GMER 2.1.19163 - http://www.gmer.net Rootkit scan 2013-11-05 20:55:48 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-4 SAMSUNG_HD642JJ rev.1AA01118 596,17GB Running: 0yzgukkq.exe; Driver: C:\Users\Piotr\AppData\Local\Temp\awrdrkog.sys ---- Kernel code sections - GMER 2.1 ---- INITKDBG C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 528 fffff80002da9000 45 bytes [00, 00, 15, 02, 46, 69, 6C, ...] INITKDBG C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 575 fffff80002da902f 16 bytes [00, 00, 00, 00, 00, 00, 00, ...] ---- User code sections - GMER 2.1 ---- .text C:\Windows\system32\csrss.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077821360 5 bytes JMP 0000000100040460 .text C:\Windows\system32\csrss.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000778213b0 5 bytes JMP 0000000100040450 .text C:\Windows\system32\csrss.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077821510 5 bytes JMP 0000000100040370 .text C:\Windows\system32\csrss.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077821560 5 bytes JMP 0000000100040470 .text C:\Windows\system32\csrss.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077821570 5 bytes JMP 00000001000403e0 .text C:\Windows\system32\csrss.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077821620 5 bytes JMP 0000000100040320 .text C:\Windows\system32\csrss.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077821650 5 bytes JMP 00000001000403b0 .text C:\Windows\system32\csrss.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077821670 5 bytes JMP 0000000100040390 .text C:\Windows\system32\csrss.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778216b0 5 bytes JMP 00000001000402e0 .text C:\Windows\system32\csrss.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077821730 5 bytes JMP 00000001000402d0 .text 
C:\Windows\system32\csrss.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077821750 5 bytes JMP 0000000100040310 .text C:\Windows\system32\csrss.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077821790 5 bytes JMP 00000001000403c0 .text C:\Windows\system32\csrss.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778217e0 5 bytes JMP 00000001000403f0 .text C:\Windows\system32\csrss.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077821940 5 bytes JMP 0000000100040230 .text C:\Windows\system32\csrss.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077821b00 5 bytes JMP 0000000100040480 .text C:\Windows\system32\csrss.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077821b30 5 bytes JMP 00000001000403a0 .text C:\Windows\system32\csrss.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077821c10 5 bytes JMP 00000001000402f0 .text C:\Windows\system32\csrss.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077821c20 5 bytes JMP 0000000100040350 .text C:\Windows\system32\csrss.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077821c80 5 bytes JMP 0000000100040290 .text C:\Windows\system32\csrss.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077821d10 5 bytes JMP 00000001000402b0 .text C:\Windows\system32\csrss.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077821d30 5 bytes JMP 00000001000403d0 .text C:\Windows\system32\csrss.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077821d40 5 bytes JMP 0000000100040330 .text C:\Windows\system32\csrss.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077821db0 5 bytes JMP 0000000100040410 .text C:\Windows\system32\csrss.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077821de0 5 bytes JMP 0000000100040240 .text C:\Windows\system32\csrss.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778220a0 5 bytes 
JMP 00000001000401e0 .text C:\Windows\system32\csrss.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077822160 5 bytes JMP 0000000100040250 .text C:\Windows\system32\csrss.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077822190 5 bytes JMP 0000000100040490 .text C:\Windows\system32\csrss.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778221a0 5 bytes JMP 00000001000404a0 .text C:\Windows\system32\csrss.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778221d0 5 bytes JMP 0000000100040300 .text C:\Windows\system32\csrss.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778221e0 5 bytes JMP 0000000100040360 .text C:\Windows\system32\csrss.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077822240 5 bytes JMP 00000001000402a0 .text C:\Windows\system32\csrss.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077822290 5 bytes JMP 00000001000402c0 .text C:\Windows\system32\csrss.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000778222c0 5 bytes JMP 0000000100040380 .text C:\Windows\system32\csrss.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778222d0 5 bytes JMP 0000000100040340 .text C:\Windows\system32\csrss.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000778225c0 5 bytes JMP 0000000100040440 .text C:\Windows\system32\csrss.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778227c0 5 bytes JMP 0000000100040260 .text C:\Windows\system32\csrss.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778227d0 5 bytes JMP 0000000100040270 .text C:\Windows\system32\csrss.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778227e0 5 bytes JMP 0000000100040400 .text C:\Windows\system32\csrss.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778229a0 5 bytes JMP 00000001000401f0 .text C:\Windows\system32\csrss.exe[432] 
C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778229b0 5 bytes JMP 0000000100040210 .text C:\Windows\system32\csrss.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077822a20 5 bytes JMP 0000000100040200 .text C:\Windows\system32\csrss.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077822a80 5 bytes JMP 0000000100040420 .text C:\Windows\system32\csrss.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077822a90 5 bytes JMP 0000000100040430 .text C:\Windows\system32\csrss.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077822aa0 5 bytes JMP 0000000100040220 .text C:\Windows\system32\csrss.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077822b80 5 bytes JMP 0000000100040280 .text C:\Windows\system32\wininit.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077821360 5 bytes JMP 0000000100040460 .text C:\Windows\system32\wininit.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000778213b0 5 bytes JMP 0000000100040450 .text C:\Windows\system32\wininit.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077821510 5 bytes JMP 0000000100040370 .text C:\Windows\system32\wininit.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077821560 5 bytes JMP 0000000100040470 .text C:\Windows\system32\wininit.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077821570 5 bytes JMP 00000001000403e0 .text C:\Windows\system32\wininit.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077821620 5 bytes JMP 0000000100040320 .text C:\Windows\system32\wininit.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077821650 5 bytes JMP 00000001000403b0 .text C:\Windows\system32\wininit.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077821670 5 bytes JMP 0000000100040390 .text C:\Windows\system32\wininit.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778216b0 5 bytes JMP 00000001000402e0 
.text C:\Windows\system32\wininit.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077821730 5 bytes JMP 00000001000402d0 .text C:\Windows\system32\wininit.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077821750 5 bytes JMP 0000000100040310 .text C:\Windows\system32\wininit.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077821790 5 bytes JMP 00000001000403c0 .text C:\Windows\system32\wininit.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778217e0 5 bytes JMP 00000001000403f0 .text C:\Windows\system32\wininit.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077821940 5 bytes JMP 0000000100040230 .text C:\Windows\system32\wininit.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077821b00 5 bytes JMP 0000000100040480 .text C:\Windows\system32\wininit.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077821b30 5 bytes JMP 00000001000403a0 .text C:\Windows\system32\wininit.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077821c10 5 bytes JMP 00000001000402f0 .text C:\Windows\system32\wininit.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077821c20 5 bytes JMP 0000000100040350 .text C:\Windows\system32\wininit.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077821c80 5 bytes JMP 0000000100040290 .text C:\Windows\system32\wininit.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077821d10 5 bytes JMP 00000001000402b0 .text C:\Windows\system32\wininit.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077821d30 5 bytes JMP 00000001000403d0 .text C:\Windows\system32\wininit.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077821d40 5 bytes JMP 0000000100040330 .text C:\Windows\system32\wininit.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077821db0 5 bytes JMP 0000000100040410 .text C:\Windows\system32\wininit.exe[500] 
C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077821de0 5 bytes JMP 0000000100040240 .text C:\Windows\system32\wininit.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778220a0 5 bytes JMP 00000001000401e0 .text C:\Windows\system32\wininit.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077822160 5 bytes JMP 0000000100040250 .text C:\Windows\system32\wininit.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077822190 5 bytes JMP 0000000100040490 .text C:\Windows\system32\wininit.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778221a0 5 bytes JMP 00000001000404a0 .text C:\Windows\system32\wininit.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778221d0 5 bytes JMP 0000000100040300 .text C:\Windows\system32\wininit.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778221e0 5 bytes JMP 0000000100040360 .text C:\Windows\system32\wininit.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077822240 5 bytes JMP 00000001000402a0 .text C:\Windows\system32\wininit.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077822290 5 bytes JMP 00000001000402c0 .text C:\Windows\system32\wininit.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000778222c0 5 bytes JMP 0000000100040380 .text C:\Windows\system32\wininit.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778222d0 5 bytes JMP 0000000100040340 .text C:\Windows\system32\wininit.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000778225c0 5 bytes JMP 0000000100040440 .text C:\Windows\system32\wininit.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778227c0 5 bytes JMP 0000000100040260 .text C:\Windows\system32\wininit.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778227d0 5 bytes JMP 0000000100040270 .text C:\Windows\system32\wininit.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778227e0 5 bytes JMP 0000000100040400 
.text C:\Windows\system32\wininit.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778229a0 5 bytes JMP 00000001000401f0 .text C:\Windows\system32\wininit.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778229b0 5 bytes JMP 0000000100040210 .text C:\Windows\system32\wininit.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077822a20 5 bytes JMP 0000000100040200 .text C:\Windows\system32\wininit.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077822a80 5 bytes JMP 0000000100040420 .text C:\Windows\system32\wininit.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077822a90 5 bytes JMP 0000000100040430 .text C:\Windows\system32\wininit.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077822aa0 5 bytes JMP 0000000100040220 .text C:\Windows\system32\wininit.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077822b80 5 bytes JMP 0000000100040280 .text C:\Windows\system32\wininit.exe[500] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007770eecd 1 byte [62] .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077821360 5 bytes JMP 00000001498d0460 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000778213b0 5 bytes JMP 00000001498d0450 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077821510 5 bytes JMP 00000001498d0370 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077821560 5 bytes JMP 00000001498d0470 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077821570 5 bytes JMP 00000001498d03e0 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077821620 5 bytes JMP 00000001498d0320 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 
0000000077821650 5 bytes JMP 00000001498d03b0 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077821670 5 bytes JMP 00000001498d0390 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778216b0 5 bytes JMP 00000001498d02e0 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077821730 5 bytes JMP 00000001498d02d0 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077821750 5 bytes JMP 00000001498d0310 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077821790 5 bytes JMP 00000001498d03c0 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778217e0 5 bytes JMP 00000001498d03f0 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077821940 5 bytes JMP 00000001498d0230 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077821b00 5 bytes JMP 00000001498d0480 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077821b30 5 bytes JMP 00000001498d03a0 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077821c10 5 bytes JMP 00000001498d02f0 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077821c20 5 bytes JMP 00000001498d0350 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077821c80 5 bytes JMP 00000001498d0290 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077821d10 5 bytes JMP 00000001498d02b0 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077821d30 5 bytes JMP 00000001498d03d0 .text C:\Windows\system32\csrss.exe[524] 
C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077821d40 5 bytes JMP 00000001498d0330 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077821db0 5 bytes JMP 00000001498d0410 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077821de0 5 bytes JMP 00000001498d0240 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778220a0 5 bytes JMP 00000001498d01e0 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077822160 5 bytes JMP 00000001498d0250 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077822190 5 bytes JMP 00000001498d0490 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778221a0 5 bytes JMP 00000001498d04a0 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778221d0 5 bytes JMP 00000001498d0300 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778221e0 5 bytes JMP 00000001498d0360 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077822240 5 bytes JMP 00000001498d02a0 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077822290 5 bytes JMP 00000001498d02c0 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000778222c0 5 bytes JMP 00000001498d0380 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778222d0 5 bytes JMP 00000001498d0340 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000778225c0 5 bytes JMP 00000001498d0440 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778227c0 5 bytes JMP 00000001498d0260 .text 
C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778227d0 5 bytes JMP 00000001498d0270 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778227e0 5 bytes JMP 00000001498d0400 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778229a0 5 bytes JMP 00000001498d01f0 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778229b0 5 bytes JMP 00000001498d0210 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077822a20 5 bytes JMP 00000001498d0200 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077822a80 5 bytes JMP 00000001498d0420 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077822a90 5 bytes JMP 00000001498d0430 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077822aa0 5 bytes JMP 00000001498d0220 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077822b80 5 bytes JMP 00000001498d0280 .text C:\Windows\system32\services.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077821360 5 bytes JMP 0000000077980460 .text C:\Windows\system32\services.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000778213b0 5 bytes JMP 0000000077980450 .text C:\Windows\system32\services.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077821510 5 bytes JMP 0000000077980370 .text C:\Windows\system32\services.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077821560 5 bytes JMP 0000000077980470 .text C:\Windows\system32\services.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077821570 5 bytes JMP 00000000779803e0 .text C:\Windows\system32\services.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 
0000000077821620 5 bytes JMP 0000000077980320 .text C:\Windows\system32\services.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077821650 5 bytes JMP 00000000779803b0 .text C:\Windows\system32\services.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077821670 5 bytes JMP 0000000077980390 .text C:\Windows\system32\services.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778216b0 5 bytes JMP 00000000779802e0 .text C:\Windows\system32\services.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077821730 5 bytes JMP 00000000779802d0 .text C:\Windows\system32\services.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077821750 5 bytes JMP 0000000077980310 .text C:\Windows\system32\services.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077821790 5 bytes JMP 00000000779803c0 .text C:\Windows\system32\services.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778217e0 5 bytes JMP 00000000779803f0 .text C:\Windows\system32\services.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077821940 5 bytes JMP 0000000077980230 .text C:\Windows\system32\services.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077821b00 5 bytes JMP 0000000077980480 .text C:\Windows\system32\services.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077821b30 5 bytes JMP 00000000779803a0 .text C:\Windows\system32\services.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077821c10 5 bytes JMP 00000000779802f0 .text C:\Windows\system32\services.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077821c20 5 bytes JMP 0000000077980350 .text C:\Windows\system32\services.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077821c80 5 bytes JMP 0000000077980290 .text C:\Windows\system32\services.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077821d10 5 bytes JMP 00000000779802b0 .text 
C:\Windows\system32\services.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077821d30 5 bytes JMP 00000000779803d0 .text C:\Windows\system32\services.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077821d40 5 bytes JMP 0000000077980330 .text C:\Windows\system32\services.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077821db0 5 bytes JMP 0000000077980410 .text C:\Windows\system32\services.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077821de0 5 bytes JMP 0000000077980240 .text C:\Windows\system32\services.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778220a0 5 bytes JMP 00000000779801e0 .text C:\Windows\system32\services.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077822160 5 bytes JMP 0000000077980250 .text C:\Windows\system32\services.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077822190 5 bytes JMP 0000000077980490 .text C:\Windows\system32\services.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778221a0 5 bytes JMP 00000000779804a0 .text C:\Windows\system32\services.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778221d0 5 bytes JMP 0000000077980300 .text C:\Windows\system32\services.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778221e0 5 bytes JMP 0000000077980360 .text C:\Windows\system32\services.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077822240 5 bytes JMP 00000000779802a0 .text C:\Windows\system32\services.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077822290 5 bytes JMP 00000000779802c0 .text C:\Windows\system32\services.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000778222c0 5 bytes JMP 0000000077980380 .text C:\Windows\system32\services.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778222d0 5 bytes JMP 0000000077980340 .text C:\Windows\system32\services.exe[556] 
C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000778225c0 5 bytes JMP 0000000077980440 .text C:\Windows\system32\services.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778227c0 5 bytes JMP 0000000077980260 .text C:\Windows\system32\services.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778227d0 5 bytes JMP 0000000077980270 .text C:\Windows\system32\services.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778227e0 5 bytes JMP 0000000077980400 .text C:\Windows\system32\services.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778229a0 5 bytes JMP 00000000779801f0 .text C:\Windows\system32\services.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778229b0 5 bytes JMP 0000000077980210 .text C:\Windows\system32\services.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077822a20 5 bytes JMP 0000000077980200 .text C:\Windows\system32\services.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077822a80 5 bytes JMP 0000000077980420 .text C:\Windows\system32\services.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077822a90 5 bytes JMP 0000000077980430 .text C:\Windows\system32\services.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077822aa0 5 bytes JMP 0000000077980220 .text C:\Windows\system32\services.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077822b80 5 bytes JMP 0000000077980280 .text C:\Windows\system32\services.exe[556] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007770eecd 1 byte [62] .text C:\Windows\system32\lsass.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077821360 5 bytes JMP 0000000077980460 .text C:\Windows\system32\lsass.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000778213b0 5 bytes JMP 0000000077980450 .text C:\Windows\system32\lsass.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077821510 5 bytes JMP 
0000000077980370 .text C:\Windows\system32\lsass.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077821560 5 bytes JMP 0000000077980470 .text C:\Windows\system32\lsass.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077821570 5 bytes JMP 00000000779803e0 .text C:\Windows\system32\lsass.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077821620 5 bytes JMP 0000000077980320 .text C:\Windows\system32\lsass.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077821650 5 bytes JMP 00000000779803b0 .text C:\Windows\system32\lsass.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077821670 5 bytes JMP 0000000077980390 .text C:\Windows\system32\lsass.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778216b0 5 bytes JMP 00000000779802e0 .text C:\Windows\system32\lsass.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077821730 5 bytes JMP 00000000779802d0 .text C:\Windows\system32\lsass.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077821750 5 bytes JMP 0000000077980310 .text C:\Windows\system32\lsass.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077821790 5 bytes JMP 00000000779803c0 .text C:\Windows\system32\lsass.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778217e0 5 bytes JMP 00000000779803f0 .text C:\Windows\system32\lsass.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077821940 5 bytes JMP 0000000077980230 .text C:\Windows\system32\lsass.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077821b00 5 bytes JMP 0000000077980480 .text C:\Windows\system32\lsass.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077821b30 5 bytes JMP 00000000779803a0 .text C:\Windows\system32\lsass.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077821c10 5 bytes JMP 00000000779802f0 .text C:\Windows\system32\lsass.exe[592] 
C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077821c20 5 bytes JMP 0000000077980350 .text C:\Windows\system32\lsass.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077821c80 5 bytes JMP 0000000077980290 .text C:\Windows\system32\lsass.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077821d10 5 bytes JMP 00000000779802b0 .text C:\Windows\system32\lsass.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077821d30 5 bytes JMP 00000000779803d0 .text C:\Windows\system32\lsass.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077821d40 5 bytes JMP 0000000077980330 .text C:\Windows\system32\lsass.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077821db0 5 bytes JMP 0000000077980410 .text C:\Windows\system32\lsass.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077821de0 5 bytes JMP 0000000077980240 .text C:\Windows\system32\lsass.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778220a0 5 bytes JMP 00000000779801e0 .text C:\Windows\system32\lsass.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077822160 5 bytes JMP 0000000077980250 .text C:\Windows\system32\lsass.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077822190 5 bytes JMP 0000000077980490 .text C:\Windows\system32\lsass.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778221a0 5 bytes JMP 00000000779804a0 .text C:\Windows\system32\lsass.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778221d0 5 bytes JMP 0000000077980300 .text C:\Windows\system32\lsass.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778221e0 5 bytes JMP 0000000077980360 .text C:\Windows\system32\lsass.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077822240 5 bytes JMP 00000000779802a0 .text C:\Windows\system32\lsass.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077822290 5 bytes JMP 00000000779802c0 .text 
C:\Windows\system32\lsass.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000778222c0 5 bytes JMP 0000000077980380 .text C:\Windows\system32\lsass.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778222d0 5 bytes JMP 0000000077980340 .text C:\Windows\system32\lsass.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000778225c0 5 bytes JMP 0000000077980440 .text C:\Windows\system32\lsass.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778227c0 5 bytes JMP 0000000077980260 .text C:\Windows\system32\lsass.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778227d0 5 bytes JMP 0000000077980270 .text C:\Windows\system32\lsass.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778227e0 5 bytes JMP 0000000077980400 .text C:\Windows\system32\lsass.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778229a0 5 bytes JMP 00000000779801f0 .text C:\Windows\system32\lsass.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778229b0 5 bytes JMP 0000000077980210 .text C:\Windows\system32\lsass.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077822a20 5 bytes JMP 0000000077980200 .text C:\Windows\system32\lsass.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077822a80 5 bytes JMP 0000000077980420 .text C:\Windows\system32\lsass.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077822a90 5 bytes JMP 0000000077980430 .text C:\Windows\system32\lsass.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077822aa0 5 bytes JMP 0000000077980220 .text C:\Windows\system32\lsass.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077822b80 5 bytes JMP 0000000077980280 .text C:\Windows\system32\winlogon.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077821360 5 bytes JMP 0000000077980460 .text C:\Windows\system32\winlogon.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000778213b0 5 bytes 
JMP 0000000077980450 .text C:\Windows\system32\winlogon.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077821510 5 bytes JMP 0000000077980370 .text C:\Windows\system32\winlogon.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077821560 5 bytes JMP 0000000077980470 .text C:\Windows\system32\winlogon.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077821570 5 bytes JMP 00000000779803e0 .text C:\Windows\system32\winlogon.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077821620 5 bytes JMP 0000000077980320 .text C:\Windows\system32\winlogon.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077821650 5 bytes JMP 00000000779803b0 .text C:\Windows\system32\winlogon.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077821670 5 bytes JMP 0000000077980390 .text C:\Windows\system32\winlogon.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778216b0 5 bytes JMP 00000000779802e0 .text C:\Windows\system32\winlogon.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077821730 5 bytes JMP 00000000779802d0 .text C:\Windows\system32\winlogon.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077821750 5 bytes JMP 0000000077980310 .text C:\Windows\system32\winlogon.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077821790 5 bytes JMP 00000000779803c0 .text C:\Windows\system32\winlogon.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778217e0 5 bytes JMP 00000000779803f0 .text C:\Windows\system32\winlogon.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077821940 5 bytes JMP 0000000077980230 .text C:\Windows\system32\winlogon.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077821b00 5 bytes JMP 0000000077980480 .text C:\Windows\system32\winlogon.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077821b30 5 bytes JMP 00000000779803a0 .text C:\Windows\system32\winlogon.exe[608] 
C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077821c10 5 bytes JMP 00000000779802f0 .text C:\Windows\system32\winlogon.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077821c20 5 bytes JMP 0000000077980350 .text C:\Windows\system32\winlogon.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077821c80 5 bytes JMP 0000000077980290 .text C:\Windows\system32\winlogon.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077821d10 5 bytes JMP 00000000779802b0 .text C:\Windows\system32\winlogon.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077821d30 5 bytes JMP 00000000779803d0 .text C:\Windows\system32\winlogon.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077821d40 5 bytes JMP 0000000077980330 .text C:\Windows\system32\winlogon.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077821db0 5 bytes JMP 0000000077980410 .text C:\Windows\system32\winlogon.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077821de0 5 bytes JMP 0000000077980240 .text C:\Windows\system32\winlogon.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778220a0 5 bytes JMP 00000000779801e0 .text C:\Windows\system32\winlogon.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077822160 5 bytes JMP 0000000077980250 .text C:\Windows\system32\winlogon.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077822190 5 bytes JMP 0000000077980490 .text C:\Windows\system32\winlogon.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778221a0 5 bytes JMP 00000000779804a0 .text C:\Windows\system32\winlogon.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778221d0 5 bytes JMP 0000000077980300 .text C:\Windows\system32\winlogon.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778221e0 5 bytes JMP 0000000077980360 .text C:\Windows\system32\winlogon.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077822240 5 
bytes JMP 00000000779802a0 .text C:\Windows\system32\winlogon.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077822290 5 bytes JMP 00000000779802c0 .text C:\Windows\system32\winlogon.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000778222c0 5 bytes JMP 0000000077980380 .text C:\Windows\system32\winlogon.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778222d0 5 bytes JMP 0000000077980340 .text C:\Windows\system32\winlogon.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000778225c0 5 bytes JMP 0000000077980440 .text C:\Windows\system32\winlogon.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778227c0 5 bytes JMP 0000000077980260 .text C:\Windows\system32\winlogon.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778227d0 5 bytes JMP 0000000077980270 .text C:\Windows\system32\winlogon.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778227e0 5 bytes JMP 0000000077980400 .text C:\Windows\system32\winlogon.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778229a0 5 bytes JMP 00000000779801f0 .text C:\Windows\system32\winlogon.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778229b0 5 bytes JMP 0000000077980210 .text C:\Windows\system32\winlogon.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077822a20 5 bytes JMP 0000000077980200 .text C:\Windows\system32\winlogon.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077822a80 5 bytes JMP 0000000077980420 .text C:\Windows\system32\winlogon.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077822a90 5 bytes JMP 0000000077980430 .text C:\Windows\system32\winlogon.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077822aa0 5 bytes JMP 0000000077980220 .text C:\Windows\system32\winlogon.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077822b80 5 bytes JMP 0000000077980280 .text C:\Windows\system32\winlogon.exe[608] 
C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007770eecd 1 byte [62] .text C:\Windows\system32\lsm.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077821360 5 bytes JMP 0000000077980460 .text C:\Windows\system32\lsm.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000778213b0 5 bytes JMP 0000000077980450 .text C:\Windows\system32\lsm.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077821510 5 bytes JMP 0000000077980370 .text C:\Windows\system32\lsm.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077821560 5 bytes JMP 0000000077980470 .text C:\Windows\system32\lsm.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077821570 5 bytes JMP 00000000779803e0 .text C:\Windows\system32\lsm.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077821620 5 bytes JMP 0000000077980320 .text C:\Windows\system32\lsm.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077821650 5 bytes JMP 00000000779803b0 .text C:\Windows\system32\lsm.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077821670 5 bytes JMP 0000000077980390 .text C:\Windows\system32\lsm.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778216b0 5 bytes JMP 00000000779802e0 .text C:\Windows\system32\lsm.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077821730 5 bytes JMP 00000000779802d0 .text C:\Windows\system32\lsm.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077821750 5 bytes JMP 0000000077980310 .text C:\Windows\system32\lsm.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077821790 5 bytes JMP 00000000779803c0 .text C:\Windows\system32\lsm.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778217e0 5 bytes JMP 00000000779803f0 .text C:\Windows\system32\lsm.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077821940 5 bytes JMP 0000000077980230 .text C:\Windows\system32\lsm.exe[616] 
C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077821b00 5 bytes JMP 0000000077980480 .text C:\Windows\system32\lsm.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077821b30 5 bytes JMP 00000000779803a0 .text C:\Windows\system32\lsm.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077821c10 5 bytes JMP 00000000779802f0 .text C:\Windows\system32\lsm.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077821c20 5 bytes JMP 0000000077980350 .text C:\Windows\system32\lsm.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077821c80 5 bytes JMP 0000000077980290 .text C:\Windows\system32\lsm.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077821d10 5 bytes JMP 00000000779802b0 .text C:\Windows\system32\lsm.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077821d30 5 bytes JMP 00000000779803d0 .text C:\Windows\system32\lsm.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077821d40 5 bytes JMP 0000000077980330 .text C:\Windows\system32\lsm.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077821db0 5 bytes JMP 0000000077980410 .text C:\Windows\system32\lsm.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077821de0 5 bytes JMP 0000000077980240 .text C:\Windows\system32\lsm.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778220a0 5 bytes JMP 00000000779801e0 .text C:\Windows\system32\lsm.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077822160 5 bytes JMP 0000000077980250 .text C:\Windows\system32\lsm.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077822190 5 bytes JMP 0000000077980490 .text C:\Windows\system32\lsm.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778221a0 5 bytes JMP 00000000779804a0 .text C:\Windows\system32\lsm.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778221d0 5 bytes JMP 0000000077980300 .text 
C:\Windows\system32\lsm.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778221e0 5 bytes JMP 0000000077980360 .text C:\Windows\system32\lsm.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077822240 5 bytes JMP 00000000779802a0 .text C:\Windows\system32\lsm.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077822290 5 bytes JMP 00000000779802c0 .text C:\Windows\system32\lsm.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000778222c0 5 bytes JMP 0000000077980380 .text C:\Windows\system32\lsm.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778222d0 5 bytes JMP 0000000077980340 .text C:\Windows\system32\lsm.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000778225c0 5 bytes JMP 0000000077980440 .text C:\Windows\system32\lsm.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778227c0 5 bytes JMP 0000000077980260 .text C:\Windows\system32\lsm.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778227d0 5 bytes JMP 0000000077980270 .text C:\Windows\system32\lsm.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778227e0 5 bytes JMP 0000000077980400 .text C:\Windows\system32\lsm.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778229a0 5 bytes JMP 00000000779801f0 .text C:\Windows\system32\lsm.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778229b0 5 bytes JMP 0000000077980210 .text C:\Windows\system32\lsm.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077822a20 5 bytes JMP 0000000077980200 .text C:\Windows\system32\lsm.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077822a80 5 bytes JMP 0000000077980420 .text C:\Windows\system32\lsm.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077822a90 5 bytes JMP 0000000077980430 .text C:\Windows\system32\lsm.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077822aa0 5 bytes JMP 0000000077980220 .text 
C:\Windows\system32\lsm.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077822b80 5 bytes JMP 0000000077980280 .text C:\Windows\system32\svchost.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077821360 5 bytes JMP 0000000077980460 .text C:\Windows\system32\svchost.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000778213b0 5 bytes JMP 0000000077980450 .text C:\Windows\system32\svchost.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077821510 5 bytes JMP 0000000077980370 .text C:\Windows\system32\svchost.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077821560 5 bytes JMP 0000000077980470 .text C:\Windows\system32\svchost.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077821570 5 bytes JMP 00000000779803e0 .text C:\Windows\system32\svchost.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077821620 5 bytes JMP 0000000077980320 .text C:\Windows\system32\svchost.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077821650 5 bytes JMP 00000000779803b0 .text C:\Windows\system32\svchost.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077821670 5 bytes JMP 0000000077980390 .text C:\Windows\system32\svchost.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778216b0 5 bytes JMP 00000000779802e0 .text C:\Windows\system32\svchost.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077821730 5 bytes JMP 00000000779802d0 .text C:\Windows\system32\svchost.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077821750 5 bytes JMP 0000000077980310 .text C:\Windows\system32\svchost.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077821790 5 bytes JMP 00000000779803c0 .text C:\Windows\system32\svchost.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778217e0 5 bytes JMP 00000000779803f0 .text C:\Windows\system32\svchost.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077821940 5 
bytes JMP 0000000077980230 .text C:\Windows\system32\svchost.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077821b00 5 bytes JMP 0000000077980480 .text C:\Windows\system32\svchost.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077821b30 5 bytes JMP 00000000779803a0 .text C:\Windows\system32\svchost.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077821c10 5 bytes JMP 00000000779802f0 .text C:\Windows\system32\svchost.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077821c20 5 bytes JMP 0000000077980350 .text C:\Windows\system32\svchost.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077821c80 5 bytes JMP 0000000077980290 .text C:\Windows\system32\svchost.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077821d10 5 bytes JMP 00000000779802b0 .text C:\Windows\system32\svchost.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077821d30 5 bytes JMP 00000000779803d0 .text C:\Windows\system32\svchost.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077821d40 5 bytes JMP 0000000077980330 .text C:\Windows\system32\svchost.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077821db0 5 bytes JMP 0000000077980410 .text C:\Windows\system32\svchost.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077821de0 5 bytes JMP 0000000077980240 .text C:\Windows\system32\svchost.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778220a0 5 bytes JMP 00000000779801e0 .text C:\Windows\system32\svchost.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077822160 5 bytes JMP 0000000077980250 .text C:\Windows\system32\svchost.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077822190 5 bytes JMP 0000000077980490 .text C:\Windows\system32\svchost.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778221a0 5 bytes JMP 00000000779804a0 .text 
C:\Windows\system32\svchost.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778221d0 5 bytes JMP 0000000077980300 .text C:\Windows\system32\svchost.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778221e0 5 bytes JMP 0000000077980360 .text C:\Windows\system32\svchost.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077822240 5 bytes JMP 00000000779802a0 .text C:\Windows\system32\svchost.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077822290 5 bytes JMP 00000000779802c0 .text C:\Windows\system32\svchost.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000778222c0 5 bytes JMP 0000000077980380 .text C:\Windows\system32\svchost.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778222d0 5 bytes JMP 0000000077980340 .text C:\Windows\system32\svchost.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000778225c0 5 bytes JMP 0000000077980440 .text C:\Windows\system32\svchost.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778227c0 5 bytes JMP 0000000077980260 .text C:\Windows\system32\svchost.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778227d0 5 bytes JMP 0000000077980270 .text C:\Windows\system32\svchost.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778227e0 5 bytes JMP 0000000077980400 .text C:\Windows\system32\svchost.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778229a0 5 bytes JMP 00000000779801f0 .text C:\Windows\system32\svchost.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778229b0 5 bytes JMP 0000000077980210 .text C:\Windows\system32\svchost.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077822a20 5 bytes JMP 0000000077980200 .text C:\Windows\system32\svchost.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077822a80 5 bytes JMP 0000000077980420 .text C:\Windows\system32\svchost.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 
0000000077822a90 5 bytes JMP 0000000077980430 .text C:\Windows\system32\svchost.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077822aa0 5 bytes JMP 0000000077980220 .text C:\Windows\system32\svchost.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077822b80 5 bytes JMP 0000000077980280 .text C:\Windows\system32\svchost.exe[728] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007770eecd 1 byte [62] .text C:\Windows\system32\nvvsvc.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077821360 5 bytes JMP 0000000100060460 .text C:\Windows\system32\nvvsvc.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000778213b0 5 bytes JMP 0000000100060450 .text C:\Windows\system32\nvvsvc.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077821510 5 bytes JMP 0000000100060370 .text C:\Windows\system32\nvvsvc.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077821560 5 bytes JMP 0000000100060470 .text C:\Windows\system32\nvvsvc.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077821570 5 bytes JMP 00000001000603e0 .text C:\Windows\system32\nvvsvc.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077821620 5 bytes JMP 0000000100060320 .text C:\Windows\system32\nvvsvc.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077821650 5 bytes JMP 00000001000603b0 .text C:\Windows\system32\nvvsvc.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077821670 5 bytes JMP 0000000100060390 .text C:\Windows\system32\nvvsvc.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778216b0 5 bytes JMP 00000001000602e0 .text C:\Windows\system32\nvvsvc.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077821730 5 bytes JMP 00000001000602d0 .text C:\Windows\system32\nvvsvc.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077821750 5 bytes JMP 0000000100060310 .text C:\Windows\system32\nvvsvc.exe[808] 
C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077821790 5 bytes JMP 00000001000603c0 .text C:\Windows\system32\nvvsvc.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778217e0 5 bytes JMP 00000001000603f0 .text C:\Windows\system32\nvvsvc.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077821940 5 bytes JMP 0000000100060230 .text C:\Windows\system32\nvvsvc.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077821b00 5 bytes JMP 0000000100060480 .text C:\Windows\system32\nvvsvc.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077821b30 5 bytes JMP 00000001000603a0 .text C:\Windows\system32\nvvsvc.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077821c10 5 bytes JMP 00000001000602f0 .text C:\Windows\system32\nvvsvc.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077821c20 5 bytes JMP 0000000100060350 .text C:\Windows\system32\nvvsvc.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077821c80 5 bytes JMP 0000000100060290 .text C:\Windows\system32\nvvsvc.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077821d10 5 bytes JMP 00000001000602b0 .text C:\Windows\system32\nvvsvc.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077821d30 5 bytes JMP 00000001000603d0 .text C:\Windows\system32\nvvsvc.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077821d40 5 bytes JMP 0000000100060330 .text C:\Windows\system32\nvvsvc.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077821db0 5 bytes JMP 0000000100060410 .text C:\Windows\system32\nvvsvc.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077821de0 5 bytes JMP 0000000100060240 .text C:\Windows\system32\nvvsvc.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778220a0 5 bytes JMP 00000001000601e0 .text C:\Windows\system32\nvvsvc.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077822160 5 bytes JMP 
0000000100060250 .text C:\Windows\system32\nvvsvc.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077822190 5 bytes JMP 0000000100060490 .text C:\Windows\system32\nvvsvc.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778221a0 5 bytes JMP 00000001000604a0 .text C:\Windows\system32\nvvsvc.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778221d0 5 bytes JMP 0000000100060300 .text C:\Windows\system32\nvvsvc.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778221e0 5 bytes JMP 0000000100060360 .text C:\Windows\system32\nvvsvc.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077822240 5 bytes JMP 00000001000602a0 .text C:\Windows\system32\nvvsvc.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077822290 5 bytes JMP 00000001000602c0 .text C:\Windows\system32\nvvsvc.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000778222c0 5 bytes JMP 0000000100060380 .text C:\Windows\system32\nvvsvc.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778222d0 5 bytes JMP 0000000100060340 .text C:\Windows\system32\nvvsvc.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000778225c0 5 bytes JMP 0000000100060440 .text C:\Windows\system32\nvvsvc.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778227c0 5 bytes JMP 0000000100060260 .text C:\Windows\system32\nvvsvc.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778227d0 5 bytes JMP 0000000100060270 .text C:\Windows\system32\nvvsvc.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778227e0 5 bytes JMP 0000000100060400 .text C:\Windows\system32\nvvsvc.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778229a0 5 bytes JMP 00000001000601f0 .text C:\Windows\system32\nvvsvc.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778229b0 5 bytes JMP 0000000100060210 .text C:\Windows\system32\nvvsvc.exe[808] 
C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077822a20 5 bytes JMP 0000000100060200 .text C:\Windows\system32\nvvsvc.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077822a80 5 bytes JMP 0000000100060420 .text C:\Windows\system32\nvvsvc.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077822a90 5 bytes JMP 0000000100060430 .text C:\Windows\system32\nvvsvc.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077822aa0 5 bytes JMP 0000000100060220 .text C:\Windows\system32\nvvsvc.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077822b80 5 bytes JMP 0000000100060280 .text C:\Windows\system32\nvvsvc.exe[808] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007770eecd 1 byte [62] .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[832] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007556a2ba 1 byte [62] .text C:\Windows\system32\svchost.exe[880] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077821360 5 bytes JMP 0000000077980460 .text C:\Windows\system32\svchost.exe[880] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000778213b0 5 bytes JMP 0000000077980450 .text C:\Windows\system32\svchost.exe[880] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077821510 5 bytes JMP 0000000077980370 .text C:\Windows\system32\svchost.exe[880] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077821560 5 bytes JMP 0000000077980470 .text C:\Windows\system32\svchost.exe[880] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077821570 5 bytes JMP 00000000779803e0 .text C:\Windows\system32\svchost.exe[880] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077821620 5 bytes JMP 0000000077980320 .text C:\Windows\system32\svchost.exe[880] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077821650 5 bytes JMP 00000000779803b0 .text C:\Windows\system32\svchost.exe[880] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077821670 5 bytes 
JMP 0000000077980390 .text C:\Windows\system32\svchost.exe[880] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778216b0 5 bytes JMP 00000000779802e0 .text C:\Windows\system32\svchost.exe[880] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077821730 5 bytes JMP 00000000779802d0 .text C:\Windows\system32\svchost.exe[880] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077821750 5 bytes JMP 0000000077980310 .text C:\Windows\system32\svchost.exe[880] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077821790 5 bytes JMP 00000000779803c0 .text C:\Windows\system32\svchost.exe[880] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778217e0 5 bytes JMP 00000000779803f0 .text C:\Windows\system32\svchost.exe[880] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077821940 5 bytes JMP 0000000077980230 .text C:\Windows\system32\svchost.exe[880] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077821b00 5 bytes JMP 0000000077980480 .text C:\Windows\system32\svchost.exe[880] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077821b30 5 bytes JMP 00000000779803a0 .text C:\Windows\system32\svchost.exe[880] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077821c10 5 bytes JMP 00000000779802f0 .text C:\Windows\system32\svchost.exe[880] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077821c20 5 bytes JMP 0000000077980350 .text C:\Windows\system32\svchost.exe[880] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077821c80 5 bytes JMP 0000000077980290 .text C:\Windows\system32\svchost.exe[880] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077821d10 5 bytes JMP 00000000779802b0 .text C:\Windows\system32\svchost.exe[880] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077821d30 5 bytes JMP 00000000779803d0 .text C:\Windows\system32\svchost.exe[880] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077821d40 5 bytes JMP 0000000077980330 .text C:\Windows\system32\svchost.exe[880] 
C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077821db0 5 bytes JMP 0000000077980410 .text C:\Windows\system32\svchost.exe[880] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077821de0 5 bytes JMP 0000000077980240 .text C:\Windows\system32\svchost.exe[880] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778220a0 5 bytes JMP 00000000779801e0 .text C:\Windows\system32\svchost.exe[880] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077822160 5 bytes JMP 0000000077980250 .text C:\Windows\system32\svchost.exe[880] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077822190 5 bytes JMP 0000000077980490 .text C:\Windows\system32\svchost.exe[880] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778221a0 5 bytes JMP 00000000779804a0 .text C:\Windows\system32\svchost.exe[880] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778221d0 5 bytes JMP 0000000077980300 .text C:\Windows\system32\svchost.exe[880] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778221e0 5 bytes JMP 0000000077980360 .text C:\Windows\system32\svchost.exe[880] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077822240 5 bytes JMP 00000000779802a0 .text C:\Windows\system32\svchost.exe[880] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077822290 5 bytes JMP 00000000779802c0 .text C:\Windows\system32\svchost.exe[880] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000778222c0 5 bytes JMP 0000000077980380 .text C:\Windows\system32\svchost.exe[880] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778222d0 5 bytes JMP 0000000077980340 .text C:\Windows\system32\svchost.exe[880] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000778225c0 5 bytes JMP 0000000077980440 .text C:\Windows\system32\svchost.exe[880] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778227c0 5 bytes JMP 0000000077980260 .text C:\Windows\system32\svchost.exe[880] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778227d0 5 bytes JMP 
0000000077980270 .text C:\Windows\system32\svchost.exe[880] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778227e0 5 bytes JMP 0000000077980400 .text C:\Windows\system32\svchost.exe[880] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778229a0 5 bytes JMP 00000000779801f0 .text C:\Windows\system32\svchost.exe[880] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778229b0 5 bytes JMP 0000000077980210 .text C:\Windows\system32\svchost.exe[880] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077822a20 5 bytes JMP 0000000077980200 .text C:\Windows\system32\svchost.exe[880] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077822a80 5 bytes JMP 0000000077980420 .text C:\Windows\system32\svchost.exe[880] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077822a90 5 bytes JMP 0000000077980430 .text C:\Windows\system32\svchost.exe[880] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077822aa0 5 bytes JMP 0000000077980220 .text C:\Windows\system32\svchost.exe[880] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077822b80 5 bytes JMP 0000000077980280 .text C:\Windows\System32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077821360 5 bytes JMP 0000000077980460 .text C:\Windows\System32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000778213b0 5 bytes JMP 0000000077980450 .text C:\Windows\System32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077821510 5 bytes JMP 0000000077980370 .text C:\Windows\System32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077821560 5 bytes JMP 0000000077980470 .text C:\Windows\System32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077821570 5 bytes JMP 00000000779803e0 .text C:\Windows\System32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077821620 5 bytes JMP 0000000077980320 .text C:\Windows\System32\svchost.exe[980] 
C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077821650 5 bytes JMP 00000000779803b0 .text C:\Windows\System32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077821670 5 bytes JMP 0000000077980390 .text C:\Windows\System32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778216b0 5 bytes JMP 00000000779802e0 .text C:\Windows\System32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077821730 5 bytes JMP 00000000779802d0 .text C:\Windows\System32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077821750 5 bytes JMP 0000000077980310 .text C:\Windows\System32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077821790 5 bytes JMP 00000000779803c0 .text C:\Windows\System32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778217e0 5 bytes JMP 00000000779803f0 .text C:\Windows\System32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077821940 5 bytes JMP 0000000077980230 .text C:\Windows\System32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077821b00 5 bytes JMP 0000000077980480 .text C:\Windows\System32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077821b30 5 bytes JMP 00000000779803a0 .text C:\Windows\System32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077821c10 5 bytes JMP 00000000779802f0 .text C:\Windows\System32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077821c20 5 bytes JMP 0000000077980350 .text C:\Windows\System32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077821c80 5 bytes JMP 0000000077980290 .text C:\Windows\System32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077821d10 5 bytes JMP 00000000779802b0 .text C:\Windows\System32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077821d30 5 bytes JMP 
00000000779803d0 .text C:\Windows\System32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077821d40 5 bytes JMP 0000000077980330 .text C:\Windows\System32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077821db0 5 bytes JMP 0000000077980410 .text C:\Windows\System32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077821de0 5 bytes JMP 0000000077980240 .text C:\Windows\System32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778220a0 5 bytes JMP 00000000779801e0 .text C:\Windows\System32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077822160 5 bytes JMP 0000000077980250 .text C:\Windows\System32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077822190 5 bytes JMP 0000000077980490 .text C:\Windows\System32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778221a0 5 bytes JMP 00000000779804a0 .text C:\Windows\System32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778221d0 5 bytes JMP 0000000077980300 .text C:\Windows\System32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778221e0 5 bytes JMP 0000000077980360 .text C:\Windows\System32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077822240 5 bytes JMP 00000000779802a0 .text C:\Windows\System32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077822290 5 bytes JMP 00000000779802c0 .text C:\Windows\System32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000778222c0 5 bytes JMP 0000000077980380 .text C:\Windows\System32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778222d0 5 bytes JMP 0000000077980340 .text C:\Windows\System32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000778225c0 5 bytes JMP 0000000077980440 .text C:\Windows\System32\svchost.exe[980] 
C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778227c0 5 bytes JMP 0000000077980260 .text C:\Windows\System32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778227d0 5 bytes JMP 0000000077980270 .text C:\Windows\System32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778227e0 5 bytes JMP 0000000077980400 .text C:\Windows\System32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778229a0 5 bytes JMP 00000000779801f0 .text C:\Windows\System32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778229b0 5 bytes JMP 0000000077980210 .text C:\Windows\System32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077822a20 5 bytes JMP 0000000077980200 .text C:\Windows\System32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077822a80 5 bytes JMP 0000000077980420 .text C:\Windows\System32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077822a90 5 bytes JMP 0000000077980430 .text C:\Windows\System32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077822aa0 5 bytes JMP 0000000077980220 .text C:\Windows\System32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077822b80 5 bytes JMP 0000000077980280 .text C:\Windows\System32\svchost.exe[980] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007770eecd 1 byte [62] .text C:\Windows\System32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077821360 5 bytes JMP 0000000077980460 .text C:\Windows\System32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000778213b0 5 bytes JMP 0000000077980450 .text C:\Windows\System32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077821510 5 bytes JMP 0000000077980370 .text C:\Windows\System32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077821560 5 bytes JMP 
0000000077980470 .text C:\Windows\System32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077821570 5 bytes JMP 00000000779803e0 .text C:\Windows\System32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077821620 5 bytes JMP 0000000077980320 .text C:\Windows\System32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077821650 5 bytes JMP 00000000779803b0 .text C:\Windows\System32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077821670 5 bytes JMP 0000000077980390 .text C:\Windows\System32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778216b0 5 bytes JMP 00000000779802e0 .text C:\Windows\System32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077821730 5 bytes JMP 00000000779802d0 .text C:\Windows\System32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077821750 5 bytes JMP 0000000077980310 .text C:\Windows\System32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077821790 5 bytes JMP 00000000779803c0 .text C:\Windows\System32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778217e0 5 bytes JMP 00000000779803f0 .text C:\Windows\System32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077821940 5 bytes JMP 0000000077980230 .text C:\Windows\System32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077821b00 5 bytes JMP 0000000077980480 .text C:\Windows\System32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077821b30 5 bytes JMP 00000000779803a0 .text C:\Windows\System32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077821c10 5 bytes JMP 00000000779802f0 .text C:\Windows\System32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077821c20 5 bytes JMP 0000000077980350 .text C:\Windows\System32\svchost.exe[1016] 
C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077821c80 5 bytes JMP 0000000077980290 .text C:\Windows\System32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077821d10 5 bytes JMP 00000000779802b0 .text C:\Windows\System32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077821d30 5 bytes JMP 00000000779803d0 .text C:\Windows\System32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077821d40 5 bytes JMP 0000000077980330 .text C:\Windows\System32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077821db0 5 bytes JMP 0000000077980410 .text C:\Windows\System32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077821de0 5 bytes JMP 0000000077980240 .text C:\Windows\System32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778220a0 5 bytes JMP 00000000779801e0 .text C:\Windows\System32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077822160 5 bytes JMP 0000000077980250 .text C:\Windows\System32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077822190 5 bytes JMP 0000000077980490 .text C:\Windows\System32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778221a0 5 bytes JMP 00000000779804a0 .text C:\Windows\System32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778221d0 5 bytes JMP 0000000077980300 .text C:\Windows\System32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778221e0 5 bytes JMP 0000000077980360 .text C:\Windows\System32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077822240 5 bytes JMP 00000000779802a0 .text C:\Windows\System32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077822290 5 bytes JMP 00000000779802c0 .text C:\Windows\System32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000778222c0 5 bytes JMP 
0000000077980380 .text C:\Windows\System32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778222d0 5 bytes JMP 0000000077980340 .text C:\Windows\System32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000778225c0 5 bytes JMP 0000000077980440 .text C:\Windows\System32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778227c0 5 bytes JMP 0000000077980260 .text C:\Windows\System32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778227d0 5 bytes JMP 0000000077980270 .text C:\Windows\System32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778227e0 5 bytes JMP 0000000077980400 .text C:\Windows\System32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778229a0 5 bytes JMP 00000000779801f0 .text C:\Windows\System32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778229b0 5 bytes JMP 0000000077980210 .text C:\Windows\System32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077822a20 5 bytes JMP 0000000077980200 .text C:\Windows\System32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077822a80 5 bytes JMP 0000000077980420 .text C:\Windows\System32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077822a90 5 bytes JMP 0000000077980430 .text C:\Windows\System32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077822aa0 5 bytes JMP 0000000077980220 .text C:\Windows\System32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077822b80 5 bytes JMP 0000000077980280 .text C:\Windows\System32\svchost.exe[1016] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007770eecd 1 byte [62] .text C:\Windows\system32\svchost.exe[300] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007770eecd 1 byte [62] .text C:\Windows\system32\svchost.exe[440] 
C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077821360 5 bytes JMP 0000000100070460 .text C:\Windows\system32\svchost.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000778213b0 5 bytes JMP 0000000100070450 .text C:\Windows\system32\svchost.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077821510 5 bytes JMP 0000000100070370 .text C:\Windows\system32\svchost.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077821560 5 bytes JMP 0000000100070470 .text C:\Windows\system32\svchost.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077821570 5 bytes JMP 00000001000703e0 .text C:\Windows\system32\svchost.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077821620 5 bytes JMP 0000000100070320 .text C:\Windows\system32\svchost.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077821650 5 bytes JMP 00000001000703b0 .text C:\Windows\system32\svchost.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077821670 5 bytes JMP 0000000100070390 .text C:\Windows\system32\svchost.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778216b0 5 bytes JMP 00000001000702e0 .text C:\Windows\system32\svchost.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077821730 5 bytes JMP 00000001000702d0 .text C:\Windows\system32\svchost.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077821750 5 bytes JMP 0000000100070310 .text C:\Windows\system32\svchost.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077821790 5 bytes JMP 00000001000703c0 .text C:\Windows\system32\svchost.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778217e0 5 bytes JMP 00000001000703f0 .text C:\Windows\system32\svchost.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077821940 5 bytes JMP 0000000100070230 .text C:\Windows\system32\svchost.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077821b00 5 bytes JMP 
0000000100070480 .text C:\Windows\system32\svchost.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077821b30 5 bytes JMP 00000001000703a0 .text C:\Windows\system32\svchost.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077821c10 5 bytes JMP 00000001000702f0 .text C:\Windows\system32\svchost.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077821c20 5 bytes JMP 0000000100070350 .text C:\Windows\system32\svchost.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077821c80 5 bytes JMP 0000000100070290 .text C:\Windows\system32\svchost.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077821d10 5 bytes JMP 00000001000702b0 .text C:\Windows\system32\svchost.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077821d30 5 bytes JMP 00000001000703d0 .text C:\Windows\system32\svchost.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077821d40 5 bytes JMP 0000000100070330 .text C:\Windows\system32\svchost.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077821db0 5 bytes JMP 0000000100070410 .text C:\Windows\system32\svchost.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077821de0 5 bytes JMP 0000000100070240 .text C:\Windows\system32\svchost.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778220a0 5 bytes JMP 00000001000701e0 .text C:\Windows\system32\svchost.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077822160 5 bytes JMP 0000000100070250 .text C:\Windows\system32\svchost.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077822190 5 bytes JMP 0000000100070490 .text C:\Windows\system32\svchost.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778221a0 5 bytes JMP 00000001000704a0 .text C:\Windows\system32\svchost.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778221d0 5 bytes JMP 0000000100070300 .text C:\Windows\system32\svchost.exe[440] 
C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778221e0 5 bytes JMP 0000000100070360 .text C:\Windows\system32\svchost.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077822240 5 bytes JMP 00000001000702a0 .text C:\Windows\system32\svchost.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077822290 5 bytes JMP 00000001000702c0 .text C:\Windows\system32\svchost.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000778222c0 5 bytes JMP 0000000100070380 .text C:\Windows\system32\svchost.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778222d0 5 bytes JMP 0000000100070340 .text C:\Windows\system32\svchost.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000778225c0 5 bytes JMP 0000000100070440 .text C:\Windows\system32\svchost.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778227c0 5 bytes JMP 0000000100070260 .text C:\Windows\system32\svchost.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778227d0 5 bytes JMP 0000000100070270 .text C:\Windows\system32\svchost.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778227e0 5 bytes JMP 0000000100070400 .text C:\Windows\system32\svchost.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778229a0 5 bytes JMP 00000001000701f0 .text C:\Windows\system32\svchost.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778229b0 5 bytes JMP 0000000100070210 .text C:\Windows\system32\svchost.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077822a20 5 bytes JMP 0000000100070200 .text C:\Windows\system32\svchost.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077822a80 5 bytes JMP 0000000100070420 .text C:\Windows\system32\svchost.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077822a90 5 bytes JMP 0000000100070430 .text C:\Windows\system32\svchost.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077822aa0 5 bytes JMP 
0000000100070220 .text C:\Windows\system32\svchost.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077822b80 5 bytes JMP 0000000100070280 .text C:\Windows\system32\svchost.exe[440] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007770eecd 1 byte [62] .text C:\Windows\system32\svchost.exe[1196] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077821360 5 bytes JMP 0000000077980460 .text C:\Windows\system32\svchost.exe[1196] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000778213b0 5 bytes JMP 0000000077980450 .text C:\Windows\system32\svchost.exe[1196] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077821510 5 bytes JMP 0000000077980370 .text C:\Windows\system32\svchost.exe[1196] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077821560 5 bytes JMP 0000000077980470 .text C:\Windows\system32\svchost.exe[1196] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077821570 5 bytes JMP 00000000779803e0 .text C:\Windows\system32\svchost.exe[1196] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077821620 5 bytes JMP 0000000077980320 .text C:\Windows\system32\svchost.exe[1196] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077821650 5 bytes JMP 00000000779803b0 .text C:\Windows\system32\svchost.exe[1196] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077821670 5 bytes JMP 0000000077980390 .text C:\Windows\system32\svchost.exe[1196] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778216b0 5 bytes JMP 00000000779802e0 .text C:\Windows\system32\svchost.exe[1196] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077821730 5 bytes JMP 00000000779802d0 .text C:\Windows\system32\svchost.exe[1196] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077821750 5 bytes JMP 0000000077980310 .text C:\Windows\system32\svchost.exe[1196] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077821790 5 bytes JMP 00000000779803c0 .text C:\Windows\system32\svchost.exe[1196] 
C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778217e0 5 bytes JMP 00000000779803f0 .text C:\Windows\system32\svchost.exe[1196] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077821940 5 bytes JMP 0000000077980230 .text C:\Windows\system32\svchost.exe[1196] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077821b00 5 bytes JMP 0000000077980480 .text C:\Windows\system32\svchost.exe[1196] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077821b30 5 bytes JMP 00000000779803a0 .text C:\Windows\system32\svchost.exe[1196] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077821c10 5 bytes JMP 00000000779802f0 .text C:\Windows\system32\svchost.exe[1196] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077821c20 5 bytes JMP 0000000077980350 .text C:\Windows\system32\svchost.exe[1196] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077821c80 5 bytes JMP 0000000077980290 .text C:\Windows\system32\svchost.exe[1196] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077821d10 5 bytes JMP 00000000779802b0 .text C:\Windows\system32\svchost.exe[1196] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077821d30 5 bytes JMP 00000000779803d0 .text C:\Windows\system32\svchost.exe[1196] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077821d40 5 bytes JMP 0000000077980330 .text C:\Windows\system32\svchost.exe[1196] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077821db0 5 bytes JMP 0000000077980410 .text C:\Windows\system32\svchost.exe[1196] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077821de0 5 bytes JMP 0000000077980240 .text C:\Windows\system32\svchost.exe[1196] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778220a0 5 bytes JMP 00000000779801e0 .text C:\Windows\system32\svchost.exe[1196] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077822160 5 bytes JMP 0000000077980250 .text C:\Windows\system32\svchost.exe[1196] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 
0000000077822190 5 bytes JMP 0000000077980490 .text C:\Windows\system32\svchost.exe[1196] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778221a0 5 bytes JMP 00000000779804a0 .text C:\Windows\system32\svchost.exe[1196] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778221d0 5 bytes JMP 0000000077980300 .text C:\Windows\system32\svchost.exe[1196] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778221e0 5 bytes JMP 0000000077980360 .text C:\Windows\system32\svchost.exe[1196] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077822240 5 bytes JMP 00000000779802a0 .text C:\Windows\system32\svchost.exe[1196] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077822290 5 bytes JMP 00000000779802c0 .text C:\Windows\system32\svchost.exe[1196] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000778222c0 5 bytes JMP 0000000077980380 .text C:\Windows\system32\svchost.exe[1196] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778222d0 5 bytes JMP 0000000077980340 .text C:\Windows\system32\svchost.exe[1196] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000778225c0 5 bytes JMP 0000000077980440 .text C:\Windows\system32\svchost.exe[1196] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778227c0 5 bytes JMP 0000000077980260 .text C:\Windows\system32\svchost.exe[1196] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778227d0 5 bytes JMP 0000000077980270 .text C:\Windows\system32\svchost.exe[1196] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778227e0 5 bytes JMP 0000000077980400 .text C:\Windows\system32\svchost.exe[1196] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778229a0 5 bytes JMP 00000000779801f0 .text C:\Windows\system32\svchost.exe[1196] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778229b0 5 bytes JMP 0000000077980210 .text C:\Windows\system32\svchost.exe[1196] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077822a20 5 bytes JMP 0000000077980200 .text 
C:\Windows\system32\svchost.exe[1196] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077822a80 5 bytes JMP 0000000077980420 .text C:\Windows\system32\svchost.exe[1196] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077822a90 5 bytes JMP 0000000077980430 .text C:\Windows\system32\svchost.exe[1196] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077822aa0 5 bytes JMP 0000000077980220 .text C:\Windows\system32\svchost.exe[1196] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077822b80 5 bytes JMP 0000000077980280 .text C:\Windows\system32\svchost.exe[1196] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007770eecd 1 byte [62] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1260] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077821360 5 bytes JMP 0000000100070460 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1260] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000778213b0 5 bytes JMP 0000000100070450 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1260] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077821510 5 bytes JMP 0000000100070370 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1260] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077821560 5 bytes JMP 0000000100070470 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1260] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077821570 5 bytes JMP 00000001000703e0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1260] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077821620 5 bytes JMP 0000000100070320 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1260] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077821650 5 bytes JMP 00000001000703b0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1260] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077821670 5 bytes JMP 0000000100070390 .text C:\Program 
Files\NVIDIA Corporation\Display\nvxdsync.exe[1260] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778216b0 5 bytes JMP 00000001000702e0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1260] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077821730 5 bytes JMP 00000001000702d0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1260] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077821750 5 bytes JMP 0000000100070310 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1260] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077821790 5 bytes JMP 00000001000703c0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1260] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778217e0 5 bytes JMP 00000001000703f0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1260] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077821940 5 bytes JMP 0000000100070230 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1260] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077821b00 5 bytes JMP 0000000100070480 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1260] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077821b30 5 bytes JMP 00000001000703a0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1260] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077821c10 5 bytes JMP 00000001000702f0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1260] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077821c20 5 bytes JMP 0000000100070350 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1260] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077821c80 5 bytes JMP 0000000100070290 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1260] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077821d10 5 bytes JMP 00000001000702b0 .text C:\Program Files\NVIDIA 
Corporation\Display\nvxdsync.exe[1260] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077821d30 5 bytes JMP 00000001000703d0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1260] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077821d40 5 bytes JMP 0000000100070330 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1260] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077821db0 5 bytes JMP 0000000100070410 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1260] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077821de0 5 bytes JMP 0000000100070240 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1260] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778220a0 5 bytes JMP 00000001000701e0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1260] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077822160 5 bytes JMP 0000000100070250 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1260] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077822190 5 bytes JMP 0000000100070490 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1260] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778221a0 5 bytes JMP 00000001000704a0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1260] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778221d0 5 bytes JMP 0000000100070300 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1260] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778221e0 5 bytes JMP 0000000100070360 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1260] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077822240 5 bytes JMP 00000001000702a0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1260] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077822290 5 bytes JMP 00000001000702c0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1260] 
C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000778222c0 5 bytes JMP 0000000100070380 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1260] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778222d0 5 bytes JMP 0000000100070340 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1260] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000778225c0 5 bytes JMP 0000000100070440 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1260] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778227c0 5 bytes JMP 0000000100070260 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1260] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778227d0 5 bytes JMP 0000000100070270 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1260] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778227e0 5 bytes JMP 0000000100070400 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1260] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778229a0 5 bytes JMP 00000001000701f0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1260] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778229b0 5 bytes JMP 0000000100070210 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1260] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077822a20 5 bytes JMP 0000000100070200 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1260] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077822a80 5 bytes JMP 0000000100070420 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1260] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077822a90 5 bytes JMP 0000000100070430 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1260] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077822aa0 5 bytes JMP 0000000100070220 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1260] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 
0000000077822b80 5 bytes JMP 0000000100070280 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1260] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007770eecd 1 byte [62] .text C:\Windows\system32\nvvsvc.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077821360 5 bytes JMP 0000000077980460 .text C:\Windows\system32\nvvsvc.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000778213b0 5 bytes JMP 0000000077980450 .text C:\Windows\system32\nvvsvc.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077821510 5 bytes JMP 0000000077980370 .text C:\Windows\system32\nvvsvc.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077821560 5 bytes JMP 0000000077980470 .text C:\Windows\system32\nvvsvc.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077821570 5 bytes JMP 00000000779803e0 .text C:\Windows\system32\nvvsvc.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077821620 5 bytes JMP 0000000077980320 .text C:\Windows\system32\nvvsvc.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077821650 5 bytes JMP 00000000779803b0 .text C:\Windows\system32\nvvsvc.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077821670 5 bytes JMP 0000000077980390 .text C:\Windows\system32\nvvsvc.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778216b0 5 bytes JMP 00000000779802e0 .text C:\Windows\system32\nvvsvc.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077821730 5 bytes JMP 00000000779802d0 .text C:\Windows\system32\nvvsvc.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077821750 5 bytes JMP 0000000077980310 .text C:\Windows\system32\nvvsvc.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077821790 5 bytes JMP 00000000779803c0 .text C:\Windows\system32\nvvsvc.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778217e0 5 bytes JMP 00000000779803f0 .text 
C:\Windows\system32\nvvsvc.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077821940 5 bytes JMP 0000000077980230 .text C:\Windows\system32\nvvsvc.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077821b00 5 bytes JMP 0000000077980480 .text C:\Windows\system32\nvvsvc.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077821b30 5 bytes JMP 00000000779803a0 .text C:\Windows\system32\nvvsvc.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077821c10 5 bytes JMP 00000000779802f0 .text C:\Windows\system32\nvvsvc.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077821c20 5 bytes JMP 0000000077980350 .text C:\Windows\system32\nvvsvc.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077821c80 5 bytes JMP 0000000077980290 .text C:\Windows\system32\nvvsvc.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077821d10 5 bytes JMP 00000000779802b0 .text C:\Windows\system32\nvvsvc.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077821d30 5 bytes JMP 00000000779803d0 .text C:\Windows\system32\nvvsvc.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077821d40 5 bytes JMP 0000000077980330 .text C:\Windows\system32\nvvsvc.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077821db0 5 bytes JMP 0000000077980410 .text C:\Windows\system32\nvvsvc.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077821de0 5 bytes JMP 0000000077980240 .text C:\Windows\system32\nvvsvc.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778220a0 5 bytes JMP 00000000779801e0 .text C:\Windows\system32\nvvsvc.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077822160 5 bytes JMP 0000000077980250 .text C:\Windows\system32\nvvsvc.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077822190 5 bytes JMP 0000000077980490 .text C:\Windows\system32\nvvsvc.exe[1268] 
C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778221a0 5 bytes JMP 00000000779804a0 .text C:\Windows\system32\nvvsvc.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778221d0 5 bytes JMP 0000000077980300 .text C:\Windows\system32\nvvsvc.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778221e0 5 bytes JMP 0000000077980360 .text C:\Windows\system32\nvvsvc.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077822240 5 bytes JMP 00000000779802a0 .text C:\Windows\system32\nvvsvc.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077822290 5 bytes JMP 00000000779802c0 .text C:\Windows\system32\nvvsvc.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000778222c0 5 bytes JMP 0000000077980380 .text C:\Windows\system32\nvvsvc.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778222d0 5 bytes JMP 0000000077980340 .text C:\Windows\system32\nvvsvc.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000778225c0 5 bytes JMP 0000000077980440 .text C:\Windows\system32\nvvsvc.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778227c0 5 bytes JMP 0000000077980260 .text C:\Windows\system32\nvvsvc.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778227d0 5 bytes JMP 0000000077980270 .text C:\Windows\system32\nvvsvc.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778227e0 5 bytes JMP 0000000077980400 .text C:\Windows\system32\nvvsvc.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778229a0 5 bytes JMP 00000000779801f0 .text C:\Windows\system32\nvvsvc.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778229b0 5 bytes JMP 0000000077980210 .text C:\Windows\system32\nvvsvc.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077822a20 5 bytes JMP 0000000077980200 .text C:\Windows\system32\nvvsvc.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077822a80 5 bytes JMP 
0000000077980420 .text C:\Windows\system32\nvvsvc.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077822a90 5 bytes JMP 0000000077980430 .text C:\Windows\system32\nvvsvc.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077822aa0 5 bytes JMP 0000000077980220 .text C:\Windows\system32\nvvsvc.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077822b80 5 bytes JMP 0000000077980280 .text C:\Windows\system32\nvvsvc.exe[1268] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007770eecd 1 byte [62] .text C:\Windows\system32\Dwm.exe[1460] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077821360 5 bytes JMP 0000000077980460 .text C:\Windows\system32\Dwm.exe[1460] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000778213b0 5 bytes JMP 0000000077980450 .text C:\Windows\system32\Dwm.exe[1460] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077821510 5 bytes JMP 0000000077980370 .text C:\Windows\system32\Dwm.exe[1460] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077821560 5 bytes JMP 0000000077980470 .text C:\Windows\system32\Dwm.exe[1460] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077821570 5 bytes JMP 00000000779803e0 .text C:\Windows\system32\Dwm.exe[1460] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077821620 5 bytes JMP 0000000077980320 .text C:\Windows\system32\Dwm.exe[1460] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077821650 5 bytes JMP 00000000779803b0 .text C:\Windows\system32\Dwm.exe[1460] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077821670 5 bytes JMP 0000000077980390 .text C:\Windows\system32\Dwm.exe[1460] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778216b0 5 bytes JMP 00000000779802e0 .text C:\Windows\system32\Dwm.exe[1460] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077821730 5 bytes JMP 00000000779802d0 .text C:\Windows\system32\Dwm.exe[1460] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077821750 5 bytes JMP 
0000000077980310 .text C:\Windows\system32\Dwm.exe[1460] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077821790 5 bytes JMP 00000000779803c0 .text C:\Windows\system32\Dwm.exe[1460] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778217e0 5 bytes JMP 00000000779803f0 .text C:\Windows\system32\Dwm.exe[1460] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077821940 5 bytes JMP 0000000077980230 .text C:\Windows\system32\Dwm.exe[1460] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077821b00 5 bytes JMP 0000000077980480 .text C:\Windows\system32\Dwm.exe[1460] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077821b30 5 bytes JMP 00000000779803a0 .text C:\Windows\system32\Dwm.exe[1460] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077821c10 5 bytes JMP 00000000779802f0 .text C:\Windows\system32\Dwm.exe[1460] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077821c20 5 bytes JMP 0000000077980350 .text C:\Windows\system32\Dwm.exe[1460] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077821c80 5 bytes JMP 0000000077980290 .text C:\Windows\system32\Dwm.exe[1460] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077821d10 5 bytes JMP 00000000779802b0 .text C:\Windows\system32\Dwm.exe[1460] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077821d30 5 bytes JMP 00000000779803d0 .text C:\Windows\system32\Dwm.exe[1460] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077821d40 5 bytes JMP 0000000077980330 .text C:\Windows\system32\Dwm.exe[1460] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077821db0 5 bytes JMP 0000000077980410 .text C:\Windows\system32\Dwm.exe[1460] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077821de0 5 bytes JMP 0000000077980240 .text C:\Windows\system32\Dwm.exe[1460] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778220a0 5 bytes JMP 00000000779801e0 .text C:\Windows\system32\Dwm.exe[1460] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 
0000000077822160 5 bytes JMP 0000000077980250 .text C:\Windows\system32\Dwm.exe[1460] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077822190 5 bytes JMP 0000000077980490 .text C:\Windows\system32\Dwm.exe[1460] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778221a0 5 bytes JMP 00000000779804a0 .text C:\Windows\system32\Dwm.exe[1460] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778221d0 5 bytes JMP 0000000077980300 .text C:\Windows\system32\Dwm.exe[1460] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778221e0 5 bytes JMP 0000000077980360 .text C:\Windows\system32\Dwm.exe[1460] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077822240 5 bytes JMP 00000000779802a0 .text C:\Windows\system32\Dwm.exe[1460] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077822290 5 bytes JMP 00000000779802c0 .text C:\Windows\system32\Dwm.exe[1460] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000778222c0 5 bytes JMP 0000000077980380 .text C:\Windows\system32\Dwm.exe[1460] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778222d0 5 bytes JMP 0000000077980340 .text C:\Windows\system32\Dwm.exe[1460] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000778225c0 5 bytes JMP 0000000077980440 .text C:\Windows\system32\Dwm.exe[1460] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778227c0 5 bytes JMP 0000000077980260 .text C:\Windows\system32\Dwm.exe[1460] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778227d0 5 bytes JMP 0000000077980270 .text C:\Windows\system32\Dwm.exe[1460] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778227e0 5 bytes JMP 0000000077980400 .text C:\Windows\system32\Dwm.exe[1460] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778229a0 5 bytes JMP 00000000779801f0 .text C:\Windows\system32\Dwm.exe[1460] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778229b0 5 bytes JMP 0000000077980210 .text C:\Windows\system32\Dwm.exe[1460] 
C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077822a20 5 bytes JMP 0000000077980200 .text C:\Windows\system32\Dwm.exe[1460] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077822a80 5 bytes JMP 0000000077980420 .text C:\Windows\system32\Dwm.exe[1460] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077822a90 5 bytes JMP 0000000077980430 .text C:\Windows\system32\Dwm.exe[1460] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077822aa0 5 bytes JMP 0000000077980220 .text C:\Windows\system32\Dwm.exe[1460] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077822b80 5 bytes JMP 0000000077980280 .text C:\Windows\Explorer.EXE[1484] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077821360 5 bytes JMP 0000000077980460 .text C:\Windows\Explorer.EXE[1484] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000778213b0 5 bytes JMP 0000000077980450 .text C:\Windows\Explorer.EXE[1484] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077821510 5 bytes JMP 0000000077980370 .text C:\Windows\Explorer.EXE[1484] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077821560 5 bytes JMP 0000000077980470 .text C:\Windows\Explorer.EXE[1484] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077821570 5 bytes JMP 00000000779803e0 .text C:\Windows\Explorer.EXE[1484] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077821620 5 bytes JMP 0000000077980320 .text C:\Windows\Explorer.EXE[1484] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077821650 5 bytes JMP 00000000779803b0 .text C:\Windows\Explorer.EXE[1484] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077821670 5 bytes JMP 0000000077980390 .text C:\Windows\Explorer.EXE[1484] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778216b0 5 bytes JMP 00000000779802e0 .text C:\Windows\Explorer.EXE[1484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077821730 5 bytes JMP 00000000779802d0 .text C:\Windows\Explorer.EXE[1484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 
0000000077821750 5 bytes JMP 0000000077980310 .text C:\Windows\Explorer.EXE[1484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077821790 5 bytes JMP 00000000779803c0 .text C:\Windows\Explorer.EXE[1484] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778217e0 5 bytes JMP 00000000779803f0 .text C:\Windows\Explorer.EXE[1484] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077821940 5 bytes JMP 0000000077980230 .text C:\Windows\Explorer.EXE[1484] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077821b00 5 bytes JMP 0000000077980480 .text C:\Windows\Explorer.EXE[1484] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077821b30 5 bytes JMP 00000000779803a0 .text C:\Windows\Explorer.EXE[1484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077821c10 5 bytes JMP 00000000779802f0 .text C:\Windows\Explorer.EXE[1484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077821c20 5 bytes JMP 0000000077980350 .text C:\Windows\Explorer.EXE[1484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077821c80 5 bytes JMP 0000000077980290 .text C:\Windows\Explorer.EXE[1484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077821d10 5 bytes JMP 00000000779802b0 .text C:\Windows\Explorer.EXE[1484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077821d30 5 bytes JMP 00000000779803d0 .text C:\Windows\Explorer.EXE[1484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077821d40 5 bytes JMP 0000000077980330 .text C:\Windows\Explorer.EXE[1484] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077821db0 5 bytes JMP 0000000077980410 .text C:\Windows\Explorer.EXE[1484] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077821de0 5 bytes JMP 0000000077980240 .text C:\Windows\Explorer.EXE[1484] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778220a0 5 bytes JMP 00000000779801e0 .text C:\Windows\Explorer.EXE[1484] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077822160 5 bytes JMP 0000000077980250 
.text C:\Windows\Explorer.EXE[1484] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077822190 5 bytes JMP 0000000077980490 .text C:\Windows\Explorer.EXE[1484] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778221a0 5 bytes JMP 00000000779804a0 .text C:\Windows\Explorer.EXE[1484] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778221d0 5 bytes JMP 0000000077980300 .text C:\Windows\Explorer.EXE[1484] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778221e0 5 bytes JMP 0000000077980360 .text C:\Windows\Explorer.EXE[1484] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077822240 5 bytes JMP 00000000779802a0 .text C:\Windows\Explorer.EXE[1484] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077822290 5 bytes JMP 00000000779802c0 .text C:\Windows\Explorer.EXE[1484] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000778222c0 5 bytes JMP 0000000077980380 .text C:\Windows\Explorer.EXE[1484] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778222d0 5 bytes JMP 0000000077980340 .text C:\Windows\Explorer.EXE[1484] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000778225c0 5 bytes JMP 0000000077980440 .text C:\Windows\Explorer.EXE[1484] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778227c0 5 bytes JMP 0000000077980260 .text C:\Windows\Explorer.EXE[1484] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778227d0 5 bytes JMP 0000000077980270 .text C:\Windows\Explorer.EXE[1484] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778227e0 5 bytes JMP 0000000077980400 .text C:\Windows\Explorer.EXE[1484] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778229a0 5 bytes JMP 00000000779801f0 .text C:\Windows\Explorer.EXE[1484] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778229b0 5 bytes JMP 0000000077980210 .text C:\Windows\Explorer.EXE[1484] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077822a20 5 bytes JMP 0000000077980200 .text C:\Windows\Explorer.EXE[1484] 
C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077822a80 5 bytes JMP 0000000077980420 .text C:\Windows\Explorer.EXE[1484] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077822a90 5 bytes JMP 0000000077980430 .text C:\Windows\Explorer.EXE[1484] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077822aa0 5 bytes JMP 0000000077980220 .text C:\Windows\Explorer.EXE[1484] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077822b80 5 bytes JMP 0000000077980280 .text C:\Windows\Explorer.EXE[1484] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007770eecd 1 byte [62] .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[1580] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077821360 5 bytes JMP 0000000077980460 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[1580] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000778213b0 5 bytes JMP 0000000077980450 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[1580] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077821510 5 bytes JMP 0000000077980370 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[1580] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077821560 5 bytes JMP 0000000077980470 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[1580] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077821570 5 bytes JMP 00000000779803e0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[1580] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077821620 5 bytes JMP 0000000077980320 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[1580] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077821650 5 bytes JMP 00000000779803b0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[1580] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077821670 5 bytes JMP 0000000077980390 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[1580] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 
00000000778216b0 5 bytes JMP 00000000779802e0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[1580] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077821730 5 bytes JMP 00000000779802d0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[1580] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077821750 5 bytes JMP 0000000077980310 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[1580] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077821790 5 bytes JMP 00000000779803c0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[1580] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778217e0 5 bytes JMP 00000000779803f0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[1580] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077821940 5 bytes JMP 0000000077980230 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[1580] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077821b00 5 bytes JMP 0000000077980480 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[1580] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077821b30 5 bytes JMP 00000000779803a0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[1580] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077821c10 5 bytes JMP 00000000779802f0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[1580] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077821c20 5 bytes JMP 0000000077980350 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[1580] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077821c80 5 bytes JMP 0000000077980290 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[1580] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077821d10 5 bytes JMP 00000000779802b0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[1580] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077821d30 5 bytes JMP 00000000779803d0 .text C:\Program 
Files\NVIDIA Corporation\Display\nvtray.exe[1580] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077821d40 5 bytes JMP 0000000077980330 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[1580] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077821db0 5 bytes JMP 0000000077980410 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[1580] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077821de0 5 bytes JMP 0000000077980240 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[1580] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778220a0 5 bytes JMP 00000000779801e0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[1580] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077822160 5 bytes JMP 0000000077980250 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[1580] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077822190 5 bytes JMP 0000000077980490 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[1580] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778221a0 5 bytes JMP 00000000779804a0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[1580] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778221d0 5 bytes JMP 0000000077980300 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[1580] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778221e0 5 bytes JMP 0000000077980360 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[1580] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077822240 5 bytes JMP 00000000779802a0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[1580] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077822290 5 bytes JMP 00000000779802c0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[1580] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000778222c0 5 bytes JMP 0000000077980380 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[1580] 
C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778222d0 5 bytes JMP 0000000077980340 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[1580] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000778225c0 5 bytes JMP 0000000077980440 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[1580] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778227c0 5 bytes JMP 0000000077980260 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[1580] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778227d0 5 bytes JMP 0000000077980270 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[1580] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778227e0 5 bytes JMP 0000000077980400 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[1580] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778229a0 5 bytes JMP 00000000779801f0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[1580] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778229b0 5 bytes JMP 0000000077980210 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[1580] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077822a20 5 bytes JMP 0000000077980200 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[1580] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077822a80 5 bytes JMP 0000000077980420 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[1580] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077822a90 5 bytes JMP 0000000077980430 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[1580] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077822aa0 5 bytes JMP 0000000077980220 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[1580] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077822b80 5 bytes JMP 0000000077980280 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[1580] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 
000000007770eecd 1 byte [62] .text C:\Windows\system32\taskhost.exe[1804] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077821360 5 bytes JMP 0000000077980460 .text C:\Windows\system32\taskhost.exe[1804] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000778213b0 5 bytes JMP 0000000077980450 .text C:\Windows\system32\taskhost.exe[1804] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077821510 5 bytes JMP 0000000077980370 .text C:\Windows\system32\taskhost.exe[1804] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077821560 5 bytes JMP 0000000077980470 .text C:\Windows\system32\taskhost.exe[1804] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077821570 5 bytes JMP 00000000779803e0 .text C:\Windows\system32\taskhost.exe[1804] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077821620 5 bytes JMP 0000000077980320 .text C:\Windows\system32\taskhost.exe[1804] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077821650 5 bytes JMP 00000000779803b0 .text C:\Windows\system32\taskhost.exe[1804] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077821670 5 bytes JMP 0000000077980390 .text C:\Windows\system32\taskhost.exe[1804] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778216b0 5 bytes JMP 00000000779802e0 .text C:\Windows\system32\taskhost.exe[1804] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077821730 5 bytes JMP 00000000779802d0 .text C:\Windows\system32\taskhost.exe[1804] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077821750 5 bytes JMP 0000000077980310 .text C:\Windows\system32\taskhost.exe[1804] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077821790 5 bytes JMP 00000000779803c0 .text C:\Windows\system32\taskhost.exe[1804] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778217e0 5 bytes JMP 00000000779803f0 .text C:\Windows\system32\taskhost.exe[1804] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077821940 5 bytes JMP 0000000077980230 .text 
C:\Windows\system32\taskhost.exe[1804] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077821b00 5 bytes JMP 0000000077980480 .text C:\Windows\system32\taskhost.exe[1804] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077821b30 5 bytes JMP 00000000779803a0 .text C:\Windows\system32\taskhost.exe[1804] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077821c10 5 bytes JMP 00000000779802f0 .text C:\Windows\system32\taskhost.exe[1804] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077821c20 5 bytes JMP 0000000077980350 .text C:\Windows\system32\taskhost.exe[1804] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077821c80 5 bytes JMP 0000000077980290 .text C:\Windows\system32\taskhost.exe[1804] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077821d10 5 bytes JMP 00000000779802b0 .text C:\Windows\system32\taskhost.exe[1804] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077821d30 5 bytes JMP 00000000779803d0 .text C:\Windows\system32\taskhost.exe[1804] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077821d40 5 bytes JMP 0000000077980330 .text C:\Windows\system32\taskhost.exe[1804] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077821db0 5 bytes JMP 0000000077980410 .text C:\Windows\system32\taskhost.exe[1804] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077821de0 5 bytes JMP 0000000077980240 .text C:\Windows\system32\taskhost.exe[1804] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778220a0 5 bytes JMP 00000000779801e0 .text C:\Windows\system32\taskhost.exe[1804] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077822160 5 bytes JMP 0000000077980250 .text C:\Windows\system32\taskhost.exe[1804] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077822190 5 bytes JMP 0000000077980490 .text C:\Windows\system32\taskhost.exe[1804] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778221a0 5 bytes JMP 00000000779804a0 .text 
C:\Windows\system32\taskhost.exe[1804] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778221d0 5 bytes JMP 0000000077980300 .text C:\Windows\system32\taskhost.exe[1804] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778221e0 5 bytes JMP 0000000077980360 .text C:\Windows\system32\taskhost.exe[1804] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077822240 5 bytes JMP 00000000779802a0 .text C:\Windows\system32\taskhost.exe[1804] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077822290 5 bytes JMP 00000000779802c0 .text C:\Windows\system32\taskhost.exe[1804] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000778222c0 5 bytes JMP 0000000077980380 .text C:\Windows\system32\taskhost.exe[1804] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778222d0 5 bytes JMP 0000000077980340 .text C:\Windows\system32\taskhost.exe[1804] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000778225c0 5 bytes JMP 0000000077980440 .text C:\Windows\system32\taskhost.exe[1804] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778227c0 5 bytes JMP 0000000077980260 .text C:\Windows\system32\taskhost.exe[1804] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778227d0 5 bytes JMP 0000000077980270 .text C:\Windows\system32\taskhost.exe[1804] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778227e0 5 bytes JMP 0000000077980400 .text C:\Windows\system32\taskhost.exe[1804] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778229a0 5 bytes JMP 00000000779801f0 .text C:\Windows\system32\taskhost.exe[1804] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778229b0 5 bytes JMP 0000000077980210 .text C:\Windows\system32\taskhost.exe[1804] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077822a20 5 bytes JMP 0000000077980200 .text C:\Windows\system32\taskhost.exe[1804] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077822a80 5 bytes JMP 0000000077980420 .text C:\Windows\system32\taskhost.exe[1804] 
C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077822a90 5 bytes JMP 0000000077980430 .text C:\Windows\system32\taskhost.exe[1804] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077822aa0 5 bytes JMP 0000000077980220 .text C:\Windows\system32\taskhost.exe[1804] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077822b80 5 bytes JMP 0000000077980280 .text C:\Windows\system32\taskhost.exe[1804] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007770eecd 1 byte [62] .text C:\Windows\System32\spoolsv.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077821360 5 bytes JMP 0000000077980460 .text C:\Windows\System32\spoolsv.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000778213b0 5 bytes JMP 0000000077980450 .text C:\Windows\System32\spoolsv.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077821510 5 bytes JMP 0000000077980370 .text C:\Windows\System32\spoolsv.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077821560 5 bytes JMP 0000000077980470 .text C:\Windows\System32\spoolsv.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077821570 5 bytes JMP 00000000779803e0 .text C:\Windows\System32\spoolsv.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077821620 5 bytes JMP 0000000077980320 .text C:\Windows\System32\spoolsv.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077821650 5 bytes JMP 00000000779803b0 .text C:\Windows\System32\spoolsv.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077821670 5 bytes JMP 0000000077980390 .text C:\Windows\System32\spoolsv.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778216b0 5 bytes JMP 00000000779802e0 .text C:\Windows\System32\spoolsv.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077821730 5 bytes JMP 00000000779802d0 .text C:\Windows\System32\spoolsv.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077821750 5 bytes JMP 
0000000077980310 .text C:\Windows\System32\spoolsv.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077821790 5 bytes JMP 00000000779803c0 .text C:\Windows\System32\spoolsv.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778217e0 5 bytes JMP 00000000779803f0 .text C:\Windows\System32\spoolsv.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077821940 5 bytes JMP 0000000077980230 .text C:\Windows\System32\spoolsv.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077821b00 5 bytes JMP 0000000077980480 .text C:\Windows\System32\spoolsv.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077821b30 5 bytes JMP 00000000779803a0 .text C:\Windows\System32\spoolsv.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077821c10 5 bytes JMP 00000000779802f0 .text C:\Windows\System32\spoolsv.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077821c20 5 bytes JMP 0000000077980350 .text C:\Windows\System32\spoolsv.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077821c80 5 bytes JMP 0000000077980290 .text C:\Windows\System32\spoolsv.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077821d10 5 bytes JMP 00000000779802b0 .text C:\Windows\System32\spoolsv.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077821d30 5 bytes JMP 00000000779803d0 .text C:\Windows\System32\spoolsv.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077821d40 5 bytes JMP 0000000077980330 .text C:\Windows\System32\spoolsv.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077821db0 5 bytes JMP 0000000077980410 .text C:\Windows\System32\spoolsv.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077821de0 5 bytes JMP 0000000077980240 .text C:\Windows\System32\spoolsv.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778220a0 5 bytes JMP 00000000779801e0 .text C:\Windows\System32\spoolsv.exe[1920] 
C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077822160 5 bytes JMP 0000000077980250 .text C:\Windows\System32\spoolsv.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077822190 5 bytes JMP 0000000077980490 .text C:\Windows\System32\spoolsv.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778221a0 5 bytes JMP 00000000779804a0 .text C:\Windows\System32\spoolsv.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778221d0 5 bytes JMP 0000000077980300 .text C:\Windows\System32\spoolsv.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778221e0 5 bytes JMP 0000000077980360 .text C:\Windows\System32\spoolsv.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077822240 5 bytes JMP 00000000779802a0 .text C:\Windows\System32\spoolsv.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077822290 5 bytes JMP 00000000779802c0 .text C:\Windows\System32\spoolsv.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000778222c0 5 bytes JMP 0000000077980380 .text C:\Windows\System32\spoolsv.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778222d0 5 bytes JMP 0000000077980340 .text C:\Windows\System32\spoolsv.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000778225c0 5 bytes JMP 0000000077980440 .text C:\Windows\System32\spoolsv.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778227c0 5 bytes JMP 0000000077980260 .text C:\Windows\System32\spoolsv.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778227d0 5 bytes JMP 0000000077980270 .text C:\Windows\System32\spoolsv.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778227e0 5 bytes JMP 0000000077980400 .text C:\Windows\System32\spoolsv.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778229a0 5 bytes JMP 00000000779801f0 .text C:\Windows\System32\spoolsv.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778229b0 
5 bytes JMP 0000000077980210 .text C:\Windows\System32\spoolsv.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077822a20 5 bytes JMP 0000000077980200 .text C:\Windows\System32\spoolsv.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077822a80 5 bytes JMP 0000000077980420 .text C:\Windows\System32\spoolsv.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077822a90 5 bytes JMP 0000000077980430 .text C:\Windows\System32\spoolsv.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077822aa0 5 bytes JMP 0000000077980220 .text C:\Windows\System32\spoolsv.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077822b80 5 bytes JMP 0000000077980280 .text C:\Windows\System32\spoolsv.exe[1920] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007770eecd 1 byte [62] .text C:\Windows\system32\svchost.exe[1960] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077821360 5 bytes JMP 0000000077980460 .text C:\Windows\system32\svchost.exe[1960] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000778213b0 5 bytes JMP 0000000077980450 .text C:\Windows\system32\svchost.exe[1960] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077821510 5 bytes JMP 0000000077980370 .text C:\Windows\system32\svchost.exe[1960] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077821560 5 bytes JMP 0000000077980470 .text C:\Windows\system32\svchost.exe[1960] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077821570 5 bytes JMP 00000000779803e0 .text C:\Windows\system32\svchost.exe[1960] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077821620 5 bytes JMP 0000000077980320 .text C:\Windows\system32\svchost.exe[1960] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077821650 5 bytes JMP 00000000779803b0 .text C:\Windows\system32\svchost.exe[1960] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077821670 5 bytes JMP 0000000077980390 .text C:\Windows\system32\svchost.exe[1960] 
C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778216b0 5 bytes JMP 00000000779802e0 .text C:\Windows\system32\svchost.exe[1960] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077821730 5 bytes JMP 00000000779802d0 .text C:\Windows\system32\svchost.exe[1960] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077821750 5 bytes JMP 0000000077980310 .text C:\Windows\system32\svchost.exe[1960] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077821790 5 bytes JMP 00000000779803c0 .text C:\Windows\system32\svchost.exe[1960] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778217e0 5 bytes JMP 00000000779803f0 .text C:\Windows\system32\svchost.exe[1960] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077821940 5 bytes JMP 0000000077980230 .text C:\Windows\system32\svchost.exe[1960] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077821b00 5 bytes JMP 0000000077980480 .text C:\Windows\system32\svchost.exe[1960] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077821b30 5 bytes JMP 00000000779803a0 .text C:\Windows\system32\svchost.exe[1960] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077821c10 5 bytes JMP 00000000779802f0 .text C:\Windows\system32\svchost.exe[1960] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077821c20 5 bytes JMP 0000000077980350 .text C:\Windows\system32\svchost.exe[1960] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077821c80 5 bytes JMP 0000000077980290 .text C:\Windows\system32\svchost.exe[1960] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077821d10 5 bytes JMP 00000000779802b0 .text C:\Windows\system32\svchost.exe[1960] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077821d30 5 bytes JMP 00000000779803d0 .text C:\Windows\system32\svchost.exe[1960] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077821d40 5 bytes JMP 0000000077980330 .text C:\Windows\system32\svchost.exe[1960] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077821db0 5 
bytes JMP 0000000077980410 .text C:\Windows\system32\svchost.exe[1960] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077821de0 5 bytes JMP 0000000077980240 .text C:\Windows\system32\svchost.exe[1960] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778220a0 5 bytes JMP 00000000779801e0 .text C:\Windows\system32\svchost.exe[1960] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077822160 5 bytes JMP 0000000077980250 .text C:\Windows\system32\svchost.exe[1960] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077822190 5 bytes JMP 0000000077980490 .text C:\Windows\system32\svchost.exe[1960] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778221a0 5 bytes JMP 00000000779804a0 .text C:\Windows\system32\svchost.exe[1960] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778221d0 5 bytes JMP 0000000077980300 .text C:\Windows\system32\svchost.exe[1960] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778221e0 5 bytes JMP 0000000077980360 .text C:\Windows\system32\svchost.exe[1960] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077822240 5 bytes JMP 00000000779802a0 .text C:\Windows\system32\svchost.exe[1960] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077822290 5 bytes JMP 00000000779802c0 .text C:\Windows\system32\svchost.exe[1960] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000778222c0 5 bytes JMP 0000000077980380 .text C:\Windows\system32\svchost.exe[1960] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778222d0 5 bytes JMP 0000000077980340 .text C:\Windows\system32\svchost.exe[1960] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000778225c0 5 bytes JMP 0000000077980440 .text C:\Windows\system32\svchost.exe[1960] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778227c0 5 bytes JMP 0000000077980260 .text C:\Windows\system32\svchost.exe[1960] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778227d0 5 bytes JMP 0000000077980270 .text C:\Windows\system32\svchost.exe[1960] 
C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778227e0 5 bytes JMP 0000000077980400 .text C:\Windows\system32\svchost.exe[1960] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778229a0 5 bytes JMP 00000000779801f0 .text C:\Windows\system32\svchost.exe[1960] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778229b0 5 bytes JMP 0000000077980210 .text C:\Windows\system32\svchost.exe[1960] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077822a20 5 bytes JMP 0000000077980200 .text C:\Windows\system32\svchost.exe[1960] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077822a80 5 bytes JMP 0000000077980420 .text C:\Windows\system32\svchost.exe[1960] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077822a90 5 bytes JMP 0000000077980430 .text C:\Windows\system32\svchost.exe[1960] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077822aa0 5 bytes JMP 0000000077980220 .text C:\Windows\system32\svchost.exe[1960] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077822b80 5 bytes JMP 0000000077980280 .text C:\Windows\system32\svchost.exe[1960] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007770eecd 1 byte [62] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1444] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077821360 5 bytes JMP 0000000077980460 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1444] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000778213b0 5 bytes JMP 0000000077980450 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1444] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077821510 5 bytes JMP 0000000077980370 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1444] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077821560 5 bytes JMP 0000000077980470 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1444] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077821570 5 bytes JMP 00000000779803e0 .text C:\Program 
Files\Realtek\Audio\HDA\RAVCpl64.exe[1444] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077821620 5 bytes JMP 0000000077980320 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1444] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077821650 5 bytes JMP 00000000779803b0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1444] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077821670 5 bytes JMP 0000000077980390 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1444] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778216b0 5 bytes JMP 00000000779802e0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1444] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077821730 5 bytes JMP 00000000779802d0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1444] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077821750 5 bytes JMP 0000000077980310 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1444] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077821790 5 bytes JMP 00000000779803c0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1444] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778217e0 5 bytes JMP 00000000779803f0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1444] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077821940 5 bytes JMP 0000000077980230 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1444] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077821b00 5 bytes JMP 0000000077980480 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1444] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077821b30 5 bytes JMP 00000000779803a0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1444] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077821c10 5 bytes JMP 00000000779802f0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1444] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077821c20 5 bytes JMP 0000000077980350 .text 
C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1444] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077821c80 5 bytes JMP 0000000077980290 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1444] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077821d10 5 bytes JMP 00000000779802b0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1444] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077821d30 5 bytes JMP 00000000779803d0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1444] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077821d40 5 bytes JMP 0000000077980330 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1444] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077821db0 5 bytes JMP 0000000077980410 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1444] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077821de0 5 bytes JMP 0000000077980240 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1444] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778220a0 5 bytes JMP 00000000779801e0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1444] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077822160 5 bytes JMP 0000000077980250 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1444] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077822190 5 bytes JMP 0000000077980490 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1444] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778221a0 5 bytes JMP 00000000779804a0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1444] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778221d0 5 bytes JMP 0000000077980300 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1444] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778221e0 5 bytes JMP 0000000077980360 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1444] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077822240 5 bytes JMP 00000000779802a0 .text 
C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1444] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077822290 5 bytes JMP 00000000779802c0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1444] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000778222c0 5 bytes JMP 0000000077980380 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1444] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778222d0 5 bytes JMP 0000000077980340 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1444] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000778225c0 5 bytes JMP 0000000077980440 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1444] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778227c0 5 bytes JMP 0000000077980260 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1444] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778227d0 5 bytes JMP 0000000077980270 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1444] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778227e0 5 bytes JMP 0000000077980400 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1444] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778229a0 5 bytes JMP 00000000779801f0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1444] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778229b0 5 bytes JMP 0000000077980210 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1444] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077822a20 5 bytes JMP 0000000077980200 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1444] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077822a80 5 bytes JMP 0000000077980420 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1444] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077822a90 5 bytes JMP 0000000077980430 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1444] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077822aa0 5 bytes JMP 0000000077980220 .text 
C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1444] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077822b80 5 bytes JMP 0000000077980280 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1444] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007770eecd 1 byte [62] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1620] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007556a2ba 1 byte [62] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077821360 5 bytes JMP 0000000077980460 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000778213b0 5 bytes JMP 0000000077980450 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077821510 5 bytes JMP 0000000077980370 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077821560 5 bytes JMP 0000000077980470 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077821570 5 bytes JMP 00000000779803e0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077821620 5 bytes JMP 0000000077980320 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077821650 5 bytes JMP 00000000779803b0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077821670 5 bytes JMP 0000000077980390 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778216b0 5 bytes JMP 00000000779802e0 .text C:\Program Files\NVIDIA 
Corporation\NvStreamSrv\nvstreamsvc.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077821730 5 bytes JMP 00000000779802d0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077821750 5 bytes JMP 0000000077980310 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077821790 5 bytes JMP 00000000779803c0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778217e0 5 bytes JMP 00000000779803f0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077821940 5 bytes JMP 0000000077980230 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077821b00 5 bytes JMP 0000000077980480 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077821b30 5 bytes JMP 00000000779803a0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077821c10 5 bytes JMP 00000000779802f0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077821c20 5 bytes JMP 0000000077980350 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077821c80 5 bytes JMP 0000000077980290 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077821d10 5 bytes JMP 00000000779802b0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077821d30 5 bytes JMP 
00000000779803d0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077821d40 5 bytes JMP 0000000077980330 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077821db0 5 bytes JMP 0000000077980410 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077821de0 5 bytes JMP 0000000077980240 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778220a0 5 bytes JMP 00000000779801e0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077822160 5 bytes JMP 0000000077980250 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077822190 5 bytes JMP 0000000077980490 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778221a0 5 bytes JMP 00000000779804a0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778221d0 5 bytes JMP 0000000077980300 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778221e0 5 bytes JMP 0000000077980360 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077822240 5 bytes JMP 00000000779802a0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077822290 5 bytes JMP 00000000779802c0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2000] 
C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000778222c0 5 bytes JMP 0000000077980380 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778222d0 5 bytes JMP 0000000077980340 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000778225c0 5 bytes JMP 0000000077980440 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778227c0 5 bytes JMP 0000000077980260 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778227d0 5 bytes JMP 0000000077980270 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778227e0 5 bytes JMP 0000000077980400 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778229a0 5 bytes JMP 00000000779801f0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778229b0 5 bytes JMP 0000000077980210 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077822a20 5 bytes JMP 0000000077980200 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077822a80 5 bytes JMP 0000000077980420 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077822a90 5 bytes JMP 0000000077980430 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077822aa0 5 bytes JMP 0000000077980220 .text C:\Program Files\NVIDIA 
Corporation\NvStreamSrv\nvstreamsvc.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077822b80 5 bytes JMP 0000000077980280 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2000] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007770eecd 1 byte [62] .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2220] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007556a2ba 1 byte [62] .text C:\Windows\system32\rundll32.exe[2512] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077821360 5 bytes JMP 0000000077980460 .text C:\Windows\system32\rundll32.exe[2512] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000778213b0 5 bytes JMP 0000000077980450 .text C:\Windows\system32\rundll32.exe[2512] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077821510 5 bytes JMP 0000000077980370 .text C:\Windows\system32\rundll32.exe[2512] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077821560 5 bytes JMP 0000000077980470 .text C:\Windows\system32\rundll32.exe[2512] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077821570 5 bytes JMP 00000000779803e0 .text C:\Windows\system32\rundll32.exe[2512] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077821620 5 bytes JMP 0000000077980320 .text C:\Windows\system32\rundll32.exe[2512] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077821650 5 bytes JMP 00000000779803b0 .text C:\Windows\system32\rundll32.exe[2512] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077821670 5 bytes JMP 0000000077980390 .text C:\Windows\system32\rundll32.exe[2512] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778216b0 5 bytes JMP 00000000779802e0 .text C:\Windows\system32\rundll32.exe[2512] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077821730 5 bytes JMP 00000000779802d0 .text C:\Windows\system32\rundll32.exe[2512] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077821750 5 bytes JMP 0000000077980310 .text 
C:\Windows\system32\rundll32.exe[2512] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077821790 5 bytes JMP 00000000779803c0 .text C:\Windows\system32\rundll32.exe[2512] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778217e0 5 bytes JMP 00000000779803f0 .text C:\Windows\system32\rundll32.exe[2512] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077821940 5 bytes JMP 0000000077980230 .text C:\Windows\system32\rundll32.exe[2512] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077821b00 5 bytes JMP 0000000077980480 .text C:\Windows\system32\rundll32.exe[2512] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077821b30 5 bytes JMP 00000000779803a0 .text C:\Windows\system32\rundll32.exe[2512] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077821c10 5 bytes JMP 00000000779802f0 .text C:\Windows\system32\rundll32.exe[2512] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077821c20 5 bytes JMP 0000000077980350 .text C:\Windows\system32\rundll32.exe[2512] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077821c80 5 bytes JMP 0000000077980290 .text C:\Windows\system32\rundll32.exe[2512] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077821d10 5 bytes JMP 00000000779802b0 .text C:\Windows\system32\rundll32.exe[2512] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077821d30 5 bytes JMP 00000000779803d0 .text C:\Windows\system32\rundll32.exe[2512] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077821d40 5 bytes JMP 0000000077980330 .text C:\Windows\system32\rundll32.exe[2512] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077821db0 5 bytes JMP 0000000077980410 .text C:\Windows\system32\rundll32.exe[2512] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077821de0 5 bytes JMP 0000000077980240 .text C:\Windows\system32\rundll32.exe[2512] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778220a0 5 bytes JMP 00000000779801e0 .text C:\Windows\system32\rundll32.exe[2512] 
C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077822160 5 bytes JMP 0000000077980250 .text C:\Windows\system32\rundll32.exe[2512] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077822190 5 bytes JMP 0000000077980490 .text C:\Windows\system32\rundll32.exe[2512] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778221a0 5 bytes JMP 00000000779804a0 .text C:\Windows\system32\rundll32.exe[2512] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778221d0 5 bytes JMP 0000000077980300 .text C:\Windows\system32\rundll32.exe[2512] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778221e0 5 bytes JMP 0000000077980360 .text C:\Windows\system32\rundll32.exe[2512] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077822240 5 bytes JMP 00000000779802a0 .text C:\Windows\system32\rundll32.exe[2512] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077822290 5 bytes JMP 00000000779802c0 .text C:\Windows\system32\rundll32.exe[2512] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000778222c0 5 bytes JMP 0000000077980380 .text C:\Windows\system32\rundll32.exe[2512] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778222d0 5 bytes JMP 0000000077980340 .text C:\Windows\system32\rundll32.exe[2512] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000778225c0 5 bytes JMP 0000000077980440 .text C:\Windows\system32\rundll32.exe[2512] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778227c0 5 bytes JMP 0000000077980260 .text C:\Windows\system32\rundll32.exe[2512] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778227d0 5 bytes JMP 0000000077980270 .text C:\Windows\system32\rundll32.exe[2512] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778227e0 5 bytes JMP 0000000077980400 .text C:\Windows\system32\rundll32.exe[2512] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778229a0 5 bytes JMP 00000000779801f0 .text C:\Windows\system32\rundll32.exe[2512] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 
00000000778229b0 5 bytes JMP 0000000077980210 .text C:\Windows\system32\rundll32.exe[2512] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077822a20 5 bytes JMP 0000000077980200 .text C:\Windows\system32\rundll32.exe[2512] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077822a80 5 bytes JMP 0000000077980420 .text C:\Windows\system32\rundll32.exe[2512] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077822a90 5 bytes JMP 0000000077980430 .text C:\Windows\system32\rundll32.exe[2512] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077822aa0 5 bytes JMP 0000000077980220 .text C:\Windows\system32\rundll32.exe[2512] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077822b80 5 bytes JMP 0000000077980280 .text C:\Windows\system32\rundll32.exe[2512] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007770eecd 1 byte [62] .text C:\Program Files\Zune\ZuneLauncher.exe[2300] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077821360 5 bytes JMP 0000000077980460 .text C:\Program Files\Zune\ZuneLauncher.exe[2300] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000778213b0 5 bytes JMP 0000000077980450 .text C:\Program Files\Zune\ZuneLauncher.exe[2300] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077821510 5 bytes JMP 0000000077980370 .text C:\Program Files\Zune\ZuneLauncher.exe[2300] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077821560 5 bytes JMP 0000000077980470 .text C:\Program Files\Zune\ZuneLauncher.exe[2300] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077821570 5 bytes JMP 00000000779803e0 .text C:\Program Files\Zune\ZuneLauncher.exe[2300] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077821620 5 bytes JMP 0000000077980320 .text C:\Program Files\Zune\ZuneLauncher.exe[2300] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077821650 5 bytes JMP 00000000779803b0 .text C:\Program Files\Zune\ZuneLauncher.exe[2300] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077821670 5 
bytes JMP 0000000077980390 .text C:\Program Files\Zune\ZuneLauncher.exe[2300] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778216b0 5 bytes JMP 00000000779802e0 .text C:\Program Files\Zune\ZuneLauncher.exe[2300] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077821730 5 bytes JMP 00000000779802d0 .text C:\Program Files\Zune\ZuneLauncher.exe[2300] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077821750 5 bytes JMP 0000000077980310 .text C:\Program Files\Zune\ZuneLauncher.exe[2300] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077821790 5 bytes JMP 00000000779803c0 .text C:\Program Files\Zune\ZuneLauncher.exe[2300] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778217e0 5 bytes JMP 00000000779803f0 .text C:\Program Files\Zune\ZuneLauncher.exe[2300] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077821940 5 bytes JMP 0000000077980230 .text C:\Program Files\Zune\ZuneLauncher.exe[2300] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077821b00 5 bytes JMP 0000000077980480 .text C:\Program Files\Zune\ZuneLauncher.exe[2300] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077821b30 5 bytes JMP 00000000779803a0 .text C:\Program Files\Zune\ZuneLauncher.exe[2300] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077821c10 5 bytes JMP 00000000779802f0 .text C:\Program Files\Zune\ZuneLauncher.exe[2300] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077821c20 5 bytes JMP 0000000077980350 .text C:\Program Files\Zune\ZuneLauncher.exe[2300] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077821c80 5 bytes JMP 0000000077980290 .text C:\Program Files\Zune\ZuneLauncher.exe[2300] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077821d10 5 bytes JMP 00000000779802b0 .text C:\Program Files\Zune\ZuneLauncher.exe[2300] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077821d30 5 bytes JMP 00000000779803d0 .text C:\Program Files\Zune\ZuneLauncher.exe[2300] 
C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077821d40 5 bytes JMP 0000000077980330 .text C:\Program Files\Zune\ZuneLauncher.exe[2300] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077821db0 5 bytes JMP 0000000077980410 .text C:\Program Files\Zune\ZuneLauncher.exe[2300] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077821de0 5 bytes JMP 0000000077980240 .text C:\Program Files\Zune\ZuneLauncher.exe[2300] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778220a0 5 bytes JMP 00000000779801e0 .text C:\Program Files\Zune\ZuneLauncher.exe[2300] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077822160 5 bytes JMP 0000000077980250 .text C:\Program Files\Zune\ZuneLauncher.exe[2300] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077822190 5 bytes JMP 0000000077980490 .text C:\Program Files\Zune\ZuneLauncher.exe[2300] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778221a0 5 bytes JMP 00000000779804a0 .text C:\Program Files\Zune\ZuneLauncher.exe[2300] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778221d0 5 bytes JMP 0000000077980300 .text C:\Program Files\Zune\ZuneLauncher.exe[2300] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778221e0 5 bytes JMP 0000000077980360 .text C:\Program Files\Zune\ZuneLauncher.exe[2300] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077822240 5 bytes JMP 00000000779802a0 .text C:\Program Files\Zune\ZuneLauncher.exe[2300] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077822290 5 bytes JMP 00000000779802c0 .text C:\Program Files\Zune\ZuneLauncher.exe[2300] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000778222c0 5 bytes JMP 0000000077980380 .text C:\Program Files\Zune\ZuneLauncher.exe[2300] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778222d0 5 bytes JMP 0000000077980340 .text C:\Program Files\Zune\ZuneLauncher.exe[2300] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000778225c0 5 bytes JMP 0000000077980440 .text C:\Program 
Files\Zune\ZuneLauncher.exe[2300] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778227c0 5 bytes JMP 0000000077980260 .text C:\Program Files\Zune\ZuneLauncher.exe[2300] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778227d0 5 bytes JMP 0000000077980270 .text C:\Program Files\Zune\ZuneLauncher.exe[2300] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778227e0 5 bytes JMP 0000000077980400 .text C:\Program Files\Zune\ZuneLauncher.exe[2300] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778229a0 5 bytes JMP 00000000779801f0 .text C:\Program Files\Zune\ZuneLauncher.exe[2300] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778229b0 5 bytes JMP 0000000077980210 .text C:\Program Files\Zune\ZuneLauncher.exe[2300] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077822a20 5 bytes JMP 0000000077980200 .text C:\Program Files\Zune\ZuneLauncher.exe[2300] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077822a80 5 bytes JMP 0000000077980420 .text C:\Program Files\Zune\ZuneLauncher.exe[2300] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077822a90 5 bytes JMP 0000000077980430 .text C:\Program Files\Zune\ZuneLauncher.exe[2300] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077822aa0 5 bytes JMP 0000000077980220 .text C:\Program Files\Zune\ZuneLauncher.exe[2300] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077822b80 5 bytes JMP 0000000077980280 .text C:\Program Files\Zune\ZuneLauncher.exe[2300] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007770eecd 1 byte [62] .text C:\Windows\system32\SearchIndexer.exe[2996] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077821360 5 bytes JMP 0000000100070460 .text C:\Windows\system32\SearchIndexer.exe[2996] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000778213b0 5 bytes JMP 0000000100070450 .text C:\Windows\system32\SearchIndexer.exe[2996] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077821510 5 bytes JMP 
0000000100070370 .text C:\Windows\system32\SearchIndexer.exe[2996] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077821560 5 bytes JMP 0000000100070470 .text C:\Windows\system32\SearchIndexer.exe[2996] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077821570 5 bytes JMP 00000001000703e0 .text C:\Windows\system32\SearchIndexer.exe[2996] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077821620 5 bytes JMP 0000000100070320 .text C:\Windows\system32\SearchIndexer.exe[2996] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077821650 5 bytes JMP 00000001000703b0 .text C:\Windows\system32\SearchIndexer.exe[2996] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077821670 5 bytes JMP 0000000100070390 .text C:\Windows\system32\SearchIndexer.exe[2996] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778216b0 5 bytes JMP 00000001000702e0 .text C:\Windows\system32\SearchIndexer.exe[2996] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077821730 5 bytes JMP 00000001000702d0 .text C:\Windows\system32\SearchIndexer.exe[2996] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077821750 5 bytes JMP 0000000100070310 .text C:\Windows\system32\SearchIndexer.exe[2996] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077821790 5 bytes JMP 00000001000703c0 .text C:\Windows\system32\SearchIndexer.exe[2996] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778217e0 5 bytes JMP 00000001000703f0 .text C:\Windows\system32\SearchIndexer.exe[2996] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077821940 5 bytes JMP 0000000100070230 .text C:\Windows\system32\SearchIndexer.exe[2996] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077821b00 5 bytes JMP 0000000100070480 .text C:\Windows\system32\SearchIndexer.exe[2996] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077821b30 5 bytes JMP 00000001000703a0 .text C:\Windows\system32\SearchIndexer.exe[2996] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 
0000000077821c10 5 bytes JMP 00000001000702f0 .text C:\Windows\system32\SearchIndexer.exe[2996] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077821c20 5 bytes JMP 0000000100070350 .text C:\Windows\system32\SearchIndexer.exe[2996] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077821c80 5 bytes JMP 0000000100070290 .text C:\Windows\system32\SearchIndexer.exe[2996] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077821d10 5 bytes JMP 00000001000702b0 .text C:\Windows\system32\SearchIndexer.exe[2996] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077821d30 5 bytes JMP 00000001000703d0 .text C:\Windows\system32\SearchIndexer.exe[2996] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077821d40 5 bytes JMP 0000000100070330 .text C:\Windows\system32\SearchIndexer.exe[2996] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077821db0 5 bytes JMP 0000000100070410 .text C:\Windows\system32\SearchIndexer.exe[2996] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077821de0 5 bytes JMP 0000000100070240 .text C:\Windows\system32\SearchIndexer.exe[2996] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778220a0 5 bytes JMP 00000001000701e0 .text C:\Windows\system32\SearchIndexer.exe[2996] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077822160 5 bytes JMP 0000000100070250 .text C:\Windows\system32\SearchIndexer.exe[2996] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077822190 5 bytes JMP 0000000100070490 .text C:\Windows\system32\SearchIndexer.exe[2996] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778221a0 5 bytes JMP 00000001000704a0 .text C:\Windows\system32\SearchIndexer.exe[2996] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778221d0 5 bytes JMP 0000000100070300 .text C:\Windows\system32\SearchIndexer.exe[2996] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778221e0 5 bytes JMP 0000000100070360 .text C:\Windows\system32\SearchIndexer.exe[2996] 
C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077822240 5 bytes JMP 00000001000702a0 .text C:\Windows\system32\SearchIndexer.exe[2996] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077822290 5 bytes JMP 00000001000702c0 .text C:\Windows\system32\SearchIndexer.exe[2996] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000778222c0 5 bytes JMP 0000000100070380 .text C:\Windows\system32\SearchIndexer.exe[2996] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778222d0 5 bytes JMP 0000000100070340 .text C:\Windows\system32\SearchIndexer.exe[2996] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000778225c0 5 bytes JMP 0000000100070440 .text C:\Windows\system32\SearchIndexer.exe[2996] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778227c0 5 bytes JMP 0000000100070260 .text C:\Windows\system32\SearchIndexer.exe[2996] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778227d0 5 bytes JMP 0000000100070270 .text C:\Windows\system32\SearchIndexer.exe[2996] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778227e0 5 bytes JMP 0000000100070400 .text C:\Windows\system32\SearchIndexer.exe[2996] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778229a0 5 bytes JMP 00000001000701f0 .text C:\Windows\system32\SearchIndexer.exe[2996] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778229b0 5 bytes JMP 0000000100070210 .text C:\Windows\system32\SearchIndexer.exe[2996] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077822a20 5 bytes JMP 0000000100070200 .text C:\Windows\system32\SearchIndexer.exe[2996] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077822a80 5 bytes JMP 0000000100070420 .text C:\Windows\system32\SearchIndexer.exe[2996] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077822a90 5 bytes JMP 0000000100070430 .text C:\Windows\system32\SearchIndexer.exe[2996] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077822aa0 5 bytes JMP 0000000100070220 .text 
C:\Windows\system32\SearchIndexer.exe[2996] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077822b80 5 bytes JMP 0000000100070280 .text C:\Windows\system32\SearchIndexer.exe[2996] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007770eecd 1 byte [62] .text C:\Windows\system32\svchost.exe[2916] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007770eecd 1 byte [62] .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[3120] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007556a2ba 1 byte [62] .text C:\Program Files (x86)\ChomikBox\chomikbox.exe[3560] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007556a2ba 1 byte [62] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3636] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077821360 5 bytes JMP 0000000077980460 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3636] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000778213b0 5 bytes JMP 0000000077980450 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3636] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077821510 5 bytes JMP 0000000077980370 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3636] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077821560 5 bytes JMP 0000000077980470 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3636] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077821570 5 bytes JMP 00000000779803e0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3636] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077821620 5 bytes JMP 0000000077980320 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3636] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077821650 5 bytes JMP 00000000779803b0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3636] 
C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077821670 5 bytes JMP 0000000077980390 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3636] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778216b0 5 bytes JMP 00000000779802e0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3636] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077821730 5 bytes JMP 00000000779802d0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3636] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077821750 5 bytes JMP 0000000077980310 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3636] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077821790 5 bytes JMP 00000000779803c0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3636] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778217e0 5 bytes JMP 00000000779803f0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3636] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077821940 5 bytes JMP 0000000077980230 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3636] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077821b00 5 bytes JMP 0000000077980480 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3636] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077821b30 5 bytes JMP 00000000779803a0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3636] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077821c10 5 bytes JMP 00000000779802f0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3636] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077821c20 5 bytes JMP 0000000077980350 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3636] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077821c80 5 bytes JMP 0000000077980290 .text C:\Program Files\NVIDIA 
Corporation\NvStreamSrv\nvstreamsvc.exe[3636] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077821d10 5 bytes JMP 00000000779802b0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3636] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077821d30 5 bytes JMP 00000000779803d0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3636] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077821d40 5 bytes JMP 0000000077980330 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3636] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077821db0 5 bytes JMP 0000000077980410 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3636] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077821de0 5 bytes JMP 0000000077980240 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3636] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778220a0 5 bytes JMP 00000000779801e0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3636] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077822160 5 bytes JMP 0000000077980250 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3636] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077822190 5 bytes JMP 0000000077980490 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3636] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778221a0 5 bytes JMP 00000000779804a0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3636] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778221d0 5 bytes JMP 0000000077980300 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3636] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778221e0 5 bytes JMP 0000000077980360 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3636] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077822240 5 bytes JMP 
00000000779802a0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3636] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077822290 5 bytes JMP 00000000779802c0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3636] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000778222c0 5 bytes JMP 0000000077980380 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3636] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778222d0 5 bytes JMP 0000000077980340 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3636] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000778225c0 5 bytes JMP 0000000077980440 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3636] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778227c0 5 bytes JMP 0000000077980260 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3636] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778227d0 5 bytes JMP 0000000077980270 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3636] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778227e0 5 bytes JMP 0000000077980400 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3636] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778229a0 5 bytes JMP 00000000779801f0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3636] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778229b0 5 bytes JMP 0000000077980210 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3636] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077822a20 5 bytes JMP 0000000077980200 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3636] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077822a80 5 bytes JMP 0000000077980420 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3636] 
C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077822a90 5 bytes JMP 0000000077980430 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3636] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077822aa0 5 bytes JMP 0000000077980220 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3636] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077822b80 5 bytes JMP 0000000077980280 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3636] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007770eecd 1 byte [62] .text C:\Windows\system32\conhost.exe[3648] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077821360 5 bytes JMP 0000000077980460 .text C:\Windows\system32\conhost.exe[3648] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000778213b0 5 bytes JMP 0000000077980450 .text C:\Windows\system32\conhost.exe[3648] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077821510 5 bytes JMP 0000000077980370 .text C:\Windows\system32\conhost.exe[3648] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077821560 5 bytes JMP 0000000077980470 .text C:\Windows\system32\conhost.exe[3648] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077821570 5 bytes JMP 00000000779803e0 .text C:\Windows\system32\conhost.exe[3648] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077821620 5 bytes JMP 0000000077980320 .text C:\Windows\system32\conhost.exe[3648] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077821650 5 bytes JMP 00000000779803b0 .text C:\Windows\system32\conhost.exe[3648] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077821670 5 bytes JMP 0000000077980390 .text C:\Windows\system32\conhost.exe[3648] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778216b0 5 bytes JMP 00000000779802e0 .text C:\Windows\system32\conhost.exe[3648] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077821730 5 bytes JMP 00000000779802d0 .text 
C:\Windows\system32\conhost.exe[3648] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077821750 5 bytes JMP 0000000077980310 .text C:\Windows\system32\conhost.exe[3648] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077821790 5 bytes JMP 00000000779803c0 .text C:\Windows\system32\conhost.exe[3648] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778217e0 5 bytes JMP 00000000779803f0 .text C:\Windows\system32\conhost.exe[3648] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077821940 5 bytes JMP 0000000077980230 .text C:\Windows\system32\conhost.exe[3648] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077821b00 5 bytes JMP 0000000077980480 .text C:\Windows\system32\conhost.exe[3648] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077821b30 5 bytes JMP 00000000779803a0 .text C:\Windows\system32\conhost.exe[3648] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077821c10 5 bytes JMP 00000000779802f0 .text C:\Windows\system32\conhost.exe[3648] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077821c20 5 bytes JMP 0000000077980350 .text C:\Windows\system32\conhost.exe[3648] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077821c80 5 bytes JMP 0000000077980290 .text C:\Windows\system32\conhost.exe[3648] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077821d10 5 bytes JMP 00000000779802b0 .text C:\Windows\system32\conhost.exe[3648] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077821d30 5 bytes JMP 00000000779803d0 .text C:\Windows\system32\conhost.exe[3648] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077821d40 5 bytes JMP 0000000077980330 .text C:\Windows\system32\conhost.exe[3648] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077821db0 5 bytes JMP 0000000077980410 .text C:\Windows\system32\conhost.exe[3648] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077821de0 5 bytes JMP 0000000077980240 .text C:\Windows\system32\conhost.exe[3648] 
C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778220a0 5 bytes JMP 00000000779801e0 .text C:\Windows\system32\conhost.exe[3648] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077822160 5 bytes JMP 0000000077980250 .text C:\Windows\system32\conhost.exe[3648] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077822190 5 bytes JMP 0000000077980490 .text C:\Windows\system32\conhost.exe[3648] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778221a0 5 bytes JMP 00000000779804a0 .text C:\Windows\system32\conhost.exe[3648] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778221d0 5 bytes JMP 0000000077980300 .text C:\Windows\system32\conhost.exe[3648] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778221e0 5 bytes JMP 0000000077980360 .text C:\Windows\system32\conhost.exe[3648] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077822240 5 bytes JMP 00000000779802a0 .text C:\Windows\system32\conhost.exe[3648] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077822290 5 bytes JMP 00000000779802c0 .text C:\Windows\system32\conhost.exe[3648] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000778222c0 5 bytes JMP 0000000077980380 .text C:\Windows\system32\conhost.exe[3648] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778222d0 5 bytes JMP 0000000077980340 .text C:\Windows\system32\conhost.exe[3648] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000778225c0 5 bytes JMP 0000000077980440 .text C:\Windows\system32\conhost.exe[3648] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778227c0 5 bytes JMP 0000000077980260 .text C:\Windows\system32\conhost.exe[3648] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778227d0 5 bytes JMP 0000000077980270 .text C:\Windows\system32\conhost.exe[3648] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778227e0 5 bytes JMP 0000000077980400 .text C:\Windows\system32\conhost.exe[3648] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778229a0 5 bytes 
JMP 00000000779801f0 .text C:\Windows\system32\conhost.exe[3648] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778229b0 5 bytes JMP 0000000077980210 .text C:\Windows\system32\conhost.exe[3648] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077822a20 5 bytes JMP 0000000077980200 .text C:\Windows\system32\conhost.exe[3648] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077822a80 5 bytes JMP 0000000077980420 .text C:\Windows\system32\conhost.exe[3648] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077822a90 5 bytes JMP 0000000077980430 .text C:\Windows\system32\conhost.exe[3648] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077822aa0 5 bytes JMP 0000000077980220 .text C:\Windows\system32\conhost.exe[3648] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077822b80 5 bytes JMP 0000000077980280 .text C:\Windows\system32\conhost.exe[3648] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007770eecd 1 byte [62] .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[3712] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007556a2ba 1 byte [62] .text C:\Windows\System32\svchost.exe[2104] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077821360 5 bytes JMP 0000000077980460 .text C:\Windows\System32\svchost.exe[2104] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000778213b0 5 bytes JMP 0000000077980450 .text C:\Windows\System32\svchost.exe[2104] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077821510 5 bytes JMP 0000000077980370 .text C:\Windows\System32\svchost.exe[2104] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077821560 5 bytes JMP 0000000077980470 .text C:\Windows\System32\svchost.exe[2104] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077821570 5 bytes JMP 00000000779803e0 .text C:\Windows\System32\svchost.exe[2104] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077821620 5 bytes JMP 0000000077980320 .text C:\Windows\System32\svchost.exe[2104] 
C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077821650 5 bytes JMP 00000000779803b0 .text C:\Windows\System32\svchost.exe[2104] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077821670 5 bytes JMP 0000000077980390 .text C:\Windows\System32\svchost.exe[2104] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778216b0 5 bytes JMP 00000000779802e0 .text C:\Windows\System32\svchost.exe[2104] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077821730 5 bytes JMP 00000000779802d0 .text C:\Windows\System32\svchost.exe[2104] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077821750 5 bytes JMP 0000000077980310 .text C:\Windows\System32\svchost.exe[2104] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077821790 5 bytes JMP 00000000779803c0 .text C:\Windows\System32\svchost.exe[2104] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778217e0 5 bytes JMP 00000000779803f0 .text C:\Windows\System32\svchost.exe[2104] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077821940 5 bytes JMP 0000000077980230 .text C:\Windows\System32\svchost.exe[2104] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077821b00 5 bytes JMP 0000000077980480 .text C:\Windows\System32\svchost.exe[2104] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077821b30 5 bytes JMP 00000000779803a0 .text C:\Windows\System32\svchost.exe[2104] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077821c10 5 bytes JMP 00000000779802f0 .text C:\Windows\System32\svchost.exe[2104] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077821c20 5 bytes JMP 0000000077980350 .text C:\Windows\System32\svchost.exe[2104] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077821c80 5 bytes JMP 0000000077980290 .text C:\Windows\System32\svchost.exe[2104] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077821d10 5 bytes JMP 00000000779802b0 .text C:\Windows\System32\svchost.exe[2104] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077821d30 5 
bytes JMP 00000000779803d0 .text C:\Windows\System32\svchost.exe[2104] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077821d40 5 bytes JMP 0000000077980330 .text C:\Windows\System32\svchost.exe[2104] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077821db0 5 bytes JMP 0000000077980410 .text C:\Windows\System32\svchost.exe[2104] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077821de0 5 bytes JMP 0000000077980240 .text C:\Windows\System32\svchost.exe[2104] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778220a0 5 bytes JMP 00000000779801e0 .text C:\Windows\System32\svchost.exe[2104] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077822160 5 bytes JMP 0000000077980250 .text C:\Windows\System32\svchost.exe[2104] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077822190 5 bytes JMP 0000000077980490 .text C:\Windows\System32\svchost.exe[2104] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778221a0 5 bytes JMP 00000000779804a0 .text C:\Windows\System32\svchost.exe[2104] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778221d0 5 bytes JMP 0000000077980300 .text C:\Windows\System32\svchost.exe[2104] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778221e0 5 bytes JMP 0000000077980360 .text C:\Windows\System32\svchost.exe[2104] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077822240 5 bytes JMP 00000000779802a0 .text C:\Windows\System32\svchost.exe[2104] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077822290 5 bytes JMP 00000000779802c0 .text C:\Windows\System32\svchost.exe[2104] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000778222c0 5 bytes JMP 0000000077980380 .text C:\Windows\System32\svchost.exe[2104] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778222d0 5 bytes JMP 0000000077980340 .text C:\Windows\System32\svchost.exe[2104] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000778225c0 5 bytes JMP 0000000077980440 .text C:\Windows\System32\svchost.exe[2104] 
C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778227c0 5 bytes JMP 0000000077980260 .text C:\Windows\System32\svchost.exe[2104] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778227d0 5 bytes JMP 0000000077980270 .text C:\Windows\System32\svchost.exe[2104] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778227e0 5 bytes JMP 0000000077980400 .text C:\Windows\System32\svchost.exe[2104] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778229a0 5 bytes JMP 00000000779801f0 .text C:\Windows\System32\svchost.exe[2104] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778229b0 5 bytes JMP 0000000077980210 .text C:\Windows\System32\svchost.exe[2104] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077822a20 5 bytes JMP 0000000077980200 .text C:\Windows\System32\svchost.exe[2104] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077822a80 5 bytes JMP 0000000077980420 .text C:\Windows\System32\svchost.exe[2104] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077822a90 5 bytes JMP 0000000077980430 .text C:\Windows\System32\svchost.exe[2104] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077822aa0 5 bytes JMP 0000000077980220 .text C:\Windows\System32\svchost.exe[2104] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077822b80 5 bytes JMP 0000000077980280 .text C:\totalcmd\TOTALCMD64.EXE[548] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007770eecd 1 byte [62] .text C:\Windows\system32\AUDIODG.EXE[720] C:\Windows\System32\kernel32.dll!GetBinaryTypeW + 189 000000007770eecd 1 byte [62] .text C:\Users\Piotr\Downloads\OTL.exe[3504] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007556a2ba 1 byte [62] .text C:\Users\Piotr\Downloads\OTL.exe[3504] C:\Windows\syswow64\PSAPI.dll!GetModuleInformation + 69 0000000075521465 2 bytes [52, 75] .text C:\Users\Piotr\Downloads\OTL.exe[3504] C:\Windows\syswow64\PSAPI.dll!GetModuleInformation + 155 00000000755214bb 2 bytes [52, 75] .text ... 
* 2 .text C:\Users\Piotr\AppData\Roaming\foobar2000\user-components\foo_out_wasapi\WASAPIHost64.exe[5040] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077821360 5 bytes JMP 0000000077980460 .text C:\Users\Piotr\AppData\Roaming\foobar2000\user-components\foo_out_wasapi\WASAPIHost64.exe[5040] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000778213b0 5 bytes JMP 0000000077980450 .text C:\Users\Piotr\AppData\Roaming\foobar2000\user-components\foo_out_wasapi\WASAPIHost64.exe[5040] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077821510 5 bytes JMP 0000000077980370 .text C:\Users\Piotr\AppData\Roaming\foobar2000\user-components\foo_out_wasapi\WASAPIHost64.exe[5040] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077821560 5 bytes JMP 0000000077980470 .text C:\Users\Piotr\AppData\Roaming\foobar2000\user-components\foo_out_wasapi\WASAPIHost64.exe[5040] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077821570 5 bytes JMP 00000000779803e0 .text C:\Users\Piotr\AppData\Roaming\foobar2000\user-components\foo_out_wasapi\WASAPIHost64.exe[5040] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077821620 5 bytes JMP 0000000077980320 .text C:\Users\Piotr\AppData\Roaming\foobar2000\user-components\foo_out_wasapi\WASAPIHost64.exe[5040] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077821650 5 bytes JMP 00000000779803b0 .text C:\Users\Piotr\AppData\Roaming\foobar2000\user-components\foo_out_wasapi\WASAPIHost64.exe[5040] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077821670 5 bytes JMP 0000000077980390 .text C:\Users\Piotr\AppData\Roaming\foobar2000\user-components\foo_out_wasapi\WASAPIHost64.exe[5040] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778216b0 5 bytes JMP 00000000779802e0 .text C:\Users\Piotr\AppData\Roaming\foobar2000\user-components\foo_out_wasapi\WASAPIHost64.exe[5040] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077821730 5 bytes JMP 00000000779802d0 .text 
C:\Users\Piotr\AppData\Roaming\foobar2000\user-components\foo_out_wasapi\WASAPIHost64.exe[5040] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077821750 5 bytes JMP 0000000077980310 .text C:\Users\Piotr\AppData\Roaming\foobar2000\user-components\foo_out_wasapi\WASAPIHost64.exe[5040] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077821790 5 bytes JMP 00000000779803c0 .text C:\Users\Piotr\AppData\Roaming\foobar2000\user-components\foo_out_wasapi\WASAPIHost64.exe[5040] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778217e0 5 bytes JMP 00000000779803f0 .text C:\Users\Piotr\AppData\Roaming\foobar2000\user-components\foo_out_wasapi\WASAPIHost64.exe[5040] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077821940 5 bytes JMP 0000000077980230 .text C:\Users\Piotr\AppData\Roaming\foobar2000\user-components\foo_out_wasapi\WASAPIHost64.exe[5040] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077821b00 5 bytes JMP 0000000077980480 .text C:\Users\Piotr\AppData\Roaming\foobar2000\user-components\foo_out_wasapi\WASAPIHost64.exe[5040] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077821b30 5 bytes JMP 00000000779803a0 .text C:\Users\Piotr\AppData\Roaming\foobar2000\user-components\foo_out_wasapi\WASAPIHost64.exe[5040] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077821c10 5 bytes JMP 00000000779802f0 .text C:\Users\Piotr\AppData\Roaming\foobar2000\user-components\foo_out_wasapi\WASAPIHost64.exe[5040] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077821c20 5 bytes JMP 0000000077980350 .text C:\Users\Piotr\AppData\Roaming\foobar2000\user-components\foo_out_wasapi\WASAPIHost64.exe[5040] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077821c80 5 bytes JMP 0000000077980290 .text C:\Users\Piotr\AppData\Roaming\foobar2000\user-components\foo_out_wasapi\WASAPIHost64.exe[5040] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077821d10 5 bytes JMP 00000000779802b0 .text 
C:\Users\Piotr\AppData\Roaming\foobar2000\user-components\foo_out_wasapi\WASAPIHost64.exe[5040] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077821d30 5 bytes JMP 00000000779803d0 .text C:\Users\Piotr\AppData\Roaming\foobar2000\user-components\foo_out_wasapi\WASAPIHost64.exe[5040] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077821d40 5 bytes JMP 0000000077980330 .text C:\Users\Piotr\AppData\Roaming\foobar2000\user-components\foo_out_wasapi\WASAPIHost64.exe[5040] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077821db0 5 bytes JMP 0000000077980410 .text C:\Users\Piotr\AppData\Roaming\foobar2000\user-components\foo_out_wasapi\WASAPIHost64.exe[5040] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077821de0 5 bytes JMP 0000000077980240 .text C:\Users\Piotr\AppData\Roaming\foobar2000\user-components\foo_out_wasapi\WASAPIHost64.exe[5040] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778220a0 5 bytes JMP 00000000779801e0 .text C:\Users\Piotr\AppData\Roaming\foobar2000\user-components\foo_out_wasapi\WASAPIHost64.exe[5040] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077822160 5 bytes JMP 0000000077980250 .text C:\Users\Piotr\AppData\Roaming\foobar2000\user-components\foo_out_wasapi\WASAPIHost64.exe[5040] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077822190 5 bytes JMP 0000000077980490 .text C:\Users\Piotr\AppData\Roaming\foobar2000\user-components\foo_out_wasapi\WASAPIHost64.exe[5040] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778221a0 5 bytes JMP 00000000779804a0 .text C:\Users\Piotr\AppData\Roaming\foobar2000\user-components\foo_out_wasapi\WASAPIHost64.exe[5040] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778221d0 5 bytes JMP 0000000077980300 .text C:\Users\Piotr\AppData\Roaming\foobar2000\user-components\foo_out_wasapi\WASAPIHost64.exe[5040] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778221e0 5 bytes JMP 0000000077980360 .text 
C:\Users\Piotr\AppData\Roaming\foobar2000\user-components\foo_out_wasapi\WASAPIHost64.exe[5040] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077822240 5 bytes JMP 00000000779802a0 .text C:\Users\Piotr\AppData\Roaming\foobar2000\user-components\foo_out_wasapi\WASAPIHost64.exe[5040] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077822290 5 bytes JMP 00000000779802c0 .text C:\Users\Piotr\AppData\Roaming\foobar2000\user-components\foo_out_wasapi\WASAPIHost64.exe[5040] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000778222c0 5 bytes JMP 0000000077980380 .text C:\Users\Piotr\AppData\Roaming\foobar2000\user-components\foo_out_wasapi\WASAPIHost64.exe[5040] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778222d0 5 bytes JMP 0000000077980340 .text C:\Users\Piotr\AppData\Roaming\foobar2000\user-components\foo_out_wasapi\WASAPIHost64.exe[5040] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000778225c0 5 bytes JMP 0000000077980440 .text C:\Users\Piotr\AppData\Roaming\foobar2000\user-components\foo_out_wasapi\WASAPIHost64.exe[5040] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778227c0 5 bytes JMP 0000000077980260 .text C:\Users\Piotr\AppData\Roaming\foobar2000\user-components\foo_out_wasapi\WASAPIHost64.exe[5040] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778227d0 5 bytes JMP 0000000077980270 .text C:\Users\Piotr\AppData\Roaming\foobar2000\user-components\foo_out_wasapi\WASAPIHost64.exe[5040] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778227e0 5 bytes JMP 0000000077980400 .text C:\Users\Piotr\AppData\Roaming\foobar2000\user-components\foo_out_wasapi\WASAPIHost64.exe[5040] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778229a0 5 bytes JMP 00000000779801f0 .text C:\Users\Piotr\AppData\Roaming\foobar2000\user-components\foo_out_wasapi\WASAPIHost64.exe[5040] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778229b0 5 bytes JMP 0000000077980210 .text 
C:\Users\Piotr\AppData\Roaming\foobar2000\user-components\foo_out_wasapi\WASAPIHost64.exe[5040] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077822a20 5 bytes JMP 0000000077980200 .text C:\Users\Piotr\AppData\Roaming\foobar2000\user-components\foo_out_wasapi\WASAPIHost64.exe[5040] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077822a80 5 bytes JMP 0000000077980420 .text C:\Users\Piotr\AppData\Roaming\foobar2000\user-components\foo_out_wasapi\WASAPIHost64.exe[5040] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077822a90 5 bytes JMP 0000000077980430 .text C:\Users\Piotr\AppData\Roaming\foobar2000\user-components\foo_out_wasapi\WASAPIHost64.exe[5040] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077822aa0 5 bytes JMP 0000000077980220 .text C:\Users\Piotr\AppData\Roaming\foobar2000\user-components\foo_out_wasapi\WASAPIHost64.exe[5040] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077822b80 5 bytes JMP 0000000077980280 .text C:\Windows\system32\wbem\wmiprvse.exe[3332] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077821360 5 bytes JMP 0000000077980460 .text C:\Windows\system32\wbem\wmiprvse.exe[3332] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000778213b0 5 bytes JMP 0000000077980450 .text C:\Windows\system32\wbem\wmiprvse.exe[3332] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077821510 5 bytes JMP 0000000077980370 .text C:\Windows\system32\wbem\wmiprvse.exe[3332] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077821560 5 bytes JMP 0000000077980470 .text C:\Windows\system32\wbem\wmiprvse.exe[3332] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077821570 5 bytes JMP 00000000779803e0 .text C:\Windows\system32\wbem\wmiprvse.exe[3332] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077821620 5 bytes JMP 0000000077980320 .text C:\Windows\system32\wbem\wmiprvse.exe[3332] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077821650 5 bytes JMP 00000000779803b0 .text 
C:\Windows\system32\wbem\wmiprvse.exe[3332] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077821670 5 bytes JMP 0000000077980390 .text C:\Windows\system32\wbem\wmiprvse.exe[3332] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778216b0 5 bytes JMP 00000000779802e0 .text C:\Windows\system32\wbem\wmiprvse.exe[3332] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077821730 5 bytes JMP 00000000779802d0 .text C:\Windows\system32\wbem\wmiprvse.exe[3332] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077821750 5 bytes JMP 0000000077980310 .text C:\Windows\system32\wbem\wmiprvse.exe[3332] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077821790 5 bytes JMP 00000000779803c0 .text C:\Windows\system32\wbem\wmiprvse.exe[3332] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778217e0 5 bytes JMP 00000000779803f0 .text C:\Windows\system32\wbem\wmiprvse.exe[3332] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077821940 5 bytes JMP 0000000077980230 .text C:\Windows\system32\wbem\wmiprvse.exe[3332] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077821b00 5 bytes JMP 0000000077980480 .text C:\Windows\system32\wbem\wmiprvse.exe[3332] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077821b30 5 bytes JMP 00000000779803a0 .text C:\Windows\system32\wbem\wmiprvse.exe[3332] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077821c10 5 bytes JMP 00000000779802f0 .text C:\Windows\system32\wbem\wmiprvse.exe[3332] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077821c20 5 bytes JMP 0000000077980350 .text C:\Windows\system32\wbem\wmiprvse.exe[3332] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077821c80 5 bytes JMP 0000000077980290 .text C:\Windows\system32\wbem\wmiprvse.exe[3332] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077821d10 5 bytes JMP 00000000779802b0 .text C:\Windows\system32\wbem\wmiprvse.exe[3332] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077821d30 5 bytes JMP 
00000000779803d0 .text C:\Windows\system32\wbem\wmiprvse.exe[3332] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077821d40 5 bytes JMP 0000000077980330 .text C:\Windows\system32\wbem\wmiprvse.exe[3332] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077821db0 5 bytes JMP 0000000077980410 .text C:\Windows\system32\wbem\wmiprvse.exe[3332] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077821de0 5 bytes JMP 0000000077980240 .text C:\Windows\system32\wbem\wmiprvse.exe[3332] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778220a0 5 bytes JMP 00000000779801e0 .text C:\Windows\system32\wbem\wmiprvse.exe[3332] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077822160 5 bytes JMP 0000000077980250 .text C:\Windows\system32\wbem\wmiprvse.exe[3332] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077822190 5 bytes JMP 0000000077980490 .text C:\Windows\system32\wbem\wmiprvse.exe[3332] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778221a0 5 bytes JMP 00000000779804a0 .text C:\Windows\system32\wbem\wmiprvse.exe[3332] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778221d0 5 bytes JMP 0000000077980300 .text C:\Windows\system32\wbem\wmiprvse.exe[3332] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778221e0 5 bytes JMP 0000000077980360 .text C:\Windows\system32\wbem\wmiprvse.exe[3332] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077822240 5 bytes JMP 00000000779802a0 .text C:\Windows\system32\wbem\wmiprvse.exe[3332] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077822290 5 bytes JMP 00000000779802c0 .text C:\Windows\system32\wbem\wmiprvse.exe[3332] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000778222c0 5 bytes JMP 0000000077980380 .text C:\Windows\system32\wbem\wmiprvse.exe[3332] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778222d0 5 bytes JMP 0000000077980340 .text C:\Windows\system32\wbem\wmiprvse.exe[3332] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000778225c0 5 bytes 
JMP 0000000077980440 .text C:\Windows\system32\wbem\wmiprvse.exe[3332] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778227c0 5 bytes JMP 0000000077980260 .text C:\Windows\system32\wbem\wmiprvse.exe[3332] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778227d0 5 bytes JMP 0000000077980270 .text C:\Windows\system32\wbem\wmiprvse.exe[3332] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778227e0 5 bytes JMP 0000000077980400 .text C:\Windows\system32\wbem\wmiprvse.exe[3332] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778229a0 5 bytes JMP 00000000779801f0 .text C:\Windows\system32\wbem\wmiprvse.exe[3332] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778229b0 5 bytes JMP 0000000077980210 .text C:\Windows\system32\wbem\wmiprvse.exe[3332] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077822a20 5 bytes JMP 0000000077980200 .text C:\Windows\system32\wbem\wmiprvse.exe[3332] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077822a80 5 bytes JMP 0000000077980420 .text C:\Windows\system32\wbem\wmiprvse.exe[3332] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077822a90 5 bytes JMP 0000000077980430 .text C:\Windows\system32\wbem\wmiprvse.exe[3332] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077822aa0 5 bytes JMP 0000000077980220 .text C:\Windows\system32\wbem\wmiprvse.exe[3332] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077822b80 5 bytes JMP 0000000077980280 .text C:\Users\Piotr\Downloads\0yzgukkq.exe[1588] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007556a2ba 1 byte [62] ---- Services - GMER 2.1 ---- Service C:\Windows\system32\drivers\aswFsBlk.sys (*** hidden *** ) [AUTO] aswFsBlk <-- ROOTKIT !!! Service C:\Windows\system32\drivers\aswMonFlt.sys (*** hidden *** ) [AUTO] aswMonFlt <-- ROOTKIT !!! Service C:\Windows\system32\drivers\aswRdr2.sys (*** hidden *** ) [SYSTEM] aswRdr <-- ROOTKIT !!! 
Service C:\Windows\system32\drivers\aswRvrt.sys (*** hidden *** ) [BOOT] aswRvrt <-- ROOTKIT !!! Service C:\Windows\system32\drivers\aswSnx.sys (*** hidden *** ) [SYSTEM] aswSnx <-- ROOTKIT !!! Service C:\Windows\system32\drivers\aswSP.sys (*** hidden *** ) [SYSTEM] aswSP <-- ROOTKIT !!! Service C:\Windows\system32\drivers\aswTdi.sys (*** hidden *** ) [SYSTEM] aswTdi <-- ROOTKIT !!! Service C:\Windows\system32\drivers\aswVmm.sys (*** hidden *** ) [BOOT] aswVmm <-- ROOTKIT !!! Service C:\Program Files\AVAST Software\Avast\AvastSvc.exe (*** hidden *** ) [AUTO] avast! Antivirus <-- ROOTKIT !!! ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@Type 2 Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@Start 2 Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@DisplayName aswFsBlk Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@Group FSFilter Activity Monitor Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@DependOnService FltMgr? Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@Description Avast! 
Mini-filter Driver Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@Tag 2 Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@ImagePath \??\C:\Windows\system32\drivers\aswFsBlk.sys Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk\Instances Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk\Instances@DefaultInstance aswFsBlk Instance Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk\Instances\aswFsBlk Instance Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk\Instances\aswFsBlk Instance@Altitude 388400 Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk\Instances\aswFsBlk Instance@Flags 0 Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@Type 2 Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@Start 2 Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@ImagePath \??\C:\Windows\system32\drivers\aswMonFlt.sys Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@DisplayName aswMonFlt Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@Group FSFilter Anti-Virus Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@DependOnService FltMgr? Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@Description avast! 
mini-filter driver (aswMonFlt) Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt\Instances Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt\Instances@DefaultInstance aswMonFlt Instance Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt\Instances\aswMonFlt Instance Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt\Instances\aswMonFlt Instance@Altitude 320700 Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt\Instances\aswMonFlt Instance@Flags 0 Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@ImagePath \??\C:\Windows\system32\drivers\aswRdr2.sys Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@Type 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@Start 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@DisplayName aswRdr Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@Group PNP_TDI Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@DependOnService tcpip? Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@Description avast! WFP Redirect driver Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr\Parameters Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr\Parameters@MSIgnoreLSPDefault Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr\Parameters@WSIgnoreLSPDefault nl_lsp.dll,imon.dll,xfire_lsp.dll,mslsp.dll,mssplsp.dll,cwhook.dll,spi.dll,bmnet.dll,winsflt.dll Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt@Type 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt@Start 0 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt@DisplayName avast! Revert Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt@Description avast! 
Revert Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt\Parameters Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt\Parameters@BootCounter 7 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt\Parameters@SystemRoot \Device\Harddisk0\Partition2\Windows Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt\Parameters@TickCounter 48950 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt\Parameters@ImproperShutdown 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt\Parameters\1383310383 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt\Parameters\1383310383@ Commited Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt\Parameters\1383310383@BootTimeout 0 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt\Parameters\1383310383@TickTimeout 0 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt\Parameters\1383310383@CreationTime 0x7D 0x27 0x8C 0x4D ... Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt\Parameters\1383310383@SetupOperations MoveFile("\??\c:\program files\avast software\avast\ashwebsv.dll.1383310383","\??\c:\program files\avast software\avast\ashwebsv.dll",TRUE)?MoveFile("\??\c:\program files\avast software\avast\ashwebsv.dll.sum.1383310383","\??\c:\program files\avast software\avast\ashwebsv.dll.sum",TRUE)?MoveFile("\??\c:\program files\avast software\avast\avastui.exe.1383310383","\??\c:\program files\avast software\avast\avastui.exe",TRUE)?MoveFile("\??\c:\program files\avast software\avast\avastui.exe.sum.1383310383","\??\c:\program files\avast software\avast\avastui.exe.sum",TRUE)? 
Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt\Parameters\1383310383@StartBootCounter 2 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt\Parameters\1383310383@StartTickCounter 0 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@Type 2 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@Start 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@DisplayName aswSnx Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@Group FSFilter Virtualization Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@DependOnService FltMgr? Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@Description avast! virtualization driver (aswSnx) Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@Tag 2 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@ImagePath \??\C:\Windows\system32\drivers\aswSnx.sys Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Instances Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Instances@DefaultInstance aswSnx Instance Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Instances\aswSnx Instance Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Instances\aswSnx Instance@Altitude 137600 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Instances\aswSnx Instance@Flags 0 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Parameters Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Parameters@ProgramFolder \??\C:\Program Files\AVAST Software\Avast Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Parameters@DataFolder \??\C:\ProgramData\AVAST Software\Avast Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP@Type 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP@Start 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP@DisplayName aswSP Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP@Description avast! 
Self Protection Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP@ImagePath \??\C:\Windows\system32\drivers\aswSP.sys Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP\Parameters Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP\Parameters@BehavShield 0 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP\Parameters@ProgramFolder \??\C:\Program Files\AVAST Software\Avast Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP\Parameters@DataFolder \??\C:\ProgramData\AVAST Software\Avast Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP\Parameters@ProgramFilesFolder \??\C:\Program Files Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP\Parameters@GadgetFolder \??\C:\Program Files\Windows Sidebar\Shared Gadgets\aswSidebar.gadget Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP\Parameters@NoWelcomeScreen 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@Type 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@Start 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@DisplayName aswTdi Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@Group PNP_TDI Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@DependOnService tcpip? Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@Description aswTdi Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@Tag 9 Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@ImagePath \??\C:\Windows\system32\drivers\aswTdi.sys Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm@Type 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm@Start 0 Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm@DisplayName avast! VM Monitor Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm@Description avast! 
VM Monitor Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm\Parameters Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@Type 288 Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@Start 2 Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@ImagePath "C:\Program Files\AVAST Software\Avast\AvastSvc.exe" Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@DisplayName avast! Antivirus Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@Group ShellSvcGroup Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@DependOnService aswMonFlt?RpcSS? Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@WOW64 1 Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@ObjectName LocalSystem Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@ServiceSidType 1 Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@Description Instaluje i zarządza usługami antywirusowymi programu avast! na tym komputerze, co obejmuje osłony działające w czasie rzeczywistym, kwarantannę oraz harmonogram zadań. Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus\Parameters Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@Type 2 Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@Start 2 Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@DisplayName aswFsBlk Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@Group FSFilter Activity Monitor Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@DependOnService FltMgr? Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@Description Avast! 
Mini-filter Driver Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@Tag 2 Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@ImagePath \??\C:\Windows\system32\drivers\aswFsBlk.sys Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk\Instances (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk\Instances@DefaultInstance aswFsBlk Instance Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk\Instances\aswFsBlk Instance (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk\Instances\aswFsBlk Instance@Altitude 388400 Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk\Instances\aswFsBlk Instance@Flags 0 Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt@Type 2 Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt@Start 2 Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt@ImagePath \??\C:\Windows\system32\drivers\aswMonFlt.sys Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt@DisplayName aswMonFlt Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt@Group FSFilter Anti-Virus Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt@DependOnService FltMgr? Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt@Description avast! 
mini-filter driver (aswMonFlt) Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt\Instances (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt\Instances@DefaultInstance aswMonFlt Instance Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt\Instances\aswMonFlt Instance (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt\Instances\aswMonFlt Instance@Altitude 320700 Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt\Instances\aswMonFlt Instance@Flags 0 Reg HKLM\SYSTEM\ControlSet002\services\aswRdr@ImagePath \??\C:\Windows\system32\drivers\aswRdr2.sys Reg HKLM\SYSTEM\ControlSet002\services\aswRdr@Type 1 Reg HKLM\SYSTEM\ControlSet002\services\aswRdr@Start 1 Reg HKLM\SYSTEM\ControlSet002\services\aswRdr@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\aswRdr@DisplayName aswRdr Reg HKLM\SYSTEM\ControlSet002\services\aswRdr@Group PNP_TDI Reg HKLM\SYSTEM\ControlSet002\services\aswRdr@DependOnService tcpip? Reg HKLM\SYSTEM\ControlSet002\services\aswRdr@Description avast! WFP Redirect driver Reg HKLM\SYSTEM\ControlSet002\services\aswRdr\Parameters (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswRdr\Parameters@MSIgnoreLSPDefault Reg HKLM\SYSTEM\ControlSet002\services\aswRdr\Parameters@WSIgnoreLSPDefault nl_lsp.dll,imon.dll,xfire_lsp.dll,mslsp.dll,mssplsp.dll,cwhook.dll,spi.dll,bmnet.dll,winsflt.dll Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt@Type 1 Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt@Start 0 Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt@DisplayName avast! Revert Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt@Description avast! 
Revert Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt\Parameters (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt\Parameters@BootCounter 7 Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt\Parameters@SystemRoot \Device\Harddisk0\Partition2\Windows Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt\Parameters@TickCounter 48950 Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt\Parameters@ImproperShutdown 1 Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt\Parameters\1383310383 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt\Parameters\1383310383@ Commited Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt\Parameters\1383310383@BootTimeout 0 Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt\Parameters\1383310383@TickTimeout 0 Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt\Parameters\1383310383@CreationTime 0x7D 0x27 0x8C 0x4D ... Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt\Parameters\1383310383@SetupOperations MoveFile("\??\c:\program files\avast software\avast\ashwebsv.dll.1383310383","\??\c:\program files\avast software\avast\ashwebsv.dll",TRUE)?MoveFile("\??\c:\program files\avast software\avast\ashwebsv.dll.sum.1383310383","\??\c:\program files\avast software\avast\ashwebsv.dll.sum",TRUE)?MoveFile("\??\c:\program files\avast software\avast\avastui.exe.1383310383","\??\c:\program files\avast software\avast\avastui.exe",TRUE)?MoveFile("\??\c:\program files\avast software\avast\avastui.exe.sum.1383310383","\??\c:\program files\avast software\avast\avastui.exe.sum",TRUE)? 
Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt\Parameters\1383310383@StartBootCounter 2 Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt\Parameters\1383310383@StartTickCounter 0 Reg HKLM\SYSTEM\ControlSet002\services\aswSnx@Type 2 Reg HKLM\SYSTEM\ControlSet002\services\aswSnx@Start 1 Reg HKLM\SYSTEM\ControlSet002\services\aswSnx@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\aswSnx@DisplayName aswSnx Reg HKLM\SYSTEM\ControlSet002\services\aswSnx@Group FSFilter Virtualization Reg HKLM\SYSTEM\ControlSet002\services\aswSnx@DependOnService FltMgr? Reg HKLM\SYSTEM\ControlSet002\services\aswSnx@Description avast! virtualization driver (aswSnx) Reg HKLM\SYSTEM\ControlSet002\services\aswSnx@Tag 2 Reg HKLM\SYSTEM\ControlSet002\services\aswSnx@ImagePath \??\C:\Windows\system32\drivers\aswSnx.sys Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Instances (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Instances@DefaultInstance aswSnx Instance Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Instances\aswSnx Instance (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Instances\aswSnx Instance@Altitude 137600 Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Instances\aswSnx Instance@Flags 0 Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Parameters (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Parameters@ProgramFolder \??\C:\Program Files\AVAST Software\Avast Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Parameters@DataFolder \??\C:\ProgramData\AVAST Software\Avast Reg HKLM\SYSTEM\ControlSet002\services\aswSP@Type 1 Reg HKLM\SYSTEM\ControlSet002\services\aswSP@Start 1 Reg HKLM\SYSTEM\ControlSet002\services\aswSP@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\aswSP@DisplayName aswSP Reg HKLM\SYSTEM\ControlSet002\services\aswSP@Description avast! 
Self Protection Reg HKLM\SYSTEM\ControlSet002\services\aswSP@ImagePath \??\C:\Windows\system32\drivers\aswSP.sys Reg HKLM\SYSTEM\ControlSet002\services\aswSP\Parameters (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswSP\Parameters@BehavShield 0 Reg HKLM\SYSTEM\ControlSet002\services\aswSP\Parameters@ProgramFolder \??\C:\Program Files\AVAST Software\Avast Reg HKLM\SYSTEM\ControlSet002\services\aswSP\Parameters@DataFolder \??\C:\ProgramData\AVAST Software\Avast Reg HKLM\SYSTEM\ControlSet002\services\aswSP\Parameters@ProgramFilesFolder \??\C:\Program Files Reg HKLM\SYSTEM\ControlSet002\services\aswSP\Parameters@GadgetFolder \??\C:\Program Files\Windows Sidebar\Shared Gadgets\aswSidebar.gadget Reg HKLM\SYSTEM\ControlSet002\services\aswSP\Parameters@NoWelcomeScreen 1 Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@Type 1 Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@Start 1 Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@DisplayName aswTdi Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@Group PNP_TDI Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@DependOnService tcpip? Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@Description aswTdi Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@Tag 9 Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@ImagePath \??\C:\Windows\system32\drivers\aswTdi.sys Reg HKLM\SYSTEM\ControlSet002\services\aswVmm@Type 1 Reg HKLM\SYSTEM\ControlSet002\services\aswVmm@Start 0 Reg HKLM\SYSTEM\ControlSet002\services\aswVmm@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\aswVmm@DisplayName avast! VM Monitor Reg HKLM\SYSTEM\ControlSet002\services\aswVmm@Description avast! VM Monitor Reg HKLM\SYSTEM\ControlSet002\services\aswVmm\Parameters (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@Type 288 Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@Start 2 Reg HKLM\SYSTEM\ControlSet002\services\avast! 
Antivirus@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@ImagePath "C:\Program Files\AVAST Software\Avast\AvastSvc.exe" Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@DisplayName avast! Antivirus Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@Group ShellSvcGroup Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@DependOnService aswMonFlt?RpcSS? Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@WOW64 1 Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@ObjectName LocalSystem Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@ServiceSidType 1 Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@Description Instaluje i zarządza usługami antywirusowymi programu avast! na tym komputerze, co obejmuje osłony działające w czasie rzeczywistym, kwarantannę oraz harmonogram zadań. Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus\Parameters (not active ControlSet) ---- Disk sectors - GMER 2.1 ---- Disk \Device\Harddisk0\DR0 unknown MBR code ---- EOF - GMER 2.1 ----