GMER 2.1.19163 - http://www.gmer.net Rootkit scan 2013-05-19 16:41:05 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\0000005c ST316081 rev.3.AA 149,05GB Running: 7zfycb2y.exe; Driver: C:\Users\Daniel\AppData\Local\Temp\kwrdrpog.sys ---- User code sections - GMER 2.1 ---- .text C:\Windows\system32\csrss.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076d913c0 5 bytes JMP 0000000149a40470 .text C:\Windows\system32\csrss.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076d91410 5 bytes JMP 0000000149a40460 .text C:\Windows\system32\csrss.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076d91570 5 bytes JMP 0000000149a40370 .text C:\Windows\system32\csrss.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076d915c0 5 bytes JMP 0000000149a40480 .text C:\Windows\system32\csrss.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076d915d0 5 bytes JMP 0000000149a403e0 .text C:\Windows\system32\csrss.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076d91680 5 bytes JMP 0000000149a40320 .text C:\Windows\system32\csrss.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076d916b0 5 bytes JMP 0000000149a403b0 .text C:\Windows\system32\csrss.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076d916d0 5 bytes JMP 0000000149a40390 .text C:\Windows\system32\csrss.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076d91710 5 bytes JMP 0000000149a402e0 .text C:\Windows\system32\csrss.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076d91760 5 bytes JMP 0000000149a40440 .text C:\Windows\system32\csrss.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076d91790 5 bytes JMP 0000000149a402d0 .text C:\Windows\system32\csrss.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076d917b0 5 bytes JMP 0000000149a40310 .text C:\Windows\system32\csrss.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 
0000000076d917f0 5 bytes JMP 0000000149a403c0 .text C:\Windows\system32\csrss.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076d91840 5 bytes JMP 0000000149a403f0 .text C:\Windows\system32\csrss.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076d919a0 1 byte JMP 0000000149a40230 .text C:\Windows\system32\csrss.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076d919a2 3 bytes {JMP 0xffffffffd2cae890} .text C:\Windows\system32\csrss.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076d91b60 5 bytes JMP 0000000149a40490 .text C:\Windows\system32\csrss.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076d91b90 5 bytes JMP 0000000149a403a0 .text C:\Windows\system32\csrss.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076d91c70 5 bytes JMP 0000000149a402f0 .text C:\Windows\system32\csrss.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076d91c80 5 bytes JMP 0000000149a40350 .text C:\Windows\system32\csrss.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076d91ce0 5 bytes JMP 0000000149a40290 .text C:\Windows\system32\csrss.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076d91d70 5 bytes JMP 0000000149a402b0 .text C:\Windows\system32\csrss.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076d91d90 5 bytes JMP 0000000149a403d0 .text C:\Windows\system32\csrss.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076d91da0 1 byte JMP 0000000149a40330 .text C:\Windows\system32\csrss.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076d91da2 3 bytes {JMP 0xffffffffd2cae590} .text C:\Windows\system32\csrss.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076d91e10 5 bytes JMP 0000000149a40410 .text C:\Windows\system32\csrss.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076d91e40 5 bytes JMP 0000000149a40240 .text C:\Windows\system32\csrss.exe[444] 
C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076d92100 5 bytes JMP 0000000149a401e0 .text C:\Windows\system32\csrss.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076d921c0 1 byte JMP 0000000149a40250 .text C:\Windows\system32\csrss.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076d921c2 3 bytes {JMP 0xffffffffd2cae090} .text C:\Windows\system32\csrss.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076d921f0 5 bytes JMP 0000000149a404a0 .text C:\Windows\system32\csrss.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076d92200 5 bytes JMP 0000000149a404b0 .text C:\Windows\system32\csrss.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076d92230 5 bytes JMP 0000000149a40300 .text C:\Windows\system32\csrss.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076d92240 5 bytes JMP 0000000149a40360 .text C:\Windows\system32\csrss.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076d922a0 5 bytes JMP 0000000149a402a0 .text C:\Windows\system32\csrss.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076d922f0 5 bytes JMP 0000000149a402c0 .text C:\Windows\system32\csrss.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076d92320 5 bytes JMP 0000000149a40380 .text C:\Windows\system32\csrss.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076d92330 5 bytes JMP 0000000149a40340 .text C:\Windows\system32\csrss.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076d92620 5 bytes JMP 0000000149a40450 .text C:\Windows\system32\csrss.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076d92820 5 bytes JMP 0000000149a40260 .text C:\Windows\system32\csrss.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076d92830 5 bytes JMP 0000000149a40270 .text C:\Windows\system32\csrss.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076d92840 5 bytes JMP 0000000149a40400 .text 
C:\Windows\system32\csrss.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076d92a00 5 bytes JMP 0000000149a401f0 .text C:\Windows\system32\csrss.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076d92a10 5 bytes JMP 0000000149a40210 .text C:\Windows\system32\csrss.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076d92a80 5 bytes JMP 0000000149a40200 .text C:\Windows\system32\csrss.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076d92ae0 5 bytes JMP 0000000149a40420 .text C:\Windows\system32\csrss.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076d92af0 5 bytes JMP 0000000149a40430 .text C:\Windows\system32\csrss.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076d92b00 5 bytes JMP 0000000149a40220 .text C:\Windows\system32\csrss.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076d92be0 5 bytes JMP 0000000149a40280 .text C:\Windows\system32\wininit.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076d913c0 5 bytes JMP 0000000076ef0470 .text C:\Windows\system32\wininit.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076d91410 5 bytes JMP 0000000076ef0460 .text C:\Windows\system32\wininit.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076d91570 5 bytes JMP 0000000076ef0370 .text C:\Windows\system32\wininit.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076d915c0 5 bytes JMP 0000000076ef0480 .text C:\Windows\system32\wininit.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076d915d0 5 bytes JMP 0000000076ef03e0 .text C:\Windows\system32\wininit.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076d91680 5 bytes JMP 0000000076ef0320 .text C:\Windows\system32\wininit.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076d916b0 5 bytes JMP 0000000076ef03b0 .text C:\Windows\system32\wininit.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 
0000000076d916d0 5 bytes JMP 0000000076ef0390 .text C:\Windows\system32\wininit.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076d91710 5 bytes JMP 0000000076ef02e0 .text C:\Windows\system32\wininit.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076d91760 5 bytes JMP 0000000076ef0440 .text C:\Windows\system32\wininit.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076d91790 5 bytes JMP 0000000076ef02d0 .text C:\Windows\system32\wininit.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076d917b0 5 bytes JMP 0000000076ef0310 .text C:\Windows\system32\wininit.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076d917f0 5 bytes JMP 0000000076ef03c0 .text C:\Windows\system32\wininit.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076d91840 5 bytes JMP 0000000076ef03f0 .text C:\Windows\system32\wininit.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076d919a0 1 byte JMP 0000000076ef0230 .text C:\Windows\system32\wininit.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076d919a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\wininit.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076d91b60 5 bytes JMP 0000000076ef0490 .text C:\Windows\system32\wininit.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076d91b90 5 bytes JMP 0000000076ef03a0 .text C:\Windows\system32\wininit.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076d91c70 5 bytes JMP 0000000076ef02f0 .text C:\Windows\system32\wininit.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076d91c80 5 bytes JMP 0000000076ef0350 .text C:\Windows\system32\wininit.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076d91ce0 5 bytes JMP 0000000076ef0290 .text C:\Windows\system32\wininit.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076d91d70 5 bytes JMP 0000000076ef02b0 .text C:\Windows\system32\wininit.exe[484] 
C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076d91d90 5 bytes JMP 0000000076ef03d0 .text C:\Windows\system32\wininit.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076d91da0 1 byte JMP 0000000076ef0330 .text C:\Windows\system32\wininit.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076d91da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\wininit.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076d91e10 5 bytes JMP 0000000076ef0410 .text C:\Windows\system32\wininit.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076d91e40 5 bytes JMP 0000000076ef0240 .text C:\Windows\system32\wininit.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076d92100 5 bytes JMP 0000000076ef01e0 .text C:\Windows\system32\wininit.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076d921c0 1 byte JMP 0000000076ef0250 .text C:\Windows\system32\wininit.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076d921c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\wininit.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076d921f0 5 bytes JMP 0000000076ef04a0 .text C:\Windows\system32\wininit.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076d92200 5 bytes JMP 0000000076ef04b0 .text C:\Windows\system32\wininit.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076d92230 5 bytes JMP 0000000076ef0300 .text C:\Windows\system32\wininit.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076d92240 5 bytes JMP 0000000076ef0360 .text C:\Windows\system32\wininit.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076d922a0 5 bytes JMP 0000000076ef02a0 .text C:\Windows\system32\wininit.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076d922f0 5 bytes JMP 0000000076ef02c0 .text C:\Windows\system32\wininit.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076d92320 5 bytes JMP 0000000076ef0380 .text 
C:\Windows\system32\wininit.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076d92330 5 bytes JMP 0000000076ef0340 .text C:\Windows\system32\wininit.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076d92620 5 bytes JMP 0000000076ef0450 .text C:\Windows\system32\wininit.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076d92820 5 bytes JMP 0000000076ef0260 .text C:\Windows\system32\wininit.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076d92830 5 bytes JMP 0000000076ef0270 .text C:\Windows\system32\wininit.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076d92840 5 bytes JMP 0000000076ef0400 .text C:\Windows\system32\wininit.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076d92a00 5 bytes JMP 0000000076ef01f0 .text C:\Windows\system32\wininit.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076d92a10 5 bytes JMP 0000000076ef0210 .text C:\Windows\system32\wininit.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076d92a80 5 bytes JMP 0000000076ef0200 .text C:\Windows\system32\wininit.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076d92ae0 5 bytes JMP 0000000076ef0420 .text C:\Windows\system32\wininit.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076d92af0 5 bytes JMP 0000000076ef0430 .text C:\Windows\system32\wininit.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076d92b00 5 bytes JMP 0000000076ef0220 .text C:\Windows\system32\wininit.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076d92be0 5 bytes JMP 0000000076ef0280 .text C:\Windows\system32\wininit.exe[484] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000768ceecd 1 byte [62] .text C:\Windows\system32\csrss.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076d913c0 5 bytes JMP 0000000149a40470 .text C:\Windows\system32\csrss.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 
0000000076d91410 5 bytes JMP 0000000149a40460 .text C:\Windows\system32\csrss.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076d91570 5 bytes JMP 0000000149a40370 .text C:\Windows\system32\csrss.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076d915c0 5 bytes JMP 0000000149a40480 .text C:\Windows\system32\csrss.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076d915d0 5 bytes JMP 0000000149a403e0 .text C:\Windows\system32\csrss.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076d91680 5 bytes JMP 0000000149a40320 .text C:\Windows\system32\csrss.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076d916b0 5 bytes JMP 0000000149a403b0 .text C:\Windows\system32\csrss.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076d916d0 5 bytes JMP 0000000149a40390 .text C:\Windows\system32\csrss.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076d91710 5 bytes JMP 0000000149a402e0 .text C:\Windows\system32\csrss.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076d91760 5 bytes JMP 0000000149a40440 .text C:\Windows\system32\csrss.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076d91790 5 bytes JMP 0000000149a402d0 .text C:\Windows\system32\csrss.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076d917b0 5 bytes JMP 0000000149a40310 .text C:\Windows\system32\csrss.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076d917f0 5 bytes JMP 0000000149a403c0 .text C:\Windows\system32\csrss.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076d91840 5 bytes JMP 0000000149a403f0 .text C:\Windows\system32\csrss.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076d919a0 1 byte JMP 0000000149a40230 .text C:\Windows\system32\csrss.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076d919a2 3 bytes {JMP 0xffffffffd2cae890} .text C:\Windows\system32\csrss.exe[520] 
C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076d91b60 5 bytes JMP 0000000149a40490 .text C:\Windows\system32\csrss.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076d91b90 5 bytes JMP 0000000149a403a0 .text C:\Windows\system32\csrss.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076d91c70 5 bytes JMP 0000000149a402f0 .text C:\Windows\system32\csrss.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076d91c80 5 bytes JMP 0000000149a40350 .text C:\Windows\system32\csrss.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076d91ce0 5 bytes JMP 0000000149a40290 .text C:\Windows\system32\csrss.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076d91d70 5 bytes JMP 0000000149a402b0 .text C:\Windows\system32\csrss.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076d91d90 5 bytes JMP 0000000149a403d0 .text C:\Windows\system32\csrss.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076d91da0 1 byte JMP 0000000149a40330 .text C:\Windows\system32\csrss.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076d91da2 3 bytes {JMP 0xffffffffd2cae590} .text C:\Windows\system32\csrss.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076d91e10 5 bytes JMP 0000000149a40410 .text C:\Windows\system32\csrss.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076d91e40 5 bytes JMP 0000000149a40240 .text C:\Windows\system32\csrss.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076d92100 5 bytes JMP 0000000149a401e0 .text C:\Windows\system32\csrss.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076d921c0 1 byte JMP 0000000149a40250 .text C:\Windows\system32\csrss.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076d921c2 3 bytes {JMP 0xffffffffd2cae090} .text C:\Windows\system32\csrss.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076d921f0 5 bytes JMP 
0000000149a404a0 .text C:\Windows\system32\csrss.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076d92200 5 bytes JMP 0000000149a404b0 .text C:\Windows\system32\csrss.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076d92230 5 bytes JMP 0000000149a40300 .text C:\Windows\system32\csrss.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076d92240 5 bytes JMP 0000000149a40360 .text C:\Windows\system32\csrss.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076d922a0 5 bytes JMP 0000000149a402a0 .text C:\Windows\system32\csrss.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076d922f0 5 bytes JMP 0000000149a402c0 .text C:\Windows\system32\csrss.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076d92320 5 bytes JMP 0000000149a40380 .text C:\Windows\system32\csrss.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076d92330 5 bytes JMP 0000000149a40340 .text C:\Windows\system32\csrss.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076d92620 5 bytes JMP 0000000149a40450 .text C:\Windows\system32\csrss.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076d92820 5 bytes JMP 0000000149a40260 .text C:\Windows\system32\csrss.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076d92830 5 bytes JMP 0000000149a40270 .text C:\Windows\system32\csrss.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076d92840 5 bytes JMP 0000000149a40400 .text C:\Windows\system32\csrss.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076d92a00 5 bytes JMP 0000000149a401f0 .text C:\Windows\system32\csrss.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076d92a10 5 bytes JMP 0000000149a40210 .text C:\Windows\system32\csrss.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076d92a80 5 bytes JMP 0000000149a40200 .text C:\Windows\system32\csrss.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 
0000000076d92ae0 5 bytes JMP 0000000149a40420 .text C:\Windows\system32\csrss.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076d92af0 5 bytes JMP 0000000149a40430 .text C:\Windows\system32\csrss.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076d92b00 5 bytes JMP 0000000149a40220 .text C:\Windows\system32\csrss.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076d92be0 5 bytes JMP 0000000149a40280 .text C:\Windows\system32\services.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076d913c0 5 bytes JMP 0000000100070470 .text C:\Windows\system32\services.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076d91410 5 bytes JMP 0000000100070460 .text C:\Windows\system32\services.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076d91570 5 bytes JMP 0000000100070370 .text C:\Windows\system32\services.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076d915c0 5 bytes JMP 0000000100070480 .text C:\Windows\system32\services.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076d915d0 5 bytes JMP 00000001000703e0 .text C:\Windows\system32\services.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076d91680 5 bytes JMP 0000000100070320 .text C:\Windows\system32\services.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076d916b0 5 bytes JMP 00000001000703b0 .text C:\Windows\system32\services.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076d916d0 5 bytes JMP 0000000100070390 .text C:\Windows\system32\services.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076d91710 5 bytes JMP 00000001000702e0 .text C:\Windows\system32\services.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076d91760 5 bytes JMP 0000000100070440 .text C:\Windows\system32\services.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076d91790 5 bytes JMP 00000001000702d0 .text 
C:\Windows\system32\services.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076d917b0 5 bytes JMP 0000000100070310 .text C:\Windows\system32\services.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076d917f0 5 bytes JMP 00000001000703c0 .text C:\Windows\system32\services.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076d91840 5 bytes JMP 00000001000703f0 .text C:\Windows\system32\services.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076d919a0 1 byte JMP 0000000100070230 .text C:\Windows\system32\services.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076d919a2 3 bytes {JMP 0xffffffff892de890} .text C:\Windows\system32\services.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076d91b60 5 bytes JMP 0000000100070490 .text C:\Windows\system32\services.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076d91b90 5 bytes JMP 00000001000703a0 .text C:\Windows\system32\services.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076d91c70 5 bytes JMP 00000001000702f0 .text C:\Windows\system32\services.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076d91c80 5 bytes JMP 0000000100070350 .text C:\Windows\system32\services.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076d91ce0 5 bytes JMP 0000000100070290 .text C:\Windows\system32\services.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076d91d70 5 bytes JMP 00000001000702b0 .text C:\Windows\system32\services.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076d91d90 5 bytes JMP 00000001000703d0 .text C:\Windows\system32\services.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076d91da0 1 byte JMP 0000000100070330 .text C:\Windows\system32\services.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076d91da2 3 bytes {JMP 0xffffffff892de590} .text C:\Windows\system32\services.exe[548] 
C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076d91e10 5 bytes JMP 0000000100070410 .text C:\Windows\system32\services.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076d91e40 5 bytes JMP 0000000100070240 .text C:\Windows\system32\services.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076d92100 5 bytes JMP 00000001000701e0 .text C:\Windows\system32\services.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076d921c0 1 byte JMP 0000000100070250 .text C:\Windows\system32\services.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076d921c2 3 bytes {JMP 0xffffffff892de090} .text C:\Windows\system32\services.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076d921f0 5 bytes JMP 00000001000704a0 .text C:\Windows\system32\services.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076d92200 5 bytes JMP 00000001000704b0 .text C:\Windows\system32\services.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076d92230 5 bytes JMP 0000000100070300 .text C:\Windows\system32\services.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076d92240 5 bytes JMP 0000000100070360 .text C:\Windows\system32\services.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076d922a0 5 bytes JMP 00000001000702a0 .text C:\Windows\system32\services.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076d922f0 5 bytes JMP 00000001000702c0 .text C:\Windows\system32\services.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076d92320 5 bytes JMP 0000000100070380 .text C:\Windows\system32\services.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076d92330 5 bytes JMP 0000000100070340 .text C:\Windows\system32\services.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076d92620 5 bytes JMP 0000000100070450 .text C:\Windows\system32\services.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076d92820 5 
bytes JMP 0000000100070260 .text C:\Windows\system32\services.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076d92830 5 bytes JMP 0000000100070270 .text C:\Windows\system32\services.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076d92840 5 bytes JMP 0000000100070400 .text C:\Windows\system32\services.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076d92a00 5 bytes JMP 00000001000701f0 .text C:\Windows\system32\services.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076d92a10 5 bytes JMP 0000000100070210 .text C:\Windows\system32\services.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076d92a80 5 bytes JMP 0000000100070200 .text C:\Windows\system32\services.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076d92ae0 5 bytes JMP 0000000100070420 .text C:\Windows\system32\services.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076d92af0 5 bytes JMP 0000000100070430 .text C:\Windows\system32\services.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076d92b00 5 bytes JMP 0000000100070220 .text C:\Windows\system32\services.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076d92be0 5 bytes JMP 0000000100070280 .text C:\Windows\system32\services.exe[548] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000768ceecd 1 byte [62] .text C:\Windows\system32\lsass.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076d913c0 5 bytes JMP 0000000076ef0470 .text C:\Windows\system32\lsass.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076d91410 5 bytes JMP 0000000076ef0460 .text C:\Windows\system32\lsass.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076d91570 5 bytes JMP 0000000076ef0370 .text C:\Windows\system32\lsass.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076d915c0 5 bytes JMP 0000000076ef0480 .text C:\Windows\system32\lsass.exe[568] 
C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076d915d0 5 bytes JMP 0000000076ef03e0 .text C:\Windows\system32\lsass.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076d91680 5 bytes JMP 0000000076ef0320 .text C:\Windows\system32\lsass.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076d916b0 5 bytes JMP 0000000076ef03b0 .text C:\Windows\system32\lsass.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076d916d0 5 bytes JMP 0000000076ef0390 .text C:\Windows\system32\lsass.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076d91710 5 bytes JMP 0000000076ef02e0 .text C:\Windows\system32\lsass.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076d91760 5 bytes JMP 0000000076ef0440 .text C:\Windows\system32\lsass.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076d91790 5 bytes JMP 0000000076ef02d0 .text C:\Windows\system32\lsass.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076d917b0 5 bytes JMP 0000000076ef0310 .text C:\Windows\system32\lsass.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076d917f0 5 bytes JMP 0000000076ef03c0 .text C:\Windows\system32\lsass.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076d91840 5 bytes JMP 0000000076ef03f0 .text C:\Windows\system32\lsass.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076d919a0 1 byte JMP 0000000076ef0230 .text C:\Windows\system32\lsass.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076d919a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\lsass.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076d91b60 5 bytes JMP 0000000076ef0490 .text C:\Windows\system32\lsass.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076d91b90 5 bytes JMP 0000000076ef03a0 .text C:\Windows\system32\lsass.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076d91c70 5 bytes JMP 0000000076ef02f0 .text 
C:\Windows\system32\lsass.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076d91c80 5 bytes JMP 0000000076ef0350 .text C:\Windows\system32\lsass.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076d91ce0 5 bytes JMP 0000000076ef0290 .text C:\Windows\system32\lsass.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076d91d70 5 bytes JMP 0000000076ef02b0 .text C:\Windows\system32\lsass.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076d91d90 5 bytes JMP 0000000076ef03d0 .text C:\Windows\system32\lsass.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076d91da0 1 byte JMP 0000000076ef0330 .text C:\Windows\system32\lsass.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076d91da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\lsass.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076d91e10 5 bytes JMP 0000000076ef0410 .text C:\Windows\system32\lsass.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076d91e40 5 bytes JMP 0000000076ef0240 .text C:\Windows\system32\lsass.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076d92100 5 bytes JMP 0000000076ef01e0 .text C:\Windows\system32\lsass.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076d921c0 1 byte JMP 0000000076ef0250 .text C:\Windows\system32\lsass.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076d921c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\lsass.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076d921f0 5 bytes JMP 0000000076ef04a0 .text C:\Windows\system32\lsass.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076d92200 5 bytes JMP 0000000076ef04b0 .text C:\Windows\system32\lsass.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076d92230 5 bytes JMP 0000000076ef0300 .text C:\Windows\system32\lsass.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076d92240 5 bytes JMP 
0000000076ef0360 .text C:\Windows\system32\lsass.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076d922a0 5 bytes JMP 0000000076ef02a0 .text C:\Windows\system32\lsass.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076d922f0 5 bytes JMP 0000000076ef02c0 .text C:\Windows\system32\lsass.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076d92320 5 bytes JMP 0000000076ef0380 .text C:\Windows\system32\lsass.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076d92330 5 bytes JMP 0000000076ef0340 .text C:\Windows\system32\lsass.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076d92620 5 bytes JMP 0000000076ef0450 .text C:\Windows\system32\lsass.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076d92820 5 bytes JMP 0000000076ef0260 .text C:\Windows\system32\lsass.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076d92830 5 bytes JMP 0000000076ef0270 .text C:\Windows\system32\lsass.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076d92840 5 bytes JMP 0000000076ef0400 .text C:\Windows\system32\lsass.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076d92a00 5 bytes JMP 0000000076ef01f0 .text C:\Windows\system32\lsass.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076d92a10 5 bytes JMP 0000000076ef0210 .text C:\Windows\system32\lsass.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076d92a80 5 bytes JMP 0000000076ef0200 .text C:\Windows\system32\lsass.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076d92ae0 5 bytes JMP 0000000076ef0420 .text C:\Windows\system32\lsass.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076d92af0 5 bytes JMP 0000000076ef0430 .text C:\Windows\system32\lsass.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076d92b00 5 bytes JMP 0000000076ef0220 .text C:\Windows\system32\lsass.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 
0000000076d92be0 5 bytes JMP 0000000076ef0280 .text C:\Windows\system32\lsm.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076d913c0 5 bytes JMP 0000000076ef0470 .text C:\Windows\system32\lsm.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076d91410 5 bytes JMP 0000000076ef0460 .text C:\Windows\system32\lsm.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076d91570 5 bytes JMP 0000000076ef0370 .text C:\Windows\system32\lsm.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076d915c0 5 bytes JMP 0000000076ef0480 .text C:\Windows\system32\lsm.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076d915d0 5 bytes JMP 0000000076ef03e0 .text C:\Windows\system32\lsm.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076d91680 5 bytes JMP 0000000076ef0320 .text C:\Windows\system32\lsm.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076d916b0 5 bytes JMP 0000000076ef03b0 .text C:\Windows\system32\lsm.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076d916d0 5 bytes JMP 0000000076ef0390 .text C:\Windows\system32\lsm.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076d91710 5 bytes JMP 0000000076ef02e0 .text C:\Windows\system32\lsm.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076d91760 5 bytes JMP 0000000076ef0440 .text C:\Windows\system32\lsm.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076d91790 5 bytes JMP 0000000076ef02d0 .text C:\Windows\system32\lsm.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076d917b0 5 bytes JMP 0000000076ef0310 .text C:\Windows\system32\lsm.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076d917f0 5 bytes JMP 0000000076ef03c0 .text C:\Windows\system32\lsm.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076d91840 5 bytes JMP 0000000076ef03f0 .text C:\Windows\system32\lsm.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076d919a0 1 
byte JMP 0000000076ef0230 .text C:\Windows\system32\lsm.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076d919a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\lsm.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076d91b60 5 bytes JMP 0000000076ef0490 .text C:\Windows\system32\lsm.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076d91b90 5 bytes JMP 0000000076ef03a0 .text C:\Windows\system32\lsm.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076d91c70 5 bytes JMP 0000000076ef02f0 .text C:\Windows\system32\lsm.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076d91c80 5 bytes JMP 0000000076ef0350 .text C:\Windows\system32\lsm.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076d91ce0 5 bytes JMP 0000000076ef0290 .text C:\Windows\system32\lsm.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076d91d70 5 bytes JMP 0000000076ef02b0 .text C:\Windows\system32\lsm.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076d91d90 5 bytes JMP 0000000076ef03d0 .text C:\Windows\system32\lsm.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076d91da0 1 byte JMP 0000000076ef0330 .text C:\Windows\system32\lsm.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076d91da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\lsm.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076d91e10 5 bytes JMP 0000000076ef0410 .text C:\Windows\system32\lsm.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076d91e40 5 bytes JMP 0000000076ef0240 .text C:\Windows\system32\lsm.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076d92100 5 bytes JMP 0000000076ef01e0 .text C:\Windows\system32\lsm.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076d921c0 1 byte JMP 0000000076ef0250 .text C:\Windows\system32\lsm.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076d921c2 3 
bytes {JMP 0x15e090} .text C:\Windows\system32\lsm.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076d921f0 5 bytes JMP 0000000076ef04a0 .text C:\Windows\system32\lsm.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076d92200 5 bytes JMP 0000000076ef04b0 .text C:\Windows\system32\lsm.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076d92230 5 bytes JMP 0000000076ef0300 .text C:\Windows\system32\lsm.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076d92240 5 bytes JMP 0000000076ef0360 .text C:\Windows\system32\lsm.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076d922a0 5 bytes JMP 0000000076ef02a0 .text C:\Windows\system32\lsm.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076d922f0 5 bytes JMP 0000000076ef02c0 .text C:\Windows\system32\lsm.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076d92320 5 bytes JMP 0000000076ef0380 .text C:\Windows\system32\lsm.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076d92330 5 bytes JMP 0000000076ef0340 .text C:\Windows\system32\lsm.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076d92620 5 bytes JMP 0000000076ef0450 .text C:\Windows\system32\lsm.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076d92820 5 bytes JMP 0000000076ef0260 .text C:\Windows\system32\lsm.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076d92830 5 bytes JMP 0000000076ef0270 .text C:\Windows\system32\lsm.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076d92840 5 bytes JMP 0000000076ef0400 .text C:\Windows\system32\lsm.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076d92a00 5 bytes JMP 0000000076ef01f0 .text C:\Windows\system32\lsm.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076d92a10 5 bytes JMP 0000000076ef0210 .text C:\Windows\system32\lsm.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076d92a80 5 bytes JMP 
0000000076ef0200 .text C:\Windows\system32\lsm.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076d92ae0 5 bytes JMP 0000000076ef0420 .text C:\Windows\system32\lsm.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076d92af0 5 bytes JMP 0000000076ef0430 .text C:\Windows\system32\lsm.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076d92b00 5 bytes JMP 0000000076ef0220 .text C:\Windows\system32\lsm.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076d92be0 5 bytes JMP 0000000076ef0280 .text C:\Windows\system32\winlogon.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076d913c0 5 bytes JMP 0000000076ef0470 .text C:\Windows\system32\winlogon.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076d91410 5 bytes JMP 0000000076ef0460 .text C:\Windows\system32\winlogon.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076d91570 5 bytes JMP 0000000076ef0370 .text C:\Windows\system32\winlogon.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076d915c0 5 bytes JMP 0000000076ef0480 .text C:\Windows\system32\winlogon.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076d915d0 5 bytes JMP 0000000076ef03e0 .text C:\Windows\system32\winlogon.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076d91680 5 bytes JMP 0000000076ef0320 .text C:\Windows\system32\winlogon.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076d916b0 5 bytes JMP 0000000076ef03b0 .text C:\Windows\system32\winlogon.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076d916d0 5 bytes JMP 0000000076ef0390 .text C:\Windows\system32\winlogon.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076d91710 5 bytes JMP 0000000076ef02e0 .text C:\Windows\system32\winlogon.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076d91760 5 bytes JMP 0000000076ef0440 .text C:\Windows\system32\winlogon.exe[636] 
C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076d91790 5 bytes JMP 0000000076ef02d0 .text C:\Windows\system32\winlogon.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076d917b0 5 bytes JMP 0000000076ef0310 .text C:\Windows\system32\winlogon.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076d917f0 5 bytes JMP 0000000076ef03c0 .text C:\Windows\system32\winlogon.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076d91840 5 bytes JMP 0000000076ef03f0 .text C:\Windows\system32\winlogon.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076d919a0 1 byte JMP 0000000076ef0230 .text C:\Windows\system32\winlogon.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076d919a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\winlogon.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076d91b60 5 bytes JMP 0000000076ef0490 .text C:\Windows\system32\winlogon.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076d91b90 5 bytes JMP 0000000076ef03a0 .text C:\Windows\system32\winlogon.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076d91c70 5 bytes JMP 0000000076ef02f0 .text C:\Windows\system32\winlogon.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076d91c80 5 bytes JMP 0000000076ef0350 .text C:\Windows\system32\winlogon.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076d91ce0 5 bytes JMP 0000000076ef0290 .text C:\Windows\system32\winlogon.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076d91d70 5 bytes JMP 0000000076ef02b0 .text C:\Windows\system32\winlogon.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076d91d90 5 bytes JMP 0000000076ef03d0 .text C:\Windows\system32\winlogon.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076d91da0 1 byte JMP 0000000076ef0330 .text C:\Windows\system32\winlogon.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076d91da2 3 bytes 
{JMP 0x15e590} .text C:\Windows\system32\winlogon.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076d91e10 5 bytes JMP 0000000076ef0410 .text C:\Windows\system32\winlogon.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076d91e40 5 bytes JMP 0000000076ef0240 .text C:\Windows\system32\winlogon.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076d92100 5 bytes JMP 0000000076ef01e0 .text C:\Windows\system32\winlogon.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076d921c0 1 byte JMP 0000000076ef0250 .text C:\Windows\system32\winlogon.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076d921c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\winlogon.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076d921f0 5 bytes JMP 0000000076ef04a0 .text C:\Windows\system32\winlogon.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076d92200 5 bytes JMP 0000000076ef04b0 .text C:\Windows\system32\winlogon.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076d92230 5 bytes JMP 0000000076ef0300 .text C:\Windows\system32\winlogon.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076d92240 5 bytes JMP 0000000076ef0360 .text C:\Windows\system32\winlogon.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076d922a0 5 bytes JMP 0000000076ef02a0 .text C:\Windows\system32\winlogon.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076d922f0 5 bytes JMP 0000000076ef02c0 .text C:\Windows\system32\winlogon.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076d92320 5 bytes JMP 0000000076ef0380 .text C:\Windows\system32\winlogon.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076d92330 5 bytes JMP 0000000076ef0340 .text C:\Windows\system32\winlogon.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076d92620 5 bytes JMP 0000000076ef0450 .text C:\Windows\system32\winlogon.exe[636] 
C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076d92820 5 bytes JMP 0000000076ef0260 .text C:\Windows\system32\winlogon.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076d92830 5 bytes JMP 0000000076ef0270 .text C:\Windows\system32\winlogon.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076d92840 5 bytes JMP 0000000076ef0400 .text C:\Windows\system32\winlogon.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076d92a00 5 bytes JMP 0000000076ef01f0 .text C:\Windows\system32\winlogon.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076d92a10 5 bytes JMP 0000000076ef0210 .text C:\Windows\system32\winlogon.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076d92a80 5 bytes JMP 0000000076ef0200 .text C:\Windows\system32\winlogon.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076d92ae0 5 bytes JMP 0000000076ef0420 .text C:\Windows\system32\winlogon.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076d92af0 5 bytes JMP 0000000076ef0430 .text C:\Windows\system32\winlogon.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076d92b00 5 bytes JMP 0000000076ef0220 .text C:\Windows\system32\winlogon.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076d92be0 5 bytes JMP 0000000076ef0280 .text C:\Windows\system32\winlogon.exe[636] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000768ceecd 1 byte [62] .text C:\Windows\system32\svchost.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076d913c0 5 bytes JMP 0000000076ef0470 .text C:\Windows\system32\svchost.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076d91410 5 bytes JMP 0000000076ef0460 .text C:\Windows\system32\svchost.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076d91570 5 bytes JMP 0000000076ef0370 .text C:\Windows\system32\svchost.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076d915c0 5 bytes 
JMP 0000000076ef0480 .text C:\Windows\system32\svchost.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076d915d0 5 bytes JMP 0000000076ef03e0 .text C:\Windows\system32\svchost.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076d91680 5 bytes JMP 0000000076ef0320 .text C:\Windows\system32\svchost.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076d916b0 5 bytes JMP 0000000076ef03b0 .text C:\Windows\system32\svchost.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076d916d0 5 bytes JMP 0000000076ef0390 .text C:\Windows\system32\svchost.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076d91710 5 bytes JMP 0000000076ef02e0 .text C:\Windows\system32\svchost.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076d91760 5 bytes JMP 0000000076ef0440 .text C:\Windows\system32\svchost.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076d91790 5 bytes JMP 0000000076ef02d0 .text C:\Windows\system32\svchost.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076d917b0 5 bytes JMP 0000000076ef0310 .text C:\Windows\system32\svchost.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076d917f0 5 bytes JMP 0000000076ef03c0 .text C:\Windows\system32\svchost.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076d91840 5 bytes JMP 0000000076ef03f0 .text C:\Windows\system32\svchost.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076d919a0 1 byte JMP 0000000076ef0230 .text C:\Windows\system32\svchost.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076d919a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\svchost.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076d91b60 5 bytes JMP 0000000076ef0490 .text C:\Windows\system32\svchost.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076d91b90 5 bytes JMP 0000000076ef03a0 .text C:\Windows\system32\svchost.exe[728] 
C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076d91c70 5 bytes JMP 0000000076ef02f0 .text C:\Windows\system32\svchost.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076d91c80 5 bytes JMP 0000000076ef0350 .text C:\Windows\system32\svchost.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076d91ce0 5 bytes JMP 0000000076ef0290 .text C:\Windows\system32\svchost.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076d91d70 5 bytes JMP 0000000076ef02b0 .text C:\Windows\system32\svchost.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076d91d90 5 bytes JMP 0000000076ef03d0 .text C:\Windows\system32\svchost.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076d91da0 1 byte JMP 0000000076ef0330 .text C:\Windows\system32\svchost.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076d91da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\svchost.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076d91e10 5 bytes JMP 0000000076ef0410 .text C:\Windows\system32\svchost.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076d91e40 5 bytes JMP 0000000076ef0240 .text C:\Windows\system32\svchost.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076d92100 5 bytes JMP 0000000076ef01e0 .text C:\Windows\system32\svchost.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076d921c0 1 byte JMP 0000000076ef0250 .text C:\Windows\system32\svchost.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076d921c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\svchost.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076d921f0 5 bytes JMP 0000000076ef04a0 .text C:\Windows\system32\svchost.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076d92200 5 bytes JMP 0000000076ef04b0 .text C:\Windows\system32\svchost.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076d92230 5 bytes JMP 
0000000076ef0300 .text C:\Windows\system32\svchost.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076d92240 5 bytes JMP 0000000076ef0360 .text C:\Windows\system32\svchost.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076d922a0 5 bytes JMP 0000000076ef02a0 .text C:\Windows\system32\svchost.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076d922f0 5 bytes JMP 0000000076ef02c0 .text C:\Windows\system32\svchost.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076d92320 5 bytes JMP 0000000076ef0380 .text C:\Windows\system32\svchost.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076d92330 5 bytes JMP 0000000076ef0340 .text C:\Windows\system32\svchost.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076d92620 5 bytes JMP 0000000076ef0450 .text C:\Windows\system32\svchost.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076d92820 5 bytes JMP 0000000076ef0260 .text C:\Windows\system32\svchost.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076d92830 5 bytes JMP 0000000076ef0270 .text C:\Windows\system32\svchost.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076d92840 5 bytes JMP 0000000076ef0400 .text C:\Windows\system32\svchost.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076d92a00 5 bytes JMP 0000000076ef01f0 .text C:\Windows\system32\svchost.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076d92a10 5 bytes JMP 0000000076ef0210 .text C:\Windows\system32\svchost.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076d92a80 5 bytes JMP 0000000076ef0200 .text C:\Windows\system32\svchost.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076d92ae0 5 bytes JMP 0000000076ef0420 .text C:\Windows\system32\svchost.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076d92af0 5 bytes JMP 0000000076ef0430 .text C:\Windows\system32\svchost.exe[728] 
C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076d92b00 5 bytes JMP 0000000076ef0220 .text C:\Windows\system32\svchost.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076d92be0 5 bytes JMP 0000000076ef0280 .text C:\Windows\system32\svchost.exe[728] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000768ceecd 1 byte [62] .text C:\Windows\system32\nvvsvc.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076d913c0 5 bytes JMP 0000000076ef0470 .text C:\Windows\system32\nvvsvc.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076d91410 5 bytes JMP 0000000076ef0460 .text C:\Windows\system32\nvvsvc.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076d91570 5 bytes JMP 0000000076ef0370 .text C:\Windows\system32\nvvsvc.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076d915c0 5 bytes JMP 0000000076ef0480 .text C:\Windows\system32\nvvsvc.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076d915d0 5 bytes JMP 0000000076ef03e0 .text C:\Windows\system32\nvvsvc.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076d91680 5 bytes JMP 0000000076ef0320 .text C:\Windows\system32\nvvsvc.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076d916b0 5 bytes JMP 0000000076ef03b0 .text C:\Windows\system32\nvvsvc.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076d916d0 5 bytes JMP 0000000076ef0390 .text C:\Windows\system32\nvvsvc.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076d91710 5 bytes JMP 0000000076ef02e0 .text C:\Windows\system32\nvvsvc.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076d91760 5 bytes JMP 0000000076ef0440 .text C:\Windows\system32\nvvsvc.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076d91790 5 bytes JMP 0000000076ef02d0 .text C:\Windows\system32\nvvsvc.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076d917b0 5 bytes JMP 0000000076ef0310 .text 
C:\Windows\system32\nvvsvc.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076d917f0 5 bytes JMP 0000000076ef03c0 .text C:\Windows\system32\nvvsvc.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076d91840 5 bytes JMP 0000000076ef03f0 .text C:\Windows\system32\nvvsvc.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076d919a0 1 byte JMP 0000000076ef0230 .text C:\Windows\system32\nvvsvc.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076d919a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\nvvsvc.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076d91b60 5 bytes JMP 0000000076ef0490 .text C:\Windows\system32\nvvsvc.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076d91b90 5 bytes JMP 0000000076ef03a0 .text C:\Windows\system32\nvvsvc.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076d91c70 5 bytes JMP 0000000076ef02f0 .text C:\Windows\system32\nvvsvc.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076d91c80 5 bytes JMP 0000000076ef0350 .text C:\Windows\system32\nvvsvc.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076d91ce0 5 bytes JMP 0000000076ef0290 .text C:\Windows\system32\nvvsvc.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076d91d70 5 bytes JMP 0000000076ef02b0 .text C:\Windows\system32\nvvsvc.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076d91d90 5 bytes JMP 0000000076ef03d0 .text C:\Windows\system32\nvvsvc.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076d91da0 1 byte JMP 0000000076ef0330 .text C:\Windows\system32\nvvsvc.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076d91da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\nvvsvc.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076d91e10 5 bytes JMP 0000000076ef0410 .text C:\Windows\system32\nvvsvc.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 
0000000076d91e40 5 bytes JMP 0000000076ef0240 .text C:\Windows\system32\nvvsvc.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076d92100 5 bytes JMP 0000000076ef01e0 .text C:\Windows\system32\nvvsvc.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076d921c0 1 byte JMP 0000000076ef0250 .text C:\Windows\system32\nvvsvc.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076d921c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\nvvsvc.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076d921f0 5 bytes JMP 0000000076ef04a0 .text C:\Windows\system32\nvvsvc.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076d92200 5 bytes JMP 0000000076ef04b0 .text C:\Windows\system32\nvvsvc.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076d92230 5 bytes JMP 0000000076ef0300 .text C:\Windows\system32\nvvsvc.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076d92240 5 bytes JMP 0000000076ef0360 .text C:\Windows\system32\nvvsvc.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076d922a0 5 bytes JMP 0000000076ef02a0 .text C:\Windows\system32\nvvsvc.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076d922f0 5 bytes JMP 0000000076ef02c0 .text C:\Windows\system32\nvvsvc.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076d92320 5 bytes JMP 0000000076ef0380 .text C:\Windows\system32\nvvsvc.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076d92330 5 bytes JMP 0000000076ef0340 .text C:\Windows\system32\nvvsvc.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076d92620 5 bytes JMP 0000000076ef0450 .text C:\Windows\system32\nvvsvc.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076d92820 5 bytes JMP 0000000076ef0260 .text C:\Windows\system32\nvvsvc.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076d92830 5 bytes JMP 0000000076ef0270 .text C:\Windows\system32\nvvsvc.exe[804] 
C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076d92840 5 bytes JMP 0000000076ef0400 .text C:\Windows\system32\nvvsvc.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076d92a00 5 bytes JMP 0000000076ef01f0 .text C:\Windows\system32\nvvsvc.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076d92a10 5 bytes JMP 0000000076ef0210 .text C:\Windows\system32\nvvsvc.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076d92a80 5 bytes JMP 0000000076ef0200 .text C:\Windows\system32\nvvsvc.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076d92ae0 5 bytes JMP 0000000076ef0420 .text C:\Windows\system32\nvvsvc.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076d92af0 5 bytes JMP 0000000076ef0430 .text C:\Windows\system32\nvvsvc.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076d92b00 5 bytes JMP 0000000076ef0220 .text C:\Windows\system32\nvvsvc.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076d92be0 5 bytes JMP 0000000076ef0280 .text C:\Windows\system32\nvvsvc.exe[804] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000768ceecd 1 byte [62] .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[828] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007537a30a 1 byte [62] .text C:\Windows\system32\svchost.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076d913c0 5 bytes JMP 0000000076ef0470 .text C:\Windows\system32\svchost.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076d91410 5 bytes JMP 0000000076ef0460 .text C:\Windows\system32\svchost.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076d91570 5 bytes JMP 0000000076ef0370 .text C:\Windows\system32\svchost.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076d915c0 5 bytes JMP 0000000076ef0480 .text C:\Windows\system32\svchost.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076d915d0 5 
bytes JMP 0000000076ef03e0 .text C:\Windows\system32\svchost.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076d91680 5 bytes JMP 0000000076ef0320 .text C:\Windows\system32\svchost.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076d916b0 5 bytes JMP 0000000076ef03b0 .text C:\Windows\system32\svchost.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076d916d0 5 bytes JMP 0000000076ef0390 .text C:\Windows\system32\svchost.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076d91710 5 bytes JMP 0000000076ef02e0 .text C:\Windows\system32\svchost.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076d91760 5 bytes JMP 0000000076ef0440 .text C:\Windows\system32\svchost.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076d91790 5 bytes JMP 0000000076ef02d0 .text C:\Windows\system32\svchost.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076d917b0 5 bytes JMP 0000000076ef0310 .text C:\Windows\system32\svchost.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076d917f0 5 bytes JMP 0000000076ef03c0 .text C:\Windows\system32\svchost.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076d91840 5 bytes JMP 0000000076ef03f0 .text C:\Windows\system32\svchost.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076d919a0 1 byte JMP 0000000076ef0230 .text C:\Windows\system32\svchost.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076d919a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\svchost.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076d91b60 5 bytes JMP 0000000076ef0490 .text C:\Windows\system32\svchost.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076d91b90 5 bytes JMP 0000000076ef03a0 .text C:\Windows\system32\svchost.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076d91c70 5 bytes JMP 0000000076ef02f0 .text C:\Windows\system32\svchost.exe[872] 
C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076d91c80 5 bytes JMP 0000000076ef0350 .text C:\Windows\system32\svchost.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076d91ce0 5 bytes JMP 0000000076ef0290 .text C:\Windows\system32\svchost.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076d91d70 5 bytes JMP 0000000076ef02b0 .text C:\Windows\system32\svchost.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076d91d90 5 bytes JMP 0000000076ef03d0 .text C:\Windows\system32\svchost.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076d91da0 1 byte JMP 0000000076ef0330 .text C:\Windows\system32\svchost.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076d91da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\svchost.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076d91e10 5 bytes JMP 0000000076ef0410 .text C:\Windows\system32\svchost.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076d91e40 5 bytes JMP 0000000076ef0240 .text C:\Windows\system32\svchost.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076d92100 5 bytes JMP 0000000076ef01e0 .text C:\Windows\system32\svchost.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076d921c0 1 byte JMP 0000000076ef0250 .text C:\Windows\system32\svchost.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076d921c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\svchost.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076d921f0 5 bytes JMP 0000000076ef04a0 .text C:\Windows\system32\svchost.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076d92200 5 bytes JMP 0000000076ef04b0 .text C:\Windows\system32\svchost.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076d92230 5 bytes JMP 0000000076ef0300 .text C:\Windows\system32\svchost.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076d92240 5 bytes JMP 
0000000076ef0360 .text C:\Windows\system32\svchost.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076d922a0 5 bytes JMP 0000000076ef02a0 .text C:\Windows\system32\svchost.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076d922f0 5 bytes JMP 0000000076ef02c0 .text C:\Windows\system32\svchost.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076d92320 5 bytes JMP 0000000076ef0380 .text C:\Windows\system32\svchost.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076d92330 5 bytes JMP 0000000076ef0340 .text C:\Windows\system32\svchost.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076d92620 5 bytes JMP 0000000076ef0450 .text C:\Windows\system32\svchost.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076d92820 5 bytes JMP 0000000076ef0260 .text C:\Windows\system32\svchost.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076d92830 5 bytes JMP 0000000076ef0270 .text C:\Windows\system32\svchost.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076d92840 5 bytes JMP 0000000076ef0400 .text C:\Windows\system32\svchost.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076d92a00 5 bytes JMP 0000000076ef01f0 .text C:\Windows\system32\svchost.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076d92a10 5 bytes JMP 0000000076ef0210 .text C:\Windows\system32\svchost.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076d92a80 5 bytes JMP 0000000076ef0200 .text C:\Windows\system32\svchost.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076d92ae0 5 bytes JMP 0000000076ef0420 .text C:\Windows\system32\svchost.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076d92af0 5 bytes JMP 0000000076ef0430 .text C:\Windows\system32\svchost.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076d92b00 5 bytes JMP 0000000076ef0220 .text C:\Windows\system32\svchost.exe[872] 
C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076d92be0 5 bytes JMP 0000000076ef0280 .text C:\Windows\System32\svchost.exe[920] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076d913c0 5 bytes JMP 0000000100070470 .text C:\Windows\System32\svchost.exe[920] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076d91410 5 bytes JMP 0000000100070460 .text C:\Windows\System32\svchost.exe[920] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076d91570 5 bytes JMP 0000000100070370 .text C:\Windows\System32\svchost.exe[920] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076d915c0 5 bytes JMP 0000000100070480 .text C:\Windows\System32\svchost.exe[920] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076d915d0 5 bytes JMP 00000001000703e0 .text C:\Windows\System32\svchost.exe[920] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076d91680 5 bytes JMP 0000000100070320 .text C:\Windows\System32\svchost.exe[920] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076d916b0 5 bytes JMP 00000001000703b0 .text C:\Windows\System32\svchost.exe[920] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076d916d0 5 bytes JMP 0000000100070390 .text C:\Windows\System32\svchost.exe[920] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076d91710 5 bytes JMP 00000001000702e0 .text C:\Windows\System32\svchost.exe[920] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076d91760 5 bytes JMP 0000000100070440 .text C:\Windows\System32\svchost.exe[920] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076d91790 5 bytes JMP 00000001000702d0 .text C:\Windows\System32\svchost.exe[920] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076d917b0 5 bytes JMP 0000000100070310 .text C:\Windows\System32\svchost.exe[920] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076d917f0 5 bytes JMP 00000001000703c0 .text C:\Windows\System32\svchost.exe[920] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076d91840 5 bytes JMP 00000001000703f0 
.text C:\Windows\System32\svchost.exe[920] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076d919a0 1 byte JMP 0000000100070230 .text C:\Windows\System32\svchost.exe[920] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076d919a2 3 bytes {JMP 0xffffffff892de890} .text C:\Windows\System32\svchost.exe[920] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076d91b60 5 bytes JMP 0000000100070490 .text C:\Windows\System32\svchost.exe[920] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076d91b90 5 bytes JMP 00000001000703a0 .text C:\Windows\System32\svchost.exe[920] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076d91c70 5 bytes JMP 00000001000702f0 .text C:\Windows\System32\svchost.exe[920] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076d91c80 5 bytes JMP 0000000100070350 .text C:\Windows\System32\svchost.exe[920] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076d91ce0 5 bytes JMP 0000000100070290 .text C:\Windows\System32\svchost.exe[920] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076d91d70 5 bytes JMP 00000001000702b0 .text C:\Windows\System32\svchost.exe[920] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076d91d90 5 bytes JMP 00000001000703d0 .text C:\Windows\System32\svchost.exe[920] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076d91da0 1 byte JMP 0000000100070330 .text C:\Windows\System32\svchost.exe[920] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076d91da2 3 bytes {JMP 0xffffffff892de590} .text C:\Windows\System32\svchost.exe[920] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076d91e10 5 bytes JMP 0000000100070410 .text C:\Windows\System32\svchost.exe[920] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076d91e40 5 bytes JMP 0000000100070240 .text C:\Windows\System32\svchost.exe[920] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076d92100 5 bytes JMP 00000001000701e0 .text C:\Windows\System32\svchost.exe[920] 
C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076d921c0 1 byte JMP 0000000100070250 .text C:\Windows\System32\svchost.exe[920] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076d921c2 3 bytes {JMP 0xffffffff892de090} .text C:\Windows\System32\svchost.exe[920] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076d921f0 5 bytes JMP 00000001000704a0 .text C:\Windows\System32\svchost.exe[920] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076d92200 5 bytes JMP 00000001000704b0 .text C:\Windows\System32\svchost.exe[920] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076d92230 5 bytes JMP 0000000100070300 .text C:\Windows\System32\svchost.exe[920] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076d92240 5 bytes JMP 0000000100070360 .text C:\Windows\System32\svchost.exe[920] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076d922a0 5 bytes JMP 00000001000702a0 .text C:\Windows\System32\svchost.exe[920] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076d922f0 5 bytes JMP 00000001000702c0 .text C:\Windows\System32\svchost.exe[920] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076d92320 5 bytes JMP 0000000100070380 .text C:\Windows\System32\svchost.exe[920] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076d92330 5 bytes JMP 0000000100070340 .text C:\Windows\System32\svchost.exe[920] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076d92620 5 bytes JMP 0000000100070450 .text C:\Windows\System32\svchost.exe[920] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076d92820 5 bytes JMP 0000000100070260 .text C:\Windows\System32\svchost.exe[920] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076d92830 5 bytes JMP 0000000100070270 .text C:\Windows\System32\svchost.exe[920] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076d92840 5 bytes JMP 0000000100070400 .text C:\Windows\System32\svchost.exe[920] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076d92a00 5 bytes JMP 
00000001000701f0 .text C:\Windows\System32\svchost.exe[920] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076d92a10 5 bytes JMP 0000000100070210 .text C:\Windows\System32\svchost.exe[920] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076d92a80 5 bytes JMP 0000000100070200 .text C:\Windows\System32\svchost.exe[920] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076d92ae0 5 bytes JMP 0000000100070420 .text C:\Windows\System32\svchost.exe[920] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076d92af0 5 bytes JMP 0000000100070430 .text C:\Windows\System32\svchost.exe[920] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076d92b00 5 bytes JMP 0000000100070220 .text C:\Windows\System32\svchost.exe[920] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076d92be0 5 bytes JMP 0000000100070280 .text C:\Windows\System32\svchost.exe[920] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000768ceecd 1 byte [62] .text C:\Windows\System32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076d913c0 5 bytes JMP 0000000076ef0470 .text C:\Windows\System32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076d91410 5 bytes JMP 0000000076ef0460 .text C:\Windows\System32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076d91570 5 bytes JMP 0000000076ef0370 .text C:\Windows\System32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076d915c0 5 bytes JMP 0000000076ef0480 .text C:\Windows\System32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076d915d0 5 bytes JMP 0000000076ef03e0 .text C:\Windows\System32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076d91680 5 bytes JMP 0000000076ef0320 .text C:\Windows\System32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076d916b0 5 bytes JMP 0000000076ef03b0 .text C:\Windows\System32\svchost.exe[1016] 
C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076d916d0 5 bytes JMP 0000000076ef0390 .text C:\Windows\System32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076d91710 5 bytes JMP 0000000076ef02e0 .text C:\Windows\System32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076d91760 5 bytes JMP 0000000076ef0440 .text C:\Windows\System32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076d91790 5 bytes JMP 0000000076ef02d0 .text C:\Windows\System32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076d917b0 5 bytes JMP 0000000076ef0310 .text C:\Windows\System32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076d917f0 5 bytes JMP 0000000076ef03c0 .text C:\Windows\System32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076d91840 5 bytes JMP 0000000076ef03f0 .text C:\Windows\System32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076d919a0 1 byte JMP 0000000076ef0230 .text C:\Windows\System32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076d919a2 3 bytes {JMP 0x15e890} .text C:\Windows\System32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076d91b60 5 bytes JMP 0000000076ef0490 .text C:\Windows\System32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076d91b90 5 bytes JMP 0000000076ef03a0 .text C:\Windows\System32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076d91c70 5 bytes JMP 0000000076ef02f0 .text C:\Windows\System32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076d91c80 5 bytes JMP 0000000076ef0350 .text C:\Windows\System32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076d91ce0 5 bytes JMP 0000000076ef0290 .text C:\Windows\System32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076d91d70 5 bytes 
JMP 0000000076ef02b0 .text C:\Windows\System32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076d91d90 5 bytes JMP 0000000076ef03d0 .text C:\Windows\System32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076d91da0 1 byte JMP 0000000076ef0330 .text C:\Windows\System32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076d91da2 3 bytes {JMP 0x15e590} .text C:\Windows\System32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076d91e10 5 bytes JMP 0000000076ef0410 .text C:\Windows\System32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076d91e40 5 bytes JMP 0000000076ef0240 .text C:\Windows\System32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076d92100 5 bytes JMP 0000000076ef01e0 .text C:\Windows\System32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076d921c0 1 byte JMP 0000000076ef0250 .text C:\Windows\System32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076d921c2 3 bytes {JMP 0x15e090} .text C:\Windows\System32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076d921f0 5 bytes JMP 0000000076ef04a0 .text C:\Windows\System32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076d92200 5 bytes JMP 0000000076ef04b0 .text C:\Windows\System32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076d92230 5 bytes JMP 0000000076ef0300 .text C:\Windows\System32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076d92240 5 bytes JMP 0000000076ef0360 .text C:\Windows\System32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076d922a0 5 bytes JMP 0000000076ef02a0 .text C:\Windows\System32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076d922f0 5 bytes JMP 0000000076ef02c0 .text C:\Windows\System32\svchost.exe[1016] 
C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076d92320 5 bytes JMP 0000000076ef0380 .text C:\Windows\System32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076d92330 5 bytes JMP 0000000076ef0340 .text C:\Windows\System32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076d92620 5 bytes JMP 0000000076ef0450 .text C:\Windows\System32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076d92820 5 bytes JMP 0000000076ef0260 .text C:\Windows\System32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076d92830 5 bytes JMP 0000000076ef0270 .text C:\Windows\System32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076d92840 5 bytes JMP 0000000076ef0400 .text C:\Windows\System32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076d92a00 5 bytes JMP 0000000076ef01f0 .text C:\Windows\System32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076d92a10 5 bytes JMP 0000000076ef0210 .text C:\Windows\System32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076d92a80 5 bytes JMP 0000000076ef0200 .text C:\Windows\System32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076d92ae0 5 bytes JMP 0000000076ef0420 .text C:\Windows\System32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076d92af0 5 bytes JMP 0000000076ef0430 .text C:\Windows\System32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076d92b00 5 bytes JMP 0000000076ef0220 .text C:\Windows\System32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076d92be0 5 bytes JMP 0000000076ef0280 .text C:\Windows\System32\svchost.exe[1016] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000768ceecd 1 byte [62] .text C:\Windows\system32\svchost.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076d913c0 5 bytes JMP 
0000000100070470 .text C:\Windows\system32\svchost.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076d91410 5 bytes JMP 0000000100070460 .text C:\Windows\system32\svchost.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076d91570 5 bytes JMP 0000000100070370 .text C:\Windows\system32\svchost.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076d915c0 5 bytes JMP 0000000100070480 .text C:\Windows\system32\svchost.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076d915d0 5 bytes JMP 00000001000703e0 .text C:\Windows\system32\svchost.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076d91680 5 bytes JMP 0000000100070320 .text C:\Windows\system32\svchost.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076d916b0 5 bytes JMP 00000001000703b0 .text C:\Windows\system32\svchost.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076d916d0 5 bytes JMP 0000000100070390 .text C:\Windows\system32\svchost.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076d91710 5 bytes JMP 00000001000702e0 .text C:\Windows\system32\svchost.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076d91760 5 bytes JMP 0000000100070440 .text C:\Windows\system32\svchost.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076d91790 5 bytes JMP 00000001000702d0 .text C:\Windows\system32\svchost.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076d917b0 5 bytes JMP 0000000100070310 .text C:\Windows\system32\svchost.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076d917f0 5 bytes JMP 00000001000703c0 .text C:\Windows\system32\svchost.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076d91840 5 bytes JMP 00000001000703f0 .text C:\Windows\system32\svchost.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076d919a0 1 byte JMP 0000000100070230 .text C:\Windows\system32\svchost.exe[392] 
C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076d919a2 3 bytes {JMP 0xffffffff892de890} .text C:\Windows\system32\svchost.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076d91b60 5 bytes JMP 0000000100070490 .text C:\Windows\system32\svchost.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076d91b90 5 bytes JMP 00000001000703a0 .text C:\Windows\system32\svchost.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076d91c70 5 bytes JMP 00000001000702f0 .text C:\Windows\system32\svchost.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076d91c80 5 bytes JMP 0000000100070350 .text C:\Windows\system32\svchost.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076d91ce0 5 bytes JMP 0000000100070290 .text C:\Windows\system32\svchost.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076d91d70 5 bytes JMP 00000001000702b0 .text C:\Windows\system32\svchost.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076d91d90 5 bytes JMP 00000001000703d0 .text C:\Windows\system32\svchost.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076d91da0 1 byte JMP 0000000100070330 .text C:\Windows\system32\svchost.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076d91da2 3 bytes {JMP 0xffffffff892de590} .text C:\Windows\system32\svchost.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076d91e10 5 bytes JMP 0000000100070410 .text C:\Windows\system32\svchost.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076d91e40 5 bytes JMP 0000000100070240 .text C:\Windows\system32\svchost.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076d92100 5 bytes JMP 00000001000701e0 .text C:\Windows\system32\svchost.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076d921c0 1 byte JMP 0000000100070250 .text C:\Windows\system32\svchost.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 
0000000076d921c2 3 bytes {JMP 0xffffffff892de090} .text C:\Windows\system32\svchost.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076d921f0 5 bytes JMP 00000001000704a0 .text C:\Windows\system32\svchost.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076d92200 5 bytes JMP 00000001000704b0 .text C:\Windows\system32\svchost.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076d92230 5 bytes JMP 0000000100070300 .text C:\Windows\system32\svchost.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076d92240 5 bytes JMP 0000000100070360 .text C:\Windows\system32\svchost.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076d922a0 5 bytes JMP 00000001000702a0 .text C:\Windows\system32\svchost.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076d922f0 5 bytes JMP 00000001000702c0 .text C:\Windows\system32\svchost.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076d92320 5 bytes JMP 0000000100070380 .text C:\Windows\system32\svchost.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076d92330 5 bytes JMP 0000000100070340 .text C:\Windows\system32\svchost.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076d92620 5 bytes JMP 0000000100070450 .text C:\Windows\system32\svchost.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076d92820 5 bytes JMP 0000000100070260 .text C:\Windows\system32\svchost.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076d92830 5 bytes JMP 0000000100070270 .text C:\Windows\system32\svchost.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076d92840 5 bytes JMP 0000000100070400 .text C:\Windows\system32\svchost.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076d92a00 5 bytes JMP 00000001000701f0 .text C:\Windows\system32\svchost.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076d92a10 5 bytes JMP 0000000100070210 .text 
C:\Windows\system32\svchost.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076d92a80 5 bytes JMP 0000000100070200 .text C:\Windows\system32\svchost.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076d92ae0 5 bytes JMP 0000000100070420 .text C:\Windows\system32\svchost.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076d92af0 5 bytes JMP 0000000100070430 .text C:\Windows\system32\svchost.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076d92b00 5 bytes JMP 0000000100070220 .text C:\Windows\system32\svchost.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076d92be0 5 bytes JMP 0000000100070280 .text C:\Windows\system32\svchost.exe[392] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000768ceecd 1 byte [62] .text C:\Windows\system32\svchost.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076d913c0 5 bytes JMP 0000000076ef0470 .text C:\Windows\system32\svchost.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076d91410 5 bytes JMP 0000000076ef0460 .text C:\Windows\system32\svchost.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076d91570 5 bytes JMP 0000000076ef0370 .text C:\Windows\system32\svchost.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076d915c0 5 bytes JMP 0000000076ef0480 .text C:\Windows\system32\svchost.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076d915d0 5 bytes JMP 0000000076ef03e0 .text C:\Windows\system32\svchost.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076d91680 5 bytes JMP 0000000076ef0320 .text C:\Windows\system32\svchost.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076d916b0 5 bytes JMP 0000000076ef03b0 .text C:\Windows\system32\svchost.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076d916d0 5 bytes JMP 0000000076ef0390 .text C:\Windows\system32\svchost.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 
0000000076d91710 5 bytes JMP 0000000076ef02e0 .text C:\Windows\system32\svchost.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076d91760 5 bytes JMP 0000000076ef0440 .text C:\Windows\system32\svchost.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076d91790 5 bytes JMP 0000000076ef02d0 .text C:\Windows\system32\svchost.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076d917b0 5 bytes JMP 0000000076ef0310 .text C:\Windows\system32\svchost.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076d917f0 5 bytes JMP 0000000076ef03c0 .text C:\Windows\system32\svchost.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076d91840 5 bytes JMP 0000000076ef03f0 .text C:\Windows\system32\svchost.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076d919a0 1 byte JMP 0000000076ef0230 .text C:\Windows\system32\svchost.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076d919a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\svchost.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076d91b60 5 bytes JMP 0000000076ef0490 .text C:\Windows\system32\svchost.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076d91b90 5 bytes JMP 0000000076ef03a0 .text C:\Windows\system32\svchost.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076d91c70 5 bytes JMP 0000000076ef02f0 .text C:\Windows\system32\svchost.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076d91c80 5 bytes JMP 0000000076ef0350 .text C:\Windows\system32\svchost.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076d91ce0 5 bytes JMP 0000000076ef0290 .text C:\Windows\system32\svchost.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076d91d70 5 bytes JMP 0000000076ef02b0 .text C:\Windows\system32\svchost.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076d91d90 5 bytes JMP 0000000076ef03d0 .text 
C:\Windows\system32\svchost.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076d91da0 1 byte JMP 0000000076ef0330 .text C:\Windows\system32\svchost.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076d91da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\svchost.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076d91e10 5 bytes JMP 0000000076ef0410 .text C:\Windows\system32\svchost.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076d91e40 5 bytes JMP 0000000076ef0240 .text C:\Windows\system32\svchost.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076d92100 5 bytes JMP 0000000076ef01e0 .text C:\Windows\system32\svchost.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076d921c0 1 byte JMP 0000000076ef0250 .text C:\Windows\system32\svchost.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076d921c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\svchost.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076d921f0 5 bytes JMP 0000000076ef04a0 .text C:\Windows\system32\svchost.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076d92200 5 bytes JMP 0000000076ef04b0 .text C:\Windows\system32\svchost.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076d92230 5 bytes JMP 0000000076ef0300 .text C:\Windows\system32\svchost.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076d92240 5 bytes JMP 0000000076ef0360 .text C:\Windows\system32\svchost.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076d922a0 5 bytes JMP 0000000076ef02a0 .text C:\Windows\system32\svchost.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076d922f0 5 bytes JMP 0000000076ef02c0 .text C:\Windows\system32\svchost.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076d92320 5 bytes JMP 0000000076ef0380 .text C:\Windows\system32\svchost.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076d92330 5 
bytes JMP 0000000076ef0340 .text C:\Windows\system32\svchost.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076d92620 5 bytes JMP 0000000076ef0450 .text C:\Windows\system32\svchost.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076d92820 5 bytes JMP 0000000076ef0260 .text C:\Windows\system32\svchost.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076d92830 5 bytes JMP 0000000076ef0270 .text C:\Windows\system32\svchost.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076d92840 5 bytes JMP 0000000076ef0400 .text C:\Windows\system32\svchost.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076d92a00 5 bytes JMP 0000000076ef01f0 .text C:\Windows\system32\svchost.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076d92a10 5 bytes JMP 0000000076ef0210 .text C:\Windows\system32\svchost.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076d92a80 5 bytes JMP 0000000076ef0200 .text C:\Windows\system32\svchost.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076d92ae0 5 bytes JMP 0000000076ef0420 .text C:\Windows\system32\svchost.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076d92af0 5 bytes JMP 0000000076ef0430 .text C:\Windows\system32\svchost.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076d92b00 5 bytes JMP 0000000076ef0220 .text C:\Windows\system32\svchost.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076d92be0 5 bytes JMP 0000000076ef0280 .text C:\Windows\system32\svchost.exe[416] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000768ceecd 1 byte [62] .text C:\Windows\system32\svchost.exe[1204] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076d913c0 5 bytes JMP 0000000076ef0470 .text C:\Windows\system32\svchost.exe[1204] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076d91410 5 bytes JMP 0000000076ef0460 .text C:\Windows\system32\svchost.exe[1204] 
C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076d91570 5 bytes JMP 0000000076ef0370 .text C:\Windows\system32\svchost.exe[1204] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076d915c0 5 bytes JMP 0000000076ef0480 .text C:\Windows\system32\svchost.exe[1204] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076d915d0 5 bytes JMP 0000000076ef03e0 .text C:\Windows\system32\svchost.exe[1204] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076d91680 5 bytes JMP 0000000076ef0320 .text C:\Windows\system32\svchost.exe[1204] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076d916b0 5 bytes JMP 0000000076ef03b0 .text C:\Windows\system32\svchost.exe[1204] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076d916d0 5 bytes JMP 0000000076ef0390 .text C:\Windows\system32\svchost.exe[1204] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076d91710 5 bytes JMP 0000000076ef02e0 .text C:\Windows\system32\svchost.exe[1204] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076d91760 5 bytes JMP 0000000076ef0440 .text C:\Windows\system32\svchost.exe[1204] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076d91790 5 bytes JMP 0000000076ef02d0 .text C:\Windows\system32\svchost.exe[1204] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076d917b0 5 bytes JMP 0000000076ef0310 .text C:\Windows\system32\svchost.exe[1204] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076d917f0 5 bytes JMP 0000000076ef03c0 .text C:\Windows\system32\svchost.exe[1204] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076d91840 5 bytes JMP 0000000076ef03f0 .text C:\Windows\system32\svchost.exe[1204] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076d919a0 1 byte JMP 0000000076ef0230 .text C:\Windows\system32\svchost.exe[1204] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076d919a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\svchost.exe[1204] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076d91b60 5 bytes JMP 
0000000076ef0490 .text C:\Windows\system32\svchost.exe[1204] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076d91b90 5 bytes JMP 0000000076ef03a0 .text C:\Windows\system32\svchost.exe[1204] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076d91c70 5 bytes JMP 0000000076ef02f0 .text C:\Windows\system32\svchost.exe[1204] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076d91c80 5 bytes JMP 0000000076ef0350 .text C:\Windows\system32\svchost.exe[1204] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076d91ce0 5 bytes JMP 0000000076ef0290 .text C:\Windows\system32\svchost.exe[1204] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076d91d70 5 bytes JMP 0000000076ef02b0 .text C:\Windows\system32\svchost.exe[1204] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076d91d90 5 bytes JMP 0000000076ef03d0 .text C:\Windows\system32\svchost.exe[1204] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076d91da0 1 byte JMP 0000000076ef0330 .text C:\Windows\system32\svchost.exe[1204] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076d91da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\svchost.exe[1204] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076d91e10 5 bytes JMP 0000000076ef0410 .text C:\Windows\system32\svchost.exe[1204] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076d91e40 5 bytes JMP 0000000076ef0240 .text C:\Windows\system32\svchost.exe[1204] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076d92100 5 bytes JMP 0000000076ef01e0 .text C:\Windows\system32\svchost.exe[1204] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076d921c0 1 byte JMP 0000000076ef0250 .text C:\Windows\system32\svchost.exe[1204] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076d921c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\svchost.exe[1204] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076d921f0 5 bytes JMP 0000000076ef04a0 .text C:\Windows\system32\svchost.exe[1204] 
C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076d92200 5 bytes JMP 0000000076ef04b0 .text C:\Windows\system32\svchost.exe[1204] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076d92230 5 bytes JMP 0000000076ef0300 .text C:\Windows\system32\svchost.exe[1204] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076d92240 5 bytes JMP 0000000076ef0360 .text C:\Windows\system32\svchost.exe[1204] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076d922a0 5 bytes JMP 0000000076ef02a0 .text C:\Windows\system32\svchost.exe[1204] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076d922f0 5 bytes JMP 0000000076ef02c0 .text C:\Windows\system32\svchost.exe[1204] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076d92320 5 bytes JMP 0000000076ef0380 .text C:\Windows\system32\svchost.exe[1204] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076d92330 5 bytes JMP 0000000076ef0340 .text C:\Windows\system32\svchost.exe[1204] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076d92620 5 bytes JMP 0000000076ef0450 .text C:\Windows\system32\svchost.exe[1204] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076d92820 5 bytes JMP 0000000076ef0260 .text C:\Windows\system32\svchost.exe[1204] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076d92830 5 bytes JMP 0000000076ef0270 .text C:\Windows\system32\svchost.exe[1204] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076d92840 5 bytes JMP 0000000076ef0400 .text C:\Windows\system32\svchost.exe[1204] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076d92a00 5 bytes JMP 0000000076ef01f0 .text C:\Windows\system32\svchost.exe[1204] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076d92a10 5 bytes JMP 0000000076ef0210 .text C:\Windows\system32\svchost.exe[1204] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076d92a80 5 bytes JMP 0000000076ef0200 .text C:\Windows\system32\svchost.exe[1204] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076d92ae0 5 
bytes JMP 0000000076ef0420 .text C:\Windows\system32\svchost.exe[1204] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076d92af0 5 bytes JMP 0000000076ef0430 .text C:\Windows\system32\svchost.exe[1204] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076d92b00 5 bytes JMP 0000000076ef0220 .text C:\Windows\system32\svchost.exe[1204] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076d92be0 5 bytes JMP 0000000076ef0280 .text C:\Windows\system32\svchost.exe[1204] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000768ceecd 1 byte [62] .text C:\Windows\System32\spoolsv.exe[1404] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076d913c0 5 bytes JMP 0000000076ef0470 .text C:\Windows\System32\spoolsv.exe[1404] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076d91410 5 bytes JMP 0000000076ef0460 .text C:\Windows\System32\spoolsv.exe[1404] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076d91570 5 bytes JMP 0000000076ef0370 .text C:\Windows\System32\spoolsv.exe[1404] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076d915c0 5 bytes JMP 0000000076ef0480 .text C:\Windows\System32\spoolsv.exe[1404] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076d915d0 5 bytes JMP 0000000076ef03e0 .text C:\Windows\System32\spoolsv.exe[1404] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076d91680 5 bytes JMP 0000000076ef0320 .text C:\Windows\System32\spoolsv.exe[1404] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076d916b0 5 bytes JMP 0000000076ef03b0 .text C:\Windows\System32\spoolsv.exe[1404] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076d916d0 5 bytes JMP 0000000076ef0390 .text C:\Windows\System32\spoolsv.exe[1404] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076d91710 5 bytes JMP 0000000076ef02e0 .text C:\Windows\System32\spoolsv.exe[1404] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076d91760 5 bytes JMP 0000000076ef0440 .text C:\Windows\System32\spoolsv.exe[1404] 
C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076d91790 5 bytes JMP 0000000076ef02d0 .text C:\Windows\System32\spoolsv.exe[1404] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076d917b0 5 bytes JMP 0000000076ef0310 .text C:\Windows\System32\spoolsv.exe[1404] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076d917f0 5 bytes JMP 0000000076ef03c0 .text C:\Windows\System32\spoolsv.exe[1404] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076d91840 5 bytes JMP 0000000076ef03f0 .text C:\Windows\System32\spoolsv.exe[1404] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076d919a0 1 byte JMP 0000000076ef0230 .text C:\Windows\System32\spoolsv.exe[1404] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076d919a2 3 bytes {JMP 0x15e890} .text C:\Windows\System32\spoolsv.exe[1404] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076d91b60 5 bytes JMP 0000000076ef0490 .text C:\Windows\System32\spoolsv.exe[1404] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076d91b90 5 bytes JMP 0000000076ef03a0 .text C:\Windows\System32\spoolsv.exe[1404] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076d91c70 5 bytes JMP 0000000076ef02f0 .text C:\Windows\System32\spoolsv.exe[1404] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076d91c80 5 bytes JMP 0000000076ef0350 .text C:\Windows\System32\spoolsv.exe[1404] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076d91ce0 5 bytes JMP 0000000076ef0290 .text C:\Windows\System32\spoolsv.exe[1404] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076d91d70 5 bytes JMP 0000000076ef02b0 .text C:\Windows\System32\spoolsv.exe[1404] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076d91d90 5 bytes JMP 0000000076ef03d0 .text C:\Windows\System32\spoolsv.exe[1404] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076d91da0 1 byte JMP 0000000076ef0330 .text C:\Windows\System32\spoolsv.exe[1404] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076d91da2 3 bytes 
{JMP 0x15e590} .text C:\Windows\System32\spoolsv.exe[1404] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076d91e10 5 bytes JMP 0000000076ef0410 .text C:\Windows\System32\spoolsv.exe[1404] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076d91e40 5 bytes JMP 0000000076ef0240 .text C:\Windows\System32\spoolsv.exe[1404] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076d92100 5 bytes JMP 0000000076ef01e0 .text C:\Windows\System32\spoolsv.exe[1404] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076d921c0 1 byte JMP 0000000076ef0250 .text C:\Windows\System32\spoolsv.exe[1404] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076d921c2 3 bytes {JMP 0x15e090} .text C:\Windows\System32\spoolsv.exe[1404] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076d921f0 5 bytes JMP 0000000076ef04a0 .text C:\Windows\System32\spoolsv.exe[1404] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076d92200 5 bytes JMP 0000000076ef04b0 .text C:\Windows\System32\spoolsv.exe[1404] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076d92230 5 bytes JMP 0000000076ef0300 .text C:\Windows\System32\spoolsv.exe[1404] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076d92240 5 bytes JMP 0000000076ef0360 .text C:\Windows\System32\spoolsv.exe[1404] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076d922a0 5 bytes JMP 0000000076ef02a0 .text C:\Windows\System32\spoolsv.exe[1404] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076d922f0 5 bytes JMP 0000000076ef02c0 .text C:\Windows\System32\spoolsv.exe[1404] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076d92320 5 bytes JMP 0000000076ef0380 .text C:\Windows\System32\spoolsv.exe[1404] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076d92330 5 bytes JMP 0000000076ef0340 .text C:\Windows\System32\spoolsv.exe[1404] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076d92620 5 bytes JMP 0000000076ef0450 .text C:\Windows\System32\spoolsv.exe[1404] 
C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076d92820 5 bytes JMP 0000000076ef0260 .text C:\Windows\System32\spoolsv.exe[1404] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076d92830 5 bytes JMP 0000000076ef0270 .text C:\Windows\System32\spoolsv.exe[1404] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076d92840 5 bytes JMP 0000000076ef0400 .text C:\Windows\System32\spoolsv.exe[1404] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076d92a00 5 bytes JMP 0000000076ef01f0 .text C:\Windows\System32\spoolsv.exe[1404] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076d92a10 5 bytes JMP 0000000076ef0210 .text C:\Windows\System32\spoolsv.exe[1404] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076d92a80 5 bytes JMP 0000000076ef0200 .text C:\Windows\System32\spoolsv.exe[1404] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076d92ae0 5 bytes JMP 0000000076ef0420 .text C:\Windows\System32\spoolsv.exe[1404] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076d92af0 5 bytes JMP 0000000076ef0430 .text C:\Windows\System32\spoolsv.exe[1404] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076d92b00 5 bytes JMP 0000000076ef0220 .text C:\Windows\System32\spoolsv.exe[1404] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076d92be0 5 bytes JMP 0000000076ef0280 .text C:\Windows\System32\spoolsv.exe[1404] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000768ceecd 1 byte [62] .text C:\Windows\system32\svchost.exe[1436] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076d913c0 5 bytes JMP 0000000100070470 .text C:\Windows\system32\svchost.exe[1436] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076d91410 5 bytes JMP 0000000100070460 .text C:\Windows\system32\svchost.exe[1436] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076d91570 5 bytes JMP 0000000100070370 .text C:\Windows\system32\svchost.exe[1436] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076d915c0 5 
bytes JMP 0000000100070480 .text C:\Windows\system32\svchost.exe[1436] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076d915d0 5 bytes JMP 00000001000703e0 .text C:\Windows\system32\svchost.exe[1436] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076d91680 5 bytes JMP 0000000100070320 .text C:\Windows\system32\svchost.exe[1436] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076d916b0 5 bytes JMP 00000001000703b0 .text C:\Windows\system32\svchost.exe[1436] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076d916d0 5 bytes JMP 0000000100070390 .text C:\Windows\system32\svchost.exe[1436] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076d91710 5 bytes JMP 00000001000702e0 .text C:\Windows\system32\svchost.exe[1436] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076d91760 5 bytes JMP 0000000100070440 .text C:\Windows\system32\svchost.exe[1436] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076d91790 5 bytes JMP 00000001000702d0 .text C:\Windows\system32\svchost.exe[1436] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076d917b0 5 bytes JMP 0000000100070310 .text C:\Windows\system32\svchost.exe[1436] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076d917f0 5 bytes JMP 00000001000703c0 .text C:\Windows\system32\svchost.exe[1436] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076d91840 5 bytes JMP 00000001000703f0 .text C:\Windows\system32\svchost.exe[1436] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076d919a0 1 byte JMP 0000000100070230 .text C:\Windows\system32\svchost.exe[1436] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076d919a2 3 bytes {JMP 0xffffffff892de890} .text C:\Windows\system32\svchost.exe[1436] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076d91b60 5 bytes JMP 0000000100070490 .text C:\Windows\system32\svchost.exe[1436] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076d91b90 5 bytes JMP 00000001000703a0 .text 
C:\Windows\system32\svchost.exe[1436] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076d91c70 5 bytes JMP 00000001000702f0 .text C:\Windows\system32\svchost.exe[1436] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076d91c80 5 bytes JMP 0000000100070350 .text C:\Windows\system32\svchost.exe[1436] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076d91ce0 5 bytes JMP 0000000100070290 .text C:\Windows\system32\svchost.exe[1436] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076d91d70 5 bytes JMP 00000001000702b0 .text C:\Windows\system32\svchost.exe[1436] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076d91d90 5 bytes JMP 00000001000703d0 .text C:\Windows\system32\svchost.exe[1436] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076d91da0 1 byte JMP 0000000100070330 .text C:\Windows\system32\svchost.exe[1436] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076d91da2 3 bytes {JMP 0xffffffff892de590} .text C:\Windows\system32\svchost.exe[1436] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076d91e10 5 bytes JMP 0000000100070410 .text C:\Windows\system32\svchost.exe[1436] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076d91e40 5 bytes JMP 0000000100070240 .text C:\Windows\system32\svchost.exe[1436] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076d92100 5 bytes JMP 00000001000701e0 .text C:\Windows\system32\svchost.exe[1436] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076d921c0 1 byte JMP 0000000100070250 .text C:\Windows\system32\svchost.exe[1436] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076d921c2 3 bytes {JMP 0xffffffff892de090} .text C:\Windows\system32\svchost.exe[1436] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076d921f0 5 bytes JMP 00000001000704a0 .text C:\Windows\system32\svchost.exe[1436] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076d92200 5 bytes JMP 00000001000704b0 .text C:\Windows\system32\svchost.exe[1436] 
C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076d92230 5 bytes JMP 0000000100070300 .text C:\Windows\system32\svchost.exe[1436] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076d92240 5 bytes JMP 0000000100070360 .text C:\Windows\system32\svchost.exe[1436] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076d922a0 5 bytes JMP 00000001000702a0 .text C:\Windows\system32\svchost.exe[1436] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076d922f0 5 bytes JMP 00000001000702c0 .text C:\Windows\system32\svchost.exe[1436] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076d92320 5 bytes JMP 0000000100070380 .text C:\Windows\system32\svchost.exe[1436] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076d92330 5 bytes JMP 0000000100070340 .text C:\Windows\system32\svchost.exe[1436] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076d92620 5 bytes JMP 0000000100070450 .text C:\Windows\system32\svchost.exe[1436] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076d92820 5 bytes JMP 0000000100070260 .text C:\Windows\system32\svchost.exe[1436] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076d92830 5 bytes JMP 0000000100070270 .text C:\Windows\system32\svchost.exe[1436] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076d92840 5 bytes JMP 0000000100070400 .text C:\Windows\system32\svchost.exe[1436] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076d92a00 5 bytes JMP 00000001000701f0 .text C:\Windows\system32\svchost.exe[1436] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076d92a10 5 bytes JMP 0000000100070210 .text C:\Windows\system32\svchost.exe[1436] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076d92a80 5 bytes JMP 0000000100070200 .text C:\Windows\system32\svchost.exe[1436] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076d92ae0 5 bytes JMP 0000000100070420 .text C:\Windows\system32\svchost.exe[1436] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076d92af0 5 bytes JMP 
0000000100070430 .text C:\Windows\system32\svchost.exe[1436] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076d92b00 5 bytes JMP 0000000100070220 .text C:\Windows\system32\svchost.exe[1436] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076d92be0 5 bytes JMP 0000000100070280 .text C:\Windows\system32\svchost.exe[1436] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000768ceecd 1 byte [62] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1536] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007537a30a 1 byte [62] .text C:\Windows\system32\svchost.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076d913c0 5 bytes JMP 0000000076ef0470 .text C:\Windows\system32\svchost.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076d91410 5 bytes JMP 0000000076ef0460 .text C:\Windows\system32\svchost.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076d91570 5 bytes JMP 0000000076ef0370 .text C:\Windows\system32\svchost.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076d915c0 5 bytes JMP 0000000076ef0480 .text C:\Windows\system32\svchost.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076d915d0 5 bytes JMP 0000000076ef03e0 .text C:\Windows\system32\svchost.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076d91680 5 bytes JMP 0000000076ef0320 .text C:\Windows\system32\svchost.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076d916b0 5 bytes JMP 0000000076ef03b0 .text C:\Windows\system32\svchost.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076d916d0 5 bytes JMP 0000000076ef0390 .text C:\Windows\system32\svchost.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076d91710 5 bytes JMP 0000000076ef02e0 .text C:\Windows\system32\svchost.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076d91760 5 bytes JMP 0000000076ef0440 .text C:\Windows\system32\svchost.exe[1568] 
C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076d91790 5 bytes JMP 0000000076ef02d0 .text C:\Windows\system32\svchost.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076d917b0 5 bytes JMP 0000000076ef0310 .text C:\Windows\system32\svchost.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076d917f0 5 bytes JMP 0000000076ef03c0 .text C:\Windows\system32\svchost.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076d91840 5 bytes JMP 0000000076ef03f0 .text C:\Windows\system32\svchost.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076d919a0 1 byte JMP 0000000076ef0230 .text C:\Windows\system32\svchost.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076d919a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\svchost.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076d91b60 5 bytes JMP 0000000076ef0490 .text C:\Windows\system32\svchost.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076d91b90 5 bytes JMP 0000000076ef03a0 .text C:\Windows\system32\svchost.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076d91c70 5 bytes JMP 0000000076ef02f0 .text C:\Windows\system32\svchost.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076d91c80 5 bytes JMP 0000000076ef0350 .text C:\Windows\system32\svchost.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076d91ce0 5 bytes JMP 0000000076ef0290 .text C:\Windows\system32\svchost.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076d91d70 5 bytes JMP 0000000076ef02b0 .text C:\Windows\system32\svchost.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076d91d90 5 bytes JMP 0000000076ef03d0 .text C:\Windows\system32\svchost.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076d91da0 1 byte JMP 0000000076ef0330 .text C:\Windows\system32\svchost.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076d91da2 3 bytes 
{JMP 0x15e590} .text C:\Windows\system32\svchost.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076d91e10 5 bytes JMP 0000000076ef0410 .text C:\Windows\system32\svchost.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076d91e40 5 bytes JMP 0000000076ef0240 .text C:\Windows\system32\svchost.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076d92100 5 bytes JMP 0000000076ef01e0 .text C:\Windows\system32\svchost.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076d921c0 1 byte JMP 0000000076ef0250 .text C:\Windows\system32\svchost.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076d921c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\svchost.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076d921f0 5 bytes JMP 0000000076ef04a0 .text C:\Windows\system32\svchost.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076d92200 5 bytes JMP 0000000076ef04b0 .text C:\Windows\system32\svchost.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076d92230 5 bytes JMP 0000000076ef0300 .text C:\Windows\system32\svchost.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076d92240 5 bytes JMP 0000000076ef0360 .text C:\Windows\system32\svchost.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076d922a0 5 bytes JMP 0000000076ef02a0 .text C:\Windows\system32\svchost.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076d922f0 5 bytes JMP 0000000076ef02c0 .text C:\Windows\system32\svchost.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076d92320 5 bytes JMP 0000000076ef0380 .text C:\Windows\system32\svchost.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076d92330 5 bytes JMP 0000000076ef0340 .text C:\Windows\system32\svchost.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076d92620 5 bytes JMP 0000000076ef0450 .text C:\Windows\system32\svchost.exe[1568] 
C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076d92820 5 bytes JMP 0000000076ef0260 .text C:\Windows\system32\svchost.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076d92830 5 bytes JMP 0000000076ef0270 .text C:\Windows\system32\svchost.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076d92840 5 bytes JMP 0000000076ef0400 .text C:\Windows\system32\svchost.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076d92a00 5 bytes JMP 0000000076ef01f0 .text C:\Windows\system32\svchost.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076d92a10 5 bytes JMP 0000000076ef0210 .text C:\Windows\system32\svchost.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076d92a80 5 bytes JMP 0000000076ef0200 .text C:\Windows\system32\svchost.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076d92ae0 5 bytes JMP 0000000076ef0420 .text C:\Windows\system32\svchost.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076d92af0 5 bytes JMP 0000000076ef0430 .text C:\Windows\system32\svchost.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076d92b00 5 bytes JMP 0000000076ef0220 .text C:\Windows\system32\svchost.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076d92be0 5 bytes JMP 0000000076ef0280 .text C:\Windows\system32\svchost.exe[1568] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000768ceecd 1 byte [62] .text C:\Windows\SysWOW64\PnkBstrA.exe[1616] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007537a30a 1 byte [62] .text C:\Windows\SysWOW64\PnkBstrA.exe[1616] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 322 00000000741d1a22 2 bytes [1D, 74] .text C:\Windows\SysWOW64\PnkBstrA.exe[1616] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 496 00000000741d1ad0 2 bytes [1D, 74] .text C:\Windows\SysWOW64\PnkBstrA.exe[1616] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 552 00000000741d1b08 2 bytes [1D, 74] .text 
C:\Windows\SysWOW64\PnkBstrA.exe[1616] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 730 00000000741d1bba 2 bytes [1D, 74] .text C:\Windows\SysWOW64\PnkBstrA.exe[1616] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 762 00000000741d1bda 2 bytes [1D, 74] .text C:\Windows\system32\svchost.exe[1692] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000768ceecd 1 byte [62] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1736] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076d913c0 5 bytes JMP 0000000076ef0470 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1736] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076d91410 5 bytes JMP 0000000076ef0460 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1736] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076d91570 5 bytes JMP 0000000076ef0370 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1736] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076d915c0 5 bytes JMP 0000000076ef0480 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1736] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076d915d0 5 bytes JMP 0000000076ef03e0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1736] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076d91680 5 bytes JMP 0000000076ef0320 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1736] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076d916b0 5 bytes JMP 0000000076ef03b0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1736] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076d916d0 5 bytes JMP 0000000076ef0390 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1736] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076d91710 5 bytes JMP 0000000076ef02e0 .text C:\Program 
Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1736] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076d91760 5 bytes JMP 0000000076ef0440 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1736] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076d91790 5 bytes JMP 0000000076ef02d0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1736] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076d917b0 5 bytes JMP 0000000076ef0310 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1736] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076d917f0 5 bytes JMP 0000000076ef03c0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1736] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076d91840 5 bytes JMP 0000000076ef03f0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1736] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076d919a0 1 byte JMP 0000000076ef0230 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1736] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076d919a2 3 bytes {JMP 0x15e890} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1736] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076d91b60 5 bytes JMP 0000000076ef0490 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1736] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076d91b90 5 bytes JMP 0000000076ef03a0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1736] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076d91c70 5 bytes JMP 0000000076ef02f0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1736] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076d91c80 5 bytes JMP 0000000076ef0350 .text C:\Program Files\Common Files\Microsoft 
Shared\Windows Live\WLIDSVC.EXE[1736] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076d91ce0 5 bytes JMP 0000000076ef0290 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1736] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076d91d70 5 bytes JMP 0000000076ef02b0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1736] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076d91d90 5 bytes JMP 0000000076ef03d0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1736] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076d91da0 1 byte JMP 0000000076ef0330 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1736] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076d91da2 3 bytes {JMP 0x15e590} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1736] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076d91e10 5 bytes JMP 0000000076ef0410 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1736] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076d91e40 5 bytes JMP 0000000076ef0240 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1736] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076d92100 5 bytes JMP 0000000076ef01e0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1736] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076d921c0 1 byte JMP 0000000076ef0250 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1736] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076d921c2 3 bytes {JMP 0x15e090} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1736] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076d921f0 5 bytes JMP 0000000076ef04a0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1736] 
C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076d92200 5 bytes JMP 0000000076ef04b0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1736] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076d92230 5 bytes JMP 0000000076ef0300 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1736] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076d92240 5 bytes JMP 0000000076ef0360 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1736] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076d922a0 5 bytes JMP 0000000076ef02a0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1736] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076d922f0 5 bytes JMP 0000000076ef02c0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1736] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076d92320 5 bytes JMP 0000000076ef0380 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1736] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076d92330 5 bytes JMP 0000000076ef0340 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1736] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076d92620 5 bytes JMP 0000000076ef0450 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1736] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076d92820 5 bytes JMP 0000000076ef0260 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1736] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076d92830 5 bytes JMP 0000000076ef0270 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1736] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076d92840 5 bytes JMP 0000000076ef0400 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1736] 
C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076d92a00 5 bytes JMP 0000000076ef01f0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1736] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076d92a10 5 bytes JMP 0000000076ef0210 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1736] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076d92a80 5 bytes JMP 0000000076ef0200 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1736] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076d92ae0 5 bytes JMP 0000000076ef0420 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1736] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076d92af0 5 bytes JMP 0000000076ef0430 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1736] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076d92b00 5 bytes JMP 0000000076ef0220 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1736] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076d92be0 5 bytes JMP 0000000076ef0280 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1736] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000768ceecd 1 byte [62] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[2200] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076d913c0 5 bytes JMP 0000000076ef0470 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[2200] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076d91410 5 bytes JMP 0000000076ef0460 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[2200] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076d91570 5 bytes JMP 0000000076ef0370 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[2200] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076d915c0 5 bytes JMP 0000000076ef0480 .text 
C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[2200] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076d915d0 5 bytes JMP 0000000076ef03e0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[2200] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076d91680 5 bytes JMP 0000000076ef0320 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[2200] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076d916b0 5 bytes JMP 0000000076ef03b0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[2200] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076d916d0 5 bytes JMP 0000000076ef0390 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[2200] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076d91710 5 bytes JMP 0000000076ef02e0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[2200] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076d91760 5 bytes JMP 0000000076ef0440 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[2200] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076d91790 5 bytes JMP 0000000076ef02d0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[2200] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076d917b0 5 bytes JMP 0000000076ef0310 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[2200] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076d917f0 5 bytes JMP 0000000076ef03c0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[2200] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076d91840 5 bytes JMP 0000000076ef03f0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[2200] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076d919a0 1 byte JMP 0000000076ef0230 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[2200] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076d919a2 3 bytes {JMP 0x15e890} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[2200] 
C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076d91b60 5 bytes JMP 0000000076ef0490 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[2200] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076d91b90 5 bytes JMP 0000000076ef03a0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[2200] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076d91c70 5 bytes JMP 0000000076ef02f0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[2200] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076d91c80 5 bytes JMP 0000000076ef0350 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[2200] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076d91ce0 5 bytes JMP 0000000076ef0290 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[2200] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076d91d70 5 bytes JMP 0000000076ef02b0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[2200] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076d91d90 5 bytes JMP 0000000076ef03d0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[2200] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076d91da0 1 byte JMP 0000000076ef0330 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[2200] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076d91da2 3 bytes {JMP 0x15e590} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[2200] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076d91e10 5 bytes JMP 0000000076ef0410 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[2200] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076d91e40 5 bytes JMP 0000000076ef0240 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[2200] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076d92100 5 bytes JMP 0000000076ef01e0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[2200] 
C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076d921c0 1 byte JMP 0000000076ef0250 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[2200] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076d921c2 3 bytes {JMP 0x15e090} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[2200] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076d921f0 5 bytes JMP 0000000076ef04a0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[2200] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076d92200 5 bytes JMP 0000000076ef04b0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[2200] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076d92230 5 bytes JMP 0000000076ef0300 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[2200] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076d92240 5 bytes JMP 0000000076ef0360 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[2200] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076d922a0 5 bytes JMP 0000000076ef02a0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[2200] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076d922f0 5 bytes JMP 0000000076ef02c0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[2200] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076d92320 5 bytes JMP 0000000076ef0380 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[2200] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076d92330 5 bytes JMP 0000000076ef0340 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[2200] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076d92620 5 bytes JMP 0000000076ef0450 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[2200] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076d92820 5 bytes JMP 0000000076ef0260 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[2200] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 
0000000076d92830 5 bytes JMP 0000000076ef0270 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[2200] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076d92840 5 bytes JMP 0000000076ef0400 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[2200] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076d92a00 5 bytes JMP 0000000076ef01f0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[2200] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076d92a10 5 bytes JMP 0000000076ef0210 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[2200] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076d92a80 5 bytes JMP 0000000076ef0200 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[2200] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076d92ae0 5 bytes JMP 0000000076ef0420 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[2200] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076d92af0 5 bytes JMP 0000000076ef0430 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[2200] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076d92b00 5 bytes JMP 0000000076ef0220 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[2200] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076d92be0 5 bytes JMP 0000000076ef0280 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[2200] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000768ceecd 1 byte [62] .text C:\Windows\system32\nvvsvc.exe[2208] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076d913c0 5 bytes JMP 0000000076ef0470 .text C:\Windows\system32\nvvsvc.exe[2208] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076d91410 5 bytes JMP 0000000076ef0460 .text C:\Windows\system32\nvvsvc.exe[2208] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076d91570 5 bytes JMP 0000000076ef0370 .text C:\Windows\system32\nvvsvc.exe[2208] 
C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076d915c0 5 bytes JMP 0000000076ef0480 .text C:\Windows\system32\nvvsvc.exe[2208] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076d915d0 5 bytes JMP 0000000076ef03e0 .text C:\Windows\system32\nvvsvc.exe[2208] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076d91680 5 bytes JMP 0000000076ef0320 .text C:\Windows\system32\nvvsvc.exe[2208] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076d916b0 5 bytes JMP 0000000076ef03b0 .text C:\Windows\system32\nvvsvc.exe[2208] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076d916d0 5 bytes JMP 0000000076ef0390 .text C:\Windows\system32\nvvsvc.exe[2208] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076d91710 5 bytes JMP 0000000076ef02e0 .text C:\Windows\system32\nvvsvc.exe[2208] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076d91760 5 bytes JMP 0000000076ef0440 .text C:\Windows\system32\nvvsvc.exe[2208] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076d91790 5 bytes JMP 0000000076ef02d0 .text C:\Windows\system32\nvvsvc.exe[2208] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076d917b0 5 bytes JMP 0000000076ef0310 .text C:\Windows\system32\nvvsvc.exe[2208] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076d917f0 5 bytes JMP 0000000076ef03c0 .text C:\Windows\system32\nvvsvc.exe[2208] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076d91840 5 bytes JMP 0000000076ef03f0 .text C:\Windows\system32\nvvsvc.exe[2208] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076d919a0 1 byte JMP 0000000076ef0230 .text C:\Windows\system32\nvvsvc.exe[2208] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076d919a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\nvvsvc.exe[2208] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076d91b60 5 bytes JMP 0000000076ef0490 .text C:\Windows\system32\nvvsvc.exe[2208] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076d91b90 5 bytes JMP 
0000000076ef03a0 .text C:\Windows\system32\nvvsvc.exe[2208] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076d91c70 5 bytes JMP 0000000076ef02f0 .text C:\Windows\system32\nvvsvc.exe[2208] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076d91c80 5 bytes JMP 0000000076ef0350 .text C:\Windows\system32\nvvsvc.exe[2208] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076d91ce0 5 bytes JMP 0000000076ef0290 .text C:\Windows\system32\nvvsvc.exe[2208] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076d91d70 5 bytes JMP 0000000076ef02b0 .text C:\Windows\system32\nvvsvc.exe[2208] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076d91d90 5 bytes JMP 0000000076ef03d0 .text C:\Windows\system32\nvvsvc.exe[2208] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076d91da0 1 byte JMP 0000000076ef0330 .text C:\Windows\system32\nvvsvc.exe[2208] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076d91da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\nvvsvc.exe[2208] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076d91e10 5 bytes JMP 0000000076ef0410 .text C:\Windows\system32\nvvsvc.exe[2208] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076d91e40 5 bytes JMP 0000000076ef0240 .text C:\Windows\system32\nvvsvc.exe[2208] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076d92100 5 bytes JMP 0000000076ef01e0 .text C:\Windows\system32\nvvsvc.exe[2208] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076d921c0 1 byte JMP 0000000076ef0250 .text C:\Windows\system32\nvvsvc.exe[2208] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076d921c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\nvvsvc.exe[2208] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076d921f0 5 bytes JMP 0000000076ef04a0 .text C:\Windows\system32\nvvsvc.exe[2208] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076d92200 5 bytes JMP 0000000076ef04b0 .text C:\Windows\system32\nvvsvc.exe[2208] 
C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076d92230 5 bytes JMP 0000000076ef0300 .text C:\Windows\system32\nvvsvc.exe[2208] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076d92240 5 bytes JMP 0000000076ef0360 .text C:\Windows\system32\nvvsvc.exe[2208] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076d922a0 5 bytes JMP 0000000076ef02a0 .text C:\Windows\system32\nvvsvc.exe[2208] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076d922f0 5 bytes JMP 0000000076ef02c0 .text C:\Windows\system32\nvvsvc.exe[2208] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076d92320 5 bytes JMP 0000000076ef0380 .text C:\Windows\system32\nvvsvc.exe[2208] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076d92330 5 bytes JMP 0000000076ef0340 .text C:\Windows\system32\nvvsvc.exe[2208] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076d92620 5 bytes JMP 0000000076ef0450 .text C:\Windows\system32\nvvsvc.exe[2208] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076d92820 5 bytes JMP 0000000076ef0260 .text C:\Windows\system32\nvvsvc.exe[2208] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076d92830 5 bytes JMP 0000000076ef0270 .text C:\Windows\system32\nvvsvc.exe[2208] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076d92840 5 bytes JMP 0000000076ef0400 .text C:\Windows\system32\nvvsvc.exe[2208] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076d92a00 5 bytes JMP 0000000076ef01f0 .text C:\Windows\system32\nvvsvc.exe[2208] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076d92a10 5 bytes JMP 0000000076ef0210 .text C:\Windows\system32\nvvsvc.exe[2208] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076d92a80 5 bytes JMP 0000000076ef0200 .text C:\Windows\system32\nvvsvc.exe[2208] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076d92ae0 5 bytes JMP 0000000076ef0420 .text C:\Windows\system32\nvvsvc.exe[2208] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076d92af0 5 bytes JMP 
0000000076ef0430 .text C:\Windows\system32\nvvsvc.exe[2208] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076d92b00 5 bytes JMP 0000000076ef0220 .text C:\Windows\system32\nvvsvc.exe[2208] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076d92be0 5 bytes JMP 0000000076ef0280 .text C:\Windows\system32\nvvsvc.exe[2208] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000768ceecd 1 byte [62] .text C:\Windows\system32\Dwm.exe[2544] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076d913c0 5 bytes JMP 0000000076ef0470 .text C:\Windows\system32\Dwm.exe[2544] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076d91410 5 bytes JMP 0000000076ef0460 .text C:\Windows\system32\Dwm.exe[2544] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076d91570 5 bytes JMP 0000000076ef0370 .text C:\Windows\system32\Dwm.exe[2544] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076d915c0 5 bytes JMP 0000000076ef0480 .text C:\Windows\system32\Dwm.exe[2544] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076d915d0 5 bytes JMP 0000000076ef03e0 .text C:\Windows\system32\Dwm.exe[2544] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076d91680 5 bytes JMP 0000000076ef0320 .text C:\Windows\system32\Dwm.exe[2544] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076d916b0 5 bytes JMP 0000000076ef03b0 .text C:\Windows\system32\Dwm.exe[2544] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076d916d0 5 bytes JMP 0000000076ef0390 .text C:\Windows\system32\Dwm.exe[2544] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076d91710 5 bytes JMP 0000000076ef02e0 .text C:\Windows\system32\Dwm.exe[2544] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076d91760 5 bytes JMP 0000000076ef0440 .text C:\Windows\system32\Dwm.exe[2544] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076d91790 5 bytes JMP 0000000076ef02d0 .text C:\Windows\system32\Dwm.exe[2544] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076d917b0 5 bytes JMP 
0000000076ef0310 .text C:\Windows\system32\Dwm.exe[2544] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076d917f0 5 bytes JMP 0000000076ef03c0 .text C:\Windows\system32\Dwm.exe[2544] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076d91840 5 bytes JMP 0000000076ef03f0 .text C:\Windows\system32\Dwm.exe[2544] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076d919a0 1 byte JMP 0000000076ef0230 .text C:\Windows\system32\Dwm.exe[2544] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076d919a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\Dwm.exe[2544] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076d91b60 5 bytes JMP 0000000076ef0490 .text C:\Windows\system32\Dwm.exe[2544] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076d91b90 5 bytes JMP 0000000076ef03a0 .text C:\Windows\system32\Dwm.exe[2544] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076d91c70 5 bytes JMP 0000000076ef02f0 .text C:\Windows\system32\Dwm.exe[2544] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076d91c80 5 bytes JMP 0000000076ef0350 .text C:\Windows\system32\Dwm.exe[2544] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076d91ce0 5 bytes JMP 0000000076ef0290 .text C:\Windows\system32\Dwm.exe[2544] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076d91d70 5 bytes JMP 0000000076ef02b0 .text C:\Windows\system32\Dwm.exe[2544] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076d91d90 5 bytes JMP 0000000076ef03d0 .text C:\Windows\system32\Dwm.exe[2544] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076d91da0 1 byte JMP 0000000076ef0330 .text C:\Windows\system32\Dwm.exe[2544] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076d91da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\Dwm.exe[2544] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076d91e10 5 bytes JMP 0000000076ef0410 .text C:\Windows\system32\Dwm.exe[2544] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076d91e40 5 
bytes JMP 0000000076ef0240 .text C:\Windows\system32\Dwm.exe[2544] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076d92100 5 bytes JMP 0000000076ef01e0 .text C:\Windows\system32\Dwm.exe[2544] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076d921c0 1 byte JMP 0000000076ef0250 .text C:\Windows\system32\Dwm.exe[2544] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076d921c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\Dwm.exe[2544] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076d921f0 5 bytes JMP 0000000076ef04a0 .text C:\Windows\system32\Dwm.exe[2544] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076d92200 5 bytes JMP 0000000076ef04b0 .text C:\Windows\system32\Dwm.exe[2544] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076d92230 5 bytes JMP 0000000076ef0300 .text C:\Windows\system32\Dwm.exe[2544] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076d92240 5 bytes JMP 0000000076ef0360 .text C:\Windows\system32\Dwm.exe[2544] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076d922a0 5 bytes JMP 0000000076ef02a0 .text C:\Windows\system32\Dwm.exe[2544] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076d922f0 5 bytes JMP 0000000076ef02c0 .text C:\Windows\system32\Dwm.exe[2544] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076d92320 5 bytes JMP 0000000076ef0380 .text C:\Windows\system32\Dwm.exe[2544] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076d92330 5 bytes JMP 0000000076ef0340 .text C:\Windows\system32\Dwm.exe[2544] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076d92620 5 bytes JMP 0000000076ef0450 .text C:\Windows\system32\Dwm.exe[2544] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076d92820 5 bytes JMP 0000000076ef0260 .text C:\Windows\system32\Dwm.exe[2544] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076d92830 5 bytes JMP 0000000076ef0270 .text C:\Windows\system32\Dwm.exe[2544] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076d92840 5 
bytes JMP 0000000076ef0400 .text C:\Windows\system32\Dwm.exe[2544] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076d92a00 5 bytes JMP 0000000076ef01f0 .text C:\Windows\system32\Dwm.exe[2544] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076d92a10 5 bytes JMP 0000000076ef0210 .text C:\Windows\system32\Dwm.exe[2544] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076d92a80 5 bytes JMP 0000000076ef0200 .text C:\Windows\system32\Dwm.exe[2544] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076d92ae0 5 bytes JMP 0000000076ef0420 .text C:\Windows\system32\Dwm.exe[2544] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076d92af0 5 bytes JMP 0000000076ef0430 .text C:\Windows\system32\Dwm.exe[2544] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076d92b00 5 bytes JMP 0000000076ef0220 .text C:\Windows\system32\Dwm.exe[2544] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076d92be0 5 bytes JMP 0000000076ef0280 .text C:\Windows\system32\taskhost.exe[2552] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076d913c0 5 bytes JMP 0000000076ef0470 .text C:\Windows\system32\taskhost.exe[2552] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076d91410 5 bytes JMP 0000000076ef0460 .text C:\Windows\system32\taskhost.exe[2552] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076d91570 5 bytes JMP 0000000076ef0370 .text C:\Windows\system32\taskhost.exe[2552] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076d915c0 5 bytes JMP 0000000076ef0480 .text C:\Windows\system32\taskhost.exe[2552] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076d915d0 5 bytes JMP 0000000076ef03e0 .text C:\Windows\system32\taskhost.exe[2552] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076d91680 5 bytes JMP 0000000076ef0320 .text C:\Windows\system32\taskhost.exe[2552] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076d916b0 5 bytes JMP 0000000076ef03b0 .text C:\Windows\system32\taskhost.exe[2552] 
C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076d916d0 5 bytes JMP 0000000076ef0390 .text C:\Windows\system32\taskhost.exe[2552] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076d91710 5 bytes JMP 0000000076ef02e0 .text C:\Windows\system32\taskhost.exe[2552] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076d91760 5 bytes JMP 0000000076ef0440 .text C:\Windows\system32\taskhost.exe[2552] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076d91790 5 bytes JMP 0000000076ef02d0 .text C:\Windows\system32\taskhost.exe[2552] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076d917b0 5 bytes JMP 0000000076ef0310 .text C:\Windows\system32\taskhost.exe[2552] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076d917f0 5 bytes JMP 0000000076ef03c0 .text C:\Windows\system32\taskhost.exe[2552] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076d91840 5 bytes JMP 0000000076ef03f0 .text C:\Windows\system32\taskhost.exe[2552] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076d919a0 1 byte JMP 0000000076ef0230 .text C:\Windows\system32\taskhost.exe[2552] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076d919a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\taskhost.exe[2552] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076d91b60 5 bytes JMP 0000000076ef0490 .text C:\Windows\system32\taskhost.exe[2552] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076d91b90 5 bytes JMP 0000000076ef03a0 .text C:\Windows\system32\taskhost.exe[2552] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076d91c70 5 bytes JMP 0000000076ef02f0 .text C:\Windows\system32\taskhost.exe[2552] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076d91c80 5 bytes JMP 0000000076ef0350 .text C:\Windows\system32\taskhost.exe[2552] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076d91ce0 5 bytes JMP 0000000076ef0290 .text C:\Windows\system32\taskhost.exe[2552] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 
0000000076d91d70 5 bytes JMP 0000000076ef02b0 .text C:\Windows\system32\taskhost.exe[2552] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076d91d90 5 bytes JMP 0000000076ef03d0 .text C:\Windows\system32\taskhost.exe[2552] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076d91da0 1 byte JMP 0000000076ef0330 .text C:\Windows\system32\taskhost.exe[2552] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076d91da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\taskhost.exe[2552] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076d91e10 5 bytes JMP 0000000076ef0410 .text C:\Windows\system32\taskhost.exe[2552] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076d91e40 5 bytes JMP 0000000076ef0240 .text C:\Windows\system32\taskhost.exe[2552] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076d92100 5 bytes JMP 0000000076ef01e0 .text C:\Windows\system32\taskhost.exe[2552] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076d921c0 1 byte JMP 0000000076ef0250 .text C:\Windows\system32\taskhost.exe[2552] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076d921c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\taskhost.exe[2552] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076d921f0 5 bytes JMP 0000000076ef04a0 .text C:\Windows\system32\taskhost.exe[2552] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076d92200 5 bytes JMP 0000000076ef04b0 .text C:\Windows\system32\taskhost.exe[2552] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076d92230 5 bytes JMP 0000000076ef0300 .text C:\Windows\system32\taskhost.exe[2552] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076d92240 5 bytes JMP 0000000076ef0360 .text C:\Windows\system32\taskhost.exe[2552] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076d922a0 5 bytes JMP 0000000076ef02a0 .text C:\Windows\system32\taskhost.exe[2552] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076d922f0 5 bytes JMP 0000000076ef02c0 .text 
C:\Windows\system32\taskhost.exe[2552] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076d92320 5 bytes JMP 0000000076ef0380 .text C:\Windows\system32\taskhost.exe[2552] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076d92330 5 bytes JMP 0000000076ef0340 .text C:\Windows\system32\taskhost.exe[2552] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076d92620 5 bytes JMP 0000000076ef0450 .text C:\Windows\system32\taskhost.exe[2552] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076d92820 5 bytes JMP 0000000076ef0260 .text C:\Windows\system32\taskhost.exe[2552] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076d92830 5 bytes JMP 0000000076ef0270 .text C:\Windows\system32\taskhost.exe[2552] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076d92840 5 bytes JMP 0000000076ef0400 .text C:\Windows\system32\taskhost.exe[2552] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076d92a00 5 bytes JMP 0000000076ef01f0 .text C:\Windows\system32\taskhost.exe[2552] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076d92a10 5 bytes JMP 0000000076ef0210 .text C:\Windows\system32\taskhost.exe[2552] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076d92a80 5 bytes JMP 0000000076ef0200 .text C:\Windows\system32\taskhost.exe[2552] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076d92ae0 5 bytes JMP 0000000076ef0420 .text C:\Windows\system32\taskhost.exe[2552] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076d92af0 5 bytes JMP 0000000076ef0430 .text C:\Windows\system32\taskhost.exe[2552] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076d92b00 5 bytes JMP 0000000076ef0220 .text C:\Windows\system32\taskhost.exe[2552] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076d92be0 5 bytes JMP 0000000076ef0280 .text C:\Windows\system32\taskhost.exe[2552] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000768ceecd 1 byte [62] .text C:\Windows\Explorer.EXE[2652] 
C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076d913c0 5 bytes JMP 0000000076ef0470 .text C:\Windows\Explorer.EXE[2652] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076d91410 5 bytes JMP 0000000076ef0460 .text C:\Windows\Explorer.EXE[2652] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076d91570 5 bytes JMP 0000000076ef0370 .text C:\Windows\Explorer.EXE[2652] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076d915c0 5 bytes JMP 0000000076ef0480 .text C:\Windows\Explorer.EXE[2652] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076d915d0 5 bytes JMP 0000000076ef03e0 .text C:\Windows\Explorer.EXE[2652] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076d91680 5 bytes JMP 0000000076ef0320 .text C:\Windows\Explorer.EXE[2652] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076d916b0 5 bytes JMP 0000000076ef03b0 .text C:\Windows\Explorer.EXE[2652] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076d916d0 5 bytes JMP 0000000076ef0390 .text C:\Windows\Explorer.EXE[2652] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076d91710 5 bytes JMP 0000000076ef02e0 .text C:\Windows\Explorer.EXE[2652] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076d91760 5 bytes JMP 0000000076ef0440 .text C:\Windows\Explorer.EXE[2652] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076d91790 5 bytes JMP 0000000076ef02d0 .text C:\Windows\Explorer.EXE[2652] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076d917b0 5 bytes JMP 0000000076ef0310 .text C:\Windows\Explorer.EXE[2652] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076d917f0 5 bytes JMP 0000000076ef03c0 .text C:\Windows\Explorer.EXE[2652] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076d91840 5 bytes JMP 0000000076ef03f0 .text C:\Windows\Explorer.EXE[2652] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076d919a0 1 byte JMP 0000000076ef0230 .text C:\Windows\Explorer.EXE[2652] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076d919a2 
3 bytes {JMP 0x15e890} .text C:\Windows\Explorer.EXE[2652] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076d91b60 5 bytes JMP 0000000076ef0490 .text C:\Windows\Explorer.EXE[2652] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076d91b90 5 bytes JMP 0000000076ef03a0 .text C:\Windows\Explorer.EXE[2652] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076d91c70 5 bytes JMP 0000000076ef02f0 .text C:\Windows\Explorer.EXE[2652] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076d91c80 5 bytes JMP 0000000076ef0350 .text C:\Windows\Explorer.EXE[2652] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076d91ce0 5 bytes JMP 0000000076ef0290 .text C:\Windows\Explorer.EXE[2652] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076d91d70 5 bytes JMP 0000000076ef02b0 .text C:\Windows\Explorer.EXE[2652] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076d91d90 5 bytes JMP 0000000076ef03d0 .text C:\Windows\Explorer.EXE[2652] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076d91da0 1 byte JMP 0000000076ef0330 .text C:\Windows\Explorer.EXE[2652] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076d91da2 3 bytes {JMP 0x15e590} .text C:\Windows\Explorer.EXE[2652] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076d91e10 5 bytes JMP 0000000076ef0410 .text C:\Windows\Explorer.EXE[2652] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076d91e40 5 bytes JMP 0000000076ef0240 .text C:\Windows\Explorer.EXE[2652] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076d92100 5 bytes JMP 0000000076ef01e0 .text C:\Windows\Explorer.EXE[2652] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076d921c0 1 byte JMP 0000000076ef0250 .text C:\Windows\Explorer.EXE[2652] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076d921c2 3 bytes {JMP 0x15e090} .text C:\Windows\Explorer.EXE[2652] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076d921f0 5 bytes JMP 0000000076ef04a0 .text 
C:\Windows\Explorer.EXE[2652] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076d92200 5 bytes JMP 0000000076ef04b0 .text C:\Windows\Explorer.EXE[2652] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076d92230 5 bytes JMP 0000000076ef0300 .text C:\Windows\Explorer.EXE[2652] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076d92240 5 bytes JMP 0000000076ef0360 .text C:\Windows\Explorer.EXE[2652] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076d922a0 5 bytes JMP 0000000076ef02a0 .text C:\Windows\Explorer.EXE[2652] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076d922f0 5 bytes JMP 0000000076ef02c0 .text C:\Windows\Explorer.EXE[2652] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076d92320 5 bytes JMP 0000000076ef0380 .text C:\Windows\Explorer.EXE[2652] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076d92330 5 bytes JMP 0000000076ef0340 .text C:\Windows\Explorer.EXE[2652] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076d92620 5 bytes JMP 0000000076ef0450 .text C:\Windows\Explorer.EXE[2652] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076d92820 5 bytes JMP 0000000076ef0260 .text C:\Windows\Explorer.EXE[2652] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076d92830 5 bytes JMP 0000000076ef0270 .text C:\Windows\Explorer.EXE[2652] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076d92840 5 bytes JMP 0000000076ef0400 .text C:\Windows\Explorer.EXE[2652] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076d92a00 5 bytes JMP 0000000076ef01f0 .text C:\Windows\Explorer.EXE[2652] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076d92a10 5 bytes JMP 0000000076ef0210 .text C:\Windows\Explorer.EXE[2652] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076d92a80 5 bytes JMP 0000000076ef0200 .text C:\Windows\Explorer.EXE[2652] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076d92ae0 5 bytes JMP 0000000076ef0420 .text C:\Windows\Explorer.EXE[2652] 
C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076d92af0 5 bytes JMP 0000000076ef0430 .text C:\Windows\Explorer.EXE[2652] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076d92b00 5 bytes JMP 0000000076ef0220 .text C:\Windows\Explorer.EXE[2652] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076d92be0 5 bytes JMP 0000000076ef0280 .text C:\Windows\Explorer.EXE[2652] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000768ceecd 1 byte [62] .text C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe[2120] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076d913c0 5 bytes JMP 0000000076ef0470 .text C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe[2120] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076d91410 5 bytes JMP 0000000076ef0460 .text C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe[2120] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076d91570 5 bytes JMP 0000000076ef0370 .text C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe[2120] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076d915c0 5 bytes JMP 0000000076ef0480 .text C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe[2120] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076d915d0 5 bytes JMP 0000000076ef03e0 .text C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe[2120] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076d91680 5 bytes JMP 0000000076ef0320 .text C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe[2120] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076d916b0 5 bytes JMP 0000000076ef03b0 .text C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe[2120] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076d916d0 5 bytes JMP 0000000076ef0390 .text C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe[2120] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076d91710 5 bytes JMP 0000000076ef02e0 .text C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe[2120] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 
0000000076d91760 5 bytes JMP 0000000076ef0440 .text C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe[2120] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076d91790 5 bytes JMP 0000000076ef02d0 .text C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe[2120] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076d917b0 5 bytes JMP 0000000076ef0310 .text C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe[2120] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076d917f0 5 bytes JMP 0000000076ef03c0 .text C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe[2120] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076d91840 5 bytes JMP 0000000076ef03f0 .text C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe[2120] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076d919a0 1 byte JMP 0000000076ef0230 .text C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe[2120] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076d919a2 3 bytes {JMP 0x15e890} .text C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe[2120] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076d91b60 5 bytes JMP 0000000076ef0490 .text C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe[2120] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076d91b90 5 bytes JMP 0000000076ef03a0 .text C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe[2120] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076d91c70 5 bytes JMP 0000000076ef02f0 .text C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe[2120] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076d91c80 5 bytes JMP 0000000076ef0350 .text C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe[2120] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076d91ce0 5 bytes JMP 0000000076ef0290 .text C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe[2120] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076d91d70 5 bytes JMP 0000000076ef02b0 .text C:\Program Files 
(x86)\VIA\VIAudioi\VDeck\VDeck.exe[2120] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076d91d90 5 bytes JMP 0000000076ef03d0 .text C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe[2120] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076d91da0 1 byte JMP 0000000076ef0330 .text C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe[2120] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076d91da2 3 bytes {JMP 0x15e590} .text C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe[2120] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076d91e10 5 bytes JMP 0000000076ef0410 .text C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe[2120] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076d91e40 5 bytes JMP 0000000076ef0240 .text C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe[2120] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076d92100 5 bytes JMP 0000000076ef01e0 .text C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe[2120] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076d921c0 1 byte JMP 0000000076ef0250 .text C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe[2120] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076d921c2 3 bytes {JMP 0x15e090} .text C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe[2120] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076d921f0 5 bytes JMP 0000000076ef04a0 .text C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe[2120] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076d92200 5 bytes JMP 0000000076ef04b0 .text C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe[2120] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076d92230 5 bytes JMP 0000000076ef0300 .text C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe[2120] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076d92240 5 bytes JMP 0000000076ef0360 .text C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe[2120] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076d922a0 5 bytes JMP 
0000000076ef02a0 .text C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe[2120] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076d922f0 5 bytes JMP 0000000076ef02c0 .text C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe[2120] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076d92320 5 bytes JMP 0000000076ef0380 .text C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe[2120] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076d92330 5 bytes JMP 0000000076ef0340 .text C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe[2120] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076d92620 5 bytes JMP 0000000076ef0450 .text C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe[2120] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076d92820 5 bytes JMP 0000000076ef0260 .text C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe[2120] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076d92830 5 bytes JMP 0000000076ef0270 .text C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe[2120] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076d92840 5 bytes JMP 0000000076ef0400 .text C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe[2120] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076d92a00 5 bytes JMP 0000000076ef01f0 .text C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe[2120] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076d92a10 5 bytes JMP 0000000076ef0210 .text C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe[2120] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076d92a80 5 bytes JMP 0000000076ef0200 .text C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe[2120] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076d92ae0 5 bytes JMP 0000000076ef0420 .text C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe[2120] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076d92af0 5 bytes JMP 0000000076ef0430 .text C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe[2120] 
C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076d92b00 5 bytes JMP 0000000076ef0220 .text C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe[2120] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076d92be0 5 bytes JMP 0000000076ef0280 .text C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe[2120] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000768ceecd 1 byte [62] .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2108] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007537a30a 1 byte [62] .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2108] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000074a61465 2 bytes [A6, 74] .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2108] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000074a614bb 2 bytes [A6, 74] .text ... * 2 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2296] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076d913c0 5 bytes JMP 0000000076ef0470 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2296] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076d91410 5 bytes JMP 0000000076ef0460 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2296] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076d91570 5 bytes JMP 0000000076ef0370 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2296] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076d915c0 5 bytes JMP 0000000076ef0480 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2296] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076d915d0 5 bytes JMP 0000000076ef03e0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2296] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076d91680 5 bytes JMP 0000000076ef0320 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2296] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076d916b0 5 bytes JMP 0000000076ef03b0 .text 
C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2296] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076d916d0 5 bytes JMP 0000000076ef0390 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2296] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076d91710 5 bytes JMP 0000000076ef02e0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2296] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076d91760 5 bytes JMP 0000000076ef0440 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2296] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076d91790 5 bytes JMP 0000000076ef02d0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2296] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076d917b0 5 bytes JMP 0000000076ef0310 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2296] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076d917f0 5 bytes JMP 0000000076ef03c0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2296] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076d91840 5 bytes JMP 0000000076ef03f0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2296] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076d919a0 1 byte JMP 0000000076ef0230 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2296] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076d919a2 3 bytes {JMP 0x15e890} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2296] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076d91b60 5 bytes JMP 0000000076ef0490 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2296] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076d91b90 5 bytes JMP 0000000076ef03a0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2296] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076d91c70 5 bytes JMP 0000000076ef02f0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2296] 
C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076d91c80 5 bytes JMP 0000000076ef0350 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2296] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076d91ce0 5 bytes JMP 0000000076ef0290 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2296] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076d91d70 5 bytes JMP 0000000076ef02b0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2296] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076d91d90 5 bytes JMP 0000000076ef03d0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2296] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076d91da0 1 byte JMP 0000000076ef0330 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2296] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076d91da2 3 bytes {JMP 0x15e590} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2296] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076d91e10 5 bytes JMP 0000000076ef0410 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2296] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076d91e40 5 bytes JMP 0000000076ef0240 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2296] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076d92100 5 bytes JMP 0000000076ef01e0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2296] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076d921c0 1 byte JMP 0000000076ef0250 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2296] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076d921c2 3 bytes {JMP 0x15e090} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2296] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076d921f0 5 bytes JMP 0000000076ef04a0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2296] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076d92200 5 bytes 
JMP 0000000076ef04b0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2296] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076d92230 5 bytes JMP 0000000076ef0300 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2296] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076d92240 5 bytes JMP 0000000076ef0360 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2296] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076d922a0 5 bytes JMP 0000000076ef02a0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2296] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076d922f0 5 bytes JMP 0000000076ef02c0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2296] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076d92320 5 bytes JMP 0000000076ef0380 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2296] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076d92330 5 bytes JMP 0000000076ef0340 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2296] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076d92620 5 bytes JMP 0000000076ef0450 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2296] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076d92820 5 bytes JMP 0000000076ef0260 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2296] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076d92830 5 bytes JMP 0000000076ef0270 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2296] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076d92840 5 bytes JMP 0000000076ef0400 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2296] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076d92a00 5 bytes JMP 0000000076ef01f0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2296] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076d92a10 5 bytes JMP 0000000076ef0210 .text C:\Program Files\NVIDIA 
Corporation\Display\nvtray.exe[2296] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076d92a80 5 bytes JMP 0000000076ef0200 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2296] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076d92ae0 5 bytes JMP 0000000076ef0420 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2296] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076d92af0 5 bytes JMP 0000000076ef0430 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2296] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076d92b00 5 bytes JMP 0000000076ef0220 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2296] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076d92be0 5 bytes JMP 0000000076ef0280 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2296] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000768ceecd 1 byte [62] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2384] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007537a30a 1 byte [62] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2384] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000074a61465 2 bytes [A6, 74] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2384] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000074a614bb 2 bytes [A6, 74] .text ... 
* 2 .text C:\Windows\system32\SearchIndexer.exe[3100] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076d63ae0 5 bytes JMP 000000010026075c .text C:\Windows\system32\SearchIndexer.exe[3100] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000076d67a90 5 bytes JMP 00000001002603a4 .text C:\Windows\system32\SearchIndexer.exe[3100] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076d913c0 5 bytes JMP 0000000076ef0470 .text C:\Windows\system32\SearchIndexer.exe[3100] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076d91410 5 bytes JMP 0000000076ef0460 .text C:\Windows\system32\SearchIndexer.exe[3100] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000076d91490 5 bytes JMP 0000000100260b14 .text C:\Windows\system32\SearchIndexer.exe[3100] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000076d914f0 5 bytes JMP 0000000100260ecc .text C:\Windows\system32\SearchIndexer.exe[3100] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076d91570 5 bytes JMP 0000000076ef0370 .text C:\Windows\system32\SearchIndexer.exe[3100] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076d915c0 5 bytes JMP 0000000076ef0480 .text C:\Windows\system32\SearchIndexer.exe[3100] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076d915d0 5 bytes JMP 000000010026163c .text C:\Windows\system32\SearchIndexer.exe[3100] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076d91680 5 bytes JMP 0000000076ef0320 .text C:\Windows\system32\SearchIndexer.exe[3100] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076d916b0 5 bytes JMP 0000000076ef03b0 .text C:\Windows\system32\SearchIndexer.exe[3100] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076d916d0 5 bytes JMP 0000000076ef0390 .text C:\Windows\system32\SearchIndexer.exe[3100] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076d91710 5 bytes JMP 0000000076ef02e0 .text C:\Windows\system32\SearchIndexer.exe[3100] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076d91760 5 bytes JMP 
0000000076ef0440 .text C:\Windows\system32\SearchIndexer.exe[3100] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076d91790 5 bytes JMP 0000000076ef02d0 .text C:\Windows\system32\SearchIndexer.exe[3100] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076d917b0 5 bytes JMP 0000000076ef0310 .text C:\Windows\system32\SearchIndexer.exe[3100] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076d917f0 5 bytes JMP 0000000076ef03c0 .text C:\Windows\system32\SearchIndexer.exe[3100] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000076d91810 5 bytes JMP 0000000100261284 .text C:\Windows\system32\SearchIndexer.exe[3100] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076d91840 5 bytes JMP 0000000076ef03f0 .text C:\Windows\system32\SearchIndexer.exe[3100] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076d919a0 1 byte JMP 0000000076ef0230 .text C:\Windows\system32\SearchIndexer.exe[3100] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076d919a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\SearchIndexer.exe[3100] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076d91b60 5 bytes JMP 0000000076ef0490 .text C:\Windows\system32\SearchIndexer.exe[3100] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076d91b90 5 bytes JMP 0000000076ef03a0 .text C:\Windows\system32\SearchIndexer.exe[3100] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076d91c70 5 bytes JMP 0000000076ef02f0 .text C:\Windows\system32\SearchIndexer.exe[3100] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076d91c80 5 bytes JMP 0000000076ef0350 .text C:\Windows\system32\SearchIndexer.exe[3100] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076d91ce0 5 bytes JMP 0000000076ef0290 .text C:\Windows\system32\SearchIndexer.exe[3100] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076d91d70 5 bytes JMP 0000000076ef02b0 .text C:\Windows\system32\SearchIndexer.exe[3100] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 
0000000076d91d90 5 bytes JMP 0000000076ef03d0 .text C:\Windows\system32\SearchIndexer.exe[3100] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076d91da0 1 byte JMP 0000000076ef0330 .text C:\Windows\system32\SearchIndexer.exe[3100] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076d91da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\SearchIndexer.exe[3100] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076d91e10 5 bytes JMP 0000000076ef0410 .text C:\Windows\system32\SearchIndexer.exe[3100] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076d91e40 5 bytes JMP 0000000076ef0240 .text C:\Windows\system32\SearchIndexer.exe[3100] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076d92100 5 bytes JMP 0000000076ef01e0 .text C:\Windows\system32\SearchIndexer.exe[3100] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076d921c0 1 byte JMP 0000000076ef0250 .text C:\Windows\system32\SearchIndexer.exe[3100] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076d921c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\SearchIndexer.exe[3100] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076d921f0 5 bytes JMP 0000000076ef04a0 .text C:\Windows\system32\SearchIndexer.exe[3100] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076d92200 5 bytes JMP 0000000076ef04b0 .text C:\Windows\system32\SearchIndexer.exe[3100] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076d92230 5 bytes JMP 0000000076ef0300 .text C:\Windows\system32\SearchIndexer.exe[3100] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076d92240 5 bytes JMP 0000000076ef0360 .text C:\Windows\system32\SearchIndexer.exe[3100] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076d922a0 5 bytes JMP 0000000076ef02a0 .text C:\Windows\system32\SearchIndexer.exe[3100] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076d922f0 5 bytes JMP 0000000076ef02c0 .text C:\Windows\system32\SearchIndexer.exe[3100] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 
0000000076d92320 5 bytes JMP 0000000076ef0380 .text C:\Windows\system32\SearchIndexer.exe[3100] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076d92330 5 bytes JMP 0000000076ef0340 .text C:\Windows\system32\SearchIndexer.exe[3100] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076d92620 5 bytes JMP 0000000076ef0450 .text C:\Windows\system32\SearchIndexer.exe[3100] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076d92820 5 bytes JMP 0000000076ef0260 .text C:\Windows\system32\SearchIndexer.exe[3100] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076d92830 5 bytes JMP 0000000076ef0270 .text C:\Windows\system32\SearchIndexer.exe[3100] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076d92840 5 bytes JMP 00000001002619f4 .text C:\Windows\system32\SearchIndexer.exe[3100] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076d92a00 5 bytes JMP 0000000076ef01f0 .text C:\Windows\system32\SearchIndexer.exe[3100] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076d92a10 5 bytes JMP 0000000076ef0210 .text C:\Windows\system32\SearchIndexer.exe[3100] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076d92a80 5 bytes JMP 0000000076ef0200 .text C:\Windows\system32\SearchIndexer.exe[3100] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076d92ae0 5 bytes JMP 0000000076ef0420 .text C:\Windows\system32\SearchIndexer.exe[3100] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076d92af0 5 bytes JMP 0000000076ef0430 .text C:\Windows\system32\SearchIndexer.exe[3100] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076d92b00 5 bytes JMP 0000000076ef0220 .text C:\Windows\system32\SearchIndexer.exe[3100] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076d92be0 5 bytes JMP 0000000076ef0280 .text C:\Windows\system32\SearchIndexer.exe[3100] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 00000000768ceecd 1 byte [62] .text C:\Windows\system32\SearchIndexer.exe[3100] 
C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefdbe6e00 5 bytes JMP 000007ff7dc01dac .text C:\Windows\system32\SearchIndexer.exe[3100] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefdbe6f2c 5 bytes JMP 000007ff7dc00ecc .text C:\Windows\system32\SearchIndexer.exe[3100] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefdbe7220 5 bytes JMP 000007ff7dc01284 .text C:\Windows\system32\SearchIndexer.exe[3100] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefdbe739c 5 bytes JMP 000007ff7dc0163c .text C:\Windows\system32\SearchIndexer.exe[3100] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefdbe7538 5 bytes JMP 000007ff7dc019f4 .text C:\Windows\system32\SearchIndexer.exe[3100] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefdbe75e8 5 bytes JMP 000007ff7dc003a4 .text C:\Windows\system32\SearchIndexer.exe[3100] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefdbe790c 5 bytes JMP 000007ff7dc0075c .text C:\Windows\system32\SearchIndexer.exe[3100] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefdbe7ab4 5 bytes JMP 000007ff7dc00b14 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3248] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 00000000768ceecd 1 byte [62] .text C:\Windows\System32\svchost.exe[3680] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076d63ae0 5 bytes JMP 000000010017075c .text C:\Windows\System32\svchost.exe[3680] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000076d67a90 5 bytes JMP 00000001001703a4 .text C:\Windows\System32\svchost.exe[3680] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076d913c0 5 bytes JMP 0000000076ef0470 .text C:\Windows\System32\svchost.exe[3680] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076d91410 5 bytes JMP 0000000076ef0460 .text C:\Windows\System32\svchost.exe[3680] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000076d91490 5 bytes JMP 0000000100170b14 .text 
C:\Windows\System32\svchost.exe[3680] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000076d914f0 5 bytes JMP 0000000100170ecc .text C:\Windows\System32\svchost.exe[3680] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076d91570 5 bytes JMP 0000000076ef0370 .text C:\Windows\System32\svchost.exe[3680] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076d915c0 5 bytes JMP 0000000076ef0480 .text C:\Windows\System32\svchost.exe[3680] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076d915d0 5 bytes JMP 000000010017163c .text C:\Windows\System32\svchost.exe[3680] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076d91680 5 bytes JMP 0000000076ef0320 .text C:\Windows\System32\svchost.exe[3680] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076d916b0 5 bytes JMP 0000000076ef03b0 .text C:\Windows\System32\svchost.exe[3680] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076d916d0 5 bytes JMP 0000000076ef0390 .text C:\Windows\System32\svchost.exe[3680] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076d91710 5 bytes JMP 0000000076ef02e0 .text C:\Windows\System32\svchost.exe[3680] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076d91760 5 bytes JMP 0000000076ef0440 .text C:\Windows\System32\svchost.exe[3680] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076d91790 5 bytes JMP 0000000076ef02d0 .text C:\Windows\System32\svchost.exe[3680] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076d917b0 5 bytes JMP 0000000076ef0310 .text C:\Windows\System32\svchost.exe[3680] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076d917f0 5 bytes JMP 0000000076ef03c0 .text C:\Windows\System32\svchost.exe[3680] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000076d91810 5 bytes JMP 0000000100171284 .text C:\Windows\System32\svchost.exe[3680] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076d91840 5 bytes JMP 0000000076ef03f0 .text C:\Windows\System32\svchost.exe[3680] 
C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076d919a0 1 byte JMP 0000000076ef0230 .text C:\Windows\System32\svchost.exe[3680] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076d919a2 3 bytes {JMP 0x15e890} .text C:\Windows\System32\svchost.exe[3680] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076d91b60 5 bytes JMP 0000000076ef0490 .text C:\Windows\System32\svchost.exe[3680] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076d91b90 5 bytes JMP 0000000076ef03a0 .text C:\Windows\System32\svchost.exe[3680] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076d91c70 5 bytes JMP 0000000076ef02f0 .text C:\Windows\System32\svchost.exe[3680] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076d91c80 5 bytes JMP 0000000076ef0350 .text C:\Windows\System32\svchost.exe[3680] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076d91ce0 5 bytes JMP 0000000076ef0290 .text C:\Windows\System32\svchost.exe[3680] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076d91d70 5 bytes JMP 0000000076ef02b0 .text C:\Windows\System32\svchost.exe[3680] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076d91d90 5 bytes JMP 0000000076ef03d0 .text C:\Windows\System32\svchost.exe[3680] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076d91da0 1 byte JMP 0000000076ef0330 .text C:\Windows\System32\svchost.exe[3680] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076d91da2 3 bytes {JMP 0x15e590} .text C:\Windows\System32\svchost.exe[3680] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076d91e10 5 bytes JMP 0000000076ef0410 .text C:\Windows\System32\svchost.exe[3680] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076d91e40 5 bytes JMP 0000000076ef0240 .text C:\Windows\System32\svchost.exe[3680] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076d92100 5 bytes JMP 0000000076ef01e0 .text C:\Windows\System32\svchost.exe[3680] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076d921c0 1 byte 
JMP 0000000076ef0250 .text C:\Windows\System32\svchost.exe[3680] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076d921c2 3 bytes {JMP 0x15e090} .text C:\Windows\System32\svchost.exe[3680] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076d921f0 5 bytes JMP 0000000076ef04a0 .text C:\Windows\System32\svchost.exe[3680] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076d92200 5 bytes JMP 0000000076ef04b0 .text C:\Windows\System32\svchost.exe[3680] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076d92230 5 bytes JMP 0000000076ef0300 .text C:\Windows\System32\svchost.exe[3680] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076d92240 5 bytes JMP 0000000076ef0360 .text C:\Windows\System32\svchost.exe[3680] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076d922a0 5 bytes JMP 0000000076ef02a0 .text C:\Windows\System32\svchost.exe[3680] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076d922f0 5 bytes JMP 0000000076ef02c0 .text C:\Windows\System32\svchost.exe[3680] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076d92320 5 bytes JMP 0000000076ef0380 .text C:\Windows\System32\svchost.exe[3680] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076d92330 5 bytes JMP 0000000076ef0340 .text C:\Windows\System32\svchost.exe[3680] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076d92620 5 bytes JMP 0000000076ef0450 .text C:\Windows\System32\svchost.exe[3680] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076d92820 5 bytes JMP 0000000076ef0260 .text C:\Windows\System32\svchost.exe[3680] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076d92830 5 bytes JMP 0000000076ef0270 .text C:\Windows\System32\svchost.exe[3680] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076d92840 5 bytes JMP 00000001001719f4 .text C:\Windows\System32\svchost.exe[3680] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076d92a00 5 bytes JMP 0000000076ef01f0 .text C:\Windows\System32\svchost.exe[3680] 
C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076d92a10 5 bytes JMP 0000000076ef0210 .text C:\Windows\System32\svchost.exe[3680] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076d92a80 5 bytes JMP 0000000076ef0200 .text C:\Windows\System32\svchost.exe[3680] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076d92ae0 5 bytes JMP 0000000076ef0420 .text C:\Windows\System32\svchost.exe[3680] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076d92af0 5 bytes JMP 0000000076ef0430 .text C:\Windows\System32\svchost.exe[3680] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076d92b00 5 bytes JMP 0000000076ef0220 .text C:\Windows\System32\svchost.exe[3680] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076d92be0 5 bytes JMP 0000000076ef0280 .text C:\Windows\System32\svchost.exe[3680] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefdbe6e00 5 bytes JMP 000007ff7dc01dac .text C:\Windows\System32\svchost.exe[3680] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefdbe6f2c 5 bytes JMP 000007ff7dc00ecc .text C:\Windows\System32\svchost.exe[3680] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefdbe7220 5 bytes JMP 000007ff7dc01284 .text C:\Windows\System32\svchost.exe[3680] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefdbe739c 5 bytes JMP 000007ff7dc0163c .text C:\Windows\System32\svchost.exe[3680] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefdbe7538 5 bytes JMP 000007ff7dc019f4 .text C:\Windows\System32\svchost.exe[3680] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefdbe75e8 5 bytes JMP 000007ff7dc003a4 .text C:\Windows\System32\svchost.exe[3680] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefdbe790c 5 bytes JMP 000007ff7dc0075c .text C:\Windows\System32\svchost.exe[3680] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefdbe7ab4 5 bytes JMP 000007ff7dc00b14 .text C:\Windows\system32\DllHost.exe[4056] 
C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefdbe6e00 5 bytes JMP 000007ff7dc01dac .text C:\Windows\system32\DllHost.exe[4056] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefdbe6f2c 5 bytes JMP 000007ff7dc00ecc .text C:\Windows\system32\DllHost.exe[4056] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefdbe7220 5 bytes JMP 000007ff7dc01284 .text C:\Windows\system32\DllHost.exe[4056] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefdbe739c 5 bytes JMP 000007ff7dc0163c .text C:\Windows\system32\DllHost.exe[4056] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefdbe7538 5 bytes JMP 000007ff7dc019f4 .text C:\Windows\system32\DllHost.exe[4056] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefdbe75e8 5 bytes JMP 000007ff7dc003a4 .text C:\Windows\system32\DllHost.exe[4056] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefdbe790c 5 bytes JMP 000007ff7dc0075c .text C:\Windows\system32\DllHost.exe[4056] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefdbe7ab4 5 bytes JMP 000007ff7dc00b14 .text C:\Program Files (x86)\Sony\Sony PC Companion\PCCService.exe[2328] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 0000000076f3faa0 5 bytes JMP 0000000100100600 .text C:\Program Files (x86)\Sony\Sony PC Companion\PCCService.exe[2328] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 0000000076f3fb38 5 bytes JMP 0000000100100804 .text C:\Program Files (x86)\Sony\Sony PC Companion\PCCService.exe[2328] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000076f3fc90 5 bytes JMP 0000000100100c0c .text C:\Program Files (x86)\Sony\Sony PC Companion\PCCService.exe[2328] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000076f40018 5 bytes JMP 0000000100100a08 .text C:\Program Files (x86)\Sony\Sony PC Companion\PCCService.exe[2328] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000076f41900 5 bytes JMP 0000000100100e10 .text C:\Program Files (x86)\Sony\Sony PC 
Companion\PCCService.exe[2328] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000076f5c45a 5 bytes JMP 00000001001001f8 .text C:\Program Files (x86)\Sony\Sony PC Companion\PCCService.exe[2328] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000076f61217 5 bytes JMP 00000001001003fc .text C:\Program Files (x86)\Sony\Sony PC Companion\PCCService.exe[2328] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 000000007537a30a 1 byte [62] .text C:\Program Files (x86)\Sony\Sony PC Companion\PCCService.exe[2328] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007546f0e6 5 bytes JMP 00000001001101f8 .text C:\Program Files (x86)\Sony\Sony PC Companion\PCCService.exe[2328] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000075473907 5 bytes JMP 00000001001103fc .text C:\Program Files (x86)\Sony\Sony PC Companion\PCCService.exe[2328] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000075478364 5 bytes JMP 0000000100110600 .text C:\Program Files (x86)\Sony\Sony PC Companion\PCCService.exe[2328] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000754806b3 5 bytes JMP 0000000100110804 .text C:\Program Files (x86)\Sony\Sony PC Companion\PCCService.exe[2328] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 0000000075490efc 5 bytes JMP 0000000100110a08 .text C:\Program Files (x86)\Sony\Sony PC Companion\PCCService.exe[2328] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 00000000748d5181 5 bytes JMP 0000000100171014 .text C:\Program Files (x86)\Sony\Sony PC Companion\PCCService.exe[2328] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 00000000748d5254 5 bytes JMP 0000000100170804 .text C:\Program Files (x86)\Sony\Sony PC Companion\PCCService.exe[2328] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000748d53d5 5 bytes JMP 0000000100170a08 .text C:\Program Files (x86)\Sony\Sony PC Companion\PCCService.exe[2328] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000748d54c2 5 bytes JMP 0000000100170c0c .text C:\Program Files 
(x86)\Sony\Sony PC Companion\PCCService.exe[2328] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000748d55e2 5 bytes JMP 0000000100170e10 .text C:\Program Files (x86)\Sony\Sony PC Companion\PCCService.exe[2328] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 00000000748d567c 5 bytes JMP 00000001001701f8 .text C:\Program Files (x86)\Sony\Sony PC Companion\PCCService.exe[2328] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 00000000748d589f 5 bytes JMP 00000001001703fc .text C:\Program Files (x86)\Sony\Sony PC Companion\PCCService.exe[2328] C:\Windows\SysWOW64\sechost.dll!DeleteService 00000000748d5a22 5 bytes JMP 0000000100170600 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[4532] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 0000000076f3faa0 5 bytes JMP 0000000100030600 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[4532] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 0000000076f3fb38 5 bytes JMP 0000000100030804 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[4532] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000076f3fc90 5 bytes JMP 0000000100030c0c .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[4532] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000076f40018 5 bytes JMP 0000000100030a08 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[4532] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000076f41900 5 bytes JMP 0000000100030e10 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[4532] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000076f5c45a 5 bytes JMP 00000001000301f8 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[4532] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000076f61217 5 bytes JMP 00000001000303fc .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[4532] 
C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 000000007537a30a 1 byte [62] .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[4532] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000074a61465 2 bytes [A6, 74] .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[4532] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000074a614bb 2 bytes [A6, 74] .text ... * 2 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[4532] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007546f0e6 5 bytes JMP 00000001001001f8 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[4532] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000075473907 5 bytes JMP 00000001001003fc .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[4532] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000075478364 5 bytes JMP 0000000100100600 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[4532] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000754806b3 5 bytes JMP 0000000100100804 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[4532] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 0000000075490efc 5 bytes JMP 0000000100100a08 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[4532] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 00000000748d5181 5 bytes JMP 0000000100111014 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[4532] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 00000000748d5254 5 bytes JMP 0000000100110804 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[4532] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000748d53d5 5 bytes JMP 0000000100110a08 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[4532] 
C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000748d54c2 5 bytes JMP 0000000100110c0c .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[4532] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000748d55e2 5 bytes JMP 0000000100110e10 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[4532] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 00000000748d567c 5 bytes JMP 00000001001101f8 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[4532] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 00000000748d589f 5 bytes JMP 00000001001103fc .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[4532] C:\Windows\SysWOW64\sechost.dll!DeleteService 00000000748d5a22 5 bytes JMP 0000000100110600 .text C:\Windows\System32\svchost.exe[4620] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefdbe6e00 5 bytes JMP 000007ff7dc01dac .text C:\Windows\System32\svchost.exe[4620] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefdbe6f2c 5 bytes JMP 000007ff7dc00ecc .text C:\Windows\System32\svchost.exe[4620] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefdbe7220 5 bytes JMP 000007ff7dc01284 .text C:\Windows\System32\svchost.exe[4620] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefdbe739c 5 bytes JMP 000007ff7dc0163c .text C:\Windows\System32\svchost.exe[4620] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefdbe7538 5 bytes JMP 000007ff7dc019f4 .text C:\Windows\System32\svchost.exe[4620] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefdbe75e8 5 bytes JMP 000007ff7dc003a4 .text C:\Windows\System32\svchost.exe[4620] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefdbe790c 5 bytes JMP 000007ff7dc0075c .text C:\Windows\System32\svchost.exe[4620] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefdbe7ab4 5 bytes JMP 000007ff7dc00b14 .text C:\Windows\system32\sppsvc.exe[4652] 
C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefdbe6e00 5 bytes JMP 000007ff7dc01dac .text C:\Windows\system32\sppsvc.exe[4652] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefdbe6f2c 5 bytes JMP 000007ff7dc00ecc .text C:\Windows\system32\sppsvc.exe[4652] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefdbe7220 5 bytes JMP 000007ff7dc01284 .text C:\Windows\system32\sppsvc.exe[4652] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefdbe739c 5 bytes JMP 000007ff7dc0163c .text C:\Windows\system32\sppsvc.exe[4652] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefdbe7538 5 bytes JMP 000007ff7dc019f4 .text C:\Windows\system32\sppsvc.exe[4652] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefdbe75e8 5 bytes JMP 000007ff7dc003a4 .text C:\Windows\system32\sppsvc.exe[4652] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefdbe790c 5 bytes JMP 000007ff7dc0075c .text C:\Windows\system32\sppsvc.exe[4652] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefdbe7ab4 5 bytes JMP 000007ff7dc00b14 .text C:\Windows\system32\wuauclt.exe[4492] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076d63ae0 5 bytes JMP 000000007fff075c .text C:\Windows\system32\wuauclt.exe[4492] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000076d67a90 5 bytes JMP 000000007fff03a4 .text C:\Windows\system32\wuauclt.exe[4492] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076d913c0 5 bytes JMP 0000000076ef0470 .text C:\Windows\system32\wuauclt.exe[4492] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076d91410 5 bytes JMP 0000000076ef0460 .text C:\Windows\system32\wuauclt.exe[4492] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000076d91490 5 bytes JMP 000000007fff0b14 .text C:\Windows\system32\wuauclt.exe[4492] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000076d914f0 5 bytes JMP 000000007fff0ecc .text C:\Windows\system32\wuauclt.exe[4492] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 
0000000076d91570 5 bytes JMP 0000000076ef0370 .text C:\Windows\system32\wuauclt.exe[4492] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076d915c0 5 bytes JMP 0000000076ef0480 .text C:\Windows\system32\wuauclt.exe[4492] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076d915d0 5 bytes JMP 000000007fff163c .text C:\Windows\system32\wuauclt.exe[4492] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076d91680 5 bytes JMP 0000000076ef0320 .text C:\Windows\system32\wuauclt.exe[4492] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076d916b0 5 bytes JMP 0000000076ef03b0 .text C:\Windows\system32\wuauclt.exe[4492] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076d916d0 5 bytes JMP 0000000076ef0390 .text C:\Windows\system32\wuauclt.exe[4492] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076d91710 5 bytes JMP 0000000076ef02e0 .text C:\Windows\system32\wuauclt.exe[4492] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076d91760 5 bytes JMP 0000000076ef0440 .text C:\Windows\system32\wuauclt.exe[4492] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076d91790 5 bytes JMP 0000000076ef02d0 .text C:\Windows\system32\wuauclt.exe[4492] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076d917b0 5 bytes JMP 0000000076ef0310 .text C:\Windows\system32\wuauclt.exe[4492] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076d917f0 5 bytes JMP 0000000076ef03c0 .text C:\Windows\system32\wuauclt.exe[4492] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000076d91810 5 bytes JMP 000000007fff1284 .text C:\Windows\system32\wuauclt.exe[4492] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076d91840 5 bytes JMP 0000000076ef03f0 .text C:\Windows\system32\wuauclt.exe[4492] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076d919a0 1 byte JMP 0000000076ef0230 .text C:\Windows\system32\wuauclt.exe[4492] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076d919a2 3 bytes {JMP 0x15e890} .text 
C:\Windows\system32\wuauclt.exe[4492] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076d91b60 5 bytes JMP 0000000076ef0490 .text C:\Windows\system32\wuauclt.exe[4492] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076d91b90 5 bytes JMP 0000000076ef03a0 .text C:\Windows\system32\wuauclt.exe[4492] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076d91c70 5 bytes JMP 0000000076ef02f0 .text C:\Windows\system32\wuauclt.exe[4492] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076d91c80 5 bytes JMP 0000000076ef0350 .text C:\Windows\system32\wuauclt.exe[4492] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076d91ce0 5 bytes JMP 0000000076ef0290 .text C:\Windows\system32\wuauclt.exe[4492] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076d91d70 5 bytes JMP 0000000076ef02b0 .text C:\Windows\system32\wuauclt.exe[4492] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076d91d90 5 bytes JMP 0000000076ef03d0 .text C:\Windows\system32\wuauclt.exe[4492] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076d91da0 1 byte JMP 0000000076ef0330 .text C:\Windows\system32\wuauclt.exe[4492] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076d91da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\wuauclt.exe[4492] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076d91e10 5 bytes JMP 0000000076ef0410 .text C:\Windows\system32\wuauclt.exe[4492] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076d91e40 5 bytes JMP 0000000076ef0240 .text C:\Windows\system32\wuauclt.exe[4492] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076d92100 5 bytes JMP 0000000076ef01e0 .text C:\Windows\system32\wuauclt.exe[4492] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076d921c0 1 byte JMP 0000000076ef0250 .text C:\Windows\system32\wuauclt.exe[4492] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076d921c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\wuauclt.exe[4492] 
C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076d921f0 5 bytes JMP 0000000076ef04a0 .text C:\Windows\system32\wuauclt.exe[4492] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076d92200 5 bytes JMP 0000000076ef04b0 .text C:\Windows\system32\wuauclt.exe[4492] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076d92230 5 bytes JMP 0000000076ef0300 .text C:\Windows\system32\wuauclt.exe[4492] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076d92240 5 bytes JMP 0000000076ef0360 .text C:\Windows\system32\wuauclt.exe[4492] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076d922a0 5 bytes JMP 0000000076ef02a0 .text C:\Windows\system32\wuauclt.exe[4492] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076d922f0 5 bytes JMP 0000000076ef02c0 .text C:\Windows\system32\wuauclt.exe[4492] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076d92320 5 bytes JMP 0000000076ef0380 .text C:\Windows\system32\wuauclt.exe[4492] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076d92330 5 bytes JMP 0000000076ef0340 .text C:\Windows\system32\wuauclt.exe[4492] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076d92620 5 bytes JMP 0000000076ef0450 .text C:\Windows\system32\wuauclt.exe[4492] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076d92820 5 bytes JMP 0000000076ef0260 .text C:\Windows\system32\wuauclt.exe[4492] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076d92830 5 bytes JMP 0000000076ef0270 .text C:\Windows\system32\wuauclt.exe[4492] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076d92840 5 bytes JMP 000000007fff19f4 .text C:\Windows\system32\wuauclt.exe[4492] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076d92a00 5 bytes JMP 0000000076ef01f0 .text C:\Windows\system32\wuauclt.exe[4492] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076d92a10 5 bytes JMP 0000000076ef0210 .text C:\Windows\system32\wuauclt.exe[4492] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076d92a80 5 
bytes JMP 0000000076ef0200 .text C:\Windows\system32\wuauclt.exe[4492] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076d92ae0 5 bytes JMP 0000000076ef0420 .text C:\Windows\system32\wuauclt.exe[4492] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076d92af0 5 bytes JMP 0000000076ef0430 .text C:\Windows\system32\wuauclt.exe[4492] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076d92b00 5 bytes JMP 0000000076ef0220 .text C:\Windows\system32\wuauclt.exe[4492] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076d92be0 5 bytes JMP 0000000076ef0280 .text C:\Windows\system32\wuauclt.exe[4492] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefdbe6e00 5 bytes JMP 000007ff7dc01dac .text C:\Windows\system32\wuauclt.exe[4492] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefdbe6f2c 5 bytes JMP 000007ff7dc00ecc .text C:\Windows\system32\wuauclt.exe[4492] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefdbe7220 5 bytes JMP 000007ff7dc01284 .text C:\Windows\system32\wuauclt.exe[4492] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefdbe739c 5 bytes JMP 000007ff7dc0163c .text C:\Windows\system32\wuauclt.exe[4492] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefdbe7538 5 bytes JMP 000007ff7dc019f4 .text C:\Windows\system32\wuauclt.exe[4492] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefdbe75e8 5 bytes JMP 000007ff7dc003a4 .text C:\Windows\system32\wuauclt.exe[4492] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefdbe790c 5 bytes JMP 000007ff7dc0075c .text C:\Windows\system32\wuauclt.exe[4492] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefdbe7ab4 5 bytes JMP 000007ff7dc00b14 .text C:\Windows\system32\AUDIODG.EXE[4684] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076d63ae0 5 bytes JMP 000000010010075c .text C:\Windows\system32\AUDIODG.EXE[4684] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000076d67a90 5 bytes JMP 00000001001003a4 .text 
C:\Windows\system32\AUDIODG.EXE[4684] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076d913c0 5 bytes JMP 0000000100070470 .text C:\Windows\system32\AUDIODG.EXE[4684] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076d91410 5 bytes JMP 0000000100070460 .text C:\Windows\system32\AUDIODG.EXE[4684] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000076d91490 5 bytes JMP 0000000100100b14 .text C:\Windows\system32\AUDIODG.EXE[4684] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000076d914f0 5 bytes JMP 0000000100100ecc .text C:\Windows\system32\AUDIODG.EXE[4684] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076d91570 5 bytes JMP 0000000100070370 .text C:\Windows\system32\AUDIODG.EXE[4684] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076d915c0 5 bytes JMP 0000000100070480 .text C:\Windows\system32\AUDIODG.EXE[4684] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076d915d0 5 bytes JMP 000000010010163c .text C:\Windows\system32\AUDIODG.EXE[4684] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076d91680 5 bytes JMP 0000000100070320 .text C:\Windows\system32\AUDIODG.EXE[4684] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076d916b0 5 bytes JMP 00000001000703b0 .text C:\Windows\system32\AUDIODG.EXE[4684] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076d916d0 5 bytes JMP 0000000100070390 .text C:\Windows\system32\AUDIODG.EXE[4684] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076d91710 5 bytes JMP 00000001000702e0 .text C:\Windows\system32\AUDIODG.EXE[4684] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076d91760 5 bytes JMP 0000000100070440 .text C:\Windows\system32\AUDIODG.EXE[4684] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076d91790 5 bytes JMP 00000001000702d0 .text C:\Windows\system32\AUDIODG.EXE[4684] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076d917b0 5 bytes JMP 0000000100070310 .text C:\Windows\system32\AUDIODG.EXE[4684] 
C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076d917f0 5 bytes JMP 00000001000703c0 .text C:\Windows\system32\AUDIODG.EXE[4684] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000076d91810 5 bytes JMP 0000000100101284 .text C:\Windows\system32\AUDIODG.EXE[4684] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076d91840 5 bytes JMP 00000001000703f0 .text C:\Windows\system32\AUDIODG.EXE[4684] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076d919a0 1 byte JMP 0000000100070230 .text C:\Windows\system32\AUDIODG.EXE[4684] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076d919a2 3 bytes {JMP 0xffffffff892de890} .text C:\Windows\system32\AUDIODG.EXE[4684] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076d91b60 5 bytes JMP 0000000100070490 .text C:\Windows\system32\AUDIODG.EXE[4684] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076d91b90 5 bytes JMP 00000001000703a0 .text C:\Windows\system32\AUDIODG.EXE[4684] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076d91c70 5 bytes JMP 00000001000702f0 .text C:\Windows\system32\AUDIODG.EXE[4684] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076d91c80 5 bytes JMP 0000000100070350 .text C:\Windows\system32\AUDIODG.EXE[4684] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076d91ce0 5 bytes JMP 0000000100070290 .text C:\Windows\system32\AUDIODG.EXE[4684] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076d91d70 5 bytes JMP 00000001000702b0 .text C:\Windows\system32\AUDIODG.EXE[4684] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076d91d90 5 bytes JMP 00000001000703d0 .text C:\Windows\system32\AUDIODG.EXE[4684] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076d91da0 1 byte JMP 0000000100070330 .text C:\Windows\system32\AUDIODG.EXE[4684] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076d91da2 3 bytes {JMP 0xffffffff892de590} .text C:\Windows\system32\AUDIODG.EXE[4684] 
C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076d91e10 5 bytes JMP 0000000100070410 .text C:\Windows\system32\AUDIODG.EXE[4684] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076d91e40 5 bytes JMP 0000000100070240 .text C:\Windows\system32\AUDIODG.EXE[4684] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076d92100 5 bytes JMP 00000001000701e0 .text C:\Windows\system32\AUDIODG.EXE[4684] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076d921c0 1 byte JMP 0000000100070250 .text C:\Windows\system32\AUDIODG.EXE[4684] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076d921c2 3 bytes {JMP 0xffffffff892de090} .text C:\Windows\system32\AUDIODG.EXE[4684] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076d921f0 5 bytes JMP 00000001000704a0 .text C:\Windows\system32\AUDIODG.EXE[4684] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076d92200 5 bytes JMP 00000001000704b0 .text C:\Windows\system32\AUDIODG.EXE[4684] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076d92230 5 bytes JMP 0000000100070300 .text C:\Windows\system32\AUDIODG.EXE[4684] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076d92240 5 bytes JMP 0000000100070360 .text C:\Windows\system32\AUDIODG.EXE[4684] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076d922a0 5 bytes JMP 00000001000702a0 .text C:\Windows\system32\AUDIODG.EXE[4684] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076d922f0 5 bytes JMP 00000001000702c0 .text C:\Windows\system32\AUDIODG.EXE[4684] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076d92320 5 bytes JMP 0000000100070380 .text C:\Windows\system32\AUDIODG.EXE[4684] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076d92330 5 bytes JMP 0000000100070340 .text C:\Windows\system32\AUDIODG.EXE[4684] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076d92620 5 bytes JMP 0000000100070450 .text C:\Windows\system32\AUDIODG.EXE[4684] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076d92820 5 
bytes JMP 0000000100070260 .text C:\Windows\system32\AUDIODG.EXE[4684] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076d92830 5 bytes JMP 0000000100070270 .text C:\Windows\system32\AUDIODG.EXE[4684] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076d92840 5 bytes JMP 00000001001019f4 .text C:\Windows\system32\AUDIODG.EXE[4684] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076d92a00 5 bytes JMP 00000001000701f0 .text C:\Windows\system32\AUDIODG.EXE[4684] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076d92a10 5 bytes JMP 0000000100070210 .text C:\Windows\system32\AUDIODG.EXE[4684] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076d92a80 5 bytes JMP 0000000100070200 .text C:\Windows\system32\AUDIODG.EXE[4684] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076d92ae0 5 bytes JMP 0000000100070420 .text C:\Windows\system32\AUDIODG.EXE[4684] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076d92af0 5 bytes JMP 0000000100070430 .text C:\Windows\system32\AUDIODG.EXE[4684] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076d92b00 5 bytes JMP 0000000100070220 .text C:\Windows\system32\AUDIODG.EXE[4684] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076d92be0 5 bytes JMP 0000000100070280 .text C:\Windows\system32\AUDIODG.EXE[4684] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 00000000768ceecd 1 byte [62] .text C:\Windows\system32\AUDIODG.EXE[4684] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefdbe6e00 5 bytes JMP 000007ff7dc01dac .text C:\Windows\system32\AUDIODG.EXE[4684] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefdbe6f2c 5 bytes JMP 000007ff7dc00ecc .text C:\Windows\system32\AUDIODG.EXE[4684] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefdbe7220 5 bytes JMP 000007ff7dc01284 .text C:\Windows\system32\AUDIODG.EXE[4684] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefdbe739c 5 bytes JMP 000007ff7dc0163c .text 
C:\Windows\system32\AUDIODG.EXE[4684] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefdbe7538 5 bytes JMP 000007ff7dc019f4 .text C:\Windows\system32\AUDIODG.EXE[4684] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefdbe75e8 5 bytes JMP 000007ff7dc003a4 .text C:\Windows\system32\AUDIODG.EXE[4684] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefdbe790c 5 bytes JMP 000007ff7dc0075c .text C:\Windows\system32\AUDIODG.EXE[4684] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefdbe7ab4 5 bytes JMP 000007ff7dc00b14 .text C:\Windows\system32\DllHost.exe[1548] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076d63ae0 5 bytes JMP 000000010045075c .text C:\Windows\system32\DllHost.exe[1548] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000076d67a90 5 bytes JMP 00000001004503a4 .text C:\Windows\system32\DllHost.exe[1548] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000076d91490 5 bytes JMP 0000000100450b14 .text C:\Windows\system32\DllHost.exe[1548] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000076d914f0 5 bytes JMP 0000000100450ecc .text C:\Windows\system32\DllHost.exe[1548] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076d915d0 5 bytes JMP 000000010045163c .text C:\Windows\system32\DllHost.exe[1548] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000076d91810 5 bytes JMP 0000000100451284 .text C:\Windows\system32\DllHost.exe[1548] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076d92840 5 bytes JMP 00000001004519f4 .text C:\Windows\system32\DllHost.exe[1548] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 00000000768ceecd 1 byte [62] .text C:\Windows\system32\DllHost.exe[1548] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefdbe6e00 5 bytes JMP 000007ff7dc01dac .text C:\Windows\system32\DllHost.exe[1548] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefdbe6f2c 5 bytes JMP 000007ff7dc00ecc .text C:\Windows\system32\DllHost.exe[1548] 
C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefdbe7220 5 bytes JMP 000007ff7dc01284 .text C:\Windows\system32\DllHost.exe[1548] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefdbe739c 5 bytes JMP 000007ff7dc0163c .text C:\Windows\system32\DllHost.exe[1548] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefdbe7538 5 bytes JMP 000007ff7dc019f4 .text C:\Windows\system32\DllHost.exe[1548] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefdbe75e8 5 bytes JMP 000007ff7dc003a4 .text C:\Windows\system32\DllHost.exe[1548] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefdbe790c 5 bytes JMP 000007ff7dc0075c .text C:\Windows\system32\DllHost.exe[1548] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefdbe7ab4 5 bytes JMP 000007ff7dc00b14 .text C:\Users\Daniel\Downloads\7zfycb2y.exe[952] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 0000000076f3faa0 5 bytes JMP 0000000100030600 .text C:\Users\Daniel\Downloads\7zfycb2y.exe[952] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 0000000076f3fb38 5 bytes JMP 0000000100030804 .text C:\Users\Daniel\Downloads\7zfycb2y.exe[952] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000076f3fc90 5 bytes JMP 0000000100030c0c .text C:\Users\Daniel\Downloads\7zfycb2y.exe[952] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000076f40018 5 bytes JMP 0000000100030a08 .text C:\Users\Daniel\Downloads\7zfycb2y.exe[952] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000076f41900 5 bytes JMP 0000000100030e10 .text C:\Users\Daniel\Downloads\7zfycb2y.exe[952] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000076f5c45a 5 bytes JMP 00000001000301f8 .text C:\Users\Daniel\Downloads\7zfycb2y.exe[952] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000076f61217 5 bytes JMP 00000001000303fc .text C:\Users\Daniel\Downloads\7zfycb2y.exe[952] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 000000007537a30a 1 byte [62] .text C:\Users\Daniel\Downloads\7zfycb2y.exe[952] 
C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 00000000748d5181 5 bytes JMP 0000000100241014 .text C:\Users\Daniel\Downloads\7zfycb2y.exe[952] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 00000000748d5254 5 bytes JMP 0000000100240804 .text C:\Users\Daniel\Downloads\7zfycb2y.exe[952] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000748d53d5 5 bytes JMP 0000000100240a08 .text C:\Users\Daniel\Downloads\7zfycb2y.exe[952] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000748d54c2 5 bytes JMP 0000000100240c0c .text C:\Users\Daniel\Downloads\7zfycb2y.exe[952] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000748d55e2 5 bytes JMP 0000000100240e10 .text C:\Users\Daniel\Downloads\7zfycb2y.exe[952] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 00000000748d567c 5 bytes JMP 00000001002401f8 .text C:\Users\Daniel\Downloads\7zfycb2y.exe[952] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 00000000748d589f 5 bytes JMP 00000001002403fc .text C:\Users\Daniel\Downloads\7zfycb2y.exe[952] C:\Windows\SysWOW64\sechost.dll!DeleteService 00000000748d5a22 5 bytes JMP 0000000100240600 .text C:\Users\Daniel\Downloads\7zfycb2y.exe[952] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007546f0e6 5 bytes JMP 00000001002501f8 .text C:\Users\Daniel\Downloads\7zfycb2y.exe[952] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000075473907 5 bytes JMP 00000001002503fc .text C:\Users\Daniel\Downloads\7zfycb2y.exe[952] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000075478364 5 bytes JMP 0000000100250600 .text C:\Users\Daniel\Downloads\7zfycb2y.exe[952] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000754806b3 5 bytes JMP 0000000100250804 .text C:\Users\Daniel\Downloads\7zfycb2y.exe[952] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 0000000075490efc 5 bytes JMP 0000000100250a08 ---- Threads - GMER 2.1 ---- Thread C:\Windows\System32\svchost.exe [4620:4260] 000007fef1cd9688 ---- Registry - GMER 2.1 ---- Reg 
HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@Type 2 Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@Start 2 Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@DisplayName aswFsBlk Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@Group FSFilter Activity Monitor Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@DependOnService FltMgr? Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@Description avast! mini-filter driver (aswFsBlk) Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@Tag 2 Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk\Instances Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk\Instances@DefaultInstance aswFsBlk Instance Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk\Instances\aswFsBlk Instance Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk\Instances\aswFsBlk Instance@Altitude 388400 Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk\Instances\aswFsBlk Instance@Flags 0 Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@Type 2 Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@Start 2 Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@ImagePath \??\C:\Windows\system32\drivers\aswMonFlt.sys Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@DisplayName aswMonFlt Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@Group FSFilter Anti-Virus Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@DependOnService FltMgr? Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@Description avast! 
mini-filter driver (aswMonFlt) Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt\Instances Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt\Instances@DefaultInstance aswMonFlt Instance Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt\Instances\aswMonFlt Instance Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt\Instances\aswMonFlt Instance@Altitude 320700 Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt\Instances\aswMonFlt Instance@Flags 0 Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@ImagePath \SystemRoot\System32\Drivers\aswrdr2.sys Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@Type 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@Start 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@DisplayName aswRdr Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@Group PNP_TDI Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@DependOnService tcpip? Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@Description avast! WFP Redirect driver Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr\Parameters Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr\Parameters@MSIgnoreLSPDefault Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr\Parameters@WSIgnoreLSPDefault nl_lsp.dll,imon.dll,xfire_lsp.dll,mslsp.dll,mssplsp.dll,cwhook.dll,spi.dll,bmnet.dll,winsflt.dll Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt@Type 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt@Start 0 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt@DisplayName aswRvrt Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt@Description avast! 
Revert Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt\Parameters Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt\Parameters@BootCounter 79 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt\Parameters@TickCounter 440842 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt\Parameters@SystemRoot \Device\Harddisk0\Partition2\Windows Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt\Parameters@ImproperShutdown 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@Type 2 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@Start 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@DisplayName aswSnx Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@Group FSFilter Virtualization Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@DependOnService FltMgr? Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@Description avast! virtualization driver (aswSnx) Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@Tag 2 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Instances Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Instances@DefaultInstance aswSnx Instance Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Instances\aswSnx Instance Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Instances\aswSnx Instance@Altitude 137600 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Instances\aswSnx Instance@Flags 0 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Parameters Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Parameters@ProgramFolder \DosDevices\C:\Program Files\AVAST Software\Avast Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Parameters@DataFolder \DosDevices\C:\ProgramData\AVAST Software\Avast Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP@Type 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP@Start 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP@ErrorControl 1 Reg 
HKLM\SYSTEM\CurrentControlSet\services\aswSP@DisplayName aswSP Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP@Description avast! Self Protection Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP\Parameters Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP\Parameters@BehavShield 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP\Parameters@ProgramFolder \DosDevices\C:\Program Files\AVAST Software\Avast Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP\Parameters@DataFolder \DosDevices\C:\ProgramData\AVAST Software\Avast Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP\Parameters@NoWelcomeScreen 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP\Parameters@ProgramFilesFolder \DosDevices\C:\Program Files Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP\Parameters@GadgetFolder \DosDevices\C:\Program Files\Windows Sidebar\Shared Gadgets\aswSidebar.gadget Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@Type 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@Start 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@DisplayName avast! Network Shield Support Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@Group PNP_TDI Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@DependOnService tcpip? Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@Description avast! Network Shield TDI driver Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@Tag 9 Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm@Type 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm@Start 3 Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm@DisplayName aswVmm Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm@Description avast! 
VM Monitor Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm\Parameters Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@Type 32 Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@Start 2 Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@ImagePath "C:\Program Files\AVAST Software\Avast\AvastSvc.exe" Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@DisplayName avast! Antivirus Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@Group ShellSvcGroup Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@DependOnService aswMonFlt?RpcSS? Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@WOW64 1 Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@ObjectName LocalSystem Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@ServiceSidType 1 Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@Description Instaluje i zarządza usługami antywirusowymi programu avast! na tym komputerze, co obejmuje rezydentny skaner, kwarantannę oraz harmonogram zadań. Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files (x86)\DAEMON Tools Lite\ Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x90 0xFD 0x6A 0x01 ... 
Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@Type 2 Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@Start 2 Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@DisplayName aswFsBlk Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@Group FSFilter Activity Monitor Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@DependOnService FltMgr? Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@Description avast! mini-filter driver (aswFsBlk) Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@Tag 2 Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk\Instances (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk\Instances@DefaultInstance aswFsBlk Instance Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk\Instances\aswFsBlk Instance (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk\Instances\aswFsBlk Instance@Altitude 388400 Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk\Instances\aswFsBlk Instance@Flags 0 Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt@Type 2 Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt@Start 2 Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt@ImagePath \??\C:\Windows\system32\drivers\aswMonFlt.sys Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt@DisplayName aswMonFlt Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt@Group FSFilter Anti-Virus Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt@DependOnService FltMgr? Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt@Description avast! 
mini-filter driver (aswMonFlt) Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt\Instances (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt\Instances@DefaultInstance aswMonFlt Instance Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt\Instances\aswMonFlt Instance (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt\Instances\aswMonFlt Instance@Altitude 320700 Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt\Instances\aswMonFlt Instance@Flags 0 Reg HKLM\SYSTEM\ControlSet002\services\aswRdr@ImagePath \SystemRoot\System32\Drivers\aswrdr2.sys Reg HKLM\SYSTEM\ControlSet002\services\aswRdr@Type 1 Reg HKLM\SYSTEM\ControlSet002\services\aswRdr@Start 1 Reg HKLM\SYSTEM\ControlSet002\services\aswRdr@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\aswRdr@DisplayName aswRdr Reg HKLM\SYSTEM\ControlSet002\services\aswRdr@Group PNP_TDI Reg HKLM\SYSTEM\ControlSet002\services\aswRdr@DependOnService tcpip? Reg HKLM\SYSTEM\ControlSet002\services\aswRdr@Description avast! WFP Redirect driver Reg HKLM\SYSTEM\ControlSet002\services\aswRdr\Parameters (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswRdr\Parameters@MSIgnoreLSPDefault Reg HKLM\SYSTEM\ControlSet002\services\aswRdr\Parameters@WSIgnoreLSPDefault nl_lsp.dll,imon.dll,xfire_lsp.dll,mslsp.dll,mssplsp.dll,cwhook.dll,spi.dll,bmnet.dll,winsflt.dll Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt@Type 1 Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt@Start 0 Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt@DisplayName aswRvrt Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt@Description avast! 
Revert Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt\Parameters (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt\Parameters@BootCounter 79 Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt\Parameters@TickCounter 440842 Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt\Parameters@SystemRoot \Device\Harddisk0\Partition2\Windows Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt\Parameters@ImproperShutdown 1 Reg HKLM\SYSTEM\ControlSet002\services\aswSnx@Type 2 Reg HKLM\SYSTEM\ControlSet002\services\aswSnx@Start 1 Reg HKLM\SYSTEM\ControlSet002\services\aswSnx@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\aswSnx@DisplayName aswSnx Reg HKLM\SYSTEM\ControlSet002\services\aswSnx@Group FSFilter Virtualization Reg HKLM\SYSTEM\ControlSet002\services\aswSnx@DependOnService FltMgr? Reg HKLM\SYSTEM\ControlSet002\services\aswSnx@Description avast! virtualization driver (aswSnx) Reg HKLM\SYSTEM\ControlSet002\services\aswSnx@Tag 2 Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Instances (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Instances@DefaultInstance aswSnx Instance Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Instances\aswSnx Instance (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Instances\aswSnx Instance@Altitude 137600 Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Instances\aswSnx Instance@Flags 0 Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Parameters (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Parameters@ProgramFolder \DosDevices\C:\Program Files\AVAST Software\Avast Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Parameters@DataFolder \DosDevices\C:\ProgramData\AVAST Software\Avast Reg HKLM\SYSTEM\ControlSet002\services\aswSP@Type 1 Reg HKLM\SYSTEM\ControlSet002\services\aswSP@Start 1 Reg HKLM\SYSTEM\ControlSet002\services\aswSP@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\aswSP@DisplayName aswSP Reg HKLM\SYSTEM\ControlSet002\services\aswSP@Description avast! 
Self Protection Reg HKLM\SYSTEM\ControlSet002\services\aswSP\Parameters (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswSP\Parameters@BehavShield 1 Reg HKLM\SYSTEM\ControlSet002\services\aswSP\Parameters@ProgramFolder \DosDevices\C:\Program Files\AVAST Software\Avast Reg HKLM\SYSTEM\ControlSet002\services\aswSP\Parameters@DataFolder \DosDevices\C:\ProgramData\AVAST Software\Avast Reg HKLM\SYSTEM\ControlSet002\services\aswSP\Parameters@NoWelcomeScreen 1 Reg HKLM\SYSTEM\ControlSet002\services\aswSP\Parameters@ProgramFilesFolder \DosDevices\C:\Program Files Reg HKLM\SYSTEM\ControlSet002\services\aswSP\Parameters@GadgetFolder \DosDevices\C:\Program Files\Windows Sidebar\Shared Gadgets\aswSidebar.gadget Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@Type 1 Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@Start 1 Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@DisplayName avast! Network Shield Support Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@Group PNP_TDI Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@DependOnService tcpip? Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@Description avast! Network Shield TDI driver Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@Tag 9 Reg HKLM\SYSTEM\ControlSet002\services\aswVmm@Type 1 Reg HKLM\SYSTEM\ControlSet002\services\aswVmm@Start 3 Reg HKLM\SYSTEM\ControlSet002\services\aswVmm@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\aswVmm@DisplayName aswVmm Reg HKLM\SYSTEM\ControlSet002\services\aswVmm@Description avast! VM Monitor Reg HKLM\SYSTEM\ControlSet002\services\aswVmm\Parameters (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@Type 32 Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@Start 2 Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\avast! 
Antivirus@ImagePath "C:\Program Files\AVAST Software\Avast\AvastSvc.exe" Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@DisplayName avast! Antivirus Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@Group ShellSvcGroup Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@DependOnService aswMonFlt?RpcSS? Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@WOW64 1 Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@ObjectName LocalSystem Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@ServiceSidType 1 Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@Description Instaluje i zarządza usługami antywirusowymi programu avast! na tym komputerze, co obejmuje rezydentny skaner, kwarantannę oraz harmonogram zadań. Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files (x86)\DAEMON Tools Lite\ Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x90 0xFD 0x6A 0x01 ... Reg HKCU\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Persisted@SIGN.MEDIA=4E40A8B1 ASSASSIN\x2019S CREED 3 Rip - Vizoo\setup.exe 1 ---- EOF - GMER 2.1 ----