770d02f0 .text C:\Windows\system32\services.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076f71c80 5 bytes JMP 00000000770d0350 .text C:\Windows\system32\services.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076f71ce0 5 bytes JMP 00000000770d0290 .text C:\Windows\system32\services.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076f71d70 5 bytes JMP 00000000770d02b0 .text C:\Windows\system32\services.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076f71d90 5 bytes JMP 00000000770d03d0 .text C:\Windows\system32\services.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076f71da0 1 byte JMP 00000000770d0330 .text C:\Windows\system32\services.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076f71da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\services.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076f71e10 5 bytes JMP 00000000770d0410 .text C:\Windows\system32\services.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076f71e40 5 bytes JMP 00000000770d0240 .text C:\Windows\system32\services.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076f72100 5 bytes JMP 00000000770d01e0 .text C:\Windows\system32\services.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076f721c0 1 byte JMP 00000000770d0250 .text C:\Windows\system32\services.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076f721c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\services.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076f721f0 5 bytes JMP 00000000770d0490 .text C:\Windows\system32\services.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076f72200 5 bytes JMP 00000000770d04a0 .text C:\Windows\system32\services.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076f72230 5 bytes JMP 00000000770d0300 .text C:\Windows\system32\services.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076f72240 5 bytes JMP 00000000770d0360 .text C:\Windows\system32\services.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076f722a0 5 bytes JMP 00000000770d02a0 .text C:\Windows\system32\services.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076f722f0 5 bytes JMP 00000000770d02c0 .text C:\Windows\system32\services.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076f72320 5 bytes JMP 00000000770d0380 .text C:\Windows\system32\services.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076f72330 5 bytes JMP 00000000770d0340 .text C:\Windows\system32\services.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076f72620 5 bytes JMP 00000000770d0440 .text C:\Windows\system32\services.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076f72820 5 bytes JMP 00000000770d0260 .text C:\Windows\system32\services.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076f72830 5 bytes JMP 00000000770d0270 .text C:\Windows\system32\services.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076f72840 5 bytes JMP 00000000770d0400 .text C:\Windows\system32\services.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076f72a00 5 bytes JMP 00000000770d01f0 .text C:\Windows\system32\services.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076f72a10 5 bytes JMP 00000000770d0210 .text C:\Windows\system32\services.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076f72a80 5 bytes JMP 00000000770d0200 .text C:\Windows\system32\services.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076f72ae0 5 bytes JMP 00000000770d0420 .text C:\Windows\system32\services.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076f72af0 5 bytes JMP 00000000770d0430 .text C:\Windows\system32\services.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076f72b00 5 bytes JMP 00000000770d0220 .text C:\Windows\system32\services.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076f72be0 5 bytes JMP 00000000770d0280 .text C:\Windows\system32\services.exe[636] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076d5eecd 1 byte [62] .text C:\Windows\system32\winlogon.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076f713c0 5 bytes JMP 00000000770d0460 .text C:\Windows\system32\winlogon.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076f71410 5 bytes JMP 00000000770d0450 .text C:\Windows\system32\winlogon.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076f71570 5 bytes JMP 00000000770d0370 .text C:\Windows\system32\winlogon.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076f715c0 5 bytes JMP 00000000770d0470 .text C:\Windows\system32\winlogon.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076f715d0 5 bytes JMP 00000000770d03e0 .text C:\Windows\system32\winlogon.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076f71680 5 bytes JMP 00000000770d0320 .text C:\Windows\system32\winlogon.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076f716b0 5 bytes JMP 00000000770d03b0 .text C:\Windows\system32\winlogon.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076f716d0 5 bytes JMP 00000000770d0390 .text C:\Windows\system32\winlogon.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076f71710 5 bytes JMP 00000000770d02e0 .text C:\Windows\system32\winlogon.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076f71790 5 bytes JMP 00000000770d02d0 .text C:\Windows\system32\winlogon.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076f717b0 5 bytes JMP 00000000770d0310 .text C:\Windows\system32\winlogon.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076f717f0 5 bytes JMP 00000000770d03c0 .text C:\Windows\system32\winlogon.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076f71840 5 bytes JMP 00000000770d03f0 .text C:\Windows\system32\winlogon.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076f719a0 1 byte JMP 00000000770d0230 .text C:\Windows\system32\winlogon.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076f719a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\winlogon.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076f71b60 5 bytes JMP 00000000770d0480 .text C:\Windows\system32\winlogon.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076f71b90 5 bytes JMP 00000000770d03a0 .text C:\Windows\system32\winlogon.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076f71c70 5 bytes JMP 00000000770d02f0 .text C:\Windows\system32\winlogon.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076f71c80 5 bytes JMP 00000000770d0350 .text C:\Windows\system32\winlogon.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076f71ce0 5 bytes JMP 00000000770d0290 .text C:\Windows\system32\winlogon.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076f71d70 5 bytes JMP 00000000770d02b0 .text C:\Windows\system32\winlogon.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076f71d90 5 bytes JMP 00000000770d03d0 .text C:\Windows\system32\winlogon.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076f71da0 1 byte JMP 00000000770d0330 .text C:\Windows\system32\winlogon.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076f71da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\winlogon.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076f71e10 5 bytes JMP 00000000770d0410 .text C:\Windows\system32\winlogon.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076f71e40 5 bytes JMP 00000000770d0240 .text C:\Windows\system32\winlogon.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076f72100 5 bytes JMP 00000000770d01e0 .text C:\Windows\system32\winlogon.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076f721c0 1 byte JMP 00000000770d0250 .text C:\Windows\system32\winlogon.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076f721c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\winlogon.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076f721f0 5 bytes JMP 00000000770d0490 .text C:\Windows\system32\winlogon.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076f72200 5 bytes JMP 00000000770d04a0 .text C:\Windows\system32\winlogon.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076f72230 5 bytes JMP 00000000770d0300 .text C:\Windows\system32\winlogon.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076f72240 5 bytes JMP 00000000770d0360 .text C:\Windows\system32\winlogon.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076f722a0 5 bytes JMP 00000000770d02a0 .text C:\Windows\system32\winlogon.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076f722f0 5 bytes JMP 00000000770d02c0 .text C:\Windows\system32\winlogon.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076f72320 5 bytes JMP 00000000770d0380 .text C:\Windows\system32\winlogon.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076f72330 5 bytes JMP 00000000770d0340 .text C:\Windows\system32\winlogon.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076f72620 5 bytes JMP 00000000770d0440 .text C:\Windows\system32\winlogon.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076f72820 5 bytes JMP 00000000770d0260 .text C:\Windows\system32\winlogon.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076f72830 5 bytes JMP 00000000770d0270 .text C:\Windows\system32\winlogon.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076f72840 5 bytes JMP 00000000770d0400 .text C:\Windows\system32\winlogon.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076f72a00 5 bytes JMP 00000000770d01f0 .text C:\Windows\system32\winlogon.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076f72a10 5 bytes JMP 00000000770d0210 .text C:\Windows\system32\winlogon.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076f72a80 5 bytes JMP 00000000770d0200 .text C:\Windows\system32\winlogon.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076f72ae0 5 bytes JMP 00000000770d0420 .text C:\Windows\system32\winlogon.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076f72af0 5 bytes JMP 00000000770d0430 .text C:\Windows\system32\winlogon.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076f72b00 5 bytes JMP 00000000770d0220 .text C:\Windows\system32\winlogon.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076f72be0 5 bytes JMP 00000000770d0280 .text C:\Windows\system32\winlogon.exe[668] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076d5eecd 1 byte [62] .text C:\Windows\system32\lsass.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076f713c0 5 bytes JMP 00000000770d0460 .text C:\Windows\system32\lsass.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076f71410 5 bytes JMP 00000000770d0450 .text C:\Windows\system32\lsass.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076f71570 5 bytes JMP 00000000770d0370 .text C:\Windows\system32\lsass.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076f715c0 5 bytes JMP 00000000770d0470 .text C:\Windows\system32\lsass.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076f715d0 5 bytes JMP 00000000770d03e0 .text C:\Windows\system32\lsass.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076f71680 5 bytes JMP 00000000770d0320 .text C:\Windows\system32\lsass.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076f716b0 5 bytes JMP 00000000770d03b0 .text C:\Windows\system32\lsass.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076f716d0 5 bytes JMP 00000000770d0390 .text C:\Windows\system32\lsass.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076f71710 5 bytes JMP 00000000770d02e0 .text C:\Windows\system32\lsass.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076f71790 5 bytes JMP 00000000770d02d0 .text C:\Windows\system32\lsass.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076f717b0 5 bytes JMP 00000000770d0310 .text C:\Windows\system32\lsass.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076f717f0 5 bytes JMP 00000000770d03c0 .text C:\Windows\system32\lsass.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076f71840 5 bytes JMP 00000000770d03f0 .text C:\Windows\system32\lsass.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076f719a0 1 byte JMP 00000000770d0230 .text C:\Windows\system32\lsass.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076f719a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\lsass.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076f71b60 5 bytes JMP 00000000770d0480 .text C:\Windows\system32\lsass.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076f71b90 5 bytes JMP 00000000770d03a0 .text C:\Windows\system32\lsass.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076f71c70 5 bytes JMP 00000000770d02f0 .text C:\Windows\system32\lsass.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076f71c80 5 bytes JMP 00000000770d0350 .text C:\Windows\system32\lsass.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076f71ce0 5 bytes JMP 00000000770d0290 .text C:\Windows\system32\lsass.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076f71d70 5 bytes JMP 00000000770d02b0 .text C:\Windows\system32\lsass.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076f71d90 5 bytes JMP 00000000770d03d0 .text C:\Windows\system32\lsass.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076f71da0 1 byte JMP 00000000770d0330 .text C:\Windows\system32\lsass.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076f71da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\lsass.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076f71e10 5 bytes JMP 00000000770d0410 .text C:\Windows\system32\lsass.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076f71e40 5 bytes JMP 00000000770d0240 .text C:\Windows\system32\lsass.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076f72100 5 bytes JMP 00000000770d01e0 .text C:\Windows\system32\lsass.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076f721c0 1 byte JMP 00000000770d0250 .text C:\Windows\system32\lsass.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076f721c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\lsass.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076f721f0 5 bytes JMP 00000000770d0490 .text C:\Windows\system32\lsass.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076f72200 5 bytes JMP 00000000770d04a0 .text C:\Windows\system32\lsass.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076f72230 5 bytes JMP 00000000770d0300 .text C:\Windows\system32\lsass.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076f72240 5 bytes JMP 00000000770d0360 .text C:\Windows\system32\lsass.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076f722a0 5 bytes JMP 00000000770d02a0 .text C:\Windows\system32\lsass.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076f722f0 5 bytes JMP 00000000770d02c0 .text C:\Windows\system32\lsass.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076f72320 5 bytes JMP 00000000770d0380 .text C:\Windows\system32\lsass.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076f72330 5 bytes JMP 00000000770d0340 .text C:\Windows\system32\lsass.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076f72620 5 bytes JMP 00000000770d0440 .text C:\Windows\system32\lsass.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076f72820 5 bytes JMP 00000000770d0260 .text C:\Windows\system32\lsass.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076f72830 5 bytes JMP 00000000770d0270 .text C:\Windows\system32\lsass.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076f72840 5 bytes JMP 00000000770d0400 .text C:\Windows\system32\lsass.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076f72a00 5 bytes JMP 00000000770d01f0 .text C:\Windows\system32\lsass.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076f72a10 5 bytes JMP 00000000770d0210 .text C:\Windows\system32\lsass.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076f72a80 5 bytes JMP 00000000770d0200 .text C:\Windows\system32\lsass.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076f72ae0 5 bytes JMP 00000000770d0420 .text C:\Windows\system32\lsass.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076f72af0 5 bytes JMP 00000000770d0430 .text C:\Windows\system32\lsass.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076f72b00 5 bytes JMP 00000000770d0220 .text C:\Windows\system32\lsass.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076f72be0 5 bytes JMP 00000000770d0280 .text C:\Windows\system32\lsm.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076f713c0 5 bytes JMP 00000000770d0460 .text C:\Windows\system32\lsm.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076f71410 5 bytes JMP 00000000770d0450 .text C:\Windows\system32\lsm.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076f71570 5 bytes JMP 00000000770d0370 .text C:\Windows\system32\lsm.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076f715c0 5 bytes JMP 00000000770d0470 .text C:\Windows\system32\lsm.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076f715d0 5 bytes JMP 00000000770d03e0 .text C:\Windows\system32\lsm.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076f71680 5 bytes JMP 00000000770d0320 .text C:\Windows\system32\lsm.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076f716b0 5 bytes JMP 00000000770d03b0 .text C:\Windows\system32\lsm.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076f716d0 5 bytes JMP 00000000770d0390 .text C:\Windows\system32\lsm.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076f71710 5 bytes JMP 00000000770d02e0 .text C:\Windows\system32\lsm.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076f71790 5 bytes JMP 00000000770d02d0 .text C:\Windows\system32\lsm.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076f717b0 5 bytes JMP 00000000770d0310 .text C:\Windows\system32\lsm.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076f717f0 5 bytes JMP 00000000770d03c0 .text C:\Windows\system32\lsm.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076f71840 5 bytes JMP 00000000770d03f0 .text C:\Windows\system32\lsm.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076f719a0 1 byte JMP 00000000770d0230 .text C:\Windows\system32\lsm.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076f719a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\lsm.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076f71b60 5 bytes JMP 00000000770d0480 .text C:\Windows\system32\lsm.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076f71b90 5 bytes JMP 00000000770d03a0 .text C:\Windows\system32\lsm.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076f71c70 5 bytes JMP 00000000770d02f0 .text C:\Windows\system32\lsm.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076f71c80 5 bytes JMP 00000000770d0350 .text C:\Windows\system32\lsm.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076f71ce0 5 bytes JMP 00000000770d0290 .text C:\Windows\system32\lsm.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076f71d70 5 bytes JMP 00000000770d02b0 .text C:\Windows\system32\lsm.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076f71d90 5 bytes JMP 00000000770d03d0 .text C:\Windows\system32\lsm.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076f71da0 1 byte JMP 00000000770d0330 .text C:\Windows\system32\lsm.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076f71da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\lsm.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076f71e10 5 bytes JMP 00000000770d0410 .text C:\Windows\system32\lsm.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076f71e40 5 bytes JMP 00000000770d0240 .text C:\Windows\system32\lsm.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076f72100 5 bytes JMP 00000000770d01e0 .text C:\Windows\system32\lsm.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076f721c0 1 byte JMP 00000000770d0250 .text C:\Windows\system32\lsm.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076f721c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\lsm.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076f721f0 5 bytes JMP 00000000770d0490 .text C:\Windows\system32\lsm.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076f72200 5 bytes JMP 00000000770d04a0 .text C:\Windows\system32\lsm.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076f72230 5 bytes JMP 00000000770d0300 .text C:\Windows\system32\lsm.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076f72240 5 bytes JMP 00000000770d0360 .text C:\Windows\system32\lsm.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076f722a0 5 bytes JMP 00000000770d02a0 .text C:\Windows\system32\lsm.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076f722f0 5 bytes JMP 00000000770d02c0 .text C:\Windows\system32\lsm.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076f72320 5 bytes JMP 00000000770d0380 .text C:\Windows\system32\lsm.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076f72330 5 bytes JMP 00000000770d0340 .text C:\Windows\system32\lsm.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076f72620 5 bytes JMP 00000000770d0440 .text C:\Windows\system32\lsm.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076f72820 5 bytes JMP 00000000770d0260 .text C:\Windows\system32\lsm.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076f72830 5 bytes JMP 00000000770d0270 .text C:\Windows\system32\lsm.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076f72840 5 bytes JMP 00000000770d0400 .text C:\Windows\system32\lsm.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076f72a00 5 bytes JMP 00000000770d01f0 .text C:\Windows\system32\lsm.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076f72a10 5 bytes JMP 00000000770d0210 .text C:\Windows\system32\lsm.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076f72a80 5 bytes JMP 00000000770d0200 .text C:\Windows\system32\lsm.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076f72ae0 5 bytes JMP 00000000770d0420 .text C:\Windows\system32\lsm.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076f72af0 5 bytes JMP 00000000770d0430 .text C:\Windows\system32\lsm.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076f72b00 5 bytes JMP 00000000770d0220 .text C:\Windows\system32\lsm.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076f72be0 5 bytes JMP 00000000770d0280 .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076f713c0 5 bytes JMP 00000000770d0460 .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076f71410 5 bytes JMP 00000000770d0450 .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076f71570 5 bytes JMP 00000000770d0370 .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076f715c0 5 bytes JMP 00000000770d0470 .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076f715d0 5 bytes JMP 00000000770d03e0 .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076f71680 5 bytes JMP 00000000770d0320 .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076f716b0 5 bytes JMP 00000000770d03b0 .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076f716d0 5 bytes JMP 00000000770d0390 .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076f71710 5 bytes JMP 00000000770d02e0 .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076f71790 5 bytes JMP 00000000770d02d0 .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076f717b0 5 bytes JMP 00000000770d0310 .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076f717f0 5 bytes JMP 00000000770d03c0 .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076f71840 5 bytes JMP 00000000770d03f0 .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076f719a0 1 byte JMP 00000000770d0230 .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076f719a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076f71b60 5 bytes JMP 00000000770d0480 .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076f71b90 5 bytes JMP 00000000770d03a0 .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076f71c70 5 bytes JMP 00000000770d02f0 .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076f71c80 5 bytes JMP 00000000770d0350 .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076f71ce0 5 bytes JMP 00000000770d0290 .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076f71d70 5 bytes JMP 00000000770d02b0 .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076f71d90 5 bytes JMP 00000000770d03d0 .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076f71da0 1 byte JMP 00000000770d0330 .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076f71da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076f71e10 5 bytes JMP 00000000770d0410 .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076f71e40 5 bytes JMP 00000000770d0240 .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076f72100 5 bytes JMP 00000000770d01e0 .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076f721c0 1 byte JMP 00000000770d0250 .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076f721c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076f721f0 5 bytes JMP 00000000770d0490 .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076f72200 5 bytes JMP 00000000770d04a0 .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076f72230 5 bytes JMP 00000000770d0300 .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076f72240 5 bytes JMP 00000000770d0360 .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076f722a0 5 bytes JMP 00000000770d02a0 .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076f722f0 5 bytes JMP 00000000770d02c0 .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076f72320 5 bytes JMP 00000000770d0380 .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076f72330 5 bytes JMP 00000000770d0340 .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076f72620 5 bytes JMP 00000000770d0440 .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076f72820 5 bytes JMP 00000000770d0260 .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076f72830 5 bytes JMP 00000000770d0270 .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076f72840 5 bytes JMP 00000000770d0400 .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076f72a00 5 bytes JMP 00000000770d01f0 .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076f72a10 5 bytes JMP 00000000770d0210 .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076f72a80 5 bytes JMP 00000000770d0200 .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076f72ae0 5 bytes JMP 00000000770d0420 .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076f72af0 5 bytes JMP 00000000770d0430 .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076f72b00 5 bytes JMP 00000000770d0220 .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076f72be0 5 bytes JMP 00000000770d0280 .text C:\Windows\system32\svchost.exe[808] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076d5eecd 1 byte [62] .text C:\Windows\system32\nvvsvc.exe[896] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076f713c0 5 bytes JMP 00000000770d0460 .text C:\Windows\system32\nvvsvc.exe[896] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076f71410 5 bytes JMP 00000000770d0450 .text C:\Windows\system32\nvvsvc.exe[896] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076f71570 5 bytes JMP 00000000770d0370 .text C:\Windows\system32\nvvsvc.exe[896] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076f715c0 5 bytes JMP 00000000770d0470 .text C:\Windows\system32\nvvsvc.exe[896] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076f715d0 5 bytes JMP 00000000770d03e0 .text C:\Windows\system32\nvvsvc.exe[896] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076f71680 5 bytes JMP 00000000770d0320 .text C:\Windows\system32\nvvsvc.exe[896] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076f716b0 5 bytes JMP 00000000770d03b0 .text C:\Windows\system32\nvvsvc.exe[896] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076f716d0 5 bytes JMP 00000000770d0390 .text C:\Windows\system32\nvvsvc.exe[896] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076f71710 5 bytes JMP 00000000770d02e0 .text C:\Windows\system32\nvvsvc.exe[896] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076f71790 5 bytes JMP 00000000770d02d0 .text C:\Windows\system32\nvvsvc.exe[896] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076f717b0 5 bytes JMP 00000000770d0310 .text C:\Windows\system32\nvvsvc.exe[896] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076f717f0 5 bytes JMP 00000000770d03c0 .text C:\Windows\system32\nvvsvc.exe[896] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076f71840 5 bytes JMP 00000000770d03f0 .text C:\Windows\system32\nvvsvc.exe[896] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076f719a0 1 byte JMP 00000000770d0230 .text C:\Windows\system32\nvvsvc.exe[896] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076f719a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\nvvsvc.exe[896] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076f71b60 5 bytes JMP 00000000770d0480 .text C:\Windows\system32\nvvsvc.exe[896] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076f71b90 5 bytes JMP 00000000770d03a0 .text C:\Windows\system32\nvvsvc.exe[896] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076f71c70 5 bytes JMP 00000000770d02f0 .text C:\Windows\system32\nvvsvc.exe[896] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076f71c80 5 bytes JMP 00000000770d0350 .text C:\Windows\system32\nvvsvc.exe[896] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076f71ce0 5 bytes JMP 00000000770d0290 .text C:\Windows\system32\nvvsvc.exe[896] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076f71d70 5 bytes JMP 00000000770d02b0 .text C:\Windows\system32\nvvsvc.exe[896] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076f71d90 5 bytes JMP 00000000770d03d0 .text C:\Windows\system32\nvvsvc.exe[896] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076f71da0 1 byte JMP 00000000770d0330 .text C:\Windows\system32\nvvsvc.exe[896] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076f71da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\nvvsvc.exe[896] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076f71e10 5 bytes JMP 00000000770d0410 .text C:\Windows\system32\nvvsvc.exe[896] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076f71e40 5 bytes JMP 00000000770d0240 .text C:\Windows\system32\nvvsvc.exe[896] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076f72100 5 bytes JMP 00000000770d01e0 .text C:\Windows\system32\nvvsvc.exe[896] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076f721c0 1 byte JMP 00000000770d0250 .text C:\Windows\system32\nvvsvc.exe[896] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076f721c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\nvvsvc.exe[896] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076f721f0 5 bytes JMP 00000000770d0490 .text C:\Windows\system32\nvvsvc.exe[896] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076f72200 5 bytes JMP 00000000770d04a0 .text C:\Windows\system32\nvvsvc.exe[896] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076f72230 5 bytes JMP 00000000770d0300 .text C:\Windows\system32\nvvsvc.exe[896] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076f72240 5 bytes JMP 00000000770d0360 .text C:\Windows\system32\nvvsvc.exe[896] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076f722a0 5 bytes JMP 00000000770d02a0 .text C:\Windows\system32\nvvsvc.exe[896] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076f722f0 5 bytes JMP 00000000770d02c0 .text C:\Windows\system32\nvvsvc.exe[896] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076f72320 5 bytes JMP 00000000770d0380 .text C:\Windows\system32\nvvsvc.exe[896] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076f72330 5 bytes JMP 00000000770d0340 .text C:\Windows\system32\nvvsvc.exe[896] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076f72620 5 bytes JMP 00000000770d0440 .text C:\Windows\system32\nvvsvc.exe[896] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076f72820 5 bytes JMP 00000000770d0260 .text C:\Windows\system32\nvvsvc.exe[896] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076f72830 5 bytes JMP 00000000770d0270 .text C:\Windows\system32\nvvsvc.exe[896] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076f72840 5 bytes JMP 00000000770d0400 .text C:\Windows\system32\nvvsvc.exe[896] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076f72a00 5 bytes JMP 00000000770d01f0 .text C:\Windows\system32\nvvsvc.exe[896] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076f72a10 5 bytes JMP 00000000770d0210 .text C:\Windows\system32\nvvsvc.exe[896] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076f72a80 5 bytes JMP 00000000770d0200 .text C:\Windows\system32\nvvsvc.exe[896] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076f72ae0 5 bytes JMP 00000000770d0420 .text C:\Windows\system32\nvvsvc.exe[896] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076f72af0 5 bytes JMP 00000000770d0430 .text C:\Windows\system32\nvvsvc.exe[896] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076f72b00 5 bytes JMP 00000000770d0220 .text C:\Windows\system32\nvvsvc.exe[896] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076f72be0 5 bytes JMP 00000000770d0280 .text C:\Windows\system32\nvvsvc.exe[896] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076d5eecd 1 byte [62] .text C:\Windows\system32\svchost.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076f713c0 5 bytes JMP 00000000770d0460 .text C:\Windows\system32\svchost.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076f71410 5 bytes JMP 00000000770d0450 .text C:\Windows\system32\svchost.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076f71570 5 bytes JMP 00000000770d0370 .text C:\Windows\system32\svchost.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076f715c0 5 bytes JMP 00000000770d0470 .text C:\Windows\system32\svchost.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076f715d0 5 bytes JMP 00000000770d03e0 .text C:\Windows\system32\svchost.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076f71680 5 bytes JMP 00000000770d0320 .text C:\Windows\system32\svchost.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076f716b0 5 bytes JMP 00000000770d03b0 .text C:\Windows\system32\svchost.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076f716d0 5 bytes JMP 00000000770d0390 .text C:\Windows\system32\svchost.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076f71710 5 bytes JMP 00000000770d02e0 .text C:\Windows\system32\svchost.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076f71790 5 bytes JMP 00000000770d02d0 .text C:\Windows\system32\svchost.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076f717b0 5 bytes JMP 00000000770d0310 .text C:\Windows\system32\svchost.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076f717f0 5 bytes JMP 00000000770d03c0 .text C:\Windows\system32\svchost.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076f71840 5 bytes JMP 00000000770d03f0 .text C:\Windows\system32\svchost.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076f719a0 1 byte JMP 00000000770d0230 .text C:\Windows\system32\svchost.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076f719a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\svchost.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076f71b60 5 bytes JMP 00000000770d0480 .text C:\Windows\system32\svchost.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076f71b90 5 bytes JMP 00000000770d03a0 .text C:\Windows\system32\svchost.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076f71c70 5 bytes JMP 00000000770d02f0 .text C:\Windows\system32\svchost.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076f71c80 5 bytes JMP 00000000770d0350 .text C:\Windows\system32\svchost.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076f71ce0 5 bytes JMP 00000000770d0290 .text C:\Windows\system32\svchost.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076f71d70 5 bytes JMP 00000000770d02b0 .text C:\Windows\system32\svchost.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076f71d90 5 bytes JMP 00000000770d03d0 .text C:\Windows\system32\svchost.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076f71da0 1 byte JMP 00000000770d0330 .text C:\Windows\system32\svchost.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076f71da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\svchost.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076f71e10 5 bytes JMP 00000000770d0410 .text C:\Windows\system32\svchost.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076f71e40 5 bytes JMP 00000000770d0240 .text C:\Windows\system32\svchost.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076f72100 5 bytes JMP 00000000770d01e0 .text C:\Windows\system32\svchost.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076f721c0 1 byte JMP 00000000770d0250 .text C:\Windows\system32\svchost.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076f721c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\svchost.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076f721f0 5 bytes JMP 00000000770d0490 .text C:\Windows\system32\svchost.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076f72200 5 bytes JMP 00000000770d04a0 .text C:\Windows\system32\svchost.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076f72230 5 bytes JMP 00000000770d0300 .text C:\Windows\system32\svchost.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076f72240 5 bytes JMP 00000000770d0360 .text C:\Windows\system32\svchost.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076f722a0 5 bytes JMP 00000000770d02a0 .text C:\Windows\system32\svchost.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076f722f0 5 bytes JMP 00000000770d02c0 .text C:\Windows\system32\svchost.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076f72320 5 bytes JMP 00000000770d0380 .text C:\Windows\system32\svchost.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076f72330 5 bytes JMP 00000000770d0340 .text C:\Windows\system32\svchost.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076f72620 5 bytes JMP 00000000770d0440 .text C:\Windows\system32\svchost.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076f72820 5 bytes JMP 00000000770d0260 .text C:\Windows\system32\svchost.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076f72830 5 bytes JMP 00000000770d0270 .text C:\Windows\system32\svchost.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076f72840 5 bytes JMP 00000000770d0400 .text C:\Windows\system32\svchost.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076f72a00 5 bytes JMP 00000000770d01f0 .text C:\Windows\system32\svchost.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076f72a10 5 bytes JMP 00000000770d0210 .text C:\Windows\system32\svchost.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076f72a80 5 bytes JMP 00000000770d0200 .text C:\Windows\system32\svchost.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076f72ae0 5 bytes JMP 00000000770d0420 .text C:\Windows\system32\svchost.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076f72af0 5 bytes JMP 00000000770d0430 .text C:\Windows\system32\svchost.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076f72b00 5 bytes JMP 00000000770d0220 .text C:\Windows\system32\svchost.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076f72be0 5 bytes JMP 00000000770d0280 .text C:\Windows\System32\svchost.exe[116] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076f713c0 5 bytes JMP 0000000100070460 .text C:\Windows\System32\svchost.exe[116] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076f71410 5 bytes JMP 0000000100070450 .text C:\Windows\System32\svchost.exe[116] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076f71570 5 bytes JMP 0000000100070370 .text C:\Windows\System32\svchost.exe[116] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076f715c0 5 bytes JMP 0000000100070470 .text C:\Windows\System32\svchost.exe[116] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076f715d0 5 bytes JMP 00000001000703e0 .text C:\Windows\System32\svchost.exe[116] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076f71680 5 bytes JMP 0000000100070320 .text C:\Windows\System32\svchost.exe[116] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076f716b0 5 bytes JMP 00000001000703b0 .text C:\Windows\System32\svchost.exe[116] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076f716d0 5 bytes JMP 0000000100070390 .text C:\Windows\System32\svchost.exe[116] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076f71710 5 bytes JMP 00000001000702e0 .text C:\Windows\System32\svchost.exe[116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076f71790 5 bytes JMP 00000001000702d0 .text C:\Windows\System32\svchost.exe[116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076f717b0 5 bytes JMP 0000000100070310 .text C:\Windows\System32\svchost.exe[116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076f717f0 5 bytes JMP 00000001000703c0 .text C:\Windows\System32\svchost.exe[116] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076f71840 5 bytes JMP 00000001000703f0 .text C:\Windows\System32\svchost.exe[116] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076f719a0 1 byte JMP 0000000100070230 .text C:\Windows\System32\svchost.exe[116] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076f719a2 3 bytes {JMP 0xffffffff890fe890} .text C:\Windows\System32\svchost.exe[116] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076f71b60 5 bytes JMP 0000000100070480 .text C:\Windows\System32\svchost.exe[116] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076f71b90 5 bytes JMP 00000001000703a0 .text C:\Windows\System32\svchost.exe[116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076f71c70 5 bytes JMP 00000001000702f0 .text C:\Windows\System32\svchost.exe[116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076f71c80 5 bytes JMP 0000000100070350 .text C:\Windows\System32\svchost.exe[116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076f71ce0 5 bytes JMP 0000000100070290 .text C:\Windows\System32\svchost.exe[116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076f71d70 5 bytes JMP 00000001000702b0 .text C:\Windows\System32\svchost.exe[116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076f71d90 5 bytes JMP 00000001000703d0 .text C:\Windows\System32\svchost.exe[116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076f71da0 1 byte JMP 0000000100070330 .text C:\Windows\System32\svchost.exe[116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076f71da2 3 bytes {JMP 0xffffffff890fe590} .text C:\Windows\System32\svchost.exe[116] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076f71e10 5 bytes JMP 0000000100070410 .text C:\Windows\System32\svchost.exe[116] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076f71e40 5 bytes JMP 0000000100070240 .text C:\Windows\System32\svchost.exe[116] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076f72100 5 bytes JMP 00000001000701e0 .text C:\Windows\System32\svchost.exe[116] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076f721c0 1 byte JMP 0000000100070250 .text C:\Windows\System32\svchost.exe[116] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076f721c2 3 bytes {JMP 0xffffffff890fe090} .text C:\Windows\System32\svchost.exe[116] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076f721f0 5 bytes JMP 0000000100070490 .text C:\Windows\System32\svchost.exe[116] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076f72200 5 bytes JMP 00000001000704a0 .text C:\Windows\System32\svchost.exe[116] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076f72230 5 bytes JMP 0000000100070300 .text C:\Windows\System32\svchost.exe[116] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076f72240 5 bytes JMP 0000000100070360 .text C:\Windows\System32\svchost.exe[116] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076f722a0 5 bytes JMP 00000001000702a0 .text C:\Windows\System32\svchost.exe[116] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076f722f0 5 bytes JMP 00000001000702c0 .text C:\Windows\System32\svchost.exe[116] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076f72320 5 bytes JMP 0000000100070380 .text C:\Windows\System32\svchost.exe[116] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076f72330 5 bytes JMP 0000000100070340 .text C:\Windows\System32\svchost.exe[116] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076f72620 5 bytes JMP 0000000100070440 .text C:\Windows\System32\svchost.exe[116] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076f72820 5 bytes JMP 0000000100070260 .text C:\Windows\System32\svchost.exe[116] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076f72830 5 bytes JMP 0000000100070270 .text C:\Windows\System32\svchost.exe[116] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076f72840 5 bytes JMP 0000000100070400 .text C:\Windows\System32\svchost.exe[116] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076f72a00 5 bytes JMP 00000001000701f0 .text C:\Windows\System32\svchost.exe[116] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076f72a10 5 bytes JMP 0000000100070210 .text C:\Windows\System32\svchost.exe[116] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076f72a80 5 bytes JMP 0000000100070200 .text C:\Windows\System32\svchost.exe[116] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076f72ae0 5 bytes JMP 0000000100070420 .text C:\Windows\System32\svchost.exe[116] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076f72af0 5 bytes JMP 0000000100070430 .text C:\Windows\System32\svchost.exe[116] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076f72b00 5 bytes JMP 0000000100070220 .text C:\Windows\System32\svchost.exe[116] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076f72be0 5 bytes JMP 0000000100070280 .text C:\Windows\System32\svchost.exe[116] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076d5eecd 1 byte [62] .text C:\Windows\System32\svchost.exe[364] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076f713c0 5 bytes JMP 00000000770d0460 .text C:\Windows\System32\svchost.exe[364] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076f71410 5 bytes JMP 00000000770d0450 .text C:\Windows\System32\svchost.exe[364] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076f71570 5 bytes JMP 00000000770d0370 .text C:\Windows\System32\svchost.exe[364] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076f715c0 5 bytes JMP 00000000770d0470 .text C:\Windows\System32\svchost.exe[364] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076f715d0 5 bytes JMP 00000000770d03e0 .text C:\Windows\System32\svchost.exe[364] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076f71680 5 bytes JMP 00000000770d0320 .text C:\Windows\System32\svchost.exe[364] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076f716b0 5 bytes JMP 00000000770d03b0 .text C:\Windows\System32\svchost.exe[364] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076f716d0 5 bytes JMP 00000000770d0390 .text C:\Windows\System32\svchost.exe[364] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076f71710 5 bytes JMP 00000000770d02e0 .text C:\Windows\System32\svchost.exe[364] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076f71790 5 bytes JMP 00000000770d02d0 .text C:\Windows\System32\svchost.exe[364] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076f717b0 5 bytes JMP 00000000770d0310 .text C:\Windows\System32\svchost.exe[364] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076f717f0 5 bytes JMP 00000000770d03c0 .text C:\Windows\System32\svchost.exe[364] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076f71840 5 bytes JMP 00000000770d03f0 .text C:\Windows\System32\svchost.exe[364] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076f719a0 1 byte JMP 00000000770d0230 .text C:\Windows\System32\svchost.exe[364] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076f719a2 3 bytes {JMP 0x15e890} .text C:\Windows\System32\svchost.exe[364] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076f71b60 5 bytes JMP 00000000770d0480 .text C:\Windows\System32\svchost.exe[364] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076f71b90 5 bytes JMP 00000000770d03a0 .text C:\Windows\System32\svchost.exe[364] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076f71c70 5 bytes JMP 00000000770d02f0 .text C:\Windows\System32\svchost.exe[364] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076f71c80 5 bytes JMP 00000000770d0350 .text C:\Windows\System32\svchost.exe[364] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076f71ce0 5 bytes JMP 00000000770d0290 .text C:\Windows\System32\svchost.exe[364] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076f71d70 5 bytes JMP 00000000770d02b0 .text C:\Windows\System32\svchost.exe[364] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076f71d90 5 bytes JMP 00000000770d03d0 .text C:\Windows\System32\svchost.exe[364] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076f71da0 1 byte JMP 00000000770d0330 .text C:\Windows\System32\svchost.exe[364] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076f71da2 3 bytes {JMP 0x15e590} .text C:\Windows\System32\svchost.exe[364] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076f71e10 5 bytes JMP 00000000770d0410 .text C:\Windows\System32\svchost.exe[364] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076f71e40 5 bytes JMP 00000000770d0240 .text C:\Windows\System32\svchost.exe[364] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076f72100 5 bytes JMP 00000000770d01e0 .text C:\Windows\System32\svchost.exe[364] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076f721c0 1 byte JMP 00000000770d0250 .text C:\Windows\System32\svchost.exe[364] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076f721c2 3 bytes {JMP 0x15e090} .text C:\Windows\System32\svchost.exe[364] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076f721f0 5 bytes JMP 00000000770d0490 .text C:\Windows\System32\svchost.exe[364] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076f72200 5 bytes JMP 00000000770d04a0 .text C:\Windows\System32\svchost.exe[364] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076f72230 5 bytes JMP 00000000770d0300 .text C:\Windows\System32\svchost.exe[364] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076f72240 5 bytes JMP 00000000770d0360 .text C:\Windows\System32\svchost.exe[364] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076f722a0 5 bytes JMP 00000000770d02a0 .text C:\Windows\System32\svchost.exe[364] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076f722f0 5 bytes JMP 00000000770d02c0 .text C:\Windows\System32\svchost.exe[364] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076f72320 5 bytes JMP 00000000770d0380 .text C:\Windows\System32\svchost.exe[364] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076f72330 5 bytes JMP 00000000770d0340 .text C:\Windows\System32\svchost.exe[364] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076f72620 5 bytes JMP 00000000770d0440 .text C:\Windows\System32\svchost.exe[364] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076f72820 5 bytes JMP 00000000770d0260 .text C:\Windows\System32\svchost.exe[364] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076f72830 5 bytes JMP 00000000770d0270 .text C:\Windows\System32\svchost.exe[364] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076f72840 5 bytes JMP 00000000770d0400 .text C:\Windows\System32\svchost.exe[364] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076f72a00 5 bytes JMP 00000000770d01f0 .text C:\Windows\System32\svchost.exe[364] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076f72a10 5 bytes JMP 00000000770d0210 .text C:\Windows\System32\svchost.exe[364] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076f72a80 5 bytes JMP 00000000770d0200 .text C:\Windows\System32\svchost.exe[364] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076f72ae0 5 bytes JMP 00000000770d0420 .text C:\Windows\System32\svchost.exe[364] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076f72af0 5 bytes JMP 00000000770d0430 .text C:\Windows\System32\svchost.exe[364] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076f72b00 5 bytes JMP 00000000770d0220 .text C:\Windows\System32\svchost.exe[364] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076f72be0 5 bytes JMP 00000000770d0280 .text C:\Windows\System32\svchost.exe[364] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076d5eecd 1 byte [62] .text C:\Windows\system32\svchost.exe[416] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076d5eecd 1 byte [62] .text C:\Windows\system32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076f713c0 5 bytes JMP 00000000770d0460 .text C:\Windows\system32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076f71410 5 bytes JMP 00000000770d0450 .text C:\Windows\system32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076f71570 5 bytes JMP 00000000770d0370 .text C:\Windows\system32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076f715c0 5 bytes JMP 00000000770d0470 .text C:\Windows\system32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076f715d0 5 bytes JMP 00000000770d03e0 .text C:\Windows\system32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076f71680 5 bytes JMP 00000000770d0320 .text C:\Windows\system32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076f716b0 5 bytes JMP 00000000770d03b0 .text C:\Windows\system32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076f716d0 5 bytes JMP 00000000770d0390 .text C:\Windows\system32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076f71710 5 bytes JMP 00000000770d02e0 .text C:\Windows\system32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076f71790 5 bytes JMP 00000000770d02d0 .text C:\Windows\system32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076f717b0 5 bytes JMP 00000000770d0310 .text C:\Windows\system32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076f717f0 5 bytes JMP 00000000770d03c0 .text C:\Windows\system32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076f71840 5 bytes JMP 00000000770d03f0 .text C:\Windows\system32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076f719a0 1 byte JMP 00000000770d0230 .text C:\Windows\system32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076f719a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076f71b60 5 bytes JMP 00000000770d0480 .text C:\Windows\system32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076f71b90 5 bytes JMP 00000000770d03a0 .text C:\Windows\system32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076f71c70 5 bytes JMP 00000000770d02f0 .text C:\Windows\system32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076f71c80 5 bytes JMP 00000000770d0350 .text C:\Windows\system32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076f71ce0 5 bytes JMP 00000000770d0290 .text C:\Windows\system32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076f71d70 5 bytes JMP 00000000770d02b0 .text C:\Windows\system32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076f71d90 5 bytes JMP 00000000770d03d0 .text C:\Windows\system32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076f71da0 1 byte JMP 00000000770d0330 .text C:\Windows\system32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076f71da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076f71e10 5 bytes JMP 00000000770d0410 .text C:\Windows\system32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076f71e40 5 bytes JMP 00000000770d0240 .text C:\Windows\system32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076f72100 5 bytes JMP 00000000770d01e0 .text C:\Windows\system32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076f721c0 1 byte JMP 00000000770d0250 .text C:\Windows\system32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076f721c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076f721f0 5 bytes JMP 00000000770d0490 .text C:\Windows\system32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076f72200 5 bytes JMP 00000000770d04a0 .text C:\Windows\system32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076f72230 5 bytes JMP 00000000770d0300 .text C:\Windows\system32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076f72240 5 bytes JMP 00000000770d0360 .text C:\Windows\system32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076f722a0 5 bytes JMP 00000000770d02a0 .text C:\Windows\system32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076f722f0 5 bytes JMP 00000000770d02c0 .text C:\Windows\system32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076f72320 5 bytes JMP 00000000770d0380 .text C:\Windows\system32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076f72330 5 bytes JMP 00000000770d0340 .text C:\Windows\system32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076f72620 5 bytes JMP 00000000770d0440 .text C:\Windows\system32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076f72820 5 bytes JMP 00000000770d0260 .text C:\Windows\system32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076f72830 5 bytes JMP 00000000770d0270 .text C:\Windows\system32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076f72840 5 bytes JMP 00000000770d0400 .text C:\Windows\system32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076f72a00 5 bytes JMP 00000000770d01f0 .text C:\Windows\system32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076f72a10 5 bytes JMP 00000000770d0210 .text C:\Windows\system32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076f72a80 5 bytes JMP 00000000770d0200 .text C:\Windows\system32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076f72ae0 5 bytes JMP 00000000770d0420 .text C:\Windows\system32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076f72af0 5 bytes JMP 00000000770d0430 .text C:\Windows\system32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076f72b00 5 bytes JMP 00000000770d0220 .text C:\Windows\system32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076f72be0 5 bytes JMP 00000000770d0280 .text C:\Windows\system32\svchost.exe[1080] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076d5eecd 1 byte [62] .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076f713c0 5 bytes JMP 00000000770d0460 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076f71410 5 bytes JMP 00000000770d0450 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076f71570 5 bytes JMP 00000000770d0370 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076f715c0 5 bytes JMP 00000000770d0470 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076f715d0 5 bytes JMP 00000000770d03e0 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076f71680 5 bytes JMP 00000000770d0320 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076f716b0 5 bytes JMP 00000000770d03b0 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076f716d0 5 bytes JMP 00000000770d0390 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076f71710 5 bytes JMP 00000000770d02e0 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076f71790 5 bytes JMP 00000000770d02d0 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076f717b0 5 bytes JMP 00000000770d0310 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076f717f0 5 bytes JMP 00000000770d03c0 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076f71840 5 bytes JMP 00000000770d03f0 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076f719a0 1 byte JMP 00000000770d0230 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076f719a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076f71b60 5 bytes JMP 00000000770d0480 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076f71b90 5 bytes JMP 00000000770d03a0 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076f71c70 5 bytes JMP 00000000770d02f0 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076f71c80 5 bytes JMP 00000000770d0350 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076f71ce0 5 bytes JMP 00000000770d0290 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076f71d70 5 bytes JMP 00000000770d02b0 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076f71d90 5 bytes JMP 00000000770d03d0 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076f71da0 1 byte JMP 00000000770d0330 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076f71da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076f71e10 5 bytes JMP 00000000770d0410 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076f71e40 5 bytes JMP 00000000770d0240 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076f72100 5 bytes JMP 00000000770d01e0 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076f721c0 1 byte JMP 00000000770d0250 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076f721c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076f721f0 5 bytes JMP 00000000770d0490 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076f72200 5 bytes JMP 00000000770d04a0 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076f72230 5 bytes JMP 00000000770d0300 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076f72240 5 bytes JMP 00000000770d0360 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076f722a0 5 bytes JMP 00000000770d02a0 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076f722f0 5 bytes JMP 00000000770d02c0 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076f72320 5 bytes JMP 00000000770d0380 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076f72330 5 bytes JMP 00000000770d0340 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076f72620 5 bytes JMP 00000000770d0440 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076f72820 5 bytes JMP 00000000770d0260 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076f72830 5 bytes JMP 00000000770d0270 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076f72840 5 bytes JMP 00000000770d0400 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076f72a00 5 bytes JMP 00000000770d01f0 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076f72a10 5 bytes JMP 00000000770d0210 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076f72a80 5 bytes JMP 00000000770d0200 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076f72ae0 5 bytes JMP 00000000770d0420 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076f72af0 5 bytes JMP 00000000770d0430 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076f72b00 5 bytes JMP 00000000770d0220 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076f72be0 5 bytes JMP 00000000770d0280 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076d5eecd 1 byte [62] .text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1424] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076f713c0 5 bytes JMP 00000000770d0460 .text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1424] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076f71410 5 bytes JMP 00000000770d0450 .text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1424] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076f71570 5 bytes JMP 00000000770d0370 .text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1424] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076f715c0 5 bytes JMP 00000000770d0470 .text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1424] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076f715d0 5 bytes JMP 00000000770d03e0 .text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1424] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076f71680 5 bytes JMP 00000000770d0320 .text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1424] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076f716b0 5 bytes JMP 00000000770d03b0 .text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1424] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076f716d0 5 bytes JMP 00000000770d0390 .text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1424] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076f71710 5 bytes JMP 00000000770d02e0 .text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1424] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076f71790 5 bytes JMP 00000000770d02d0 .text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1424] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076f717b0 5 bytes JMP 00000000770d0310 .text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1424] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076f717f0 5 bytes JMP 00000000770d03c0 .text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1424] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076f71840 5 bytes JMP 00000000770d03f0 .text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1424] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076f719a0 1 byte JMP 00000000770d0230 .text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1424] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076f719a2 3 bytes {JMP 0x15e890} .text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1424] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076f71b60 5 bytes JMP 00000000770d0480 .text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1424] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076f71b90 5 bytes JMP 00000000770d03a0 .text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1424] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076f71c70 5 bytes JMP 00000000770d02f0 .text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1424] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076f71c80 5 bytes JMP 00000000770d0350 .text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1424] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076f71ce0 5 bytes JMP 00000000770d0290 .text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1424] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076f71d70 5 bytes JMP 00000000770d02b0 .text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1424] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076f71d90 5 bytes JMP 00000000770d03d0 .text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1424] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076f71da0 1 byte JMP 00000000770d0330 .text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1424] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076f71da2 3 bytes {JMP 0x15e590} .text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1424] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076f71e10 5 bytes JMP 00000000770d0410 .text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1424] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076f71e40 5 bytes JMP 00000000770d0240 .text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1424] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076f72100 5 bytes JMP 00000000770d01e0 .text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1424] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076f721c0 1 byte JMP 00000000770d0250 .text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1424] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076f721c2 3 bytes {JMP 0x15e090} .text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1424] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076f721f0 5 bytes JMP 00000000770d0490 .text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1424] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076f72200 5 bytes JMP 00000000770d04a0 .text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1424] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076f72230 5 bytes JMP 00000000770d0300 .text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1424] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076f72240 5 bytes JMP 00000000770d0360 .text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1424] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076f722a0 5 bytes JMP 00000000770d02a0 .text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1424] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076f722f0 5 bytes JMP 00000000770d02c0 .text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1424] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076f72320 5 bytes JMP 00000000770d0380 .text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1424] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076f72330 5 bytes JMP 00000000770d0340 .text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1424] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076f72620 5 bytes JMP 00000000770d0440 .text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1424] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076f72820 5 bytes JMP 00000000770d0260 .text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1424] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076f72830 5 bytes JMP 00000000770d0270 .text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1424] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076f72840 5 bytes JMP 00000000770d0400 .text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1424] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076f72a00 5 bytes JMP 00000000770d01f0 .text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1424] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076f72a10 5 bytes JMP 00000000770d0210 .text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1424] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076f72a80 5 bytes JMP 00000000770d0200 .text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1424] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076f72ae0 5 bytes JMP 00000000770d0420 .text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1424] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076f72af0 5 bytes JMP 00000000770d0430 .text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1424] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076f72b00 5 bytes JMP 00000000770d0220 .text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1424] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076f72be0 5 bytes JMP 00000000770d0280 .text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1424] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076d5eecd 1 byte [62] .text C:\Windows\system32\nvvsvc.exe[1436] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076f713c0 5 bytes JMP 00000000770d0460 .text C:\Windows\system32\nvvsvc.exe[1436] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076f71410 5 bytes JMP 00000000770d0450 .text C:\Windows\system32\nvvsvc.exe[1436] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076f71570 5 bytes JMP 00000000770d0370 .text C:\Windows\system32\nvvsvc.exe[1436] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076f715c0 5 bytes JMP 00000000770d0470 .text C:\Windows\system32\nvvsvc.exe[1436] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076f715d0 5 bytes JMP 00000000770d03e0 .text C:\Windows\system32\nvvsvc.exe[1436] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076f71680 5 bytes JMP 00000000770d0320 .text C:\Windows\system32\nvvsvc.exe[1436] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076f716b0 5 bytes JMP 00000000770d03b0 .text C:\Windows\system32\nvvsvc.exe[1436] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076f716d0 5 bytes JMP 00000000770d0390 .text C:\Windows\system32\nvvsvc.exe[1436] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076f71710 5 bytes JMP 00000000770d02e0 .text C:\Windows\system32\nvvsvc.exe[1436] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076f71790 5 bytes JMP 00000000770d02d0 .text C:\Windows\system32\nvvsvc.exe[1436] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076f717b0 5 bytes JMP 00000000770d0310 .text C:\Windows\system32\nvvsvc.exe[1436] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076f717f0 5 bytes JMP 00000000770d03c0 .text C:\Windows\system32\nvvsvc.exe[1436] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076f71840 5 bytes JMP 00000000770d03f0 .text C:\Windows\system32\nvvsvc.exe[1436] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076f719a0 1 byte JMP 00000000770d0230 .text C:\Windows\system32\nvvsvc.exe[1436] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076f719a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\nvvsvc.exe[1436] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076f71b60 5 bytes JMP 00000000770d0480 .text C:\Windows\system32\nvvsvc.exe[1436] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076f71b90 5 bytes JMP 00000000770d03a0 .text C:\Windows\system32\nvvsvc.exe[1436] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076f71c70 5 bytes JMP 00000000770d02f0 .text C:\Windows\system32\nvvsvc.exe[1436] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076f71c80 5 bytes JMP 00000000770d0350 .text C:\Windows\system32\nvvsvc.exe[1436] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076f71ce0 5 bytes JMP 00000000770d0290 .text C:\Windows\system32\nvvsvc.exe[1436] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076f71d70 5 bytes JMP 00000000770d02b0 .text C:\Windows\system32\nvvsvc.exe[1436] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076f71d90 5 bytes JMP 00000000770d03d0 .text C:\Windows\system32\nvvsvc.exe[1436] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076f71da0 1 byte JMP 00000000770d0330 .text C:\Windows\system32\nvvsvc.exe[1436] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076f71da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\nvvsvc.exe[1436] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076f71e10 5 bytes JMP 00000000770d0410 .text C:\Windows\system32\nvvsvc.exe[1436] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076f71e40 5 bytes JMP 00000000770d0240 .text C:\Windows\system32\nvvsvc.exe[1436] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076f72100 5 bytes JMP 00000000770d01e0 .text C:\Windows\system32\nvvsvc.exe[1436] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076f721c0 1 byte JMP 00000000770d0250 .text C:\Windows\system32\nvvsvc.exe[1436] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076f721c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\nvvsvc.exe[1436] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076f721f0 5 bytes JMP 00000000770d0490 .text C:\Windows\system32\nvvsvc.exe[1436] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076f72200 5 bytes JMP 00000000770d04a0 .text C:\Windows\system32\nvvsvc.exe[1436] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076f72230 5 bytes JMP 00000000770d0300 .text C:\Windows\system32\nvvsvc.exe[1436] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076f72240 5 bytes JMP 00000000770d0360 .text C:\Windows\system32\nvvsvc.exe[1436] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076f722a0 5 bytes JMP 00000000770d02a0 .text C:\Windows\system32\nvvsvc.exe[1436] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076f722f0 5 bytes JMP 00000000770d02c0 .text C:\Windows\system32\nvvsvc.exe[1436] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076f72320 5 bytes JMP 00000000770d0380 .text C:\Windows\system32\nvvsvc.exe[1436] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076f72330 5 bytes JMP 00000000770d0340 .text C:\Windows\system32\nvvsvc.exe[1436] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076f72620 5 bytes JMP 00000000770d0440 .text C:\Windows\system32\nvvsvc.exe[1436] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076f72820 5 bytes JMP 00000000770d0260 .text C:\Windows\system32\nvvsvc.exe[1436] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076f72830 5 bytes JMP 00000000770d0270 .text C:\Windows\system32\nvvsvc.exe[1436] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076f72840 5 bytes JMP 00000000770d0400 .text C:\Windows\system32\nvvsvc.exe[1436] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076f72a00 5 bytes JMP 00000000770d01f0 .text C:\Windows\system32\nvvsvc.exe[1436] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076f72a10 5 bytes JMP 00000000770d0210 .text C:\Windows\system32\nvvsvc.exe[1436] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076f72a80 5 bytes JMP 00000000770d0200 .text C:\Windows\system32\nvvsvc.exe[1436] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076f72ae0 5 bytes JMP 00000000770d0420 .text C:\Windows\system32\nvvsvc.exe[1436] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076f72af0 5 bytes JMP 00000000770d0430 .text C:\Windows\system32\nvvsvc.exe[1436] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076f72b00 5 bytes JMP 00000000770d0220 .text C:\Windows\system32\nvvsvc.exe[1436] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076f72be0 5 bytes JMP 00000000770d0280 .text C:\Windows\system32\nvvsvc.exe[1436] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076d5eecd 1 byte [62] .text C:\Windows\System32\spoolsv.exe[1588] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076f713c0 5 bytes JMP 00000000770d0460 .text C:\Windows\System32\spoolsv.exe[1588] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076f71410 5 bytes JMP 00000000770d0450 .text C:\Windows\System32\spoolsv.exe[1588] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076f71570 5 bytes JMP 00000000770d0370 .text C:\Windows\System32\spoolsv.exe[1588] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076f715c0 5 bytes JMP 00000000770d0470 .text C:\Windows\System32\spoolsv.exe[1588] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076f715d0 5 bytes JMP 00000000770d03e0 .text C:\Windows\System32\spoolsv.exe[1588] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076f71680 5 bytes JMP 00000000770d0320 .text C:\Windows\System32\spoolsv.exe[1588] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076f716b0 5 bytes JMP 00000000770d03b0 .text C:\Windows\System32\spoolsv.exe[1588] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076f716d0 5 bytes JMP 00000000770d0390 .text C:\Windows\System32\spoolsv.exe[1588] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076f71710 5 bytes JMP 00000000770d02e0 .text C:\Windows\System32\spoolsv.exe[1588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076f71790 5 bytes JMP 00000000770d02d0 .text C:\Windows\System32\spoolsv.exe[1588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076f717b0 5 bytes JMP 00000000770d0310 .text C:\Windows\System32\spoolsv.exe[1588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076f717f0 5 bytes JMP 00000000770d03c0 .text C:\Windows\System32\spoolsv.exe[1588] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076f71840 5 bytes JMP 00000000770d03f0 .text C:\Windows\System32\spoolsv.exe[1588] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076f719a0 1 byte JMP 00000000770d0230 .text C:\Windows\System32\spoolsv.exe[1588] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076f719a2 3 bytes {JMP 0x15e890} .text C:\Windows\System32\spoolsv.exe[1588] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076f71b60 5 bytes JMP 00000000770d0480 .text C:\Windows\System32\spoolsv.exe[1588] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076f71b90 5 bytes JMP 00000000770d03a0 .text C:\Windows\System32\spoolsv.exe[1588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076f71c70 5 bytes JMP 00000000770d02f0 .text C:\Windows\System32\spoolsv.exe[1588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076f71c80 5 bytes JMP 00000000770d0350 .text C:\Windows\System32\spoolsv.exe[1588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076f71ce0 5 bytes JMP 00000000770d0290 .text C:\Windows\System32\spoolsv.exe[1588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076f71d70 5 bytes JMP 00000000770d02b0 .text C:\Windows\System32\spoolsv.exe[1588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076f71d90 5 bytes JMP 00000000770d03d0 .text C:\Windows\System32\spoolsv.exe[1588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076f71da0 1 byte JMP 00000000770d0330 .text C:\Windows\System32\spoolsv.exe[1588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076f71da2 3 bytes {JMP 0x15e590} .text C:\Windows\System32\spoolsv.exe[1588] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076f71e10 5 bytes JMP 00000000770d0410 .text C:\Windows\System32\spoolsv.exe[1588] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076f71e40 5 bytes JMP 00000000770d0240 .text C:\Windows\System32\spoolsv.exe[1588] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076f72100 5 bytes JMP 00000000770d01e0 .text C:\Windows\System32\spoolsv.exe[1588] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076f721c0 1 byte JMP 00000000770d0250 .text C:\Windows\System32\spoolsv.exe[1588] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076f721c2 3 bytes {JMP 0x15e090} .text C:\Windows\System32\spoolsv.exe[1588] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076f721f0 5 bytes JMP 00000000770d0490 .text C:\Windows\System32\spoolsv.exe[1588] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076f72200 5 bytes JMP 00000000770d04a0 .text C:\Windows\System32\spoolsv.exe[1588] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076f72230 5 bytes JMP 00000000770d0300 .text C:\Windows\System32\spoolsv.exe[1588] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076f72240 5 bytes JMP 00000000770d0360 .text C:\Windows\System32\spoolsv.exe[1588] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076f722a0 5 bytes JMP 00000000770d02a0 .text C:\Windows\System32\spoolsv.exe[1588] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076f722f0 5 bytes JMP 00000000770d02c0 .text C:\Windows\System32\spoolsv.exe[1588] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076f72320 5 bytes JMP 00000000770d0380 .text C:\Windows\System32\spoolsv.exe[1588] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076f72330 5 bytes JMP 00000000770d0340 .text C:\Windows\System32\spoolsv.exe[1588] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076f72620 5 bytes JMP 00000000770d0440 .text C:\Windows\System32\spoolsv.exe[1588] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076f72820 5 bytes JMP 00000000770d0260 .text C:\Windows\System32\spoolsv.exe[1588] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076f72830 5 bytes JMP 00000000770d0270 .text C:\Windows\System32\spoolsv.exe[1588] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076f72840 5 bytes JMP 00000000770d0400 .text C:\Windows\System32\spoolsv.exe[1588] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076f72a00 5 bytes JMP 00000000770d01f0 .text C:\Windows\System32\spoolsv.exe[1588] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076f72a10 5 bytes JMP 00000000770d0210 .text C:\Windows\System32\spoolsv.exe[1588] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076f72a80 5 bytes JMP 00000000770d0200 .text C:\Windows\System32\spoolsv.exe[1588] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076f72ae0 5 bytes JMP 00000000770d0420 .text C:\Windows\System32\spoolsv.exe[1588] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076f72af0 5 bytes JMP 00000000770d0430 .text C:\Windows\System32\spoolsv.exe[1588] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076f72b00 5 bytes JMP 00000000770d0220 .text C:\Windows\System32\spoolsv.exe[1588] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076f72be0 5 bytes JMP 00000000770d0280 .text C:\Windows\System32\spoolsv.exe[1588] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076d5eecd 1 byte [62] .text C:\Windows\system32\svchost.exe[1616] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076f713c0 5 bytes JMP 00000000770d0460 .text C:\Windows\system32\svchost.exe[1616] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076f71410 5 bytes JMP 00000000770d0450 .text C:\Windows\system32\svchost.exe[1616] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076f71570 5 bytes JMP 00000000770d0370 .text C:\Windows\system32\svchost.exe[1616] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076f715c0 5 bytes JMP 00000000770d0470 .text C:\Windows\system32\svchost.exe[1616] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076f715d0 5 bytes JMP 00000000770d03e0 .text C:\Windows\system32\svchost.exe[1616] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076f71680 5 bytes JMP 00000000770d0320 .text C:\Windows\system32\svchost.exe[1616] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076f716b0 5 bytes JMP 00000000770d03b0 .text C:\Windows\system32\svchost.exe[1616] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076f716d0 5 bytes JMP 00000000770d0390 .text C:\Windows\system32\svchost.exe[1616] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076f71710 5 bytes JMP 00000000770d02e0 .text C:\Windows\system32\svchost.exe[1616] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076f71790 5 bytes JMP 00000000770d02d0 .text C:\Windows\system32\svchost.exe[1616] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076f717b0 5 bytes JMP 00000000770d0310 .text C:\Windows\system32\svchost.exe[1616] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076f717f0 5 bytes JMP 00000000770d03c0 .text C:\Windows\system32\svchost.exe[1616] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076f71840 5 bytes JMP 00000000770d03f0 .text C:\Windows\system32\svchost.exe[1616] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076f719a0 1 byte JMP 00000000770d0230 .text C:\Windows\system32\svchost.exe[1616] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076f719a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\svchost.exe[1616] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076f71b60 5 bytes JMP 00000000770d0480 .text C:\Windows\system32\svchost.exe[1616] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076f71b90 5 bytes JMP 00000000770d03a0 .text C:\Windows\system32\svchost.exe[1616] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076f71c70 5 bytes JMP 00000000770d02f0 .text C:\Windows\system32\svchost.exe[1616] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076f71c80 5 bytes JMP 00000000770d0350 .text C:\Windows\system32\svchost.exe[1616] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076f71ce0 5 bytes JMP 00000000770d0290 .text C:\Windows\system32\svchost.exe[1616] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076f71d70 5 bytes JMP 00000000770d02b0 .text C:\Windows\system32\svchost.exe[1616] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076f71d90 5 bytes JMP 00000000770d03d0 .text C:\Windows\system32\svchost.exe[1616] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076f71da0 1 byte JMP 00000000770d0330 .text C:\Windows\system32\svchost.exe[1616] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076f71da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\svchost.exe[1616] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076f71e10 5 bytes JMP 00000000770d0410 .text C:\Windows\system32\svchost.exe[1616] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076f71e40 5 bytes JMP 00000000770d0240 .text C:\Windows\system32\svchost.exe[1616] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076f72100 5 bytes JMP 00000000770d01e0 .text C:\Windows\system32\svchost.exe[1616] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076f721c0 1 byte JMP 00000000770d0250 .text C:\Windows\system32\svchost.exe[1616] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076f721c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\svchost.exe[1616] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076f721f0 5 bytes JMP 00000000770d0490 .text C:\Windows\system32\svchost.exe[1616] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076f72200 5 bytes JMP 00000000770d04a0 .text C:\Windows\system32\svchost.exe[1616] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076f72230 5 bytes JMP 00000000770d0300 .text C:\Windows\system32\svchost.exe[1616] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076f72240 5 bytes JMP 00000000770d0360 .text C:\Windows\system32\svchost.exe[1616] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076f722a0 5 bytes JMP 00000000770d02a0 .text C:\Windows\system32\svchost.exe[1616] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076f722f0 5 bytes JMP 00000000770d02c0 .text C:\Windows\system32\svchost.exe[1616] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076f72320 5 bytes JMP 00000000770d0380 .text C:\Windows\system32\svchost.exe[1616] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076f72330 5 bytes JMP 00000000770d0340 .text C:\Windows\system32\svchost.exe[1616] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076f72620 5 bytes JMP 00000000770d0440 .text C:\Windows\system32\svchost.exe[1616] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076f72820 5 bytes JMP 00000000770d0260 .text C:\Windows\system32\svchost.exe[1616] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076f72830 5 bytes JMP 00000000770d0270 .text C:\Windows\system32\svchost.exe[1616] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076f72840 5 bytes JMP 00000000770d0400 .text C:\Windows\system32\svchost.exe[1616] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076f72a00 5 bytes JMP 00000000770d01f0 .text C:\Windows\system32\svchost.exe[1616] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076f72a10 5 bytes JMP 00000000770d0210 .text C:\Windows\system32\svchost.exe[1616] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076f72a80 5 bytes JMP 00000000770d0200 .text C:\Windows\system32\svchost.exe[1616] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076f72ae0 5 bytes JMP 00000000770d0420 .text C:\Windows\system32\svchost.exe[1616] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076f72af0 5 bytes JMP 00000000770d0430 .text C:\Windows\system32\svchost.exe[1616] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076f72b00 5 bytes JMP 00000000770d0220 .text C:\Windows\system32\svchost.exe[1616] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076f72be0 5 bytes JMP 00000000770d0280 .text C:\Windows\system32\svchost.exe[1616] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076d5eecd 1 byte [62] .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[1744] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000757ca322 1 byte [62] .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[1744] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000770d1465 2 bytes [0D, 77] .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[1744] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000770d14bb 2 bytes [0D, 77] .text ... * 2 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[1888] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000757ca322 1 byte [62] .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[1888] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000770d1465 2 bytes [0D, 77] .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[1888] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000770d14bb 2 bytes [0D, 77] .text ... * 2 .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[1176] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000757ca322 1 byte [62] .text C:\Windows\system32\taskhost.exe[2200] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076f713c0 5 bytes JMP 00000000770d0460 .text C:\Windows\system32\taskhost.exe[2200] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076f71410 5 bytes JMP 00000000770d0450 .text C:\Windows\system32\taskhost.exe[2200] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076f71570 5 bytes JMP 00000000770d0370 .text C:\Windows\system32\taskhost.exe[2200] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076f715c0 5 bytes JMP 00000000770d0470 .text C:\Windows\system32\taskhost.exe[2200] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076f715d0 5 bytes JMP 00000000770d03e0 .text C:\Windows\system32\taskhost.exe[2200] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076f71680 5 bytes JMP 00000000770d0320 .text C:\Windows\system32\taskhost.exe[2200] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076f716b0 5 bytes JMP 00000000770d03b0 .text C:\Windows\system32\taskhost.exe[2200] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076f716d0 5 bytes JMP 00000000770d0390 .text C:\Windows\system32\taskhost.exe[2200] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076f71710 5 bytes JMP 00000000770d02e0 .text C:\Windows\system32\taskhost.exe[2200] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076f71790 5 bytes JMP 00000000770d02d0 .text C:\Windows\system32\taskhost.exe[2200] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076f717b0 5 bytes JMP 00000000770d0310 .text C:\Windows\system32\taskhost.exe[2200] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076f717f0 5 bytes JMP 00000000770d03c0 .text C:\Windows\system32\taskhost.exe[2200] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076f71840 5 bytes JMP 00000000770d03f0 .text C:\Windows\system32\taskhost.exe[2200] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076f719a0 1 byte JMP 00000000770d0230 .text C:\Windows\system32\taskhost.exe[2200] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076f719a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\taskhost.exe[2200] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076f71b60 5 bytes JMP 00000000770d0480 .text C:\Windows\system32\taskhost.exe[2200] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076f71b90 5 bytes JMP 00000000770d03a0 .text C:\Windows\system32\taskhost.exe[2200] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076f71c70 5 bytes JMP 00000000770d02f0 .text C:\Windows\system32\taskhost.exe[2200] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076f71c80 5 bytes JMP 00000000770d0350 .text C:\Windows\system32\taskhost.exe[2200] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076f71ce0 5 bytes JMP 00000000770d0290 .text C:\Windows\system32\taskhost.exe[2200] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076f71d70 5 bytes JMP 00000000770d02b0 .text C:\Windows\system32\taskhost.exe[2200] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076f71d90 5 bytes JMP 00000000770d03d0 .text C:\Windows\system32\taskhost.exe[2200] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076f71da0 1 byte JMP 00000000770d0330 .text C:\Windows\system32\taskhost.exe[2200] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076f71da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\taskhost.exe[2200] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076f71e10 5 bytes JMP 00000000770d0410 .text C:\Windows\system32\taskhost.exe[2200] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076f71e40 5 bytes JMP 00000000770d0240 .text C:\Windows\system32\taskhost.exe[2200] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076f72100 5 bytes JMP 00000000770d01e0 .text C:\Windows\system32\taskhost.exe[2200] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076f721c0 1 byte JMP 00000000770d0250 .text C:\Windows\system32\taskhost.exe[2200] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076f721c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\taskhost.exe[2200] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076f721f0 5 bytes JMP 00000000770d0490 .text C:\Windows\system32\taskhost.exe[2200] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076f72200 5 bytes JMP 00000000770d04a0 .text C:\Windows\system32\taskhost.exe[2200] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076f72230 5 bytes JMP 00000000770d0300 .text C:\Windows\system32\taskhost.exe[2200] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076f72240 5 bytes JMP 00000000770d0360 .text C:\Windows\system32\taskhost.exe[2200] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076f722a0 5 bytes JMP 00000000770d02a0 .text C:\Windows\system32\taskhost.exe[2200] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076f722f0 5 bytes JMP 00000000770d02c0 .text C:\Windows\system32\taskhost.exe[2200] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076f72320 5 bytes JMP 00000000770d0380 .text C:\Windows\system32\taskhost.exe[2200] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076f72330 5 bytes JMP 00000000770d0340 .text C:\Windows\system32\taskhost.exe[2200] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076f72620 5 bytes JMP 00000000770d0440 .text C:\Windows\system32\taskhost.exe[2200] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076f72820 5 bytes JMP 00000000770d0260 .text C:\Windows\system32\taskhost.exe[2200] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076f72830 5 bytes JMP 00000000770d0270 .text C:\Windows\system32\taskhost.exe[2200] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076f72840 5 bytes JMP 00000000770d0400 .text C:\Windows\system32\taskhost.exe[2200] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076f72a00 5 bytes JMP 00000000770d01f0 .text C:\Windows\system32\taskhost.exe[2200] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076f72a10 5 bytes JMP 00000000770d0210 .text C:\Windows\system32\taskhost.exe[2200] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076f72a80 5 bytes JMP 00000000770d0200 .text C:\Windows\system32\taskhost.exe[2200] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076f72ae0 5 bytes JMP 00000000770d0420 .text C:\Windows\system32\taskhost.exe[2200] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076f72af0 5 bytes JMP 00000000770d0430 .text C:\Windows\system32\taskhost.exe[2200] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076f72b00 5 bytes JMP 00000000770d0220 .text C:\Windows\system32\taskhost.exe[2200] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076f72be0 5 bytes JMP 00000000770d0280 .text C:\Windows\Explorer.EXE[2320] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076f713c0 5 bytes JMP 00000000770d0460 .text C:\Windows\Explorer.EXE[2320] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076f71410 5 bytes JMP 00000000770d0450 .text C:\Windows\Explorer.EXE[2320] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076f71570 5 bytes JMP 00000000770d0370 .text C:\Windows\Explorer.EXE[2320] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076f715c0 5 bytes JMP 00000000770d0470 .text C:\Windows\Explorer.EXE[2320] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076f715d0 5 bytes JMP 00000000770d03e0 .text C:\Windows\Explorer.EXE[2320] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076f71680 5 bytes JMP 00000000770d0320 .text C:\Windows\Explorer.EXE[2320] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076f716b0 5 bytes JMP 00000000770d03b0 .text C:\Windows\Explorer.EXE[2320] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076f716d0 5 bytes JMP 00000000770d0390 .text C:\Windows\Explorer.EXE[2320] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076f71710 5 bytes JMP 00000000770d02e0 .text C:\Windows\Explorer.EXE[2320] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076f71790 5 bytes JMP 00000000770d02d0 .text C:\Windows\Explorer.EXE[2320] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076f717b0 5 bytes JMP 00000000770d0310 .text C:\Windows\Explorer.EXE[2320] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076f717f0 5 bytes JMP 00000000770d03c0 .text C:\Windows\Explorer.EXE[2320] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076f71840 5 bytes JMP 00000000770d03f0 .text C:\Windows\Explorer.EXE[2320] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076f719a0 1 byte JMP 00000000770d0230 .text C:\Windows\Explorer.EXE[2320] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076f719a2 3 bytes {JMP 0x15e890} .text C:\Windows\Explorer.EXE[2320] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076f71b60 5 bytes JMP 00000000770d0480 .text C:\Windows\Explorer.EXE[2320] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076f71b90 5 bytes JMP 00000000770d03a0 .text C:\Windows\Explorer.EXE[2320] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076f71c70 5 bytes JMP 00000000770d02f0 .text C:\Windows\Explorer.EXE[2320] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076f71c80 5 bytes JMP 00000000770d0350 .text C:\Windows\Explorer.EXE[2320] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076f71ce0 5 bytes JMP 00000000770d0290 .text C:\Windows\Explorer.EXE[2320] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076f71d70 5 bytes JMP 00000000770d02b0 .text C:\Windows\Explorer.EXE[2320] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076f71d90 5 bytes JMP 00000000770d03d0 .text C:\Windows\Explorer.EXE[2320] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076f71da0 1 byte JMP 00000000770d0330 .text C:\Windows\Explorer.EXE[2320] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076f71da2 3 bytes {JMP 0x15e590} .text C:\Windows\Explorer.EXE[2320] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076f71e10 5 bytes JMP 00000000770d0410 .text C:\Windows\Explorer.EXE[2320] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076f71e40 5 bytes JMP 00000000770d0240 .text C:\Windows\Explorer.EXE[2320] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076f72100 5 bytes JMP 00000000770d01e0 .text C:\Windows\Explorer.EXE[2320] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076f721c0 1 byte JMP 00000000770d0250 .text C:\Windows\Explorer.EXE[2320] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076f721c2 3 bytes {JMP 0x15e090} .text C:\Windows\Explorer.EXE[2320] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076f721f0 5 bytes JMP 00000000770d0490 .text C:\Windows\Explorer.EXE[2320] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076f72200 5 bytes JMP 00000000770d04a0 .text C:\Windows\Explorer.EXE[2320] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076f72230 5 bytes JMP 00000000770d0300 .text C:\Windows\Explorer.EXE[2320] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076f72240 5 bytes JMP 00000000770d0360 .text C:\Windows\Explorer.EXE[2320] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076f722a0 5 bytes JMP 00000000770d02a0 .text C:\Windows\Explorer.EXE[2320] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076f722f0 5 bytes JMP 00000000770d02c0 .text C:\Windows\Explorer.EXE[2320] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076f72320 5 bytes JMP 00000000770d0380 .text C:\Windows\Explorer.EXE[2320] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076f72330 5 bytes JMP 00000000770d0340 .text C:\Windows\Explorer.EXE[2320] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076f72620 5 bytes JMP 00000000770d0440 .text C:\Windows\Explorer.EXE[2320] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076f72820 5 bytes JMP 00000000770d0260 .text C:\Windows\Explorer.EXE[2320] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076f72830 5 bytes JMP 00000000770d0270 .text C:\Windows\Explorer.EXE[2320] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076f72840 5 bytes JMP 00000000770d0400 .text C:\Windows\Explorer.EXE[2320] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076f72a00 5 bytes JMP 00000000770d01f0 .text C:\Windows\Explorer.EXE[2320] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076f72a10 5 bytes JMP 00000000770d0210 .text C:\Windows\Explorer.EXE[2320] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076f72a80 5 bytes JMP 00000000770d0200 .text C:\Windows\Explorer.EXE[2320] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076f72ae0 5 bytes JMP 00000000770d0420 .text C:\Windows\Explorer.EXE[2320] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076f72af0 5 bytes JMP 00000000770d0430 .text C:\Windows\Explorer.EXE[2320] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076f72b00 5 bytes JMP 00000000770d0220 .text C:\Windows\Explorer.EXE[2320] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076f72be0 5 bytes JMP 00000000770d0280 .text C:\Windows\Explorer.EXE[2320] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076d5eecd 1 byte [62] .text C:\Windows\system32\Dwm.exe[2420] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076f713c0 5 bytes JMP 00000000770d0460 .text C:\Windows\system32\Dwm.exe[2420] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076f71410 5 bytes JMP 00000000770d0450 .text C:\Windows\system32\Dwm.exe[2420] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076f71570 5 bytes JMP 00000000770d0370 .text C:\Windows\system32\Dwm.exe[2420] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076f715c0 5 bytes JMP 00000000770d0470 .text C:\Windows\system32\Dwm.exe[2420] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076f715d0 5 bytes JMP 00000000770d03e0 .text C:\Windows\system32\Dwm.exe[2420] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076f71680 5 bytes JMP 00000000770d0320 .text C:\Windows\system32\Dwm.exe[2420] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076f716b0 5 bytes JMP 00000000770d03b0 .text C:\Windows\system32\Dwm.exe[2420] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076f716d0 5 bytes JMP 00000000770d0390 .text C:\Windows\system32\Dwm.exe[2420] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076f71710 5 bytes JMP 00000000770d02e0 .text C:\Windows\system32\Dwm.exe[2420] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076f71790 5 bytes JMP 00000000770d02d0 .text C:\Windows\system32\Dwm.exe[2420] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076f717b0 5 bytes JMP 00000000770d0310 .text C:\Windows\system32\Dwm.exe[2420] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076f717f0 5 bytes JMP 00000000770d03c0 .text C:\Windows\system32\Dwm.exe[2420] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076f71840 5 bytes JMP 00000000770d03f0 .text C:\Windows\system32\Dwm.exe[2420] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076f719a0 1 byte JMP 00000000770d0230 .text C:\Windows\system32\Dwm.exe[2420] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076f719a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\Dwm.exe[2420] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076f71b60 5 bytes JMP 00000000770d0480 .text C:\Windows\system32\Dwm.exe[2420] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076f71b90 5 bytes JMP 00000000770d03a0 .text C:\Windows\system32\Dwm.exe[2420] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076f71c70 5 bytes JMP 00000000770d02f0 .text C:\Windows\system32\Dwm.exe[2420] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076f71c80 5 bytes JMP 00000000770d0350 .text C:\Windows\system32\Dwm.exe[2420] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076f71ce0 5 bytes JMP 00000000770d0290 .text C:\Windows\system32\Dwm.exe[2420] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076f71d70 5 bytes JMP 00000000770d02b0 .text C:\Windows\system32\Dwm.exe[2420] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076f71d90 5 bytes JMP 00000000770d03d0 .text C:\Windows\system32\Dwm.exe[2420] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076f71da0 1 byte JMP 00000000770d0330 .text C:\Windows\system32\Dwm.exe[2420] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076f71da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\Dwm.exe[2420] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076f71e10 5 bytes JMP 00000000770d0410 .text C:\Windows\system32\Dwm.exe[2420] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076f71e40 5 bytes JMP 00000000770d0240 .text C:\Windows\system32\Dwm.exe[2420] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076f72100 5 bytes JMP 00000000770d01e0 .text C:\Windows\system32\Dwm.exe[2420] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076f721c0 1 byte JMP 00000000770d0250 .text C:\Windows\system32\Dwm.exe[2420] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076f721c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\Dwm.exe[2420] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076f721f0 5 bytes JMP 00000000770d0490 .text C:\Windows\system32\Dwm.exe[2420] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076f72200 5 bytes JMP 00000000770d04a0 .text C:\Windows\system32\Dwm.exe[2420] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076f72230 5 bytes JMP 00000000770d0300 .text C:\Windows\system32\Dwm.exe[2420] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076f72240 5 bytes JMP 00000000770d0360 .text C:\Windows\system32\Dwm.exe[2420] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076f722a0 5 bytes JMP 00000000770d02a0 .text C:\Windows\system32\Dwm.exe[2420] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076f722f0 5 bytes JMP 00000000770d02c0 .text C:\Windows\system32\Dwm.exe[2420] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076f72320 5 bytes JMP 00000000770d0380 .text C:\Windows\system32\Dwm.exe[2420] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076f72330 5 bytes JMP 00000000770d0340 .text C:\Windows\system32\Dwm.exe[2420] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076f72620 5 bytes JMP 00000000770d0440 .text C:\Windows\system32\Dwm.exe[2420] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076f72820 5 bytes JMP 00000000770d0260 .text C:\Windows\system32\Dwm.exe[2420] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076f72830 5 bytes JMP 00000000770d0270 .text C:\Windows\system32\Dwm.exe[2420] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076f72840 5 bytes JMP 00000000770d0400 .text C:\Windows\system32\Dwm.exe[2420] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076f72a00 5 bytes JMP 00000000770d01f0 .text C:\Windows\system32\Dwm.exe[2420] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076f72a10 5 bytes JMP 00000000770d0210 .text C:\Windows\system32\Dwm.exe[2420] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076f72a80 5 bytes JMP 00000000770d0200 .text C:\Windows\system32\Dwm.exe[2420] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076f72ae0 5 bytes JMP 00000000770d0420 .text C:\Windows\system32\Dwm.exe[2420] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076f72af0 5 bytes JMP 00000000770d0430 .text C:\Windows\system32\Dwm.exe[2420] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076f72b00 5 bytes JMP 00000000770d0220 .text C:\Windows\system32\Dwm.exe[2420] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076f72be0 5 bytes JMP 00000000770d0280 .text C:\Windows\system32\svchost.exe[2256] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076f713c0 5 bytes JMP 00000000770d0460 .text C:\Windows\system32\svchost.exe[2256] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076f71410 5 bytes JMP 00000000770d0450 .text C:\Windows\system32\svchost.exe[2256] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076f71570 5 bytes JMP 00000000770d0370 .text C:\Windows\system32\svchost.exe[2256] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076f715c0 5 bytes JMP 00000000770d0470 .text C:\Windows\system32\svchost.exe[2256] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076f715d0 5 bytes JMP 00000000770d03e0 .text C:\Windows\system32\svchost.exe[2256] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076f71680 5 bytes JMP 00000000770d0320 .text C:\Windows\system32\svchost.exe[2256] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076f716b0 5 bytes JMP 00000000770d03b0 .text C:\Windows\system32\svchost.exe[2256] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076f716d0 5 bytes JMP 00000000770d0390 .text C:\Windows\system32\svchost.exe[2256] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076f71710 5 bytes JMP 00000000770d02e0 .text C:\Windows\system32\svchost.exe[2256] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076f71790 5 bytes JMP 00000000770d02d0 .text C:\Windows\system32\svchost.exe[2256] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076f717b0 5 bytes JMP 00000000770d0310 .text C:\Windows\system32\svchost.exe[2256] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076f717f0 5 bytes JMP 00000000770d03c0 .text C:\Windows\system32\svchost.exe[2256] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076f71840 5 bytes JMP 00000000770d03f0 .text C:\Windows\system32\svchost.exe[2256] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076f719a0 1 byte JMP 00000000770d0230 .text C:\Windows\system32\svchost.exe[2256] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076f719a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\svchost.exe[2256] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076f71b60 5 bytes JMP 00000000770d0480 .text C:\Windows\system32\svchost.exe[2256] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076f71b90 5 bytes JMP 00000000770d03a0 .text C:\Windows\system32\svchost.exe[2256] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076f71c70 5 bytes JMP 00000000770d02f0 .text C:\Windows\system32\svchost.exe[2256] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076f71c80 5 bytes JMP 00000000770d0350 .text C:\Windows\system32\svchost.exe[2256] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076f71ce0 5 bytes JMP 00000000770d0290 .text C:\Windows\system32\svchost.exe[2256] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076f71d70 5 bytes JMP 00000000770d02b0 .text C:\Windows\system32\svchost.exe[2256] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076f71d90 5 bytes JMP 00000000770d03d0 .text C:\Windows\system32\svchost.exe[2256] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076f71da0 1 byte JMP 00000000770d0330 .text C:\Windows\system32\svchost.exe[2256] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076f71da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\svchost.exe[2256] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076f71e10 5 bytes JMP 00000000770d0410 .text C:\Windows\system32\svchost.exe[2256] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076f71e40 5 bytes JMP 00000000770d0240 .text C:\Windows\system32\svchost.exe[2256] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076f72100 5 bytes JMP 00000000770d01e0 .text C:\Windows\system32\svchost.exe[2256] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076f721c0 1 byte JMP 00000000770d0250 .text C:\Windows\system32\svchost.exe[2256] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076f721c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\svchost.exe[2256] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076f721f0 5 bytes JMP 00000000770d0490 .text C:\Windows\system32\svchost.exe[2256] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076f72200 5 bytes JMP 00000000770d04a0 .text C:\Windows\system32\svchost.exe[2256] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076f72230 5 bytes JMP 00000000770d0300 .text C:\Windows\system32\svchost.exe[2256] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076f72240 5 bytes JMP 00000000770d0360 .text C:\Windows\system32\svchost.exe[2256] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076f722a0 5 bytes JMP 00000000770d02a0 .text C:\Windows\system32\svchost.exe[2256] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076f722f0 5 bytes JMP 00000000770d02c0 .text C:\Windows\system32\svchost.exe[2256] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076f72320 5 bytes JMP 00000000770d0380 .text C:\Windows\system32\svchost.exe[2256] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076f72330 5 bytes JMP 00000000770d0340 .text C:\Windows\system32\svchost.exe[2256] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076f72620 5 bytes JMP 00000000770d0440 .text C:\Windows\system32\svchost.exe[2256] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076f72820 5 bytes JMP 00000000770d0260 .text C:\Windows\system32\svchost.exe[2256] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076f72830 5 bytes JMP 00000000770d0270 .text C:\Windows\system32\svchost.exe[2256] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076f72840 5 bytes JMP 00000000770d0400 .text C:\Windows\system32\svchost.exe[2256] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076f72a00 5 bytes JMP 00000000770d01f0 .text C:\Windows\system32\svchost.exe[2256] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076f72a10 5 bytes JMP 00000000770d0210 .text C:\Windows\system32\svchost.exe[2256] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076f72a80 5 bytes JMP 00000000770d0200 .text C:\Windows\system32\svchost.exe[2256] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076f72ae0 5 bytes JMP 00000000770d0420 .text C:\Windows\system32\svchost.exe[2256] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076f72af0 5 bytes JMP 00000000770d0430 .text C:\Windows\system32\svchost.exe[2256] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076f72b00 5 bytes JMP 00000000770d0220 .text C:\Windows\system32\svchost.exe[2256] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076f72be0 5 bytes JMP 00000000770d0280 .text C:\Windows\system32\svchost.exe[2256] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076d5eecd 1 byte [62] .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2992] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000757ca322 1 byte [62] .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2992] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000770d1465 2 bytes [0D, 77] .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2992] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000770d14bb 2 bytes [0D, 77] .text ... * 2 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[2796] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076f713c0 5 bytes JMP 00000000770d0460 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[2796] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076f71410 5 bytes JMP 00000000770d0450 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[2796] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076f71570 5 bytes JMP 00000000770d0370 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[2796] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076f715c0 5 bytes JMP 00000000770d0470 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[2796] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076f715d0 5 bytes JMP 00000000770d03e0 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[2796] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076f71680 5 bytes JMP 00000000770d0320 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[2796] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076f716b0 5 bytes JMP 00000000770d03b0 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[2796] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076f716d0 5 bytes JMP 00000000770d0390 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[2796] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076f71710 5 bytes JMP 00000000770d02e0 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[2796] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076f71790 5 bytes JMP 00000000770d02d0 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[2796] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076f717b0 5 bytes JMP 00000000770d0310 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[2796] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076f717f0 5 bytes JMP 00000000770d03c0 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[2796] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076f71840 5 bytes JMP 00000000770d03f0 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[2796] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076f719a0 1 byte JMP 00000000770d0230 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[2796] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076f719a2 3 bytes {JMP 0x15e890} .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[2796] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076f71b60 5 bytes JMP 00000000770d0480 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[2796] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076f71b90 5 bytes JMP 00000000770d03a0 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[2796] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076f71c70 5 bytes JMP 00000000770d02f0 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[2796] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076f71c80 5 bytes JMP 00000000770d0350 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[2796] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076f71ce0 5 bytes JMP 00000000770d0290 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[2796] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076f71d70 5 bytes JMP 00000000770d02b0 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[2796] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076f71d90 5 bytes JMP 00000000770d03d0 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[2796] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076f71da0 1 byte JMP 00000000770d0330 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[2796] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076f71da2 3 bytes {JMP 0x15e590} .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[2796] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076f71e10 5 bytes JMP 00000000770d0410 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[2796] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076f71e40 5 bytes JMP 00000000770d0240 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[2796] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076f72100 5 bytes JMP 00000000770d01e0 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[2796] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076f721c0 1 byte JMP 00000000770d0250 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[2796] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076f721c2 3 bytes {JMP 0x15e090} .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[2796] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076f721f0 5 bytes JMP 00000000770d0490 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[2796] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076f72200 5 bytes JMP 00000000770d04a0 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[2796] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076f72230 5 bytes JMP 00000000770d0300 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[2796] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076f72240 5 bytes JMP 00000000770d0360 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[2796] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076f722a0 5 bytes JMP 00000000770d02a0 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[2796] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076f722f0 5 bytes JMP 00000000770d02c0 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[2796] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076f72320 5 bytes JMP 00000000770d0380 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[2796] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076f72330 5 bytes JMP 00000000770d0340 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[2796] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076f72620 5 bytes JMP 00000000770d0440 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[2796] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076f72820 5 bytes JMP 00000000770d0260 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[2796] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076f72830 5 bytes JMP 00000000770d0270 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[2796] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076f72840 5 bytes JMP 00000000770d0400 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[2796] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076f72a00 5 bytes JMP 00000000770d01f0 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[2796] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076f72a10 5 bytes JMP 00000000770d0210 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[2796] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076f72a80 5 bytes JMP 00000000770d0200 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[2796] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076f72ae0 5 bytes JMP 00000000770d0420 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[2796] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076f72af0 5 bytes JMP 00000000770d0430 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[2796] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076f72b00 5 bytes JMP 00000000770d0220 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[2796] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076f72be0 5 bytes JMP 00000000770d0280 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[2796] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076d5eecd 1 byte [62] .text C:\Program Files\Windows Sidebar\sidebar.exe[2956] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076f713c0 5 bytes JMP 0000000100070460 .text C:\Program Files\Windows Sidebar\sidebar.exe[2956] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076f71410 5 bytes JMP 0000000100070450 .text C:\Program Files\Windows Sidebar\sidebar.exe[2956] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076f71570 5 bytes JMP 0000000100070370 .text C:\Program Files\Windows Sidebar\sidebar.exe[2956] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076f715c0 5 bytes JMP 0000000100070470 .text C:\Program Files\Windows Sidebar\sidebar.exe[2956] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076f715d0 5 bytes JMP 00000001000703e0 .text C:\Program Files\Windows Sidebar\sidebar.exe[2956] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076f71680 5 bytes JMP 0000000100070320 .text C:\Program Files\Windows Sidebar\sidebar.exe[2956] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076f716b0 5 bytes JMP 00000001000703b0 .text C:\Program Files\Windows Sidebar\sidebar.exe[2956] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076f716d0 5 bytes JMP 0000000100070390 .text C:\Program Files\Windows Sidebar\sidebar.exe[2956] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076f71710 5 bytes JMP 00000001000702e0 .text C:\Program Files\Windows Sidebar\sidebar.exe[2956] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076f71790 5 bytes JMP 00000001000702d0 .text C:\Program Files\Windows Sidebar\sidebar.exe[2956] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076f717b0 5 bytes JMP 0000000100070310 .text C:\Program Files\Windows Sidebar\sidebar.exe[2956] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076f717f0 5 bytes JMP 00000001000703c0 .text C:\Program Files\Windows Sidebar\sidebar.exe[2956] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076f71840 5 bytes JMP 00000001000703f0 .text C:\Program Files\Windows Sidebar\sidebar.exe[2956] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076f719a0 1 byte JMP 0000000100070230 .text C:\Program Files\Windows Sidebar\sidebar.exe[2956] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076f719a2 3 bytes {JMP 0xffffffff890fe890} .text C:\Program Files\Windows Sidebar\sidebar.exe[2956] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076f71b60 5 bytes JMP 0000000100070480 .text C:\Program Files\Windows Sidebar\sidebar.exe[2956] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076f71b90 5 bytes JMP 00000001000703a0 .text C:\Program Files\Windows Sidebar\sidebar.exe[2956] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076f71c70 5 bytes JMP 00000001000702f0 .text C:\Program Files\Windows Sidebar\sidebar.exe[2956] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076f71c80 5 bytes JMP 0000000100070350 .text C:\Program Files\Windows Sidebar\sidebar.exe[2956] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076f71ce0 5 bytes JMP 0000000100070290 .text C:\Program Files\Windows Sidebar\sidebar.exe[2956] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076f71d70 5 bytes JMP 00000001000702b0 .text C:\Program Files\Windows Sidebar\sidebar.exe[2956] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076f71d90 5 bytes JMP 00000001000703d0 .text C:\Program Files\Windows Sidebar\sidebar.exe[2956] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076f71da0 1 byte JMP 0000000100070330 .text C:\Program Files\Windows Sidebar\sidebar.exe[2956] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076f71da2 3 bytes {JMP 0xffffffff890fe590} .text C:\Program Files\Windows Sidebar\sidebar.exe[2956] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076f71e10 5 bytes JMP 0000000100070410 .text C:\Program Files\Windows Sidebar\sidebar.exe[2956] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076f71e40 5 bytes JMP 0000000100070240 .text C:\Program Files\Windows Sidebar\sidebar.exe[2956] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076f72100 5 bytes JMP 00000001000701e0 .text C:\Program Files\Windows Sidebar\sidebar.exe[2956] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076f721c0 1 byte JMP 0000000100070250 .text C:\Program Files\Windows Sidebar\sidebar.exe[2956] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076f721c2 3 bytes {JMP 0xffffffff890fe090} .text C:\Program Files\Windows Sidebar\sidebar.exe[2956] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076f721f0 5 bytes JMP 0000000100070490 .text C:\Program Files\Windows Sidebar\sidebar.exe[2956] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076f72200 5 bytes JMP 00000001000704a0 .text C:\Program Files\Windows Sidebar\sidebar.exe[2956] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076f72230 5 bytes JMP 0000000100070300 .text C:\Program Files\Windows Sidebar\sidebar.exe[2956] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076f72240 5 bytes JMP 0000000100070360 .text C:\Program Files\Windows Sidebar\sidebar.exe[2956] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076f722a0 5 bytes JMP 00000001000702a0 .text C:\Program Files\Windows Sidebar\sidebar.exe[2956] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076f722f0 5 bytes JMP 00000001000702c0 .text C:\Program Files\Windows Sidebar\sidebar.exe[2956] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076f72320 5 bytes JMP 0000000100070380 .text C:\Program Files\Windows Sidebar\sidebar.exe[2956] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076f72330 5 bytes JMP 0000000100070340 .text C:\Program Files\Windows Sidebar\sidebar.exe[2956] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076f72620 5 bytes JMP 0000000100070440 .text C:\Program Files\Windows Sidebar\sidebar.exe[2956] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076f72820 5 bytes JMP 0000000100070260 .text C:\Program Files\Windows Sidebar\sidebar.exe[2956] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076f72830 5 bytes JMP 0000000100070270 .text C:\Program Files\Windows Sidebar\sidebar.exe[2956] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076f72840 5 bytes JMP 0000000100070400 .text C:\Program Files\Windows Sidebar\sidebar.exe[2956] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076f72a00 5 bytes JMP 00000001000701f0 .text C:\Program Files\Windows Sidebar\sidebar.exe[2956] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076f72a10 5 bytes JMP 0000000100070210 .text C:\Program Files\Windows Sidebar\sidebar.exe[2956] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076f72a80 5 bytes JMP 0000000100070200 .text C:\Program Files\Windows Sidebar\sidebar.exe[2956] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076f72ae0 5 bytes JMP 0000000100070420 .text C:\Program Files\Windows Sidebar\sidebar.exe[2956] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076f72af0 5 bytes JMP 0000000100070430 .text C:\Program Files\Windows Sidebar\sidebar.exe[2956] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076f72b00 5 bytes JMP 0000000100070220 .text C:\Program Files\Windows Sidebar\sidebar.exe[2956] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076f72be0 5 bytes JMP 0000000100070280 .text C:\Program Files\Windows Sidebar\sidebar.exe[2956] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076d5eecd 1 byte [62] .text C:\Program Files\AVAST Software\Avast\avastui.exe[3060] C:\Windows\syswow64\kernel32.dll!SetUnhandledExceptionFilter 00000000757a87c9 8 bytes [31, C0, C2, 04, 00, 90, 90, ...] .text C:\Program Files\AVAST Software\Avast\avastui.exe[3060] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000757ca322 1 byte [62] .text C:\Program Files\AVAST Software\Avast\avastui.exe[3060] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000770d1465 2 bytes [0D, 77] .text C:\Program Files\AVAST Software\Avast\avastui.exe[3060] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000770d14bb 2 bytes [0D, 77] .text ... * 2 .text C:\Windows\system32\SearchIndexer.exe[3452] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076f713c0 5 bytes JMP 00000000770d0460 .text C:\Windows\system32\SearchIndexer.exe[3452] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076f71410 5 bytes JMP 00000000770d0450 .text C:\Windows\system32\SearchIndexer.exe[3452] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076f71570 5 bytes JMP 00000000770d0370 .text C:\Windows\system32\SearchIndexer.exe[3452] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076f715c0 5 bytes JMP 00000000770d0470 .text C:\Windows\system32\SearchIndexer.exe[3452] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076f715d0 5 bytes JMP 00000000770d03e0 .text C:\Windows\system32\SearchIndexer.exe[3452] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076f71680 5 bytes JMP 00000000770d0320 .text C:\Windows\system32\SearchIndexer.exe[3452] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076f716b0 5 bytes JMP 00000000770d03b0 .text C:\Windows\system32\SearchIndexer.exe[3452] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076f716d0 5 bytes JMP 00000000770d0390 .text C:\Windows\system32\SearchIndexer.exe[3452] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076f71710 5 bytes JMP 00000000770d02e0 .text C:\Windows\system32\SearchIndexer.exe[3452] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076f71790 5 bytes JMP 00000000770d02d0 .text C:\Windows\system32\SearchIndexer.exe[3452] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076f717b0 5 bytes JMP 00000000770d0310 .text C:\Windows\system32\SearchIndexer.exe[3452] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076f717f0 5 bytes JMP 00000000770d03c0 .text C:\Windows\system32\SearchIndexer.exe[3452] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076f71840 5 bytes JMP 00000000770d03f0 .text C:\Windows\system32\SearchIndexer.exe[3452] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076f719a0 1 byte JMP 00000000770d0230 .text C:\Windows\system32\SearchIndexer.exe[3452] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076f719a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\SearchIndexer.exe[3452] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076f71b60 5 bytes JMP 00000000770d0480 .text C:\Windows\system32\SearchIndexer.exe[3452] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076f71b90 5 bytes JMP 00000000770d03a0 .text C:\Windows\system32\SearchIndexer.exe[3452] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076f71c70 5 bytes JMP 00000000770d02f0 .text C:\Windows\system32\SearchIndexer.exe[3452] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076f71c80 5 bytes JMP 00000000770d0350 .text C:\Windows\system32\SearchIndexer.exe[3452] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076f71ce0 5 bytes JMP 00000000770d0290 .text C:\Windows\system32\SearchIndexer.exe[3452] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076f71d70 5 bytes JMP 00000000770d02b0 .text C:\Windows\system32\SearchIndexer.exe[3452] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076f71d90 5 bytes JMP 00000000770d03d0 .text C:\Windows\system32\SearchIndexer.exe[3452] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076f71da0 1 byte JMP 00000000770d0330 .text C:\Windows\system32\SearchIndexer.exe[3452] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076f71da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\SearchIndexer.exe[3452] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076f71e10 5 bytes JMP 00000000770d0410 .text C:\Windows\system32\SearchIndexer.exe[3452] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076f71e40 5 bytes JMP 00000000770d0240 .text C:\Windows\system32\SearchIndexer.exe[3452] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076f72100 5 bytes JMP 00000000770d01e0 .text C:\Windows\system32\SearchIndexer.exe[3452] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076f721c0 1 byte JMP 00000000770d0250 .text C:\Windows\system32\SearchIndexer.exe[3452] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076f721c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\SearchIndexer.exe[3452] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076f721f0 5 bytes JMP 00000000770d0490 .text C:\Windows\system32\SearchIndexer.exe[3452] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076f72200 5 bytes JMP 00000000770d04a0 .text C:\Windows\system32\SearchIndexer.exe[3452] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076f72230 5 bytes JMP 00000000770d0300 .text C:\Windows\system32\SearchIndexer.exe[3452] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076f72240 5 bytes JMP 00000000770d0360 .text C:\Windows\system32\SearchIndexer.exe[3452] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076f722a0 5 bytes JMP 00000000770d02a0 .text C:\Windows\system32\SearchIndexer.exe[3452] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076f722f0 5 bytes JMP 00000000770d02c0 .text C:\Windows\system32\SearchIndexer.exe[3452] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076f72320 5 bytes JMP 00000000770d0380 .text C:\Windows\system32\SearchIndexer.exe[3452] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076f72330 5 bytes JMP 00000000770d0340 .text C:\Windows\system32\SearchIndexer.exe[3452] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076f72620 5 bytes JMP 00000000770d0440 .text C:\Windows\system32\SearchIndexer.exe[3452] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076f72820 5 bytes JMP 00000000770d0260 .text C:\Windows\system32\SearchIndexer.exe[3452] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076f72830 5 bytes JMP 00000000770d0270 .text C:\Windows\system32\SearchIndexer.exe[3452] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076f72840 5 bytes JMP 00000000770d0400 .text C:\Windows\system32\SearchIndexer.exe[3452] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076f72a00 5 bytes JMP 00000000770d01f0 .text C:\Windows\system32\SearchIndexer.exe[3452] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076f72a10 5 bytes JMP 00000000770d0210 .text C:\Windows\system32\SearchIndexer.exe[3452] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076f72a80 5 bytes JMP 00000000770d0200 .text C:\Windows\system32\SearchIndexer.exe[3452] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076f72ae0 5 bytes JMP 00000000770d0420 .text C:\Windows\system32\SearchIndexer.exe[3452] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076f72af0 5 bytes JMP 00000000770d0430 .text C:\Windows\system32\SearchIndexer.exe[3452] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076f72b00 5 bytes JMP 00000000770d0220 .text C:\Windows\system32\SearchIndexer.exe[3452] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076f72be0 5 bytes JMP 00000000770d0280 .text C:\Windows\system32\SearchIndexer.exe[3452] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076d5eecd 1 byte [62] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3120] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076d5eecd 1 byte [62] .text C:\Windows\System32\svchost.exe[3396] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076f713c0 5 bytes JMP 00000000770d0460 .text C:\Windows\System32\svchost.exe[3396] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076f71410 5 bytes JMP 00000000770d0450 .text C:\Windows\System32\svchost.exe[3396] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076f71570 5 bytes JMP 00000000770d0370 .text C:\Windows\System32\svchost.exe[3396] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076f715c0 5 bytes JMP 00000000770d0470 .text C:\Windows\System32\svchost.exe[3396] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076f715d0 5 bytes JMP 00000000770d03e0 .text C:\Windows\System32\svchost.exe[3396] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076f71680 5 bytes JMP 00000000770d0320 .text C:\Windows\System32\svchost.exe[3396] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076f716b0 5 bytes JMP 00000000770d03b0 .text C:\Windows\System32\svchost.exe[3396] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076f716d0 5 bytes JMP 00000000770d0390 .text C:\Windows\System32\svchost.exe[3396] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076f71710 5 bytes JMP 00000000770d02e0 .text C:\Windows\System32\svchost.exe[3396] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076f71790 5 bytes JMP 00000000770d02d0 .text C:\Windows\System32\svchost.exe[3396] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076f717b0 5 bytes JMP 00000000770d0310 .text C:\Windows\System32\svchost.exe[3396] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076f717f0 5 bytes JMP 00000000770d03c0 .text C:\Windows\System32\svchost.exe[3396] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076f71840 5 bytes JMP 00000000770d03f0 .text C:\Windows\System32\svchost.exe[3396] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076f719a0 1 byte JMP 00000000770d0230 .text C:\Windows\System32\svchost.exe[3396] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076f719a2 3 bytes {JMP 0x15e890} .text C:\Windows\System32\svchost.exe[3396] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076f71b60 5 bytes JMP 00000000770d0480 .text C:\Windows\System32\svchost.exe[3396] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076f71b90 5 bytes JMP 00000000770d03a0 .text C:\Windows\System32\svchost.exe[3396] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076f71c70 5 bytes JMP 00000000770d02f0 .text C:\Windows\System32\svchost.exe[3396] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076f71c80 5 bytes JMP 00000000770d0350 .text C:\Windows\System32\svchost.exe[3396] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076f71ce0 5 bytes JMP 00000000770d0290 .text C:\Windows\System32\svchost.exe[3396] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076f71d70 5 bytes JMP 00000000770d02b0 .text C:\Windows\System32\svchost.exe[3396] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076f71d90 5 bytes JMP 00000000770d03d0 .text C:\Windows\System32\svchost.exe[3396] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076f71da0 1 byte JMP 00000000770d0330 .text C:\Windows\System32\svchost.exe[3396] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076f71da2 3 bytes {JMP 0x15e590} .text C:\Windows\System32\svchost.exe[3396] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076f71e10 5 bytes JMP 00000000770d0410 .text C:\Windows\System32\svchost.exe[3396] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076f71e40 5 bytes JMP 00000000770d0240 .text C:\Windows\System32\svchost.exe[3396] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076f72100 5 bytes JMP 00000000770d01e0 .text C:\Windows\System32\svchost.exe[3396] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076f721c0 1 byte JMP 00000000770d0250 .text C:\Windows\System32\svchost.exe[3396] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076f721c2 3 bytes {JMP 0x15e090} .text C:\Windows\System32\svchost.exe[3396] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076f721f0 5 bytes JMP 00000000770d0490 .text C:\Windows\System32\svchost.exe[3396] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076f72200 5 bytes JMP 00000000770d04a0 .text C:\Windows\System32\svchost.exe[3396] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076f72230 5 bytes JMP 00000000770d0300 .text C:\Windows\System32\svchost.exe[3396] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076f72240 5 bytes JMP 00000000770d0360 .text C:\Windows\System32\svchost.exe[3396] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076f722a0 5 bytes JMP 00000000770d02a0 .text C:\Windows\System32\svchost.exe[3396] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076f722f0 5 bytes JMP 00000000770d02c0 .text C:\Windows\System32\svchost.exe[3396] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076f72320 5 bytes JMP 00000000770d0380 .text C:\Windows\System32\svchost.exe[3396] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076f72330 5 bytes JMP 00000000770d0340 .text C:\Windows\System32\svchost.exe[3396] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076f72620 5 bytes JMP 00000000770d0440 .text C:\Windows\System32\svchost.exe[3396] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076f72820 5 bytes JMP 00000000770d0260 .text C:\Windows\System32\svchost.exe[3396] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076f72830 5 bytes JMP 00000000770d0270 .text C:\Windows\System32\svchost.exe[3396] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076f72840 5 bytes JMP 00000000770d0400 .text C:\Windows\System32\svchost.exe[3396] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076f72a00 5 bytes JMP 00000000770d01f0 .text C:\Windows\System32\svchost.exe[3396] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076f72a10 5 bytes JMP 00000000770d0210 .text C:\Windows\System32\svchost.exe[3396] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076f72a80 5 bytes JMP 00000000770d0200 .text C:\Windows\System32\svchost.exe[3396] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076f72ae0 5 bytes JMP 00000000770d0420 .text C:\Windows\System32\svchost.exe[3396] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076f72af0 5 bytes JMP 00000000770d0430 .text C:\Windows\System32\svchost.exe[3396] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076f72b00 5 bytes JMP 00000000770d0220 .text C:\Windows\System32\svchost.exe[3396] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076f72be0 5 bytes JMP 00000000770d0280 .text C:\Windows\system32\wbem\wmiprvse.exe[3424] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076d5eecd 1 byte [62] .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[4420] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076f713c0 5 bytes JMP 00000000770d0460 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[4420] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076f71410 5 bytes JMP 00000000770d0450 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[4420] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076f71570 5 bytes JMP 00000000770d0370 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[4420] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076f715c0 5 bytes JMP 00000000770d0470 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[4420] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076f715d0 5 bytes JMP 00000000770d03e0 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[4420] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076f71680 5 bytes JMP 00000000770d0320 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[4420] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076f716b0 5 bytes JMP 00000000770d03b0 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[4420] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076f716d0 5 bytes JMP 00000000770d0390 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[4420] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076f71710 5 bytes JMP 00000000770d02e0 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[4420] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076f71790 5 bytes JMP 00000000770d02d0 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[4420] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076f717b0 5 bytes JMP 00000000770d0310 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[4420] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076f717f0 5 bytes JMP 00000000770d03c0 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[4420] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076f71840 5 bytes JMP 00000000770d03f0 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[4420] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076f719a0 1 byte JMP 00000000770d0230 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[4420] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076f719a2 3 bytes {JMP 0x15e890} .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[4420] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076f71b60 5 bytes JMP 00000000770d0480 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[4420] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076f71b90 5 bytes JMP 00000000770d03a0 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[4420] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076f71c70 5 bytes JMP 00000000770d02f0 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[4420] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076f71c80 5 bytes JMP 00000000770d0350 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[4420] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076f71ce0 5 bytes JMP 00000000770d0290 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[4420] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076f71d70 5 bytes JMP 00000000770d02b0 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[4420] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076f71d90 5 bytes JMP 00000000770d03d0 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[4420] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076f71da0 1 byte JMP 00000000770d0330 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[4420] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076f71da2 3 bytes {JMP 0x15e590} .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[4420] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076f71e10 5 bytes JMP 00000000770d0410 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[4420] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076f71e40 5 bytes JMP 00000000770d0240 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[4420] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076f72100 5 bytes JMP 00000000770d01e0 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[4420] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076f721c0 1 byte JMP 00000000770d0250 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[4420] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076f721c2 3 bytes {JMP 0x15e090} .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[4420] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076f721f0 5 bytes JMP 00000000770d0490 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[4420] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076f72200 5 bytes JMP 00000000770d04a0 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[4420] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076f72230 5 bytes JMP 00000000770d0300 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[4420] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076f72240 5 bytes JMP 00000000770d0360 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[4420] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076f722a0 5 bytes JMP 00000000770d02a0 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[4420] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076f722f0 5 bytes JMP 00000000770d02c0 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[4420] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076f72320 5 bytes JMP 00000000770d0380 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[4420] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076f72330 5 bytes JMP 00000000770d0340 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[4420] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076f72620 5 bytes JMP 00000000770d0440 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[4420] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076f72820 5 bytes JMP 00000000770d0260 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[4420] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076f72830 5 bytes JMP 00000000770d0270 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[4420] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076f72840 5 bytes JMP 00000000770d0400 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[4420] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076f72a00 5 bytes JMP 00000000770d01f0 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[4420] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076f72a10 5 bytes JMP 00000000770d0210 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[4420] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076f72a80 5 bytes JMP 00000000770d0200 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[4420] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076f72ae0 5 bytes JMP 00000000770d0420 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[4420] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076f72af0 5 bytes JMP 00000000770d0430 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[4420] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076f72b00 5 bytes JMP 00000000770d0220 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[4420] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076f72be0 5 bytes JMP 00000000770d0280 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[4420] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076d5eecd 1 byte [62] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4968] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000757ca322 1 byte [62] .text C:\Windows\System32\svchost.exe[3968] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076f713c0 5 bytes JMP 0000000100070460 .text C:\Windows\System32\svchost.exe[3968] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076f71410 5 bytes JMP 0000000100070450 .text C:\Windows\System32\svchost.exe[3968] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076f71570 5 bytes JMP 0000000100070370 .text C:\Windows\System32\svchost.exe[3968] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076f715c0 5 bytes JMP 0000000100070470 .text C:\Windows\System32\svchost.exe[3968] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076f715d0 5 bytes JMP 00000001000703e0 .text C:\Windows\System32\svchost.exe[3968] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076f71680 5 bytes JMP 0000000100070320 .text C:\Windows\System32\svchost.exe[3968] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076f716b0 5 bytes JMP 00000001000703b0 .text C:\Windows\System32\svchost.exe[3968] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076f716d0 5 bytes JMP 0000000100070390 .text C:\Windows\System32\svchost.exe[3968] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076f71710 5 bytes JMP 00000001000702e0 .text C:\Windows\System32\svchost.exe[3968] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076f71790 5 bytes JMP 00000001000702d0 .text C:\Windows\System32\svchost.exe[3968] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076f717b0 5 bytes JMP 0000000100070310 .text C:\Windows\System32\svchost.exe[3968] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076f717f0 5 bytes JMP 00000001000703c0 .text C:\Windows\System32\svchost.exe[3968] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076f71840 5 bytes JMP 00000001000703f0 .text C:\Windows\System32\svchost.exe[3968] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076f719a0 1 byte JMP 0000000100070230 .text C:\Windows\System32\svchost.exe[3968] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076f719a2 3 bytes {JMP 0xffffffff890fe890} .text C:\Windows\System32\svchost.exe[3968] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076f71b60 5 bytes JMP 0000000100070480 .text C:\Windows\System32\svchost.exe[3968] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076f71b90 5 bytes JMP 00000001000703a0 .text C:\Windows\System32\svchost.exe[3968] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076f71c70 5 bytes JMP 00000001000702f0 .text C:\Windows\System32\svchost.exe[3968] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076f71c80 5 bytes JMP 0000000100070350 .text C:\Windows\System32\svchost.exe[3968] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076f71ce0 5 bytes JMP 0000000100070290 .text C:\Windows\System32\svchost.exe[3968] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076f71d70 5 bytes JMP 00000001000702b0 .text C:\Windows\System32\svchost.exe[3968] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076f71d90 5 bytes JMP 00000001000703d0 .text C:\Windows\System32\svchost.exe[3968] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076f71da0 1 byte JMP 0000000100070330 .text C:\Windows\System32\svchost.exe[3968] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076f71da2 3 bytes {JMP 0xffffffff890fe590} .text C:\Windows\System32\svchost.exe[3968] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076f71e10 5 bytes JMP 0000000100070410 .text C:\Windows\System32\svchost.exe[3968] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076f71e40 5 bytes JMP 0000000100070240 .text C:\Windows\System32\svchost.exe[3968] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076f72100 5 bytes JMP 00000001000701e0 .text C:\Windows\System32\svchost.exe[3968] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076f721c0 1 byte JMP 0000000100070250 .text C:\Windows\System32\svchost.exe[3968] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076f721c2 3 bytes {JMP 0xffffffff890fe090} .text C:\Windows\System32\svchost.exe[3968] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076f721f0 5 bytes JMP 0000000100070490 .text C:\Windows\System32\svchost.exe[3968] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076f72200 5 bytes JMP 00000001000704a0 .text C:\Windows\System32\svchost.exe[3968] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076f72230 5 bytes JMP 0000000100070300 .text C:\Windows\System32\svchost.exe[3968] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076f72240 5 bytes JMP 0000000100070360 .text C:\Windows\System32\svchost.exe[3968] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076f722a0 5 bytes JMP 00000001000702a0 .text C:\Windows\System32\svchost.exe[3968] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076f722f0 5 bytes JMP 00000001000702c0 .text C:\Windows\System32\svchost.exe[3968] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076f72320 5 bytes JMP 0000000100070380 .text C:\Windows\System32\svchost.exe[3968] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076f72330 5 bytes JMP 0000000100070340 .text C:\Windows\System32\svchost.exe[3968] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076f72620 5 bytes JMP 0000000100070440 .text C:\Windows\System32\svchost.exe[3968] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076f72820 5 bytes JMP 0000000100070260 .text C:\Windows\System32\svchost.exe[3968] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076f72830 5 bytes JMP 0000000100070270 .text C:\Windows\System32\svchost.exe[3968] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076f72840 5 bytes JMP 0000000100070400 .text C:\Windows\System32\svchost.exe[3968] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076f72a00 5 bytes JMP 00000001000701f0 .text C:\Windows\System32\svchost.exe[3968] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076f72a10 5 bytes JMP 0000000100070210 .text C:\Windows\System32\svchost.exe[3968] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076f72a80 5 bytes JMP 0000000100070200 .text C:\Windows\System32\svchost.exe[3968] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076f72ae0 5 bytes JMP 0000000100070420 .text C:\Windows\System32\svchost.exe[3968] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076f72af0 5 bytes JMP 0000000100070430 .text C:\Windows\System32\svchost.exe[3968] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076f72b00 5 bytes JMP 0000000100070220 .text C:\Windows\System32\svchost.exe[3968] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076f72be0 5 bytes JMP 0000000100070280 .text C:\Windows\System32\svchost.exe[3968] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076d5eecd 1 byte [62] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4536] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000757ca322 1 byte [62] .text C:\Program Files (x86)\Google\Chrome\Application\38.0.2125.101\nacl64.exe[4544] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076f713c0 5 bytes JMP 0000000100070460 .text C:\Program Files (x86)\Google\Chrome\Application\38.0.2125.101\nacl64.exe[4544] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076f71410 5 bytes JMP 0000000100070450 .text C:\Program Files (x86)\Google\Chrome\Application\38.0.2125.101\nacl64.exe[4544] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076f71570 5 bytes JMP 0000000100070370 .text C:\Program Files (x86)\Google\Chrome\Application\38.0.2125.101\nacl64.exe[4544] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076f715c0 5 bytes JMP 0000000100070470 .text C:\Program Files (x86)\Google\Chrome\Application\38.0.2125.101\nacl64.exe[4544] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076f715d0 5 bytes JMP 00000001000703e0 .text C:\Program Files (x86)\Google\Chrome\Application\38.0.2125.101\nacl64.exe[4544] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076f71680 5 bytes JMP 0000000100070320 .text C:\Program Files (x86)\Google\Chrome\Application\38.0.2125.101\nacl64.exe[4544] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076f716b0 5 bytes JMP 00000001000703b0 .text C:\Program Files (x86)\Google\Chrome\Application\38.0.2125.101\nacl64.exe[4544] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076f716d0 5 bytes JMP 0000000100070390 .text C:\Program Files (x86)\Google\Chrome\Application\38.0.2125.101\nacl64.exe[4544] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076f71710 5 bytes JMP 00000001000702e0 .text C:\Program Files (x86)\Google\Chrome\Application\38.0.2125.101\nacl64.exe[4544] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076f71790 5 bytes JMP 00000001000702d0 .text C:\Program Files (x86)\Google\Chrome\Application\38.0.2125.101\nacl64.exe[4544] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076f717b0 5 bytes JMP 0000000100070310 .text C:\Program Files (x86)\Google\Chrome\Application\38.0.2125.101\nacl64.exe[4544] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076f717f0 5 bytes JMP 00000001000703c0 .text C:\Program Files (x86)\Google\Chrome\Application\38.0.2125.101\nacl64.exe[4544] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076f71840 5 bytes JMP 00000001000703f0 .text C:\Program Files (x86)\Google\Chrome\Application\38.0.2125.101\nacl64.exe[4544] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076f719a0 1 byte JMP 0000000100070230 .text C:\Program Files (x86)\Google\Chrome\Application\38.0.2125.101\nacl64.exe[4544] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076f719a2 3 bytes {JMP 0xffffffff890fe890} .text C:\Program Files (x86)\Google\Chrome\Application\38.0.2125.101\nacl64.exe[4544] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076f71b60 5 bytes JMP 0000000100070480 .text C:\Program Files (x86)\Google\Chrome\Application\38.0.2125.101\nacl64.exe[4544] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076f71b90 5 bytes JMP 00000001000703a0 .text C:\Program Files (x86)\Google\Chrome\Application\38.0.2125.101\nacl64.exe[4544] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076f71c70 5 bytes JMP 00000001000702f0 .text C:\Program Files (x86)\Google\Chrome\Application\38.0.2125.101\nacl64.exe[4544] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076f71c80 5 bytes JMP 0000000100070350 .text C:\Program Files (x86)\Google\Chrome\Application\38.0.2125.101\nacl64.exe[4544] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076f71ce0 5 bytes JMP 0000000100070290 .text C:\Program Files (x86)\Google\Chrome\Application\38.0.2125.101\nacl64.exe[4544] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076f71d70 5 bytes JMP 00000001000702b0 .text C:\Program Files (x86)\Google\Chrome\Application\38.0.2125.101\nacl64.exe[4544] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076f71d90 5 bytes JMP 00000001000703d0 .text C:\Program Files (x86)\Google\Chrome\Application\38.0.2125.101\nacl64.exe[4544] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076f71da0 1 byte JMP 0000000100070330 .text C:\Program Files (x86)\Google\Chrome\Application\38.0.2125.101\nacl64.exe[4544] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076f71da2 3 bytes {JMP 0xffffffff890fe590} .text C:\Program Files (x86)\Google\Chrome\Application\38.0.2125.101\nacl64.exe[4544] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076f71e10 5 bytes JMP 0000000100070410 .text C:\Program Files (x86)\Google\Chrome\Application\38.0.2125.101\nacl64.exe[4544] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076f71e40 5 bytes JMP 0000000100070240 .text C:\Program Files (x86)\Google\Chrome\Application\38.0.2125.101\nacl64.exe[4544] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076f72100 5 bytes JMP 00000001000701e0 .text C:\Program Files (x86)\Google\Chrome\Application\38.0.2125.101\nacl64.exe[4544] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076f721c0 1 byte JMP 0000000100070250 .text C:\Program Files (x86)\Google\Chrome\Application\38.0.2125.101\nacl64.exe[4544] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076f721c2 3 bytes {JMP 0xffffffff890fe090} .text C:\Program Files (x86)\Google\Chrome\Application\38.0.2125.101\nacl64.exe[4544] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076f721f0 5 bytes JMP 0000000100070490 .text C:\Program Files (x86)\Google\Chrome\Application\38.0.2125.101\nacl64.exe[4544] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076f72200 5 bytes JMP 00000001000704a0 .text C:\Program Files (x86)\Google\Chrome\Application\38.0.2125.101\nacl64.exe[4544] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076f72230 5 bytes JMP 0000000100070300 .text C:\Program Files (x86)\Google\Chrome\Application\38.0.2125.101\nacl64.exe[4544] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076f72240 5 bytes JMP 0000000100070360 .text C:\Program Files (x86)\Google\Chrome\Application\38.0.2125.101\nacl64.exe[4544] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076f722a0 5 bytes JMP 00000001000702a0 .text C:\Program Files (x86)\Google\Chrome\Application\38.0.2125.101\nacl64.exe[4544] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076f722f0 5 bytes JMP 00000001000702c0 .text C:\Program Files (x86)\Google\Chrome\Application\38.0.2125.101\nacl64.exe[4544] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076f72320 5 bytes JMP 0000000100070380 .text C:\Program Files (x86)\Google\Chrome\Application\38.0.2125.101\nacl64.exe[4544] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076f72330 5 bytes JMP 0000000100070340 .text C:\Program Files (x86)\Google\Chrome\Application\38.0.2125.101\nacl64.exe[4544] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076f72620 5 bytes JMP 0000000100070440 .text C:\Program Files (x86)\Google\Chrome\Application\38.0.2125.101\nacl64.exe[4544] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076f72820 5 bytes JMP 0000000100070260 .text C:\Program Files (x86)\Google\Chrome\Application\38.0.2125.101\nacl64.exe[4544] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076f72830 5 bytes JMP 0000000100070270 .text C:\Program Files (x86)\Google\Chrome\Application\38.0.2125.101\nacl64.exe[4544] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076f72840 5 bytes JMP 0000000100070400 .text C:\Program Files (x86)\Google\Chrome\Application\38.0.2125.101\nacl64.exe[4544] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076f72a00 5 bytes JMP 00000001000701f0 .text C:\Program Files (x86)\Google\Chrome\Application\38.0.2125.101\nacl64.exe[4544] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076f72a10 5 bytes JMP 0000000100070210 .text C:\Program Files (x86)\Google\Chrome\Application\38.0.2125.101\nacl64.exe[4544] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076f72a80 5 bytes JMP 0000000100070200 .text C:\Program Files (x86)\Google\Chrome\Application\38.0.2125.101\nacl64.exe[4544] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076f72ae0 5 bytes JMP 0000000100070420 .text C:\Program Files (x86)\Google\Chrome\Application\38.0.2125.101\nacl64.exe[4544] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076f72af0 5 bytes JMP 0000000100070430 .text C:\Program Files (x86)\Google\Chrome\Application\38.0.2125.101\nacl64.exe[4544] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076f72b00 5 bytes JMP 0000000100070220 .text C:\Program Files (x86)\Google\Chrome\Application\38.0.2125.101\nacl64.exe[4544] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076f72be0 5 bytes JMP 0000000100070280 .text C:\Windows\system32\AUDIODG.EXE[5044] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076f713c0 5 bytes JMP 00000000770d0460 .text C:\Windows\system32\AUDIODG.EXE[5044] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076f71410 5 bytes JMP 00000000770d0450 .text C:\Windows\system32\AUDIODG.EXE[5044] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076f71570 5 bytes JMP 00000000770d0370 .text C:\Windows\system32\AUDIODG.EXE[5044] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076f715c0 5 bytes JMP 00000000770d0470 .text C:\Windows\system32\AUDIODG.EXE[5044] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076f715d0 5 bytes JMP 00000000770d03e0 .text C:\Windows\system32\AUDIODG.EXE[5044] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076f71680 5 bytes JMP 00000000770d0320 .text C:\Windows\system32\AUDIODG.EXE[5044] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076f716b0 5 bytes JMP 00000000770d03b0 .text C:\Windows\system32\AUDIODG.EXE[5044] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076f716d0 5 bytes JMP 00000000770d0390 .text C:\Windows\system32\AUDIODG.EXE[5044] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076f71710 5 bytes JMP 00000000770d02e0 .text C:\Windows\system32\AUDIODG.EXE[5044] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076f71790 5 bytes JMP 00000000770d02d0 .text C:\Windows\system32\AUDIODG.EXE[5044] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076f717b0 5 bytes JMP 00000000770d0310 .text C:\Windows\system32\AUDIODG.EXE[5044] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076f717f0 5 bytes JMP 00000000770d03c0 .text C:\Windows\system32\AUDIODG.EXE[5044] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076f71840 5 bytes JMP 00000000770d03f0 .text C:\Windows\system32\AUDIODG.EXE[5044] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076f719a0 1 byte JMP 00000000770d0230 .text C:\Windows\system32\AUDIODG.EXE[5044] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076f719a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\AUDIODG.EXE[5044] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076f71b60 5 bytes JMP 00000000770d0480 .text C:\Windows\system32\AUDIODG.EXE[5044] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076f71b90 5 bytes JMP 00000000770d03a0 .text C:\Windows\system32\AUDIODG.EXE[5044] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076f71c70 5 bytes JMP 00000000770d02f0 .text C:\Windows\system32\AUDIODG.EXE[5044] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076f71c80 5 bytes JMP 00000000770d0350 .text C:\Windows\system32\AUDIODG.EXE[5044] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076f71ce0 5 bytes JMP 00000000770d0290 .text C:\Windows\system32\AUDIODG.EXE[5044] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076f71d70 5 bytes JMP 00000000770d02b0 .text C:\Windows\system32\AUDIODG.EXE[5044] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076f71d90 5 bytes JMP 00000000770d03d0 .text C:\Windows\system32\AUDIODG.EXE[5044] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076f71da0 1 byte JMP 00000000770d0330 .text C:\Windows\system32\AUDIODG.EXE[5044] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076f71da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\AUDIODG.EXE[5044] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076f71e10 5 bytes JMP 00000000770d0410 .text C:\Windows\system32\AUDIODG.EXE[5044] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076f71e40 5 bytes JMP 00000000770d0240 .text C:\Windows\system32\AUDIODG.EXE[5044] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076f72100 5 bytes JMP 00000000770d01e0 .text C:\Windows\system32\AUDIODG.EXE[5044] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076f721c0 1 byte JMP 00000000770d0250 .text C:\Windows\system32\AUDIODG.EXE[5044] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076f721c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\AUDIODG.EXE[5044] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076f721f0 5 bytes JMP 00000000770d0490 .text C:\Windows\system32\AUDIODG.EXE[5044] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076f72200 5 bytes JMP 00000000770d04a0 .text C:\Windows\system32\AUDIODG.EXE[5044] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076f72230 5 bytes JMP 00000000770d0300 .text C:\Windows\system32\AUDIODG.EXE[5044] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076f72240 5 bytes JMP 00000000770d0360 .text C:\Windows\system32\AUDIODG.EXE[5044] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076f722a0 5 bytes JMP 00000000770d02a0 .text C:\Windows\system32\AUDIODG.EXE[5044] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076f722f0 5 bytes JMP 00000000770d02c0 .text C:\Windows\system32\AUDIODG.EXE[5044] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076f72320 5 bytes JMP 00000000770d0380 .text C:\Windows\system32\AUDIODG.EXE[5044] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076f72330 5 bytes JMP 00000000770d0340 .text C:\Windows\system32\AUDIODG.EXE[5044] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076f72620 5 bytes JMP 00000000770d0440 .text C:\Windows\system32\AUDIODG.EXE[5044] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076f72820 5 bytes JMP 00000000770d0260 .text C:\Windows\system32\AUDIODG.EXE[5044] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076f72830 5 bytes JMP 00000000770d0270 .text C:\Windows\system32\AUDIODG.EXE[5044] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076f72840 5 bytes JMP 00000000770d0400 .text C:\Windows\system32\AUDIODG.EXE[5044] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076f72a00 5 bytes JMP 00000000770d01f0 .text C:\Windows\system32\AUDIODG.EXE[5044] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076f72a10 5 bytes JMP 00000000770d0210 .text C:\Windows\system32\AUDIODG.EXE[5044] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076f72a80 5 bytes JMP 00000000770d0200 .text C:\Windows\system32\AUDIODG.EXE[5044] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076f72ae0 5 bytes JMP 00000000770d0420 .text C:\Windows\system32\AUDIODG.EXE[5044] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076f72af0 5 bytes JMP 00000000770d0430 .text C:\Windows\system32\AUDIODG.EXE[5044] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076f72b00 5 bytes JMP 00000000770d0220 .text C:\Windows\system32\AUDIODG.EXE[5044] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076f72be0 5 bytes JMP 00000000770d0280 .text C:\Windows\system32\AUDIODG.EXE[5044] C:\Windows\System32\kernel32.dll!GetBinaryTypeW + 189 0000000076d5eecd 1 byte [62] .text C:\Users\Toradora\Desktop\gmer.exe[4416] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000757ca322 1 byte [62] ---- Threads - GMER 2.1 ---- Thread C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [4312:4364] 0000000074cc7587 Thread C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [4312:4368] 0000000068030cb3 Thread C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [4312:4408] 00000000771441f3 Thread C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [4312:3612] 0000000077146679 Thread C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [4312:2948] 0000000077146679 ---- EOF - GMER 2.1 ----