GMER 2.1.19163 - http://www.gmer.net Rootkit scan 2013-08-11 08:57:14 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk1\DR1 -> \Device\Ide\IdeDeviceP0T0L0-0 SAMSUNG_HD502HJ rev.1AJ100E5 465,76GB Running: 7m5j7tlm.exe; Driver: C:\Users\Henry\AppData\Local\Temp\pxldipow.sys ---- User code sections - GMER 2.1 ---- .text C:\Windows\system32\csrss.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000777713c0 5 bytes JMP 000000014a3e0460 .text C:\Windows\system32\csrss.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077771410 5 bytes JMP 000000014a3e0450 .text C:\Windows\system32\csrss.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077771570 5 bytes JMP 000000014a3e0370 .text C:\Windows\system32\csrss.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000777715c0 5 bytes JMP 000000014a3e0470 .text C:\Windows\system32\csrss.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000777715d0 5 bytes JMP 000000014a3e03e0 .text C:\Windows\system32\csrss.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077771680 5 bytes JMP 000000014a3e0320 .text C:\Windows\system32\csrss.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000777716b0 5 bytes JMP 000000014a3e03b0 .text C:\Windows\system32\csrss.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000777716d0 5 bytes JMP 000000014a3e0390 .text C:\Windows\system32\csrss.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077771710 5 bytes JMP 000000014a3e02e0 .text C:\Windows\system32\csrss.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077771790 5 bytes JMP 000000014a3e02d0 .text C:\Windows\system32\csrss.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000777717b0 5 bytes JMP 000000014a3e0310 .text C:\Windows\system32\csrss.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000777717f0 5 bytes JMP 000000014a3e03c0 .text C:\Windows\system32\csrss.exe[628] 
C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077771840 5 bytes JMP 000000014a3e03f0 .text C:\Windows\system32\csrss.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000777719a0 1 byte JMP 000000014a3e0230 .text C:\Windows\system32\csrss.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000777719a2 3 bytes {JMP 0xffffffffd2c6e890} .text C:\Windows\system32\csrss.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077771b60 5 bytes JMP 000000014a3e0480 .text C:\Windows\system32\csrss.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077771b90 5 bytes JMP 000000014a3e03a0 .text C:\Windows\system32\csrss.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077771c70 5 bytes JMP 000000014a3e02f0 .text C:\Windows\system32\csrss.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077771c80 5 bytes JMP 000000014a3e0350 .text C:\Windows\system32\csrss.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077771ce0 5 bytes JMP 000000014a3e0290 .text C:\Windows\system32\csrss.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077771d70 5 bytes JMP 000000014a3e02b0 .text C:\Windows\system32\csrss.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077771d90 5 bytes JMP 000000014a3e03d0 .text C:\Windows\system32\csrss.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077771da0 1 byte JMP 000000014a3e0330 .text C:\Windows\system32\csrss.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077771da2 3 bytes {JMP 0xffffffffd2c6e590} .text C:\Windows\system32\csrss.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077771e10 5 bytes JMP 000000014a3e0410 .text C:\Windows\system32\csrss.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077771e40 5 bytes JMP 000000014a3e0240 .text C:\Windows\system32\csrss.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077772100 5 bytes JMP 000000014a3e01e0 
.text C:\Windows\system32\csrss.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000777721c0 1 byte JMP 000000014a3e0250 .text C:\Windows\system32\csrss.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000777721c2 3 bytes {JMP 0xffffffffd2c6e090} .text C:\Windows\system32\csrss.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000777721f0 5 bytes JMP 000000014a3e0490 .text C:\Windows\system32\csrss.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077772200 5 bytes JMP 000000014a3e04a0 .text C:\Windows\system32\csrss.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077772230 5 bytes JMP 000000014a3e0300 .text C:\Windows\system32\csrss.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077772240 5 bytes JMP 000000014a3e0360 .text C:\Windows\system32\csrss.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000777722a0 5 bytes JMP 000000014a3e02a0 .text C:\Windows\system32\csrss.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000777722f0 5 bytes JMP 000000014a3e02c0 .text C:\Windows\system32\csrss.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077772320 5 bytes JMP 000000014a3e0380 .text C:\Windows\system32\csrss.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077772330 5 bytes JMP 000000014a3e0340 .text C:\Windows\system32\csrss.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077772620 5 bytes JMP 000000014a3e0440 .text C:\Windows\system32\csrss.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077772820 5 bytes JMP 000000014a3e0260 .text C:\Windows\system32\csrss.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077772830 5 bytes JMP 000000014a3e0270 .text C:\Windows\system32\csrss.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077772840 5 bytes JMP 000000014a3e0400 .text C:\Windows\system32\csrss.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 
0000000077772a00 5 bytes JMP 000000014a3e01f0 .text C:\Windows\system32\csrss.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077772a10 5 bytes JMP 000000014a3e0210 .text C:\Windows\system32\csrss.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077772a80 5 bytes JMP 000000014a3e0200 .text C:\Windows\system32\csrss.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077772ae0 5 bytes JMP 000000014a3e0420 .text C:\Windows\system32\csrss.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077772af0 5 bytes JMP 000000014a3e0430 .text C:\Windows\system32\csrss.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077772b00 5 bytes JMP 000000014a3e0220 .text C:\Windows\system32\csrss.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077772be0 5 bytes JMP 000000014a3e0280 .text C:\Windows\system32\wininit.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000777713c0 5 bytes JMP 00000000778d0460 .text C:\Windows\system32\wininit.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077771410 5 bytes JMP 00000000778d0450 .text C:\Windows\system32\wininit.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077771570 5 bytes JMP 00000000778d0370 .text C:\Windows\system32\wininit.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000777715c0 5 bytes JMP 00000000778d0470 .text C:\Windows\system32\wininit.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000777715d0 5 bytes JMP 00000000778d03e0 .text C:\Windows\system32\wininit.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077771680 5 bytes JMP 00000000778d0320 .text C:\Windows\system32\wininit.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000777716b0 5 bytes JMP 00000000778d03b0 .text C:\Windows\system32\wininit.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000777716d0 5 bytes JMP 00000000778d0390 .text C:\Windows\system32\wininit.exe[676] 
C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077771710 5 bytes JMP 00000000778d02e0 .text C:\Windows\system32\wininit.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077771790 5 bytes JMP 00000000778d02d0 .text C:\Windows\system32\wininit.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000777717b0 5 bytes JMP 00000000778d0310 .text C:\Windows\system32\wininit.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000777717f0 5 bytes JMP 00000000778d03c0 .text C:\Windows\system32\wininit.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077771840 5 bytes JMP 00000000778d03f0 .text C:\Windows\system32\wininit.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000777719a0 1 byte JMP 00000000778d0230 .text C:\Windows\system32\wininit.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000777719a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\wininit.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077771b60 5 bytes JMP 00000000778d0480 .text C:\Windows\system32\wininit.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077771b90 5 bytes JMP 00000000778d03a0 .text C:\Windows\system32\wininit.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077771c70 5 bytes JMP 00000000778d02f0 .text C:\Windows\system32\wininit.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077771c80 5 bytes JMP 00000000778d0350 .text C:\Windows\system32\wininit.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077771ce0 5 bytes JMP 00000000778d0290 .text C:\Windows\system32\wininit.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077771d70 5 bytes JMP 00000000778d02b0 .text C:\Windows\system32\wininit.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077771d90 5 bytes JMP 00000000778d03d0 .text C:\Windows\system32\wininit.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077771da0 1 byte JMP 00000000778d0330 
.text C:\Windows\system32\wininit.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077771da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\wininit.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077771e10 5 bytes JMP 00000000778d0410 .text C:\Windows\system32\wininit.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077771e40 5 bytes JMP 00000000778d0240 .text C:\Windows\system32\wininit.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077772100 5 bytes JMP 00000000778d01e0 .text C:\Windows\system32\wininit.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000777721c0 1 byte JMP 00000000778d0250 .text C:\Windows\system32\wininit.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000777721c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\wininit.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000777721f0 5 bytes JMP 00000000778d0490 .text C:\Windows\system32\wininit.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077772200 5 bytes JMP 00000000778d04a0 .text C:\Windows\system32\wininit.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077772230 5 bytes JMP 00000000778d0300 .text C:\Windows\system32\wininit.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077772240 5 bytes JMP 00000000778d0360 .text C:\Windows\system32\wininit.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000777722a0 5 bytes JMP 00000000778d02a0 .text C:\Windows\system32\wininit.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000777722f0 5 bytes JMP 00000000778d02c0 .text C:\Windows\system32\wininit.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077772320 5 bytes JMP 00000000778d0380 .text C:\Windows\system32\wininit.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077772330 5 bytes JMP 00000000778d0340 .text C:\Windows\system32\wininit.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 
0000000077772620 5 bytes JMP 00000000778d0440 .text C:\Windows\system32\wininit.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077772820 5 bytes JMP 00000000778d0260 .text C:\Windows\system32\wininit.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077772830 5 bytes JMP 00000000778d0270 .text C:\Windows\system32\wininit.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077772840 5 bytes JMP 00000000778d0400 .text C:\Windows\system32\wininit.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077772a00 5 bytes JMP 00000000778d01f0 .text C:\Windows\system32\wininit.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077772a10 5 bytes JMP 00000000778d0210 .text C:\Windows\system32\wininit.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077772a80 5 bytes JMP 00000000778d0200 .text C:\Windows\system32\wininit.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077772ae0 5 bytes JMP 00000000778d0420 .text C:\Windows\system32\wininit.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077772af0 5 bytes JMP 00000000778d0430 .text C:\Windows\system32\wininit.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077772b00 5 bytes JMP 00000000778d0220 .text C:\Windows\system32\wininit.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077772be0 5 bytes JMP 00000000778d0280 .text C:\Windows\system32\wininit.exe[676] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007755eecd 1 byte [62] .text C:\Windows\system32\csrss.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000777713c0 5 bytes JMP 000000014a3e0460 .text C:\Windows\system32\csrss.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077771410 5 bytes JMP 000000014a3e0450 .text C:\Windows\system32\csrss.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077771570 5 bytes JMP 000000014a3e0370 .text C:\Windows\system32\csrss.exe[700] 
C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000777715c0 5 bytes JMP 000000014a3e0470 .text C:\Windows\system32\csrss.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000777715d0 5 bytes JMP 000000014a3e03e0 .text C:\Windows\system32\csrss.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077771680 5 bytes JMP 000000014a3e0320 .text C:\Windows\system32\csrss.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000777716b0 5 bytes JMP 000000014a3e03b0 .text C:\Windows\system32\csrss.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000777716d0 5 bytes JMP 000000014a3e0390 .text C:\Windows\system32\csrss.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077771710 5 bytes JMP 000000014a3e02e0 .text C:\Windows\system32\csrss.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077771790 5 bytes JMP 000000014a3e02d0 .text C:\Windows\system32\csrss.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000777717b0 5 bytes JMP 000000014a3e0310 .text C:\Windows\system32\csrss.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000777717f0 5 bytes JMP 000000014a3e03c0 .text C:\Windows\system32\csrss.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077771840 5 bytes JMP 000000014a3e03f0 .text C:\Windows\system32\csrss.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000777719a0 1 byte JMP 000000014a3e0230 .text C:\Windows\system32\csrss.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000777719a2 3 bytes {JMP 0xffffffffd2c6e890} .text C:\Windows\system32\csrss.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077771b60 5 bytes JMP 000000014a3e0480 .text C:\Windows\system32\csrss.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077771b90 5 bytes JMP 000000014a3e03a0 .text C:\Windows\system32\csrss.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077771c70 5 bytes JMP 000000014a3e02f0 .text 
C:\Windows\system32\csrss.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077771c80 5 bytes JMP 000000014a3e0350 .text C:\Windows\system32\csrss.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077771ce0 5 bytes JMP 000000014a3e0290 .text C:\Windows\system32\csrss.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077771d70 5 bytes JMP 000000014a3e02b0 .text C:\Windows\system32\csrss.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077771d90 5 bytes JMP 000000014a3e03d0 .text C:\Windows\system32\csrss.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077771da0 1 byte JMP 000000014a3e0330 .text C:\Windows\system32\csrss.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077771da2 3 bytes {JMP 0xffffffffd2c6e590} .text C:\Windows\system32\csrss.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077771e10 5 bytes JMP 000000014a3e0410 .text C:\Windows\system32\csrss.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077771e40 5 bytes JMP 000000014a3e0240 .text C:\Windows\system32\csrss.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077772100 5 bytes JMP 000000014a3e01e0 .text C:\Windows\system32\csrss.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000777721c0 1 byte JMP 000000014a3e0250 .text C:\Windows\system32\csrss.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000777721c2 3 bytes {JMP 0xffffffffd2c6e090} .text C:\Windows\system32\csrss.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000777721f0 5 bytes JMP 000000014a3e0490 .text C:\Windows\system32\csrss.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077772200 5 bytes JMP 000000014a3e04a0 .text C:\Windows\system32\csrss.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077772230 5 bytes JMP 000000014a3e0300 .text C:\Windows\system32\csrss.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 
0000000077772240 5 bytes JMP 000000014a3e0360 .text C:\Windows\system32\csrss.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000777722a0 5 bytes JMP 000000014a3e02a0 .text C:\Windows\system32\csrss.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000777722f0 5 bytes JMP 000000014a3e02c0 .text C:\Windows\system32\csrss.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077772320 5 bytes JMP 000000014a3e0380 .text C:\Windows\system32\csrss.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077772330 5 bytes JMP 000000014a3e0340 .text C:\Windows\system32\csrss.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077772620 5 bytes JMP 000000014a3e0440 .text C:\Windows\system32\csrss.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077772820 5 bytes JMP 000000014a3e0260 .text C:\Windows\system32\csrss.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077772830 5 bytes JMP 000000014a3e0270 .text C:\Windows\system32\csrss.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077772840 5 bytes JMP 000000014a3e0400 .text C:\Windows\system32\csrss.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077772a00 5 bytes JMP 000000014a3e01f0 .text C:\Windows\system32\csrss.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077772a10 5 bytes JMP 000000014a3e0210 .text C:\Windows\system32\csrss.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077772a80 5 bytes JMP 000000014a3e0200 .text C:\Windows\system32\csrss.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077772ae0 5 bytes JMP 000000014a3e0420 .text C:\Windows\system32\csrss.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077772af0 5 bytes JMP 000000014a3e0430 .text C:\Windows\system32\csrss.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077772b00 5 bytes JMP 000000014a3e0220 .text C:\Windows\system32\csrss.exe[700] 
C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077772be0 5 bytes JMP 000000014a3e0280 .text C:\Windows\system32\services.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000777713c0 5 bytes JMP 00000000778d0460 .text C:\Windows\system32\services.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077771410 5 bytes JMP 00000000778d0450 .text C:\Windows\system32\services.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077771570 5 bytes JMP 00000000778d0370 .text C:\Windows\system32\services.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000777715c0 5 bytes JMP 00000000778d0470 .text C:\Windows\system32\services.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000777715d0 5 bytes JMP 00000000778d03e0 .text C:\Windows\system32\services.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077771680 5 bytes JMP 00000000778d0320 .text C:\Windows\system32\services.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000777716b0 5 bytes JMP 00000000778d03b0 .text C:\Windows\system32\services.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000777716d0 5 bytes JMP 00000000778d0390 .text C:\Windows\system32\services.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077771710 5 bytes JMP 00000000778d02e0 .text C:\Windows\system32\services.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077771790 5 bytes JMP 00000000778d02d0 .text C:\Windows\system32\services.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000777717b0 5 bytes JMP 00000000778d0310 .text C:\Windows\system32\services.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000777717f0 5 bytes JMP 00000000778d03c0 .text C:\Windows\system32\services.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077771840 5 bytes JMP 00000000778d03f0 .text C:\Windows\system32\services.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000777719a0 1 byte JMP 
00000000778d0230 .text C:\Windows\system32\services.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000777719a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\services.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077771b60 5 bytes JMP 00000000778d0480 .text C:\Windows\system32\services.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077771b90 5 bytes JMP 00000000778d03a0 .text C:\Windows\system32\services.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077771c70 5 bytes JMP 00000000778d02f0 .text C:\Windows\system32\services.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077771c80 5 bytes JMP 00000000778d0350 .text C:\Windows\system32\services.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077771ce0 5 bytes JMP 00000000778d0290 .text C:\Windows\system32\services.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077771d70 5 bytes JMP 00000000778d02b0 .text C:\Windows\system32\services.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077771d90 5 bytes JMP 00000000778d03d0 .text C:\Windows\system32\services.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077771da0 1 byte JMP 00000000778d0330 .text C:\Windows\system32\services.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077771da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\services.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077771e10 5 bytes JMP 00000000778d0410 .text C:\Windows\system32\services.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077771e40 5 bytes JMP 00000000778d0240 .text C:\Windows\system32\services.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077772100 5 bytes JMP 00000000778d01e0 .text C:\Windows\system32\services.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000777721c0 1 byte JMP 00000000778d0250 .text C:\Windows\system32\services.exe[744] 
C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000777721c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\services.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000777721f0 5 bytes JMP 00000000778d0490 .text C:\Windows\system32\services.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077772200 5 bytes JMP 00000000778d04a0 .text C:\Windows\system32\services.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077772230 5 bytes JMP 00000000778d0300 .text C:\Windows\system32\services.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077772240 5 bytes JMP 00000000778d0360 .text C:\Windows\system32\services.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000777722a0 5 bytes JMP 00000000778d02a0 .text C:\Windows\system32\services.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000777722f0 5 bytes JMP 00000000778d02c0 .text C:\Windows\system32\services.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077772320 5 bytes JMP 00000000778d0380 .text C:\Windows\system32\services.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077772330 5 bytes JMP 00000000778d0340 .text C:\Windows\system32\services.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077772620 5 bytes JMP 00000000778d0440 .text C:\Windows\system32\services.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077772820 5 bytes JMP 00000000778d0260 .text C:\Windows\system32\services.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077772830 5 bytes JMP 00000000778d0270 .text C:\Windows\system32\services.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077772840 5 bytes JMP 00000000778d0400 .text C:\Windows\system32\services.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077772a00 5 bytes JMP 00000000778d01f0 .text C:\Windows\system32\services.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077772a10 5 
bytes JMP 00000000778d0210 .text C:\Windows\system32\services.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077772a80 5 bytes JMP 00000000778d0200 .text C:\Windows\system32\services.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077772ae0 5 bytes JMP 00000000778d0420 .text C:\Windows\system32\services.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077772af0 5 bytes JMP 00000000778d0430 .text C:\Windows\system32\services.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077772b00 5 bytes JMP 00000000778d0220 .text C:\Windows\system32\services.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077772be0 5 bytes JMP 00000000778d0280 .text C:\Windows\system32\services.exe[744] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007755eecd 1 byte [62] .text C:\Windows\system32\lsass.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000777713c0 5 bytes JMP 00000000778d0460 .text C:\Windows\system32\lsass.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077771410 5 bytes JMP 00000000778d0450 .text C:\Windows\system32\lsass.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077771570 5 bytes JMP 00000000778d0370 .text C:\Windows\system32\lsass.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000777715c0 5 bytes JMP 00000000778d0470 .text C:\Windows\system32\lsass.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000777715d0 5 bytes JMP 00000000778d03e0 .text C:\Windows\system32\lsass.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077771680 5 bytes JMP 00000000778d0320 .text C:\Windows\system32\lsass.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000777716b0 5 bytes JMP 00000000778d03b0 .text C:\Windows\system32\lsass.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000777716d0 5 bytes JMP 00000000778d0390 .text C:\Windows\system32\lsass.exe[760] 
C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077771710 5 bytes JMP 00000000778d02e0 .text C:\Windows\system32\lsass.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077771790 5 bytes JMP 00000000778d02d0 .text C:\Windows\system32\lsass.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000777717b0 5 bytes JMP 00000000778d0310 .text C:\Windows\system32\lsass.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000777717f0 5 bytes JMP 00000000778d03c0 .text C:\Windows\system32\lsass.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077771840 5 bytes JMP 00000000778d03f0 .text C:\Windows\system32\lsass.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000777719a0 1 byte JMP 00000000778d0230 .text C:\Windows\system32\lsass.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000777719a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\lsass.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077771b60 5 bytes JMP 00000000778d0480 .text C:\Windows\system32\lsass.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077771b90 5 bytes JMP 00000000778d03a0 .text C:\Windows\system32\lsass.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077771c70 5 bytes JMP 00000000778d02f0 .text C:\Windows\system32\lsass.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077771c80 5 bytes JMP 00000000778d0350 .text C:\Windows\system32\lsass.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077771ce0 5 bytes JMP 00000000778d0290 .text C:\Windows\system32\lsass.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077771d70 5 bytes JMP 00000000778d02b0 .text C:\Windows\system32\lsass.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077771d90 5 bytes JMP 00000000778d03d0 .text C:\Windows\system32\lsass.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077771da0 1 byte JMP 00000000778d0330 .text 
C:\Windows\system32\lsass.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077771da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\lsass.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077771e10 5 bytes JMP 00000000778d0410 .text C:\Windows\system32\lsass.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077771e40 5 bytes JMP 00000000778d0240 .text C:\Windows\system32\lsass.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077772100 5 bytes JMP 00000000778d01e0 .text C:\Windows\system32\lsass.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000777721c0 1 byte JMP 00000000778d0250 .text C:\Windows\system32\lsass.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000777721c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\lsass.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000777721f0 5 bytes JMP 00000000778d0490 .text C:\Windows\system32\lsass.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077772200 5 bytes JMP 00000000778d04a0 .text C:\Windows\system32\lsass.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077772230 5 bytes JMP 00000000778d0300 .text C:\Windows\system32\lsass.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077772240 5 bytes JMP 00000000778d0360 .text C:\Windows\system32\lsass.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000777722a0 5 bytes JMP 00000000778d02a0 .text C:\Windows\system32\lsass.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000777722f0 5 bytes JMP 00000000778d02c0 .text C:\Windows\system32\lsass.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077772320 5 bytes JMP 00000000778d0380 .text C:\Windows\system32\lsass.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077772330 5 bytes JMP 00000000778d0340 .text C:\Windows\system32\lsass.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077772620 5 bytes JMP 00000000778d0440 
.text C:\Windows\system32\lsass.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077772820 5 bytes JMP 00000000778d0260 .text C:\Windows\system32\lsass.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077772830 5 bytes JMP 00000000778d0270 .text C:\Windows\system32\lsass.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077772840 5 bytes JMP 00000000778d0400 .text C:\Windows\system32\lsass.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077772a00 5 bytes JMP 00000000778d01f0 .text C:\Windows\system32\lsass.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077772a10 5 bytes JMP 00000000778d0210 .text C:\Windows\system32\lsass.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077772a80 5 bytes JMP 00000000778d0200 .text C:\Windows\system32\lsass.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077772ae0 5 bytes JMP 00000000778d0420 .text C:\Windows\system32\lsass.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077772af0 5 bytes JMP 00000000778d0430 .text C:\Windows\system32\lsass.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077772b00 5 bytes JMP 00000000778d0220 .text C:\Windows\system32\lsass.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077772be0 5 bytes JMP 00000000778d0280 .text C:\Windows\system32\lsm.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000777713c0 5 bytes JMP 00000000778d0460 .text C:\Windows\system32\lsm.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077771410 5 bytes JMP 00000000778d0450 .text C:\Windows\system32\lsm.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077771570 5 bytes JMP 00000000778d0370 .text C:\Windows\system32\lsm.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000777715c0 5 bytes JMP 00000000778d0470 .text C:\Windows\system32\lsm.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000777715d0 5 
bytes JMP 00000000778d03e0 .text C:\Windows\system32\lsm.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077771680 5 bytes JMP 00000000778d0320 .text C:\Windows\system32\lsm.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000777716b0 5 bytes JMP 00000000778d03b0 .text C:\Windows\system32\lsm.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000777716d0 5 bytes JMP 00000000778d0390 .text C:\Windows\system32\lsm.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077771710 5 bytes JMP 00000000778d02e0 .text C:\Windows\system32\lsm.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077771790 5 bytes JMP 00000000778d02d0 .text C:\Windows\system32\lsm.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000777717b0 5 bytes JMP 00000000778d0310 .text C:\Windows\system32\lsm.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000777717f0 5 bytes JMP 00000000778d03c0 .text C:\Windows\system32\lsm.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077771840 5 bytes JMP 00000000778d03f0 .text C:\Windows\system32\lsm.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000777719a0 1 byte JMP 00000000778d0230 .text C:\Windows\system32\lsm.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000777719a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\lsm.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077771b60 5 bytes JMP 00000000778d0480 .text C:\Windows\system32\lsm.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077771b90 5 bytes JMP 00000000778d03a0 .text C:\Windows\system32\lsm.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077771c70 5 bytes JMP 00000000778d02f0 .text C:\Windows\system32\lsm.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077771c80 5 bytes JMP 00000000778d0350 .text C:\Windows\system32\lsm.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077771ce0 5 bytes JMP 
00000000778d0290 .text C:\Windows\system32\lsm.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077771d70 5 bytes JMP 00000000778d02b0 .text C:\Windows\system32\lsm.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077771d90 5 bytes JMP 00000000778d03d0 .text C:\Windows\system32\lsm.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077771da0 1 byte JMP 00000000778d0330 .text C:\Windows\system32\lsm.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077771da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\lsm.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077771e10 5 bytes JMP 00000000778d0410 .text C:\Windows\system32\lsm.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077771e40 5 bytes JMP 00000000778d0240 .text C:\Windows\system32\lsm.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077772100 5 bytes JMP 00000000778d01e0 .text C:\Windows\system32\lsm.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000777721c0 1 byte JMP 00000000778d0250 .text C:\Windows\system32\lsm.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000777721c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\lsm.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000777721f0 5 bytes JMP 00000000778d0490 .text C:\Windows\system32\lsm.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077772200 5 bytes JMP 00000000778d04a0 .text C:\Windows\system32\lsm.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077772230 5 bytes JMP 00000000778d0300 .text C:\Windows\system32\lsm.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077772240 5 bytes JMP 00000000778d0360 .text C:\Windows\system32\lsm.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000777722a0 5 bytes JMP 00000000778d02a0 .text C:\Windows\system32\lsm.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000777722f0 5 bytes JMP 00000000778d02c0 
.text C:\Windows\system32\lsm.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077772320 5 bytes JMP 00000000778d0380 .text C:\Windows\system32\lsm.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077772330 5 bytes JMP 00000000778d0340 .text C:\Windows\system32\lsm.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077772620 5 bytes JMP 00000000778d0440 .text C:\Windows\system32\lsm.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077772820 5 bytes JMP 00000000778d0260 .text C:\Windows\system32\lsm.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077772830 5 bytes JMP 00000000778d0270 .text C:\Windows\system32\lsm.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077772840 5 bytes JMP 00000000778d0400 .text C:\Windows\system32\lsm.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077772a00 5 bytes JMP 00000000778d01f0 .text C:\Windows\system32\lsm.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077772a10 5 bytes JMP 00000000778d0210 .text C:\Windows\system32\lsm.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077772a80 5 bytes JMP 00000000778d0200 .text C:\Windows\system32\lsm.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077772ae0 5 bytes JMP 00000000778d0420 .text C:\Windows\system32\lsm.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077772af0 5 bytes JMP 00000000778d0430 .text C:\Windows\system32\lsm.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077772b00 5 bytes JMP 00000000778d0220 .text C:\Windows\system32\lsm.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077772be0 5 bytes JMP 00000000778d0280 .text C:\Windows\system32\winlogon.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000777713c0 5 bytes JMP 0000000100040460 .text C:\Windows\system32\winlogon.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077771410 5 bytes JMP 
0000000100040450 .text C:\Windows\system32\winlogon.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077771570 5 bytes JMP 0000000100040370 .text C:\Windows\system32\winlogon.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000777715c0 5 bytes JMP 0000000100040470 .text C:\Windows\system32\winlogon.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000777715d0 5 bytes JMP 00000001000403e0 .text C:\Windows\system32\winlogon.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077771680 5 bytes JMP 0000000100040320 .text C:\Windows\system32\winlogon.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000777716b0 5 bytes JMP 00000001000403b0 .text C:\Windows\system32\winlogon.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000777716d0 5 bytes JMP 0000000100040390 .text C:\Windows\system32\winlogon.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077771710 5 bytes JMP 00000001000402e0 .text C:\Windows\system32\winlogon.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077771790 5 bytes JMP 00000001000402d0 .text C:\Windows\system32\winlogon.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000777717b0 5 bytes JMP 0000000100040310 .text C:\Windows\system32\winlogon.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000777717f0 5 bytes JMP 00000001000403c0 .text C:\Windows\system32\winlogon.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077771840 5 bytes JMP 00000001000403f0 .text C:\Windows\system32\winlogon.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000777719a0 1 byte JMP 0000000100040230 .text C:\Windows\system32\winlogon.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000777719a2 3 bytes {JMP 0xffffffff888ce890} .text C:\Windows\system32\winlogon.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077771b60 5 bytes JMP 0000000100040480 .text C:\Windows\system32\winlogon.exe[804] 
C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077771b90 5 bytes JMP 00000001000403a0 .text C:\Windows\system32\winlogon.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077771c70 5 bytes JMP 00000001000402f0 .text C:\Windows\system32\winlogon.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077771c80 5 bytes JMP 0000000100040350 .text C:\Windows\system32\winlogon.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077771ce0 5 bytes JMP 0000000100040290 .text C:\Windows\system32\winlogon.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077771d70 5 bytes JMP 00000001000402b0 .text C:\Windows\system32\winlogon.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077771d90 5 bytes JMP 00000001000403d0 .text C:\Windows\system32\winlogon.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077771da0 1 byte JMP 0000000100040330 .text C:\Windows\system32\winlogon.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077771da2 3 bytes {JMP 0xffffffff888ce590} .text C:\Windows\system32\winlogon.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077771e10 5 bytes JMP 0000000100040410 .text C:\Windows\system32\winlogon.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077771e40 5 bytes JMP 0000000100040240 .text C:\Windows\system32\winlogon.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077772100 5 bytes JMP 00000001000401e0 .text C:\Windows\system32\winlogon.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000777721c0 1 byte JMP 0000000100040250 .text C:\Windows\system32\winlogon.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000777721c2 3 bytes {JMP 0xffffffff888ce090} .text C:\Windows\system32\winlogon.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000777721f0 5 bytes JMP 0000000100040490 .text C:\Windows\system32\winlogon.exe[804] 
C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077772200 5 bytes JMP 00000001000404a0 .text C:\Windows\system32\winlogon.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077772230 5 bytes JMP 0000000100040300 .text C:\Windows\system32\winlogon.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077772240 5 bytes JMP 0000000100040360 .text C:\Windows\system32\winlogon.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000777722a0 5 bytes JMP 00000001000402a0 .text C:\Windows\system32\winlogon.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000777722f0 5 bytes JMP 00000001000402c0 .text C:\Windows\system32\winlogon.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077772320 5 bytes JMP 0000000100040380 .text C:\Windows\system32\winlogon.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077772330 5 bytes JMP 0000000100040340 .text C:\Windows\system32\winlogon.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077772620 5 bytes JMP 0000000100040440 .text C:\Windows\system32\winlogon.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077772820 5 bytes JMP 0000000100040260 .text C:\Windows\system32\winlogon.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077772830 5 bytes JMP 0000000100040270 .text C:\Windows\system32\winlogon.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077772840 5 bytes JMP 0000000100040400 .text C:\Windows\system32\winlogon.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077772a00 5 bytes JMP 00000001000401f0 .text C:\Windows\system32\winlogon.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077772a10 5 bytes JMP 0000000100040210 .text C:\Windows\system32\winlogon.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077772a80 5 bytes JMP 0000000100040200 .text C:\Windows\system32\winlogon.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077772ae0 5 
bytes JMP 0000000100040420 .text C:\Windows\system32\winlogon.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077772af0 5 bytes JMP 0000000100040430 .text C:\Windows\system32\winlogon.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077772b00 5 bytes JMP 0000000100040220 .text C:\Windows\system32\winlogon.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077772be0 5 bytes JMP 0000000100040280 .text C:\Windows\system32\winlogon.exe[804] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007755eecd 1 byte [62] .text C:\Windows\system32\svchost.exe[920] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000777713c0 5 bytes JMP 00000000778d0460 .text C:\Windows\system32\svchost.exe[920] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077771410 5 bytes JMP 00000000778d0450 .text C:\Windows\system32\svchost.exe[920] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077771570 5 bytes JMP 00000000778d0370 .text C:\Windows\system32\svchost.exe[920] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000777715c0 5 bytes JMP 00000000778d0470 .text C:\Windows\system32\svchost.exe[920] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000777715d0 5 bytes JMP 00000000778d03e0 .text C:\Windows\system32\svchost.exe[920] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077771680 5 bytes JMP 00000000778d0320 .text C:\Windows\system32\svchost.exe[920] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000777716b0 5 bytes JMP 00000000778d03b0 .text C:\Windows\system32\svchost.exe[920] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000777716d0 5 bytes JMP 00000000778d0390 .text C:\Windows\system32\svchost.exe[920] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077771710 5 bytes JMP 00000000778d02e0 .text C:\Windows\system32\svchost.exe[920] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077771790 5 bytes JMP 00000000778d02d0 .text C:\Windows\system32\svchost.exe[920] 
C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000777717b0 5 bytes JMP 00000000778d0310 .text C:\Windows\system32\svchost.exe[920] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000777717f0 5 bytes JMP 00000000778d03c0 .text C:\Windows\system32\svchost.exe[920] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077771840 5 bytes JMP 00000000778d03f0 .text C:\Windows\system32\svchost.exe[920] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000777719a0 1 byte JMP 00000000778d0230 .text C:\Windows\system32\svchost.exe[920] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000777719a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\svchost.exe[920] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077771b60 5 bytes JMP 00000000778d0480 .text C:\Windows\system32\svchost.exe[920] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077771b90 5 bytes JMP 00000000778d03a0 .text C:\Windows\system32\svchost.exe[920] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077771c70 5 bytes JMP 00000000778d02f0 .text C:\Windows\system32\svchost.exe[920] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077771c80 5 bytes JMP 00000000778d0350 .text C:\Windows\system32\svchost.exe[920] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077771ce0 5 bytes JMP 00000000778d0290 .text C:\Windows\system32\svchost.exe[920] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077771d70 5 bytes JMP 00000000778d02b0 .text C:\Windows\system32\svchost.exe[920] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077771d90 5 bytes JMP 00000000778d03d0 .text C:\Windows\system32\svchost.exe[920] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077771da0 1 byte JMP 00000000778d0330 .text C:\Windows\system32\svchost.exe[920] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077771da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\svchost.exe[920] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077771e10 5 bytes JMP 
00000000778d0410 .text C:\Windows\system32\svchost.exe[920] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077771e40 5 bytes JMP 00000000778d0240 .text C:\Windows\system32\svchost.exe[920] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077772100 5 bytes JMP 00000000778d01e0 .text C:\Windows\system32\svchost.exe[920] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000777721c0 1 byte JMP 00000000778d0250 .text C:\Windows\system32\svchost.exe[920] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000777721c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\svchost.exe[920] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000777721f0 5 bytes JMP 00000000778d0490 .text C:\Windows\system32\svchost.exe[920] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077772200 5 bytes JMP 00000000778d04a0 .text C:\Windows\system32\svchost.exe[920] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077772230 5 bytes JMP 00000000778d0300 .text C:\Windows\system32\svchost.exe[920] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077772240 5 bytes JMP 00000000778d0360 .text C:\Windows\system32\svchost.exe[920] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000777722a0 5 bytes JMP 00000000778d02a0 .text C:\Windows\system32\svchost.exe[920] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000777722f0 5 bytes JMP 00000000778d02c0 .text C:\Windows\system32\svchost.exe[920] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077772320 5 bytes JMP 00000000778d0380 .text C:\Windows\system32\svchost.exe[920] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077772330 5 bytes JMP 00000000778d0340 .text C:\Windows\system32\svchost.exe[920] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077772620 5 bytes JMP 00000000778d0440 .text C:\Windows\system32\svchost.exe[920] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077772820 5 bytes JMP 00000000778d0260 .text C:\Windows\system32\svchost.exe[920] 
C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077772830 5 bytes JMP 00000000778d0270 .text C:\Windows\system32\svchost.exe[920] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077772840 5 bytes JMP 00000000778d0400 .text C:\Windows\system32\svchost.exe[920] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077772a00 5 bytes JMP 00000000778d01f0 .text C:\Windows\system32\svchost.exe[920] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077772a10 5 bytes JMP 00000000778d0210 .text C:\Windows\system32\svchost.exe[920] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077772a80 5 bytes JMP 00000000778d0200 .text C:\Windows\system32\svchost.exe[920] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077772ae0 5 bytes JMP 00000000778d0420 .text C:\Windows\system32\svchost.exe[920] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077772af0 5 bytes JMP 00000000778d0430 .text C:\Windows\system32\svchost.exe[920] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077772b00 5 bytes JMP 00000000778d0220 .text C:\Windows\system32\svchost.exe[920] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077772be0 5 bytes JMP 00000000778d0280 .text C:\Windows\system32\svchost.exe[920] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007755eecd 1 byte [62] .text C:\Windows\system32\nvvsvc.exe[120] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000777713c0 5 bytes JMP 00000000778d0460 .text C:\Windows\system32\nvvsvc.exe[120] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077771410 5 bytes JMP 00000000778d0450 .text C:\Windows\system32\nvvsvc.exe[120] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077771570 5 bytes JMP 00000000778d0370 .text C:\Windows\system32\nvvsvc.exe[120] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000777715c0 5 bytes JMP 00000000778d0470 .text C:\Windows\system32\nvvsvc.exe[120] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000777715d0 5 bytes JMP 
00000000778d03e0 .text C:\Windows\system32\nvvsvc.exe[120] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077771680 5 bytes JMP 00000000778d0320 .text C:\Windows\system32\nvvsvc.exe[120] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000777716b0 5 bytes JMP 00000000778d03b0 .text C:\Windows\system32\nvvsvc.exe[120] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000777716d0 5 bytes JMP 00000000778d0390 .text C:\Windows\system32\nvvsvc.exe[120] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077771710 5 bytes JMP 00000000778d02e0 .text C:\Windows\system32\nvvsvc.exe[120] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077771790 5 bytes JMP 00000000778d02d0 .text C:\Windows\system32\nvvsvc.exe[120] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000777717b0 5 bytes JMP 00000000778d0310 .text C:\Windows\system32\nvvsvc.exe[120] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000777717f0 5 bytes JMP 00000000778d03c0 .text C:\Windows\system32\nvvsvc.exe[120] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077771840 5 bytes JMP 00000000778d03f0 .text C:\Windows\system32\nvvsvc.exe[120] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000777719a0 1 byte JMP 00000000778d0230 .text C:\Windows\system32\nvvsvc.exe[120] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000777719a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\nvvsvc.exe[120] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077771b60 5 bytes JMP 00000000778d0480 .text C:\Windows\system32\nvvsvc.exe[120] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077771b90 5 bytes JMP 00000000778d03a0 .text C:\Windows\system32\nvvsvc.exe[120] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077771c70 5 bytes JMP 00000000778d02f0 .text C:\Windows\system32\nvvsvc.exe[120] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077771c80 5 bytes JMP 00000000778d0350 .text C:\Windows\system32\nvvsvc.exe[120] 
C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077771ce0 5 bytes JMP 00000000778d0290 .text C:\Windows\system32\nvvsvc.exe[120] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077771d70 5 bytes JMP 00000000778d02b0 .text C:\Windows\system32\nvvsvc.exe[120] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077771d90 5 bytes JMP 00000000778d03d0 .text C:\Windows\system32\nvvsvc.exe[120] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077771da0 1 byte JMP 00000000778d0330 .text C:\Windows\system32\nvvsvc.exe[120] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077771da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\nvvsvc.exe[120] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077771e10 5 bytes JMP 00000000778d0410 .text C:\Windows\system32\nvvsvc.exe[120] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077771e40 5 bytes JMP 00000000778d0240 .text C:\Windows\system32\nvvsvc.exe[120] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077772100 5 bytes JMP 00000000778d01e0 .text C:\Windows\system32\nvvsvc.exe[120] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000777721c0 1 byte JMP 00000000778d0250 .text C:\Windows\system32\nvvsvc.exe[120] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000777721c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\nvvsvc.exe[120] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000777721f0 5 bytes JMP 00000000778d0490 .text C:\Windows\system32\nvvsvc.exe[120] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077772200 5 bytes JMP 00000000778d04a0 .text C:\Windows\system32\nvvsvc.exe[120] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077772230 5 bytes JMP 00000000778d0300 .text C:\Windows\system32\nvvsvc.exe[120] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077772240 5 bytes JMP 00000000778d0360 .text C:\Windows\system32\nvvsvc.exe[120] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000777722a0 5 bytes JMP 00000000778d02a0 .text 
C:\Windows\system32\nvvsvc.exe[120] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000777722f0 5 bytes JMP 00000000778d02c0 .text C:\Windows\system32\nvvsvc.exe[120] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077772320 5 bytes JMP 00000000778d0380 .text C:\Windows\system32\nvvsvc.exe[120] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077772330 5 bytes JMP 00000000778d0340 .text C:\Windows\system32\nvvsvc.exe[120] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077772620 5 bytes JMP 00000000778d0440 .text C:\Windows\system32\nvvsvc.exe[120] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077772820 5 bytes JMP 00000000778d0260 .text C:\Windows\system32\nvvsvc.exe[120] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077772830 5 bytes JMP 00000000778d0270 .text C:\Windows\system32\nvvsvc.exe[120] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077772840 5 bytes JMP 00000000778d0400 .text C:\Windows\system32\nvvsvc.exe[120] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077772a00 5 bytes JMP 00000000778d01f0 .text C:\Windows\system32\nvvsvc.exe[120] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077772a10 5 bytes JMP 00000000778d0210 .text C:\Windows\system32\nvvsvc.exe[120] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077772a80 5 bytes JMP 00000000778d0200 .text C:\Windows\system32\nvvsvc.exe[120] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077772ae0 5 bytes JMP 00000000778d0420 .text C:\Windows\system32\nvvsvc.exe[120] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077772af0 5 bytes JMP 00000000778d0430 .text C:\Windows\system32\nvvsvc.exe[120] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077772b00 5 bytes JMP 00000000778d0220 .text C:\Windows\system32\nvvsvc.exe[120] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077772be0 5 bytes JMP 00000000778d0280 .text C:\Windows\system32\nvvsvc.exe[120] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 
000000007755eecd 1 byte [62] .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[448] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000075b1a30a 1 byte [62] .text C:\Windows\system32\svchost.exe[496] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000777713c0 5 bytes JMP 00000000778d0460 .text C:\Windows\system32\svchost.exe[496] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077771410 5 bytes JMP 00000000778d0450 .text C:\Windows\system32\svchost.exe[496] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077771570 5 bytes JMP 00000000778d0370 .text C:\Windows\system32\svchost.exe[496] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000777715c0 5 bytes JMP 00000000778d0470 .text C:\Windows\system32\svchost.exe[496] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000777715d0 5 bytes JMP 00000000778d03e0 .text C:\Windows\system32\svchost.exe[496] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077771680 5 bytes JMP 00000000778d0320 .text C:\Windows\system32\svchost.exe[496] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000777716b0 5 bytes JMP 00000000778d03b0 .text C:\Windows\system32\svchost.exe[496] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000777716d0 5 bytes JMP 00000000778d0390 .text C:\Windows\system32\svchost.exe[496] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077771710 5 bytes JMP 00000000778d02e0 .text C:\Windows\system32\svchost.exe[496] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077771790 5 bytes JMP 00000000778d02d0 .text C:\Windows\system32\svchost.exe[496] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000777717b0 5 bytes JMP 00000000778d0310 .text C:\Windows\system32\svchost.exe[496] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000777717f0 5 bytes JMP 00000000778d03c0 .text C:\Windows\system32\svchost.exe[496] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077771840 5 bytes JMP 00000000778d03f0 .text 
C:\Windows\system32\svchost.exe[496] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000777719a0 1 byte JMP 00000000778d0230 .text C:\Windows\system32\svchost.exe[496] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000777719a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\svchost.exe[496] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077771b60 5 bytes JMP 00000000778d0480 .text C:\Windows\system32\svchost.exe[496] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077771b90 5 bytes JMP 00000000778d03a0 .text C:\Windows\system32\svchost.exe[496] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077771c70 5 bytes JMP 00000000778d02f0 .text C:\Windows\system32\svchost.exe[496] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077771c80 5 bytes JMP 00000000778d0350 .text C:\Windows\system32\svchost.exe[496] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077771ce0 5 bytes JMP 00000000778d0290 .text C:\Windows\system32\svchost.exe[496] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077771d70 5 bytes JMP 00000000778d02b0 .text C:\Windows\system32\svchost.exe[496] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077771d90 5 bytes JMP 00000000778d03d0 .text C:\Windows\system32\svchost.exe[496] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077771da0 1 byte JMP 00000000778d0330 .text C:\Windows\system32\svchost.exe[496] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077771da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\svchost.exe[496] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077771e10 5 bytes JMP 00000000778d0410 .text C:\Windows\system32\svchost.exe[496] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077771e40 5 bytes JMP 00000000778d0240 .text C:\Windows\system32\svchost.exe[496] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077772100 5 bytes JMP 00000000778d01e0 .text C:\Windows\system32\svchost.exe[496] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 
00000000777721c0 1 byte JMP 00000000778d0250 .text C:\Windows\system32\svchost.exe[496] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000777721c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\svchost.exe[496] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000777721f0 5 bytes JMP 00000000778d0490 .text C:\Windows\system32\svchost.exe[496] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077772200 5 bytes JMP 00000000778d04a0 .text C:\Windows\system32\svchost.exe[496] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077772230 5 bytes JMP 00000000778d0300 .text C:\Windows\system32\svchost.exe[496] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077772240 5 bytes JMP 00000000778d0360 .text C:\Windows\system32\svchost.exe[496] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000777722a0 5 bytes JMP 00000000778d02a0 .text C:\Windows\system32\svchost.exe[496] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000777722f0 5 bytes JMP 00000000778d02c0 .text C:\Windows\system32\svchost.exe[496] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077772320 5 bytes JMP 00000000778d0380 .text C:\Windows\system32\svchost.exe[496] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077772330 5 bytes JMP 00000000778d0340 .text C:\Windows\system32\svchost.exe[496] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077772620 5 bytes JMP 00000000778d0440 .text C:\Windows\system32\svchost.exe[496] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077772820 5 bytes JMP 00000000778d0260 .text C:\Windows\system32\svchost.exe[496] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077772830 5 bytes JMP 00000000778d0270 .text C:\Windows\system32\svchost.exe[496] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077772840 5 bytes JMP 00000000778d0400 .text C:\Windows\system32\svchost.exe[496] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077772a00 5 bytes JMP 00000000778d01f0 .text 
C:\Windows\system32\svchost.exe[496] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077772a10 5 bytes JMP 00000000778d0210 .text C:\Windows\system32\svchost.exe[496] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077772a80 5 bytes JMP 00000000778d0200 .text C:\Windows\system32\svchost.exe[496] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077772ae0 5 bytes JMP 00000000778d0420 .text C:\Windows\system32\svchost.exe[496] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077772af0 5 bytes JMP 00000000778d0430 .text C:\Windows\system32\svchost.exe[496] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077772b00 5 bytes JMP 00000000778d0220 .text C:\Windows\system32\svchost.exe[496] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077772be0 5 bytes JMP 00000000778d0280 .text C:\Windows\System32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000777713c0 5 bytes JMP 00000000778d0460 .text C:\Windows\System32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077771410 5 bytes JMP 00000000778d0450 .text C:\Windows\System32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077771570 5 bytes JMP 00000000778d0370 .text C:\Windows\System32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000777715c0 5 bytes JMP 00000000778d0470 .text C:\Windows\System32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000777715d0 5 bytes JMP 00000000778d03e0 .text C:\Windows\System32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077771680 5 bytes JMP 00000000778d0320 .text C:\Windows\System32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000777716b0 5 bytes JMP 00000000778d03b0 .text C:\Windows\System32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000777716d0 5 bytes JMP 00000000778d0390 .text C:\Windows\System32\svchost.exe[1036] 
C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077771710 5 bytes JMP 00000000778d02e0 .text C:\Windows\System32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077771790 5 bytes JMP 00000000778d02d0 .text C:\Windows\System32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000777717b0 5 bytes JMP 00000000778d0310 .text C:\Windows\System32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000777717f0 5 bytes JMP 00000000778d03c0 .text C:\Windows\System32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077771840 5 bytes JMP 00000000778d03f0 .text C:\Windows\System32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000777719a0 1 byte JMP 00000000778d0230 .text C:\Windows\System32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000777719a2 3 bytes {JMP 0x15e890} .text C:\Windows\System32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077771b60 5 bytes JMP 00000000778d0480 .text C:\Windows\System32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077771b90 5 bytes JMP 00000000778d03a0 .text C:\Windows\System32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077771c70 5 bytes JMP 00000000778d02f0 .text C:\Windows\System32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077771c80 5 bytes JMP 00000000778d0350 .text C:\Windows\System32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077771ce0 5 bytes JMP 00000000778d0290 .text C:\Windows\System32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077771d70 5 bytes JMP 00000000778d02b0 .text C:\Windows\System32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077771d90 5 bytes JMP 00000000778d03d0 .text C:\Windows\System32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077771da0 1 byte JMP 
00000000778d0330 .text C:\Windows\System32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077771da2 3 bytes {JMP 0x15e590} .text C:\Windows\System32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077771e10 5 bytes JMP 00000000778d0410 .text C:\Windows\System32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077771e40 5 bytes JMP 00000000778d0240 .text C:\Windows\System32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077772100 5 bytes JMP 00000000778d01e0 .text C:\Windows\System32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000777721c0 1 byte JMP 00000000778d0250 .text C:\Windows\System32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000777721c2 3 bytes {JMP 0x15e090} .text C:\Windows\System32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000777721f0 5 bytes JMP 00000000778d0490 .text C:\Windows\System32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077772200 5 bytes JMP 00000000778d04a0 .text C:\Windows\System32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077772230 5 bytes JMP 00000000778d0300 .text C:\Windows\System32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077772240 5 bytes JMP 00000000778d0360 .text C:\Windows\System32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000777722a0 5 bytes JMP 00000000778d02a0 .text C:\Windows\System32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000777722f0 5 bytes JMP 00000000778d02c0 .text C:\Windows\System32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077772320 5 bytes JMP 00000000778d0380 .text C:\Windows\System32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077772330 5 bytes JMP 00000000778d0340 .text C:\Windows\System32\svchost.exe[1036] 
C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077772620 5 bytes JMP 00000000778d0440 .text C:\Windows\System32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077772820 5 bytes JMP 00000000778d0260 .text C:\Windows\System32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077772830 5 bytes JMP 00000000778d0270 .text C:\Windows\System32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077772840 5 bytes JMP 00000000778d0400 .text C:\Windows\System32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077772a00 5 bytes JMP 00000000778d01f0 .text C:\Windows\System32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077772a10 5 bytes JMP 00000000778d0210 .text C:\Windows\System32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077772a80 5 bytes JMP 00000000778d0200 .text C:\Windows\System32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077772ae0 5 bytes JMP 00000000778d0420 .text C:\Windows\System32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077772af0 5 bytes JMP 00000000778d0430 .text C:\Windows\System32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077772b00 5 bytes JMP 00000000778d0220 .text C:\Windows\System32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077772be0 5 bytes JMP 00000000778d0280 .text C:\Windows\System32\svchost.exe[1036] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007755eecd 1 byte [62] .text C:\Windows\System32\svchost.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000777713c0 5 bytes JMP 00000000778d0460 .text C:\Windows\System32\svchost.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077771410 5 bytes JMP 00000000778d0450 .text C:\Windows\System32\svchost.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077771570 5 bytes 
JMP 00000000778d0370 .text C:\Windows\System32\svchost.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000777715c0 5 bytes JMP 00000000778d0470 .text C:\Windows\System32\svchost.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000777715d0 5 bytes JMP 00000000778d03e0 .text C:\Windows\System32\svchost.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077771680 5 bytes JMP 00000000778d0320 .text C:\Windows\System32\svchost.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000777716b0 5 bytes JMP 00000000778d03b0 .text C:\Windows\System32\svchost.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000777716d0 5 bytes JMP 00000000778d0390 .text C:\Windows\System32\svchost.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077771710 5 bytes JMP 00000000778d02e0 .text C:\Windows\System32\svchost.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077771790 5 bytes JMP 00000000778d02d0 .text C:\Windows\System32\svchost.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000777717b0 5 bytes JMP 00000000778d0310 .text C:\Windows\System32\svchost.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000777717f0 5 bytes JMP 00000000778d03c0 .text C:\Windows\System32\svchost.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077771840 5 bytes JMP 00000000778d03f0 .text C:\Windows\System32\svchost.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000777719a0 1 byte JMP 00000000778d0230 .text C:\Windows\System32\svchost.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000777719a2 3 bytes {JMP 0x15e890} .text C:\Windows\System32\svchost.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077771b60 5 bytes JMP 00000000778d0480 .text C:\Windows\System32\svchost.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077771b90 5 bytes JMP 00000000778d03a0 .text C:\Windows\System32\svchost.exe[1072] 
C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077771c70 5 bytes JMP 00000000778d02f0 .text C:\Windows\System32\svchost.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077771c80 5 bytes JMP 00000000778d0350 .text C:\Windows\System32\svchost.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077771ce0 5 bytes JMP 00000000778d0290 .text C:\Windows\System32\svchost.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077771d70 5 bytes JMP 00000000778d02b0 .text C:\Windows\System32\svchost.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077771d90 5 bytes JMP 00000000778d03d0 .text C:\Windows\System32\svchost.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077771da0 1 byte JMP 00000000778d0330 .text C:\Windows\System32\svchost.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077771da2 3 bytes {JMP 0x15e590} .text C:\Windows\System32\svchost.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077771e10 5 bytes JMP 00000000778d0410 .text C:\Windows\System32\svchost.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077771e40 5 bytes JMP 00000000778d0240 .text C:\Windows\System32\svchost.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077772100 5 bytes JMP 00000000778d01e0 .text C:\Windows\System32\svchost.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000777721c0 1 byte JMP 00000000778d0250 .text C:\Windows\System32\svchost.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000777721c2 3 bytes {JMP 0x15e090} .text C:\Windows\System32\svchost.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000777721f0 5 bytes JMP 00000000778d0490 .text C:\Windows\System32\svchost.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077772200 5 bytes JMP 00000000778d04a0 .text C:\Windows\System32\svchost.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077772230 5 bytes JMP 
00000000778d0300 .text C:\Windows\System32\svchost.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077772240 5 bytes JMP 00000000778d0360 .text C:\Windows\System32\svchost.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000777722a0 5 bytes JMP 00000000778d02a0 .text C:\Windows\System32\svchost.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000777722f0 5 bytes JMP 00000000778d02c0 .text C:\Windows\System32\svchost.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077772320 5 bytes JMP 00000000778d0380 .text C:\Windows\System32\svchost.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077772330 5 bytes JMP 00000000778d0340 .text C:\Windows\System32\svchost.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077772620 5 bytes JMP 00000000778d0440 .text C:\Windows\System32\svchost.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077772820 5 bytes JMP 00000000778d0260 .text C:\Windows\System32\svchost.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077772830 5 bytes JMP 00000000778d0270 .text C:\Windows\System32\svchost.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077772840 5 bytes JMP 00000000778d0400 .text C:\Windows\System32\svchost.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077772a00 5 bytes JMP 00000000778d01f0 .text C:\Windows\System32\svchost.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077772a10 5 bytes JMP 00000000778d0210 .text C:\Windows\System32\svchost.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077772a80 5 bytes JMP 00000000778d0200 .text C:\Windows\System32\svchost.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077772ae0 5 bytes JMP 00000000778d0420 .text C:\Windows\System32\svchost.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077772af0 5 bytes JMP 00000000778d0430 .text C:\Windows\System32\svchost.exe[1072] 
C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077772b00 5 bytes JMP 00000000778d0220 .text C:\Windows\System32\svchost.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077772be0 5 bytes JMP 00000000778d0280 .text C:\Windows\System32\svchost.exe[1072] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007755eecd 1 byte [62] .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000777713c0 5 bytes JMP 00000000778d0460 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077771410 5 bytes JMP 00000000778d0450 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077771570 5 bytes JMP 00000000778d0370 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000777715c0 5 bytes JMP 00000000778d0470 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000777715d0 5 bytes JMP 00000000778d03e0 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077771680 5 bytes JMP 00000000778d0320 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000777716b0 5 bytes JMP 00000000778d03b0 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000777716d0 5 bytes JMP 00000000778d0390 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077771710 5 bytes JMP 00000000778d02e0 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077771790 5 bytes JMP 00000000778d02d0 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000777717b0 5 bytes JMP 00000000778d0310 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000777717f0 5 bytes JMP 
00000000778d03c0 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077771840 5 bytes JMP 00000000778d03f0 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000777719a0 1 byte JMP 00000000778d0230 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000777719a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077771b60 5 bytes JMP 00000000778d0480 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077771b90 5 bytes JMP 00000000778d03a0 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077771c70 5 bytes JMP 00000000778d02f0 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077771c80 5 bytes JMP 00000000778d0350 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077771ce0 5 bytes JMP 00000000778d0290 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077771d70 5 bytes JMP 00000000778d02b0 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077771d90 5 bytes JMP 00000000778d03d0 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077771da0 1 byte JMP 00000000778d0330 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077771da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077771e10 5 bytes JMP 00000000778d0410 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077771e40 5 bytes JMP 00000000778d0240 .text C:\Windows\system32\svchost.exe[1116] 
C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077772100 5 bytes JMP 00000000778d01e0 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000777721c0 1 byte JMP 00000000778d0250 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000777721c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000777721f0 5 bytes JMP 00000000778d0490 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077772200 5 bytes JMP 00000000778d04a0 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077772230 5 bytes JMP 00000000778d0300 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077772240 5 bytes JMP 00000000778d0360 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000777722a0 5 bytes JMP 00000000778d02a0 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000777722f0 5 bytes JMP 00000000778d02c0 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077772320 5 bytes JMP 00000000778d0380 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077772330 5 bytes JMP 00000000778d0340 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077772620 5 bytes JMP 00000000778d0440 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077772820 5 bytes JMP 00000000778d0260 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077772830 5 bytes JMP 00000000778d0270 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077772840 5 bytes JMP 
00000000778d0400 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077772a00 5 bytes JMP 00000000778d01f0 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077772a10 5 bytes JMP 00000000778d0210 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077772a80 5 bytes JMP 00000000778d0200 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077772ae0 5 bytes JMP 00000000778d0420 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077772af0 5 bytes JMP 00000000778d0430 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077772b00 5 bytes JMP 00000000778d0220 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077772be0 5 bytes JMP 00000000778d0280 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007755eecd 1 byte [62] .text C:\Windows\system32\svchost.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000777713c0 5 bytes JMP 00000000778d0460 .text C:\Windows\system32\svchost.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077771410 5 bytes JMP 00000000778d0450 .text C:\Windows\system32\svchost.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077771570 5 bytes JMP 00000000778d0370 .text C:\Windows\system32\svchost.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000777715c0 5 bytes JMP 00000000778d0470 .text C:\Windows\system32\svchost.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000777715d0 5 bytes JMP 00000000778d03e0 .text C:\Windows\system32\svchost.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077771680 5 bytes JMP 00000000778d0320 .text C:\Windows\system32\svchost.exe[1148] 
C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000777716b0 5 bytes JMP 00000000778d03b0 .text C:\Windows\system32\svchost.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000777716d0 5 bytes JMP 00000000778d0390 .text C:\Windows\system32\svchost.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077771710 5 bytes JMP 00000000778d02e0 .text C:\Windows\system32\svchost.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077771790 5 bytes JMP 00000000778d02d0 .text C:\Windows\system32\svchost.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000777717b0 5 bytes JMP 00000000778d0310 .text C:\Windows\system32\svchost.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000777717f0 5 bytes JMP 00000000778d03c0 .text C:\Windows\system32\svchost.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077771840 5 bytes JMP 00000000778d03f0 .text C:\Windows\system32\svchost.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000777719a0 1 byte JMP 00000000778d0230 .text C:\Windows\system32\svchost.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000777719a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\svchost.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077771b60 5 bytes JMP 00000000778d0480 .text C:\Windows\system32\svchost.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077771b90 5 bytes JMP 00000000778d03a0 .text C:\Windows\system32\svchost.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077771c70 5 bytes JMP 00000000778d02f0 .text C:\Windows\system32\svchost.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077771c80 5 bytes JMP 00000000778d0350 .text C:\Windows\system32\svchost.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077771ce0 5 bytes JMP 00000000778d0290 .text C:\Windows\system32\svchost.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077771d70 5 
bytes JMP 00000000778d02b0 .text C:\Windows\system32\svchost.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077771d90 5 bytes JMP 00000000778d03d0 .text C:\Windows\system32\svchost.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077771da0 1 byte JMP 00000000778d0330 .text C:\Windows\system32\svchost.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077771da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\svchost.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077771e10 5 bytes JMP 00000000778d0410 .text C:\Windows\system32\svchost.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077771e40 5 bytes JMP 00000000778d0240 .text C:\Windows\system32\svchost.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077772100 5 bytes JMP 00000000778d01e0 .text C:\Windows\system32\svchost.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000777721c0 1 byte JMP 00000000778d0250 .text C:\Windows\system32\svchost.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000777721c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\svchost.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000777721f0 5 bytes JMP 00000000778d0490 .text C:\Windows\system32\svchost.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077772200 5 bytes JMP 00000000778d04a0 .text C:\Windows\system32\svchost.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077772230 5 bytes JMP 00000000778d0300 .text C:\Windows\system32\svchost.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077772240 5 bytes JMP 00000000778d0360 .text C:\Windows\system32\svchost.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000777722a0 5 bytes JMP 00000000778d02a0 .text C:\Windows\system32\svchost.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000777722f0 5 bytes JMP 00000000778d02c0 .text C:\Windows\system32\svchost.exe[1148] 
C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077772320 5 bytes JMP 00000000778d0380 .text C:\Windows\system32\svchost.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077772330 5 bytes JMP 00000000778d0340 .text C:\Windows\system32\svchost.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077772620 5 bytes JMP 00000000778d0440 .text C:\Windows\system32\svchost.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077772820 5 bytes JMP 00000000778d0260 .text C:\Windows\system32\svchost.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077772830 5 bytes JMP 00000000778d0270 .text C:\Windows\system32\svchost.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077772840 5 bytes JMP 00000000778d0400 .text C:\Windows\system32\svchost.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077772a00 5 bytes JMP 00000000778d01f0 .text C:\Windows\system32\svchost.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077772a10 5 bytes JMP 00000000778d0210 .text C:\Windows\system32\svchost.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077772a80 5 bytes JMP 00000000778d0200 .text C:\Windows\system32\svchost.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077772ae0 5 bytes JMP 00000000778d0420 .text C:\Windows\system32\svchost.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077772af0 5 bytes JMP 00000000778d0430 .text C:\Windows\system32\svchost.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077772b00 5 bytes JMP 00000000778d0220 .text C:\Windows\system32\svchost.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077772be0 5 bytes JMP 00000000778d0280 .text C:\Windows\system32\svchost.exe[1148] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007755eecd 1 byte [62] .text C:\Windows\system32\svchost.exe[1344] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000777713c0 5 bytes JMP 
0000000100070460 .text C:\Windows\system32\svchost.exe[1344] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077771410 5 bytes JMP 0000000100070450 .text C:\Windows\system32\svchost.exe[1344] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077771570 5 bytes JMP 0000000100070370 .text C:\Windows\system32\svchost.exe[1344] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000777715c0 5 bytes JMP 0000000100070470 .text C:\Windows\system32\svchost.exe[1344] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000777715d0 5 bytes JMP 00000001000703e0 .text C:\Windows\system32\svchost.exe[1344] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077771680 5 bytes JMP 0000000100070320 .text C:\Windows\system32\svchost.exe[1344] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000777716b0 5 bytes JMP 00000001000703b0 .text C:\Windows\system32\svchost.exe[1344] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000777716d0 5 bytes JMP 0000000100070390 .text C:\Windows\system32\svchost.exe[1344] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077771710 5 bytes JMP 00000001000702e0 .text C:\Windows\system32\svchost.exe[1344] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077771790 5 bytes JMP 00000001000702d0 .text C:\Windows\system32\svchost.exe[1344] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000777717b0 5 bytes JMP 0000000100070310 .text C:\Windows\system32\svchost.exe[1344] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000777717f0 5 bytes JMP 00000001000703c0 .text C:\Windows\system32\svchost.exe[1344] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077771840 5 bytes JMP 00000001000703f0 .text C:\Windows\system32\svchost.exe[1344] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000777719a0 1 byte JMP 0000000100070230 .text C:\Windows\system32\svchost.exe[1344] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000777719a2 3 bytes {JMP 0xffffffff888fe890} .text C:\Windows\system32\svchost.exe[1344] 
C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077771b60 5 bytes JMP 0000000100070480 .text C:\Windows\system32\svchost.exe[1344] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077771b90 5 bytes JMP 00000001000703a0 .text C:\Windows\system32\svchost.exe[1344] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077771c70 5 bytes JMP 00000001000702f0 .text C:\Windows\system32\svchost.exe[1344] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077771c80 5 bytes JMP 0000000100070350 .text C:\Windows\system32\svchost.exe[1344] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077771ce0 5 bytes JMP 0000000100070290 .text C:\Windows\system32\svchost.exe[1344] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077771d70 5 bytes JMP 00000001000702b0 .text C:\Windows\system32\svchost.exe[1344] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077771d90 5 bytes JMP 00000001000703d0 .text C:\Windows\system32\svchost.exe[1344] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077771da0 1 byte JMP 0000000100070330 .text C:\Windows\system32\svchost.exe[1344] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077771da2 3 bytes {JMP 0xffffffff888fe590} .text C:\Windows\system32\svchost.exe[1344] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077771e10 5 bytes JMP 0000000100070410 .text C:\Windows\system32\svchost.exe[1344] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077771e40 5 bytes JMP 0000000100070240 .text C:\Windows\system32\svchost.exe[1344] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077772100 5 bytes JMP 00000001000701e0 .text C:\Windows\system32\svchost.exe[1344] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000777721c0 1 byte JMP 0000000100070250 .text C:\Windows\system32\svchost.exe[1344] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000777721c2 3 bytes {JMP 0xffffffff888fe090} .text C:\Windows\system32\svchost.exe[1344] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 
00000000777721f0 5 bytes JMP 0000000100070490 .text C:\Windows\system32\svchost.exe[1344] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077772200 5 bytes JMP 00000001000704a0 .text C:\Windows\system32\svchost.exe[1344] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077772230 5 bytes JMP 0000000100070300 .text C:\Windows\system32\svchost.exe[1344] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077772240 5 bytes JMP 0000000100070360 .text C:\Windows\system32\svchost.exe[1344] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000777722a0 5 bytes JMP 00000001000702a0 .text C:\Windows\system32\svchost.exe[1344] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000777722f0 5 bytes JMP 00000001000702c0 .text C:\Windows\system32\svchost.exe[1344] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077772320 5 bytes JMP 0000000100070380 .text C:\Windows\system32\svchost.exe[1344] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077772330 5 bytes JMP 0000000100070340 .text C:\Windows\system32\svchost.exe[1344] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077772620 5 bytes JMP 0000000100070440 .text C:\Windows\system32\svchost.exe[1344] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077772820 5 bytes JMP 0000000100070260 .text C:\Windows\system32\svchost.exe[1344] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077772830 5 bytes JMP 0000000100070270 .text C:\Windows\system32\svchost.exe[1344] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077772840 5 bytes JMP 0000000100070400 .text C:\Windows\system32\svchost.exe[1344] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077772a00 5 bytes JMP 00000001000701f0 .text C:\Windows\system32\svchost.exe[1344] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077772a10 5 bytes JMP 0000000100070210 .text C:\Windows\system32\svchost.exe[1344] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077772a80 5 bytes JMP 0000000100070200 .text 
C:\Windows\system32\svchost.exe[1344] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077772ae0 5 bytes JMP 0000000100070420 .text C:\Windows\system32\svchost.exe[1344] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077772af0 5 bytes JMP 0000000100070430 .text C:\Windows\system32\svchost.exe[1344] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077772b00 5 bytes JMP 0000000100070220 .text C:\Windows\system32\svchost.exe[1344] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077772be0 5 bytes JMP 0000000100070280 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1444] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000777713c0 5 bytes JMP 00000000778d0460 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1444] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077771410 5 bytes JMP 00000000778d0450 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1444] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077771570 5 bytes JMP 00000000778d0370 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1444] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000777715c0 5 bytes JMP 00000000778d0470 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1444] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000777715d0 5 bytes JMP 00000000778d03e0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1444] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077771680 5 bytes JMP 00000000778d0320 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1444] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000777716b0 5 bytes JMP 00000000778d03b0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1444] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000777716d0 5 bytes JMP 00000000778d0390 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1444] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077771710 5 bytes JMP 
00000000778d02e0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1444] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077771790 5 bytes JMP 00000000778d02d0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1444] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000777717b0 5 bytes JMP 00000000778d0310 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1444] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000777717f0 5 bytes JMP 00000000778d03c0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1444] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077771840 5 bytes JMP 00000000778d03f0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1444] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000777719a0 1 byte JMP 00000000778d0230 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1444] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000777719a2 3 bytes {JMP 0x15e890} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1444] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077771b60 5 bytes JMP 00000000778d0480 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1444] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077771b90 5 bytes JMP 00000000778d03a0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1444] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077771c70 5 bytes JMP 00000000778d02f0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1444] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077771c80 5 bytes JMP 00000000778d0350 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1444] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077771ce0 5 bytes JMP 00000000778d0290 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1444] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077771d70 5 bytes JMP 00000000778d02b0 .text C:\Program 
Files\NVIDIA Corporation\Display\nvxdsync.exe[1444] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077771d90 5 bytes JMP 00000000778d03d0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1444] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077771da0 1 byte JMP 00000000778d0330 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1444] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077771da2 3 bytes {JMP 0x15e590} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1444] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077771e10 5 bytes JMP 00000000778d0410 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1444] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077771e40 5 bytes JMP 00000000778d0240 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1444] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077772100 5 bytes JMP 00000000778d01e0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1444] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000777721c0 1 byte JMP 00000000778d0250 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1444] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000777721c2 3 bytes {JMP 0x15e090} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1444] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000777721f0 5 bytes JMP 00000000778d0490 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1444] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077772200 5 bytes JMP 00000000778d04a0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1444] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077772230 5 bytes JMP 00000000778d0300 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1444] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077772240 5 bytes JMP 00000000778d0360 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1444] 
C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000777722a0 5 bytes JMP 00000000778d02a0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1444] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000777722f0 5 bytes JMP 00000000778d02c0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1444] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077772320 5 bytes JMP 00000000778d0380 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1444] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077772330 5 bytes JMP 00000000778d0340 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1444] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077772620 5 bytes JMP 00000000778d0440 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1444] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077772820 5 bytes JMP 00000000778d0260 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1444] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077772830 5 bytes JMP 00000000778d0270 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1444] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077772840 5 bytes JMP 00000000778d0400 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1444] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077772a00 5 bytes JMP 00000000778d01f0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1444] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077772a10 5 bytes JMP 00000000778d0210 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1444] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077772a80 5 bytes JMP 00000000778d0200 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1444] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077772ae0 5 bytes JMP 00000000778d0420 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1444] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 
0000000077772af0 5 bytes JMP 00000000778d0430 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1444] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077772b00 5 bytes JMP 00000000778d0220 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1444] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077772be0 5 bytes JMP 00000000778d0280 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1444] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007755eecd 1 byte [62] .text C:\Windows\system32\nvvsvc.exe[1452] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000777713c0 5 bytes JMP 00000000778d0460 .text C:\Windows\system32\nvvsvc.exe[1452] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077771410 5 bytes JMP 00000000778d0450 .text C:\Windows\system32\nvvsvc.exe[1452] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077771570 5 bytes JMP 00000000778d0370 .text C:\Windows\system32\nvvsvc.exe[1452] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000777715c0 5 bytes JMP 00000000778d0470 .text C:\Windows\system32\nvvsvc.exe[1452] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000777715d0 5 bytes JMP 00000000778d03e0 .text C:\Windows\system32\nvvsvc.exe[1452] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077771680 5 bytes JMP 00000000778d0320 .text C:\Windows\system32\nvvsvc.exe[1452] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000777716b0 5 bytes JMP 00000000778d03b0 .text C:\Windows\system32\nvvsvc.exe[1452] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000777716d0 5 bytes JMP 00000000778d0390 .text C:\Windows\system32\nvvsvc.exe[1452] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077771710 5 bytes JMP 00000000778d02e0 .text C:\Windows\system32\nvvsvc.exe[1452] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077771790 5 bytes JMP 00000000778d02d0 .text C:\Windows\system32\nvvsvc.exe[1452] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000777717b0 5 bytes 
JMP 00000000778d0310 .text C:\Windows\system32\nvvsvc.exe[1452] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000777717f0 5 bytes JMP 00000000778d03c0 .text C:\Windows\system32\nvvsvc.exe[1452] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077771840 5 bytes JMP 00000000778d03f0 .text C:\Windows\system32\nvvsvc.exe[1452] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000777719a0 1 byte JMP 00000000778d0230 .text C:\Windows\system32\nvvsvc.exe[1452] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000777719a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\nvvsvc.exe[1452] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077771b60 5 bytes JMP 00000000778d0480 .text C:\Windows\system32\nvvsvc.exe[1452] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077771b90 5 bytes JMP 00000000778d03a0 .text C:\Windows\system32\nvvsvc.exe[1452] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077771c70 5 bytes JMP 00000000778d02f0 .text C:\Windows\system32\nvvsvc.exe[1452] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077771c80 5 bytes JMP 00000000778d0350 .text C:\Windows\system32\nvvsvc.exe[1452] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077771ce0 5 bytes JMP 00000000778d0290 .text C:\Windows\system32\nvvsvc.exe[1452] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077771d70 5 bytes JMP 00000000778d02b0 .text C:\Windows\system32\nvvsvc.exe[1452] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077771d90 5 bytes JMP 00000000778d03d0 .text C:\Windows\system32\nvvsvc.exe[1452] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077771da0 1 byte JMP 00000000778d0330 .text C:\Windows\system32\nvvsvc.exe[1452] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077771da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\nvvsvc.exe[1452] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077771e10 5 bytes JMP 00000000778d0410 .text C:\Windows\system32\nvvsvc.exe[1452] 
C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077771e40 5 bytes JMP 00000000778d0240 .text C:\Windows\system32\nvvsvc.exe[1452] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077772100 5 bytes JMP 00000000778d01e0 .text C:\Windows\system32\nvvsvc.exe[1452] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000777721c0 1 byte JMP 00000000778d0250 .text C:\Windows\system32\nvvsvc.exe[1452] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000777721c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\nvvsvc.exe[1452] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000777721f0 5 bytes JMP 00000000778d0490 .text C:\Windows\system32\nvvsvc.exe[1452] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077772200 5 bytes JMP 00000000778d04a0 .text C:\Windows\system32\nvvsvc.exe[1452] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077772230 5 bytes JMP 00000000778d0300 .text C:\Windows\system32\nvvsvc.exe[1452] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077772240 5 bytes JMP 00000000778d0360 .text C:\Windows\system32\nvvsvc.exe[1452] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000777722a0 5 bytes JMP 00000000778d02a0 .text C:\Windows\system32\nvvsvc.exe[1452] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000777722f0 5 bytes JMP 00000000778d02c0 .text C:\Windows\system32\nvvsvc.exe[1452] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077772320 5 bytes JMP 00000000778d0380 .text C:\Windows\system32\nvvsvc.exe[1452] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077772330 5 bytes JMP 00000000778d0340 .text C:\Windows\system32\nvvsvc.exe[1452] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077772620 5 bytes JMP 00000000778d0440 .text C:\Windows\system32\nvvsvc.exe[1452] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077772820 5 bytes JMP 00000000778d0260 .text C:\Windows\system32\nvvsvc.exe[1452] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077772830 5 bytes JMP 00000000778d0270 
.text C:\Windows\system32\nvvsvc.exe[1452] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077772840 5 bytes JMP 00000000778d0400 .text C:\Windows\system32\nvvsvc.exe[1452] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077772a00 5 bytes JMP 00000000778d01f0 .text C:\Windows\system32\nvvsvc.exe[1452] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077772a10 5 bytes JMP 00000000778d0210 .text C:\Windows\system32\nvvsvc.exe[1452] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077772a80 5 bytes JMP 00000000778d0200 .text C:\Windows\system32\nvvsvc.exe[1452] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077772ae0 5 bytes JMP 00000000778d0420 .text C:\Windows\system32\nvvsvc.exe[1452] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077772af0 5 bytes JMP 00000000778d0430 .text C:\Windows\system32\nvvsvc.exe[1452] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077772b00 5 bytes JMP 00000000778d0220 .text C:\Windows\system32\nvvsvc.exe[1452] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077772be0 5 bytes JMP 00000000778d0280 .text C:\Windows\system32\nvvsvc.exe[1452] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007755eecd 1 byte [62] .text C:\Windows\system32\Dwm.exe[1620] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000777713c0 5 bytes JMP 00000000778d0460 .text C:\Windows\system32\Dwm.exe[1620] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077771410 5 bytes JMP 00000000778d0450 .text C:\Windows\system32\Dwm.exe[1620] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077771570 5 bytes JMP 00000000778d0370 .text C:\Windows\system32\Dwm.exe[1620] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000777715c0 5 bytes JMP 00000000778d0470 .text C:\Windows\system32\Dwm.exe[1620] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000777715d0 5 bytes JMP 00000000778d03e0 .text C:\Windows\system32\Dwm.exe[1620] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 
0000000077771680 5 bytes JMP 00000000778d0320 .text C:\Windows\system32\Dwm.exe[1620] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000777716b0 5 bytes JMP 00000000778d03b0 .text C:\Windows\system32\Dwm.exe[1620] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000777716d0 5 bytes JMP 00000000778d0390 .text C:\Windows\system32\Dwm.exe[1620] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077771710 5 bytes JMP 00000000778d02e0 .text C:\Windows\system32\Dwm.exe[1620] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077771790 5 bytes JMP 00000000778d02d0 .text C:\Windows\system32\Dwm.exe[1620] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000777717b0 5 bytes JMP 00000000778d0310 .text C:\Windows\system32\Dwm.exe[1620] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000777717f0 5 bytes JMP 00000000778d03c0 .text C:\Windows\system32\Dwm.exe[1620] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077771840 5 bytes JMP 00000000778d03f0 .text C:\Windows\system32\Dwm.exe[1620] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000777719a0 1 byte JMP 00000000778d0230 .text C:\Windows\system32\Dwm.exe[1620] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000777719a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\Dwm.exe[1620] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077771b60 5 bytes JMP 00000000778d0480 .text C:\Windows\system32\Dwm.exe[1620] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077771b90 5 bytes JMP 00000000778d03a0 .text C:\Windows\system32\Dwm.exe[1620] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077771c70 5 bytes JMP 00000000778d02f0 .text C:\Windows\system32\Dwm.exe[1620] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077771c80 5 bytes JMP 00000000778d0350 .text C:\Windows\system32\Dwm.exe[1620] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077771ce0 5 bytes JMP 00000000778d0290 .text C:\Windows\system32\Dwm.exe[1620] 
C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077771d70 5 bytes JMP 00000000778d02b0 .text C:\Windows\system32\Dwm.exe[1620] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077771d90 5 bytes JMP 00000000778d03d0 .text C:\Windows\system32\Dwm.exe[1620] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077771da0 1 byte JMP 00000000778d0330 .text C:\Windows\system32\Dwm.exe[1620] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077771da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\Dwm.exe[1620] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077771e10 5 bytes JMP 00000000778d0410 .text C:\Windows\system32\Dwm.exe[1620] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077771e40 5 bytes JMP 00000000778d0240 .text C:\Windows\system32\Dwm.exe[1620] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077772100 5 bytes JMP 00000000778d01e0 .text C:\Windows\system32\Dwm.exe[1620] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000777721c0 1 byte JMP 00000000778d0250 .text C:\Windows\system32\Dwm.exe[1620] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000777721c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\Dwm.exe[1620] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000777721f0 5 bytes JMP 00000000778d0490 .text C:\Windows\system32\Dwm.exe[1620] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077772200 5 bytes JMP 00000000778d04a0 .text C:\Windows\system32\Dwm.exe[1620] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077772230 5 bytes JMP 00000000778d0300 .text C:\Windows\system32\Dwm.exe[1620] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077772240 5 bytes JMP 00000000778d0360 .text C:\Windows\system32\Dwm.exe[1620] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000777722a0 5 bytes JMP 00000000778d02a0 .text C:\Windows\system32\Dwm.exe[1620] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000777722f0 5 bytes JMP 00000000778d02c0 .text C:\Windows\system32\Dwm.exe[1620] 
C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077772320 5 bytes JMP 00000000778d0380 .text C:\Windows\system32\Dwm.exe[1620] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077772330 5 bytes JMP 00000000778d0340 .text C:\Windows\system32\Dwm.exe[1620] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077772620 5 bytes JMP 00000000778d0440 .text C:\Windows\system32\Dwm.exe[1620] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077772820 5 bytes JMP 00000000778d0260 .text C:\Windows\system32\Dwm.exe[1620] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077772830 5 bytes JMP 00000000778d0270 .text C:\Windows\system32\Dwm.exe[1620] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077772840 5 bytes JMP 00000000778d0400 .text C:\Windows\system32\Dwm.exe[1620] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077772a00 5 bytes JMP 00000000778d01f0 .text C:\Windows\system32\Dwm.exe[1620] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077772a10 5 bytes JMP 00000000778d0210 .text C:\Windows\system32\Dwm.exe[1620] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077772a80 5 bytes JMP 00000000778d0200 .text C:\Windows\system32\Dwm.exe[1620] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077772ae0 5 bytes JMP 00000000778d0420 .text C:\Windows\system32\Dwm.exe[1620] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077772af0 5 bytes JMP 00000000778d0430 .text C:\Windows\system32\Dwm.exe[1620] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077772b00 5 bytes JMP 00000000778d0220 .text C:\Windows\system32\Dwm.exe[1620] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077772be0 5 bytes JMP 00000000778d0280 .text C:\Windows\Explorer.EXE[1628] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000777713c0 5 bytes JMP 00000000778d0460 .text C:\Windows\Explorer.EXE[1628] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077771410 5 bytes JMP 00000000778d0450 .text C:\Windows\Explorer.EXE[1628] 
C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077771570 5 bytes JMP 00000000778d0370 .text C:\Windows\Explorer.EXE[1628] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000777715c0 5 bytes JMP 00000000778d0470 .text C:\Windows\Explorer.EXE[1628] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000777715d0 5 bytes JMP 00000000778d03e0 .text C:\Windows\Explorer.EXE[1628] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077771680 5 bytes JMP 00000000778d0320 .text C:\Windows\Explorer.EXE[1628] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000777716b0 5 bytes JMP 00000000778d03b0 .text C:\Windows\Explorer.EXE[1628] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000777716d0 5 bytes JMP 00000000778d0390 .text C:\Windows\Explorer.EXE[1628] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077771710 5 bytes JMP 00000000778d02e0 .text C:\Windows\Explorer.EXE[1628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077771790 5 bytes JMP 00000000778d02d0 .text C:\Windows\Explorer.EXE[1628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000777717b0 5 bytes JMP 00000000778d0310 .text C:\Windows\Explorer.EXE[1628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000777717f0 5 bytes JMP 00000000778d03c0 .text C:\Windows\Explorer.EXE[1628] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077771840 5 bytes JMP 00000000778d03f0 .text C:\Windows\Explorer.EXE[1628] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000777719a0 1 byte JMP 00000000778d0230 .text C:\Windows\Explorer.EXE[1628] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000777719a2 3 bytes {JMP 0x15e890} .text C:\Windows\Explorer.EXE[1628] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077771b60 5 bytes JMP 00000000778d0480 .text C:\Windows\Explorer.EXE[1628] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077771b90 5 bytes JMP 00000000778d03a0 .text C:\Windows\Explorer.EXE[1628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 
0000000077771c70 5 bytes JMP 00000000778d02f0 .text C:\Windows\Explorer.EXE[1628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077771c80 5 bytes JMP 00000000778d0350 .text C:\Windows\Explorer.EXE[1628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077771ce0 5 bytes JMP 00000000778d0290 .text C:\Windows\Explorer.EXE[1628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077771d70 5 bytes JMP 00000000778d02b0 .text C:\Windows\Explorer.EXE[1628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077771d90 5 bytes JMP 00000000778d03d0 .text C:\Windows\Explorer.EXE[1628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077771da0 1 byte JMP 00000000778d0330 .text C:\Windows\Explorer.EXE[1628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077771da2 3 bytes {JMP 0x15e590} .text C:\Windows\Explorer.EXE[1628] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077771e10 5 bytes JMP 00000000778d0410 .text C:\Windows\Explorer.EXE[1628] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077771e40 5 bytes JMP 00000000778d0240 .text C:\Windows\Explorer.EXE[1628] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077772100 5 bytes JMP 00000000778d01e0 .text C:\Windows\Explorer.EXE[1628] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000777721c0 1 byte JMP 00000000778d0250 .text C:\Windows\Explorer.EXE[1628] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000777721c2 3 bytes {JMP 0x15e090} .text C:\Windows\Explorer.EXE[1628] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000777721f0 5 bytes JMP 00000000778d0490 .text C:\Windows\Explorer.EXE[1628] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077772200 5 bytes JMP 00000000778d04a0 .text C:\Windows\Explorer.EXE[1628] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077772230 5 bytes JMP 00000000778d0300 .text C:\Windows\Explorer.EXE[1628] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077772240 5 bytes JMP 00000000778d0360 .text 
C:\Windows\Explorer.EXE[1628] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000777722a0 5 bytes JMP 00000000778d02a0 .text C:\Windows\Explorer.EXE[1628] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000777722f0 5 bytes JMP 00000000778d02c0 .text C:\Windows\Explorer.EXE[1628] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077772320 5 bytes JMP 00000000778d0380 .text C:\Windows\Explorer.EXE[1628] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077772330 5 bytes JMP 00000000778d0340 .text C:\Windows\Explorer.EXE[1628] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077772620 5 bytes JMP 00000000778d0440 .text C:\Windows\Explorer.EXE[1628] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077772820 5 bytes JMP 00000000778d0260 .text C:\Windows\Explorer.EXE[1628] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077772830 5 bytes JMP 00000000778d0270 .text C:\Windows\Explorer.EXE[1628] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077772840 5 bytes JMP 00000000778d0400 .text C:\Windows\Explorer.EXE[1628] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077772a00 5 bytes JMP 00000000778d01f0 .text C:\Windows\Explorer.EXE[1628] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077772a10 5 bytes JMP 00000000778d0210 .text C:\Windows\Explorer.EXE[1628] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077772a80 5 bytes JMP 00000000778d0200 .text C:\Windows\Explorer.EXE[1628] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077772ae0 5 bytes JMP 00000000778d0420 .text C:\Windows\Explorer.EXE[1628] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077772af0 5 bytes JMP 00000000778d0430 .text C:\Windows\Explorer.EXE[1628] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077772b00 5 bytes JMP 00000000778d0220 .text C:\Windows\Explorer.EXE[1628] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077772be0 5 bytes JMP 00000000778d0280 .text C:\Windows\Explorer.EXE[1628] 
C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007755eecd 1 byte [62] .text C:\Program Files\AVAST Software\Avast\afwServ.exe[1720] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000075b1a30a 1 byte [62] .text C:\Windows\system32\taskhost.exe[1904] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000777713c0 5 bytes JMP 00000000778d0460 .text C:\Windows\system32\taskhost.exe[1904] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077771410 5 bytes JMP 00000000778d0450 .text C:\Windows\system32\taskhost.exe[1904] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077771570 5 bytes JMP 00000000778d0370 .text C:\Windows\system32\taskhost.exe[1904] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000777715c0 5 bytes JMP 00000000778d0470 .text C:\Windows\system32\taskhost.exe[1904] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000777715d0 5 bytes JMP 00000000778d03e0 .text C:\Windows\system32\taskhost.exe[1904] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077771680 5 bytes JMP 00000000778d0320 .text C:\Windows\system32\taskhost.exe[1904] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000777716b0 5 bytes JMP 00000000778d03b0 .text C:\Windows\system32\taskhost.exe[1904] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000777716d0 5 bytes JMP 00000000778d0390 .text C:\Windows\system32\taskhost.exe[1904] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077771710 5 bytes JMP 00000000778d02e0 .text C:\Windows\system32\taskhost.exe[1904] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077771790 5 bytes JMP 00000000778d02d0 .text C:\Windows\system32\taskhost.exe[1904] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000777717b0 5 bytes JMP 00000000778d0310 .text C:\Windows\system32\taskhost.exe[1904] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000777717f0 5 bytes JMP 00000000778d03c0 .text C:\Windows\system32\taskhost.exe[1904] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077771840 5 
bytes JMP 00000000778d03f0 .text C:\Windows\system32\taskhost.exe[1904] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000777719a0 1 byte JMP 00000000778d0230 .text C:\Windows\system32\taskhost.exe[1904] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000777719a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\taskhost.exe[1904] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077771b60 5 bytes JMP 00000000778d0480 .text C:\Windows\system32\taskhost.exe[1904] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077771b90 5 bytes JMP 00000000778d03a0 .text C:\Windows\system32\taskhost.exe[1904] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077771c70 5 bytes JMP 00000000778d02f0 .text C:\Windows\system32\taskhost.exe[1904] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077771c80 5 bytes JMP 00000000778d0350 .text C:\Windows\system32\taskhost.exe[1904] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077771ce0 5 bytes JMP 00000000778d0290 .text C:\Windows\system32\taskhost.exe[1904] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077771d70 5 bytes JMP 00000000778d02b0 .text C:\Windows\system32\taskhost.exe[1904] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077771d90 5 bytes JMP 00000000778d03d0 .text C:\Windows\system32\taskhost.exe[1904] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077771da0 1 byte JMP 00000000778d0330 .text C:\Windows\system32\taskhost.exe[1904] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077771da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\taskhost.exe[1904] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077771e10 5 bytes JMP 00000000778d0410 .text C:\Windows\system32\taskhost.exe[1904] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077771e40 5 bytes JMP 00000000778d0240 .text C:\Windows\system32\taskhost.exe[1904] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077772100 5 bytes JMP 00000000778d01e0 .text 
C:\Windows\system32\taskhost.exe[1904] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000777721c0 1 byte JMP 00000000778d0250 .text C:\Windows\system32\taskhost.exe[1904] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000777721c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\taskhost.exe[1904] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000777721f0 5 bytes JMP 00000000778d0490 .text C:\Windows\system32\taskhost.exe[1904] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077772200 5 bytes JMP 00000000778d04a0 .text C:\Windows\system32\taskhost.exe[1904] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077772230 5 bytes JMP 00000000778d0300 .text C:\Windows\system32\taskhost.exe[1904] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077772240 5 bytes JMP 00000000778d0360 .text C:\Windows\system32\taskhost.exe[1904] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000777722a0 5 bytes JMP 00000000778d02a0 .text C:\Windows\system32\taskhost.exe[1904] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000777722f0 5 bytes JMP 00000000778d02c0 .text C:\Windows\system32\taskhost.exe[1904] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077772320 5 bytes JMP 00000000778d0380 .text C:\Windows\system32\taskhost.exe[1904] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077772330 5 bytes JMP 00000000778d0340 .text C:\Windows\system32\taskhost.exe[1904] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077772620 5 bytes JMP 00000000778d0440 .text C:\Windows\system32\taskhost.exe[1904] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077772820 5 bytes JMP 00000000778d0260 .text C:\Windows\system32\taskhost.exe[1904] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077772830 5 bytes JMP 00000000778d0270 .text C:\Windows\system32\taskhost.exe[1904] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077772840 5 bytes JMP 00000000778d0400 .text C:\Windows\system32\taskhost.exe[1904] 
C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077772a00 5 bytes JMP 00000000778d01f0 .text C:\Windows\system32\taskhost.exe[1904] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077772a10 5 bytes JMP 00000000778d0210 .text C:\Windows\system32\taskhost.exe[1904] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077772a80 5 bytes JMP 00000000778d0200 .text C:\Windows\system32\taskhost.exe[1904] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077772ae0 5 bytes JMP 00000000778d0420 .text C:\Windows\system32\taskhost.exe[1904] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077772af0 5 bytes JMP 00000000778d0430 .text C:\Windows\system32\taskhost.exe[1904] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077772b00 5 bytes JMP 00000000778d0220 .text C:\Windows\system32\taskhost.exe[1904] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077772be0 5 bytes JMP 00000000778d0280 .text C:\Windows\System32\spoolsv.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000777713c0 5 bytes JMP 00000000778d0460 .text C:\Windows\System32\spoolsv.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077771410 5 bytes JMP 00000000778d0450 .text C:\Windows\System32\spoolsv.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077771570 5 bytes JMP 00000000778d0370 .text C:\Windows\System32\spoolsv.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000777715c0 5 bytes JMP 00000000778d0470 .text C:\Windows\System32\spoolsv.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000777715d0 5 bytes JMP 00000000778d03e0 .text C:\Windows\System32\spoolsv.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077771680 5 bytes JMP 00000000778d0320 .text C:\Windows\System32\spoolsv.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000777716b0 5 bytes JMP 00000000778d03b0 .text C:\Windows\System32\spoolsv.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 
00000000777716d0 5 bytes JMP 00000000778d0390 .text C:\Windows\System32\spoolsv.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077771710 5 bytes JMP 00000000778d02e0 .text C:\Windows\System32\spoolsv.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077771790 5 bytes JMP 00000000778d02d0 .text C:\Windows\System32\spoolsv.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000777717b0 5 bytes JMP 00000000778d0310 .text C:\Windows\System32\spoolsv.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000777717f0 5 bytes JMP 00000000778d03c0 .text C:\Windows\System32\spoolsv.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077771840 5 bytes JMP 00000000778d03f0 .text C:\Windows\System32\spoolsv.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000777719a0 1 byte JMP 00000000778d0230 .text C:\Windows\System32\spoolsv.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000777719a2 3 bytes {JMP 0x15e890} .text C:\Windows\System32\spoolsv.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077771b60 5 bytes JMP 00000000778d0480 .text C:\Windows\System32\spoolsv.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077771b90 5 bytes JMP 00000000778d03a0 .text C:\Windows\System32\spoolsv.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077771c70 5 bytes JMP 00000000778d02f0 .text C:\Windows\System32\spoolsv.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077771c80 5 bytes JMP 00000000778d0350 .text C:\Windows\System32\spoolsv.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077771ce0 5 bytes JMP 00000000778d0290 .text C:\Windows\System32\spoolsv.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077771d70 5 bytes JMP 00000000778d02b0 .text C:\Windows\System32\spoolsv.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077771d90 5 bytes JMP 00000000778d03d0 .text 
C:\Windows\System32\spoolsv.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077771da0 1 byte JMP 00000000778d0330 .text C:\Windows\System32\spoolsv.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077771da2 3 bytes {JMP 0x15e590} .text C:\Windows\System32\spoolsv.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077771e10 5 bytes JMP 00000000778d0410 .text C:\Windows\System32\spoolsv.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077771e40 5 bytes JMP 00000000778d0240 .text C:\Windows\System32\spoolsv.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077772100 5 bytes JMP 00000000778d01e0 .text C:\Windows\System32\spoolsv.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000777721c0 1 byte JMP 00000000778d0250 .text C:\Windows\System32\spoolsv.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000777721c2 3 bytes {JMP 0x15e090} .text C:\Windows\System32\spoolsv.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000777721f0 5 bytes JMP 00000000778d0490 .text C:\Windows\System32\spoolsv.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077772200 5 bytes JMP 00000000778d04a0 .text C:\Windows\System32\spoolsv.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077772230 5 bytes JMP 00000000778d0300 .text C:\Windows\System32\spoolsv.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077772240 5 bytes JMP 00000000778d0360 .text C:\Windows\System32\spoolsv.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000777722a0 5 bytes JMP 00000000778d02a0 .text C:\Windows\System32\spoolsv.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000777722f0 5 bytes JMP 00000000778d02c0 .text C:\Windows\System32\spoolsv.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077772320 5 bytes JMP 00000000778d0380 .text C:\Windows\System32\spoolsv.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 
0000000077772330 5 bytes JMP 00000000778d0340 .text C:\Windows\System32\spoolsv.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077772620 5 bytes JMP 00000000778d0440 .text C:\Windows\System32\spoolsv.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077772820 5 bytes JMP 00000000778d0260 .text C:\Windows\System32\spoolsv.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077772830 5 bytes JMP 00000000778d0270 .text C:\Windows\System32\spoolsv.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077772840 5 bytes JMP 00000000778d0400 .text C:\Windows\System32\spoolsv.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077772a00 5 bytes JMP 00000000778d01f0 .text C:\Windows\System32\spoolsv.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077772a10 5 bytes JMP 00000000778d0210 .text C:\Windows\System32\spoolsv.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077772a80 5 bytes JMP 00000000778d0200 .text C:\Windows\System32\spoolsv.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077772ae0 5 bytes JMP 00000000778d0420 .text C:\Windows\System32\spoolsv.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077772af0 5 bytes JMP 00000000778d0430 .text C:\Windows\System32\spoolsv.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077772b00 5 bytes JMP 00000000778d0220 .text C:\Windows\System32\spoolsv.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077772be0 5 bytes JMP 00000000778d0280 .text C:\Windows\System32\spoolsv.exe[1932] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007755eecd 1 byte [62] .text C:\Windows\system32\svchost.exe[1956] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000777713c0 5 bytes JMP 0000000100070460 .text C:\Windows\system32\svchost.exe[1956] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077771410 5 bytes JMP 0000000100070450 .text 
C:\Windows\system32\svchost.exe[1956] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077771570 5 bytes JMP 0000000100070370 .text C:\Windows\system32\svchost.exe[1956] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000777715c0 5 bytes JMP 0000000100070470 .text C:\Windows\system32\svchost.exe[1956] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000777715d0 5 bytes JMP 00000001000703e0 .text C:\Windows\system32\svchost.exe[1956] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077771680 5 bytes JMP 0000000100070320 .text C:\Windows\system32\svchost.exe[1956] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000777716b0 5 bytes JMP 00000001000703b0 .text C:\Windows\system32\svchost.exe[1956] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000777716d0 5 bytes JMP 0000000100070390 .text C:\Windows\system32\svchost.exe[1956] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077771710 5 bytes JMP 00000001000702e0 .text C:\Windows\system32\svchost.exe[1956] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077771790 5 bytes JMP 00000001000702d0 .text C:\Windows\system32\svchost.exe[1956] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000777717b0 5 bytes JMP 0000000100070310 .text C:\Windows\system32\svchost.exe[1956] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000777717f0 5 bytes JMP 00000001000703c0 .text C:\Windows\system32\svchost.exe[1956] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077771840 5 bytes JMP 00000001000703f0 .text C:\Windows\system32\svchost.exe[1956] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000777719a0 1 byte JMP 0000000100070230 .text C:\Windows\system32\svchost.exe[1956] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000777719a2 3 bytes {JMP 0xffffffff888fe890} .text C:\Windows\system32\svchost.exe[1956] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077771b60 5 bytes JMP 0000000100070480 .text C:\Windows\system32\svchost.exe[1956] 
C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077771b90 5 bytes JMP 00000001000703a0 .text C:\Windows\system32\svchost.exe[1956] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077771c70 5 bytes JMP 00000001000702f0 .text C:\Windows\system32\svchost.exe[1956] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077771c80 5 bytes JMP 0000000100070350 .text C:\Windows\system32\svchost.exe[1956] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077771ce0 5 bytes JMP 0000000100070290 .text C:\Windows\system32\svchost.exe[1956] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077771d70 5 bytes JMP 00000001000702b0 .text C:\Windows\system32\svchost.exe[1956] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077771d90 5 bytes JMP 00000001000703d0 .text C:\Windows\system32\svchost.exe[1956] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077771da0 1 byte JMP 0000000100070330 .text C:\Windows\system32\svchost.exe[1956] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077771da2 3 bytes {JMP 0xffffffff888fe590} .text C:\Windows\system32\svchost.exe[1956] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077771e10 5 bytes JMP 0000000100070410 .text C:\Windows\system32\svchost.exe[1956] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077771e40 5 bytes JMP 0000000100070240 .text C:\Windows\system32\svchost.exe[1956] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077772100 5 bytes JMP 00000001000701e0 .text C:\Windows\system32\svchost.exe[1956] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000777721c0 1 byte JMP 0000000100070250 .text C:\Windows\system32\svchost.exe[1956] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000777721c2 3 bytes {JMP 0xffffffff888fe090} .text C:\Windows\system32\svchost.exe[1956] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000777721f0 5 bytes JMP 0000000100070490 .text C:\Windows\system32\svchost.exe[1956] 
C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077772200 5 bytes JMP 00000001000704a0 .text C:\Windows\system32\svchost.exe[1956] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077772230 5 bytes JMP 0000000100070300 .text C:\Windows\system32\svchost.exe[1956] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077772240 5 bytes JMP 0000000100070360 .text C:\Windows\system32\svchost.exe[1956] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000777722a0 5 bytes JMP 00000001000702a0 .text C:\Windows\system32\svchost.exe[1956] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000777722f0 5 bytes JMP 00000001000702c0 .text C:\Windows\system32\svchost.exe[1956] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077772320 5 bytes JMP 0000000100070380 .text C:\Windows\system32\svchost.exe[1956] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077772330 5 bytes JMP 0000000100070340 .text C:\Windows\system32\svchost.exe[1956] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077772620 5 bytes JMP 0000000100070440 .text C:\Windows\system32\svchost.exe[1956] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077772820 5 bytes JMP 0000000100070260 .text C:\Windows\system32\svchost.exe[1956] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077772830 5 bytes JMP 0000000100070270 .text C:\Windows\system32\svchost.exe[1956] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077772840 5 bytes JMP 0000000100070400 .text C:\Windows\system32\svchost.exe[1956] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077772a00 5 bytes JMP 00000001000701f0 .text C:\Windows\system32\svchost.exe[1956] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077772a10 5 bytes JMP 0000000100070210 .text C:\Windows\system32\svchost.exe[1956] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077772a80 5 bytes JMP 0000000100070200 .text C:\Windows\system32\svchost.exe[1956] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077772ae0 5 
bytes JMP 0000000100070420 .text C:\Windows\system32\svchost.exe[1956] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077772af0 5 bytes JMP 0000000100070430 .text C:\Windows\system32\svchost.exe[1956] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077772b00 5 bytes JMP 0000000100070220 .text C:\Windows\system32\svchost.exe[1956] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077772be0 5 bytes JMP 0000000100070280 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1556] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000075b1a30a 1 byte [62] .text C:\Program Files (x86)\Ashampoo\Ashampoo HDD Control 2\AHDDC2_Service.exe[2072] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000075b1a30a 1 byte [62] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2124] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000777713c0 5 bytes JMP 00000000778d0460 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2124] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077771410 5 bytes JMP 00000000778d0450 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2124] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077771570 5 bytes JMP 00000000778d0370 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2124] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000777715c0 5 bytes JMP 00000000778d0470 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2124] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000777715d0 5 bytes JMP 00000000778d03e0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2124] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077771680 5 bytes JMP 00000000778d0320 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2124] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000777716b0 5 bytes JMP 00000000778d03b0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2124] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000777716d0 5 bytes JMP 00000000778d0390 
.text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2124] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077771710 5 bytes JMP 00000000778d02e0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2124] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077771790 5 bytes JMP 00000000778d02d0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2124] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000777717b0 5 bytes JMP 00000000778d0310 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2124] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000777717f0 5 bytes JMP 00000000778d03c0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2124] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077771840 5 bytes JMP 00000000778d03f0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2124] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000777719a0 1 byte JMP 00000000778d0230 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2124] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000777719a2 3 bytes {JMP 0x15e890} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2124] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077771b60 5 bytes JMP 00000000778d0480 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2124] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077771b90 5 bytes JMP 00000000778d03a0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2124] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077771c70 5 bytes JMP 00000000778d02f0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2124] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077771c80 5 bytes JMP 00000000778d0350 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2124] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077771ce0 5 bytes JMP 00000000778d0290 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2124] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077771d70 5 bytes JMP 00000000778d02b0 
.text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2124] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077771d90 5 bytes JMP 00000000778d03d0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2124] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077771da0 1 byte JMP 00000000778d0330 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2124] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077771da2 3 bytes {JMP 0x15e590} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2124] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077771e10 5 bytes JMP 00000000778d0410 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2124] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077771e40 5 bytes JMP 00000000778d0240 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2124] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077772100 5 bytes JMP 00000000778d01e0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2124] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000777721c0 1 byte JMP 00000000778d0250 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2124] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000777721c2 3 bytes {JMP 0x15e090} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2124] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000777721f0 5 bytes JMP 00000000778d0490 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2124] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077772200 5 bytes JMP 00000000778d04a0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2124] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077772230 5 bytes JMP 00000000778d0300 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2124] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077772240 5 bytes JMP 00000000778d0360 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2124] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000777722a0 5 bytes JMP 00000000778d02a0 .text 
C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2124] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000777722f0 5 bytes JMP 00000000778d02c0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2124] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077772320 5 bytes JMP 00000000778d0380 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2124] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077772330 5 bytes JMP 00000000778d0340 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2124] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077772620 5 bytes JMP 00000000778d0440 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2124] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077772820 5 bytes JMP 00000000778d0260 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2124] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077772830 5 bytes JMP 00000000778d0270 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2124] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077772840 5 bytes JMP 00000000778d0400 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2124] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077772a00 5 bytes JMP 00000000778d01f0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2124] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077772a10 5 bytes JMP 00000000778d0210 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2124] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077772a80 5 bytes JMP 00000000778d0200 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2124] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077772ae0 5 bytes JMP 00000000778d0420 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2124] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077772af0 5 bytes JMP 00000000778d0430 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2124] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077772b00 5 bytes JMP 00000000778d0220 .text 
C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2124] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077772be0 5 bytes JMP 00000000778d0280 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2124] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007755eecd 1 byte [62] .text C:\Windows\SysWOW64\ASGT.exe[2256] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000075b1a30a 1 byte [62] .text C:\Program Files (x86)\Common Files\Protexis\License Service\PsiService_2.exe[2296] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000075b1a30a 1 byte [62] .text C:\Windows\system32\svchost.exe[2320] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007755eecd 1 byte [62] .text C:\Program Files (x86)\TuneUp Utilities 2013\TuneUpUtilitiesService64.exe[2508] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077743ae0 5 bytes JMP 000000010030075c .text C:\Program Files (x86)\TuneUp Utilities 2013\TuneUpUtilitiesService64.exe[2508] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077747a90 5 bytes JMP 00000001003003a4 .text C:\Program Files (x86)\TuneUp Utilities 2013\TuneUpUtilitiesService64.exe[2508] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000777713c0 5 bytes JMP 00000000778d0460 .text C:\Program Files (x86)\TuneUp Utilities 2013\TuneUpUtilitiesService64.exe[2508] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077771410 5 bytes JMP 00000000778d0450 .text C:\Program Files (x86)\TuneUp Utilities 2013\TuneUpUtilitiesService64.exe[2508] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077771490 3 bytes JMP 0000000100300b14 .text C:\Program Files (x86)\TuneUp Utilities 2013\TuneUpUtilitiesService64.exe[2508] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory + 4 0000000077771494 1 byte [88] .text C:\Program Files (x86)\TuneUp Utilities 2013\TuneUpUtilitiesService64.exe[2508] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 00000000777714f0 3 bytes JMP 0000000100300ecc .text C:\Program Files (x86)\TuneUp 
Utilities 2013\TuneUpUtilitiesService64.exe[2508] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory + 4 00000000777714f4 1 byte [88] .text C:\Program Files (x86)\TuneUp Utilities 2013\TuneUpUtilitiesService64.exe[2508] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077771570 5 bytes JMP 00000000778d0370 .text C:\Program Files (x86)\TuneUp Utilities 2013\TuneUpUtilitiesService64.exe[2508] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000777715c0 5 bytes JMP 00000000778d0470 .text C:\Program Files (x86)\TuneUp Utilities 2013\TuneUpUtilitiesService64.exe[2508] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000777715d0 5 bytes JMP 000000010030163c .text C:\Program Files (x86)\TuneUp Utilities 2013\TuneUpUtilitiesService64.exe[2508] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077771680 5 bytes JMP 00000000778d0320 .text C:\Program Files (x86)\TuneUp Utilities 2013\TuneUpUtilitiesService64.exe[2508] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000777716b0 5 bytes JMP 00000000778d03b0 .text C:\Program Files (x86)\TuneUp Utilities 2013\TuneUpUtilitiesService64.exe[2508] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000777716d0 5 bytes JMP 00000000778d0390 .text C:\Program Files (x86)\TuneUp Utilities 2013\TuneUpUtilitiesService64.exe[2508] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077771710 5 bytes JMP 00000000778d02e0 .text C:\Program Files (x86)\TuneUp Utilities 2013\TuneUpUtilitiesService64.exe[2508] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077771790 5 bytes JMP 00000000778d02d0 .text C:\Program Files (x86)\TuneUp Utilities 2013\TuneUpUtilitiesService64.exe[2508] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000777717b0 5 bytes JMP 00000000778d0310 .text C:\Program Files (x86)\TuneUp Utilities 2013\TuneUpUtilitiesService64.exe[2508] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000777717f0 5 bytes JMP 00000000778d03c0 .text C:\Program Files (x86)\TuneUp Utilities 
2013\TuneUpUtilitiesService64.exe[2508] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077771810 3 bytes JMP 0000000100301284 .text C:\Program Files (x86)\TuneUp Utilities 2013\TuneUpUtilitiesService64.exe[2508] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory + 4 0000000077771814 1 byte [88] .text C:\Program Files (x86)\TuneUp Utilities 2013\TuneUpUtilitiesService64.exe[2508] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077771840 5 bytes JMP 00000000778d03f0 .text C:\Program Files (x86)\TuneUp Utilities 2013\TuneUpUtilitiesService64.exe[2508] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000777719a0 1 byte JMP 00000000778d0230 .text C:\Program Files (x86)\TuneUp Utilities 2013\TuneUpUtilitiesService64.exe[2508] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000777719a2 3 bytes {JMP 0x15e890} .text C:\Program Files (x86)\TuneUp Utilities 2013\TuneUpUtilitiesService64.exe[2508] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077771b60 5 bytes JMP 00000000778d0480 .text C:\Program Files (x86)\TuneUp Utilities 2013\TuneUpUtilitiesService64.exe[2508] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077771b90 5 bytes JMP 00000000778d03a0 .text C:\Program Files (x86)\TuneUp Utilities 2013\TuneUpUtilitiesService64.exe[2508] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077771c70 5 bytes JMP 00000000778d02f0 .text C:\Program Files (x86)\TuneUp Utilities 2013\TuneUpUtilitiesService64.exe[2508] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077771c80 5 bytes JMP 00000000778d0350 .text C:\Program Files (x86)\TuneUp Utilities 2013\TuneUpUtilitiesService64.exe[2508] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077771ce0 5 bytes JMP 00000000778d0290 .text C:\Program Files (x86)\TuneUp Utilities 2013\TuneUpUtilitiesService64.exe[2508] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077771d70 5 bytes JMP 00000000778d02b0 .text C:\Program Files (x86)\TuneUp Utilities 
2013\TuneUpUtilitiesService64.exe[2508] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077771d90 5 bytes JMP 00000000778d03d0 .text C:\Program Files (x86)\TuneUp Utilities 2013\TuneUpUtilitiesService64.exe[2508] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077771da0 1 byte JMP 00000000778d0330 .text C:\Program Files (x86)\TuneUp Utilities 2013\TuneUpUtilitiesService64.exe[2508] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077771da2 3 bytes {JMP 0x15e590} .text C:\Program Files (x86)\TuneUp Utilities 2013\TuneUpUtilitiesService64.exe[2508] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077771e10 5 bytes JMP 00000000778d0410 .text C:\Program Files (x86)\TuneUp Utilities 2013\TuneUpUtilitiesService64.exe[2508] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077771e40 5 bytes JMP 00000000778d0240 .text C:\Program Files (x86)\TuneUp Utilities 2013\TuneUpUtilitiesService64.exe[2508] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077772100 5 bytes JMP 00000000778d01e0 .text C:\Program Files (x86)\TuneUp Utilities 2013\TuneUpUtilitiesService64.exe[2508] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000777721c0 1 byte JMP 00000000778d0250 .text C:\Program Files (x86)\TuneUp Utilities 2013\TuneUpUtilitiesService64.exe[2508] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000777721c2 3 bytes {JMP 0x15e090} .text C:\Program Files (x86)\TuneUp Utilities 2013\TuneUpUtilitiesService64.exe[2508] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000777721f0 5 bytes JMP 00000000778d0490 .text C:\Program Files (x86)\TuneUp Utilities 2013\TuneUpUtilitiesService64.exe[2508] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077772200 5 bytes JMP 00000000778d04a0 .text C:\Program Files (x86)\TuneUp Utilities 2013\TuneUpUtilitiesService64.exe[2508] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077772230 5 bytes JMP 00000000778d0300 .text C:\Program Files (x86)\TuneUp Utilities 
2013\TuneUpUtilitiesService64.exe[2508] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077772240 5 bytes JMP 00000000778d0360 .text C:\Program Files (x86)\TuneUp Utilities 2013\TuneUpUtilitiesService64.exe[2508] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000777722a0 5 bytes JMP 00000000778d02a0 .text C:\Program Files (x86)\TuneUp Utilities 2013\TuneUpUtilitiesService64.exe[2508] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000777722f0 5 bytes JMP 00000000778d02c0 .text C:\Program Files (x86)\TuneUp Utilities 2013\TuneUpUtilitiesService64.exe[2508] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077772320 5 bytes JMP 00000000778d0380 .text C:\Program Files (x86)\TuneUp Utilities 2013\TuneUpUtilitiesService64.exe[2508] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077772330 5 bytes JMP 00000000778d0340 .text C:\Program Files (x86)\TuneUp Utilities 2013\TuneUpUtilitiesService64.exe[2508] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077772620 5 bytes JMP 00000000778d0440 .text C:\Program Files (x86)\TuneUp Utilities 2013\TuneUpUtilitiesService64.exe[2508] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077772820 5 bytes JMP 00000000778d0260 .text C:\Program Files (x86)\TuneUp Utilities 2013\TuneUpUtilitiesService64.exe[2508] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077772830 5 bytes JMP 00000000778d0270 .text C:\Program Files (x86)\TuneUp Utilities 2013\TuneUpUtilitiesService64.exe[2508] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077772840 3 bytes JMP 00000001003019f4 .text C:\Program Files (x86)\TuneUp Utilities 2013\TuneUpUtilitiesService64.exe[2508] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 4 0000000077772844 1 byte [88] .text C:\Program Files (x86)\TuneUp Utilities 2013\TuneUpUtilitiesService64.exe[2508] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077772a00 5 bytes JMP 00000000778d01f0 .text C:\Program Files (x86)\TuneUp Utilities 2013\TuneUpUtilitiesService64.exe[2508] 
C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077772a10 5 bytes JMP 00000000778d0210 .text C:\Program Files (x86)\TuneUp Utilities 2013\TuneUpUtilitiesService64.exe[2508] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077772a80 5 bytes JMP 00000000778d0200 .text C:\Program Files (x86)\TuneUp Utilities 2013\TuneUpUtilitiesService64.exe[2508] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077772ae0 5 bytes JMP 00000000778d0420 .text C:\Program Files (x86)\TuneUp Utilities 2013\TuneUpUtilitiesService64.exe[2508] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077772af0 5 bytes JMP 00000000778d0430 .text C:\Program Files (x86)\TuneUp Utilities 2013\TuneUpUtilitiesService64.exe[2508] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077772b00 5 bytes JMP 00000000778d0220 .text C:\Program Files (x86)\TuneUp Utilities 2013\TuneUpUtilitiesService64.exe[2508] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077772be0 5 bytes JMP 00000000778d0280 .text C:\Program Files (x86)\TuneUp Utilities 2013\TuneUpUtilitiesService64.exe[2508] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 000000007755eecd 1 byte [62] .text C:\Program Files (x86)\TuneUp Utilities 2013\TuneUpUtilitiesService64.exe[2508] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefe3b6e00 5 bytes JMP 000007ff7e3d1dac .text C:\Program Files (x86)\TuneUp Utilities 2013\TuneUpUtilitiesService64.exe[2508] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefe3b6f2c 5 bytes JMP 000007ff7e3d0ecc .text C:\Program Files (x86)\TuneUp Utilities 2013\TuneUpUtilitiesService64.exe[2508] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefe3b7220 5 bytes JMP 000007ff7e3d1284 .text C:\Program Files (x86)\TuneUp Utilities 2013\TuneUpUtilitiesService64.exe[2508] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefe3b739c 5 bytes JMP 000007ff7e3d163c .text C:\Program Files (x86)\TuneUp Utilities 2013\TuneUpUtilitiesService64.exe[2508] 
C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefe3b7538 5 bytes JMP 000007ff7e3d19f4 .text C:\Program Files (x86)\TuneUp Utilities 2013\TuneUpUtilitiesService64.exe[2508] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefe3b75e8 5 bytes JMP 000007ff7e3d03a4 .text C:\Program Files (x86)\TuneUp Utilities 2013\TuneUpUtilitiesService64.exe[2508] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefe3b790c 5 bytes JMP 000007ff7e3d075c .text C:\Program Files (x86)\TuneUp Utilities 2013\TuneUpUtilitiesService64.exe[2508] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefe3b7ab4 5 bytes JMP 000007ff7e3d0b14 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2516] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000075b1a30a 1 byte [62] .text C:\Windows\system32\svchost.exe[2780] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefe3b6e00 5 bytes JMP 000007ff7e3d1dac .text C:\Windows\system32\svchost.exe[2780] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefe3b6f2c 5 bytes JMP 000007ff7e3d0ecc .text C:\Windows\system32\svchost.exe[2780] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefe3b7220 5 bytes JMP 000007ff7e3d1284 .text C:\Windows\system32\svchost.exe[2780] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefe3b739c 5 bytes JMP 000007ff7e3d163c .text C:\Windows\system32\svchost.exe[2780] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefe3b7538 5 bytes JMP 000007ff7e3d19f4 .text C:\Windows\system32\svchost.exe[2780] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefe3b75e8 5 bytes JMP 000007ff7e3d03a4 .text C:\Windows\system32\svchost.exe[2780] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefe3b790c 5 bytes JMP 000007ff7e3d075c .text C:\Windows\system32\svchost.exe[2780] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefe3b7ab4 5 bytes JMP 000007ff7e3d0b14 .text C:\Windows\system32\svchost.exe[1188] 
C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefe3b6e00 5 bytes JMP 000007ff7e3d1dac .text C:\Windows\system32\svchost.exe[1188] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefe3b6f2c 5 bytes JMP 000007ff7e3d0ecc .text C:\Windows\system32\svchost.exe[1188] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefe3b7220 5 bytes JMP 000007ff7e3d1284 .text C:\Windows\system32\svchost.exe[1188] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefe3b739c 5 bytes JMP 000007ff7e3d163c .text C:\Windows\system32\svchost.exe[1188] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefe3b7538 5 bytes JMP 000007ff7e3d19f4 .text C:\Windows\system32\svchost.exe[1188] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefe3b75e8 5 bytes JMP 000007ff7e3d03a4 .text C:\Windows\system32\svchost.exe[1188] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefe3b790c 5 bytes JMP 000007ff7e3d075c .text C:\Windows\system32\svchost.exe[1188] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefe3b7ab4 5 bytes JMP 000007ff7e3d0b14 .text C:\Program Files (x86)\TuneUp Utilities 2013\TuneUpUtilitiesApp64.exe[3172] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077743ae0 5 bytes JMP 000000010018075c .text C:\Program Files (x86)\TuneUp Utilities 2013\TuneUpUtilitiesApp64.exe[3172] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077747a90 5 bytes JMP 00000001001803a4 .text C:\Program Files (x86)\TuneUp Utilities 2013\TuneUpUtilitiesApp64.exe[3172] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000777713c0 5 bytes JMP 0000000100070460 .text C:\Program Files (x86)\TuneUp Utilities 2013\TuneUpUtilitiesApp64.exe[3172] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077771410 5 bytes JMP 0000000100070450 .text C:\Program Files (x86)\TuneUp Utilities 2013\TuneUpUtilitiesApp64.exe[3172] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077771490 5 bytes JMP 0000000100180b14 .text C:\Program Files (x86)\TuneUp 
Utilities 2013\TuneUpUtilitiesApp64.exe[3172] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 00000000777714f0 5 bytes JMP 0000000100180ecc .text C:\Program Files (x86)\TuneUp Utilities 2013\TuneUpUtilitiesApp64.exe[3172] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077771570 5 bytes JMP 0000000100070370 .text C:\Program Files (x86)\TuneUp Utilities 2013\TuneUpUtilitiesApp64.exe[3172] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000777715c0 5 bytes JMP 0000000100070470 .text C:\Program Files (x86)\TuneUp Utilities 2013\TuneUpUtilitiesApp64.exe[3172] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000777715d0 5 bytes JMP 000000010018163c .text C:\Program Files (x86)\TuneUp Utilities 2013\TuneUpUtilitiesApp64.exe[3172] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077771680 5 bytes JMP 0000000100070320 .text C:\Program Files (x86)\TuneUp Utilities 2013\TuneUpUtilitiesApp64.exe[3172] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000777716b0 5 bytes JMP 00000001000703b0 .text C:\Program Files (x86)\TuneUp Utilities 2013\TuneUpUtilitiesApp64.exe[3172] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000777716d0 5 bytes JMP 0000000100070390 .text C:\Program Files (x86)\TuneUp Utilities 2013\TuneUpUtilitiesApp64.exe[3172] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077771710 5 bytes JMP 00000001000702e0 .text C:\Program Files (x86)\TuneUp Utilities 2013\TuneUpUtilitiesApp64.exe[3172] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077771790 5 bytes JMP 00000001000702d0 .text C:\Program Files (x86)\TuneUp Utilities 2013\TuneUpUtilitiesApp64.exe[3172] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000777717b0 5 bytes JMP 0000000100070310 .text C:\Program Files (x86)\TuneUp Utilities 2013\TuneUpUtilitiesApp64.exe[3172] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000777717f0 5 bytes JMP 00000001000703c0 .text C:\Program Files (x86)\TuneUp Utilities 2013\TuneUpUtilitiesApp64.exe[3172] 
C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077771810 5 bytes JMP 0000000100181284 .text C:\Program Files (x86)\TuneUp Utilities 2013\TuneUpUtilitiesApp64.exe[3172] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077771840 5 bytes JMP 00000001000703f0 .text C:\Program Files (x86)\TuneUp Utilities 2013\TuneUpUtilitiesApp64.exe[3172] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000777719a0 1 byte JMP 0000000100070230 .text C:\Program Files (x86)\TuneUp Utilities 2013\TuneUpUtilitiesApp64.exe[3172] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000777719a2 3 bytes {JMP 0xffffffff888fe890} .text C:\Program Files (x86)\TuneUp Utilities 2013\TuneUpUtilitiesApp64.exe[3172] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077771b60 5 bytes JMP 0000000100070480 .text C:\Program Files (x86)\TuneUp Utilities 2013\TuneUpUtilitiesApp64.exe[3172] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077771b90 5 bytes JMP 00000001000703a0 .text C:\Program Files (x86)\TuneUp Utilities 2013\TuneUpUtilitiesApp64.exe[3172] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077771c70 5 bytes JMP 00000001000702f0 .text C:\Program Files (x86)\TuneUp Utilities 2013\TuneUpUtilitiesApp64.exe[3172] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077771c80 5 bytes JMP 0000000100070350 .text C:\Program Files (x86)\TuneUp Utilities 2013\TuneUpUtilitiesApp64.exe[3172] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077771ce0 5 bytes JMP 0000000100070290 .text C:\Program Files (x86)\TuneUp Utilities 2013\TuneUpUtilitiesApp64.exe[3172] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077771d70 5 bytes JMP 00000001000702b0 .text C:\Program Files (x86)\TuneUp Utilities 2013\TuneUpUtilitiesApp64.exe[3172] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077771d90 5 bytes JMP 00000001000703d0 .text C:\Program Files (x86)\TuneUp Utilities 2013\TuneUpUtilitiesApp64.exe[3172] 
C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077771da0 1 byte JMP 0000000100070330 .text C:\Program Files (x86)\TuneUp Utilities 2013\TuneUpUtilitiesApp64.exe[3172] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077771da2 3 bytes {JMP 0xffffffff888fe590} .text C:\Program Files (x86)\TuneUp Utilities 2013\TuneUpUtilitiesApp64.exe[3172] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077771e10 5 bytes JMP 0000000100070410 .text C:\Program Files (x86)\TuneUp Utilities 2013\TuneUpUtilitiesApp64.exe[3172] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077771e40 5 bytes JMP 0000000100070240 .text C:\Program Files (x86)\TuneUp Utilities 2013\TuneUpUtilitiesApp64.exe[3172] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077772100 5 bytes JMP 00000001000701e0 .text C:\Program Files (x86)\TuneUp Utilities 2013\TuneUpUtilitiesApp64.exe[3172] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000777721c0 1 byte JMP 0000000100070250 .text C:\Program Files (x86)\TuneUp Utilities 2013\TuneUpUtilitiesApp64.exe[3172] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000777721c2 3 bytes {JMP 0xffffffff888fe090} .text C:\Program Files (x86)\TuneUp Utilities 2013\TuneUpUtilitiesApp64.exe[3172] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000777721f0 5 bytes JMP 0000000100070490 .text C:\Program Files (x86)\TuneUp Utilities 2013\TuneUpUtilitiesApp64.exe[3172] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077772200 5 bytes JMP 00000001000704a0 .text C:\Program Files (x86)\TuneUp Utilities 2013\TuneUpUtilitiesApp64.exe[3172] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077772230 5 bytes JMP 0000000100070300 .text C:\Program Files (x86)\TuneUp Utilities 2013\TuneUpUtilitiesApp64.exe[3172] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077772240 5 bytes JMP 0000000100070360 .text C:\Program Files (x86)\TuneUp Utilities 2013\TuneUpUtilitiesApp64.exe[3172] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 
00000000777722a0 5 bytes JMP 00000001000702a0 .text C:\Program Files (x86)\TuneUp Utilities 2013\TuneUpUtilitiesApp64.exe[3172] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000777722f0 5 bytes JMP 00000001000702c0 .text C:\Program Files (x86)\TuneUp Utilities 2013\TuneUpUtilitiesApp64.exe[3172] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077772320 5 bytes JMP 0000000100070380 .text C:\Program Files (x86)\TuneUp Utilities 2013\TuneUpUtilitiesApp64.exe[3172] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077772330 5 bytes JMP 0000000100070340 .text C:\Program Files (x86)\TuneUp Utilities 2013\TuneUpUtilitiesApp64.exe[3172] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077772620 5 bytes JMP 0000000100070440 .text C:\Program Files (x86)\TuneUp Utilities 2013\TuneUpUtilitiesApp64.exe[3172] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077772820 5 bytes JMP 0000000100070260 .text C:\Program Files (x86)\TuneUp Utilities 2013\TuneUpUtilitiesApp64.exe[3172] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077772830 5 bytes JMP 0000000100070270 .text C:\Program Files (x86)\TuneUp Utilities 2013\TuneUpUtilitiesApp64.exe[3172] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077772840 5 bytes JMP 00000001001819f4 .text C:\Program Files (x86)\TuneUp Utilities 2013\TuneUpUtilitiesApp64.exe[3172] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077772a00 5 bytes JMP 00000001000701f0 .text C:\Program Files (x86)\TuneUp Utilities 2013\TuneUpUtilitiesApp64.exe[3172] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077772a10 5 bytes JMP 0000000100070210 .text C:\Program Files (x86)\TuneUp Utilities 2013\TuneUpUtilitiesApp64.exe[3172] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077772a80 5 bytes JMP 0000000100070200 .text C:\Program Files (x86)\TuneUp Utilities 2013\TuneUpUtilitiesApp64.exe[3172] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077772ae0 5 bytes JMP 0000000100070420 .text C:\Program 
Files (x86)\TuneUp Utilities 2013\TuneUpUtilitiesApp64.exe[3172] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077772af0 5 bytes JMP 0000000100070430 .text C:\Program Files (x86)\TuneUp Utilities 2013\TuneUpUtilitiesApp64.exe[3172] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077772b00 5 bytes JMP 0000000100070220 .text C:\Program Files (x86)\TuneUp Utilities 2013\TuneUpUtilitiesApp64.exe[3172] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077772be0 5 bytes JMP 0000000100070280 .text C:\Program Files (x86)\TuneUp Utilities 2013\TuneUpUtilitiesApp64.exe[3172] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefe3b6e00 5 bytes JMP 000007ff7e3d1dac .text C:\Program Files (x86)\TuneUp Utilities 2013\TuneUpUtilitiesApp64.exe[3172] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefe3b6f2c 5 bytes JMP 000007ff7e3d0ecc .text C:\Program Files (x86)\TuneUp Utilities 2013\TuneUpUtilitiesApp64.exe[3172] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefe3b7220 5 bytes JMP 000007ff7e3d1284 .text C:\Program Files (x86)\TuneUp Utilities 2013\TuneUpUtilitiesApp64.exe[3172] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefe3b739c 5 bytes JMP 000007ff7e3d163c .text C:\Program Files (x86)\TuneUp Utilities 2013\TuneUpUtilitiesApp64.exe[3172] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefe3b7538 5 bytes JMP 000007ff7e3d19f4 .text C:\Program Files (x86)\TuneUp Utilities 2013\TuneUpUtilitiesApp64.exe[3172] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefe3b75e8 5 bytes JMP 000007ff7e3d03a4 .text C:\Program Files (x86)\TuneUp Utilities 2013\TuneUpUtilitiesApp64.exe[3172] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefe3b790c 5 bytes JMP 000007ff7e3d075c .text C:\Program Files (x86)\TuneUp Utilities 2013\TuneUpUtilitiesApp64.exe[3172] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefe3b7ab4 5 bytes JMP 000007ff7e3d0b14 .text C:\Windows\system32\AUDIODG.EXE[3900] 
C:\Windows\System32\kernel32.dll!GetBinaryTypeW + 189 000000007755eecd 1 byte [62] .text C:\Users\Henry\Downloads\7m5j7tlm.exe[1216] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 000000007791faa0 5 bytes JMP 0000000100030600 .text C:\Users\Henry\Downloads\7m5j7tlm.exe[1216] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 000000007791fb38 5 bytes JMP 0000000100030804 .text C:\Users\Henry\Downloads\7m5j7tlm.exe[1216] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007791fc90 5 bytes JMP 0000000100030c0c .text C:\Users\Henry\Downloads\7m5j7tlm.exe[1216] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077920018 5 bytes JMP 0000000100030a08 .text C:\Users\Henry\Downloads\7m5j7tlm.exe[1216] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077921900 5 bytes JMP 0000000100030e10 .text C:\Users\Henry\Downloads\7m5j7tlm.exe[1216] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 000000007793c45a 5 bytes JMP 00000001000301f8 .text C:\Users\Henry\Downloads\7m5j7tlm.exe[1216] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077941217 5 bytes JMP 00000001000303fc .text C:\Users\Henry\Downloads\7m5j7tlm.exe[1216] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 0000000075b1a30a 1 byte [62] .text C:\Users\Henry\Downloads\7m5j7tlm.exe[1216] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 00000000770e5181 5 bytes JMP 0000000100241014 .text C:\Users\Henry\Downloads\7m5j7tlm.exe[1216] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 00000000770e5254 5 bytes JMP 0000000100240804 .text C:\Users\Henry\Downloads\7m5j7tlm.exe[1216] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000770e53d5 5 bytes JMP 0000000100240a08 .text C:\Users\Henry\Downloads\7m5j7tlm.exe[1216] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000770e54c2 5 bytes JMP 0000000100240c0c .text C:\Users\Henry\Downloads\7m5j7tlm.exe[1216] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000770e55e2 5 bytes JMP 0000000100240e10 .text 
C:\Users\Henry\Downloads\7m5j7tlm.exe[1216] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 00000000770e567c 5 bytes JMP 00000001002401f8 .text C:\Users\Henry\Downloads\7m5j7tlm.exe[1216] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 00000000770e589f 5 bytes JMP 00000001002403fc .text C:\Users\Henry\Downloads\7m5j7tlm.exe[1216] C:\Windows\SysWOW64\sechost.dll!DeleteService 00000000770e5a22 5 bytes JMP 0000000100240600 .text C:\Users\Henry\Downloads\7m5j7tlm.exe[1216] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000076adee09 5 bytes JMP 00000001002501f8 .text C:\Users\Henry\Downloads\7m5j7tlm.exe[1216] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000076ae3982 5 bytes JMP 00000001002503fc .text C:\Users\Henry\Downloads\7m5j7tlm.exe[1216] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076ae7603 5 bytes JMP 0000000100250804 .text C:\Users\Henry\Downloads\7m5j7tlm.exe[1216] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000076ae835c 5 bytes JMP 0000000100250600 .text C:\Users\Henry\Downloads\7m5j7tlm.exe[1216] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 0000000076aff52b 5 bytes JMP 0000000100250a08 ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@Type 2 Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@Start 2 Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@DisplayName aswFsBlk Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@Group FSFilter Activity Monitor Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@DependOnService FltMgr? Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@Description avast! 
mini-filter driver (aswFsBlk) Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@Tag 2 Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk\Instances Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk\Instances@DefaultInstance aswFsBlk Instance Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk\Instances\aswFsBlk Instance Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk\Instances\aswFsBlk Instance@Altitude 388400 Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk\Instances\aswFsBlk Instance@Flags 0 Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk Reg HKLM\SYSTEM\CurrentControlSet\services\aswFW@Type 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswFW@Start 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswFW@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswFW@DisplayName avast! TDI Firewall driver Reg HKLM\SYSTEM\CurrentControlSet\services\aswFW@Group PNP_TDI Reg HKLM\SYSTEM\CurrentControlSet\services\aswFW@DependOnService tcpip? Reg HKLM\SYSTEM\CurrentControlSet\services\aswFW@Description avast! TDI Firewall driver Reg HKLM\SYSTEM\CurrentControlSet\services\aswFW@Tag 10 Reg HKLM\SYSTEM\CurrentControlSet\services\aswFW\Parameters Reg HKLM\SYSTEM\CurrentControlSet\services\aswFW\Parameters@ProgramFolder \DosDevices\C:\Program Files\AVAST Software\Avast Reg HKLM\SYSTEM\CurrentControlSet\services\aswFW\Parameters@DataFolder \DosDevices\C:\ProgramData\AVAST Software\Avast Reg HKLM\SYSTEM\CurrentControlSet\services\aswFW Reg HKLM\SYSTEM\CurrentControlSet\services\aswKbd@Type 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswKbd@Start 0 Reg HKLM\SYSTEM\CurrentControlSet\services\aswKbd@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswKbd@DisplayName aswKbd Reg HKLM\SYSTEM\CurrentControlSet\services\aswKbd@Group Keyboard Port Reg HKLM\SYSTEM\CurrentControlSet\services\aswKbd@Description avast! 
keyboard filter driver (aswKbd) Reg HKLM\SYSTEM\CurrentControlSet\services\aswKbd@Tag 7 Reg HKLM\SYSTEM\CurrentControlSet\services\aswKbd Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@Type 2 Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@Start 2 Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@ImagePath \??\C:\Windows\system32\drivers\aswMonFlt.sys Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@DisplayName aswMonFlt Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@Group FSFilter Anti-Virus Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@DependOnService FltMgr? Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@Description avast! mini-filter driver (aswMonFlt) Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt\Instances Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt\Instances@DefaultInstance aswMonFlt Instance Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt\Instances\aswMonFlt Instance Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt\Instances\aswMonFlt Instance@Altitude 320700 Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt\Instances\aswMonFlt Instance@Flags 0 Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@ImagePath \SystemRoot\System32\Drivers\aswrdr2.sys Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@Type 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@Start 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@DisplayName aswRdr Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@Group PNP_TDI Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@DependOnService tcpip? Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@Description avast! 
WFP Redirect driver Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr\Parameters Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr\Parameters@MSIgnoreLSPDefault Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr\Parameters@WSIgnoreLSPDefault nl_lsp.dll,imon.dll,xfire_lsp.dll,mslsp.dll,mssplsp.dll,cwhook.dll,spi.dll,bmnet.dll,winsflt.dll Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt@Type 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt@Start 0 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt@DisplayName aswRvrt Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt@Description avast! Revert Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt\Parameters Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt\Parameters@BootCounter 34 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt\Parameters@TickCounter 95320 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt\Parameters@SystemRoot \Device\Harddisk1\Partition2\Windows Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt\Parameters@ImproperShutdown 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@Type 2 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@Start 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@DisplayName aswSnx Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@Group FSFilter Virtualization Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@DependOnService FltMgr? Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@Description avast! 
virtualization driver (aswSnx) Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@Tag 2 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Instances Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Instances@DefaultInstance aswSnx Instance Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Instances\aswSnx Instance Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Instances\aswSnx Instance@Altitude 137600 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Instances\aswSnx Instance@Flags 0 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Parameters Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Parameters@ProgramFolder \DosDevices\C:\Program Files\AVAST Software\Avast Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Parameters@DataFolder \DosDevices\C:\ProgramData\AVAST Software\Avast Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP@Type 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP@Start 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP@DisplayName aswSP Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP@Description avast! 
Self Protection Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP\Parameters Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP\Parameters@BehavShield 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP\Parameters@ProgramFolder \DosDevices\C:\Program Files\AVAST Software\Avast Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP\Parameters@DataFolder \DosDevices\C:\ProgramData\AVAST Software\Avast Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP\Parameters@ProgramFilesFolder \DosDevices\C:\Program Files Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP\Parameters@GadgetFolder \DosDevices\C:\Program Files\Windows Sidebar\Shared Gadgets\aswSidebar.gadget Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP\Parameters@NoWelcomeScreen 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@Type 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@Start 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@DisplayName avast! Network Shield Support Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@Group PNP_TDI Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@DependOnService tcpip? Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@Description avast! Network Shield TDI driver Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@Tag 9 Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm@Type 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm@Start 3 Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm@DisplayName aswVmm Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm@Description avast! VM Monitor Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm\Parameters Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@Type 32 Reg HKLM\SYSTEM\CurrentControlSet\services\avast! 
Antivirus@Start 2 Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@ImagePath "C:\Program Files\AVAST Software\Avast\AvastSvc.exe" Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@DisplayName avast! Antivirus Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@DependOnService aswMonFlt?RpcSS? Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@WOW64 1 Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@ObjectName LocalSystem Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@ServiceSidType 1 Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@Description Instaluje i zarz?dza us?ugami antywirusowymi programu avast! na tym komputerze, co obejmuje rezydentny skaner, kwarantann? oraz harmonogram zada?. Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@Group ShellSvcGroup Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Firewall@Type 32 Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Firewall@Start 2 Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Firewall@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Firewall@ImagePath "C:\Program Files\AVAST Software\Avast\afwServ.exe" Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Firewall@DisplayName avast! Firewall Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Firewall@Group ShellSvcGroup Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Firewall@WOW64 1 Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Firewall@ObjectName LocalSystem Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Firewall@ServiceSidType 1 Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Firewall@Description Implements main functionality for avast! Firewall Reg HKLM\SYSTEM\CurrentControlSet\services\avast! 
Firewall Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@Type 2 Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@Start 2 Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@DisplayName aswFsBlk Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@Group FSFilter Activity Monitor Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@DependOnService FltMgr? Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@Description avast! mini-filter driver (aswFsBlk) Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@Tag 2 Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk\Instances (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk\Instances@DefaultInstance aswFsBlk Instance Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk\Instances\aswFsBlk Instance (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk\Instances\aswFsBlk Instance@Altitude 388400 Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk\Instances\aswFsBlk Instance@Flags 0 Reg HKLM\SYSTEM\ControlSet002\services\aswFW@Type 1 Reg HKLM\SYSTEM\ControlSet002\services\aswFW@Start 1 Reg HKLM\SYSTEM\ControlSet002\services\aswFW@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\aswFW@DisplayName avast! TDI Firewall driver Reg HKLM\SYSTEM\ControlSet002\services\aswFW@Group PNP_TDI Reg HKLM\SYSTEM\ControlSet002\services\aswFW@DependOnService tcpip? Reg HKLM\SYSTEM\ControlSet002\services\aswFW@Description avast! 
TDI Firewall driver Reg HKLM\SYSTEM\ControlSet002\services\aswFW@Tag 10 Reg HKLM\SYSTEM\ControlSet002\services\aswFW\Parameters (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswFW\Parameters@ProgramFolder \DosDevices\C:\Program Files\AVAST Software\Avast Reg HKLM\SYSTEM\ControlSet002\services\aswFW\Parameters@DataFolder \DosDevices\C:\ProgramData\AVAST Software\Avast Reg HKLM\SYSTEM\ControlSet002\services\aswKbd@Type 1 Reg HKLM\SYSTEM\ControlSet002\services\aswKbd@Start 0 Reg HKLM\SYSTEM\ControlSet002\services\aswKbd@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\aswKbd@DisplayName aswKbd Reg HKLM\SYSTEM\ControlSet002\services\aswKbd@Group Keyboard Port Reg HKLM\SYSTEM\ControlSet002\services\aswKbd@Description avast! keyboard filter driver (aswKbd) Reg HKLM\SYSTEM\ControlSet002\services\aswKbd@Tag 7 Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt@Type 2 Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt@Start 2 Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt@ImagePath \??\C:\Windows\system32\drivers\aswMonFlt.sys Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt@DisplayName aswMonFlt Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt@Group FSFilter Anti-Virus Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt@DependOnService FltMgr? Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt@Description avast! 
mini-filter driver (aswMonFlt) Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt\Instances (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt\Instances@DefaultInstance aswMonFlt Instance Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt\Instances\aswMonFlt Instance (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt\Instances\aswMonFlt Instance@Altitude 320700 Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt\Instances\aswMonFlt Instance@Flags 0 Reg HKLM\SYSTEM\ControlSet002\services\aswRdr@ImagePath \SystemRoot\System32\Drivers\aswrdr2.sys Reg HKLM\SYSTEM\ControlSet002\services\aswRdr@Type 1 Reg HKLM\SYSTEM\ControlSet002\services\aswRdr@Start 1 Reg HKLM\SYSTEM\ControlSet002\services\aswRdr@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\aswRdr@DisplayName aswRdr Reg HKLM\SYSTEM\ControlSet002\services\aswRdr@Group PNP_TDI Reg HKLM\SYSTEM\ControlSet002\services\aswRdr@DependOnService tcpip? Reg HKLM\SYSTEM\ControlSet002\services\aswRdr@Description avast! WFP Redirect driver Reg HKLM\SYSTEM\ControlSet002\services\aswRdr\Parameters (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswRdr\Parameters@MSIgnoreLSPDefault Reg HKLM\SYSTEM\ControlSet002\services\aswRdr\Parameters@WSIgnoreLSPDefault nl_lsp.dll,imon.dll,xfire_lsp.dll,mslsp.dll,mssplsp.dll,cwhook.dll,spi.dll,bmnet.dll,winsflt.dll Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt@Type 1 Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt@Start 0 Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt@DisplayName aswRvrt Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt@Description avast! 
Revert Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt\Parameters (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt\Parameters@BootCounter 34 Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt\Parameters@TickCounter 95320 Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt\Parameters@SystemRoot \Device\Harddisk1\Partition2\Windows Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt\Parameters@ImproperShutdown 1 Reg HKLM\SYSTEM\ControlSet002\services\aswSnx@Type 2 Reg HKLM\SYSTEM\ControlSet002\services\aswSnx@Start 1 Reg HKLM\SYSTEM\ControlSet002\services\aswSnx@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\aswSnx@DisplayName aswSnx Reg HKLM\SYSTEM\ControlSet002\services\aswSnx@Group FSFilter Virtualization Reg HKLM\SYSTEM\ControlSet002\services\aswSnx@DependOnService FltMgr? Reg HKLM\SYSTEM\ControlSet002\services\aswSnx@Description avast! virtualization driver (aswSnx) Reg HKLM\SYSTEM\ControlSet002\services\aswSnx@Tag 2 Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Instances (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Instances@DefaultInstance aswSnx Instance Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Instances\aswSnx Instance (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Instances\aswSnx Instance@Altitude 137600 Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Instances\aswSnx Instance@Flags 0 Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Parameters (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Parameters@ProgramFolder \DosDevices\C:\Program Files\AVAST Software\Avast Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Parameters@DataFolder \DosDevices\C:\ProgramData\AVAST Software\Avast Reg HKLM\SYSTEM\ControlSet002\services\aswSP@Type 1 Reg HKLM\SYSTEM\ControlSet002\services\aswSP@Start 1 Reg HKLM\SYSTEM\ControlSet002\services\aswSP@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\aswSP@DisplayName aswSP Reg HKLM\SYSTEM\ControlSet002\services\aswSP@Description avast! 
Self Protection Reg HKLM\SYSTEM\ControlSet002\services\aswSP\Parameters (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswSP\Parameters@BehavShield 1 Reg HKLM\SYSTEM\ControlSet002\services\aswSP\Parameters@ProgramFolder \DosDevices\C:\Program Files\AVAST Software\Avast Reg HKLM\SYSTEM\ControlSet002\services\aswSP\Parameters@DataFolder \DosDevices\C:\ProgramData\AVAST Software\Avast Reg HKLM\SYSTEM\ControlSet002\services\aswSP\Parameters@ProgramFilesFolder \DosDevices\C:\Program Files Reg HKLM\SYSTEM\ControlSet002\services\aswSP\Parameters@GadgetFolder \DosDevices\C:\Program Files\Windows Sidebar\Shared Gadgets\aswSidebar.gadget Reg HKLM\SYSTEM\ControlSet002\services\aswSP\Parameters@NoWelcomeScreen 1 Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@Type 1 Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@Start 1 Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@DisplayName avast! Network Shield Support Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@Group PNP_TDI Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@DependOnService tcpip? Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@Description avast! Network Shield TDI driver Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@Tag 9 Reg HKLM\SYSTEM\ControlSet002\services\aswVmm@Type 1 Reg HKLM\SYSTEM\ControlSet002\services\aswVmm@Start 3 Reg HKLM\SYSTEM\ControlSet002\services\aswVmm@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\aswVmm@DisplayName aswVmm Reg HKLM\SYSTEM\ControlSet002\services\aswVmm@Description avast! VM Monitor Reg HKLM\SYSTEM\ControlSet002\services\aswVmm\Parameters (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@Type 32 Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@Start 2 Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\avast! 
Antivirus@ImagePath "C:\Program Files\AVAST Software\Avast\AvastSvc.exe" Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@DisplayName avast! Antivirus Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@DependOnService aswMonFlt?RpcSS? Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@WOW64 1 Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@ObjectName LocalSystem Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@ServiceSidType 1 Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@Description Instaluje i zarządza usługami antywirusowymi programu avast! na tym komputerze, co obejmuje rezydentny skaner, kwarantannę oraz harmonogram zadań. Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@Group ShellSvcGroup Reg HKLM\SYSTEM\ControlSet002\services\avast! Firewall@Type 32 Reg HKLM\SYSTEM\ControlSet002\services\avast! Firewall@Start 2 Reg HKLM\SYSTEM\ControlSet002\services\avast! Firewall@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\avast! Firewall@ImagePath "C:\Program Files\AVAST Software\Avast\afwServ.exe" Reg HKLM\SYSTEM\ControlSet002\services\avast! Firewall@DisplayName avast! Firewall Reg HKLM\SYSTEM\ControlSet002\services\avast! Firewall@Group ShellSvcGroup Reg HKLM\SYSTEM\ControlSet002\services\avast! Firewall@WOW64 1 Reg HKLM\SYSTEM\ControlSet002\services\avast! Firewall@ObjectName LocalSystem Reg HKLM\SYSTEM\ControlSet002\services\avast! Firewall@ServiceSidType 1 Reg HKLM\SYSTEM\ControlSet002\services\avast! Firewall@Description Implements main functionality for avast! Firewall Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{05055CBA-D3C0-F33A-77F2-EEDAE4699789} Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{05055CBA-D3C0-F33A-77F2-EEDAE4699789}@mandfmaoiafmoampaidhjehjpl 0x6F 0x61 0x6F 0x66 ... 
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{05055CBA-D3C0-F33A-77F2-EEDAE4699789}@abodcmgialofkcegcfjngdknibpgoogcoa 0x61 0x62 0x6D 0x65 ... ---- EOF - GMER 2.1 ----