GMER 2.1.19163 - http://www.gmer.net Rootkit scan 2013-10-29 14:46:23 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T1L0-4 WDC_WD10EADS-11M2B2 rev.80.00A80 931,51GB Running: ff30ghz9.exe; Driver: C:\Users\Erni\AppData\Local\Temp\aftcyaoc.sys ---- User code sections - GMER 2.1 ---- .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000776a1360 5 bytes JMP 0000000149980460 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000776a13b0 5 bytes JMP 0000000149980450 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000776a1510 5 bytes JMP 0000000149980370 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000776a1560 5 bytes JMP 0000000149980470 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000776a1570 5 bytes JMP 00000001499803e0 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000776a1620 5 bytes JMP 0000000149980320 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000776a1650 5 bytes JMP 00000001499803b0 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000776a1670 5 bytes JMP 0000000149980390 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000776a16b0 5 bytes JMP 00000001499802e0 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000776a1730 5 bytes JMP 00000001499802d0 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000776a1750 5 bytes JMP 0000000149980310 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000776a1790 5 bytes JMP 00000001499803c0 .text C:\Windows\system32\csrss.exe[416] 
C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000776a17e0 5 bytes JMP 00000001499803f0 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000776a1940 5 bytes JMP 0000000149980230 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000776a1b00 5 bytes JMP 0000000149980480 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000776a1b30 5 bytes JMP 00000001499803a0 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000776a1c10 5 bytes JMP 00000001499802f0 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000776a1c20 5 bytes JMP 0000000149980350 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000776a1c80 5 bytes JMP 0000000149980290 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000776a1d10 5 bytes JMP 00000001499802b0 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000776a1d30 5 bytes JMP 00000001499803d0 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000776a1d40 5 bytes JMP 0000000149980330 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000776a1db0 5 bytes JMP 0000000149980410 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000776a1de0 5 bytes JMP 0000000149980240 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000776a20a0 5 bytes JMP 00000001499801e0 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000776a2160 5 bytes JMP 0000000149980250 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000776a2190 5 bytes JMP 0000000149980490 .text 
C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000776a21a0 5 bytes JMP 00000001499804a0 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000776a21d0 5 bytes JMP 0000000149980300 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000776a21e0 5 bytes JMP 0000000149980360 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000776a2240 5 bytes JMP 00000001499802a0 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000776a2290 5 bytes JMP 00000001499802c0 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000776a22c0 5 bytes JMP 0000000149980380 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000776a22d0 5 bytes JMP 0000000149980340 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000776a25c0 5 bytes JMP 0000000149980440 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000776a27c0 5 bytes JMP 0000000149980260 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000776a27d0 5 bytes JMP 0000000149980270 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000776a27e0 5 bytes JMP 0000000149980400 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000776a29a0 5 bytes JMP 00000001499801f0 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000776a29b0 5 bytes JMP 0000000149980210 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000776a2a20 5 bytes JMP 0000000149980200 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000776a2a80 5 bytes 
JMP 0000000149980420 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000776a2a90 5 bytes JMP 0000000149980430 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000776a2aa0 5 bytes JMP 0000000149980220 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000776a2b80 5 bytes JMP 0000000149980280 .text C:\Windows\system32\csrss.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000776a1360 5 bytes JMP 0000000149980460 .text C:\Windows\system32\csrss.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000776a13b0 5 bytes JMP 0000000149980450 .text C:\Windows\system32\csrss.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000776a1510 5 bytes JMP 0000000149980370 .text C:\Windows\system32\csrss.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000776a1560 5 bytes JMP 0000000149980470 .text C:\Windows\system32\csrss.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000776a1570 5 bytes JMP 00000001499803e0 .text C:\Windows\system32\csrss.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000776a1620 5 bytes JMP 0000000149980320 .text C:\Windows\system32\csrss.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000776a1650 5 bytes JMP 00000001499803b0 .text C:\Windows\system32\csrss.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000776a1670 5 bytes JMP 0000000149980390 .text C:\Windows\system32\csrss.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000776a16b0 5 bytes JMP 00000001499802e0 .text C:\Windows\system32\csrss.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000776a1730 5 bytes JMP 00000001499802d0 .text C:\Windows\system32\csrss.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000776a1750 5 bytes JMP 0000000149980310 .text C:\Windows\system32\csrss.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 
00000000776a1790 5 bytes JMP 00000001499803c0 .text C:\Windows\system32\csrss.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000776a17e0 5 bytes JMP 00000001499803f0 .text C:\Windows\system32\csrss.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000776a1940 5 bytes JMP 0000000149980230 .text C:\Windows\system32\csrss.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000776a1b00 5 bytes JMP 0000000149980480 .text C:\Windows\system32\csrss.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000776a1b30 5 bytes JMP 00000001499803a0 .text C:\Windows\system32\csrss.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000776a1c10 5 bytes JMP 00000001499802f0 .text C:\Windows\system32\csrss.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000776a1c20 5 bytes JMP 0000000149980350 .text C:\Windows\system32\csrss.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000776a1c80 5 bytes JMP 0000000149980290 .text C:\Windows\system32\csrss.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000776a1d10 5 bytes JMP 00000001499802b0 .text C:\Windows\system32\csrss.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000776a1d30 5 bytes JMP 00000001499803d0 .text C:\Windows\system32\csrss.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000776a1d40 5 bytes JMP 0000000149980330 .text C:\Windows\system32\csrss.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000776a1db0 5 bytes JMP 0000000149980410 .text C:\Windows\system32\csrss.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000776a1de0 5 bytes JMP 0000000149980240 .text C:\Windows\system32\csrss.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000776a20a0 5 bytes JMP 00000001499801e0 .text C:\Windows\system32\csrss.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000776a2160 5 bytes JMP 0000000149980250 .text C:\Windows\system32\csrss.exe[472] 
C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000776a2190 5 bytes JMP 0000000149980490 .text C:\Windows\system32\csrss.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000776a21a0 5 bytes JMP 00000001499804a0 .text C:\Windows\system32\csrss.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000776a21d0 5 bytes JMP 0000000149980300 .text C:\Windows\system32\csrss.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000776a21e0 5 bytes JMP 0000000149980360 .text C:\Windows\system32\csrss.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000776a2240 5 bytes JMP 00000001499802a0 .text C:\Windows\system32\csrss.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000776a2290 5 bytes JMP 00000001499802c0 .text C:\Windows\system32\csrss.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000776a22c0 5 bytes JMP 0000000149980380 .text C:\Windows\system32\csrss.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000776a22d0 5 bytes JMP 0000000149980340 .text C:\Windows\system32\csrss.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000776a25c0 5 bytes JMP 0000000149980440 .text C:\Windows\system32\csrss.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000776a27c0 5 bytes JMP 0000000149980260 .text C:\Windows\system32\csrss.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000776a27d0 5 bytes JMP 0000000149980270 .text C:\Windows\system32\csrss.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000776a27e0 5 bytes JMP 0000000149980400 .text C:\Windows\system32\csrss.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000776a29a0 5 bytes JMP 00000001499801f0 .text C:\Windows\system32\csrss.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000776a29b0 5 bytes JMP 0000000149980210 .text C:\Windows\system32\csrss.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000776a2a20 5 bytes JMP 0000000149980200 .text 
C:\Windows\system32\csrss.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000776a2a80 5 bytes JMP 0000000149980420 .text C:\Windows\system32\csrss.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000776a2a90 5 bytes JMP 0000000149980430 .text C:\Windows\system32\csrss.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000776a2aa0 5 bytes JMP 0000000149980220 .text C:\Windows\system32\csrss.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000776a2b80 5 bytes JMP 0000000149980280 .text C:\Windows\system32\wininit.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000776a1360 5 bytes JMP 0000000077800460 .text C:\Windows\system32\wininit.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000776a13b0 5 bytes JMP 0000000077800450 .text C:\Windows\system32\wininit.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000776a1510 5 bytes JMP 0000000077800370 .text C:\Windows\system32\wininit.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000776a1560 5 bytes JMP 0000000077800470 .text C:\Windows\system32\wininit.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000776a1570 5 bytes JMP 00000000778003e0 .text C:\Windows\system32\wininit.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000776a1620 5 bytes JMP 0000000077800320 .text C:\Windows\system32\wininit.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000776a1650 5 bytes JMP 00000000778003b0 .text C:\Windows\system32\wininit.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000776a1670 5 bytes JMP 0000000077800390 .text C:\Windows\system32\wininit.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000776a16b0 5 bytes JMP 00000000778002e0 .text C:\Windows\system32\wininit.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000776a1730 5 bytes JMP 00000000778002d0 .text C:\Windows\system32\wininit.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000776a1750 
5 bytes JMP 0000000077800310 .text C:\Windows\system32\wininit.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000776a1790 5 bytes JMP 00000000778003c0 .text C:\Windows\system32\wininit.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000776a17e0 5 bytes JMP 00000000778003f0 .text C:\Windows\system32\wininit.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000776a1940 5 bytes JMP 0000000077800230 .text C:\Windows\system32\wininit.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000776a1b00 5 bytes JMP 0000000077800480 .text C:\Windows\system32\wininit.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000776a1b30 5 bytes JMP 00000000778003a0 .text C:\Windows\system32\wininit.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000776a1c10 5 bytes JMP 00000000778002f0 .text C:\Windows\system32\wininit.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000776a1c20 5 bytes JMP 0000000077800350 .text C:\Windows\system32\wininit.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000776a1c80 5 bytes JMP 0000000077800290 .text C:\Windows\system32\wininit.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000776a1d10 5 bytes JMP 00000000778002b0 .text C:\Windows\system32\wininit.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000776a1d30 5 bytes JMP 00000000778003d0 .text C:\Windows\system32\wininit.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000776a1d40 5 bytes JMP 0000000077800330 .text C:\Windows\system32\wininit.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000776a1db0 5 bytes JMP 0000000077800410 .text C:\Windows\system32\wininit.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000776a1de0 5 bytes JMP 0000000077800240 .text C:\Windows\system32\wininit.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000776a20a0 5 bytes JMP 00000000778001e0 .text C:\Windows\system32\wininit.exe[480] 
C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000776a2160 5 bytes JMP 0000000077800250 .text C:\Windows\system32\wininit.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000776a2190 5 bytes JMP 0000000077800490 .text C:\Windows\system32\wininit.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000776a21a0 5 bytes JMP 00000000778004a0 .text C:\Windows\system32\wininit.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000776a21d0 5 bytes JMP 0000000077800300 .text C:\Windows\system32\wininit.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000776a21e0 5 bytes JMP 0000000077800360 .text C:\Windows\system32\wininit.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000776a2240 5 bytes JMP 00000000778002a0 .text C:\Windows\system32\wininit.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000776a2290 5 bytes JMP 00000000778002c0 .text C:\Windows\system32\wininit.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000776a22c0 5 bytes JMP 0000000077800380 .text C:\Windows\system32\wininit.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000776a22d0 5 bytes JMP 0000000077800340 .text C:\Windows\system32\wininit.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000776a25c0 5 bytes JMP 0000000077800440 .text C:\Windows\system32\wininit.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000776a27c0 5 bytes JMP 0000000077800260 .text C:\Windows\system32\wininit.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000776a27d0 5 bytes JMP 0000000077800270 .text C:\Windows\system32\wininit.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000776a27e0 5 bytes JMP 0000000077800400 .text C:\Windows\system32\wininit.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000776a29a0 5 bytes JMP 00000000778001f0 .text C:\Windows\system32\wininit.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000776a29b0 5 bytes JMP 
0000000077800210 .text C:\Windows\system32\wininit.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000776a2a20 5 bytes JMP 0000000077800200 .text C:\Windows\system32\wininit.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000776a2a80 5 bytes JMP 0000000077800420 .text C:\Windows\system32\wininit.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000776a2a90 5 bytes JMP 0000000077800430 .text C:\Windows\system32\wininit.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000776a2aa0 5 bytes JMP 0000000077800220 .text C:\Windows\system32\wininit.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000776a2b80 5 bytes JMP 0000000077800280 .text C:\Windows\system32\wininit.exe[480] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007758eecd 1 byte [62] .text C:\Windows\system32\winlogon.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000776a1360 5 bytes JMP 0000000077800460 .text C:\Windows\system32\winlogon.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000776a13b0 5 bytes JMP 0000000077800450 .text C:\Windows\system32\winlogon.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000776a1510 5 bytes JMP 0000000077800370 .text C:\Windows\system32\winlogon.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000776a1560 5 bytes JMP 0000000077800470 .text C:\Windows\system32\winlogon.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000776a1570 5 bytes JMP 00000000778003e0 .text C:\Windows\system32\winlogon.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000776a1620 5 bytes JMP 0000000077800320 .text C:\Windows\system32\winlogon.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000776a1650 5 bytes JMP 00000000778003b0 .text C:\Windows\system32\winlogon.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000776a1670 5 bytes JMP 0000000077800390 .text C:\Windows\system32\winlogon.exe[528] 
C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000776a16b0 5 bytes JMP 00000000778002e0 .text C:\Windows\system32\winlogon.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000776a1730 5 bytes JMP 00000000778002d0 .text C:\Windows\system32\winlogon.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000776a1750 5 bytes JMP 0000000077800310 .text C:\Windows\system32\winlogon.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000776a1790 5 bytes JMP 00000000778003c0 .text C:\Windows\system32\winlogon.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000776a17e0 5 bytes JMP 00000000778003f0 .text C:\Windows\system32\winlogon.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000776a1940 5 bytes JMP 0000000077800230 .text C:\Windows\system32\winlogon.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000776a1b00 5 bytes JMP 0000000077800480 .text C:\Windows\system32\winlogon.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000776a1b30 5 bytes JMP 00000000778003a0 .text C:\Windows\system32\winlogon.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000776a1c10 5 bytes JMP 00000000778002f0 .text C:\Windows\system32\winlogon.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000776a1c20 5 bytes JMP 0000000077800350 .text C:\Windows\system32\winlogon.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000776a1c80 5 bytes JMP 0000000077800290 .text C:\Windows\system32\winlogon.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000776a1d10 5 bytes JMP 00000000778002b0 .text C:\Windows\system32\winlogon.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000776a1d30 5 bytes JMP 00000000778003d0 .text C:\Windows\system32\winlogon.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000776a1d40 5 bytes JMP 0000000077800330 .text C:\Windows\system32\winlogon.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000776a1db0 5 
bytes JMP 0000000077800410 .text C:\Windows\system32\winlogon.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000776a1de0 5 bytes JMP 0000000077800240 .text C:\Windows\system32\winlogon.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000776a20a0 5 bytes JMP 00000000778001e0 .text C:\Windows\system32\winlogon.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000776a2160 5 bytes JMP 0000000077800250 .text C:\Windows\system32\winlogon.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000776a2190 5 bytes JMP 0000000077800490 .text C:\Windows\system32\winlogon.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000776a21a0 5 bytes JMP 00000000778004a0 .text C:\Windows\system32\winlogon.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000776a21d0 5 bytes JMP 0000000077800300 .text C:\Windows\system32\winlogon.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000776a21e0 5 bytes JMP 0000000077800360 .text C:\Windows\system32\winlogon.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000776a2240 5 bytes JMP 00000000778002a0 .text C:\Windows\system32\winlogon.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000776a2290 5 bytes JMP 00000000778002c0 .text C:\Windows\system32\winlogon.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000776a22c0 5 bytes JMP 0000000077800380 .text C:\Windows\system32\winlogon.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000776a22d0 5 bytes JMP 0000000077800340 .text C:\Windows\system32\winlogon.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000776a25c0 5 bytes JMP 0000000077800440 .text C:\Windows\system32\winlogon.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000776a27c0 5 bytes JMP 0000000077800260 .text C:\Windows\system32\winlogon.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000776a27d0 5 bytes JMP 0000000077800270 .text C:\Windows\system32\winlogon.exe[528] 
C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000776a27e0 5 bytes JMP 0000000077800400 .text C:\Windows\system32\winlogon.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000776a29a0 5 bytes JMP 00000000778001f0 .text C:\Windows\system32\winlogon.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000776a29b0 5 bytes JMP 0000000077800210 .text C:\Windows\system32\winlogon.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000776a2a20 5 bytes JMP 0000000077800200 .text C:\Windows\system32\winlogon.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000776a2a80 5 bytes JMP 0000000077800420 .text C:\Windows\system32\winlogon.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000776a2a90 5 bytes JMP 0000000077800430 .text C:\Windows\system32\winlogon.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000776a2aa0 5 bytes JMP 0000000077800220 .text C:\Windows\system32\winlogon.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000776a2b80 5 bytes JMP 0000000077800280 .text C:\Windows\system32\winlogon.exe[528] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007758eecd 1 byte [62] .text C:\Windows\system32\services.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000776a1360 5 bytes JMP 0000000077800460 .text C:\Windows\system32\services.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000776a13b0 5 bytes JMP 0000000077800450 .text C:\Windows\system32\services.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000776a1510 5 bytes JMP 0000000077800370 .text C:\Windows\system32\services.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000776a1560 5 bytes JMP 0000000077800470 .text C:\Windows\system32\services.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000776a1570 5 bytes JMP 00000000778003e0 .text C:\Windows\system32\services.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000776a1620 5 bytes 
JMP 0000000077800320 .text C:\Windows\system32\services.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000776a1650 5 bytes JMP 00000000778003b0 .text C:\Windows\system32\services.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000776a1670 5 bytes JMP 0000000077800390 .text C:\Windows\system32\services.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000776a16b0 5 bytes JMP 00000000778002e0 .text C:\Windows\system32\services.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000776a1730 5 bytes JMP 00000000778002d0 .text C:\Windows\system32\services.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000776a1750 5 bytes JMP 0000000077800310 .text C:\Windows\system32\services.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000776a1790 5 bytes JMP 00000000778003c0 .text C:\Windows\system32\services.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000776a17e0 5 bytes JMP 00000000778003f0 .text C:\Windows\system32\services.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000776a1940 5 bytes JMP 0000000077800230 .text C:\Windows\system32\services.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000776a1b00 5 bytes JMP 0000000077800480 .text C:\Windows\system32\services.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000776a1b30 5 bytes JMP 00000000778003a0 .text C:\Windows\system32\services.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000776a1c10 5 bytes JMP 00000000778002f0 .text C:\Windows\system32\services.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000776a1c20 5 bytes JMP 0000000077800350 .text C:\Windows\system32\services.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000776a1c80 5 bytes JMP 0000000077800290 .text C:\Windows\system32\services.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000776a1d10 5 bytes JMP 00000000778002b0 .text C:\Windows\system32\services.exe[576] 
C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000776a1d30 5 bytes JMP 00000000778003d0 .text C:\Windows\system32\services.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000776a1d40 5 bytes JMP 0000000077800330 .text C:\Windows\system32\services.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000776a1db0 5 bytes JMP 0000000077800410 .text C:\Windows\system32\services.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000776a1de0 5 bytes JMP 0000000077800240 .text C:\Windows\system32\services.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000776a20a0 5 bytes JMP 00000000778001e0 .text C:\Windows\system32\services.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000776a2160 5 bytes JMP 0000000077800250 .text C:\Windows\system32\services.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000776a2190 5 bytes JMP 0000000077800490 .text C:\Windows\system32\services.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000776a21a0 5 bytes JMP 00000000778004a0 .text C:\Windows\system32\services.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000776a21d0 5 bytes JMP 0000000077800300 .text C:\Windows\system32\services.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000776a21e0 5 bytes JMP 0000000077800360 .text C:\Windows\system32\services.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000776a2240 5 bytes JMP 00000000778002a0 .text C:\Windows\system32\services.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000776a2290 5 bytes JMP 00000000778002c0 .text C:\Windows\system32\services.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000776a22c0 5 bytes JMP 0000000077800380 .text C:\Windows\system32\services.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000776a22d0 5 bytes JMP 0000000077800340 .text C:\Windows\system32\services.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000776a25c0 5 bytes JMP 
0000000077800440 .text C:\Windows\system32\services.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000776a27c0 5 bytes JMP 0000000077800260 .text C:\Windows\system32\services.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000776a27d0 5 bytes JMP 0000000077800270 .text C:\Windows\system32\services.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000776a27e0 5 bytes JMP 0000000077800400 .text C:\Windows\system32\services.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000776a29a0 5 bytes JMP 00000000778001f0 .text C:\Windows\system32\services.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000776a29b0 5 bytes JMP 0000000077800210 .text C:\Windows\system32\services.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000776a2a20 5 bytes JMP 0000000077800200 .text C:\Windows\system32\services.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000776a2a80 5 bytes JMP 0000000077800420 .text C:\Windows\system32\services.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000776a2a90 5 bytes JMP 0000000077800430 .text C:\Windows\system32\services.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000776a2aa0 5 bytes JMP 0000000077800220 .text C:\Windows\system32\services.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000776a2b80 5 bytes JMP 0000000077800280 .text C:\Windows\system32\services.exe[576] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007758eecd 1 byte [62] .text C:\Windows\system32\lsass.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000776a1360 5 bytes JMP 0000000077800460 .text C:\Windows\system32\lsass.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000776a13b0 5 bytes JMP 0000000077800450 .text C:\Windows\system32\lsass.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000776a1510 5 bytes JMP 0000000077800370 .text C:\Windows\system32\lsass.exe[584] 
C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000776a1560 5 bytes JMP 0000000077800470 .text C:\Windows\system32\lsass.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000776a1570 5 bytes JMP 00000000778003e0 .text C:\Windows\system32\lsass.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000776a1620 5 bytes JMP 0000000077800320 .text C:\Windows\system32\lsass.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000776a1650 5 bytes JMP 00000000778003b0 .text C:\Windows\system32\lsass.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000776a1670 5 bytes JMP 0000000077800390 .text C:\Windows\system32\lsass.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000776a16b0 5 bytes JMP 00000000778002e0 .text C:\Windows\system32\lsass.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000776a1730 5 bytes JMP 00000000778002d0 .text C:\Windows\system32\lsass.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000776a1750 5 bytes JMP 0000000077800310 .text C:\Windows\system32\lsass.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000776a1790 5 bytes JMP 00000000778003c0 .text C:\Windows\system32\lsass.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000776a17e0 5 bytes JMP 00000000778003f0 .text C:\Windows\system32\lsass.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000776a1940 5 bytes JMP 0000000077800230 .text C:\Windows\system32\lsass.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000776a1b00 5 bytes JMP 0000000077800480 .text C:\Windows\system32\lsass.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000776a1b30 5 bytes JMP 00000000778003a0 .text C:\Windows\system32\lsass.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000776a1c10 5 bytes JMP 00000000778002f0 .text C:\Windows\system32\lsass.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000776a1c20 5 bytes JMP 0000000077800350 .text 
C:\Windows\system32\lsass.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000776a1c80 5 bytes JMP 0000000077800290 .text C:\Windows\system32\lsass.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000776a1d10 5 bytes JMP 00000000778002b0 .text C:\Windows\system32\lsass.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000776a1d30 5 bytes JMP 00000000778003d0 .text C:\Windows\system32\lsass.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000776a1d40 5 bytes JMP 0000000077800330 .text C:\Windows\system32\lsass.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000776a1db0 5 bytes JMP 0000000077800410 .text C:\Windows\system32\lsass.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000776a1de0 5 bytes JMP 0000000077800240 .text C:\Windows\system32\lsass.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000776a20a0 5 bytes JMP 00000000778001e0 .text C:\Windows\system32\lsass.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000776a2160 5 bytes JMP 0000000077800250 .text C:\Windows\system32\lsass.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000776a2190 5 bytes JMP 0000000077800490 .text C:\Windows\system32\lsass.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000776a21a0 5 bytes JMP 00000000778004a0 .text C:\Windows\system32\lsass.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000776a21d0 5 bytes JMP 0000000077800300 .text C:\Windows\system32\lsass.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000776a21e0 5 bytes JMP 0000000077800360 .text C:\Windows\system32\lsass.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000776a2240 5 bytes JMP 00000000778002a0 .text C:\Windows\system32\lsass.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000776a2290 5 bytes JMP 00000000778002c0 .text C:\Windows\system32\lsass.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000776a22c0 5 bytes JMP 
0000000077800380 .text C:\Windows\system32\lsass.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000776a22d0 5 bytes JMP 0000000077800340 .text C:\Windows\system32\lsass.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000776a25c0 5 bytes JMP 0000000077800440 .text C:\Windows\system32\lsass.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000776a27c0 5 bytes JMP 0000000077800260 .text C:\Windows\system32\lsass.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000776a27d0 5 bytes JMP 0000000077800270 .text C:\Windows\system32\lsass.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000776a27e0 5 bytes JMP 0000000077800400 .text C:\Windows\system32\lsass.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000776a29a0 5 bytes JMP 00000000778001f0 .text C:\Windows\system32\lsass.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000776a29b0 5 bytes JMP 0000000077800210 .text C:\Windows\system32\lsass.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000776a2a20 5 bytes JMP 0000000077800200 .text C:\Windows\system32\lsass.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000776a2a80 5 bytes JMP 0000000077800420 .text C:\Windows\system32\lsass.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000776a2a90 5 bytes JMP 0000000077800430 .text C:\Windows\system32\lsass.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000776a2aa0 5 bytes JMP 0000000077800220 .text C:\Windows\system32\lsass.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000776a2b80 5 bytes JMP 0000000077800280 .text C:\Windows\system32\lsm.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000776a1360 5 bytes JMP 0000000100070460 .text C:\Windows\system32\lsm.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000776a13b0 5 bytes JMP 0000000100070450 .text C:\Windows\system32\lsm.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 
00000000776a1510 5 bytes JMP 0000000100070370 .text C:\Windows\system32\lsm.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000776a1560 5 bytes JMP 0000000100070470 .text C:\Windows\system32\lsm.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000776a1570 5 bytes JMP 00000001000703e0 .text C:\Windows\system32\lsm.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000776a1620 5 bytes JMP 0000000100070320 .text C:\Windows\system32\lsm.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000776a1650 5 bytes JMP 00000001000703b0 .text C:\Windows\system32\lsm.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000776a1670 5 bytes JMP 0000000100070390 .text C:\Windows\system32\lsm.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000776a16b0 5 bytes JMP 00000001000702e0 .text C:\Windows\system32\lsm.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000776a1730 5 bytes JMP 00000001000702d0 .text C:\Windows\system32\lsm.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000776a1750 5 bytes JMP 0000000100070310 .text C:\Windows\system32\lsm.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000776a1790 5 bytes JMP 00000001000703c0 .text C:\Windows\system32\lsm.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000776a17e0 5 bytes JMP 00000001000703f0 .text C:\Windows\system32\lsm.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000776a1940 5 bytes JMP 0000000100070230 .text C:\Windows\system32\lsm.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000776a1b00 5 bytes JMP 0000000100070480 .text C:\Windows\system32\lsm.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000776a1b30 5 bytes JMP 00000001000703a0 .text C:\Windows\system32\lsm.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000776a1c10 5 bytes JMP 00000001000702f0 .text C:\Windows\system32\lsm.exe[596] 
C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000776a1c20 5 bytes JMP 0000000100070350 .text C:\Windows\system32\lsm.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000776a1c80 5 bytes JMP 0000000100070290 .text C:\Windows\system32\lsm.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000776a1d10 5 bytes JMP 00000001000702b0 .text C:\Windows\system32\lsm.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000776a1d30 5 bytes JMP 00000001000703d0 .text C:\Windows\system32\lsm.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000776a1d40 5 bytes JMP 0000000100070330 .text C:\Windows\system32\lsm.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000776a1db0 5 bytes JMP 0000000100070410 .text C:\Windows\system32\lsm.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000776a1de0 5 bytes JMP 0000000100070240 .text C:\Windows\system32\lsm.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000776a20a0 5 bytes JMP 00000001000701e0 .text C:\Windows\system32\lsm.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000776a2160 5 bytes JMP 0000000100070250 .text C:\Windows\system32\lsm.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000776a2190 5 bytes JMP 0000000100070490 .text C:\Windows\system32\lsm.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000776a21a0 5 bytes JMP 00000001000704a0 .text C:\Windows\system32\lsm.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000776a21d0 5 bytes JMP 0000000100070300 .text C:\Windows\system32\lsm.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000776a21e0 5 bytes JMP 0000000100070360 .text C:\Windows\system32\lsm.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000776a2240 5 bytes JMP 00000001000702a0 .text C:\Windows\system32\lsm.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000776a2290 5 bytes JMP 00000001000702c0 .text C:\Windows\system32\lsm.exe[596] 
C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000776a22c0 5 bytes JMP 0000000100070380 .text C:\Windows\system32\lsm.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000776a22d0 5 bytes JMP 0000000100070340 .text C:\Windows\system32\lsm.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000776a25c0 5 bytes JMP 0000000100070440 .text C:\Windows\system32\lsm.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000776a27c0 5 bytes JMP 0000000100070260 .text C:\Windows\system32\lsm.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000776a27d0 5 bytes JMP 0000000100070270 .text C:\Windows\system32\lsm.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000776a27e0 5 bytes JMP 0000000100070400 .text C:\Windows\system32\lsm.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000776a29a0 5 bytes JMP 00000001000701f0 .text C:\Windows\system32\lsm.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000776a29b0 5 bytes JMP 0000000100070210 .text C:\Windows\system32\lsm.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000776a2a20 5 bytes JMP 0000000100070200 .text C:\Windows\system32\lsm.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000776a2a80 5 bytes JMP 0000000100070420 .text C:\Windows\system32\lsm.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000776a2a90 5 bytes JMP 0000000100070430 .text C:\Windows\system32\lsm.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000776a2aa0 5 bytes JMP 0000000100070220 .text C:\Windows\system32\lsm.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000776a2b80 5 bytes JMP 0000000100070280 .text C:\Windows\system32\svchost.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000776a1360 5 bytes JMP 0000000077800460 .text C:\Windows\system32\svchost.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000776a13b0 5 bytes JMP 0000000077800450 .text 
C:\Windows\system32\svchost.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000776a1510 5 bytes JMP 0000000077800370 .text C:\Windows\system32\svchost.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000776a1560 5 bytes JMP 0000000077800470 .text C:\Windows\system32\svchost.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000776a1570 5 bytes JMP 00000000778003e0 .text C:\Windows\system32\svchost.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000776a1620 5 bytes JMP 0000000077800320 .text C:\Windows\system32\svchost.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000776a1650 5 bytes JMP 00000000778003b0 .text C:\Windows\system32\svchost.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000776a1670 5 bytes JMP 0000000077800390 .text C:\Windows\system32\svchost.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000776a16b0 5 bytes JMP 00000000778002e0 .text C:\Windows\system32\svchost.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000776a1730 5 bytes JMP 00000000778002d0 .text C:\Windows\system32\svchost.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000776a1750 5 bytes JMP 0000000077800310 .text C:\Windows\system32\svchost.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000776a1790 5 bytes JMP 00000000778003c0 .text C:\Windows\system32\svchost.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000776a17e0 5 bytes JMP 00000000778003f0 .text C:\Windows\system32\svchost.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000776a1940 5 bytes JMP 0000000077800230 .text C:\Windows\system32\svchost.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000776a1b00 5 bytes JMP 0000000077800480 .text C:\Windows\system32\svchost.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000776a1b30 5 bytes JMP 00000000778003a0 .text C:\Windows\system32\svchost.exe[688] 
C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000776a1c10 5 bytes JMP 00000000778002f0 .text C:\Windows\system32\svchost.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000776a1c20 5 bytes JMP 0000000077800350 .text C:\Windows\system32\svchost.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000776a1c80 5 bytes JMP 0000000077800290 .text C:\Windows\system32\svchost.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000776a1d10 5 bytes JMP 00000000778002b0 .text C:\Windows\system32\svchost.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000776a1d30 5 bytes JMP 00000000778003d0 .text C:\Windows\system32\svchost.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000776a1d40 5 bytes JMP 0000000077800330 .text C:\Windows\system32\svchost.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000776a1db0 5 bytes JMP 0000000077800410 .text C:\Windows\system32\svchost.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000776a1de0 5 bytes JMP 0000000077800240 .text C:\Windows\system32\svchost.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000776a20a0 5 bytes JMP 00000000778001e0 .text C:\Windows\system32\svchost.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000776a2160 5 bytes JMP 0000000077800250 .text C:\Windows\system32\svchost.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000776a2190 5 bytes JMP 0000000077800490 .text C:\Windows\system32\svchost.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000776a21a0 5 bytes JMP 00000000778004a0 .text C:\Windows\system32\svchost.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000776a21d0 5 bytes JMP 0000000077800300 .text C:\Windows\system32\svchost.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000776a21e0 5 bytes JMP 0000000077800360 .text C:\Windows\system32\svchost.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000776a2240 5 bytes JMP 
00000000778002a0 .text C:\Windows\system32\svchost.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000776a2290 5 bytes JMP 00000000778002c0 .text C:\Windows\system32\svchost.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000776a22c0 5 bytes JMP 0000000077800380 .text C:\Windows\system32\svchost.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000776a22d0 5 bytes JMP 0000000077800340 .text C:\Windows\system32\svchost.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000776a25c0 5 bytes JMP 0000000077800440 .text C:\Windows\system32\svchost.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000776a27c0 5 bytes JMP 0000000077800260 .text C:\Windows\system32\svchost.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000776a27d0 5 bytes JMP 0000000077800270 .text C:\Windows\system32\svchost.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000776a27e0 5 bytes JMP 0000000077800400 .text C:\Windows\system32\svchost.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000776a29a0 5 bytes JMP 00000000778001f0 .text C:\Windows\system32\svchost.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000776a29b0 5 bytes JMP 0000000077800210 .text C:\Windows\system32\svchost.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000776a2a20 5 bytes JMP 0000000077800200 .text C:\Windows\system32\svchost.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000776a2a80 5 bytes JMP 0000000077800420 .text C:\Windows\system32\svchost.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000776a2a90 5 bytes JMP 0000000077800430 .text C:\Windows\system32\svchost.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000776a2aa0 5 bytes JMP 0000000077800220 .text C:\Windows\system32\svchost.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000776a2b80 5 bytes JMP 0000000077800280 .text C:\Windows\system32\svchost.exe[688] 
C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007758eecd 1 byte [62] .text C:\Windows\system32\nvvsvc.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000776a1360 5 bytes JMP 0000000077800460 .text C:\Windows\system32\nvvsvc.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000776a13b0 5 bytes JMP 0000000077800450 .text C:\Windows\system32\nvvsvc.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000776a1510 5 bytes JMP 0000000077800370 .text C:\Windows\system32\nvvsvc.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000776a1560 5 bytes JMP 0000000077800470 .text C:\Windows\system32\nvvsvc.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000776a1570 5 bytes JMP 00000000778003e0 .text C:\Windows\system32\nvvsvc.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000776a1620 5 bytes JMP 0000000077800320 .text C:\Windows\system32\nvvsvc.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000776a1650 5 bytes JMP 00000000778003b0 .text C:\Windows\system32\nvvsvc.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000776a1670 5 bytes JMP 0000000077800390 .text C:\Windows\system32\nvvsvc.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000776a16b0 5 bytes JMP 00000000778002e0 .text C:\Windows\system32\nvvsvc.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000776a1730 5 bytes JMP 00000000778002d0 .text C:\Windows\system32\nvvsvc.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000776a1750 5 bytes JMP 0000000077800310 .text C:\Windows\system32\nvvsvc.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000776a1790 5 bytes JMP 00000000778003c0 .text C:\Windows\system32\nvvsvc.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000776a17e0 5 bytes JMP 00000000778003f0 .text C:\Windows\system32\nvvsvc.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000776a1940 5 bytes JMP 0000000077800230 .text 
C:\Windows\system32\nvvsvc.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000776a1b00 5 bytes JMP 0000000077800480 .text C:\Windows\system32\nvvsvc.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000776a1b30 5 bytes JMP 00000000778003a0 .text C:\Windows\system32\nvvsvc.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000776a1c10 5 bytes JMP 00000000778002f0 .text C:\Windows\system32\nvvsvc.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000776a1c20 5 bytes JMP 0000000077800350 .text C:\Windows\system32\nvvsvc.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000776a1c80 5 bytes JMP 0000000077800290 .text C:\Windows\system32\nvvsvc.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000776a1d10 5 bytes JMP 00000000778002b0 .text C:\Windows\system32\nvvsvc.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000776a1d30 5 bytes JMP 00000000778003d0 .text C:\Windows\system32\nvvsvc.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000776a1d40 5 bytes JMP 0000000077800330 .text C:\Windows\system32\nvvsvc.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000776a1db0 5 bytes JMP 0000000077800410 .text C:\Windows\system32\nvvsvc.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000776a1de0 5 bytes JMP 0000000077800240 .text C:\Windows\system32\nvvsvc.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000776a20a0 5 bytes JMP 00000000778001e0 .text C:\Windows\system32\nvvsvc.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000776a2160 5 bytes JMP 0000000077800250 .text C:\Windows\system32\nvvsvc.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000776a2190 5 bytes JMP 0000000077800490 .text C:\Windows\system32\nvvsvc.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000776a21a0 5 bytes JMP 00000000778004a0 .text C:\Windows\system32\nvvsvc.exe[772] 
C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000776a21d0 5 bytes JMP 0000000077800300 .text C:\Windows\system32\nvvsvc.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000776a21e0 5 bytes JMP 0000000077800360 .text C:\Windows\system32\nvvsvc.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000776a2240 5 bytes JMP 00000000778002a0 .text C:\Windows\system32\nvvsvc.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000776a2290 5 bytes JMP 00000000778002c0 .text C:\Windows\system32\nvvsvc.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000776a22c0 5 bytes JMP 0000000077800380 .text C:\Windows\system32\nvvsvc.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000776a22d0 5 bytes JMP 0000000077800340 .text C:\Windows\system32\nvvsvc.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000776a25c0 5 bytes JMP 0000000077800440 .text C:\Windows\system32\nvvsvc.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000776a27c0 5 bytes JMP 0000000077800260 .text C:\Windows\system32\nvvsvc.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000776a27d0 5 bytes JMP 0000000077800270 .text C:\Windows\system32\nvvsvc.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000776a27e0 5 bytes JMP 0000000077800400 .text C:\Windows\system32\nvvsvc.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000776a29a0 5 bytes JMP 00000000778001f0 .text C:\Windows\system32\nvvsvc.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000776a29b0 5 bytes JMP 0000000077800210 .text C:\Windows\system32\nvvsvc.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000776a2a20 5 bytes JMP 0000000077800200 .text C:\Windows\system32\nvvsvc.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000776a2a80 5 bytes JMP 0000000077800420 .text C:\Windows\system32\nvvsvc.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000776a2a90 5 bytes JMP 0000000077800430 .text 
C:\Windows\system32\nvvsvc.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000776a2aa0 5 bytes JMP 0000000077800220 .text C:\Windows\system32\nvvsvc.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000776a2b80 5 bytes JMP 0000000077800280 .text C:\Windows\system32\nvvsvc.exe[772] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007758eecd 1 byte [62] .text C:\Windows\system32\svchost.exe[812] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000776a1360 5 bytes JMP 0000000077800460 .text C:\Windows\system32\svchost.exe[812] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000776a13b0 5 bytes JMP 0000000077800450 .text C:\Windows\system32\svchost.exe[812] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000776a1510 5 bytes JMP 0000000077800370 .text C:\Windows\system32\svchost.exe[812] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000776a1560 5 bytes JMP 0000000077800470 .text C:\Windows\system32\svchost.exe[812] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000776a1570 5 bytes JMP 00000000778003e0 .text C:\Windows\system32\svchost.exe[812] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000776a1620 5 bytes JMP 0000000077800320 .text C:\Windows\system32\svchost.exe[812] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000776a1650 5 bytes JMP 00000000778003b0 .text C:\Windows\system32\svchost.exe[812] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000776a1670 5 bytes JMP 0000000077800390 .text C:\Windows\system32\svchost.exe[812] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000776a16b0 5 bytes JMP 00000000778002e0 .text C:\Windows\system32\svchost.exe[812] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000776a1730 5 bytes JMP 00000000778002d0 .text C:\Windows\system32\svchost.exe[812] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000776a1750 5 bytes JMP 0000000077800310 .text C:\Windows\system32\svchost.exe[812] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000776a1790 5 
bytes JMP 00000000778003c0 .text C:\Windows\system32\svchost.exe[812] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000776a17e0 5 bytes JMP 00000000778003f0 .text C:\Windows\system32\svchost.exe[812] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000776a1940 5 bytes JMP 0000000077800230 .text C:\Windows\system32\svchost.exe[812] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000776a1b00 5 bytes JMP 0000000077800480 .text C:\Windows\system32\svchost.exe[812] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000776a1b30 5 bytes JMP 00000000778003a0 .text C:\Windows\system32\svchost.exe[812] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000776a1c10 5 bytes JMP 00000000778002f0 .text C:\Windows\system32\svchost.exe[812] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000776a1c20 5 bytes JMP 0000000077800350 .text C:\Windows\system32\svchost.exe[812] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000776a1c80 5 bytes JMP 0000000077800290 .text C:\Windows\system32\svchost.exe[812] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000776a1d10 5 bytes JMP 00000000778002b0 .text C:\Windows\system32\svchost.exe[812] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000776a1d30 5 bytes JMP 00000000778003d0 .text C:\Windows\system32\svchost.exe[812] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000776a1d40 5 bytes JMP 0000000077800330 .text C:\Windows\system32\svchost.exe[812] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000776a1db0 5 bytes JMP 0000000077800410 .text C:\Windows\system32\svchost.exe[812] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000776a1de0 5 bytes JMP 0000000077800240 .text C:\Windows\system32\svchost.exe[812] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000776a20a0 5 bytes JMP 00000000778001e0 .text C:\Windows\system32\svchost.exe[812] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000776a2160 5 bytes JMP 0000000077800250 .text C:\Windows\system32\svchost.exe[812] 
C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000776a2190 5 bytes JMP 0000000077800490 .text C:\Windows\system32\svchost.exe[812] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000776a21a0 5 bytes JMP 00000000778004a0 .text C:\Windows\system32\svchost.exe[812] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000776a21d0 5 bytes JMP 0000000077800300 .text C:\Windows\system32\svchost.exe[812] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000776a21e0 5 bytes JMP 0000000077800360 .text C:\Windows\system32\svchost.exe[812] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000776a2240 5 bytes JMP 00000000778002a0 .text C:\Windows\system32\svchost.exe[812] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000776a2290 5 bytes JMP 00000000778002c0 .text C:\Windows\system32\svchost.exe[812] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000776a22c0 5 bytes JMP 0000000077800380 .text C:\Windows\system32\svchost.exe[812] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000776a22d0 5 bytes JMP 0000000077800340 .text C:\Windows\system32\svchost.exe[812] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000776a25c0 5 bytes JMP 0000000077800440 .text C:\Windows\system32\svchost.exe[812] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000776a27c0 5 bytes JMP 0000000077800260 .text C:\Windows\system32\svchost.exe[812] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000776a27d0 5 bytes JMP 0000000077800270 .text C:\Windows\system32\svchost.exe[812] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000776a27e0 5 bytes JMP 0000000077800400 .text C:\Windows\system32\svchost.exe[812] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000776a29a0 5 bytes JMP 00000000778001f0 .text C:\Windows\system32\svchost.exe[812] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000776a29b0 5 bytes JMP 0000000077800210 .text C:\Windows\system32\svchost.exe[812] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000776a2a20 5 bytes JMP 
0000000077800200 .text C:\Windows\system32\svchost.exe[812] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000776a2a80 5 bytes JMP 0000000077800420 .text C:\Windows\system32\svchost.exe[812] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000776a2a90 5 bytes JMP 0000000077800430 .text C:\Windows\system32\svchost.exe[812] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000776a2aa0 5 bytes JMP 0000000077800220 .text C:\Windows\system32\svchost.exe[812] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000776a2b80 5 bytes JMP 0000000077800280 .text C:\Windows\System32\svchost.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000776a1360 5 bytes JMP 0000000077800460 .text C:\Windows\System32\svchost.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000776a13b0 5 bytes JMP 0000000077800450 .text C:\Windows\System32\svchost.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000776a1510 5 bytes JMP 0000000077800370 .text C:\Windows\System32\svchost.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000776a1560 5 bytes JMP 0000000077800470 .text C:\Windows\System32\svchost.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000776a1570 5 bytes JMP 00000000778003e0 .text C:\Windows\System32\svchost.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000776a1620 5 bytes JMP 0000000077800320 .text C:\Windows\System32\svchost.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000776a1650 5 bytes JMP 00000000778003b0 .text C:\Windows\System32\svchost.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000776a1670 5 bytes JMP 0000000077800390 .text C:\Windows\System32\svchost.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000776a16b0 5 bytes JMP 00000000778002e0 .text C:\Windows\System32\svchost.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000776a1730 5 bytes JMP 00000000778002d0 .text C:\Windows\System32\svchost.exe[908] 
C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000776a1750 5 bytes JMP 0000000077800310 .text C:\Windows\System32\svchost.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000776a1790 5 bytes JMP 00000000778003c0 .text C:\Windows\System32\svchost.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000776a17e0 5 bytes JMP 00000000778003f0 .text C:\Windows\System32\svchost.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000776a1940 5 bytes JMP 0000000077800230 .text C:\Windows\System32\svchost.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000776a1b00 5 bytes JMP 0000000077800480 .text C:\Windows\System32\svchost.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000776a1b30 5 bytes JMP 00000000778003a0 .text C:\Windows\System32\svchost.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000776a1c10 5 bytes JMP 00000000778002f0 .text C:\Windows\System32\svchost.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000776a1c20 5 bytes JMP 0000000077800350 .text C:\Windows\System32\svchost.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000776a1c80 5 bytes JMP 0000000077800290 .text C:\Windows\System32\svchost.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000776a1d10 5 bytes JMP 00000000778002b0 .text C:\Windows\System32\svchost.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000776a1d30 5 bytes JMP 00000000778003d0 .text C:\Windows\System32\svchost.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000776a1d40 5 bytes JMP 0000000077800330 .text C:\Windows\System32\svchost.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000776a1db0 5 bytes JMP 0000000077800410 .text C:\Windows\System32\svchost.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000776a1de0 5 bytes JMP 0000000077800240 .text C:\Windows\System32\svchost.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000776a20a0 5 bytes JMP 
00000000778001e0 .text C:\Windows\System32\svchost.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000776a2160 5 bytes JMP 0000000077800250 .text C:\Windows\System32\svchost.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000776a2190 5 bytes JMP 0000000077800490 .text C:\Windows\System32\svchost.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000776a21a0 5 bytes JMP 00000000778004a0 .text C:\Windows\System32\svchost.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000776a21d0 5 bytes JMP 0000000077800300 .text C:\Windows\System32\svchost.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000776a21e0 5 bytes JMP 0000000077800360 .text C:\Windows\System32\svchost.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000776a2240 5 bytes JMP 00000000778002a0 .text C:\Windows\System32\svchost.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000776a2290 5 bytes JMP 00000000778002c0 .text C:\Windows\System32\svchost.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000776a22c0 5 bytes JMP 0000000077800380 .text C:\Windows\System32\svchost.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000776a22d0 5 bytes JMP 0000000077800340 .text C:\Windows\System32\svchost.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000776a25c0 5 bytes JMP 0000000077800440 .text C:\Windows\System32\svchost.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000776a27c0 5 bytes JMP 0000000077800260 .text C:\Windows\System32\svchost.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000776a27d0 5 bytes JMP 0000000077800270 .text C:\Windows\System32\svchost.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000776a27e0 5 bytes JMP 0000000077800400 .text C:\Windows\System32\svchost.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000776a29a0 5 bytes JMP 00000000778001f0 .text C:\Windows\System32\svchost.exe[908] 
C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000776a29b0 5 bytes JMP 0000000077800210 .text C:\Windows\System32\svchost.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000776a2a20 5 bytes JMP 0000000077800200 .text C:\Windows\System32\svchost.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000776a2a80 5 bytes JMP 0000000077800420 .text C:\Windows\System32\svchost.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000776a2a90 5 bytes JMP 0000000077800430 .text C:\Windows\System32\svchost.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000776a2aa0 5 bytes JMP 0000000077800220 .text C:\Windows\System32\svchost.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000776a2b80 5 bytes JMP 0000000077800280 .text C:\Windows\System32\svchost.exe[908] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007758eecd 1 byte [62] .text C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000776a1360 5 bytes JMP 0000000077800460 .text C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000776a13b0 5 bytes JMP 0000000077800450 .text C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000776a1510 5 bytes JMP 0000000077800370 .text C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000776a1560 5 bytes JMP 0000000077800470 .text C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000776a1570 5 bytes JMP 00000000778003e0 .text C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000776a1620 5 bytes JMP 0000000077800320 .text C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000776a1650 5 bytes JMP 00000000778003b0 .text C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000776a1670 5 bytes JMP 
0000000077800390 .text C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000776a16b0 5 bytes JMP 00000000778002e0 .text C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000776a1730 5 bytes JMP 00000000778002d0 .text C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000776a1750 5 bytes JMP 0000000077800310 .text C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000776a1790 5 bytes JMP 00000000778003c0 .text C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000776a17e0 5 bytes JMP 00000000778003f0 .text C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000776a1940 5 bytes JMP 0000000077800230 .text C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000776a1b00 5 bytes JMP 0000000077800480 .text C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000776a1b30 5 bytes JMP 00000000778003a0 .text C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000776a1c10 5 bytes JMP 00000000778002f0 .text C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000776a1c20 5 bytes JMP 0000000077800350 .text C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000776a1c80 5 bytes JMP 0000000077800290 .text C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000776a1d10 5 bytes JMP 00000000778002b0 .text C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000776a1d30 5 bytes JMP 00000000778003d0 .text C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000776a1d40 5 bytes JMP 0000000077800330 .text C:\Windows\System32\svchost.exe[944] 
C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000776a1db0 5 bytes JMP 0000000077800410 .text C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000776a1de0 5 bytes JMP 0000000077800240 .text C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000776a20a0 5 bytes JMP 00000000778001e0 .text C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000776a2160 5 bytes JMP 0000000077800250 .text C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000776a2190 5 bytes JMP 0000000077800490 .text C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000776a21a0 5 bytes JMP 00000000778004a0 .text C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000776a21d0 5 bytes JMP 0000000077800300 .text C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000776a21e0 5 bytes JMP 0000000077800360 .text C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000776a2240 5 bytes JMP 00000000778002a0 .text C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000776a2290 5 bytes JMP 00000000778002c0 .text C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000776a22c0 5 bytes JMP 0000000077800380 .text C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000776a22d0 5 bytes JMP 0000000077800340 .text C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000776a25c0 5 bytes JMP 0000000077800440 .text C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000776a27c0 5 bytes JMP 0000000077800260 .text C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000776a27d0 5 bytes JMP 
0000000077800270 .text C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000776a27e0 5 bytes JMP 0000000077800400 .text C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000776a29a0 5 bytes JMP 00000000778001f0 .text C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000776a29b0 5 bytes JMP 0000000077800210 .text C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000776a2a20 5 bytes JMP 0000000077800200 .text C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000776a2a80 5 bytes JMP 0000000077800420 .text C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000776a2a90 5 bytes JMP 0000000077800430 .text C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000776a2aa0 5 bytes JMP 0000000077800220 .text C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000776a2b80 5 bytes JMP 0000000077800280 .text C:\Windows\System32\svchost.exe[944] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007758eecd 1 byte [62] .text C:\Windows\system32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000776a1360 5 bytes JMP 0000000077800460 .text C:\Windows\system32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000776a13b0 5 bytes JMP 0000000077800450 .text C:\Windows\system32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000776a1510 5 bytes JMP 0000000077800370 .text C:\Windows\system32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000776a1560 5 bytes JMP 0000000077800470 .text C:\Windows\system32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000776a1570 5 bytes JMP 00000000778003e0 .text C:\Windows\system32\svchost.exe[976] 
C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000776a1620 5 bytes JMP 0000000077800320 .text C:\Windows\system32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000776a1650 5 bytes JMP 00000000778003b0 .text C:\Windows\system32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000776a1670 5 bytes JMP 0000000077800390 .text C:\Windows\system32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000776a16b0 5 bytes JMP 00000000778002e0 .text C:\Windows\system32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000776a1730 5 bytes JMP 00000000778002d0 .text C:\Windows\system32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000776a1750 5 bytes JMP 0000000077800310 .text C:\Windows\system32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000776a1790 5 bytes JMP 00000000778003c0 .text C:\Windows\system32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000776a17e0 5 bytes JMP 00000000778003f0 .text C:\Windows\system32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000776a1940 5 bytes JMP 0000000077800230 .text C:\Windows\system32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000776a1b00 5 bytes JMP 0000000077800480 .text C:\Windows\system32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000776a1b30 5 bytes JMP 00000000778003a0 .text C:\Windows\system32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000776a1c10 5 bytes JMP 00000000778002f0 .text C:\Windows\system32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000776a1c20 5 bytes JMP 0000000077800350 .text C:\Windows\system32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000776a1c80 5 bytes JMP 0000000077800290 .text C:\Windows\system32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000776a1d10 5 bytes JMP 
00000000778002b0 .text C:\Windows\system32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000776a1d30 5 bytes JMP 00000000778003d0 .text C:\Windows\system32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000776a1d40 5 bytes JMP 0000000077800330 .text C:\Windows\system32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000776a1db0 5 bytes JMP 0000000077800410 .text C:\Windows\system32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000776a1de0 5 bytes JMP 0000000077800240 .text C:\Windows\system32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000776a20a0 5 bytes JMP 00000000778001e0 .text C:\Windows\system32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000776a2160 5 bytes JMP 0000000077800250 .text C:\Windows\system32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000776a2190 5 bytes JMP 0000000077800490 .text C:\Windows\system32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000776a21a0 5 bytes JMP 00000000778004a0 .text C:\Windows\system32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000776a21d0 5 bytes JMP 0000000077800300 .text C:\Windows\system32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000776a21e0 5 bytes JMP 0000000077800360 .text C:\Windows\system32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000776a2240 5 bytes JMP 00000000778002a0 .text C:\Windows\system32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000776a2290 5 bytes JMP 00000000778002c0 .text C:\Windows\system32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000776a22c0 5 bytes JMP 0000000077800380 .text C:\Windows\system32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000776a22d0 5 bytes JMP 0000000077800340 .text C:\Windows\system32\svchost.exe[976] 
C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000776a25c0 5 bytes JMP 0000000077800440 .text C:\Windows\system32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000776a27c0 5 bytes JMP 0000000077800260 .text C:\Windows\system32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000776a27d0 5 bytes JMP 0000000077800270 .text C:\Windows\system32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000776a27e0 5 bytes JMP 0000000077800400 .text C:\Windows\system32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000776a29a0 5 bytes JMP 00000000778001f0 .text C:\Windows\system32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000776a29b0 5 bytes JMP 0000000077800210 .text C:\Windows\system32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000776a2a20 5 bytes JMP 0000000077800200 .text C:\Windows\system32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000776a2a80 5 bytes JMP 0000000077800420 .text C:\Windows\system32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000776a2a90 5 bytes JMP 0000000077800430 .text C:\Windows\system32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000776a2aa0 5 bytes JMP 0000000077800220 .text C:\Windows\system32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000776a2b80 5 bytes JMP 0000000077800280 .text C:\Windows\system32\svchost.exe[976] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007758eecd 1 byte [62] .text C:\Windows\system32\svchost.exe[296] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000776a1360 5 bytes JMP 0000000077800460 .text C:\Windows\system32\svchost.exe[296] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000776a13b0 5 bytes JMP 0000000077800450 .text C:\Windows\system32\svchost.exe[296] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000776a1510 5 bytes JMP 
0000000077800370 .text C:\Windows\system32\svchost.exe[296] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000776a1560 5 bytes JMP 0000000077800470 .text C:\Windows\system32\svchost.exe[296] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000776a1570 5 bytes JMP 00000000778003e0 .text C:\Windows\system32\svchost.exe[296] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000776a1620 5 bytes JMP 0000000077800320 .text C:\Windows\system32\svchost.exe[296] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000776a1650 5 bytes JMP 00000000778003b0 .text C:\Windows\system32\svchost.exe[296] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000776a1670 5 bytes JMP 0000000077800390 .text C:\Windows\system32\svchost.exe[296] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000776a16b0 5 bytes JMP 00000000778002e0 .text C:\Windows\system32\svchost.exe[296] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000776a1730 5 bytes JMP 00000000778002d0 .text C:\Windows\system32\svchost.exe[296] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000776a1750 5 bytes JMP 0000000077800310 .text C:\Windows\system32\svchost.exe[296] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000776a1790 5 bytes JMP 00000000778003c0 .text C:\Windows\system32\svchost.exe[296] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000776a17e0 5 bytes JMP 00000000778003f0 .text C:\Windows\system32\svchost.exe[296] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000776a1940 5 bytes JMP 0000000077800230 .text C:\Windows\system32\svchost.exe[296] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000776a1b00 5 bytes JMP 0000000077800480 .text C:\Windows\system32\svchost.exe[296] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000776a1b30 5 bytes JMP 00000000778003a0 .text C:\Windows\system32\svchost.exe[296] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000776a1c10 5 bytes JMP 00000000778002f0 .text C:\Windows\system32\svchost.exe[296] 
C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000776a1c20 5 bytes JMP 0000000077800350 .text C:\Windows\system32\svchost.exe[296] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000776a1c80 5 bytes JMP 0000000077800290 .text C:\Windows\system32\svchost.exe[296] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000776a1d10 5 bytes JMP 00000000778002b0 .text C:\Windows\system32\svchost.exe[296] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000776a1d30 5 bytes JMP 00000000778003d0 .text C:\Windows\system32\svchost.exe[296] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000776a1d40 5 bytes JMP 0000000077800330 .text C:\Windows\system32\svchost.exe[296] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000776a1db0 5 bytes JMP 0000000077800410 .text C:\Windows\system32\svchost.exe[296] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000776a1de0 5 bytes JMP 0000000077800240 .text C:\Windows\system32\svchost.exe[296] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000776a20a0 5 bytes JMP 00000000778001e0 .text C:\Windows\system32\svchost.exe[296] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000776a2160 5 bytes JMP 0000000077800250 .text C:\Windows\system32\svchost.exe[296] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000776a2190 5 bytes JMP 0000000077800490 .text C:\Windows\system32\svchost.exe[296] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000776a21a0 5 bytes JMP 00000000778004a0 .text C:\Windows\system32\svchost.exe[296] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000776a21d0 5 bytes JMP 0000000077800300 .text C:\Windows\system32\svchost.exe[296] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000776a21e0 5 bytes JMP 0000000077800360 .text C:\Windows\system32\svchost.exe[296] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000776a2240 5 bytes JMP 00000000778002a0 .text C:\Windows\system32\svchost.exe[296] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000776a2290 5 bytes JMP 
00000000778002c0 .text C:\Windows\system32\svchost.exe[296] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000776a22c0 5 bytes JMP 0000000077800380 .text C:\Windows\system32\svchost.exe[296] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000776a22d0 5 bytes JMP 0000000077800340 .text C:\Windows\system32\svchost.exe[296] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000776a25c0 5 bytes JMP 0000000077800440 .text C:\Windows\system32\svchost.exe[296] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000776a27c0 5 bytes JMP 0000000077800260 .text C:\Windows\system32\svchost.exe[296] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000776a27d0 5 bytes JMP 0000000077800270 .text C:\Windows\system32\svchost.exe[296] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000776a27e0 5 bytes JMP 0000000077800400 .text C:\Windows\system32\svchost.exe[296] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000776a29a0 5 bytes JMP 00000000778001f0 .text C:\Windows\system32\svchost.exe[296] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000776a29b0 5 bytes JMP 0000000077800210 .text C:\Windows\system32\svchost.exe[296] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000776a2a20 5 bytes JMP 0000000077800200 .text C:\Windows\system32\svchost.exe[296] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000776a2a80 5 bytes JMP 0000000077800420 .text C:\Windows\system32\svchost.exe[296] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000776a2a90 5 bytes JMP 0000000077800430 .text C:\Windows\system32\svchost.exe[296] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000776a2aa0 5 bytes JMP 0000000077800220 .text C:\Windows\system32\svchost.exe[296] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000776a2b80 5 bytes JMP 0000000077800280 .text C:\Windows\system32\svchost.exe[296] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007758eecd 1 byte [62] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1028] 
C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000776a1360 5 bytes JMP 0000000077800460 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000776a13b0 5 bytes JMP 0000000077800450 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000776a1510 5 bytes JMP 0000000077800370 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000776a1560 5 bytes JMP 0000000077800470 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000776a1570 5 bytes JMP 00000000778003e0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000776a1620 5 bytes JMP 0000000077800320 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000776a1650 5 bytes JMP 00000000778003b0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000776a1670 5 bytes JMP 0000000077800390 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000776a16b0 5 bytes JMP 00000000778002e0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000776a1730 5 bytes JMP 00000000778002d0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000776a1750 5 bytes JMP 0000000077800310 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000776a1790 5 bytes JMP 00000000778003c0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 
00000000776a17e0 5 bytes JMP 00000000778003f0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000776a1940 5 bytes JMP 0000000077800230 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000776a1b00 5 bytes JMP 0000000077800480 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000776a1b30 5 bytes JMP 00000000778003a0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000776a1c10 5 bytes JMP 00000000778002f0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000776a1c20 5 bytes JMP 0000000077800350 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000776a1c80 5 bytes JMP 0000000077800290 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000776a1d10 5 bytes JMP 00000000778002b0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000776a1d30 5 bytes JMP 00000000778003d0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000776a1d40 5 bytes JMP 0000000077800330 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000776a1db0 5 bytes JMP 0000000077800410 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000776a1de0 5 bytes JMP 0000000077800240 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000776a20a0 5 bytes JMP 
00000000778001e0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000776a2160 5 bytes JMP 0000000077800250 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000776a2190 5 bytes JMP 0000000077800490 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000776a21a0 5 bytes JMP 00000000778004a0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000776a21d0 5 bytes JMP 0000000077800300 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000776a21e0 5 bytes JMP 0000000077800360 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000776a2240 5 bytes JMP 00000000778002a0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000776a2290 5 bytes JMP 00000000778002c0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000776a22c0 5 bytes JMP 0000000077800380 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000776a22d0 5 bytes JMP 0000000077800340 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000776a25c0 5 bytes JMP 0000000077800440 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000776a27c0 5 bytes JMP 0000000077800260 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000776a27d0 5 bytes JMP 0000000077800270 .text C:\Program Files\NVIDIA 
Corporation\Display\nvxdsync.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000776a27e0 5 bytes JMP 0000000077800400 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000776a29a0 5 bytes JMP 00000000778001f0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000776a29b0 5 bytes JMP 0000000077800210 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000776a2a20 5 bytes JMP 0000000077800200 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000776a2a80 5 bytes JMP 0000000077800420 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000776a2a90 5 bytes JMP 0000000077800430 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000776a2aa0 5 bytes JMP 0000000077800220 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000776a2b80 5 bytes JMP 0000000077800280 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1028] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007758eecd 1 byte [62] .text C:\Windows\system32\nvvsvc.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000776a1360 5 bytes JMP 0000000077800460 .text C:\Windows\system32\nvvsvc.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000776a13b0 5 bytes JMP 0000000077800450 .text C:\Windows\system32\nvvsvc.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000776a1510 5 bytes JMP 0000000077800370 .text C:\Windows\system32\nvvsvc.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000776a1560 5 bytes JMP 0000000077800470 .text 
C:\Windows\system32\nvvsvc.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000776a1570 5 bytes JMP 00000000778003e0 .text C:\Windows\system32\nvvsvc.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000776a1620 5 bytes JMP 0000000077800320 .text C:\Windows\system32\nvvsvc.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000776a1650 5 bytes JMP 00000000778003b0 .text C:\Windows\system32\nvvsvc.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000776a1670 5 bytes JMP 0000000077800390 .text C:\Windows\system32\nvvsvc.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000776a16b0 5 bytes JMP 00000000778002e0 .text C:\Windows\system32\nvvsvc.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000776a1730 5 bytes JMP 00000000778002d0 .text C:\Windows\system32\nvvsvc.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000776a1750 5 bytes JMP 0000000077800310 .text C:\Windows\system32\nvvsvc.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000776a1790 5 bytes JMP 00000000778003c0 .text C:\Windows\system32\nvvsvc.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000776a17e0 5 bytes JMP 00000000778003f0 .text C:\Windows\system32\nvvsvc.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000776a1940 5 bytes JMP 0000000077800230 .text C:\Windows\system32\nvvsvc.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000776a1b00 5 bytes JMP 0000000077800480 .text C:\Windows\system32\nvvsvc.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000776a1b30 5 bytes JMP 00000000778003a0 .text C:\Windows\system32\nvvsvc.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000776a1c10 5 bytes JMP 00000000778002f0 .text C:\Windows\system32\nvvsvc.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000776a1c20 5 bytes JMP 0000000077800350 .text C:\Windows\system32\nvvsvc.exe[1036] 
C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000776a1c80 5 bytes JMP 0000000077800290 .text C:\Windows\system32\nvvsvc.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000776a1d10 5 bytes JMP 00000000778002b0 .text C:\Windows\system32\nvvsvc.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000776a1d30 5 bytes JMP 00000000778003d0 .text C:\Windows\system32\nvvsvc.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000776a1d40 5 bytes JMP 0000000077800330 .text C:\Windows\system32\nvvsvc.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000776a1db0 5 bytes JMP 0000000077800410 .text C:\Windows\system32\nvvsvc.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000776a1de0 5 bytes JMP 0000000077800240 .text C:\Windows\system32\nvvsvc.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000776a20a0 5 bytes JMP 00000000778001e0 .text C:\Windows\system32\nvvsvc.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000776a2160 5 bytes JMP 0000000077800250 .text C:\Windows\system32\nvvsvc.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000776a2190 5 bytes JMP 0000000077800490 .text C:\Windows\system32\nvvsvc.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000776a21a0 5 bytes JMP 00000000778004a0 .text C:\Windows\system32\nvvsvc.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000776a21d0 5 bytes JMP 0000000077800300 .text C:\Windows\system32\nvvsvc.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000776a21e0 5 bytes JMP 0000000077800360 .text C:\Windows\system32\nvvsvc.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000776a2240 5 bytes JMP 00000000778002a0 .text C:\Windows\system32\nvvsvc.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000776a2290 5 bytes JMP 00000000778002c0 .text C:\Windows\system32\nvvsvc.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000776a22c0 5 bytes JMP 0000000077800380 
.text C:\Windows\system32\nvvsvc.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000776a22d0 5 bytes JMP 0000000077800340 .text C:\Windows\system32\nvvsvc.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000776a25c0 5 bytes JMP 0000000077800440 .text C:\Windows\system32\nvvsvc.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000776a27c0 5 bytes JMP 0000000077800260 .text C:\Windows\system32\nvvsvc.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000776a27d0 5 bytes JMP 0000000077800270 .text C:\Windows\system32\nvvsvc.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000776a27e0 5 bytes JMP 0000000077800400 .text C:\Windows\system32\nvvsvc.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000776a29a0 5 bytes JMP 00000000778001f0 .text C:\Windows\system32\nvvsvc.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000776a29b0 5 bytes JMP 0000000077800210 .text C:\Windows\system32\nvvsvc.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000776a2a20 5 bytes JMP 0000000077800200 .text C:\Windows\system32\nvvsvc.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000776a2a80 5 bytes JMP 0000000077800420 .text C:\Windows\system32\nvvsvc.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000776a2a90 5 bytes JMP 0000000077800430 .text C:\Windows\system32\nvvsvc.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000776a2aa0 5 bytes JMP 0000000077800220 .text C:\Windows\system32\nvvsvc.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000776a2b80 5 bytes JMP 0000000077800280 .text C:\Windows\system32\nvvsvc.exe[1036] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007758eecd 1 byte [62] .text C:\Windows\system32\svchost.exe[1248] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000776a1360 5 bytes JMP 0000000077800460 .text C:\Windows\system32\svchost.exe[1248] 
C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000776a13b0 5 bytes JMP 0000000077800450 .text C:\Windows\system32\svchost.exe[1248] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000776a1510 5 bytes JMP 0000000077800370 .text C:\Windows\system32\svchost.exe[1248] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000776a1560 5 bytes JMP 0000000077800470 .text C:\Windows\system32\svchost.exe[1248] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000776a1570 5 bytes JMP 00000000778003e0 .text C:\Windows\system32\svchost.exe[1248] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000776a1620 5 bytes JMP 0000000077800320 .text C:\Windows\system32\svchost.exe[1248] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000776a1650 5 bytes JMP 00000000778003b0 .text C:\Windows\system32\svchost.exe[1248] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000776a1670 5 bytes JMP 0000000077800390 .text C:\Windows\system32\svchost.exe[1248] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000776a16b0 5 bytes JMP 00000000778002e0 .text C:\Windows\system32\svchost.exe[1248] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000776a1730 5 bytes JMP 00000000778002d0 .text C:\Windows\system32\svchost.exe[1248] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000776a1750 5 bytes JMP 0000000077800310 .text C:\Windows\system32\svchost.exe[1248] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000776a1790 5 bytes JMP 00000000778003c0 .text C:\Windows\system32\svchost.exe[1248] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000776a17e0 5 bytes JMP 00000000778003f0 .text C:\Windows\system32\svchost.exe[1248] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000776a1940 5 bytes JMP 0000000077800230 .text C:\Windows\system32\svchost.exe[1248] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000776a1b00 5 bytes JMP 0000000077800480 .text C:\Windows\system32\svchost.exe[1248] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000776a1b30 5 
bytes JMP 00000000778003a0 .text C:\Windows\system32\svchost.exe[1248] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000776a1c10 5 bytes JMP 00000000778002f0 .text C:\Windows\system32\svchost.exe[1248] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000776a1c20 5 bytes JMP 0000000077800350 .text C:\Windows\system32\svchost.exe[1248] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000776a1c80 5 bytes JMP 0000000077800290 .text C:\Windows\system32\svchost.exe[1248] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000776a1d10 5 bytes JMP 00000000778002b0 .text C:\Windows\system32\svchost.exe[1248] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000776a1d30 5 bytes JMP 00000000778003d0 .text C:\Windows\system32\svchost.exe[1248] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000776a1d40 5 bytes JMP 0000000077800330 .text C:\Windows\system32\svchost.exe[1248] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000776a1db0 5 bytes JMP 0000000077800410 .text C:\Windows\system32\svchost.exe[1248] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000776a1de0 5 bytes JMP 0000000077800240 .text C:\Windows\system32\svchost.exe[1248] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000776a20a0 5 bytes JMP 00000000778001e0 .text C:\Windows\system32\svchost.exe[1248] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000776a2160 5 bytes JMP 0000000077800250 .text C:\Windows\system32\svchost.exe[1248] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000776a2190 5 bytes JMP 0000000077800490 .text C:\Windows\system32\svchost.exe[1248] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000776a21a0 5 bytes JMP 00000000778004a0 .text C:\Windows\system32\svchost.exe[1248] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000776a21d0 5 bytes JMP 0000000077800300 .text C:\Windows\system32\svchost.exe[1248] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000776a21e0 5 bytes JMP 0000000077800360 .text 
C:\Windows\system32\svchost.exe[1248] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000776a2240 5 bytes JMP 00000000778002a0 .text C:\Windows\system32\svchost.exe[1248] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000776a2290 5 bytes JMP 00000000778002c0 .text C:\Windows\system32\svchost.exe[1248] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000776a22c0 5 bytes JMP 0000000077800380 .text C:\Windows\system32\svchost.exe[1248] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000776a22d0 5 bytes JMP 0000000077800340 .text C:\Windows\system32\svchost.exe[1248] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000776a25c0 5 bytes JMP 0000000077800440 .text C:\Windows\system32\svchost.exe[1248] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000776a27c0 5 bytes JMP 0000000077800260 .text C:\Windows\system32\svchost.exe[1248] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000776a27d0 5 bytes JMP 0000000077800270 .text C:\Windows\system32\svchost.exe[1248] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000776a27e0 5 bytes JMP 0000000077800400 .text C:\Windows\system32\svchost.exe[1248] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000776a29a0 5 bytes JMP 00000000778001f0 .text C:\Windows\system32\svchost.exe[1248] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000776a29b0 5 bytes JMP 0000000077800210 .text C:\Windows\system32\svchost.exe[1248] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000776a2a20 5 bytes JMP 0000000077800200 .text C:\Windows\system32\svchost.exe[1248] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000776a2a80 5 bytes JMP 0000000077800420 .text C:\Windows\system32\svchost.exe[1248] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000776a2a90 5 bytes JMP 0000000077800430 .text C:\Windows\system32\svchost.exe[1248] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000776a2aa0 5 bytes JMP 0000000077800220 .text C:\Windows\system32\svchost.exe[1248] 
C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000776a2b80 5 bytes JMP 0000000077800280 .text C:\Windows\system32\svchost.exe[1248] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007758eecd 1 byte [62] .text C:\Windows\system32\taskhost.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000776a1360 5 bytes JMP 0000000077800460 .text C:\Windows\system32\taskhost.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000776a13b0 5 bytes JMP 0000000077800450 .text C:\Windows\system32\taskhost.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000776a1510 5 bytes JMP 0000000077800370 .text C:\Windows\system32\taskhost.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000776a1560 5 bytes JMP 0000000077800470 .text C:\Windows\system32\taskhost.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000776a1570 5 bytes JMP 00000000778003e0 .text C:\Windows\system32\taskhost.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000776a1620 5 bytes JMP 0000000077800320 .text C:\Windows\system32\taskhost.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000776a1650 5 bytes JMP 00000000778003b0 .text C:\Windows\system32\taskhost.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000776a1670 5 bytes JMP 0000000077800390 .text C:\Windows\system32\taskhost.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000776a16b0 5 bytes JMP 00000000778002e0 .text C:\Windows\system32\taskhost.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000776a1730 5 bytes JMP 00000000778002d0 .text C:\Windows\system32\taskhost.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000776a1750 5 bytes JMP 0000000077800310 .text C:\Windows\system32\taskhost.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000776a1790 5 bytes JMP 00000000778003c0 .text C:\Windows\system32\taskhost.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000776a17e0 5 bytes JMP 
00000000778003f0 .text C:\Windows\system32\taskhost.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000776a1940 5 bytes JMP 0000000077800230 .text C:\Windows\system32\taskhost.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000776a1b00 5 bytes JMP 0000000077800480 .text C:\Windows\system32\taskhost.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000776a1b30 5 bytes JMP 00000000778003a0 .text C:\Windows\system32\taskhost.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000776a1c10 5 bytes JMP 00000000778002f0 .text C:\Windows\system32\taskhost.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000776a1c20 5 bytes JMP 0000000077800350 .text C:\Windows\system32\taskhost.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000776a1c80 5 bytes JMP 0000000077800290 .text C:\Windows\system32\taskhost.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000776a1d10 5 bytes JMP 00000000778002b0 .text C:\Windows\system32\taskhost.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000776a1d30 5 bytes JMP 00000000778003d0 .text C:\Windows\system32\taskhost.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000776a1d40 5 bytes JMP 0000000077800330 .text C:\Windows\system32\taskhost.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000776a1db0 5 bytes JMP 0000000077800410 .text C:\Windows\system32\taskhost.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000776a1de0 5 bytes JMP 0000000077800240 .text C:\Windows\system32\taskhost.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000776a20a0 5 bytes JMP 00000000778001e0 .text C:\Windows\system32\taskhost.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000776a2160 5 bytes JMP 0000000077800250 .text C:\Windows\system32\taskhost.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000776a2190 5 bytes JMP 0000000077800490 .text 
C:\Windows\system32\taskhost.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000776a21a0 5 bytes JMP 00000000778004a0 .text C:\Windows\system32\taskhost.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000776a21d0 5 bytes JMP 0000000077800300 .text C:\Windows\system32\taskhost.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000776a21e0 5 bytes JMP 0000000077800360 .text C:\Windows\system32\taskhost.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000776a2240 5 bytes JMP 00000000778002a0 .text C:\Windows\system32\taskhost.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000776a2290 5 bytes JMP 00000000778002c0 .text C:\Windows\system32\taskhost.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000776a22c0 5 bytes JMP 0000000077800380 .text C:\Windows\system32\taskhost.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000776a22d0 5 bytes JMP 0000000077800340 .text C:\Windows\system32\taskhost.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000776a25c0 5 bytes JMP 0000000077800440 .text C:\Windows\system32\taskhost.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000776a27c0 5 bytes JMP 0000000077800260 .text C:\Windows\system32\taskhost.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000776a27d0 5 bytes JMP 0000000077800270 .text C:\Windows\system32\taskhost.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000776a27e0 5 bytes JMP 0000000077800400 .text C:\Windows\system32\taskhost.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000776a29a0 5 bytes JMP 00000000778001f0 .text C:\Windows\system32\taskhost.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000776a29b0 5 bytes JMP 0000000077800210 .text C:\Windows\system32\taskhost.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000776a2a20 5 bytes JMP 0000000077800200 .text C:\Windows\system32\taskhost.exe[1324] 
C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000776a2a80 5 bytes JMP 0000000077800420 .text C:\Windows\system32\taskhost.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000776a2a90 5 bytes JMP 0000000077800430 .text C:\Windows\system32\taskhost.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000776a2aa0 5 bytes JMP 0000000077800220 .text C:\Windows\system32\taskhost.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000776a2b80 5 bytes JMP 0000000077800280 .text C:\Windows\system32\taskhost.exe[1324] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007758eecd 1 byte [62] .text C:\Windows\system32\Dwm.exe[1428] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000776a1360 5 bytes JMP 0000000077800460 .text C:\Windows\system32\Dwm.exe[1428] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000776a13b0 5 bytes JMP 0000000077800450 .text C:\Windows\system32\Dwm.exe[1428] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000776a1510 5 bytes JMP 0000000077800370 .text C:\Windows\system32\Dwm.exe[1428] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000776a1560 5 bytes JMP 0000000077800470 .text C:\Windows\system32\Dwm.exe[1428] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000776a1570 5 bytes JMP 00000000778003e0 .text C:\Windows\system32\Dwm.exe[1428] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000776a1620 5 bytes JMP 0000000077800320 .text C:\Windows\system32\Dwm.exe[1428] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000776a1650 5 bytes JMP 00000000778003b0 .text C:\Windows\system32\Dwm.exe[1428] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000776a1670 5 bytes JMP 0000000077800390 .text C:\Windows\system32\Dwm.exe[1428] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000776a16b0 5 bytes JMP 00000000778002e0 .text C:\Windows\system32\Dwm.exe[1428] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000776a1730 5 bytes JMP 00000000778002d0 .text 
C:\Windows\system32\Dwm.exe[1428] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000776a1750 5 bytes JMP 0000000077800310 .text C:\Windows\system32\Dwm.exe[1428] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000776a1790 5 bytes JMP 00000000778003c0 .text C:\Windows\system32\Dwm.exe[1428] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000776a17e0 5 bytes JMP 00000000778003f0 .text C:\Windows\system32\Dwm.exe[1428] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000776a1940 5 bytes JMP 0000000077800230 .text C:\Windows\system32\Dwm.exe[1428] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000776a1b00 5 bytes JMP 0000000077800480 .text C:\Windows\system32\Dwm.exe[1428] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000776a1b30 5 bytes JMP 00000000778003a0 .text C:\Windows\system32\Dwm.exe[1428] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000776a1c10 5 bytes JMP 00000000778002f0 .text C:\Windows\system32\Dwm.exe[1428] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000776a1c20 5 bytes JMP 0000000077800350 .text C:\Windows\system32\Dwm.exe[1428] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000776a1c80 5 bytes JMP 0000000077800290 .text C:\Windows\system32\Dwm.exe[1428] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000776a1d10 5 bytes JMP 00000000778002b0 .text C:\Windows\system32\Dwm.exe[1428] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000776a1d30 5 bytes JMP 00000000778003d0 .text C:\Windows\system32\Dwm.exe[1428] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000776a1d40 5 bytes JMP 0000000077800330 .text C:\Windows\system32\Dwm.exe[1428] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000776a1db0 5 bytes JMP 0000000077800410 .text C:\Windows\system32\Dwm.exe[1428] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000776a1de0 5 bytes JMP 0000000077800240 .text C:\Windows\system32\Dwm.exe[1428] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000776a20a0 5 bytes JMP 
00000000778001e0 .text C:\Windows\system32\Dwm.exe[1428] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000776a2160 5 bytes JMP 0000000077800250 .text C:\Windows\system32\Dwm.exe[1428] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000776a2190 5 bytes JMP 0000000077800490 .text C:\Windows\system32\Dwm.exe[1428] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000776a21a0 5 bytes JMP 00000000778004a0 .text C:\Windows\system32\Dwm.exe[1428] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000776a21d0 5 bytes JMP 0000000077800300 .text C:\Windows\system32\Dwm.exe[1428] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000776a21e0 5 bytes JMP 0000000077800360 .text C:\Windows\system32\Dwm.exe[1428] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000776a2240 5 bytes JMP 00000000778002a0 .text C:\Windows\system32\Dwm.exe[1428] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000776a2290 5 bytes JMP 00000000778002c0 .text C:\Windows\system32\Dwm.exe[1428] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000776a22c0 5 bytes JMP 0000000077800380 .text C:\Windows\system32\Dwm.exe[1428] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000776a22d0 5 bytes JMP 0000000077800340 .text C:\Windows\system32\Dwm.exe[1428] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000776a25c0 5 bytes JMP 0000000077800440 .text C:\Windows\system32\Dwm.exe[1428] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000776a27c0 5 bytes JMP 0000000077800260 .text C:\Windows\system32\Dwm.exe[1428] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000776a27d0 5 bytes JMP 0000000077800270 .text C:\Windows\system32\Dwm.exe[1428] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000776a27e0 5 bytes JMP 0000000077800400 .text C:\Windows\system32\Dwm.exe[1428] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000776a29a0 5 bytes JMP 00000000778001f0 .text C:\Windows\system32\Dwm.exe[1428] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000776a29b0 
5 bytes JMP 0000000077800210 .text C:\Windows\system32\Dwm.exe[1428] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000776a2a20 5 bytes JMP 0000000077800200 .text C:\Windows\system32\Dwm.exe[1428] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000776a2a80 5 bytes JMP 0000000077800420 .text C:\Windows\system32\Dwm.exe[1428] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000776a2a90 5 bytes JMP 0000000077800430 .text C:\Windows\system32\Dwm.exe[1428] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000776a2aa0 5 bytes JMP 0000000077800220 .text C:\Windows\system32\Dwm.exe[1428] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000776a2b80 5 bytes JMP 0000000077800280 .text C:\Windows\Explorer.EXE[1452] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000776a1360 5 bytes JMP 0000000077800460 .text C:\Windows\Explorer.EXE[1452] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000776a13b0 5 bytes JMP 0000000077800450 .text C:\Windows\Explorer.EXE[1452] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000776a1510 5 bytes JMP 0000000077800370 .text C:\Windows\Explorer.EXE[1452] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000776a1560 5 bytes JMP 0000000077800470 .text C:\Windows\Explorer.EXE[1452] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000776a1570 5 bytes JMP 00000000778003e0 .text C:\Windows\Explorer.EXE[1452] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000776a1620 5 bytes JMP 0000000077800320 .text C:\Windows\Explorer.EXE[1452] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000776a1650 5 bytes JMP 00000000778003b0 .text C:\Windows\Explorer.EXE[1452] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000776a1670 5 bytes JMP 0000000077800390 .text C:\Windows\Explorer.EXE[1452] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000776a16b0 5 bytes JMP 00000000778002e0 .text C:\Windows\Explorer.EXE[1452] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000776a1730 5 bytes JMP 00000000778002d0 .text 
C:\Windows\Explorer.EXE[1452] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000776a1750 5 bytes JMP 0000000077800310 .text C:\Windows\Explorer.EXE[1452] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000776a1790 5 bytes JMP 00000000778003c0 .text C:\Windows\Explorer.EXE[1452] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000776a17e0 5 bytes JMP 00000000778003f0 .text C:\Windows\Explorer.EXE[1452] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000776a1940 5 bytes JMP 0000000077800230 .text C:\Windows\Explorer.EXE[1452] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000776a1b00 5 bytes JMP 0000000077800480 .text C:\Windows\Explorer.EXE[1452] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000776a1b30 5 bytes JMP 00000000778003a0 .text C:\Windows\Explorer.EXE[1452] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000776a1c10 5 bytes JMP 00000000778002f0 .text C:\Windows\Explorer.EXE[1452] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000776a1c20 5 bytes JMP 0000000077800350 .text C:\Windows\Explorer.EXE[1452] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000776a1c80 5 bytes JMP 0000000077800290 .text C:\Windows\Explorer.EXE[1452] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000776a1d10 5 bytes JMP 00000000778002b0 .text C:\Windows\Explorer.EXE[1452] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000776a1d30 5 bytes JMP 00000000778003d0 .text C:\Windows\Explorer.EXE[1452] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000776a1d40 5 bytes JMP 0000000077800330 .text C:\Windows\Explorer.EXE[1452] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000776a1db0 5 bytes JMP 0000000077800410 .text C:\Windows\Explorer.EXE[1452] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000776a1de0 5 bytes JMP 0000000077800240 .text C:\Windows\Explorer.EXE[1452] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000776a20a0 5 bytes JMP 00000000778001e0 .text C:\Windows\Explorer.EXE[1452] 
C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000776a2160 5 bytes JMP 0000000077800250 .text C:\Windows\Explorer.EXE[1452] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000776a2190 5 bytes JMP 0000000077800490 .text C:\Windows\Explorer.EXE[1452] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000776a21a0 5 bytes JMP 00000000778004a0 .text C:\Windows\Explorer.EXE[1452] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000776a21d0 5 bytes JMP 0000000077800300 .text C:\Windows\Explorer.EXE[1452] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000776a21e0 5 bytes JMP 0000000077800360 .text C:\Windows\Explorer.EXE[1452] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000776a2240 5 bytes JMP 00000000778002a0 .text C:\Windows\Explorer.EXE[1452] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000776a2290 5 bytes JMP 00000000778002c0 .text C:\Windows\Explorer.EXE[1452] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000776a22c0 5 bytes JMP 0000000077800380 .text C:\Windows\Explorer.EXE[1452] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000776a22d0 5 bytes JMP 0000000077800340 .text C:\Windows\Explorer.EXE[1452] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000776a25c0 5 bytes JMP 0000000077800440 .text C:\Windows\Explorer.EXE[1452] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000776a27c0 5 bytes JMP 0000000077800260 .text C:\Windows\Explorer.EXE[1452] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000776a27d0 5 bytes JMP 0000000077800270 .text C:\Windows\Explorer.EXE[1452] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000776a27e0 5 bytes JMP 0000000077800400 .text C:\Windows\Explorer.EXE[1452] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000776a29a0 5 bytes JMP 00000000778001f0 .text C:\Windows\Explorer.EXE[1452] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000776a29b0 5 bytes JMP 0000000077800210 .text C:\Windows\Explorer.EXE[1452] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 
00000000776a2a20 5 bytes JMP 0000000077800200 .text C:\Windows\Explorer.EXE[1452] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000776a2a80 5 bytes JMP 0000000077800420 .text C:\Windows\Explorer.EXE[1452] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000776a2a90 5 bytes JMP 0000000077800430 .text C:\Windows\Explorer.EXE[1452] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000776a2aa0 5 bytes JMP 0000000077800220 .text C:\Windows\Explorer.EXE[1452] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000776a2b80 5 bytes JMP 0000000077800280 .text C:\Windows\Explorer.EXE[1452] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007758eecd 1 byte [62] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1468] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007715a2ba 1 byte [62] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1468] C:\Windows\syswow64\USER32.dll!DialogBoxParamW 00000000766bcfca 5 bytes JMP 0000000172d546b0 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1468] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000770e1465 2 bytes [0E, 77] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1468] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000770e14bb 2 bytes [0E, 77] .text ... 
* 2 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe[1656] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000776a1360 5 bytes JMP 0000000100070460 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe[1656] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000776a13b0 5 bytes JMP 0000000100070450 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe[1656] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000776a1510 5 bytes JMP 0000000100070370 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe[1656] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000776a1560 5 bytes JMP 0000000100070470 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe[1656] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000776a1570 5 bytes JMP 00000001000703e0 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe[1656] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000776a1620 5 bytes JMP 0000000100070320 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe[1656] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000776a1650 5 bytes JMP 00000001000703b0 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe[1656] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000776a1670 5 bytes JMP 0000000100070390 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe[1656] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000776a16b0 5 bytes JMP 00000001000702e0 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe[1656] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000776a1730 5 bytes JMP 00000001000702d0 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe[1656] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000776a1750 5 bytes JMP 0000000100070310 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe[1656] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 
00000000776a1790 5 bytes JMP 00000001000703c0 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe[1656] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000776a17e0 5 bytes JMP 00000001000703f0 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe[1656] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000776a1940 5 bytes JMP 0000000100070230 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe[1656] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000776a1b00 5 bytes JMP 0000000100070480 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe[1656] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000776a1b30 5 bytes JMP 00000001000703a0 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe[1656] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000776a1c10 5 bytes JMP 00000001000702f0 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe[1656] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000776a1c20 5 bytes JMP 0000000100070350 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe[1656] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000776a1c80 5 bytes JMP 0000000100070290 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe[1656] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000776a1d10 5 bytes JMP 00000001000702b0 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe[1656] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000776a1d30 5 bytes JMP 00000001000703d0 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe[1656] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000776a1d40 5 bytes JMP 0000000100070330 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe[1656] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000776a1db0 5 bytes JMP 0000000100070410 .text 
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe[1656] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000776a1de0 5 bytes JMP 0000000100070240 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe[1656] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000776a20a0 5 bytes JMP 00000001000701e0 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe[1656] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000776a2160 5 bytes JMP 0000000100070250 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe[1656] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000776a2190 5 bytes JMP 0000000100070490 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe[1656] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000776a21a0 5 bytes JMP 00000001000704a0 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe[1656] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000776a21d0 5 bytes JMP 0000000100070300 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe[1656] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000776a21e0 5 bytes JMP 0000000100070360 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe[1656] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000776a2240 5 bytes JMP 00000001000702a0 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe[1656] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000776a2290 5 bytes JMP 00000001000702c0 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe[1656] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000776a22c0 5 bytes JMP 0000000100070380 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe[1656] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000776a22d0 5 bytes JMP 0000000100070340 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe[1656] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 
00000000776a25c0 5 bytes JMP 0000000100070440 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe[1656] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000776a27c0 5 bytes JMP 0000000100070260 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe[1656] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000776a27d0 5 bytes JMP 0000000100070270 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe[1656] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000776a27e0 5 bytes JMP 0000000100070400 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe[1656] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000776a29a0 5 bytes JMP 00000001000701f0 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe[1656] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000776a29b0 5 bytes JMP 0000000100070210 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe[1656] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000776a2a20 5 bytes JMP 0000000100070200 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe[1656] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000776a2a80 5 bytes JMP 0000000100070420 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe[1656] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000776a2a90 5 bytes JMP 0000000100070430 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe[1656] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000776a2aa0 5 bytes JMP 0000000100070220 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe[1656] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000776a2b80 5 bytes JMP 0000000100070280 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe[1656] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007758eecd 1 byte [62] .text C:\Program Files\Windows Sidebar\sidebar.exe[1920] 
C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000776a1360 5 bytes JMP 0000000077800460 .text C:\Program Files\Windows Sidebar\sidebar.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000776a13b0 5 bytes JMP 0000000077800450 .text C:\Program Files\Windows Sidebar\sidebar.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000776a1510 5 bytes JMP 0000000077800370 .text C:\Program Files\Windows Sidebar\sidebar.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000776a1560 5 bytes JMP 0000000077800470 .text C:\Program Files\Windows Sidebar\sidebar.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000776a1570 5 bytes JMP 00000000778003e0 .text C:\Program Files\Windows Sidebar\sidebar.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000776a1620 5 bytes JMP 0000000077800320 .text C:\Program Files\Windows Sidebar\sidebar.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000776a1650 5 bytes JMP 00000000778003b0 .text C:\Program Files\Windows Sidebar\sidebar.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000776a1670 5 bytes JMP 0000000077800390 .text C:\Program Files\Windows Sidebar\sidebar.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000776a16b0 5 bytes JMP 00000000778002e0 .text C:\Program Files\Windows Sidebar\sidebar.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000776a1730 5 bytes JMP 00000000778002d0 .text C:\Program Files\Windows Sidebar\sidebar.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000776a1750 5 bytes JMP 0000000077800310 .text C:\Program Files\Windows Sidebar\sidebar.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000776a1790 5 bytes JMP 00000000778003c0 .text C:\Program Files\Windows Sidebar\sidebar.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000776a17e0 5 bytes JMP 00000000778003f0 .text C:\Program Files\Windows Sidebar\sidebar.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 
00000000776a1940 5 bytes JMP 0000000077800230 .text C:\Program Files\Windows Sidebar\sidebar.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000776a1b00 5 bytes JMP 0000000077800480 .text C:\Program Files\Windows Sidebar\sidebar.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000776a1b30 5 bytes JMP 00000000778003a0 .text C:\Program Files\Windows Sidebar\sidebar.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000776a1c10 5 bytes JMP 00000000778002f0 .text C:\Program Files\Windows Sidebar\sidebar.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000776a1c20 5 bytes JMP 0000000077800350 .text C:\Program Files\Windows Sidebar\sidebar.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000776a1c80 5 bytes JMP 0000000077800290 .text C:\Program Files\Windows Sidebar\sidebar.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000776a1d10 5 bytes JMP 00000000778002b0 .text C:\Program Files\Windows Sidebar\sidebar.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000776a1d30 5 bytes JMP 00000000778003d0 .text C:\Program Files\Windows Sidebar\sidebar.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000776a1d40 5 bytes JMP 0000000077800330 .text C:\Program Files\Windows Sidebar\sidebar.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000776a1db0 5 bytes JMP 0000000077800410 .text C:\Program Files\Windows Sidebar\sidebar.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000776a1de0 5 bytes JMP 0000000077800240 .text C:\Program Files\Windows Sidebar\sidebar.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000776a20a0 5 bytes JMP 00000000778001e0 .text C:\Program Files\Windows Sidebar\sidebar.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000776a2160 5 bytes JMP 0000000077800250 .text C:\Program Files\Windows Sidebar\sidebar.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000776a2190 5 bytes 
JMP 0000000077800490 .text C:\Program Files\Windows Sidebar\sidebar.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000776a21a0 5 bytes JMP 00000000778004a0 .text C:\Program Files\Windows Sidebar\sidebar.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000776a21d0 5 bytes JMP 0000000077800300 .text C:\Program Files\Windows Sidebar\sidebar.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000776a21e0 5 bytes JMP 0000000077800360 .text C:\Program Files\Windows Sidebar\sidebar.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000776a2240 5 bytes JMP 00000000778002a0 .text C:\Program Files\Windows Sidebar\sidebar.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000776a2290 5 bytes JMP 00000000778002c0 .text C:\Program Files\Windows Sidebar\sidebar.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000776a22c0 5 bytes JMP 0000000077800380 .text C:\Program Files\Windows Sidebar\sidebar.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000776a22d0 5 bytes JMP 0000000077800340 .text C:\Program Files\Windows Sidebar\sidebar.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000776a25c0 5 bytes JMP 0000000077800440 .text C:\Program Files\Windows Sidebar\sidebar.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000776a27c0 5 bytes JMP 0000000077800260 .text C:\Program Files\Windows Sidebar\sidebar.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000776a27d0 5 bytes JMP 0000000077800270 .text C:\Program Files\Windows Sidebar\sidebar.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000776a27e0 5 bytes JMP 0000000077800400 .text C:\Program Files\Windows Sidebar\sidebar.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000776a29a0 5 bytes JMP 00000000778001f0 .text C:\Program Files\Windows Sidebar\sidebar.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000776a29b0 5 bytes JMP 0000000077800210 .text 
C:\Program Files\Windows Sidebar\sidebar.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000776a2a20 5 bytes JMP 0000000077800200 .text C:\Program Files\Windows Sidebar\sidebar.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000776a2a80 5 bytes JMP 0000000077800420 .text C:\Program Files\Windows Sidebar\sidebar.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000776a2a90 5 bytes JMP 0000000077800430 .text C:\Program Files\Windows Sidebar\sidebar.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000776a2aa0 5 bytes JMP 0000000077800220 .text C:\Program Files\Windows Sidebar\sidebar.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000776a2b80 5 bytes JMP 0000000077800280 .text C:\Program Files\Windows Sidebar\sidebar.exe[1920] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007758eecd 1 byte [62] .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000776a1360 5 bytes JMP 0000000077800460 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000776a13b0 5 bytes JMP 0000000077800450 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000776a1510 5 bytes JMP 0000000077800370 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000776a1560 5 bytes JMP 0000000077800470 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000776a1570 5 bytes JMP 00000000778003e0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000776a1620 5 bytes JMP 0000000077800320 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000776a1650 5 bytes JMP 
00000000778003b0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000776a1670 5 bytes JMP 0000000077800390 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000776a16b0 5 bytes JMP 00000000778002e0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000776a1730 5 bytes JMP 00000000778002d0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000776a1750 5 bytes JMP 0000000077800310 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000776a1790 5 bytes JMP 00000000778003c0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000776a17e0 5 bytes JMP 00000000778003f0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000776a1940 5 bytes JMP 0000000077800230 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000776a1b00 5 bytes JMP 0000000077800480 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000776a1b30 5 bytes JMP 00000000778003a0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000776a1c10 5 bytes JMP 00000000778002f0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000776a1c20 5 bytes JMP 0000000077800350 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000776a1c80 5 bytes JMP 0000000077800290 .text C:\Program Files\NVIDIA 
Corporation\Display\nvtray.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000776a1d10 5 bytes JMP 00000000778002b0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000776a1d30 5 bytes JMP 00000000778003d0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000776a1d40 5 bytes JMP 0000000077800330 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000776a1db0 5 bytes JMP 0000000077800410 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000776a1de0 5 bytes JMP 0000000077800240 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000776a20a0 5 bytes JMP 00000000778001e0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000776a2160 5 bytes JMP 0000000077800250 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000776a2190 5 bytes JMP 0000000077800490 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000776a21a0 5 bytes JMP 00000000778004a0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000776a21d0 5 bytes JMP 0000000077800300 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000776a21e0 5 bytes JMP 0000000077800360 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000776a2240 5 bytes JMP 00000000778002a0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[1096] 
C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000776a2290 5 bytes JMP 00000000778002c0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000776a22c0 5 bytes JMP 0000000077800380 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000776a22d0 5 bytes JMP 0000000077800340 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000776a25c0 5 bytes JMP 0000000077800440 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000776a27c0 5 bytes JMP 0000000077800260 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000776a27d0 5 bytes JMP 0000000077800270 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000776a27e0 5 bytes JMP 0000000077800400 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000776a29a0 5 bytes JMP 00000000778001f0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000776a29b0 5 bytes JMP 0000000077800210 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000776a2a20 5 bytes JMP 0000000077800200 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000776a2a80 5 bytes JMP 0000000077800420 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000776a2a90 5 bytes JMP 0000000077800430 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000776a2aa0 5 
bytes JMP 0000000077800220 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000776a2b80 5 bytes JMP 0000000077800280 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[1096] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007758eecd 1 byte [62] .text C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\infocard.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000776a1360 5 bytes JMP 0000000077800460 .text C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\infocard.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000776a13b0 5 bytes JMP 0000000077800450 .text C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\infocard.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000776a1510 5 bytes JMP 0000000077800370 .text C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\infocard.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000776a1560 5 bytes JMP 0000000077800470 .text C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\infocard.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000776a1570 5 bytes JMP 00000000778003e0 .text C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\infocard.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000776a1620 5 bytes JMP 0000000077800320 .text C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\infocard.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000776a1650 5 bytes JMP 00000000778003b0 .text C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\infocard.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000776a1670 5 bytes JMP 0000000077800390 .text C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\infocard.exe[1100] 
C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000776a16b0 5 bytes JMP 00000000778002e0 .text C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\infocard.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000776a1730 5 bytes JMP 00000000778002d0 .text C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\infocard.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000776a1750 5 bytes JMP 0000000077800310 .text C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\infocard.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000776a1790 5 bytes JMP 00000000778003c0 .text C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\infocard.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000776a17e0 5 bytes JMP 00000000778003f0 .text C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\infocard.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000776a1940 5 bytes JMP 0000000077800230 .text C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\infocard.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000776a1b00 5 bytes JMP 0000000077800480 .text C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\infocard.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000776a1b30 5 bytes JMP 00000000778003a0 .text C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\infocard.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000776a1c10 5 bytes JMP 00000000778002f0 .text C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\infocard.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000776a1c20 5 bytes JMP 0000000077800350 .text C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\infocard.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 
00000000776a1c80 5 bytes JMP 0000000077800290 .text C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\infocard.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000776a1d10 5 bytes JMP 00000000778002b0 .text C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\infocard.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000776a1d30 5 bytes JMP 00000000778003d0 .text C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\infocard.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000776a1d40 5 bytes JMP 0000000077800330 .text C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\infocard.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000776a1db0 5 bytes JMP 0000000077800410 .text C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\infocard.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000776a1de0 5 bytes JMP 0000000077800240 .text C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\infocard.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000776a20a0 5 bytes JMP 00000000778001e0 .text C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\infocard.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000776a2160 5 bytes JMP 0000000077800250 .text C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\infocard.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000776a2190 5 bytes JMP 0000000077800490 .text C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\infocard.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000776a21a0 5 bytes JMP 00000000778004a0 .text C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\infocard.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000776a21d0 5 bytes JMP 0000000077800300 .text 
C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\infocard.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000776a21e0 5 bytes JMP 0000000077800360 .text C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\infocard.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000776a2240 5 bytes JMP 00000000778002a0 .text C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\infocard.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000776a2290 5 bytes JMP 00000000778002c0 .text C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\infocard.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000776a22c0 5 bytes JMP 0000000077800380 .text C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\infocard.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000776a22d0 5 bytes JMP 0000000077800340 .text C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\infocard.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000776a25c0 5 bytes JMP 0000000077800440 .text C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\infocard.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000776a27c0 5 bytes JMP 0000000077800260 .text C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\infocard.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000776a27d0 5 bytes JMP 0000000077800270 .text C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\infocard.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000776a27e0 5 bytes JMP 0000000077800400 .text C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\infocard.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000776a29a0 5 bytes JMP 00000000778001f0 .text C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication 
Foundation\infocard.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000776a29b0 5 bytes JMP 0000000077800210 .text C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\infocard.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000776a2a20 5 bytes JMP 0000000077800200 .text C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\infocard.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000776a2a80 5 bytes JMP 0000000077800420 .text C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\infocard.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000776a2a90 5 bytes JMP 0000000077800430 .text C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\infocard.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000776a2aa0 5 bytes JMP 0000000077800220 .text C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\infocard.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000776a2b80 5 bytes JMP 0000000077800280 .text C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\infocard.exe[1100] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 000000007758eecd 1 byte [62] .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[1852] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007715a2ba 1 byte [62] .text C:\Program Files (x86)\Norton Internet Security\Engine\17.5.0.127\ccSvcHst.exe[1676] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007715a2ba 1 byte [62] .text C:\Windows\SysWOW64\PnkBstrA.exe[1004] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007715a2ba 1 byte [62] .text C:\Windows\SysWOW64\PnkBstrA.exe[1004] C:\Windows\syswow64\USER32.dll!DialogBoxParamW 00000000766bcfca 5 bytes JMP 0000000172d546b0 .text C:\Windows\SysWOW64\PnkBstrA.exe[1004] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 322 00000000737d1a22 2 bytes [7D, 73] .text 
C:\Windows\SysWOW64\PnkBstrA.exe[1004] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 496 00000000737d1ad0 2 bytes [7D, 73] .text C:\Windows\SysWOW64\PnkBstrA.exe[1004] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 552 00000000737d1b08 2 bytes [7D, 73] .text C:\Windows\SysWOW64\PnkBstrA.exe[1004] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 730 00000000737d1bba 2 bytes [7D, 73] .text C:\Windows\SysWOW64\PnkBstrA.exe[1004] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 754 00000000737d1bd2 2 bytes CALL 72d59a10 c:\progra~3\bitguard\261694~1.246\{c16c1~1\bitguard.dll .text C:\Windows\SysWOW64\PnkBstrA.exe[1004] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000770e1465 2 bytes [0E, 77] .text C:\Windows\SysWOW64\PnkBstrA.exe[1004] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000770e14bb 2 bytes [0E, 77] .text ... * 2 .text C:\Windows\System32\svchost.exe[2228] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000776a1360 5 bytes JMP 0000000077800460 .text C:\Windows\System32\svchost.exe[2228] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000776a13b0 5 bytes JMP 0000000077800450 .text C:\Windows\System32\svchost.exe[2228] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000776a1510 5 bytes JMP 0000000077800370 .text C:\Windows\System32\svchost.exe[2228] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000776a1560 5 bytes JMP 0000000077800470 .text C:\Windows\System32\svchost.exe[2228] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000776a1570 5 bytes JMP 00000000778003e0 .text C:\Windows\System32\svchost.exe[2228] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000776a1620 5 bytes JMP 0000000077800320 .text C:\Windows\System32\svchost.exe[2228] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000776a1650 5 bytes JMP 00000000778003b0 .text C:\Windows\System32\svchost.exe[2228] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000776a1670 5 bytes JMP 0000000077800390 .text 
C:\Windows\System32\svchost.exe[2228] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000776a16b0 5 bytes JMP 00000000778002e0 .text C:\Windows\System32\svchost.exe[2228] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000776a1730 5 bytes JMP 00000000778002d0 .text C:\Windows\System32\svchost.exe[2228] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000776a1750 5 bytes JMP 0000000077800310 .text C:\Windows\System32\svchost.exe[2228] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000776a1790 5 bytes JMP 00000000778003c0 .text C:\Windows\System32\svchost.exe[2228] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000776a17e0 5 bytes JMP 00000000778003f0 .text C:\Windows\System32\svchost.exe[2228] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000776a1940 5 bytes JMP 0000000077800230 .text C:\Windows\System32\svchost.exe[2228] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000776a1b00 5 bytes JMP 0000000077800480 .text C:\Windows\System32\svchost.exe[2228] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000776a1b30 5 bytes JMP 00000000778003a0 .text C:\Windows\System32\svchost.exe[2228] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000776a1c10 5 bytes JMP 00000000778002f0 .text C:\Windows\System32\svchost.exe[2228] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000776a1c20 5 bytes JMP 0000000077800350 .text C:\Windows\System32\svchost.exe[2228] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000776a1c80 5 bytes JMP 0000000077800290 .text C:\Windows\System32\svchost.exe[2228] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000776a1d10 5 bytes JMP 00000000778002b0 .text C:\Windows\System32\svchost.exe[2228] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000776a1d30 5 bytes JMP 00000000778003d0 .text C:\Windows\System32\svchost.exe[2228] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000776a1d40 5 bytes JMP 0000000077800330 .text C:\Windows\System32\svchost.exe[2228] 
C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000776a1db0 5 bytes JMP 0000000077800410 .text C:\Windows\System32\svchost.exe[2228] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000776a1de0 5 bytes JMP 0000000077800240 .text C:\Windows\System32\svchost.exe[2228] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000776a20a0 5 bytes JMP 00000000778001e0 .text C:\Windows\System32\svchost.exe[2228] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000776a2160 5 bytes JMP 0000000077800250 .text C:\Windows\System32\svchost.exe[2228] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000776a2190 5 bytes JMP 0000000077800490 .text C:\Windows\System32\svchost.exe[2228] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000776a21a0 5 bytes JMP 00000000778004a0 .text C:\Windows\System32\svchost.exe[2228] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000776a21d0 5 bytes JMP 0000000077800300 .text C:\Windows\System32\svchost.exe[2228] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000776a21e0 5 bytes JMP 0000000077800360 .text C:\Windows\System32\svchost.exe[2228] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000776a2240 5 bytes JMP 00000000778002a0 .text C:\Windows\System32\svchost.exe[2228] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000776a2290 5 bytes JMP 00000000778002c0 .text C:\Windows\System32\svchost.exe[2228] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000776a22c0 5 bytes JMP 0000000077800380 .text C:\Windows\System32\svchost.exe[2228] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000776a22d0 5 bytes JMP 0000000077800340 .text C:\Windows\System32\svchost.exe[2228] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000776a25c0 5 bytes JMP 0000000077800440 .text C:\Windows\System32\svchost.exe[2228] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000776a27c0 5 bytes JMP 0000000077800260 .text C:\Windows\System32\svchost.exe[2228] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000776a27d0 5 bytes JMP 
0000000077800270 .text C:\Windows\System32\svchost.exe[2228] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000776a27e0 5 bytes JMP 0000000077800400 .text C:\Windows\System32\svchost.exe[2228] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000776a29a0 5 bytes JMP 00000000778001f0 .text C:\Windows\System32\svchost.exe[2228] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000776a29b0 5 bytes JMP 0000000077800210 .text C:\Windows\System32\svchost.exe[2228] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000776a2a20 5 bytes JMP 0000000077800200 .text C:\Windows\System32\svchost.exe[2228] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000776a2a80 5 bytes JMP 0000000077800420 .text C:\Windows\System32\svchost.exe[2228] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000776a2a90 5 bytes JMP 0000000077800430 .text C:\Windows\System32\svchost.exe[2228] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000776a2aa0 5 bytes JMP 0000000077800220 .text C:\Windows\System32\svchost.exe[2228] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000776a2b80 5 bytes JMP 0000000077800280 .text C:\Windows\System32\svchost.exe[2228] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007758eecd 1 byte [62] .text C:\Windows\ehome\ehmsas.exe[3064] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000776a1360 5 bytes JMP 0000000077800460 .text C:\Windows\ehome\ehmsas.exe[3064] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000776a13b0 5 bytes JMP 0000000077800450 .text C:\Windows\ehome\ehmsas.exe[3064] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000776a1510 5 bytes JMP 0000000077800370 .text C:\Windows\ehome\ehmsas.exe[3064] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000776a1560 5 bytes JMP 0000000077800470 .text C:\Windows\ehome\ehmsas.exe[3064] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000776a1570 5 bytes JMP 00000000778003e0 .text C:\Windows\ehome\ehmsas.exe[3064] 
C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000776a1620 5 bytes JMP 0000000077800320 .text C:\Windows\ehome\ehmsas.exe[3064] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000776a1650 5 bytes JMP 00000000778003b0 .text C:\Windows\ehome\ehmsas.exe[3064] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000776a1670 5 bytes JMP 0000000077800390 .text C:\Windows\ehome\ehmsas.exe[3064] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000776a16b0 5 bytes JMP 00000000778002e0 .text C:\Windows\ehome\ehmsas.exe[3064] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000776a1730 5 bytes JMP 00000000778002d0 .text C:\Windows\ehome\ehmsas.exe[3064] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000776a1750 5 bytes JMP 0000000077800310 .text C:\Windows\ehome\ehmsas.exe[3064] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000776a1790 5 bytes JMP 00000000778003c0 .text C:\Windows\ehome\ehmsas.exe[3064] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000776a17e0 5 bytes JMP 00000000778003f0 .text C:\Windows\ehome\ehmsas.exe[3064] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000776a1940 5 bytes JMP 0000000077800230 .text C:\Windows\ehome\ehmsas.exe[3064] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000776a1b00 5 bytes JMP 0000000077800480 .text C:\Windows\ehome\ehmsas.exe[3064] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000776a1b30 5 bytes JMP 00000000778003a0 .text C:\Windows\ehome\ehmsas.exe[3064] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000776a1c10 5 bytes JMP 00000000778002f0 .text C:\Windows\ehome\ehmsas.exe[3064] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000776a1c20 5 bytes JMP 0000000077800350 .text C:\Windows\ehome\ehmsas.exe[3064] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000776a1c80 5 bytes JMP 0000000077800290 .text C:\Windows\ehome\ehmsas.exe[3064] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000776a1d10 5 bytes JMP 00000000778002b0 .text 
C:\Windows\ehome\ehmsas.exe[3064] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000776a1d30 5 bytes JMP 00000000778003d0 .text C:\Windows\ehome\ehmsas.exe[3064] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000776a1d40 5 bytes JMP 0000000077800330 .text C:\Windows\ehome\ehmsas.exe[3064] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000776a1db0 5 bytes JMP 0000000077800410 .text C:\Windows\ehome\ehmsas.exe[3064] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000776a1de0 5 bytes JMP 0000000077800240 .text C:\Windows\ehome\ehmsas.exe[3064] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000776a20a0 5 bytes JMP 00000000778001e0 .text C:\Windows\ehome\ehmsas.exe[3064] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000776a2160 5 bytes JMP 0000000077800250 .text C:\Windows\ehome\ehmsas.exe[3064] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000776a2190 5 bytes JMP 0000000077800490 .text C:\Windows\ehome\ehmsas.exe[3064] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000776a21a0 5 bytes JMP 00000000778004a0 .text C:\Windows\ehome\ehmsas.exe[3064] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000776a21d0 5 bytes JMP 0000000077800300 .text C:\Windows\ehome\ehmsas.exe[3064] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000776a21e0 5 bytes JMP 0000000077800360 .text C:\Windows\ehome\ehmsas.exe[3064] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000776a2240 5 bytes JMP 00000000778002a0 .text C:\Windows\ehome\ehmsas.exe[3064] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000776a2290 5 bytes JMP 00000000778002c0 .text C:\Windows\ehome\ehmsas.exe[3064] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000776a22c0 5 bytes JMP 0000000077800380 .text C:\Windows\ehome\ehmsas.exe[3064] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000776a22d0 5 bytes JMP 0000000077800340 .text C:\Windows\ehome\ehmsas.exe[3064] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000776a25c0 5 bytes JMP 0000000077800440 .text 
C:\Windows\ehome\ehmsas.exe[3064] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000776a27c0 5 bytes JMP 0000000077800260 .text C:\Windows\ehome\ehmsas.exe[3064] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000776a27d0 5 bytes JMP 0000000077800270 .text C:\Windows\ehome\ehmsas.exe[3064] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000776a27e0 5 bytes JMP 0000000077800400 .text C:\Windows\ehome\ehmsas.exe[3064] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000776a29a0 5 bytes JMP 00000000778001f0 .text C:\Windows\ehome\ehmsas.exe[3064] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000776a29b0 5 bytes JMP 0000000077800210 .text C:\Windows\ehome\ehmsas.exe[3064] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000776a2a20 5 bytes JMP 0000000077800200 .text C:\Windows\ehome\ehmsas.exe[3064] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000776a2a80 5 bytes JMP 0000000077800420 .text C:\Windows\ehome\ehmsas.exe[3064] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000776a2a90 5 bytes JMP 0000000077800430 .text C:\Windows\ehome\ehmsas.exe[3064] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000776a2aa0 5 bytes JMP 0000000077800220 .text C:\Windows\ehome\ehmsas.exe[3064] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000776a2b80 5 bytes JMP 0000000077800280 .text C:\Windows\ehome\ehmsas.exe[3064] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007758eecd 1 byte [62] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2080] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007715a2ba 1 byte [62] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2080] C:\Windows\syswow64\USER32.dll!DialogBoxParamW 00000000766bcfca 5 bytes JMP 0000000172d546b0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2080] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000770e1465 2 bytes [0E, 
77] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2080] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000770e14bb 2 bytes [0E, 77] .text ... * 2 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2780] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007715a2ba 1 byte [62] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2780] C:\Windows\syswow64\USER32.dll!DialogBoxParamW 00000000766bcfca 5 bytes JMP 0000000172d546b0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2780] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000770e1465 2 bytes [0E, 77] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2780] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000770e14bb 2 bytes [0E, 77] .text ... * 2 .text C:\Windows\system32\taskeng.exe[1416] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000776a1360 5 bytes JMP 0000000077800460 .text C:\Windows\system32\taskeng.exe[1416] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000776a13b0 5 bytes JMP 0000000077800450 .text C:\Windows\system32\taskeng.exe[1416] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000776a1510 5 bytes JMP 0000000077800370 .text C:\Windows\system32\taskeng.exe[1416] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000776a1560 5 bytes JMP 0000000077800470 .text C:\Windows\system32\taskeng.exe[1416] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000776a1570 5 bytes JMP 00000000778003e0 .text C:\Windows\system32\taskeng.exe[1416] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000776a1620 5 bytes JMP 0000000077800320 .text C:\Windows\system32\taskeng.exe[1416] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000776a1650 5 bytes JMP 00000000778003b0 .text C:\Windows\system32\taskeng.exe[1416] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 
00000000776a1670 5 bytes JMP 0000000077800390 .text C:\Windows\system32\taskeng.exe[1416] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000776a16b0 5 bytes JMP 00000000778002e0 .text C:\Windows\system32\taskeng.exe[1416] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000776a1730 5 bytes JMP 00000000778002d0 .text C:\Windows\system32\taskeng.exe[1416] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000776a1750 5 bytes JMP 0000000077800310 .text C:\Windows\system32\taskeng.exe[1416] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000776a1790 5 bytes JMP 00000000778003c0 .text C:\Windows\system32\taskeng.exe[1416] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000776a17e0 5 bytes JMP 00000000778003f0 .text C:\Windows\system32\taskeng.exe[1416] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000776a1940 5 bytes JMP 0000000077800230 .text C:\Windows\system32\taskeng.exe[1416] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000776a1b00 5 bytes JMP 0000000077800480 .text C:\Windows\system32\taskeng.exe[1416] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000776a1b30 5 bytes JMP 00000000778003a0 .text C:\Windows\system32\taskeng.exe[1416] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000776a1c10 5 bytes JMP 00000000778002f0 .text C:\Windows\system32\taskeng.exe[1416] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000776a1c20 5 bytes JMP 0000000077800350 .text C:\Windows\system32\taskeng.exe[1416] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000776a1c80 5 bytes JMP 0000000077800290 .text C:\Windows\system32\taskeng.exe[1416] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000776a1d10 5 bytes JMP 00000000778002b0 .text C:\Windows\system32\taskeng.exe[1416] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000776a1d30 5 bytes JMP 00000000778003d0 .text C:\Windows\system32\taskeng.exe[1416] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000776a1d40 5 bytes JMP 0000000077800330 .text 
C:\Windows\system32\taskeng.exe[1416] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000776a1db0 5 bytes JMP 0000000077800410 .text C:\Windows\system32\taskeng.exe[1416] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000776a1de0 5 bytes JMP 0000000077800240 .text C:\Windows\system32\taskeng.exe[1416] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000776a20a0 5 bytes JMP 00000000778001e0 .text C:\Windows\system32\taskeng.exe[1416] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000776a2160 5 bytes JMP 0000000077800250 .text C:\Windows\system32\taskeng.exe[1416] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000776a2190 5 bytes JMP 0000000077800490 .text C:\Windows\system32\taskeng.exe[1416] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000776a21a0 5 bytes JMP 00000000778004a0 .text C:\Windows\system32\taskeng.exe[1416] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000776a21d0 5 bytes JMP 0000000077800300 .text C:\Windows\system32\taskeng.exe[1416] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000776a21e0 5 bytes JMP 0000000077800360 .text C:\Windows\system32\taskeng.exe[1416] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000776a2240 5 bytes JMP 00000000778002a0 .text C:\Windows\system32\taskeng.exe[1416] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000776a2290 5 bytes JMP 00000000778002c0 .text C:\Windows\system32\taskeng.exe[1416] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000776a22c0 5 bytes JMP 0000000077800380 .text C:\Windows\system32\taskeng.exe[1416] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000776a22d0 5 bytes JMP 0000000077800340 .text C:\Windows\system32\taskeng.exe[1416] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000776a25c0 5 bytes JMP 0000000077800440 .text C:\Windows\system32\taskeng.exe[1416] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000776a27c0 5 bytes JMP 0000000077800260 .text C:\Windows\system32\taskeng.exe[1416] 
C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000776a27d0 5 bytes JMP 0000000077800270 .text C:\Windows\system32\taskeng.exe[1416] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000776a27e0 5 bytes JMP 0000000077800400 .text C:\Windows\system32\taskeng.exe[1416] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000776a29a0 5 bytes JMP 00000000778001f0 .text C:\Windows\system32\taskeng.exe[1416] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000776a29b0 5 bytes JMP 0000000077800210 .text C:\Windows\system32\taskeng.exe[1416] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000776a2a20 5 bytes JMP 0000000077800200 .text C:\Windows\system32\taskeng.exe[1416] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000776a2a80 5 bytes JMP 0000000077800420 .text C:\Windows\system32\taskeng.exe[1416] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000776a2a90 5 bytes JMP 0000000077800430 .text C:\Windows\system32\taskeng.exe[1416] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000776a2aa0 5 bytes JMP 0000000077800220 .text C:\Windows\system32\taskeng.exe[1416] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000776a2b80 5 bytes JMP 0000000077800280 .text O:\ff30ghz9.exe[2776] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007715a2ba 1 byte [62] .text O:\ff30ghz9.exe[2776] C:\Windows\syswow64\USER32.dll!DialogBoxParamW 00000000766bcfca 5 bytes JMP 0000000172d546b0 .text O:\ff30ghz9.exe[2776] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000770e1465 2 bytes [0E, 77] .text O:\ff30ghz9.exe[2776] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000770e14bb 2 bytes [0E, 77] .text ... 
* 2 ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\ControlSet002\Control\Session Manager\KnownDLLs@clbcatq clbcatq.dll Reg HKLM\SYSTEM\ControlSet002\Control\Session Manager\KnownDLLs@ole32 ole32.dll Reg HKLM\SYSTEM\ControlSet002\Control\Session Manager\KnownDLLs@advapi32 advapi32.dll Reg HKLM\SYSTEM\ControlSet002\Control\Session Manager\KnownDLLs@COMDLG32 COMDLG32.dll Reg HKLM\SYSTEM\ControlSet002\Control\Session Manager\KnownDLLs@DllDirectory %SystemRoot%\system32 Reg HKLM\SYSTEM\ControlSet002\Control\Session Manager\KnownDLLs@DllDirectory32 %SystemRoot%\syswow64 Reg HKLM\SYSTEM\ControlSet002\Control\Session Manager\KnownDLLs@gdi32 gdi32.dll Reg HKLM\SYSTEM\ControlSet002\Control\Session Manager\KnownDLLs@IERTUTIL IERTUTIL.dll Reg HKLM\SYSTEM\ControlSet002\Control\Session Manager\KnownDLLs@IMAGEHLP IMAGEHLP.dll Reg HKLM\SYSTEM\ControlSet002\Control\Session Manager\KnownDLLs@IMM32 IMM32.dll Reg HKLM\SYSTEM\ControlSet002\Control\Session Manager\KnownDLLs@kernel32 kernel32.dll Reg HKLM\SYSTEM\ControlSet002\Control\Session Manager\KnownDLLs@LPK LPK.dll Reg HKLM\SYSTEM\ControlSet002\Control\Session Manager\KnownDLLs@MSCTF MSCTF.dll Reg HKLM\SYSTEM\ControlSet002\Control\Session Manager\KnownDLLs@MSVCRT MSVCRT.dll Reg HKLM\SYSTEM\ControlSet002\Control\Session Manager\KnownDLLs@NORMALIZ NORMALIZ.dll Reg HKLM\SYSTEM\ControlSet002\Control\Session Manager\KnownDLLs@NSI NSI.dll Reg HKLM\SYSTEM\ControlSet002\Control\Session Manager\KnownDLLs@OLEAUT32 OLEAUT32.dll Reg HKLM\SYSTEM\ControlSet002\Control\Session Manager\KnownDLLs@PSAPI PSAPI.DLL Reg HKLM\SYSTEM\ControlSet002\Control\Session Manager\KnownDLLs@rpcrt4 rpcrt4.dll Reg HKLM\SYSTEM\ControlSet002\Control\Session Manager\KnownDLLs@sechost sechost.dll Reg HKLM\SYSTEM\ControlSet002\Control\Session Manager\KnownDLLs@Setupapi Setupapi.dll Reg HKLM\SYSTEM\ControlSet002\Control\Session Manager\KnownDLLs@SHELL32 SHELL32.dll Reg HKLM\SYSTEM\ControlSet002\Control\Session Manager\KnownDLLs@SHLWAPI SHLWAPI.dll Reg 
HKLM\SYSTEM\ControlSet002\Control\Session Manager\KnownDLLs@URLMON URLMON.dll Reg HKLM\SYSTEM\ControlSet002\Control\Session Manager\KnownDLLs@user32 user32.dll Reg HKLM\SYSTEM\ControlSet002\Control\Session Manager\KnownDLLs@USP10 USP10.dll Reg HKLM\SYSTEM\ControlSet002\Control\Session Manager\KnownDLLs@WININET WININET.dll Reg HKLM\SYSTEM\ControlSet002\Control\Session Manager\KnownDLLs@WLDAP32 WLDAP32.dll Reg HKLM\SYSTEM\ControlSet002\Control\Session Manager\KnownDLLs@WS2_32 WS2_32.dll Reg HKLM\SYSTEM\ControlSet002\Control\Session Manager\KnownDLLs@DifxApi difxapi.dll Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs@clbcatq clbcatq.dll Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs@ole32 ole32.dll Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs@advapi32 advapi32.dll Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs@COMDLG32 COMDLG32.dll Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs@DllDirectory %SystemRoot%\system32 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs@DllDirectory32 %SystemRoot%\syswow64 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs@gdi32 gdi32.dll Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs@IERTUTIL IERTUTIL.dll Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs@IMAGEHLP IMAGEHLP.dll Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs@IMM32 IMM32.dll Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs@kernel32 kernel32.dll Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs@LPK LPK.dll Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs@MSCTF MSCTF.dll Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs@MSVCRT MSVCRT.dll Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs@NORMALIZ NORMALIZ.dll Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs@NSI NSI.dll Reg 
HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs@OLEAUT32 OLEAUT32.dll Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs@PSAPI PSAPI.DLL Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs@rpcrt4 rpcrt4.dll Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs@sechost sechost.dll Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs@Setupapi Setupapi.dll Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs@SHELL32 SHELL32.dll Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs@SHLWAPI SHLWAPI.dll Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs@URLMON URLMON.dll Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs@user32 user32.dll Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs@USP10 USP10.dll Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs@WININET WININET.dll Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs@WLDAP32 WLDAP32.dll Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs@WS2_32 WS2_32.dll Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs@DifxApi difxapi.dll Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@Type 2 Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@Start 2 Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@DisplayName aswFsBlk Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@Group FSFilter Activity Monitor Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@DependOnService FltMgr? Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@Description avast! 
mini-filter driver (aswFsBlk) Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@Tag 2 Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk\Instances Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk\Instances@DefaultInstance aswFsBlk Instance Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk\Instances\aswFsBlk Instance Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk\Instances\aswFsBlk Instance@Altitude 388400 Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk\Instances\aswFsBlk Instance@Flags 0 Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@Type 2 Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@Start 2 Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@ImagePath \??\C:\Windows\system32\drivers\aswMonFlt.sys Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@DisplayName aswMonFlt Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@Group FSFilter Anti-Virus Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@DependOnService FltMgr? Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@Description avast! 
mini-filter driver (aswMonFlt) Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt\Instances Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt\Instances@DefaultInstance aswMonFlt Instance Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt\Instances\aswMonFlt Instance Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt\Instances\aswMonFlt Instance@Altitude 320700 Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt\Instances\aswMonFlt Instance@Flags 0 Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@Type 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@Start 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@DisplayName aswRdr Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@Group PNP_TDI Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@DependOnService tcpip? Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@Description avast! WFP Redirect driver Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@ImagePath \SystemRoot\System32\Drivers\aswrdr2.sys Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr\Parameters Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr\Parameters@MSIgnoreLSPDefault Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr\Parameters@WSIgnoreLSPDefault nl_lsp.dll,imon.dll,xfire_lsp.dll,mslsp.dll,mssplsp.dll,cwhook.dll,spi.dll,bmnet.dll,winsflt.dll Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt@Type 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt@Start 0 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt@DisplayName aswRvrt Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt@Description avast! 
Revert Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt\Parameters Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt\Parameters@BootCounter 56 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt\Parameters@TickCounter 441374 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt\Parameters@SystemRoot \Device\Harddisk0\Partition1\Windows Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt\Parameters@ImproperShutdown 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@Type 2 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@Start 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@DisplayName aswSnx Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@Group FSFilter Virtualization Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@DependOnService FltMgr? Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@Description avast! virtualization driver (aswSnx) Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@Tag 2 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Instances Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Instances@DefaultInstance aswSnx Instance Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Instances\aswSnx Instance Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Instances\aswSnx Instance@Altitude 137600 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Instances\aswSnx Instance@Flags 0 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Parameters Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Parameters@ProgramFolder \DosDevices\C:\Program Files\AVAST Software\Avast Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Parameters@DataFolder \DosDevices\C:\ProgramData\AVAST Software\Avast Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP@Type 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP@Start 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP@ErrorControl 1 Reg 
HKLM\SYSTEM\CurrentControlSet\services\aswSP@DisplayName aswSP Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP@Description avast! Self Protection Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP\Parameters Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP\Parameters@BehavShield 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP\Parameters@ProgramFolder \DosDevices\C:\Program Files\AVAST Software\Avast Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP\Parameters@DataFolder \DosDevices\C:\ProgramData\AVAST Software\Avast Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP\Parameters@ProgramFilesFolder \DosDevices\C:\Program Files Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP\Parameters@GadgetFolder \DosDevices\C:\Program Files\Windows Sidebar\Shared Gadgets\aswSidebar.gadget Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP\Parameters@NoWelcomeScreen 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@Type 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@Start 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@DisplayName avast! Network Shield Support Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@Group PNP_TDI Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@DependOnService tcpip? Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@Description avast! Network Shield TDI driver Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@Tag 10 Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm@Type 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm@Start 0 Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm@DisplayName aswVmm Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm@Description avast! 
VM Monitor Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm\Parameters Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@Type 32 Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@Start 4 Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@ImagePath "C:\Program Files\AVAST Software\Avast\AvastSvc.exe" Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@DisplayName avast! Antivirus Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@Group ShellSvcGroup Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@DependOnService aswMonFlt?RpcSS? Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@WOW64 1 Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@ObjectName LocalSystem Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@ServiceSidType 1 Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@Description Instaluje i zarządza usługami antywirusowymi programu avast! na tym komputerze, co obejmuje rezydentny skaner, kwarantannę oraz harmonogram zadań. Reg HKLM\SYSTEM\CurrentControlSet\services\avast! 
Antivirus Reg HKLM\SYSTEM\ControlSet004\Control\Session Manager\KnownDLLs@clbcatq clbcatq.dll Reg HKLM\SYSTEM\ControlSet004\Control\Session Manager\KnownDLLs@ole32 ole32.dll Reg HKLM\SYSTEM\ControlSet004\Control\Session Manager\KnownDLLs@advapi32 advapi32.dll Reg HKLM\SYSTEM\ControlSet004\Control\Session Manager\KnownDLLs@COMDLG32 COMDLG32.dll Reg HKLM\SYSTEM\ControlSet004\Control\Session Manager\KnownDLLs@DllDirectory %SystemRoot%\system32 Reg HKLM\SYSTEM\ControlSet004\Control\Session Manager\KnownDLLs@DllDirectory32 %SystemRoot%\syswow64 Reg HKLM\SYSTEM\ControlSet004\Control\Session Manager\KnownDLLs@gdi32 gdi32.dll Reg HKLM\SYSTEM\ControlSet004\Control\Session Manager\KnownDLLs@IERTUTIL IERTUTIL.dll Reg HKLM\SYSTEM\ControlSet004\Control\Session Manager\KnownDLLs@IMAGEHLP IMAGEHLP.dll Reg HKLM\SYSTEM\ControlSet004\Control\Session Manager\KnownDLLs@IMM32 IMM32.dll Reg HKLM\SYSTEM\ControlSet004\Control\Session Manager\KnownDLLs@kernel32 kernel32.dll Reg HKLM\SYSTEM\ControlSet004\Control\Session Manager\KnownDLLs@LPK LPK.dll Reg HKLM\SYSTEM\ControlSet004\Control\Session Manager\KnownDLLs@MSCTF MSCTF.dll Reg HKLM\SYSTEM\ControlSet004\Control\Session Manager\KnownDLLs@MSVCRT MSVCRT.dll Reg HKLM\SYSTEM\ControlSet004\Control\Session Manager\KnownDLLs@NORMALIZ NORMALIZ.dll Reg HKLM\SYSTEM\ControlSet004\Control\Session Manager\KnownDLLs@NSI NSI.dll Reg HKLM\SYSTEM\ControlSet004\Control\Session Manager\KnownDLLs@OLEAUT32 OLEAUT32.dll Reg HKLM\SYSTEM\ControlSet004\Control\Session Manager\KnownDLLs@PSAPI PSAPI.DLL Reg HKLM\SYSTEM\ControlSet004\Control\Session Manager\KnownDLLs@rpcrt4 rpcrt4.dll Reg HKLM\SYSTEM\ControlSet004\Control\Session Manager\KnownDLLs@sechost sechost.dll Reg HKLM\SYSTEM\ControlSet004\Control\Session Manager\KnownDLLs@Setupapi Setupapi.dll Reg HKLM\SYSTEM\ControlSet004\Control\Session Manager\KnownDLLs@SHELL32 SHELL32.dll Reg HKLM\SYSTEM\ControlSet004\Control\Session Manager\KnownDLLs@SHLWAPI SHLWAPI.dll Reg HKLM\SYSTEM\ControlSet004\Control\Session 
Manager\KnownDLLs@URLMON URLMON.dll Reg HKLM\SYSTEM\ControlSet004\Control\Session Manager\KnownDLLs@user32 user32.dll Reg HKLM\SYSTEM\ControlSet004\Control\Session Manager\KnownDLLs@USP10 USP10.dll Reg HKLM\SYSTEM\ControlSet004\Control\Session Manager\KnownDLLs@WININET WININET.dll Reg HKLM\SYSTEM\ControlSet004\Control\Session Manager\KnownDLLs@WLDAP32 WLDAP32.dll Reg HKLM\SYSTEM\ControlSet004\Control\Session Manager\KnownDLLs@WS2_32 WS2_32.dll Reg HKLM\SYSTEM\ControlSet004\Control\Session Manager\KnownDLLs@DifxApi difxapi.dll Reg HKLM\SYSTEM\ControlSet004\services\aswFsBlk@Type 2 Reg HKLM\SYSTEM\ControlSet004\services\aswFsBlk@Start 2 Reg HKLM\SYSTEM\ControlSet004\services\aswFsBlk@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet004\services\aswFsBlk@DisplayName aswFsBlk Reg HKLM\SYSTEM\ControlSet004\services\aswFsBlk@Group FSFilter Activity Monitor Reg HKLM\SYSTEM\ControlSet004\services\aswFsBlk@DependOnService FltMgr? Reg HKLM\SYSTEM\ControlSet004\services\aswFsBlk@Description avast! mini-filter driver (aswFsBlk) Reg HKLM\SYSTEM\ControlSet004\services\aswFsBlk@Tag 2 Reg HKLM\SYSTEM\ControlSet004\services\aswFsBlk\Instances (not active ControlSet) Reg HKLM\SYSTEM\ControlSet004\services\aswFsBlk\Instances@DefaultInstance aswFsBlk Instance Reg HKLM\SYSTEM\ControlSet004\services\aswFsBlk\Instances\aswFsBlk Instance (not active ControlSet) Reg HKLM\SYSTEM\ControlSet004\services\aswFsBlk\Instances\aswFsBlk Instance@Altitude 388400 Reg HKLM\SYSTEM\ControlSet004\services\aswFsBlk\Instances\aswFsBlk Instance@Flags 0 Reg HKLM\SYSTEM\ControlSet004\services\aswMonFlt@Type 2 Reg HKLM\SYSTEM\ControlSet004\services\aswMonFlt@Start 2 Reg HKLM\SYSTEM\ControlSet004\services\aswMonFlt@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet004\services\aswMonFlt@ImagePath \??\C:\Windows\system32\drivers\aswMonFlt.sys Reg HKLM\SYSTEM\ControlSet004\services\aswMonFlt@DisplayName aswMonFlt Reg HKLM\SYSTEM\ControlSet004\services\aswMonFlt@Group FSFilter Anti-Virus Reg 
HKLM\SYSTEM\ControlSet004\services\aswMonFlt@DependOnService FltMgr? Reg HKLM\SYSTEM\ControlSet004\services\aswMonFlt@Description avast! mini-filter driver (aswMonFlt) Reg HKLM\SYSTEM\ControlSet004\services\aswMonFlt\Instances (not active ControlSet) Reg HKLM\SYSTEM\ControlSet004\services\aswMonFlt\Instances@DefaultInstance aswMonFlt Instance Reg HKLM\SYSTEM\ControlSet004\services\aswMonFlt\Instances\aswMonFlt Instance (not active ControlSet) Reg HKLM\SYSTEM\ControlSet004\services\aswMonFlt\Instances\aswMonFlt Instance@Altitude 320700 Reg HKLM\SYSTEM\ControlSet004\services\aswMonFlt\Instances\aswMonFlt Instance@Flags 0 Reg HKLM\SYSTEM\ControlSet004\services\aswRdr@Type 1 Reg HKLM\SYSTEM\ControlSet004\services\aswRdr@Start 1 Reg HKLM\SYSTEM\ControlSet004\services\aswRdr@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet004\services\aswRdr@DisplayName aswRdr Reg HKLM\SYSTEM\ControlSet004\services\aswRdr@Group PNP_TDI Reg HKLM\SYSTEM\ControlSet004\services\aswRdr@DependOnService tcpip? Reg HKLM\SYSTEM\ControlSet004\services\aswRdr@Description avast! WFP Redirect driver Reg HKLM\SYSTEM\ControlSet004\services\aswRdr@ImagePath \SystemRoot\System32\Drivers\aswrdr2.sys Reg HKLM\SYSTEM\ControlSet004\services\aswRdr\Parameters (not active ControlSet) Reg HKLM\SYSTEM\ControlSet004\services\aswRdr\Parameters@MSIgnoreLSPDefault Reg HKLM\SYSTEM\ControlSet004\services\aswRdr\Parameters@WSIgnoreLSPDefault nl_lsp.dll,imon.dll,xfire_lsp.dll,mslsp.dll,mssplsp.dll,cwhook.dll,spi.dll,bmnet.dll,winsflt.dll Reg HKLM\SYSTEM\ControlSet004\services\aswRvrt@Type 1 Reg HKLM\SYSTEM\ControlSet004\services\aswRvrt@Start 0 Reg HKLM\SYSTEM\ControlSet004\services\aswRvrt@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet004\services\aswRvrt@DisplayName aswRvrt Reg HKLM\SYSTEM\ControlSet004\services\aswRvrt@Description avast! 
Revert Reg HKLM\SYSTEM\ControlSet004\services\aswRvrt\Parameters (not active ControlSet) Reg HKLM\SYSTEM\ControlSet004\services\aswRvrt\Parameters@BootCounter 56 Reg HKLM\SYSTEM\ControlSet004\services\aswRvrt\Parameters@TickCounter 441374 Reg HKLM\SYSTEM\ControlSet004\services\aswRvrt\Parameters@SystemRoot \Device\Harddisk0\Partition1\Windows Reg HKLM\SYSTEM\ControlSet004\services\aswRvrt\Parameters@ImproperShutdown 1 Reg HKLM\SYSTEM\ControlSet004\services\aswSnx@Type 2 Reg HKLM\SYSTEM\ControlSet004\services\aswSnx@Start 1 Reg HKLM\SYSTEM\ControlSet004\services\aswSnx@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet004\services\aswSnx@DisplayName aswSnx Reg HKLM\SYSTEM\ControlSet004\services\aswSnx@Group FSFilter Virtualization Reg HKLM\SYSTEM\ControlSet004\services\aswSnx@DependOnService FltMgr? Reg HKLM\SYSTEM\ControlSet004\services\aswSnx@Description avast! virtualization driver (aswSnx) Reg HKLM\SYSTEM\ControlSet004\services\aswSnx@Tag 2 Reg HKLM\SYSTEM\ControlSet004\services\aswSnx\Instances (not active ControlSet) Reg HKLM\SYSTEM\ControlSet004\services\aswSnx\Instances@DefaultInstance aswSnx Instance Reg HKLM\SYSTEM\ControlSet004\services\aswSnx\Instances\aswSnx Instance (not active ControlSet) Reg HKLM\SYSTEM\ControlSet004\services\aswSnx\Instances\aswSnx Instance@Altitude 137600 Reg HKLM\SYSTEM\ControlSet004\services\aswSnx\Instances\aswSnx Instance@Flags 0 Reg HKLM\SYSTEM\ControlSet004\services\aswSnx\Parameters (not active ControlSet) Reg HKLM\SYSTEM\ControlSet004\services\aswSnx\Parameters@ProgramFolder \DosDevices\C:\Program Files\AVAST Software\Avast Reg HKLM\SYSTEM\ControlSet004\services\aswSnx\Parameters@DataFolder \DosDevices\C:\ProgramData\AVAST Software\Avast Reg HKLM\SYSTEM\ControlSet004\services\aswSP@Type 1 Reg HKLM\SYSTEM\ControlSet004\services\aswSP@Start 1 Reg HKLM\SYSTEM\ControlSet004\services\aswSP@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet004\services\aswSP@DisplayName aswSP Reg HKLM\SYSTEM\ControlSet004\services\aswSP@Description avast! 
Self Protection Reg HKLM\SYSTEM\ControlSet004\services\aswSP\Parameters (not active ControlSet) Reg HKLM\SYSTEM\ControlSet004\services\aswSP\Parameters@BehavShield 1 Reg HKLM\SYSTEM\ControlSet004\services\aswSP\Parameters@ProgramFolder \DosDevices\C:\Program Files\AVAST Software\Avast Reg HKLM\SYSTEM\ControlSet004\services\aswSP\Parameters@DataFolder \DosDevices\C:\ProgramData\AVAST Software\Avast Reg HKLM\SYSTEM\ControlSet004\services\aswSP\Parameters@ProgramFilesFolder \DosDevices\C:\Program Files Reg HKLM\SYSTEM\ControlSet004\services\aswSP\Parameters@GadgetFolder \DosDevices\C:\Program Files\Windows Sidebar\Shared Gadgets\aswSidebar.gadget Reg HKLM\SYSTEM\ControlSet004\services\aswSP\Parameters@NoWelcomeScreen 1 Reg HKLM\SYSTEM\ControlSet004\services\aswTdi@Type 1 Reg HKLM\SYSTEM\ControlSet004\services\aswTdi@Start 1 Reg HKLM\SYSTEM\ControlSet004\services\aswTdi@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet004\services\aswTdi@DisplayName avast! Network Shield Support Reg HKLM\SYSTEM\ControlSet004\services\aswTdi@Group PNP_TDI Reg HKLM\SYSTEM\ControlSet004\services\aswTdi@DependOnService tcpip? Reg HKLM\SYSTEM\ControlSet004\services\aswTdi@Description avast! Network Shield TDI driver Reg HKLM\SYSTEM\ControlSet004\services\aswTdi@Tag 10 Reg HKLM\SYSTEM\ControlSet004\services\aswVmm@Type 1 Reg HKLM\SYSTEM\ControlSet004\services\aswVmm@Start 0 Reg HKLM\SYSTEM\ControlSet004\services\aswVmm@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet004\services\aswVmm@DisplayName aswVmm Reg HKLM\SYSTEM\ControlSet004\services\aswVmm@Description avast! VM Monitor Reg HKLM\SYSTEM\ControlSet004\services\aswVmm\Parameters (not active ControlSet) Reg HKLM\SYSTEM\ControlSet004\services\avast! Antivirus@Type 32 Reg HKLM\SYSTEM\ControlSet004\services\avast! Antivirus@Start 4 Reg HKLM\SYSTEM\ControlSet004\services\avast! Antivirus@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet004\services\avast! 
Antivirus@ImagePath "C:\Program Files\AVAST Software\Avast\AvastSvc.exe" Reg HKLM\SYSTEM\ControlSet004\services\avast! Antivirus@DisplayName avast! Antivirus Reg HKLM\SYSTEM\ControlSet004\services\avast! Antivirus@Group ShellSvcGroup Reg HKLM\SYSTEM\ControlSet004\services\avast! Antivirus@DependOnService aswMonFlt?RpcSS? Reg HKLM\SYSTEM\ControlSet004\services\avast! Antivirus@WOW64 1 Reg HKLM\SYSTEM\ControlSet004\services\avast! Antivirus@ObjectName LocalSystem Reg HKLM\SYSTEM\ControlSet004\services\avast! Antivirus@ServiceSidType 1 Reg HKLM\SYSTEM\ControlSet004\services\avast! Antivirus@Description Instaluje i zarządza usługami antywirusowymi programu avast! na tym komputerze, co obejmuje rezydentny skaner, kwarantannę oraz harmonogram zadań. ---- EOF - GMER 2.1 ----