GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2014-03-04 03:33:26 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\00000065 ST350041 rev.JC4B 465,76GB Running: worozy3z.exe; Driver: C:\Users\ja\AppData\Local\Temp\uglcyaoc.sys ---- User code sections - GMER 2.1 ---- .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000777a13c0 5 bytes JMP 0000000149be0460 .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000777a1410 5 bytes JMP 0000000149be0450 .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000777a1570 5 bytes JMP 0000000149be0370 .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000777a15c0 5 bytes JMP 0000000149be0470 .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000777a15d0 5 bytes JMP 0000000149be03e0 .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000777a1680 5 bytes JMP 0000000149be0320 .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000777a16b0 5 bytes JMP 0000000149be03b0 .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000777a16d0 5 bytes JMP 0000000149be0390 .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000777a1710 5 bytes JMP 0000000149be02e0 .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000777a1790 5 bytes JMP 0000000149be02d0 .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000777a17b0 5 bytes JMP 0000000149be0310 .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000777a17f0 5 bytes JMP 0000000149be03c0 .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 
00000000777a1840 5 bytes JMP 0000000149be03f0 .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000777a19a0 1 byte JMP 0000000149be0230 .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000777a19a2 3 bytes {JMP 0xffffffffd243e890} .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000777a1b60 5 bytes JMP 0000000149be0480 .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000777a1b90 5 bytes JMP 0000000149be03a0 .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000777a1c70 5 bytes JMP 0000000149be02f0 .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000777a1c80 5 bytes JMP 0000000149be0350 .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000777a1ce0 5 bytes JMP 0000000149be0290 .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000777a1d70 5 bytes JMP 0000000149be02b0 .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000777a1d90 5 bytes JMP 0000000149be03d0 .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000777a1da0 1 byte JMP 0000000149be0330 .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00000000777a1da2 3 bytes {JMP 0xffffffffd243e590} .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000777a1e10 5 bytes JMP 0000000149be0410 .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000777a1e40 5 bytes JMP 0000000149be0240 .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000777a2100 5 bytes JMP 0000000149be01e0 .text C:\Windows\system32\csrss.exe[464] 
C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000777a21c0 1 byte JMP 0000000149be0250 .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000777a21c2 3 bytes {JMP 0xffffffffd243e090} .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000777a21f0 5 bytes JMP 0000000149be0490 .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000777a2200 5 bytes JMP 0000000149be04a0 .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000777a2230 5 bytes JMP 0000000149be0300 .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000777a2240 5 bytes JMP 0000000149be0360 .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000777a22a0 5 bytes JMP 0000000149be02a0 .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000777a22f0 5 bytes JMP 0000000149be02c0 .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000777a2320 5 bytes JMP 0000000149be0380 .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000777a2330 5 bytes JMP 0000000149be0340 .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000777a2620 5 bytes JMP 0000000149be0440 .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000777a2820 5 bytes JMP 0000000149be0260 .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000777a2830 5 bytes JMP 0000000149be0270 .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000777a2840 5 bytes JMP 0000000149be0400 .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000777a2a00 5 bytes JMP 0000000149be01f0 .text 
C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000777a2a10 5 bytes JMP 0000000149be0210 .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000777a2a80 5 bytes JMP 0000000149be0200 .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000777a2ae0 5 bytes JMP 0000000149be0420 .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000777a2af0 5 bytes JMP 0000000149be0430 .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000777a2b00 5 bytes JMP 0000000149be0220 .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000777a2be0 5 bytes JMP 0000000149be0280 .text C:\Windows\system32\wininit.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000777a13c0 5 bytes JMP 0000000077900460 .text C:\Windows\system32\wininit.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000777a1410 5 bytes JMP 0000000077900450 .text C:\Windows\system32\wininit.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000777a1570 5 bytes JMP 0000000077900370 .text C:\Windows\system32\wininit.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000777a15c0 5 bytes JMP 0000000077900470 .text C:\Windows\system32\wininit.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000777a15d0 5 bytes JMP 00000000779003e0 .text C:\Windows\system32\wininit.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000777a1680 5 bytes JMP 0000000077900320 .text C:\Windows\system32\wininit.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000777a16b0 5 bytes JMP 00000000779003b0 .text C:\Windows\system32\wininit.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000777a16d0 5 bytes JMP 0000000077900390 .text C:\Windows\system32\wininit.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 
00000000777a1710 5 bytes JMP 00000000779002e0 .text C:\Windows\system32\wininit.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000777a1790 5 bytes JMP 00000000779002d0 .text C:\Windows\system32\wininit.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000777a17b0 5 bytes JMP 0000000077900310 .text C:\Windows\system32\wininit.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000777a17f0 5 bytes JMP 00000000779003c0 .text C:\Windows\system32\wininit.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000777a1840 5 bytes JMP 00000000779003f0 .text C:\Windows\system32\wininit.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000777a19a0 1 byte JMP 0000000077900230 .text C:\Windows\system32\wininit.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000777a19a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\wininit.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000777a1b60 5 bytes JMP 0000000077900480 .text C:\Windows\system32\wininit.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000777a1b90 5 bytes JMP 00000000779003a0 .text C:\Windows\system32\wininit.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000777a1c70 5 bytes JMP 00000000779002f0 .text C:\Windows\system32\wininit.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000777a1c80 5 bytes JMP 0000000077900350 .text C:\Windows\system32\wininit.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000777a1ce0 5 bytes JMP 0000000077900290 .text C:\Windows\system32\wininit.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000777a1d70 5 bytes JMP 00000000779002b0 .text C:\Windows\system32\wininit.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000777a1d90 5 bytes JMP 00000000779003d0 .text C:\Windows\system32\wininit.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000777a1da0 1 byte JMP 0000000077900330 .text C:\Windows\system32\wininit.exe[520] 
C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00000000777a1da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\wininit.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000777a1e10 5 bytes JMP 0000000077900410 .text C:\Windows\system32\wininit.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000777a1e40 5 bytes JMP 0000000077900240 .text C:\Windows\system32\wininit.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000777a2100 5 bytes JMP 00000000779001e0 .text C:\Windows\system32\wininit.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000777a21c0 1 byte JMP 0000000077900250 .text C:\Windows\system32\wininit.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000777a21c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\wininit.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000777a21f0 5 bytes JMP 0000000077900490 .text C:\Windows\system32\wininit.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000777a2200 5 bytes JMP 00000000779004a0 .text C:\Windows\system32\wininit.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000777a2230 5 bytes JMP 0000000077900300 .text C:\Windows\system32\wininit.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000777a2240 5 bytes JMP 0000000077900360 .text C:\Windows\system32\wininit.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000777a22a0 5 bytes JMP 00000000779002a0 .text C:\Windows\system32\wininit.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000777a22f0 5 bytes JMP 00000000779002c0 .text C:\Windows\system32\wininit.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000777a2320 5 bytes JMP 0000000077900380 .text C:\Windows\system32\wininit.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000777a2330 5 bytes JMP 0000000077900340 .text C:\Windows\system32\wininit.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000777a2620 5 bytes JMP 0000000077900440 .text 
C:\Windows\system32\wininit.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000777a2820 5 bytes JMP 0000000077900260 .text C:\Windows\system32\wininit.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000777a2830 5 bytes JMP 0000000077900270 .text C:\Windows\system32\wininit.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000777a2840 5 bytes JMP 0000000077900400 .text C:\Windows\system32\wininit.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000777a2a00 5 bytes JMP 00000000779001f0 .text C:\Windows\system32\wininit.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000777a2a10 5 bytes JMP 0000000077900210 .text C:\Windows\system32\wininit.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000777a2a80 5 bytes JMP 0000000077900200 .text C:\Windows\system32\wininit.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000777a2ae0 5 bytes JMP 0000000077900420 .text C:\Windows\system32\wininit.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000777a2af0 5 bytes JMP 0000000077900430 .text C:\Windows\system32\wininit.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000777a2b00 5 bytes JMP 0000000077900220 .text C:\Windows\system32\wininit.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000777a2be0 5 bytes JMP 0000000077900280 .text C:\Windows\system32\wininit.exe[520] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007768ee7d 1 byte [62] .text C:\Windows\system32\csrss.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000777a13c0 5 bytes JMP 0000000149be0460 .text C:\Windows\system32\csrss.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000777a1410 5 bytes JMP 0000000149be0450 .text C:\Windows\system32\csrss.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000777a1570 5 bytes JMP 0000000149be0370 .text C:\Windows\system32\csrss.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 
00000000777a15c0 5 bytes JMP 0000000149be0470 .text C:\Windows\system32\csrss.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000777a15d0 5 bytes JMP 0000000149be03e0 .text C:\Windows\system32\csrss.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000777a1680 5 bytes JMP 0000000149be0320 .text C:\Windows\system32\csrss.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000777a16b0 5 bytes JMP 0000000149be03b0 .text C:\Windows\system32\csrss.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000777a16d0 5 bytes JMP 0000000149be0390 .text C:\Windows\system32\csrss.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000777a1710 5 bytes JMP 0000000149be02e0 .text C:\Windows\system32\csrss.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000777a1790 5 bytes JMP 0000000149be02d0 .text C:\Windows\system32\csrss.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000777a17b0 5 bytes JMP 0000000149be0310 .text C:\Windows\system32\csrss.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000777a17f0 5 bytes JMP 0000000149be03c0 .text C:\Windows\system32\csrss.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000777a1840 5 bytes JMP 0000000149be03f0 .text C:\Windows\system32\csrss.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000777a19a0 1 byte JMP 0000000149be0230 .text C:\Windows\system32\csrss.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000777a19a2 3 bytes {JMP 0xffffffffd243e890} .text C:\Windows\system32\csrss.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000777a1b60 5 bytes JMP 0000000149be0480 .text C:\Windows\system32\csrss.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000777a1b90 5 bytes JMP 0000000149be03a0 .text C:\Windows\system32\csrss.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000777a1c70 5 bytes JMP 0000000149be02f0 .text C:\Windows\system32\csrss.exe[556] 
C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000777a1c80 5 bytes JMP 0000000149be0350 .text C:\Windows\system32\csrss.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000777a1ce0 5 bytes JMP 0000000149be0290 .text C:\Windows\system32\csrss.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000777a1d70 5 bytes JMP 0000000149be02b0 .text C:\Windows\system32\csrss.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000777a1d90 5 bytes JMP 0000000149be03d0 .text C:\Windows\system32\csrss.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000777a1da0 1 byte JMP 0000000149be0330 .text C:\Windows\system32\csrss.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00000000777a1da2 3 bytes {JMP 0xffffffffd243e590} .text C:\Windows\system32\csrss.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000777a1e10 5 bytes JMP 0000000149be0410 .text C:\Windows\system32\csrss.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000777a1e40 5 bytes JMP 0000000149be0240 .text C:\Windows\system32\csrss.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000777a2100 5 bytes JMP 0000000149be01e0 .text C:\Windows\system32\csrss.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000777a21c0 1 byte JMP 0000000149be0250 .text C:\Windows\system32\csrss.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000777a21c2 3 bytes {JMP 0xffffffffd243e090} .text C:\Windows\system32\csrss.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000777a21f0 5 bytes JMP 0000000149be0490 .text C:\Windows\system32\csrss.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000777a2200 5 bytes JMP 0000000149be04a0 .text C:\Windows\system32\csrss.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000777a2230 5 bytes JMP 0000000149be0300 .text C:\Windows\system32\csrss.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000777a2240 5 bytes JMP 0000000149be0360 
.text C:\Windows\system32\csrss.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000777a22a0 5 bytes JMP 0000000149be02a0 .text C:\Windows\system32\csrss.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000777a22f0 5 bytes JMP 0000000149be02c0 .text C:\Windows\system32\csrss.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000777a2320 5 bytes JMP 0000000149be0380 .text C:\Windows\system32\csrss.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000777a2330 5 bytes JMP 0000000149be0340 .text C:\Windows\system32\csrss.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000777a2620 5 bytes JMP 0000000149be0440 .text C:\Windows\system32\csrss.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000777a2820 5 bytes JMP 0000000149be0260 .text C:\Windows\system32\csrss.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000777a2830 5 bytes JMP 0000000149be0270 .text C:\Windows\system32\csrss.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000777a2840 5 bytes JMP 0000000149be0400 .text C:\Windows\system32\csrss.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000777a2a00 5 bytes JMP 0000000149be01f0 .text C:\Windows\system32\csrss.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000777a2a10 5 bytes JMP 0000000149be0210 .text C:\Windows\system32\csrss.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000777a2a80 5 bytes JMP 0000000149be0200 .text C:\Windows\system32\csrss.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000777a2ae0 5 bytes JMP 0000000149be0420 .text C:\Windows\system32\csrss.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000777a2af0 5 bytes JMP 0000000149be0430 .text C:\Windows\system32\csrss.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000777a2b00 5 bytes JMP 0000000149be0220 .text C:\Windows\system32\csrss.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000777a2be0 5 bytes JMP 
0000000149be0280 .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000777a13c0 5 bytes JMP 0000000077900460 .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000777a1410 5 bytes JMP 0000000077900450 .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000777a1570 5 bytes JMP 0000000077900370 .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000777a15c0 5 bytes JMP 0000000077900470 .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000777a15d0 5 bytes JMP 00000000779003e0 .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000777a1680 5 bytes JMP 0000000077900320 .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000777a16b0 5 bytes JMP 00000000779003b0 .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000777a16d0 5 bytes JMP 0000000077900390 .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000777a1710 5 bytes JMP 00000000779002e0 .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000777a1790 5 bytes JMP 00000000779002d0 .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000777a17b0 5 bytes JMP 0000000077900310 .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000777a17f0 5 bytes JMP 00000000779003c0 .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000777a1840 5 bytes JMP 00000000779003f0 .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000777a19a0 1 byte JMP 0000000077900230 .text C:\Windows\system32\services.exe[588] 
C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000777a19a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000777a1b60 5 bytes JMP 0000000077900480 .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000777a1b90 5 bytes JMP 00000000779003a0 .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000777a1c70 5 bytes JMP 00000000779002f0 .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000777a1c80 5 bytes JMP 0000000077900350 .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000777a1ce0 5 bytes JMP 0000000077900290 .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000777a1d70 5 bytes JMP 00000000779002b0 .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000777a1d90 5 bytes JMP 00000000779003d0 .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000777a1da0 1 byte JMP 0000000077900330 .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00000000777a1da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000777a1e10 5 bytes JMP 0000000077900410 .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000777a1e40 5 bytes JMP 0000000077900240 .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000777a2100 5 bytes JMP 00000000779001e0 .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000777a21c0 1 byte JMP 0000000077900250 .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000777a21c2 3 
bytes {JMP 0x15e090} .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000777a21f0 5 bytes JMP 0000000077900490 .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000777a2200 5 bytes JMP 00000000779004a0 .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000777a2230 5 bytes JMP 0000000077900300 .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000777a2240 5 bytes JMP 0000000077900360 .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000777a22a0 5 bytes JMP 00000000779002a0 .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000777a22f0 5 bytes JMP 00000000779002c0 .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000777a2320 5 bytes JMP 0000000077900380 .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000777a2330 5 bytes JMP 0000000077900340 .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000777a2620 5 bytes JMP 0000000077900440 .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000777a2820 5 bytes JMP 0000000077900260 .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000777a2830 5 bytes JMP 0000000077900270 .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000777a2840 5 bytes JMP 0000000077900400 .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000777a2a00 5 bytes JMP 00000000779001f0 .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000777a2a10 5 bytes JMP 0000000077900210 .text C:\Windows\system32\services.exe[588] 
C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000777a2a80 5 bytes JMP 0000000077900200 .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000777a2ae0 5 bytes JMP 0000000077900420 .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000777a2af0 5 bytes JMP 0000000077900430 .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000777a2b00 5 bytes JMP 0000000077900220 .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000777a2be0 5 bytes JMP 0000000077900280 .text C:\Windows\system32\services.exe[588] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007768ee7d 1 byte [62] .text C:\Windows\system32\winlogon.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000777a13c0 5 bytes JMP 0000000077900460 .text C:\Windows\system32\winlogon.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000777a1410 5 bytes JMP 0000000077900450 .text C:\Windows\system32\winlogon.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000777a1570 5 bytes JMP 0000000077900370 .text C:\Windows\system32\winlogon.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000777a15c0 5 bytes JMP 0000000077900470 .text C:\Windows\system32\winlogon.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000777a15d0 5 bytes JMP 00000000779003e0 .text C:\Windows\system32\winlogon.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000777a1680 5 bytes JMP 0000000077900320 .text C:\Windows\system32\winlogon.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000777a16b0 5 bytes JMP 00000000779003b0 .text C:\Windows\system32\winlogon.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000777a16d0 5 bytes JMP 0000000077900390 .text C:\Windows\system32\winlogon.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000777a1710 5 bytes JMP 
00000000779002e0 .text C:\Windows\system32\winlogon.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000777a1790 5 bytes JMP 00000000779002d0 .text C:\Windows\system32\winlogon.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000777a17b0 5 bytes JMP 0000000077900310 .text C:\Windows\system32\winlogon.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000777a17f0 5 bytes JMP 00000000779003c0 .text C:\Windows\system32\winlogon.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000777a1840 5 bytes JMP 00000000779003f0 .text C:\Windows\system32\winlogon.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000777a19a0 1 byte JMP 0000000077900230 .text C:\Windows\system32\winlogon.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000777a19a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\winlogon.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000777a1b60 5 bytes JMP 0000000077900480 .text C:\Windows\system32\winlogon.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000777a1b90 5 bytes JMP 00000000779003a0 .text C:\Windows\system32\winlogon.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000777a1c70 5 bytes JMP 00000000779002f0 .text C:\Windows\system32\winlogon.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000777a1c80 5 bytes JMP 0000000077900350 .text C:\Windows\system32\winlogon.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000777a1ce0 5 bytes JMP 0000000077900290 .text C:\Windows\system32\winlogon.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000777a1d70 5 bytes JMP 00000000779002b0 .text C:\Windows\system32\winlogon.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000777a1d90 5 bytes JMP 00000000779003d0 .text C:\Windows\system32\winlogon.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000777a1da0 1 byte JMP 0000000077900330 .text C:\Windows\system32\winlogon.exe[612] 
C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00000000777a1da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\winlogon.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000777a1e10 5 bytes JMP 0000000077900410 .text C:\Windows\system32\winlogon.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000777a1e40 5 bytes JMP 0000000077900240 .text C:\Windows\system32\winlogon.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000777a2100 5 bytes JMP 00000000779001e0 .text C:\Windows\system32\winlogon.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000777a21c0 1 byte JMP 0000000077900250 .text C:\Windows\system32\winlogon.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000777a21c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\winlogon.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000777a21f0 5 bytes JMP 0000000077900490 .text C:\Windows\system32\winlogon.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000777a2200 5 bytes JMP 00000000779004a0 .text C:\Windows\system32\winlogon.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000777a2230 5 bytes JMP 0000000077900300 .text C:\Windows\system32\winlogon.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000777a2240 5 bytes JMP 0000000077900360 .text C:\Windows\system32\winlogon.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000777a22a0 5 bytes JMP 00000000779002a0 .text C:\Windows\system32\winlogon.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000777a22f0 5 bytes JMP 00000000779002c0 .text C:\Windows\system32\winlogon.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000777a2320 5 bytes JMP 0000000077900380 .text C:\Windows\system32\winlogon.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000777a2330 5 bytes JMP 0000000077900340 .text C:\Windows\system32\winlogon.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000777a2620 5 bytes JMP 
0000000077900440 .text C:\Windows\system32\winlogon.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000777a2820 5 bytes JMP 0000000077900260 .text C:\Windows\system32\winlogon.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000777a2830 5 bytes JMP 0000000077900270 .text C:\Windows\system32\winlogon.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000777a2840 5 bytes JMP 0000000077900400 .text C:\Windows\system32\winlogon.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000777a2a00 5 bytes JMP 00000000779001f0 .text C:\Windows\system32\winlogon.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000777a2a10 5 bytes JMP 0000000077900210 .text C:\Windows\system32\winlogon.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000777a2a80 5 bytes JMP 0000000077900200 .text C:\Windows\system32\winlogon.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000777a2ae0 5 bytes JMP 0000000077900420 .text C:\Windows\system32\winlogon.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000777a2af0 5 bytes JMP 0000000077900430 .text C:\Windows\system32\winlogon.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000777a2b00 5 bytes JMP 0000000077900220 .text C:\Windows\system32\winlogon.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000777a2be0 5 bytes JMP 0000000077900280 .text C:\Windows\system32\winlogon.exe[612] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007768ee7d 1 byte [62] .text C:\Windows\system32\lsass.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000777a13c0 5 bytes JMP 0000000077900460 .text C:\Windows\system32\lsass.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000777a1410 5 bytes JMP 0000000077900450 .text C:\Windows\system32\lsass.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000777a1570 5 bytes JMP 0000000077900370 .text C:\Windows\system32\lsass.exe[648] 
C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000777a15c0 5 bytes JMP 0000000077900470 .text C:\Windows\system32\lsass.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000777a15d0 5 bytes JMP 00000000779003e0 .text C:\Windows\system32\lsass.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000777a1680 5 bytes JMP 0000000077900320 .text C:\Windows\system32\lsass.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000777a16b0 5 bytes JMP 00000000779003b0 .text C:\Windows\system32\lsass.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000777a16d0 5 bytes JMP 0000000077900390 .text C:\Windows\system32\lsass.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000777a1710 5 bytes JMP 00000000779002e0 .text C:\Windows\system32\lsass.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000777a1790 5 bytes JMP 00000000779002d0 .text C:\Windows\system32\lsass.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000777a17b0 5 bytes JMP 0000000077900310 .text C:\Windows\system32\lsass.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000777a17f0 5 bytes JMP 00000000779003c0 .text C:\Windows\system32\lsass.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000777a1840 5 bytes JMP 00000000779003f0 .text C:\Windows\system32\lsass.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000777a19a0 1 byte JMP 0000000077900230 .text C:\Windows\system32\lsass.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000777a19a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\lsass.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000777a1b60 5 bytes JMP 0000000077900480 .text C:\Windows\system32\lsass.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000777a1b90 5 bytes JMP 00000000779003a0 .text C:\Windows\system32\lsass.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000777a1c70 5 bytes JMP 00000000779002f0 .text 
C:\Windows\system32\lsass.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000777a1c80 5 bytes JMP 0000000077900350 .text C:\Windows\system32\lsass.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000777a1ce0 5 bytes JMP 0000000077900290 .text C:\Windows\system32\lsass.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000777a1d70 5 bytes JMP 00000000779002b0 .text C:\Windows\system32\lsass.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000777a1d90 5 bytes JMP 00000000779003d0 .text C:\Windows\system32\lsass.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000777a1da0 1 byte JMP 0000000077900330 .text C:\Windows\system32\lsass.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00000000777a1da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\lsass.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000777a1e10 5 bytes JMP 0000000077900410 .text C:\Windows\system32\lsass.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000777a1e40 5 bytes JMP 0000000077900240 .text C:\Windows\system32\lsass.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000777a2100 5 bytes JMP 00000000779001e0 .text C:\Windows\system32\lsass.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000777a21c0 1 byte JMP 0000000077900250 .text C:\Windows\system32\lsass.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000777a21c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\lsass.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000777a21f0 5 bytes JMP 0000000077900490 .text C:\Windows\system32\lsass.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000777a2200 5 bytes JMP 00000000779004a0 .text C:\Windows\system32\lsass.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000777a2230 5 bytes JMP 0000000077900300 .text C:\Windows\system32\lsass.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000777a2240 5 bytes JMP 
0000000077900360 .text C:\Windows\system32\lsass.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000777a22a0 5 bytes JMP 00000000779002a0 .text C:\Windows\system32\lsass.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000777a22f0 5 bytes JMP 00000000779002c0 .text C:\Windows\system32\lsass.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000777a2320 5 bytes JMP 0000000077900380 .text C:\Windows\system32\lsass.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000777a2330 5 bytes JMP 0000000077900340 .text C:\Windows\system32\lsass.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000777a2620 5 bytes JMP 0000000077900440 .text C:\Windows\system32\lsass.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000777a2820 5 bytes JMP 0000000077900260 .text C:\Windows\system32\lsass.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000777a2830 5 bytes JMP 0000000077900270 .text C:\Windows\system32\lsass.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000777a2840 5 bytes JMP 0000000077900400 .text C:\Windows\system32\lsass.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000777a2a00 5 bytes JMP 00000000779001f0 .text C:\Windows\system32\lsass.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000777a2a10 5 bytes JMP 0000000077900210 .text C:\Windows\system32\lsass.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000777a2a80 5 bytes JMP 0000000077900200 .text C:\Windows\system32\lsass.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000777a2ae0 5 bytes JMP 0000000077900420 .text C:\Windows\system32\lsass.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000777a2af0 5 bytes JMP 0000000077900430 .text C:\Windows\system32\lsass.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000777a2b00 5 bytes JMP 0000000077900220 .text C:\Windows\system32\lsass.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 
00000000777a2be0 5 bytes JMP 0000000077900280 .text C:\Windows\system32\lsm.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000777a13c0 5 bytes JMP 0000000077900460 .text C:\Windows\system32\lsm.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000777a1410 5 bytes JMP 0000000077900450 .text C:\Windows\system32\lsm.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000777a1570 5 bytes JMP 0000000077900370 .text C:\Windows\system32\lsm.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000777a15c0 5 bytes JMP 0000000077900470 .text C:\Windows\system32\lsm.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000777a15d0 5 bytes JMP 00000000779003e0 .text C:\Windows\system32\lsm.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000777a1680 5 bytes JMP 0000000077900320 .text C:\Windows\system32\lsm.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000777a16b0 5 bytes JMP 00000000779003b0 .text C:\Windows\system32\lsm.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000777a16d0 5 bytes JMP 0000000077900390 .text C:\Windows\system32\lsm.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000777a1710 5 bytes JMP 00000000779002e0 .text C:\Windows\system32\lsm.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000777a1790 5 bytes JMP 00000000779002d0 .text C:\Windows\system32\lsm.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000777a17b0 5 bytes JMP 0000000077900310 .text C:\Windows\system32\lsm.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000777a17f0 5 bytes JMP 00000000779003c0 .text C:\Windows\system32\lsm.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000777a1840 5 bytes JMP 00000000779003f0 .text C:\Windows\system32\lsm.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000777a19a0 1 byte JMP 0000000077900230 .text C:\Windows\system32\lsm.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000777a19a2 3 
bytes {JMP 0x15e890} .text C:\Windows\system32\lsm.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000777a1b60 5 bytes JMP 0000000077900480 .text C:\Windows\system32\lsm.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000777a1b90 5 bytes JMP 00000000779003a0 .text C:\Windows\system32\lsm.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000777a1c70 5 bytes JMP 00000000779002f0 .text C:\Windows\system32\lsm.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000777a1c80 5 bytes JMP 0000000077900350 .text C:\Windows\system32\lsm.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000777a1ce0 5 bytes JMP 0000000077900290 .text C:\Windows\system32\lsm.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000777a1d70 5 bytes JMP 00000000779002b0 .text C:\Windows\system32\lsm.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000777a1d90 5 bytes JMP 00000000779003d0 .text C:\Windows\system32\lsm.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000777a1da0 1 byte JMP 0000000077900330 .text C:\Windows\system32\lsm.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00000000777a1da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\lsm.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000777a1e10 5 bytes JMP 0000000077900410 .text C:\Windows\system32\lsm.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000777a1e40 5 bytes JMP 0000000077900240 .text C:\Windows\system32\lsm.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000777a2100 5 bytes JMP 00000000779001e0 .text C:\Windows\system32\lsm.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000777a21c0 1 byte JMP 0000000077900250 .text C:\Windows\system32\lsm.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000777a21c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\lsm.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000777a21f0 5 bytes JMP 
0000000077900490 .text C:\Windows\system32\lsm.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000777a2200 5 bytes JMP 00000000779004a0 .text C:\Windows\system32\lsm.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000777a2230 5 bytes JMP 0000000077900300 .text C:\Windows\system32\lsm.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000777a2240 5 bytes JMP 0000000077900360 .text C:\Windows\system32\lsm.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000777a22a0 5 bytes JMP 00000000779002a0 .text C:\Windows\system32\lsm.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000777a22f0 5 bytes JMP 00000000779002c0 .text C:\Windows\system32\lsm.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000777a2320 5 bytes JMP 0000000077900380 .text C:\Windows\system32\lsm.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000777a2330 5 bytes JMP 0000000077900340 .text C:\Windows\system32\lsm.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000777a2620 5 bytes JMP 0000000077900440 .text C:\Windows\system32\lsm.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000777a2820 5 bytes JMP 0000000077900260 .text C:\Windows\system32\lsm.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000777a2830 5 bytes JMP 0000000077900270 .text C:\Windows\system32\lsm.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000777a2840 5 bytes JMP 0000000077900400 .text C:\Windows\system32\lsm.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000777a2a00 5 bytes JMP 00000000779001f0 .text C:\Windows\system32\lsm.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000777a2a10 5 bytes JMP 0000000077900210 .text C:\Windows\system32\lsm.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000777a2a80 5 bytes JMP 0000000077900200 .text C:\Windows\system32\lsm.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000777a2ae0 5 bytes JMP 
0000000077900420 .text C:\Windows\system32\lsm.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000777a2af0 5 bytes JMP 0000000077900430 .text C:\Windows\system32\lsm.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000777a2b00 5 bytes JMP 0000000077900220 .text C:\Windows\system32\lsm.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000777a2be0 5 bytes JMP 0000000077900280 .text C:\Windows\system32\svchost.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000777a13c0 5 bytes JMP 0000000077900460 .text C:\Windows\system32\svchost.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000777a1410 5 bytes JMP 0000000077900450 .text C:\Windows\system32\svchost.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000777a1570 5 bytes JMP 0000000077900370 .text C:\Windows\system32\svchost.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000777a15c0 5 bytes JMP 0000000077900470 .text C:\Windows\system32\svchost.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000777a15d0 5 bytes JMP 00000000779003e0 .text C:\Windows\system32\svchost.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000777a1680 5 bytes JMP 0000000077900320 .text C:\Windows\system32\svchost.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000777a16b0 5 bytes JMP 00000000779003b0 .text C:\Windows\system32\svchost.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000777a16d0 5 bytes JMP 0000000077900390 .text C:\Windows\system32\svchost.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000777a1710 5 bytes JMP 00000000779002e0 .text C:\Windows\system32\svchost.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000777a1790 5 bytes JMP 00000000779002d0 .text C:\Windows\system32\svchost.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000777a17b0 5 bytes JMP 0000000077900310 .text C:\Windows\system32\svchost.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 
00000000777a17f0 5 bytes JMP 00000000779003c0 .text C:\Windows\system32\svchost.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000777a1840 5 bytes JMP 00000000779003f0 .text C:\Windows\system32\svchost.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000777a19a0 1 byte JMP 0000000077900230 .text C:\Windows\system32\svchost.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000777a19a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\svchost.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000777a1b60 5 bytes JMP 0000000077900480 .text C:\Windows\system32\svchost.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000777a1b90 5 bytes JMP 00000000779003a0 .text C:\Windows\system32\svchost.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000777a1c70 5 bytes JMP 00000000779002f0 .text C:\Windows\system32\svchost.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000777a1c80 5 bytes JMP 0000000077900350 .text C:\Windows\system32\svchost.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000777a1ce0 5 bytes JMP 0000000077900290 .text C:\Windows\system32\svchost.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000777a1d70 5 bytes JMP 00000000779002b0 .text C:\Windows\system32\svchost.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000777a1d90 5 bytes JMP 00000000779003d0 .text C:\Windows\system32\svchost.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000777a1da0 1 byte JMP 0000000077900330 .text C:\Windows\system32\svchost.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00000000777a1da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\svchost.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000777a1e10 5 bytes JMP 0000000077900410 .text C:\Windows\system32\svchost.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000777a1e40 5 bytes JMP 0000000077900240 .text 
C:\Windows\system32\svchost.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000777a2100 5 bytes JMP 00000000779001e0 .text C:\Windows\system32\svchost.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000777a21c0 1 byte JMP 0000000077900250 .text C:\Windows\system32\svchost.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000777a21c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\svchost.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000777a21f0 5 bytes JMP 0000000077900490 .text C:\Windows\system32\svchost.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000777a2200 5 bytes JMP 00000000779004a0 .text C:\Windows\system32\svchost.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000777a2230 5 bytes JMP 0000000077900300 .text C:\Windows\system32\svchost.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000777a2240 5 bytes JMP 0000000077900360 .text C:\Windows\system32\svchost.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000777a22a0 5 bytes JMP 00000000779002a0 .text C:\Windows\system32\svchost.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000777a22f0 5 bytes JMP 00000000779002c0 .text C:\Windows\system32\svchost.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000777a2320 5 bytes JMP 0000000077900380 .text C:\Windows\system32\svchost.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000777a2330 5 bytes JMP 0000000077900340 .text C:\Windows\system32\svchost.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000777a2620 5 bytes JMP 0000000077900440 .text C:\Windows\system32\svchost.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000777a2820 5 bytes JMP 0000000077900260 .text C:\Windows\system32\svchost.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000777a2830 5 bytes JMP 0000000077900270 .text C:\Windows\system32\svchost.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 
00000000777a2840 5 bytes JMP 0000000077900400 .text C:\Windows\system32\svchost.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000777a2a00 5 bytes JMP 00000000779001f0 .text C:\Windows\system32\svchost.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000777a2a10 5 bytes JMP 0000000077900210 .text C:\Windows\system32\svchost.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000777a2a80 5 bytes JMP 0000000077900200 .text C:\Windows\system32\svchost.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000777a2ae0 5 bytes JMP 0000000077900420 .text C:\Windows\system32\svchost.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000777a2af0 5 bytes JMP 0000000077900430 .text C:\Windows\system32\svchost.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000777a2b00 5 bytes JMP 0000000077900220 .text C:\Windows\system32\svchost.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000777a2be0 5 bytes JMP 0000000077900280 .text C:\Windows\system32\svchost.exe[756] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007768ee7d 1 byte [62] .text C:\Windows\system32\nvvsvc.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000777a13c0 5 bytes JMP 0000000077900460 .text C:\Windows\system32\nvvsvc.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000777a1410 5 bytes JMP 0000000077900450 .text C:\Windows\system32\nvvsvc.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000777a1570 5 bytes JMP 0000000077900370 .text C:\Windows\system32\nvvsvc.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000777a15c0 5 bytes JMP 0000000077900470 .text C:\Windows\system32\nvvsvc.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000777a15d0 5 bytes JMP 00000000779003e0 .text C:\Windows\system32\nvvsvc.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000777a1680 5 bytes JMP 0000000077900320 .text C:\Windows\system32\nvvsvc.exe[836] 
C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000777a16b0 5 bytes JMP 00000000779003b0 .text C:\Windows\system32\nvvsvc.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000777a16d0 5 bytes JMP 0000000077900390 .text C:\Windows\system32\nvvsvc.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000777a1710 5 bytes JMP 00000000779002e0 .text C:\Windows\system32\nvvsvc.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000777a1790 5 bytes JMP 00000000779002d0 .text C:\Windows\system32\nvvsvc.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000777a17b0 5 bytes JMP 0000000077900310 .text C:\Windows\system32\nvvsvc.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000777a17f0 5 bytes JMP 00000000779003c0 .text C:\Windows\system32\nvvsvc.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000777a1840 5 bytes JMP 00000000779003f0 .text C:\Windows\system32\nvvsvc.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000777a19a0 1 byte JMP 0000000077900230 .text C:\Windows\system32\nvvsvc.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000777a19a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\nvvsvc.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000777a1b60 5 bytes JMP 0000000077900480 .text C:\Windows\system32\nvvsvc.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000777a1b90 5 bytes JMP 00000000779003a0 .text C:\Windows\system32\nvvsvc.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000777a1c70 5 bytes JMP 00000000779002f0 .text C:\Windows\system32\nvvsvc.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000777a1c80 5 bytes JMP 0000000077900350 .text C:\Windows\system32\nvvsvc.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000777a1ce0 5 bytes JMP 0000000077900290 .text C:\Windows\system32\nvvsvc.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000777a1d70 5 bytes JMP 00000000779002b0 .text 
C:\Windows\system32\nvvsvc.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000777a1d90 5 bytes JMP 00000000779003d0 .text C:\Windows\system32\nvvsvc.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000777a1da0 1 byte JMP 0000000077900330 .text C:\Windows\system32\nvvsvc.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00000000777a1da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\nvvsvc.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000777a1e10 5 bytes JMP 0000000077900410 .text C:\Windows\system32\nvvsvc.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000777a1e40 5 bytes JMP 0000000077900240 .text C:\Windows\system32\nvvsvc.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000777a2100 5 bytes JMP 00000000779001e0 .text C:\Windows\system32\nvvsvc.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000777a21c0 1 byte JMP 0000000077900250 .text C:\Windows\system32\nvvsvc.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000777a21c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\nvvsvc.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000777a21f0 5 bytes JMP 0000000077900490 .text C:\Windows\system32\nvvsvc.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000777a2200 5 bytes JMP 00000000779004a0 .text C:\Windows\system32\nvvsvc.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000777a2230 5 bytes JMP 0000000077900300 .text C:\Windows\system32\nvvsvc.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000777a2240 5 bytes JMP 0000000077900360 .text C:\Windows\system32\nvvsvc.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000777a22a0 5 bytes JMP 00000000779002a0 .text C:\Windows\system32\nvvsvc.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000777a22f0 5 bytes JMP 00000000779002c0 .text C:\Windows\system32\nvvsvc.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000777a2320 5 bytes JMP 
0000000077900380 .text C:\Windows\system32\nvvsvc.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000777a2330 5 bytes JMP 0000000077900340 .text C:\Windows\system32\nvvsvc.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000777a2620 5 bytes JMP 0000000077900440 .text C:\Windows\system32\nvvsvc.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000777a2820 5 bytes JMP 0000000077900260 .text C:\Windows\system32\nvvsvc.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000777a2830 5 bytes JMP 0000000077900270 .text C:\Windows\system32\nvvsvc.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000777a2840 5 bytes JMP 0000000077900400 .text C:\Windows\system32\nvvsvc.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000777a2a00 5 bytes JMP 00000000779001f0 .text C:\Windows\system32\nvvsvc.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000777a2a10 5 bytes JMP 0000000077900210 .text C:\Windows\system32\nvvsvc.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000777a2a80 5 bytes JMP 0000000077900200 .text C:\Windows\system32\nvvsvc.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000777a2ae0 5 bytes JMP 0000000077900420 .text C:\Windows\system32\nvvsvc.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000777a2af0 5 bytes JMP 0000000077900430 .text C:\Windows\system32\nvvsvc.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000777a2b00 5 bytes JMP 0000000077900220 .text C:\Windows\system32\nvvsvc.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000777a2be0 5 bytes JMP 0000000077900280 .text C:\Windows\system32\nvvsvc.exe[836] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007768ee7d 1 byte [62] .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[860] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000750aa2ea 1 byte [62] .text C:\Windows\system32\svchost.exe[904] 
C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000777a13c0 5 bytes JMP 0000000077900460 .text C:\Windows\system32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000777a1410 5 bytes JMP 0000000077900450 .text C:\Windows\system32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000777a1570 5 bytes JMP 0000000077900370 .text C:\Windows\system32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000777a15c0 5 bytes JMP 0000000077900470 .text C:\Windows\system32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000777a15d0 5 bytes JMP 00000000779003e0 .text C:\Windows\system32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000777a1680 5 bytes JMP 0000000077900320 .text C:\Windows\system32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000777a16b0 5 bytes JMP 00000000779003b0 .text C:\Windows\system32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000777a16d0 5 bytes JMP 0000000077900390 .text C:\Windows\system32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000777a1710 5 bytes JMP 00000000779002e0 .text C:\Windows\system32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000777a1790 5 bytes JMP 00000000779002d0 .text C:\Windows\system32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000777a17b0 5 bytes JMP 0000000077900310 .text C:\Windows\system32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000777a17f0 5 bytes JMP 00000000779003c0 .text C:\Windows\system32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000777a1840 5 bytes JMP 00000000779003f0 .text C:\Windows\system32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000777a19a0 1 byte JMP 0000000077900230 .text C:\Windows\system32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000777a19a2 3 bytes {JMP 0x15e890} .text 
C:\Windows\system32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000777a1b60 5 bytes JMP 0000000077900480 .text C:\Windows\system32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000777a1b90 5 bytes JMP 00000000779003a0 .text C:\Windows\system32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000777a1c70 5 bytes JMP 00000000779002f0 .text C:\Windows\system32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000777a1c80 5 bytes JMP 0000000077900350 .text C:\Windows\system32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000777a1ce0 5 bytes JMP 0000000077900290 .text C:\Windows\system32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000777a1d70 5 bytes JMP 00000000779002b0 .text C:\Windows\system32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000777a1d90 5 bytes JMP 00000000779003d0 .text C:\Windows\system32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000777a1da0 1 byte JMP 0000000077900330 .text C:\Windows\system32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00000000777a1da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000777a1e10 5 bytes JMP 0000000077900410 .text C:\Windows\system32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000777a1e40 5 bytes JMP 0000000077900240 .text C:\Windows\system32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000777a2100 5 bytes JMP 00000000779001e0 .text C:\Windows\system32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000777a21c0 1 byte JMP 0000000077900250 .text C:\Windows\system32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000777a21c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\svchost.exe[904] 
C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000777a21f0 5 bytes JMP 0000000077900490 .text C:\Windows\system32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000777a2200 5 bytes JMP 00000000779004a0 .text C:\Windows\system32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000777a2230 5 bytes JMP 0000000077900300 .text C:\Windows\system32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000777a2240 5 bytes JMP 0000000077900360 .text C:\Windows\system32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000777a22a0 5 bytes JMP 00000000779002a0 .text C:\Windows\system32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000777a22f0 5 bytes JMP 00000000779002c0 .text C:\Windows\system32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000777a2320 5 bytes JMP 0000000077900380 .text C:\Windows\system32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000777a2330 5 bytes JMP 0000000077900340 .text C:\Windows\system32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000777a2620 5 bytes JMP 0000000077900440 .text C:\Windows\system32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000777a2820 5 bytes JMP 0000000077900260 .text C:\Windows\system32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000777a2830 5 bytes JMP 0000000077900270 .text C:\Windows\system32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000777a2840 5 bytes JMP 0000000077900400 .text C:\Windows\system32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000777a2a00 5 bytes JMP 00000000779001f0 .text C:\Windows\system32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000777a2a10 5 bytes JMP 0000000077900210 .text C:\Windows\system32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000777a2a80 5 bytes JMP 
0000000077900200 .text C:\Windows\system32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000777a2ae0 5 bytes JMP 0000000077900420 .text C:\Windows\system32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000777a2af0 5 bytes JMP 0000000077900430 .text C:\Windows\system32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000777a2b00 5 bytes JMP 0000000077900220 .text C:\Windows\system32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000777a2be0 5 bytes JMP 0000000077900280 .text C:\Windows\System32\svchost.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000777a13c0 5 bytes JMP 0000000077900460 .text C:\Windows\System32\svchost.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000777a1410 5 bytes JMP 0000000077900450 .text C:\Windows\System32\svchost.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000777a1570 5 bytes JMP 0000000077900370 .text C:\Windows\System32\svchost.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000777a15c0 5 bytes JMP 0000000077900470 .text C:\Windows\System32\svchost.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000777a15d0 5 bytes JMP 00000000779003e0 .text C:\Windows\System32\svchost.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000777a1680 5 bytes JMP 0000000077900320 .text C:\Windows\System32\svchost.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000777a16b0 5 bytes JMP 00000000779003b0 .text C:\Windows\System32\svchost.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000777a16d0 5 bytes JMP 0000000077900390 .text C:\Windows\System32\svchost.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000777a1710 5 bytes JMP 00000000779002e0 .text C:\Windows\System32\svchost.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000777a1790 5 bytes JMP 00000000779002d0 .text C:\Windows\System32\svchost.exe[1004] 
C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000777a17b0 5 bytes JMP 0000000077900310 .text C:\Windows\System32\svchost.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000777a17f0 5 bytes JMP 00000000779003c0 .text C:\Windows\System32\svchost.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000777a1840 5 bytes JMP 00000000779003f0 .text C:\Windows\System32\svchost.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000777a19a0 1 byte JMP 0000000077900230 .text C:\Windows\System32\svchost.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000777a19a2 3 bytes {JMP 0x15e890} .text C:\Windows\System32\svchost.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000777a1b60 5 bytes JMP 0000000077900480 .text C:\Windows\System32\svchost.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000777a1b90 5 bytes JMP 00000000779003a0 .text C:\Windows\System32\svchost.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000777a1c70 5 bytes JMP 00000000779002f0 .text C:\Windows\System32\svchost.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000777a1c80 5 bytes JMP 0000000077900350 .text C:\Windows\System32\svchost.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000777a1ce0 5 bytes JMP 0000000077900290 .text C:\Windows\System32\svchost.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000777a1d70 5 bytes JMP 00000000779002b0 .text C:\Windows\System32\svchost.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000777a1d90 5 bytes JMP 00000000779003d0 .text C:\Windows\System32\svchost.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000777a1da0 1 byte JMP 0000000077900330 .text C:\Windows\System32\svchost.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00000000777a1da2 3 bytes {JMP 0x15e590} .text C:\Windows\System32\svchost.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000777a1e10 5 bytes 
JMP 0000000077900410 .text C:\Windows\System32\svchost.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000777a1e40 5 bytes JMP 0000000077900240 .text C:\Windows\System32\svchost.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000777a2100 5 bytes JMP 00000000779001e0 .text C:\Windows\System32\svchost.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000777a21c0 1 byte JMP 0000000077900250 .text C:\Windows\System32\svchost.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000777a21c2 3 bytes {JMP 0x15e090} .text C:\Windows\System32\svchost.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000777a21f0 5 bytes JMP 0000000077900490 .text C:\Windows\System32\svchost.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000777a2200 5 bytes JMP 00000000779004a0 .text C:\Windows\System32\svchost.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000777a2230 5 bytes JMP 0000000077900300 .text C:\Windows\System32\svchost.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000777a2240 5 bytes JMP 0000000077900360 .text C:\Windows\System32\svchost.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000777a22a0 5 bytes JMP 00000000779002a0 .text C:\Windows\System32\svchost.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000777a22f0 5 bytes JMP 00000000779002c0 .text C:\Windows\System32\svchost.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000777a2320 5 bytes JMP 0000000077900380 .text C:\Windows\System32\svchost.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000777a2330 5 bytes JMP 0000000077900340 .text C:\Windows\System32\svchost.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000777a2620 5 bytes JMP 0000000077900440 .text C:\Windows\System32\svchost.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000777a2820 5 bytes JMP 0000000077900260 .text C:\Windows\System32\svchost.exe[1004] 
C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000777a2830 5 bytes JMP 0000000077900270 .text C:\Windows\System32\svchost.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000777a2840 5 bytes JMP 0000000077900400 .text C:\Windows\System32\svchost.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000777a2a00 5 bytes JMP 00000000779001f0 .text C:\Windows\System32\svchost.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000777a2a10 5 bytes JMP 0000000077900210 .text C:\Windows\System32\svchost.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000777a2a80 5 bytes JMP 0000000077900200 .text C:\Windows\System32\svchost.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000777a2ae0 5 bytes JMP 0000000077900420 .text C:\Windows\System32\svchost.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000777a2af0 5 bytes JMP 0000000077900430 .text C:\Windows\System32\svchost.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000777a2b00 5 bytes JMP 0000000077900220 .text C:\Windows\System32\svchost.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000777a2be0 5 bytes JMP 0000000077900280 .text C:\Windows\System32\svchost.exe[1004] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007768ee7d 1 byte [62] .text C:\Windows\System32\svchost.exe[324] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000777a13c0 5 bytes JMP 0000000077900460 .text C:\Windows\System32\svchost.exe[324] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000777a1410 5 bytes JMP 0000000077900450 .text C:\Windows\System32\svchost.exe[324] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000777a1570 5 bytes JMP 0000000077900370 .text C:\Windows\System32\svchost.exe[324] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000777a15c0 5 bytes JMP 0000000077900470 .text C:\Windows\System32\svchost.exe[324] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000777a15d0 5 bytes 
JMP 00000000779003e0 .text C:\Windows\System32\svchost.exe[324] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000777a1680 5 bytes JMP 0000000077900320 .text C:\Windows\System32\svchost.exe[324] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000777a16b0 5 bytes JMP 00000000779003b0 .text C:\Windows\System32\svchost.exe[324] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000777a16d0 5 bytes JMP 0000000077900390 .text C:\Windows\System32\svchost.exe[324] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000777a1710 5 bytes JMP 00000000779002e0 .text C:\Windows\System32\svchost.exe[324] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000777a1790 5 bytes JMP 00000000779002d0 .text C:\Windows\System32\svchost.exe[324] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000777a17b0 5 bytes JMP 0000000077900310 .text C:\Windows\System32\svchost.exe[324] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000777a17f0 5 bytes JMP 00000000779003c0 .text C:\Windows\System32\svchost.exe[324] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000777a1840 5 bytes JMP 00000000779003f0 .text C:\Windows\System32\svchost.exe[324] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000777a19a0 1 byte JMP 0000000077900230 .text C:\Windows\System32\svchost.exe[324] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000777a19a2 3 bytes {JMP 0x15e890} .text C:\Windows\System32\svchost.exe[324] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000777a1b60 5 bytes JMP 0000000077900480 .text C:\Windows\System32\svchost.exe[324] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000777a1b90 5 bytes JMP 00000000779003a0 .text C:\Windows\System32\svchost.exe[324] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000777a1c70 5 bytes JMP 00000000779002f0 .text C:\Windows\System32\svchost.exe[324] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000777a1c80 5 bytes JMP 0000000077900350 .text C:\Windows\System32\svchost.exe[324] 
C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000777a1ce0 5 bytes JMP 0000000077900290 .text C:\Windows\System32\svchost.exe[324] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000777a1d70 5 bytes JMP 00000000779002b0 .text C:\Windows\System32\svchost.exe[324] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000777a1d90 5 bytes JMP 00000000779003d0 .text C:\Windows\System32\svchost.exe[324] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000777a1da0 1 byte JMP 0000000077900330 .text C:\Windows\System32\svchost.exe[324] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00000000777a1da2 3 bytes {JMP 0x15e590} .text C:\Windows\System32\svchost.exe[324] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000777a1e10 5 bytes JMP 0000000077900410 .text C:\Windows\System32\svchost.exe[324] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000777a1e40 5 bytes JMP 0000000077900240 .text C:\Windows\System32\svchost.exe[324] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000777a2100 5 bytes JMP 00000000779001e0 .text C:\Windows\System32\svchost.exe[324] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000777a21c0 1 byte JMP 0000000077900250 .text C:\Windows\System32\svchost.exe[324] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000777a21c2 3 bytes {JMP 0x15e090} .text C:\Windows\System32\svchost.exe[324] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000777a21f0 5 bytes JMP 0000000077900490 .text C:\Windows\System32\svchost.exe[324] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000777a2200 5 bytes JMP 00000000779004a0 .text C:\Windows\System32\svchost.exe[324] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000777a2230 5 bytes JMP 0000000077900300 .text C:\Windows\System32\svchost.exe[324] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000777a2240 5 bytes JMP 0000000077900360 .text C:\Windows\System32\svchost.exe[324] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000777a22a0 5 bytes JMP 00000000779002a0 
.text C:\Windows\System32\svchost.exe[324] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000777a22f0 5 bytes JMP 00000000779002c0 .text C:\Windows\System32\svchost.exe[324] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000777a2320 5 bytes JMP 0000000077900380 .text C:\Windows\System32\svchost.exe[324] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000777a2330 5 bytes JMP 0000000077900340 .text C:\Windows\System32\svchost.exe[324] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000777a2620 5 bytes JMP 0000000077900440 .text C:\Windows\System32\svchost.exe[324] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000777a2820 5 bytes JMP 0000000077900260 .text C:\Windows\System32\svchost.exe[324] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000777a2830 5 bytes JMP 0000000077900270 .text C:\Windows\System32\svchost.exe[324] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000777a2840 5 bytes JMP 0000000077900400 .text C:\Windows\System32\svchost.exe[324] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000777a2a00 5 bytes JMP 00000000779001f0 .text C:\Windows\System32\svchost.exe[324] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000777a2a10 5 bytes JMP 0000000077900210 .text C:\Windows\System32\svchost.exe[324] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000777a2a80 5 bytes JMP 0000000077900200 .text C:\Windows\System32\svchost.exe[324] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000777a2ae0 5 bytes JMP 0000000077900420 .text C:\Windows\System32\svchost.exe[324] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000777a2af0 5 bytes JMP 0000000077900430 .text C:\Windows\System32\svchost.exe[324] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000777a2b00 5 bytes JMP 0000000077900220 .text C:\Windows\System32\svchost.exe[324] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000777a2be0 5 bytes JMP 0000000077900280 .text C:\Windows\System32\svchost.exe[324] 
C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007768ee7d 1 byte [62] .text C:\Windows\system32\svchost.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000777a13c0 5 bytes JMP 0000000100070460 .text C:\Windows\system32\svchost.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000777a1410 5 bytes JMP 0000000100070450 .text C:\Windows\system32\svchost.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000777a1570 5 bytes JMP 0000000100070370 .text C:\Windows\system32\svchost.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000777a15c0 5 bytes JMP 0000000100070470 .text C:\Windows\system32\svchost.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000777a15d0 5 bytes JMP 00000001000703e0 .text C:\Windows\system32\svchost.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000777a1680 5 bytes JMP 0000000100070320 .text C:\Windows\system32\svchost.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000777a16b0 5 bytes JMP 00000001000703b0 .text C:\Windows\system32\svchost.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000777a16d0 5 bytes JMP 0000000100070390 .text C:\Windows\system32\svchost.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000777a1710 5 bytes JMP 00000001000702e0 .text C:\Windows\system32\svchost.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000777a1790 5 bytes JMP 00000001000702d0 .text C:\Windows\system32\svchost.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000777a17b0 5 bytes JMP 0000000100070310 .text C:\Windows\system32\svchost.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000777a17f0 5 bytes JMP 00000001000703c0 .text C:\Windows\system32\svchost.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000777a1840 5 bytes JMP 00000001000703f0 .text C:\Windows\system32\svchost.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000777a19a0 1 byte JMP 0000000100070230 .text 
C:\Windows\system32\svchost.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000777a19a2 3 bytes {JMP 0xffffffff888ce890} .text C:\Windows\system32\svchost.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000777a1b60 5 bytes JMP 0000000100070480 .text C:\Windows\system32\svchost.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000777a1b90 5 bytes JMP 00000001000703a0 .text C:\Windows\system32\svchost.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000777a1c70 5 bytes JMP 00000001000702f0 .text C:\Windows\system32\svchost.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000777a1c80 5 bytes JMP 0000000100070350 .text C:\Windows\system32\svchost.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000777a1ce0 5 bytes JMP 0000000100070290 .text C:\Windows\system32\svchost.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000777a1d70 5 bytes JMP 00000001000702b0 .text C:\Windows\system32\svchost.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000777a1d90 5 bytes JMP 00000001000703d0 .text C:\Windows\system32\svchost.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000777a1da0 1 byte JMP 0000000100070330 .text C:\Windows\system32\svchost.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00000000777a1da2 3 bytes {JMP 0xffffffff888ce590} .text C:\Windows\system32\svchost.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000777a1e10 5 bytes JMP 0000000100070410 .text C:\Windows\system32\svchost.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000777a1e40 5 bytes JMP 0000000100070240 .text C:\Windows\system32\svchost.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000777a2100 5 bytes JMP 00000001000701e0 .text C:\Windows\system32\svchost.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000777a21c0 1 byte JMP 0000000100070250 .text C:\Windows\system32\svchost.exe[472] 
C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000777a21c2 3 bytes {JMP 0xffffffff888ce090} .text C:\Windows\system32\svchost.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000777a21f0 5 bytes JMP 0000000100070490 .text C:\Windows\system32\svchost.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000777a2200 5 bytes JMP 00000001000704a0 .text C:\Windows\system32\svchost.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000777a2230 5 bytes JMP 0000000100070300 .text C:\Windows\system32\svchost.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000777a2240 5 bytes JMP 0000000100070360 .text C:\Windows\system32\svchost.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000777a22a0 5 bytes JMP 00000001000702a0 .text C:\Windows\system32\svchost.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000777a22f0 5 bytes JMP 00000001000702c0 .text C:\Windows\system32\svchost.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000777a2320 5 bytes JMP 0000000100070380 .text C:\Windows\system32\svchost.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000777a2330 5 bytes JMP 0000000100070340 .text C:\Windows\system32\svchost.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000777a2620 5 bytes JMP 0000000100070440 .text C:\Windows\system32\svchost.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000777a2820 5 bytes JMP 0000000100070260 .text C:\Windows\system32\svchost.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000777a2830 5 bytes JMP 0000000100070270 .text C:\Windows\system32\svchost.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000777a2840 5 bytes JMP 0000000100070400 .text C:\Windows\system32\svchost.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000777a2a00 5 bytes JMP 00000001000701f0 .text C:\Windows\system32\svchost.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000777a2a10 5 
bytes JMP 0000000100070210 .text C:\Windows\system32\svchost.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000777a2a80 5 bytes JMP 0000000100070200 .text C:\Windows\system32\svchost.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000777a2ae0 5 bytes JMP 0000000100070420 .text C:\Windows\system32\svchost.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000777a2af0 5 bytes JMP 0000000100070430 .text C:\Windows\system32\svchost.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000777a2b00 5 bytes JMP 0000000100070220 .text C:\Windows\system32\svchost.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000777a2be0 5 bytes JMP 0000000100070280 .text C:\Windows\system32\svchost.exe[472] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007768ee7d 1 byte [62] .text C:\Windows\system32\AUDIODG.EXE[920] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000777a13c0 5 bytes JMP 0000000077900460 .text C:\Windows\system32\AUDIODG.EXE[920] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000777a1410 5 bytes JMP 0000000077900450 .text C:\Windows\system32\AUDIODG.EXE[920] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000777a1570 5 bytes JMP 0000000077900370 .text C:\Windows\system32\AUDIODG.EXE[920] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000777a15c0 5 bytes JMP 0000000077900470 .text C:\Windows\system32\AUDIODG.EXE[920] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000777a15d0 5 bytes JMP 00000000779003e0 .text C:\Windows\system32\AUDIODG.EXE[920] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000777a1680 5 bytes JMP 0000000077900320 .text C:\Windows\system32\AUDIODG.EXE[920] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000777a16b0 5 bytes JMP 00000000779003b0 .text C:\Windows\system32\AUDIODG.EXE[920] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000777a16d0 5 bytes JMP 0000000077900390 .text C:\Windows\system32\AUDIODG.EXE[920] 
C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000777a1710 5 bytes JMP 00000000779002e0 .text C:\Windows\system32\AUDIODG.EXE[920] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000777a1790 5 bytes JMP 00000000779002d0 .text C:\Windows\system32\AUDIODG.EXE[920] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000777a17b0 5 bytes JMP 0000000077900310 .text C:\Windows\system32\AUDIODG.EXE[920] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000777a17f0 5 bytes JMP 00000000779003c0 .text C:\Windows\system32\AUDIODG.EXE[920] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000777a1840 5 bytes JMP 00000000779003f0 .text C:\Windows\system32\AUDIODG.EXE[920] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000777a19a0 1 byte JMP 0000000077900230 .text C:\Windows\system32\AUDIODG.EXE[920] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000777a19a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\AUDIODG.EXE[920] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000777a1b60 5 bytes JMP 0000000077900480 .text C:\Windows\system32\AUDIODG.EXE[920] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000777a1b90 5 bytes JMP 00000000779003a0 .text C:\Windows\system32\AUDIODG.EXE[920] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000777a1c70 5 bytes JMP 00000000779002f0 .text C:\Windows\system32\AUDIODG.EXE[920] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000777a1c80 5 bytes JMP 0000000077900350 .text C:\Windows\system32\AUDIODG.EXE[920] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000777a1ce0 5 bytes JMP 0000000077900290 .text C:\Windows\system32\AUDIODG.EXE[920] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000777a1d70 5 bytes JMP 00000000779002b0 .text C:\Windows\system32\AUDIODG.EXE[920] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000777a1d90 5 bytes JMP 00000000779003d0 .text C:\Windows\system32\AUDIODG.EXE[920] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000777a1da0 1 byte JMP 0000000077900330 
.text C:\Windows\system32\AUDIODG.EXE[920] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00000000777a1da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\AUDIODG.EXE[920] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000777a1e10 5 bytes JMP 0000000077900410 .text C:\Windows\system32\AUDIODG.EXE[920] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000777a1e40 5 bytes JMP 0000000077900240 .text C:\Windows\system32\AUDIODG.EXE[920] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000777a2100 5 bytes JMP 00000000779001e0 .text C:\Windows\system32\AUDIODG.EXE[920] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000777a21c0 1 byte JMP 0000000077900250 .text C:\Windows\system32\AUDIODG.EXE[920] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000777a21c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\AUDIODG.EXE[920] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000777a21f0 5 bytes JMP 0000000077900490 .text C:\Windows\system32\AUDIODG.EXE[920] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000777a2200 5 bytes JMP 00000000779004a0 .text C:\Windows\system32\AUDIODG.EXE[920] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000777a2230 5 bytes JMP 0000000077900300 .text C:\Windows\system32\AUDIODG.EXE[920] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000777a2240 5 bytes JMP 0000000077900360 .text C:\Windows\system32\AUDIODG.EXE[920] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000777a22a0 5 bytes JMP 00000000779002a0 .text C:\Windows\system32\AUDIODG.EXE[920] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000777a22f0 5 bytes JMP 00000000779002c0 .text C:\Windows\system32\AUDIODG.EXE[920] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000777a2320 5 bytes JMP 0000000077900380 .text C:\Windows\system32\AUDIODG.EXE[920] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000777a2330 5 bytes JMP 0000000077900340 .text C:\Windows\system32\AUDIODG.EXE[920] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 
00000000777a2620 5 bytes JMP 0000000077900440 .text C:\Windows\system32\AUDIODG.EXE[920] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000777a2820 5 bytes JMP 0000000077900260 .text C:\Windows\system32\AUDIODG.EXE[920] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000777a2830 5 bytes JMP 0000000077900270 .text C:\Windows\system32\AUDIODG.EXE[920] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000777a2840 5 bytes JMP 0000000077900400 .text C:\Windows\system32\AUDIODG.EXE[920] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000777a2a00 5 bytes JMP 00000000779001f0 .text C:\Windows\system32\AUDIODG.EXE[920] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000777a2a10 5 bytes JMP 0000000077900210 .text C:\Windows\system32\AUDIODG.EXE[920] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000777a2a80 5 bytes JMP 0000000077900200 .text C:\Windows\system32\AUDIODG.EXE[920] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000777a2ae0 5 bytes JMP 0000000077900420 .text C:\Windows\system32\AUDIODG.EXE[920] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000777a2af0 5 bytes JMP 0000000077900430 .text C:\Windows\system32\AUDIODG.EXE[920] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000777a2b00 5 bytes JMP 0000000077900220 .text C:\Windows\system32\AUDIODG.EXE[920] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000777a2be0 5 bytes JMP 0000000077900280 .text C:\Windows\system32\AUDIODG.EXE[920] C:\Windows\System32\kernel32.dll!GetBinaryTypeW + 189 000000007768ee7d 1 byte [62] .text C:\Windows\system32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000777a13c0 5 bytes JMP 0000000100070460 .text C:\Windows\system32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000777a1410 5 bytes JMP 0000000100070450 .text C:\Windows\system32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000777a1570 5 bytes JMP 0000000100070370 .text 
C:\Windows\system32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000777a15c0 5 bytes JMP 0000000100070470 .text C:\Windows\system32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000777a15d0 5 bytes JMP 00000001000703e0 .text C:\Windows\system32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000777a1680 5 bytes JMP 0000000100070320 .text C:\Windows\system32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000777a16b0 5 bytes JMP 00000001000703b0 .text C:\Windows\system32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000777a16d0 5 bytes JMP 0000000100070390 .text C:\Windows\system32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000777a1710 5 bytes JMP 00000001000702e0 .text C:\Windows\system32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000777a1790 5 bytes JMP 00000001000702d0 .text C:\Windows\system32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000777a17b0 5 bytes JMP 0000000100070310 .text C:\Windows\system32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000777a17f0 5 bytes JMP 00000001000703c0 .text C:\Windows\system32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000777a1840 5 bytes JMP 00000001000703f0 .text C:\Windows\system32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000777a19a0 1 byte JMP 0000000100070230 .text C:\Windows\system32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000777a19a2 3 bytes {JMP 0xffffffff888ce890} .text C:\Windows\system32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000777a1b60 5 bytes JMP 0000000100070480 .text C:\Windows\system32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000777a1b90 5 bytes JMP 00000001000703a0 .text C:\Windows\system32\svchost.exe[1052] 
C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000777a1c70 5 bytes JMP 00000001000702f0 .text C:\Windows\system32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000777a1c80 5 bytes JMP 0000000100070350 .text C:\Windows\system32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000777a1ce0 5 bytes JMP 0000000100070290 .text C:\Windows\system32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000777a1d70 5 bytes JMP 00000001000702b0 .text C:\Windows\system32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000777a1d90 5 bytes JMP 00000001000703d0 .text C:\Windows\system32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000777a1da0 1 byte JMP 0000000100070330 .text C:\Windows\system32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00000000777a1da2 3 bytes {JMP 0xffffffff888ce590} .text C:\Windows\system32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000777a1e10 5 bytes JMP 0000000100070410 .text C:\Windows\system32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000777a1e40 5 bytes JMP 0000000100070240 .text C:\Windows\system32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000777a2100 5 bytes JMP 00000001000701e0 .text C:\Windows\system32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000777a21c0 1 byte JMP 0000000100070250 .text C:\Windows\system32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000777a21c2 3 bytes {JMP 0xffffffff888ce090} .text C:\Windows\system32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000777a21f0 5 bytes JMP 0000000100070490 .text C:\Windows\system32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000777a2200 5 bytes JMP 00000001000704a0 .text C:\Windows\system32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 
00000000777a2230 5 bytes JMP 0000000100070300 .text C:\Windows\system32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000777a2240 5 bytes JMP 0000000100070360 .text C:\Windows\system32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000777a22a0 5 bytes JMP 00000001000702a0 .text C:\Windows\system32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000777a22f0 5 bytes JMP 00000001000702c0 .text C:\Windows\system32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000777a2320 5 bytes JMP 0000000100070380 .text C:\Windows\system32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000777a2330 5 bytes JMP 0000000100070340 .text C:\Windows\system32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000777a2620 5 bytes JMP 0000000100070440 .text C:\Windows\system32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000777a2820 5 bytes JMP 0000000100070260 .text C:\Windows\system32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000777a2830 5 bytes JMP 0000000100070270 .text C:\Windows\system32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000777a2840 5 bytes JMP 0000000100070400 .text C:\Windows\system32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000777a2a00 5 bytes JMP 00000001000701f0 .text C:\Windows\system32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000777a2a10 5 bytes JMP 0000000100070210 .text C:\Windows\system32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000777a2a80 5 bytes JMP 0000000100070200 .text C:\Windows\system32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000777a2ae0 5 bytes JMP 0000000100070420 .text C:\Windows\system32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000777a2af0 5 bytes JMP 0000000100070430 .text 
C:\Windows\system32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000777a2b00 5 bytes JMP 0000000100070220 .text C:\Windows\system32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000777a2be0 5 bytes JMP 0000000100070280 .text C:\Windows\system32\svchost.exe[1052] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007768ee7d 1 byte [62] .text C:\Windows\system32\svchost.exe[1136] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000777a13c0 5 bytes JMP 0000000100070460 .text C:\Windows\system32\svchost.exe[1136] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000777a1410 5 bytes JMP 0000000100070450 .text C:\Windows\system32\svchost.exe[1136] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000777a1570 5 bytes JMP 0000000100070370 .text C:\Windows\system32\svchost.exe[1136] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000777a15c0 5 bytes JMP 0000000100070470 .text C:\Windows\system32\svchost.exe[1136] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000777a15d0 5 bytes JMP 00000001000703e0 .text C:\Windows\system32\svchost.exe[1136] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000777a1680 5 bytes JMP 0000000100070320 .text C:\Windows\system32\svchost.exe[1136] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000777a16b0 5 bytes JMP 00000001000703b0 .text C:\Windows\system32\svchost.exe[1136] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000777a16d0 5 bytes JMP 0000000100070390 .text C:\Windows\system32\svchost.exe[1136] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000777a1710 5 bytes JMP 00000001000702e0 .text C:\Windows\system32\svchost.exe[1136] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000777a1790 5 bytes JMP 00000001000702d0 .text C:\Windows\system32\svchost.exe[1136] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000777a17b0 5 bytes JMP 0000000100070310 .text C:\Windows\system32\svchost.exe[1136] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 
00000000777a17f0 5 bytes JMP 00000001000703c0 .text C:\Windows\system32\svchost.exe[1136] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000777a1840 5 bytes JMP 00000001000703f0 .text C:\Windows\system32\svchost.exe[1136] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000777a19a0 1 byte JMP 0000000100070230 .text C:\Windows\system32\svchost.exe[1136] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000777a19a2 3 bytes {JMP 0xffffffff888ce890} .text C:\Windows\system32\svchost.exe[1136] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000777a1b60 5 bytes JMP 0000000100070480 .text C:\Windows\system32\svchost.exe[1136] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000777a1b90 5 bytes JMP 00000001000703a0 .text C:\Windows\system32\svchost.exe[1136] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000777a1c70 5 bytes JMP 00000001000702f0 .text C:\Windows\system32\svchost.exe[1136] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000777a1c80 5 bytes JMP 0000000100070350 .text C:\Windows\system32\svchost.exe[1136] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000777a1ce0 5 bytes JMP 0000000100070290 .text C:\Windows\system32\svchost.exe[1136] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000777a1d70 5 bytes JMP 00000001000702b0 .text C:\Windows\system32\svchost.exe[1136] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000777a1d90 5 bytes JMP 00000001000703d0 .text C:\Windows\system32\svchost.exe[1136] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000777a1da0 1 byte JMP 0000000100070330 .text C:\Windows\system32\svchost.exe[1136] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00000000777a1da2 3 bytes {JMP 0xffffffff888ce590} .text C:\Windows\system32\svchost.exe[1136] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000777a1e10 5 bytes JMP 0000000100070410 .text C:\Windows\system32\svchost.exe[1136] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000777a1e40 5 bytes JMP 0000000100070240 
.text C:\Windows\system32\svchost.exe[1136] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000777a2100 5 bytes JMP 00000001000701e0 .text C:\Windows\system32\svchost.exe[1136] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000777a21c0 1 byte JMP 0000000100070250 .text C:\Windows\system32\svchost.exe[1136] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000777a21c2 3 bytes {JMP 0xffffffff888ce090} .text C:\Windows\system32\svchost.exe[1136] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000777a21f0 5 bytes JMP 0000000100070490 .text C:\Windows\system32\svchost.exe[1136] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000777a2200 5 bytes JMP 00000001000704a0 .text C:\Windows\system32\svchost.exe[1136] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000777a2230 5 bytes JMP 0000000100070300 .text C:\Windows\system32\svchost.exe[1136] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000777a2240 5 bytes JMP 0000000100070360 .text C:\Windows\system32\svchost.exe[1136] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000777a22a0 5 bytes JMP 00000001000702a0 .text C:\Windows\system32\svchost.exe[1136] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000777a22f0 5 bytes JMP 00000001000702c0 .text C:\Windows\system32\svchost.exe[1136] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000777a2320 5 bytes JMP 0000000100070380 .text C:\Windows\system32\svchost.exe[1136] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000777a2330 5 bytes JMP 0000000100070340 .text C:\Windows\system32\svchost.exe[1136] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000777a2620 5 bytes JMP 0000000100070440 .text C:\Windows\system32\svchost.exe[1136] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000777a2820 5 bytes JMP 0000000100070260 .text C:\Windows\system32\svchost.exe[1136] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000777a2830 5 bytes JMP 0000000100070270 .text C:\Windows\system32\svchost.exe[1136] 
C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000777a2840 5 bytes JMP 0000000100070400 .text C:\Windows\system32\svchost.exe[1136] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000777a2a00 5 bytes JMP 00000001000701f0 .text C:\Windows\system32\svchost.exe[1136] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000777a2a10 5 bytes JMP 0000000100070210 .text C:\Windows\system32\svchost.exe[1136] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000777a2a80 5 bytes JMP 0000000100070200 .text C:\Windows\system32\svchost.exe[1136] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000777a2ae0 5 bytes JMP 0000000100070420 .text C:\Windows\system32\svchost.exe[1136] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000777a2af0 5 bytes JMP 0000000100070430 .text C:\Windows\system32\svchost.exe[1136] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000777a2b00 5 bytes JMP 0000000100070220 .text C:\Windows\system32\svchost.exe[1136] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000777a2be0 5 bytes JMP 0000000100070280 .text C:\Windows\system32\svchost.exe[1136] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007768ee7d 1 byte [62] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000777a13c0 5 bytes JMP 0000000077900460 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000777a1410 5 bytes JMP 0000000077900450 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000777a1570 5 bytes JMP 0000000077900370 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000777a15c0 5 bytes JMP 0000000077900470 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000777a15d0 5 bytes JMP 
00000000779003e0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000777a1680 5 bytes JMP 0000000077900320 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000777a16b0 5 bytes JMP 00000000779003b0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000777a16d0 5 bytes JMP 0000000077900390 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000777a1710 5 bytes JMP 00000000779002e0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000777a1790 5 bytes JMP 00000000779002d0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000777a17b0 5 bytes JMP 0000000077900310 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000777a17f0 5 bytes JMP 00000000779003c0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000777a1840 5 bytes JMP 00000000779003f0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000777a19a0 1 byte JMP 0000000077900230 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000777a19a2 3 bytes {JMP 0x15e890} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000777a1b60 5 bytes JMP 0000000077900480 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000777a1b90 5 bytes JMP 00000000779003a0 .text C:\Program Files\NVIDIA 
Corporation\Display\nvxdsync.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000777a1c70 5 bytes JMP 00000000779002f0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000777a1c80 5 bytes JMP 0000000077900350 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000777a1ce0 5 bytes JMP 0000000077900290 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000777a1d70 5 bytes JMP 00000000779002b0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000777a1d90 5 bytes JMP 00000000779003d0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000777a1da0 1 byte JMP 0000000077900330 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00000000777a1da2 3 bytes {JMP 0x15e590} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000777a1e10 5 bytes JMP 0000000077900410 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000777a1e40 5 bytes JMP 0000000077900240 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000777a2100 5 bytes JMP 00000000779001e0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000777a21c0 1 byte JMP 0000000077900250 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000777a21c2 3 bytes {JMP 0x15e090} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1268] 
C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000777a21f0 5 bytes JMP 0000000077900490 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000777a2200 5 bytes JMP 00000000779004a0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000777a2230 5 bytes JMP 0000000077900300 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000777a2240 5 bytes JMP 0000000077900360 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000777a22a0 5 bytes JMP 00000000779002a0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000777a22f0 5 bytes JMP 00000000779002c0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000777a2320 5 bytes JMP 0000000077900380 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000777a2330 5 bytes JMP 0000000077900340 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000777a2620 5 bytes JMP 0000000077900440 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000777a2820 5 bytes JMP 0000000077900260 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000777a2830 5 bytes JMP 0000000077900270 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000777a2840 5 bytes JMP 0000000077900400 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1268] 
C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000777a2a00 5 bytes JMP 00000000779001f0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000777a2a10 5 bytes JMP 0000000077900210 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000777a2a80 5 bytes JMP 0000000077900200 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000777a2ae0 5 bytes JMP 0000000077900420 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000777a2af0 5 bytes JMP 0000000077900430 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000777a2b00 5 bytes JMP 0000000077900220 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000777a2be0 5 bytes JMP 0000000077900280 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1268] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007768ee7d 1 byte [62] .text C:\Windows\system32\nvvsvc.exe[1276] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000777a13c0 5 bytes JMP 0000000077900460 .text C:\Windows\system32\nvvsvc.exe[1276] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000777a1410 5 bytes JMP 0000000077900450 .text C:\Windows\system32\nvvsvc.exe[1276] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000777a1570 5 bytes JMP 0000000077900370 .text C:\Windows\system32\nvvsvc.exe[1276] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000777a15c0 5 bytes JMP 0000000077900470 .text C:\Windows\system32\nvvsvc.exe[1276] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000777a15d0 5 bytes JMP 00000000779003e0 .text C:\Windows\system32\nvvsvc.exe[1276] 
C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000777a1680 5 bytes JMP 0000000077900320 .text C:\Windows\system32\nvvsvc.exe[1276] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000777a16b0 5 bytes JMP 00000000779003b0 .text C:\Windows\system32\nvvsvc.exe[1276] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000777a16d0 5 bytes JMP 0000000077900390 .text C:\Windows\system32\nvvsvc.exe[1276] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000777a1710 5 bytes JMP 00000000779002e0 .text C:\Windows\system32\nvvsvc.exe[1276] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000777a1790 5 bytes JMP 00000000779002d0 .text C:\Windows\system32\nvvsvc.exe[1276] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000777a17b0 5 bytes JMP 0000000077900310 .text C:\Windows\system32\nvvsvc.exe[1276] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000777a17f0 5 bytes JMP 00000000779003c0 .text C:\Windows\system32\nvvsvc.exe[1276] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000777a1840 5 bytes JMP 00000000779003f0 .text C:\Windows\system32\nvvsvc.exe[1276] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000777a19a0 1 byte JMP 0000000077900230 .text C:\Windows\system32\nvvsvc.exe[1276] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000777a19a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\nvvsvc.exe[1276] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000777a1b60 5 bytes JMP 0000000077900480 .text C:\Windows\system32\nvvsvc.exe[1276] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000777a1b90 5 bytes JMP 00000000779003a0 .text C:\Windows\system32\nvvsvc.exe[1276] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000777a1c70 5 bytes JMP 00000000779002f0 .text C:\Windows\system32\nvvsvc.exe[1276] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000777a1c80 5 bytes JMP 0000000077900350 .text C:\Windows\system32\nvvsvc.exe[1276] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000777a1ce0 5 bytes JMP 
0000000077900290 .text C:\Windows\system32\nvvsvc.exe[1276] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000777a1d70 5 bytes JMP 00000000779002b0 .text C:\Windows\system32\nvvsvc.exe[1276] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000777a1d90 5 bytes JMP 00000000779003d0 .text C:\Windows\system32\nvvsvc.exe[1276] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000777a1da0 1 byte JMP 0000000077900330 .text C:\Windows\system32\nvvsvc.exe[1276] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00000000777a1da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\nvvsvc.exe[1276] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000777a1e10 5 bytes JMP 0000000077900410 .text C:\Windows\system32\nvvsvc.exe[1276] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000777a1e40 5 bytes JMP 0000000077900240 .text C:\Windows\system32\nvvsvc.exe[1276] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000777a2100 5 bytes JMP 00000000779001e0 .text C:\Windows\system32\nvvsvc.exe[1276] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000777a21c0 1 byte JMP 0000000077900250 .text C:\Windows\system32\nvvsvc.exe[1276] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000777a21c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\nvvsvc.exe[1276] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000777a21f0 5 bytes JMP 0000000077900490 .text C:\Windows\system32\nvvsvc.exe[1276] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000777a2200 5 bytes JMP 00000000779004a0 .text C:\Windows\system32\nvvsvc.exe[1276] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000777a2230 5 bytes JMP 0000000077900300 .text C:\Windows\system32\nvvsvc.exe[1276] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000777a2240 5 bytes JMP 0000000077900360 .text C:\Windows\system32\nvvsvc.exe[1276] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000777a22a0 5 bytes JMP 00000000779002a0 .text C:\Windows\system32\nvvsvc.exe[1276] 
C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000777a22f0 5 bytes JMP 00000000779002c0 .text C:\Windows\system32\nvvsvc.exe[1276] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000777a2320 5 bytes JMP 0000000077900380 .text C:\Windows\system32\nvvsvc.exe[1276] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000777a2330 5 bytes JMP 0000000077900340 .text C:\Windows\system32\nvvsvc.exe[1276] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000777a2620 5 bytes JMP 0000000077900440 .text C:\Windows\system32\nvvsvc.exe[1276] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000777a2820 5 bytes JMP 0000000077900260 .text C:\Windows\system32\nvvsvc.exe[1276] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000777a2830 5 bytes JMP 0000000077900270 .text C:\Windows\system32\nvvsvc.exe[1276] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000777a2840 5 bytes JMP 0000000077900400 .text C:\Windows\system32\nvvsvc.exe[1276] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000777a2a00 5 bytes JMP 00000000779001f0 .text C:\Windows\system32\nvvsvc.exe[1276] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000777a2a10 5 bytes JMP 0000000077900210 .text C:\Windows\system32\nvvsvc.exe[1276] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000777a2a80 5 bytes JMP 0000000077900200 .text C:\Windows\system32\nvvsvc.exe[1276] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000777a2ae0 5 bytes JMP 0000000077900420 .text C:\Windows\system32\nvvsvc.exe[1276] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000777a2af0 5 bytes JMP 0000000077900430 .text C:\Windows\system32\nvvsvc.exe[1276] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000777a2b00 5 bytes JMP 0000000077900220 .text C:\Windows\system32\nvvsvc.exe[1276] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000777a2be0 5 bytes JMP 0000000077900280 .text C:\Windows\system32\nvvsvc.exe[1276] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007768ee7d 1 byte [62] .text 
C:\Windows\system32\Dwm.exe[1576] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000777a13c0 5 bytes JMP 0000000077900460 .text C:\Windows\system32\Dwm.exe[1576] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000777a1410 5 bytes JMP 0000000077900450 .text C:\Windows\system32\Dwm.exe[1576] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000777a1570 5 bytes JMP 0000000077900370 .text C:\Windows\system32\Dwm.exe[1576] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000777a15c0 5 bytes JMP 0000000077900470 .text C:\Windows\system32\Dwm.exe[1576] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000777a15d0 5 bytes JMP 00000000779003e0 .text C:\Windows\system32\Dwm.exe[1576] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000777a1680 5 bytes JMP 0000000077900320 .text C:\Windows\system32\Dwm.exe[1576] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000777a16b0 5 bytes JMP 00000000779003b0 .text C:\Windows\system32\Dwm.exe[1576] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000777a16d0 5 bytes JMP 0000000077900390 .text C:\Windows\system32\Dwm.exe[1576] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000777a1710 5 bytes JMP 00000000779002e0 .text C:\Windows\system32\Dwm.exe[1576] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000777a1790 5 bytes JMP 00000000779002d0 .text C:\Windows\system32\Dwm.exe[1576] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000777a17b0 5 bytes JMP 0000000077900310 .text C:\Windows\system32\Dwm.exe[1576] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000777a17f0 5 bytes JMP 00000000779003c0 .text C:\Windows\system32\Dwm.exe[1576] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000777a1840 5 bytes JMP 00000000779003f0 .text C:\Windows\system32\Dwm.exe[1576] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000777a19a0 1 byte JMP 0000000077900230 .text C:\Windows\system32\Dwm.exe[1576] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000777a19a2 3 bytes {JMP 0x15e890} .text 
C:\Windows\system32\Dwm.exe[1576] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000777a1b60 5 bytes JMP 0000000077900480 .text C:\Windows\system32\Dwm.exe[1576] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000777a1b90 5 bytes JMP 00000000779003a0 .text C:\Windows\system32\Dwm.exe[1576] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000777a1c70 5 bytes JMP 00000000779002f0 .text C:\Windows\system32\Dwm.exe[1576] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000777a1c80 5 bytes JMP 0000000077900350 .text C:\Windows\system32\Dwm.exe[1576] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000777a1ce0 5 bytes JMP 0000000077900290 .text C:\Windows\system32\Dwm.exe[1576] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000777a1d70 5 bytes JMP 00000000779002b0 .text C:\Windows\system32\Dwm.exe[1576] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000777a1d90 5 bytes JMP 00000000779003d0 .text C:\Windows\system32\Dwm.exe[1576] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000777a1da0 1 byte JMP 0000000077900330 .text C:\Windows\system32\Dwm.exe[1576] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00000000777a1da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\Dwm.exe[1576] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000777a1e10 5 bytes JMP 0000000077900410 .text C:\Windows\system32\Dwm.exe[1576] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000777a1e40 5 bytes JMP 0000000077900240 .text C:\Windows\system32\Dwm.exe[1576] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000777a2100 5 bytes JMP 00000000779001e0 .text C:\Windows\system32\Dwm.exe[1576] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000777a21c0 1 byte JMP 0000000077900250 .text C:\Windows\system32\Dwm.exe[1576] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000777a21c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\Dwm.exe[1576] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000777a21f0 5 bytes JMP 
0000000077900490 .text C:\Windows\system32\Dwm.exe[1576] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000777a2200 5 bytes JMP 00000000779004a0 .text C:\Windows\system32\Dwm.exe[1576] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000777a2230 5 bytes JMP 0000000077900300 .text C:\Windows\system32\Dwm.exe[1576] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000777a2240 5 bytes JMP 0000000077900360 .text C:\Windows\system32\Dwm.exe[1576] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000777a22a0 5 bytes JMP 00000000779002a0 .text C:\Windows\system32\Dwm.exe[1576] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000777a22f0 5 bytes JMP 00000000779002c0 .text C:\Windows\system32\Dwm.exe[1576] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000777a2320 5 bytes JMP 0000000077900380 .text C:\Windows\system32\Dwm.exe[1576] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000777a2330 5 bytes JMP 0000000077900340 .text C:\Windows\system32\Dwm.exe[1576] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000777a2620 5 bytes JMP 0000000077900440 .text C:\Windows\system32\Dwm.exe[1576] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000777a2820 5 bytes JMP 0000000077900260 .text C:\Windows\system32\Dwm.exe[1576] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000777a2830 5 bytes JMP 0000000077900270 .text C:\Windows\system32\Dwm.exe[1576] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000777a2840 5 bytes JMP 0000000077900400 .text C:\Windows\system32\Dwm.exe[1576] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000777a2a00 5 bytes JMP 00000000779001f0 .text C:\Windows\system32\Dwm.exe[1576] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000777a2a10 5 bytes JMP 0000000077900210 .text C:\Windows\system32\Dwm.exe[1576] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000777a2a80 5 bytes JMP 0000000077900200 .text C:\Windows\system32\Dwm.exe[1576] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000777a2ae0 5 
bytes JMP 0000000077900420 .text C:\Windows\system32\Dwm.exe[1576] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000777a2af0 5 bytes JMP 0000000077900430 .text C:\Windows\system32\Dwm.exe[1576] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000777a2b00 5 bytes JMP 0000000077900220 .text C:\Windows\system32\Dwm.exe[1576] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000777a2be0 5 bytes JMP 0000000077900280 .text C:\Windows\Explorer.EXE[1616] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000777a13c0 5 bytes JMP 0000000077900460 .text C:\Windows\Explorer.EXE[1616] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000777a1410 5 bytes JMP 0000000077900450 .text C:\Windows\Explorer.EXE[1616] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000777a1570 5 bytes JMP 0000000077900370 .text C:\Windows\Explorer.EXE[1616] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000777a15c0 5 bytes JMP 0000000077900470 .text C:\Windows\Explorer.EXE[1616] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000777a15d0 5 bytes JMP 00000000779003e0 .text C:\Windows\Explorer.EXE[1616] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000777a1680 5 bytes JMP 0000000077900320 .text C:\Windows\Explorer.EXE[1616] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000777a16b0 5 bytes JMP 00000000779003b0 .text C:\Windows\Explorer.EXE[1616] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000777a16d0 5 bytes JMP 0000000077900390 .text C:\Windows\Explorer.EXE[1616] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000777a1710 5 bytes JMP 00000000779002e0 .text C:\Windows\Explorer.EXE[1616] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000777a1790 5 bytes JMP 00000000779002d0 .text C:\Windows\Explorer.EXE[1616] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000777a17b0 5 bytes JMP 0000000077900310 .text C:\Windows\Explorer.EXE[1616] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000777a17f0 5 bytes JMP 00000000779003c0 .text 
C:\Windows\Explorer.EXE[1616] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000777a1840 5 bytes JMP 00000000779003f0 .text C:\Windows\Explorer.EXE[1616] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000777a19a0 1 byte JMP 0000000077900230 .text C:\Windows\Explorer.EXE[1616] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000777a19a2 3 bytes {JMP 0x15e890} .text C:\Windows\Explorer.EXE[1616] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000777a1b60 5 bytes JMP 0000000077900480 .text C:\Windows\Explorer.EXE[1616] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000777a1b90 5 bytes JMP 00000000779003a0 .text C:\Windows\Explorer.EXE[1616] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000777a1c70 5 bytes JMP 00000000779002f0 .text C:\Windows\Explorer.EXE[1616] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000777a1c80 5 bytes JMP 0000000077900350 .text C:\Windows\Explorer.EXE[1616] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000777a1ce0 5 bytes JMP 0000000077900290 .text C:\Windows\Explorer.EXE[1616] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000777a1d70 5 bytes JMP 00000000779002b0 .text C:\Windows\Explorer.EXE[1616] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000777a1d90 5 bytes JMP 00000000779003d0 .text C:\Windows\Explorer.EXE[1616] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000777a1da0 1 byte JMP 0000000077900330 .text C:\Windows\Explorer.EXE[1616] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00000000777a1da2 3 bytes {JMP 0x15e590} .text C:\Windows\Explorer.EXE[1616] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000777a1e10 5 bytes JMP 0000000077900410 .text C:\Windows\Explorer.EXE[1616] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000777a1e40 5 bytes JMP 0000000077900240 .text C:\Windows\Explorer.EXE[1616] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000777a2100 5 bytes JMP 00000000779001e0 .text C:\Windows\Explorer.EXE[1616] 
C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000777a21c0 1 byte JMP 0000000077900250 .text C:\Windows\Explorer.EXE[1616] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000777a21c2 3 bytes {JMP 0x15e090} .text C:\Windows\Explorer.EXE[1616] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000777a21f0 5 bytes JMP 0000000077900490 .text C:\Windows\Explorer.EXE[1616] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000777a2200 5 bytes JMP 00000000779004a0 .text C:\Windows\Explorer.EXE[1616] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000777a2230 5 bytes JMP 0000000077900300 .text C:\Windows\Explorer.EXE[1616] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000777a2240 5 bytes JMP 0000000077900360 .text C:\Windows\Explorer.EXE[1616] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000777a22a0 5 bytes JMP 00000000779002a0 .text C:\Windows\Explorer.EXE[1616] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000777a22f0 5 bytes JMP 00000000779002c0 .text C:\Windows\Explorer.EXE[1616] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000777a2320 5 bytes JMP 0000000077900380 .text C:\Windows\Explorer.EXE[1616] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000777a2330 5 bytes JMP 0000000077900340 .text C:\Windows\Explorer.EXE[1616] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000777a2620 5 bytes JMP 0000000077900440 .text C:\Windows\Explorer.EXE[1616] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000777a2820 5 bytes JMP 0000000077900260 .text C:\Windows\Explorer.EXE[1616] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000777a2830 5 bytes JMP 0000000077900270 .text C:\Windows\Explorer.EXE[1616] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000777a2840 5 bytes JMP 0000000077900400 .text C:\Windows\Explorer.EXE[1616] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000777a2a00 5 bytes JMP 00000000779001f0 .text C:\Windows\Explorer.EXE[1616] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 
00000000777a2a10 5 bytes JMP 0000000077900210 .text C:\Windows\Explorer.EXE[1616] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000777a2a80 5 bytes JMP 0000000077900200 .text C:\Windows\Explorer.EXE[1616] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000777a2ae0 5 bytes JMP 0000000077900420 .text C:\Windows\Explorer.EXE[1616] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000777a2af0 5 bytes JMP 0000000077900430 .text C:\Windows\Explorer.EXE[1616] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000777a2b00 5 bytes JMP 0000000077900220 .text C:\Windows\Explorer.EXE[1616] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000777a2be0 5 bytes JMP 0000000077900280 .text C:\Windows\Explorer.EXE[1616] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007768ee7d 1 byte [62] .text C:\Windows\system32\taskhost.exe[1676] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000777a13c0 5 bytes JMP 0000000077900460 .text C:\Windows\system32\taskhost.exe[1676] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000777a1410 5 bytes JMP 0000000077900450 .text C:\Windows\system32\taskhost.exe[1676] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000777a1570 5 bytes JMP 0000000077900370 .text C:\Windows\system32\taskhost.exe[1676] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000777a15c0 5 bytes JMP 0000000077900470 .text C:\Windows\system32\taskhost.exe[1676] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000777a15d0 5 bytes JMP 00000000779003e0 .text C:\Windows\system32\taskhost.exe[1676] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000777a1680 5 bytes JMP 0000000077900320 .text C:\Windows\system32\taskhost.exe[1676] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000777a16b0 5 bytes JMP 00000000779003b0 .text C:\Windows\system32\taskhost.exe[1676] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000777a16d0 5 bytes JMP 0000000077900390 .text C:\Windows\system32\taskhost.exe[1676] 
C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000777a1710 5 bytes JMP 00000000779002e0 .text C:\Windows\system32\taskhost.exe[1676] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000777a1790 5 bytes JMP 00000000779002d0 .text C:\Windows\system32\taskhost.exe[1676] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000777a17b0 5 bytes JMP 0000000077900310 .text C:\Windows\system32\taskhost.exe[1676] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000777a17f0 5 bytes JMP 00000000779003c0 .text C:\Windows\system32\taskhost.exe[1676] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000777a1840 5 bytes JMP 00000000779003f0 .text C:\Windows\system32\taskhost.exe[1676] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000777a19a0 1 byte JMP 0000000077900230 .text C:\Windows\system32\taskhost.exe[1676] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000777a19a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\taskhost.exe[1676] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000777a1b60 5 bytes JMP 0000000077900480 .text C:\Windows\system32\taskhost.exe[1676] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000777a1b90 5 bytes JMP 00000000779003a0 .text C:\Windows\system32\taskhost.exe[1676] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000777a1c70 5 bytes JMP 00000000779002f0 .text C:\Windows\system32\taskhost.exe[1676] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000777a1c80 5 bytes JMP 0000000077900350 .text C:\Windows\system32\taskhost.exe[1676] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000777a1ce0 5 bytes JMP 0000000077900290 .text C:\Windows\system32\taskhost.exe[1676] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000777a1d70 5 bytes JMP 00000000779002b0 .text C:\Windows\system32\taskhost.exe[1676] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000777a1d90 5 bytes JMP 00000000779003d0 .text C:\Windows\system32\taskhost.exe[1676] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000777a1da0 
1 byte JMP 0000000077900330 .text C:\Windows\system32\taskhost.exe[1676] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00000000777a1da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\taskhost.exe[1676] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000777a1e10 5 bytes JMP 0000000077900410 .text C:\Windows\system32\taskhost.exe[1676] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000777a1e40 5 bytes JMP 0000000077900240 .text C:\Windows\system32\taskhost.exe[1676] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000777a2100 5 bytes JMP 00000000779001e0 .text C:\Windows\system32\taskhost.exe[1676] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000777a21c0 1 byte JMP 0000000077900250 .text C:\Windows\system32\taskhost.exe[1676] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000777a21c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\taskhost.exe[1676] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000777a21f0 5 bytes JMP 0000000077900490 .text C:\Windows\system32\taskhost.exe[1676] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000777a2200 5 bytes JMP 00000000779004a0 .text C:\Windows\system32\taskhost.exe[1676] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000777a2230 5 bytes JMP 0000000077900300 .text C:\Windows\system32\taskhost.exe[1676] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000777a2240 5 bytes JMP 0000000077900360 .text C:\Windows\system32\taskhost.exe[1676] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000777a22a0 5 bytes JMP 00000000779002a0 .text C:\Windows\system32\taskhost.exe[1676] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000777a22f0 5 bytes JMP 00000000779002c0 .text C:\Windows\system32\taskhost.exe[1676] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000777a2320 5 bytes JMP 0000000077900380 .text C:\Windows\system32\taskhost.exe[1676] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000777a2330 5 bytes JMP 0000000077900340 .text C:\Windows\system32\taskhost.exe[1676] 
C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000777a2620 5 bytes JMP 0000000077900440 .text C:\Windows\system32\taskhost.exe[1676] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000777a2820 5 bytes JMP 0000000077900260 .text C:\Windows\system32\taskhost.exe[1676] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000777a2830 5 bytes JMP 0000000077900270 .text C:\Windows\system32\taskhost.exe[1676] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000777a2840 5 bytes JMP 0000000077900400 .text C:\Windows\system32\taskhost.exe[1676] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000777a2a00 5 bytes JMP 00000000779001f0 .text C:\Windows\system32\taskhost.exe[1676] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000777a2a10 5 bytes JMP 0000000077900210 .text C:\Windows\system32\taskhost.exe[1676] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000777a2a80 5 bytes JMP 0000000077900200 .text C:\Windows\system32\taskhost.exe[1676] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000777a2ae0 5 bytes JMP 0000000077900420 .text C:\Windows\system32\taskhost.exe[1676] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000777a2af0 5 bytes JMP 0000000077900430 .text C:\Windows\system32\taskhost.exe[1676] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000777a2b00 5 bytes JMP 0000000077900220 .text C:\Windows\system32\taskhost.exe[1676] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000777a2be0 5 bytes JMP 0000000077900280 .text C:\Windows\system32\taskhost.exe[1676] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007768ee7d 1 byte [62] .text C:\Windows\System32\spoolsv.exe[1732] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000777a13c0 5 bytes JMP 0000000100070460 .text C:\Windows\System32\spoolsv.exe[1732] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000777a1410 5 bytes JMP 0000000100070450 .text C:\Windows\System32\spoolsv.exe[1732] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000777a1570 
5 bytes JMP 0000000100070370 .text C:\Windows\System32\spoolsv.exe[1732] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000777a15c0 5 bytes JMP 0000000100070470 .text C:\Windows\System32\spoolsv.exe[1732] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000777a15d0 5 bytes JMP 00000001000703e0 .text C:\Windows\System32\spoolsv.exe[1732] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000777a1680 5 bytes JMP 0000000100070320 .text C:\Windows\System32\spoolsv.exe[1732] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000777a16b0 5 bytes JMP 00000001000703b0 .text C:\Windows\System32\spoolsv.exe[1732] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000777a16d0 5 bytes JMP 0000000100070390 .text C:\Windows\System32\spoolsv.exe[1732] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000777a1710 5 bytes JMP 00000001000702e0 .text C:\Windows\System32\spoolsv.exe[1732] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000777a1790 5 bytes JMP 00000001000702d0 .text C:\Windows\System32\spoolsv.exe[1732] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000777a17b0 5 bytes JMP 0000000100070310 .text C:\Windows\System32\spoolsv.exe[1732] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000777a17f0 5 bytes JMP 00000001000703c0 .text C:\Windows\System32\spoolsv.exe[1732] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000777a1840 5 bytes JMP 00000001000703f0 .text C:\Windows\System32\spoolsv.exe[1732] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000777a19a0 1 byte JMP 0000000100070230 .text C:\Windows\System32\spoolsv.exe[1732] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000777a19a2 3 bytes {JMP 0xffffffff888ce890} .text C:\Windows\System32\spoolsv.exe[1732] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000777a1b60 5 bytes JMP 0000000100070480 .text C:\Windows\System32\spoolsv.exe[1732] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000777a1b90 5 bytes JMP 00000001000703a0 .text 
C:\Windows\System32\spoolsv.exe[1732] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000777a1c70 5 bytes JMP 00000001000702f0 .text C:\Windows\System32\spoolsv.exe[1732] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000777a1c80 5 bytes JMP 0000000100070350 .text C:\Windows\System32\spoolsv.exe[1732] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000777a1ce0 5 bytes JMP 0000000100070290 .text C:\Windows\System32\spoolsv.exe[1732] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000777a1d70 5 bytes JMP 00000001000702b0 .text C:\Windows\System32\spoolsv.exe[1732] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000777a1d90 5 bytes JMP 00000001000703d0 .text C:\Windows\System32\spoolsv.exe[1732] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000777a1da0 1 byte JMP 0000000100070330 .text C:\Windows\System32\spoolsv.exe[1732] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00000000777a1da2 3 bytes {JMP 0xffffffff888ce590} .text C:\Windows\System32\spoolsv.exe[1732] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000777a1e10 5 bytes JMP 0000000100070410 .text C:\Windows\System32\spoolsv.exe[1732] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000777a1e40 5 bytes JMP 0000000100070240 .text C:\Windows\System32\spoolsv.exe[1732] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000777a2100 5 bytes JMP 00000001000701e0 .text C:\Windows\System32\spoolsv.exe[1732] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000777a21c0 1 byte JMP 0000000100070250 .text C:\Windows\System32\spoolsv.exe[1732] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000777a21c2 3 bytes {JMP 0xffffffff888ce090} .text C:\Windows\System32\spoolsv.exe[1732] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000777a21f0 5 bytes JMP 0000000100070490 .text C:\Windows\System32\spoolsv.exe[1732] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000777a2200 5 bytes JMP 00000001000704a0 .text C:\Windows\System32\spoolsv.exe[1732] 
C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000777a2230 5 bytes JMP 0000000100070300 .text C:\Windows\System32\spoolsv.exe[1732] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000777a2240 5 bytes JMP 0000000100070360 .text C:\Windows\System32\spoolsv.exe[1732] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000777a22a0 5 bytes JMP 00000001000702a0 .text C:\Windows\System32\spoolsv.exe[1732] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000777a22f0 5 bytes JMP 00000001000702c0 .text C:\Windows\System32\spoolsv.exe[1732] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000777a2320 5 bytes JMP 0000000100070380 .text C:\Windows\System32\spoolsv.exe[1732] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000777a2330 5 bytes JMP 0000000100070340 .text C:\Windows\System32\spoolsv.exe[1732] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000777a2620 5 bytes JMP 0000000100070440 .text C:\Windows\System32\spoolsv.exe[1732] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000777a2820 5 bytes JMP 0000000100070260 .text C:\Windows\System32\spoolsv.exe[1732] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000777a2830 5 bytes JMP 0000000100070270 .text C:\Windows\System32\spoolsv.exe[1732] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000777a2840 5 bytes JMP 0000000100070400 .text C:\Windows\System32\spoolsv.exe[1732] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000777a2a00 5 bytes JMP 00000001000701f0 .text C:\Windows\System32\spoolsv.exe[1732] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000777a2a10 5 bytes JMP 0000000100070210 .text C:\Windows\System32\spoolsv.exe[1732] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000777a2a80 5 bytes JMP 0000000100070200 .text C:\Windows\System32\spoolsv.exe[1732] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000777a2ae0 5 bytes JMP 0000000100070420 .text C:\Windows\System32\spoolsv.exe[1732] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000777a2af0 5 bytes JMP 
0000000100070430 .text C:\Windows\System32\spoolsv.exe[1732] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000777a2b00 5 bytes JMP 0000000100070220 .text C:\Windows\System32\spoolsv.exe[1732] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000777a2be0 5 bytes JMP 0000000100070280 .text C:\Windows\System32\spoolsv.exe[1732] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007768ee7d 1 byte [62] .text C:\Windows\system32\svchost.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000777a13c0 5 bytes JMP 0000000077900460 .text C:\Windows\system32\svchost.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000777a1410 5 bytes JMP 0000000077900450 .text C:\Windows\system32\svchost.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000777a1570 5 bytes JMP 0000000077900370 .text C:\Windows\system32\svchost.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000777a15c0 5 bytes JMP 0000000077900470 .text C:\Windows\system32\svchost.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000777a15d0 5 bytes JMP 00000000779003e0 .text C:\Windows\system32\svchost.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000777a1680 5 bytes JMP 0000000077900320 .text C:\Windows\system32\svchost.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000777a16b0 5 bytes JMP 00000000779003b0 .text C:\Windows\system32\svchost.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000777a16d0 5 bytes JMP 0000000077900390 .text C:\Windows\system32\svchost.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000777a1710 5 bytes JMP 00000000779002e0 .text C:\Windows\system32\svchost.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000777a1790 5 bytes JMP 00000000779002d0 .text C:\Windows\system32\svchost.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000777a17b0 5 bytes JMP 0000000077900310 .text C:\Windows\system32\svchost.exe[2004] 
C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000777a17f0 5 bytes JMP 00000000779003c0 .text C:\Windows\system32\svchost.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000777a1840 5 bytes JMP 00000000779003f0 .text C:\Windows\system32\svchost.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000777a19a0 1 byte JMP 0000000077900230 .text C:\Windows\system32\svchost.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000777a19a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\svchost.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000777a1b60 5 bytes JMP 0000000077900480 .text C:\Windows\system32\svchost.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000777a1b90 5 bytes JMP 00000000779003a0 .text C:\Windows\system32\svchost.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000777a1c70 5 bytes JMP 00000000779002f0 .text C:\Windows\system32\svchost.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000777a1c80 5 bytes JMP 0000000077900350 .text C:\Windows\system32\svchost.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000777a1ce0 5 bytes JMP 0000000077900290 .text C:\Windows\system32\svchost.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000777a1d70 5 bytes JMP 00000000779002b0 .text C:\Windows\system32\svchost.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000777a1d90 5 bytes JMP 00000000779003d0 .text C:\Windows\system32\svchost.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000777a1da0 1 byte JMP 0000000077900330 .text C:\Windows\system32\svchost.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00000000777a1da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\svchost.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000777a1e10 5 bytes JMP 0000000077900410 .text C:\Windows\system32\svchost.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000777a1e40 5 
bytes JMP 0000000077900240 .text C:\Windows\system32\svchost.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000777a2100 5 bytes JMP 00000000779001e0 .text C:\Windows\system32\svchost.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000777a21c0 1 byte JMP 0000000077900250 .text C:\Windows\system32\svchost.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000777a21c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\svchost.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000777a21f0 5 bytes JMP 0000000077900490 .text C:\Windows\system32\svchost.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000777a2200 5 bytes JMP 00000000779004a0 .text C:\Windows\system32\svchost.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000777a2230 5 bytes JMP 0000000077900300 .text C:\Windows\system32\svchost.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000777a2240 5 bytes JMP 0000000077900360 .text C:\Windows\system32\svchost.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000777a22a0 5 bytes JMP 00000000779002a0 .text C:\Windows\system32\svchost.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000777a22f0 5 bytes JMP 00000000779002c0 .text C:\Windows\system32\svchost.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000777a2320 5 bytes JMP 0000000077900380 .text C:\Windows\system32\svchost.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000777a2330 5 bytes JMP 0000000077900340 .text C:\Windows\system32\svchost.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000777a2620 5 bytes JMP 0000000077900440 .text C:\Windows\system32\svchost.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000777a2820 5 bytes JMP 0000000077900260 .text C:\Windows\system32\svchost.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000777a2830 5 bytes JMP 0000000077900270 .text C:\Windows\system32\svchost.exe[2004] 
C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000777a2840 5 bytes JMP 0000000077900400 .text C:\Windows\system32\svchost.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000777a2a00 5 bytes JMP 00000000779001f0 .text C:\Windows\system32\svchost.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000777a2a10 5 bytes JMP 0000000077900210 .text C:\Windows\system32\svchost.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000777a2a80 5 bytes JMP 0000000077900200 .text C:\Windows\system32\svchost.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000777a2ae0 5 bytes JMP 0000000077900420 .text C:\Windows\system32\svchost.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000777a2af0 5 bytes JMP 0000000077900430 .text C:\Windows\system32\svchost.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000777a2b00 5 bytes JMP 0000000077900220 .text C:\Windows\system32\svchost.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000777a2be0 5 bytes JMP 0000000077900280 .text C:\Windows\system32\svchost.exe[2004] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007768ee7d 1 byte [62] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1424] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000750aa2ea 1 byte [62] .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[1464] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000750aa2ea 1 byte [62] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2160] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000777a13c0 5 bytes JMP 0000000077900460 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2160] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000777a1410 5 bytes JMP 0000000077900450 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2160] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000777a1570 5 
bytes JMP 0000000077900370 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2160] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000777a15c0 5 bytes JMP 0000000077900470 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2160] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000777a15d0 5 bytes JMP 00000000779003e0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2160] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000777a1680 5 bytes JMP 0000000077900320 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2160] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000777a16b0 5 bytes JMP 00000000779003b0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2160] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000777a16d0 5 bytes JMP 0000000077900390 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2160] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000777a1710 5 bytes JMP 00000000779002e0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2160] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000777a1790 5 bytes JMP 00000000779002d0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2160] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000777a17b0 5 bytes JMP 0000000077900310 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2160] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000777a17f0 5 bytes JMP 00000000779003c0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2160] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000777a1840 5 bytes JMP 00000000779003f0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2160] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000777a19a0 1 byte JMP 0000000077900230 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2160] 
C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000777a19a2 3 bytes {JMP 0x15e890} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2160] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000777a1b60 5 bytes JMP 0000000077900480 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2160] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000777a1b90 5 bytes JMP 00000000779003a0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2160] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000777a1c70 5 bytes JMP 00000000779002f0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2160] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000777a1c80 5 bytes JMP 0000000077900350 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2160] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000777a1ce0 5 bytes JMP 0000000077900290 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2160] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000777a1d70 5 bytes JMP 00000000779002b0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2160] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000777a1d90 5 bytes JMP 00000000779003d0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2160] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000777a1da0 1 byte JMP 0000000077900330 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2160] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00000000777a1da2 3 bytes {JMP 0x15e590} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2160] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000777a1e10 5 bytes JMP 0000000077900410 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2160] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000777a1e40 5 bytes JMP 0000000077900240 .text C:\Program Files\NVIDIA 
Corporation\NvStreamSrv\nvstreamsvc.exe[2160] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000777a2100 5 bytes JMP 00000000779001e0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2160] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000777a21c0 1 byte JMP 0000000077900250 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2160] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000777a21c2 3 bytes {JMP 0x15e090} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2160] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000777a21f0 5 bytes JMP 0000000077900490 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2160] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000777a2200 5 bytes JMP 00000000779004a0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2160] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000777a2230 5 bytes JMP 0000000077900300 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2160] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000777a2240 5 bytes JMP 0000000077900360 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2160] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000777a22a0 5 bytes JMP 00000000779002a0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2160] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000777a22f0 5 bytes JMP 00000000779002c0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2160] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000777a2320 5 bytes JMP 0000000077900380 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2160] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000777a2330 5 bytes JMP 0000000077900340 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2160] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000777a2620 5 bytes JMP 0000000077900440 .text 
C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2160] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000777a2820 5 bytes JMP 0000000077900260 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2160] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000777a2830 5 bytes JMP 0000000077900270 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2160] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000777a2840 5 bytes JMP 0000000077900400 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2160] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000777a2a00 5 bytes JMP 00000000779001f0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2160] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000777a2a10 5 bytes JMP 0000000077900210 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2160] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000777a2a80 5 bytes JMP 0000000077900200 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2160] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000777a2ae0 5 bytes JMP 0000000077900420 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2160] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000777a2af0 5 bytes JMP 0000000077900430 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2160] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000777a2b00 5 bytes JMP 0000000077900220 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2160] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000777a2be0 5 bytes JMP 0000000077900280 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2160] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007768ee7d 1 byte [62] .text C:\Windows\SysWOW64\PnkBstrA.exe[2284] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000750aa2ea 1 byte [62] .text 
C:\Windows\SysWOW64\PnkBstrA.exe[2284] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 322 0000000074db1a22 2 bytes [DB, 74] .text C:\Windows\SysWOW64\PnkBstrA.exe[2284] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 496 0000000074db1ad0 2 bytes [DB, 74] .text C:\Windows\SysWOW64\PnkBstrA.exe[2284] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 552 0000000074db1b08 2 bytes [DB, 74] .text C:\Windows\SysWOW64\PnkBstrA.exe[2284] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 730 0000000074db1bba 2 bytes [DB, 74] .text C:\Windows\SysWOW64\PnkBstrA.exe[2284] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 762 0000000074db1bda 2 bytes [DB, 74] .text C:\Windows\SysWOW64\PnkBstrA.exe[2284] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000000021465 2 bytes [02, 00] .text C:\Windows\SysWOW64\PnkBstrA.exe[2284] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000000214bb 2 bytes [02, 00] .text ... * 2 .text C:\Windows\system32\svchost.exe[2312] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007768ee7d 1 byte [62] .text C:\Windows\system32\svchost.exe[2332] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000777a13c0 5 bytes JMP 0000000077900460 .text C:\Windows\system32\svchost.exe[2332] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000777a1410 5 bytes JMP 0000000077900450 .text C:\Windows\system32\svchost.exe[2332] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000777a1570 5 bytes JMP 0000000077900370 .text C:\Windows\system32\svchost.exe[2332] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000777a15c0 5 bytes JMP 0000000077900470 .text C:\Windows\system32\svchost.exe[2332] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000777a15d0 5 bytes JMP 00000000779003e0 .text C:\Windows\system32\svchost.exe[2332] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000777a1680 5 bytes JMP 0000000077900320 .text C:\Windows\system32\svchost.exe[2332] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000777a16b0 5 bytes JMP 
00000000779003b0 .text C:\Windows\system32\svchost.exe[2332] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000777a16d0 5 bytes JMP 0000000077900390 .text C:\Windows\system32\svchost.exe[2332] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000777a1710 5 bytes JMP 00000000779002e0 .text C:\Windows\system32\svchost.exe[2332] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000777a1790 5 bytes JMP 00000000779002d0 .text C:\Windows\system32\svchost.exe[2332] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000777a17b0 5 bytes JMP 0000000077900310 .text C:\Windows\system32\svchost.exe[2332] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000777a17f0 5 bytes JMP 00000000779003c0 .text C:\Windows\system32\svchost.exe[2332] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000777a1840 5 bytes JMP 00000000779003f0 .text C:\Windows\system32\svchost.exe[2332] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000777a19a0 1 byte JMP 0000000077900230 .text C:\Windows\system32\svchost.exe[2332] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000777a19a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\svchost.exe[2332] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000777a1b60 5 bytes JMP 0000000077900480 .text C:\Windows\system32\svchost.exe[2332] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000777a1b90 5 bytes JMP 00000000779003a0 .text C:\Windows\system32\svchost.exe[2332] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000777a1c70 5 bytes JMP 00000000779002f0 .text C:\Windows\system32\svchost.exe[2332] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000777a1c80 5 bytes JMP 0000000077900350 .text C:\Windows\system32\svchost.exe[2332] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000777a1ce0 5 bytes JMP 0000000077900290 .text C:\Windows\system32\svchost.exe[2332] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000777a1d70 5 bytes JMP 00000000779002b0 .text C:\Windows\system32\svchost.exe[2332] 
C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000777a1d90 5 bytes JMP 00000000779003d0 .text C:\Windows\system32\svchost.exe[2332] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000777a1da0 1 byte JMP 0000000077900330 .text C:\Windows\system32\svchost.exe[2332] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00000000777a1da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\svchost.exe[2332] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000777a1e10 5 bytes JMP 0000000077900410 .text C:\Windows\system32\svchost.exe[2332] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000777a1e40 5 bytes JMP 0000000077900240 .text C:\Windows\system32\svchost.exe[2332] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000777a2100 5 bytes JMP 00000000779001e0 .text C:\Windows\system32\svchost.exe[2332] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000777a21c0 1 byte JMP 0000000077900250 .text C:\Windows\system32\svchost.exe[2332] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000777a21c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\svchost.exe[2332] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000777a21f0 5 bytes JMP 0000000077900490 .text C:\Windows\system32\svchost.exe[2332] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000777a2200 5 bytes JMP 00000000779004a0 .text C:\Windows\system32\svchost.exe[2332] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000777a2230 5 bytes JMP 0000000077900300 .text C:\Windows\system32\svchost.exe[2332] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000777a2240 5 bytes JMP 0000000077900360 .text C:\Windows\system32\svchost.exe[2332] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000777a22a0 5 bytes JMP 00000000779002a0 .text C:\Windows\system32\svchost.exe[2332] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000777a22f0 5 bytes JMP 00000000779002c0 .text C:\Windows\system32\svchost.exe[2332] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000777a2320 5 bytes JMP 
0000000077900380 .text C:\Windows\system32\svchost.exe[2332] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000777a2330 5 bytes JMP 0000000077900340 .text C:\Windows\system32\svchost.exe[2332] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000777a2620 5 bytes JMP 0000000077900440 .text C:\Windows\system32\svchost.exe[2332] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000777a2820 5 bytes JMP 0000000077900260 .text C:\Windows\system32\svchost.exe[2332] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000777a2830 5 bytes JMP 0000000077900270 .text C:\Windows\system32\svchost.exe[2332] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000777a2840 5 bytes JMP 0000000077900400 .text C:\Windows\system32\svchost.exe[2332] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000777a2a00 5 bytes JMP 00000000779001f0 .text C:\Windows\system32\svchost.exe[2332] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000777a2a10 5 bytes JMP 0000000077900210 .text C:\Windows\system32\svchost.exe[2332] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000777a2a80 5 bytes JMP 0000000077900200 .text C:\Windows\system32\svchost.exe[2332] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000777a2ae0 5 bytes JMP 0000000077900420 .text C:\Windows\system32\svchost.exe[2332] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000777a2af0 5 bytes JMP 0000000077900430 .text C:\Windows\system32\svchost.exe[2332] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000777a2b00 5 bytes JMP 0000000077900220 .text C:\Windows\system32\svchost.exe[2332] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000777a2be0 5 bytes JMP 0000000077900280 .text C:\Windows\system32\svchost.exe[2332] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007768ee7d 1 byte [62] .text C:\Windows\system32\SearchIndexer.exe[2544] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000777a13c0 5 bytes JMP 0000000100070460 .text C:\Windows\system32\SearchIndexer.exe[2544] 
C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000777a1410 5 bytes JMP 0000000100070450 .text C:\Windows\system32\SearchIndexer.exe[2544] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000777a1570 5 bytes JMP 0000000100070370 .text C:\Windows\system32\SearchIndexer.exe[2544] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000777a15c0 5 bytes JMP 0000000100070470 .text C:\Windows\system32\SearchIndexer.exe[2544] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000777a15d0 5 bytes JMP 00000001000703e0 .text C:\Windows\system32\SearchIndexer.exe[2544] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000777a1680 5 bytes JMP 0000000100070320 .text C:\Windows\system32\SearchIndexer.exe[2544] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000777a16b0 5 bytes JMP 00000001000703b0 .text C:\Windows\system32\SearchIndexer.exe[2544] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000777a16d0 5 bytes JMP 0000000100070390 .text C:\Windows\system32\SearchIndexer.exe[2544] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000777a1710 5 bytes JMP 00000001000702e0 .text C:\Windows\system32\SearchIndexer.exe[2544] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000777a1790 5 bytes JMP 00000001000702d0 .text C:\Windows\system32\SearchIndexer.exe[2544] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000777a17b0 5 bytes JMP 0000000100070310 .text C:\Windows\system32\SearchIndexer.exe[2544] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000777a17f0 5 bytes JMP 00000001000703c0 .text C:\Windows\system32\SearchIndexer.exe[2544] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000777a1840 5 bytes JMP 00000001000703f0 .text C:\Windows\system32\SearchIndexer.exe[2544] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000777a19a0 1 byte JMP 0000000100070230 .text C:\Windows\system32\SearchIndexer.exe[2544] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000777a19a2 3 bytes {JMP 0xffffffff888ce890} .text 
C:\Windows\system32\SearchIndexer.exe[2544] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000777a1b60 5 bytes JMP 0000000100070480 .text C:\Windows\system32\SearchIndexer.exe[2544] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000777a1b90 5 bytes JMP 00000001000703a0 .text C:\Windows\system32\SearchIndexer.exe[2544] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000777a1c70 5 bytes JMP 00000001000702f0 .text C:\Windows\system32\SearchIndexer.exe[2544] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000777a1c80 5 bytes JMP 0000000100070350 .text C:\Windows\system32\SearchIndexer.exe[2544] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000777a1ce0 5 bytes JMP 0000000100070290 .text C:\Windows\system32\SearchIndexer.exe[2544] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000777a1d70 5 bytes JMP 00000001000702b0 .text C:\Windows\system32\SearchIndexer.exe[2544] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000777a1d90 5 bytes JMP 00000001000703d0 .text C:\Windows\system32\SearchIndexer.exe[2544] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000777a1da0 1 byte JMP 0000000100070330 .text C:\Windows\system32\SearchIndexer.exe[2544] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00000000777a1da2 3 bytes {JMP 0xffffffff888ce590} .text C:\Windows\system32\SearchIndexer.exe[2544] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000777a1e10 5 bytes JMP 0000000100070410 .text C:\Windows\system32\SearchIndexer.exe[2544] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000777a1e40 5 bytes JMP 0000000100070240 .text C:\Windows\system32\SearchIndexer.exe[2544] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000777a2100 5 bytes JMP 00000001000701e0 .text C:\Windows\system32\SearchIndexer.exe[2544] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000777a21c0 1 byte JMP 0000000100070250 .text C:\Windows\system32\SearchIndexer.exe[2544] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000777a21c2 3 
bytes {JMP 0xffffffff888ce090} .text C:\Windows\system32\SearchIndexer.exe[2544] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000777a21f0 5 bytes JMP 0000000100070490 .text C:\Windows\system32\SearchIndexer.exe[2544] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000777a2200 5 bytes JMP 00000001000704a0 .text C:\Windows\system32\SearchIndexer.exe[2544] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000777a2230 5 bytes JMP 0000000100070300 .text C:\Windows\system32\SearchIndexer.exe[2544] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000777a2240 5 bytes JMP 0000000100070360 .text C:\Windows\system32\SearchIndexer.exe[2544] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000777a22a0 5 bytes JMP 00000001000702a0 .text C:\Windows\system32\SearchIndexer.exe[2544] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000777a22f0 5 bytes JMP 00000001000702c0 .text C:\Windows\system32\SearchIndexer.exe[2544] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000777a2320 5 bytes JMP 0000000100070380 .text C:\Windows\system32\SearchIndexer.exe[2544] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000777a2330 5 bytes JMP 0000000100070340 .text C:\Windows\system32\SearchIndexer.exe[2544] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000777a2620 5 bytes JMP 0000000100070440 .text C:\Windows\system32\SearchIndexer.exe[2544] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000777a2820 5 bytes JMP 0000000100070260 .text C:\Windows\system32\SearchIndexer.exe[2544] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000777a2830 5 bytes JMP 0000000100070270 .text C:\Windows\system32\SearchIndexer.exe[2544] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000777a2840 5 bytes JMP 0000000100070400 .text C:\Windows\system32\SearchIndexer.exe[2544] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000777a2a00 5 bytes JMP 00000001000701f0 .text C:\Windows\system32\SearchIndexer.exe[2544] 
C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000777a2a10 5 bytes JMP 0000000100070210 .text C:\Windows\system32\SearchIndexer.exe[2544] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000777a2a80 5 bytes JMP 0000000100070200 .text C:\Windows\system32\SearchIndexer.exe[2544] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000777a2ae0 5 bytes JMP 0000000100070420 .text C:\Windows\system32\SearchIndexer.exe[2544] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000777a2af0 5 bytes JMP 0000000100070430 .text C:\Windows\system32\SearchIndexer.exe[2544] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000777a2b00 5 bytes JMP 0000000100070220 .text C:\Windows\system32\SearchIndexer.exe[2544] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000777a2be0 5 bytes JMP 0000000100070280 .text C:\Windows\system32\SearchIndexer.exe[2544] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007768ee7d 1 byte [62] .text C:\Windows\system32\rundll32.exe[2644] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000777a13c0 5 bytes JMP 0000000077900460 .text C:\Windows\system32\rundll32.exe[2644] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000777a1410 5 bytes JMP 0000000077900450 .text C:\Windows\system32\rundll32.exe[2644] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000777a1570 5 bytes JMP 0000000077900370 .text C:\Windows\system32\rundll32.exe[2644] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000777a15c0 5 bytes JMP 0000000077900470 .text C:\Windows\system32\rundll32.exe[2644] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000777a15d0 5 bytes JMP 00000000779003e0 .text C:\Windows\system32\rundll32.exe[2644] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000777a1680 5 bytes JMP 0000000077900320 .text C:\Windows\system32\rundll32.exe[2644] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000777a16b0 5 bytes JMP 00000000779003b0 .text C:\Windows\system32\rundll32.exe[2644] 
C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000777a16d0 5 bytes JMP 0000000077900390 .text C:\Windows\system32\rundll32.exe[2644] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000777a1710 5 bytes JMP 00000000779002e0 .text C:\Windows\system32\rundll32.exe[2644] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000777a1790 5 bytes JMP 00000000779002d0 .text C:\Windows\system32\rundll32.exe[2644] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000777a17b0 5 bytes JMP 0000000077900310 .text C:\Windows\system32\rundll32.exe[2644] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000777a17f0 5 bytes JMP 00000000779003c0 .text C:\Windows\system32\rundll32.exe[2644] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000777a1840 5 bytes JMP 00000000779003f0 .text C:\Windows\system32\rundll32.exe[2644] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000777a19a0 1 byte JMP 0000000077900230 .text C:\Windows\system32\rundll32.exe[2644] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000777a19a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\rundll32.exe[2644] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000777a1b60 5 bytes JMP 0000000077900480 .text C:\Windows\system32\rundll32.exe[2644] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000777a1b90 5 bytes JMP 00000000779003a0 .text C:\Windows\system32\rundll32.exe[2644] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000777a1c70 5 bytes JMP 00000000779002f0 .text C:\Windows\system32\rundll32.exe[2644] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000777a1c80 5 bytes JMP 0000000077900350 .text C:\Windows\system32\rundll32.exe[2644] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000777a1ce0 5 bytes JMP 0000000077900290 .text C:\Windows\system32\rundll32.exe[2644] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000777a1d70 5 bytes JMP 00000000779002b0 .text C:\Windows\system32\rundll32.exe[2644] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 
00000000777a1d90 5 bytes JMP 00000000779003d0 .text C:\Windows\system32\rundll32.exe[2644] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000777a1da0 1 byte JMP 0000000077900330 .text C:\Windows\system32\rundll32.exe[2644] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00000000777a1da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\rundll32.exe[2644] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000777a1e10 5 bytes JMP 0000000077900410 .text C:\Windows\system32\rundll32.exe[2644] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000777a1e40 5 bytes JMP 0000000077900240 .text C:\Windows\system32\rundll32.exe[2644] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000777a2100 5 bytes JMP 00000000779001e0 .text C:\Windows\system32\rundll32.exe[2644] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000777a21c0 1 byte JMP 0000000077900250 .text C:\Windows\system32\rundll32.exe[2644] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000777a21c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\rundll32.exe[2644] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000777a21f0 5 bytes JMP 0000000077900490 .text C:\Windows\system32\rundll32.exe[2644] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000777a2200 5 bytes JMP 00000000779004a0 .text C:\Windows\system32\rundll32.exe[2644] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000777a2230 5 bytes JMP 0000000077900300 .text C:\Windows\system32\rundll32.exe[2644] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000777a2240 5 bytes JMP 0000000077900360 .text C:\Windows\system32\rundll32.exe[2644] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000777a22a0 5 bytes JMP 00000000779002a0 .text C:\Windows\system32\rundll32.exe[2644] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000777a22f0 5 bytes JMP 00000000779002c0 .text C:\Windows\system32\rundll32.exe[2644] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000777a2320 5 bytes JMP 0000000077900380 .text 
C:\Windows\system32\rundll32.exe[2644] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000777a2330 5 bytes JMP 0000000077900340 .text C:\Windows\system32\rundll32.exe[2644] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000777a2620 5 bytes JMP 0000000077900440 .text C:\Windows\system32\rundll32.exe[2644] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000777a2820 5 bytes JMP 0000000077900260 .text C:\Windows\system32\rundll32.exe[2644] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000777a2830 5 bytes JMP 0000000077900270 .text C:\Windows\system32\rundll32.exe[2644] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000777a2840 5 bytes JMP 0000000077900400 .text C:\Windows\system32\rundll32.exe[2644] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000777a2a00 5 bytes JMP 00000000779001f0 .text C:\Windows\system32\rundll32.exe[2644] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000777a2a10 5 bytes JMP 0000000077900210 .text C:\Windows\system32\rundll32.exe[2644] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000777a2a80 5 bytes JMP 0000000077900200 .text C:\Windows\system32\rundll32.exe[2644] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000777a2ae0 5 bytes JMP 0000000077900420 .text C:\Windows\system32\rundll32.exe[2644] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000777a2af0 5 bytes JMP 0000000077900430 .text C:\Windows\system32\rundll32.exe[2644] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000777a2b00 5 bytes JMP 0000000077900220 .text C:\Windows\system32\rundll32.exe[2644] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000777a2be0 5 bytes JMP 0000000077900280 .text C:\Windows\system32\rundll32.exe[2644] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007768ee7d 1 byte [62] .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3056] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000777a13c0 5 bytes JMP 0000000077900460 .text C:\Program Files\NVIDIA 
Corporation\Display\nvtray.exe[3056] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000777a1410 5 bytes JMP 0000000077900450 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3056] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000777a1570 5 bytes JMP 0000000077900370 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3056] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000777a15c0 5 bytes JMP 0000000077900470 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3056] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000777a15d0 5 bytes JMP 00000000779003e0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3056] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000777a1680 5 bytes JMP 0000000077900320 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3056] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000777a16b0 5 bytes JMP 00000000779003b0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3056] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000777a16d0 5 bytes JMP 0000000077900390 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3056] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000777a1710 5 bytes JMP 00000000779002e0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3056] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000777a1790 5 bytes JMP 00000000779002d0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3056] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000777a17b0 5 bytes JMP 0000000077900310 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3056] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000777a17f0 5 bytes JMP 00000000779003c0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3056] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000777a1840 5 bytes JMP 00000000779003f0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3056] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 
00000000777a19a0 1 byte JMP 0000000077900230 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3056] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000777a19a2 3 bytes {JMP 0x15e890} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3056] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000777a1b60 5 bytes JMP 0000000077900480 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3056] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000777a1b90 5 bytes JMP 00000000779003a0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3056] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000777a1c70 5 bytes JMP 00000000779002f0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3056] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000777a1c80 5 bytes JMP 0000000077900350 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3056] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000777a1ce0 5 bytes JMP 0000000077900290 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3056] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000777a1d70 5 bytes JMP 00000000779002b0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3056] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000777a1d90 5 bytes JMP 00000000779003d0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3056] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000777a1da0 1 byte JMP 0000000077900330 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3056] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00000000777a1da2 3 bytes {JMP 0x15e590} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3056] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000777a1e10 5 bytes JMP 0000000077900410 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3056] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000777a1e40 5 bytes JMP 0000000077900240 .text C:\Program 
Files\NVIDIA Corporation\Display\nvtray.exe[3056] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000777a2100 5 bytes JMP 00000000779001e0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3056] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000777a21c0 1 byte JMP 0000000077900250 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3056] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000777a21c2 3 bytes {JMP 0x15e090} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3056] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000777a21f0 5 bytes JMP 0000000077900490 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3056] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000777a2200 5 bytes JMP 00000000779004a0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3056] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000777a2230 5 bytes JMP 0000000077900300 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3056] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000777a2240 5 bytes JMP 0000000077900360 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3056] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000777a22a0 5 bytes JMP 00000000779002a0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3056] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000777a22f0 5 bytes JMP 00000000779002c0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3056] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000777a2320 5 bytes JMP 0000000077900380 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3056] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000777a2330 5 bytes JMP 0000000077900340 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3056] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000777a2620 5 bytes JMP 0000000077900440 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3056] 
C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000777a2820 5 bytes JMP 0000000077900260 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3056] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000777a2830 5 bytes JMP 0000000077900270 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3056] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000777a2840 5 bytes JMP 0000000077900400 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3056] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000777a2a00 5 bytes JMP 00000000779001f0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3056] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000777a2a10 5 bytes JMP 0000000077900210 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3056] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000777a2a80 5 bytes JMP 0000000077900200 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3056] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000777a2ae0 5 bytes JMP 0000000077900420 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3056] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000777a2af0 5 bytes JMP 0000000077900430 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3056] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000777a2b00 5 bytes JMP 0000000077900220 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3056] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000777a2be0 5 bytes JMP 0000000077900280 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3056] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007768ee7d 1 byte [62] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000777a13c0 5 bytes JMP 0000000077900460 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000777a1410 5 bytes JMP 
0000000077900450 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000777a1570 5 bytes JMP 0000000077900370 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000777a15c0 5 bytes JMP 0000000077900470 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000777a15d0 5 bytes JMP 00000000779003e0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000777a1680 5 bytes JMP 0000000077900320 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000777a16b0 5 bytes JMP 00000000779003b0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000777a16d0 5 bytes JMP 0000000077900390 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000777a1710 5 bytes JMP 00000000779002e0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000777a1790 5 bytes JMP 00000000779002d0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000777a17b0 5 bytes JMP 0000000077900310 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000777a17f0 5 bytes JMP 00000000779003c0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000777a1840 5 bytes JMP 00000000779003f0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000777a19a0 1 byte JMP 0000000077900230 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000777a19a2 3 bytes {JMP 0x15e890} 
.text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000777a1b60 5 bytes JMP 0000000077900480 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000777a1b90 5 bytes JMP 00000000779003a0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000777a1c70 5 bytes JMP 00000000779002f0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000777a1c80 5 bytes JMP 0000000077900350 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000777a1ce0 5 bytes JMP 0000000077900290 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000777a1d70 5 bytes JMP 00000000779002b0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000777a1d90 5 bytes JMP 00000000779003d0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000777a1da0 1 byte JMP 0000000077900330 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00000000777a1da2 3 bytes {JMP 0x15e590} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000777a1e10 5 bytes JMP 0000000077900410 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000777a1e40 5 bytes JMP 0000000077900240 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000777a2100 5 bytes JMP 00000000779001e0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000777a21c0 1 byte JMP 
0000000077900250 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000777a21c2 3 bytes {JMP 0x15e090} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000777a21f0 5 bytes JMP 0000000077900490 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000777a2200 5 bytes JMP 00000000779004a0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000777a2230 5 bytes JMP 0000000077900300 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000777a2240 5 bytes JMP 0000000077900360 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000777a22a0 5 bytes JMP 00000000779002a0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000777a22f0 5 bytes JMP 00000000779002c0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000777a2320 5 bytes JMP 0000000077900380 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000777a2330 5 bytes JMP 0000000077900340 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000777a2620 5 bytes JMP 0000000077900440 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000777a2820 5 bytes JMP 0000000077900260 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000777a2830 5 bytes JMP 0000000077900270 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000777a2840 5 bytes JMP 
0000000077900400 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000777a2a00 5 bytes JMP 00000000779001f0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000777a2a10 5 bytes JMP 0000000077900210 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000777a2a80 5 bytes JMP 0000000077900200 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000777a2ae0 5 bytes JMP 0000000077900420 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000777a2af0 5 bytes JMP 0000000077900430 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000777a2b00 5 bytes JMP 0000000077900220 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000777a2be0 5 bytes JMP 0000000077900280 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1800] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007768ee7d 1 byte [62] .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[1640] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000750aa2ea 1 byte [62] .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2268] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000750aa2ea 1 byte [62] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3156] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000750aa2ea 1 byte [62] .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[3172] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000750aa2ea 1 byte [62] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3524] 
C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000777a13c0 5 bytes JMP 0000000077900460 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3524] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000777a1410 5 bytes JMP 0000000077900450 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3524] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000777a1570 5 bytes JMP 0000000077900370 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3524] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000777a15c0 5 bytes JMP 0000000077900470 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3524] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000777a15d0 5 bytes JMP 00000000779003e0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3524] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000777a1680 5 bytes JMP 0000000077900320 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3524] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000777a16b0 5 bytes JMP 00000000779003b0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3524] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000777a16d0 5 bytes JMP 0000000077900390 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3524] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000777a1710 5 bytes JMP 00000000779002e0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3524] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000777a1790 5 bytes JMP 00000000779002d0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3524] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000777a17b0 5 bytes JMP 0000000077900310 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3524] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000777a17f0 5 bytes JMP 00000000779003c0 .text C:\Program Files\NVIDIA 
Corporation\NvStreamSrv\nvstreamsvc.exe[3524] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000777a1840 5 bytes JMP 00000000779003f0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3524] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000777a19a0 1 byte JMP 0000000077900230 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3524] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000777a19a2 3 bytes {JMP 0x15e890} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3524] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000777a1b60 5 bytes JMP 0000000077900480 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3524] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000777a1b90 5 bytes JMP 00000000779003a0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3524] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000777a1c70 5 bytes JMP 00000000779002f0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3524] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000777a1c80 5 bytes JMP 0000000077900350 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3524] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000777a1ce0 5 bytes JMP 0000000077900290 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3524] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000777a1d70 5 bytes JMP 00000000779002b0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3524] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000777a1d90 5 bytes JMP 00000000779003d0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3524] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000777a1da0 1 byte JMP 0000000077900330 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3524] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00000000777a1da2 3 bytes {JMP 
0x15e590} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3524] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000777a1e10 5 bytes JMP 0000000077900410 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3524] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000777a1e40 5 bytes JMP 0000000077900240 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3524] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000777a2100 5 bytes JMP 00000000779001e0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3524] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000777a21c0 1 byte JMP 0000000077900250 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3524] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000777a21c2 3 bytes {JMP 0x15e090} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3524] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000777a21f0 5 bytes JMP 0000000077900490 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3524] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000777a2200 5 bytes JMP 00000000779004a0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3524] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000777a2230 5 bytes JMP 0000000077900300 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3524] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000777a2240 5 bytes JMP 0000000077900360 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3524] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000777a22a0 5 bytes JMP 00000000779002a0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3524] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000777a22f0 5 bytes JMP 00000000779002c0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3524] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 
00000000777a2320 5 bytes JMP 0000000077900380 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3524] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000777a2330 5 bytes JMP 0000000077900340 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3524] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000777a2620 5 bytes JMP 0000000077900440 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3524] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000777a2820 5 bytes JMP 0000000077900260 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3524] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000777a2830 5 bytes JMP 0000000077900270 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3524] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000777a2840 5 bytes JMP 0000000077900400 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3524] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000777a2a00 5 bytes JMP 00000000779001f0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3524] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000777a2a10 5 bytes JMP 0000000077900210 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3524] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000777a2a80 5 bytes JMP 0000000077900200 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3524] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000777a2ae0 5 bytes JMP 0000000077900420 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3524] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000777a2af0 5 bytes JMP 0000000077900430 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3524] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000777a2b00 5 bytes JMP 0000000077900220 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3524] 
C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000777a2be0 5 bytes JMP 0000000077900280 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3524] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007768ee7d 1 byte [62] .text C:\Windows\system32\conhost.exe[3532] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000777a13c0 5 bytes JMP 0000000077900460 .text C:\Windows\system32\conhost.exe[3532] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000777a1410 5 bytes JMP 0000000077900450 .text C:\Windows\system32\conhost.exe[3532] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000777a1570 5 bytes JMP 0000000077900370 .text C:\Windows\system32\conhost.exe[3532] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000777a15c0 5 bytes JMP 0000000077900470 .text C:\Windows\system32\conhost.exe[3532] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000777a15d0 5 bytes JMP 00000000779003e0 .text C:\Windows\system32\conhost.exe[3532] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000777a1680 5 bytes JMP 0000000077900320 .text C:\Windows\system32\conhost.exe[3532] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000777a16b0 5 bytes JMP 00000000779003b0 .text C:\Windows\system32\conhost.exe[3532] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000777a16d0 5 bytes JMP 0000000077900390 .text C:\Windows\system32\conhost.exe[3532] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000777a1710 5 bytes JMP 00000000779002e0 .text C:\Windows\system32\conhost.exe[3532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000777a1790 5 bytes JMP 00000000779002d0 .text C:\Windows\system32\conhost.exe[3532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000777a17b0 5 bytes JMP 0000000077900310 .text C:\Windows\system32\conhost.exe[3532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000777a17f0 5 bytes JMP 00000000779003c0 .text C:\Windows\system32\conhost.exe[3532] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 
00000000777a1840 5 bytes JMP 00000000779003f0 .text C:\Windows\system32\conhost.exe[3532] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000777a19a0 1 byte JMP 0000000077900230 .text C:\Windows\system32\conhost.exe[3532] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000777a19a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\conhost.exe[3532] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000777a1b60 5 bytes JMP 0000000077900480 .text C:\Windows\system32\conhost.exe[3532] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000777a1b90 5 bytes JMP 00000000779003a0 .text C:\Windows\system32\conhost.exe[3532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000777a1c70 5 bytes JMP 00000000779002f0 .text C:\Windows\system32\conhost.exe[3532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000777a1c80 5 bytes JMP 0000000077900350 .text C:\Windows\system32\conhost.exe[3532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000777a1ce0 5 bytes JMP 0000000077900290 .text C:\Windows\system32\conhost.exe[3532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000777a1d70 5 bytes JMP 00000000779002b0 .text C:\Windows\system32\conhost.exe[3532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000777a1d90 5 bytes JMP 00000000779003d0 .text C:\Windows\system32\conhost.exe[3532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000777a1da0 1 byte JMP 0000000077900330 .text C:\Windows\system32\conhost.exe[3532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00000000777a1da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\conhost.exe[3532] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000777a1e10 5 bytes JMP 0000000077900410 .text C:\Windows\system32\conhost.exe[3532] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000777a1e40 5 bytes JMP 0000000077900240 .text C:\Windows\system32\conhost.exe[3532] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000777a2100 5 bytes JMP 00000000779001e0 .text 
C:\Windows\system32\conhost.exe[3532] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000777a21c0 1 byte JMP 0000000077900250 .text C:\Windows\system32\conhost.exe[3532] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000777a21c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\conhost.exe[3532] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000777a21f0 5 bytes JMP 0000000077900490 .text C:\Windows\system32\conhost.exe[3532] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000777a2200 5 bytes JMP 00000000779004a0 .text C:\Windows\system32\conhost.exe[3532] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000777a2230 5 bytes JMP 0000000077900300 .text C:\Windows\system32\conhost.exe[3532] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000777a2240 5 bytes JMP 0000000077900360 .text C:\Windows\system32\conhost.exe[3532] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000777a22a0 5 bytes JMP 00000000779002a0 .text C:\Windows\system32\conhost.exe[3532] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000777a22f0 5 bytes JMP 00000000779002c0 .text C:\Windows\system32\conhost.exe[3532] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000777a2320 5 bytes JMP 0000000077900380 .text C:\Windows\system32\conhost.exe[3532] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000777a2330 5 bytes JMP 0000000077900340 .text C:\Windows\system32\conhost.exe[3532] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000777a2620 5 bytes JMP 0000000077900440 .text C:\Windows\system32\conhost.exe[3532] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000777a2820 5 bytes JMP 0000000077900260 .text C:\Windows\system32\conhost.exe[3532] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000777a2830 5 bytes JMP 0000000077900270 .text C:\Windows\system32\conhost.exe[3532] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000777a2840 5 bytes JMP 0000000077900400 .text C:\Windows\system32\conhost.exe[3532] 
C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000777a2a00 5 bytes JMP 00000000779001f0 .text C:\Windows\system32\conhost.exe[3532] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000777a2a10 5 bytes JMP 0000000077900210 .text C:\Windows\system32\conhost.exe[3532] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000777a2a80 5 bytes JMP 0000000077900200 .text C:\Windows\system32\conhost.exe[3532] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000777a2ae0 5 bytes JMP 0000000077900420 .text C:\Windows\system32\conhost.exe[3532] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000777a2af0 5 bytes JMP 0000000077900430 .text C:\Windows\system32\conhost.exe[3532] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000777a2b00 5 bytes JMP 0000000077900220 .text C:\Windows\system32\conhost.exe[3532] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000777a2be0 5 bytes JMP 0000000077900280 .text C:\Windows\system32\conhost.exe[3532] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007768ee7d 1 byte [62] .text C:\Windows\System32\svchost.exe[3948] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000777a13c0 5 bytes JMP 0000000077900460 .text C:\Windows\System32\svchost.exe[3948] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000777a1410 5 bytes JMP 0000000077900450 .text C:\Windows\System32\svchost.exe[3948] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000777a1570 5 bytes JMP 0000000077900370 .text C:\Windows\System32\svchost.exe[3948] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000777a15c0 5 bytes JMP 0000000077900470 .text C:\Windows\System32\svchost.exe[3948] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000777a15d0 5 bytes JMP 00000000779003e0 .text C:\Windows\System32\svchost.exe[3948] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000777a1680 5 bytes JMP 0000000077900320 .text C:\Windows\System32\svchost.exe[3948] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000777a16b0 5 
bytes JMP 00000000779003b0 .text C:\Windows\System32\svchost.exe[3948] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000777a16d0 5 bytes JMP 0000000077900390 .text C:\Windows\System32\svchost.exe[3948] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000777a1710 5 bytes JMP 00000000779002e0 .text C:\Windows\System32\svchost.exe[3948] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000777a1790 5 bytes JMP 00000000779002d0 .text C:\Windows\System32\svchost.exe[3948] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000777a17b0 5 bytes JMP 0000000077900310 .text C:\Windows\System32\svchost.exe[3948] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000777a17f0 5 bytes JMP 00000000779003c0 .text C:\Windows\System32\svchost.exe[3948] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000777a1840 5 bytes JMP 00000000779003f0 .text C:\Windows\System32\svchost.exe[3948] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000777a19a0 1 byte JMP 0000000077900230 .text C:\Windows\System32\svchost.exe[3948] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000777a19a2 3 bytes {JMP 0x15e890} .text C:\Windows\System32\svchost.exe[3948] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000777a1b60 5 bytes JMP 0000000077900480 .text C:\Windows\System32\svchost.exe[3948] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000777a1b90 5 bytes JMP 00000000779003a0 .text C:\Windows\System32\svchost.exe[3948] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000777a1c70 5 bytes JMP 00000000779002f0 .text C:\Windows\System32\svchost.exe[3948] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000777a1c80 5 bytes JMP 0000000077900350 .text C:\Windows\System32\svchost.exe[3948] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000777a1ce0 5 bytes JMP 0000000077900290 .text C:\Windows\System32\svchost.exe[3948] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000777a1d70 5 bytes JMP 00000000779002b0 .text C:\Windows\System32\svchost.exe[3948] 
C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000777a1d90 5 bytes JMP 00000000779003d0 .text C:\Windows\System32\svchost.exe[3948] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000777a1da0 1 byte JMP 0000000077900330 .text C:\Windows\System32\svchost.exe[3948] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00000000777a1da2 3 bytes {JMP 0x15e590} .text C:\Windows\System32\svchost.exe[3948] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000777a1e10 5 bytes JMP 0000000077900410 .text C:\Windows\System32\svchost.exe[3948] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000777a1e40 5 bytes JMP 0000000077900240 .text C:\Windows\System32\svchost.exe[3948] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000777a2100 5 bytes JMP 00000000779001e0 .text C:\Windows\System32\svchost.exe[3948] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000777a21c0 1 byte JMP 0000000077900250 .text C:\Windows\System32\svchost.exe[3948] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000777a21c2 3 bytes {JMP 0x15e090} .text C:\Windows\System32\svchost.exe[3948] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000777a21f0 5 bytes JMP 0000000077900490 .text C:\Windows\System32\svchost.exe[3948] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000777a2200 5 bytes JMP 00000000779004a0 .text C:\Windows\System32\svchost.exe[3948] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000777a2230 5 bytes JMP 0000000077900300 .text C:\Windows\System32\svchost.exe[3948] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000777a2240 5 bytes JMP 0000000077900360 .text C:\Windows\System32\svchost.exe[3948] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000777a22a0 5 bytes JMP 00000000779002a0 .text C:\Windows\System32\svchost.exe[3948] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000777a22f0 5 bytes JMP 00000000779002c0 .text C:\Windows\System32\svchost.exe[3948] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000777a2320 5 bytes JMP 
0000000077900380 .text C:\Windows\System32\svchost.exe[3948] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000777a2330 5 bytes JMP 0000000077900340 .text C:\Windows\System32\svchost.exe[3948] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000777a2620 5 bytes JMP 0000000077900440 .text C:\Windows\System32\svchost.exe[3948] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000777a2820 5 bytes JMP 0000000077900260 .text C:\Windows\System32\svchost.exe[3948] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000777a2830 5 bytes JMP 0000000077900270 .text C:\Windows\System32\svchost.exe[3948] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000777a2840 5 bytes JMP 0000000077900400 .text C:\Windows\System32\svchost.exe[3948] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000777a2a00 5 bytes JMP 00000000779001f0 .text C:\Windows\System32\svchost.exe[3948] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000777a2a10 5 bytes JMP 0000000077900210 .text C:\Windows\System32\svchost.exe[3948] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000777a2a80 5 bytes JMP 0000000077900200 .text C:\Windows\System32\svchost.exe[3948] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000777a2ae0 5 bytes JMP 0000000077900420 .text C:\Windows\System32\svchost.exe[3948] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000777a2af0 5 bytes JMP 0000000077900430 .text C:\Windows\System32\svchost.exe[3948] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000777a2b00 5 bytes JMP 0000000077900220 .text C:\Windows\System32\svchost.exe[3948] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000777a2be0 5 bytes JMP 0000000077900280 .text C:\Program Files\CCleaner\CCleaner64.exe[3928] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000777a13c0 5 bytes JMP 0000000077900460 .text C:\Program Files\CCleaner\CCleaner64.exe[3928] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000777a1410 5 bytes JMP 0000000077900450 .text C:\Program 
Files\CCleaner\CCleaner64.exe[3928] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000777a1570 5 bytes JMP 0000000077900370 .text C:\Program Files\CCleaner\CCleaner64.exe[3928] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000777a15c0 5 bytes JMP 0000000077900470 .text C:\Program Files\CCleaner\CCleaner64.exe[3928] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000777a15d0 5 bytes JMP 00000000779003e0 .text C:\Program Files\CCleaner\CCleaner64.exe[3928] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000777a1680 5 bytes JMP 0000000077900320 .text C:\Program Files\CCleaner\CCleaner64.exe[3928] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000777a16b0 5 bytes JMP 00000000779003b0 .text C:\Program Files\CCleaner\CCleaner64.exe[3928] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000777a16d0 5 bytes JMP 0000000077900390 .text C:\Program Files\CCleaner\CCleaner64.exe[3928] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000777a1710 5 bytes JMP 00000000779002e0 .text C:\Program Files\CCleaner\CCleaner64.exe[3928] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000777a1790 5 bytes JMP 00000000779002d0 .text C:\Program Files\CCleaner\CCleaner64.exe[3928] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000777a17b0 5 bytes JMP 0000000077900310 .text C:\Program Files\CCleaner\CCleaner64.exe[3928] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000777a17f0 5 bytes JMP 00000000779003c0 .text C:\Program Files\CCleaner\CCleaner64.exe[3928] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000777a1840 5 bytes JMP 00000000779003f0 .text C:\Program Files\CCleaner\CCleaner64.exe[3928] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000777a19a0 1 byte JMP 0000000077900230 .text C:\Program Files\CCleaner\CCleaner64.exe[3928] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000777a19a2 3 bytes {JMP 0x15e890} .text C:\Program Files\CCleaner\CCleaner64.exe[3928] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000777a1b60 
5 bytes JMP 0000000077900480 .text C:\Program Files\CCleaner\CCleaner64.exe[3928] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000777a1b90 5 bytes JMP 00000000779003a0 .text C:\Program Files\CCleaner\CCleaner64.exe[3928] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000777a1c70 5 bytes JMP 00000000779002f0 .text C:\Program Files\CCleaner\CCleaner64.exe[3928] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000777a1c80 5 bytes JMP 0000000077900350 .text C:\Program Files\CCleaner\CCleaner64.exe[3928] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000777a1ce0 5 bytes JMP 0000000077900290 .text C:\Program Files\CCleaner\CCleaner64.exe[3928] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000777a1d70 5 bytes JMP 00000000779002b0 .text C:\Program Files\CCleaner\CCleaner64.exe[3928] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000777a1d90 5 bytes JMP 00000000779003d0 .text C:\Program Files\CCleaner\CCleaner64.exe[3928] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000777a1da0 1 byte JMP 0000000077900330 .text C:\Program Files\CCleaner\CCleaner64.exe[3928] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00000000777a1da2 3 bytes {JMP 0x15e590} .text C:\Program Files\CCleaner\CCleaner64.exe[3928] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000777a1e10 5 bytes JMP 0000000077900410 .text C:\Program Files\CCleaner\CCleaner64.exe[3928] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000777a1e40 5 bytes JMP 0000000077900240 .text C:\Program Files\CCleaner\CCleaner64.exe[3928] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000777a2100 5 bytes JMP 00000000779001e0 .text C:\Program Files\CCleaner\CCleaner64.exe[3928] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000777a21c0 1 byte JMP 0000000077900250 .text C:\Program Files\CCleaner\CCleaner64.exe[3928] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000777a21c2 3 bytes {JMP 0x15e090} .text C:\Program Files\CCleaner\CCleaner64.exe[3928] 
C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000777a21f0 5 bytes JMP 0000000077900490 .text C:\Program Files\CCleaner\CCleaner64.exe[3928] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000777a2200 5 bytes JMP 00000000779004a0 .text C:\Program Files\CCleaner\CCleaner64.exe[3928] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000777a2230 5 bytes JMP 0000000077900300 .text C:\Program Files\CCleaner\CCleaner64.exe[3928] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000777a2240 5 bytes JMP 0000000077900360 .text C:\Program Files\CCleaner\CCleaner64.exe[3928] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000777a22a0 5 bytes JMP 00000000779002a0 .text C:\Program Files\CCleaner\CCleaner64.exe[3928] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000777a22f0 5 bytes JMP 00000000779002c0 .text C:\Program Files\CCleaner\CCleaner64.exe[3928] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000777a2320 5 bytes JMP 0000000077900380 .text C:\Program Files\CCleaner\CCleaner64.exe[3928] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000777a2330 5 bytes JMP 0000000077900340 .text C:\Program Files\CCleaner\CCleaner64.exe[3928] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000777a2620 5 bytes JMP 0000000077900440 .text C:\Program Files\CCleaner\CCleaner64.exe[3928] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000777a2820 5 bytes JMP 0000000077900260 .text C:\Program Files\CCleaner\CCleaner64.exe[3928] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000777a2830 5 bytes JMP 0000000077900270 .text C:\Program Files\CCleaner\CCleaner64.exe[3928] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000777a2840 5 bytes JMP 0000000077900400 .text C:\Program Files\CCleaner\CCleaner64.exe[3928] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000777a2a00 5 bytes JMP 00000000779001f0 .text C:\Program Files\CCleaner\CCleaner64.exe[3928] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000777a2a10 5 bytes JMP 
0000000077900210 .text C:\Program Files\CCleaner\CCleaner64.exe[3928] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000777a2a80 5 bytes JMP 0000000077900200 .text C:\Program Files\CCleaner\CCleaner64.exe[3928] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000777a2ae0 5 bytes JMP 0000000077900420 .text C:\Program Files\CCleaner\CCleaner64.exe[3928] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000777a2af0 5 bytes JMP 0000000077900430 .text C:\Program Files\CCleaner\CCleaner64.exe[3928] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000777a2b00 5 bytes JMP 0000000077900220 .text C:\Program Files\CCleaner\CCleaner64.exe[3928] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000777a2be0 5 bytes JMP 0000000077900280 .text C:\Program Files\CCleaner\CCleaner64.exe[3928] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007768ee7d 1 byte [62] .text C:\Users\ja\Downloads\worozy3z.exe[632] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000750aa2ea 1 byte [62] ---- Threads - GMER 2.1 ---- Thread C:\Windows\System32\svchost.exe [3948:3760] 000007fef3b19688 ---- Processes - GMER 2.1 ---- Library C:\ProgramData\GG\ggdrive\ggdrive-overlay.dll (*** suspicious ***) @ C:\Windows\Explorer.EXE [1616] (GG drive overlay/GG Network S.A.)(2013-07-05 15:57:58) 000000005c080000 ---- Services - GMER 2.1 ---- Service C:\Program Files\AVAST Software\Avast\AvastSvc.exe (*** hidden *** ) [AUTO] avast! Antivirus <-- ROOTKIT !!! ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@Type 2 Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@Start 2 Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@DisplayName aswFsBlk Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@Group FSFilter Activity Monitor Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@DependOnService FltMgr? Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@Description Avast! 
Mini-filter Driver Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@Tag 2 Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@ImagePath \??\C:\Windows\system32\drivers\aswFsBlk.sys Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk\Instances Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk\Instances@DefaultInstance aswFsBlk Instance Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk\Instances\aswFsBlk Instance Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk\Instances\aswFsBlk Instance@Altitude 388400 Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk\Instances\aswFsBlk Instance@Flags 0 Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@Type 2 Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@Start 2 Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@ImagePath \??\C:\Windows\system32\drivers\aswMonFlt.sys Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@DisplayName aswMonFlt Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@Group FSFilter Anti-Virus Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@DependOnService FltMgr? Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@Description avast! 
mini-filter driver (aswMonFlt) Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt\Instances Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt\Instances@DefaultInstance aswMonFlt Instance Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt\Instances\aswMonFlt Instance Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt\Instances\aswMonFlt Instance@Altitude 320700 Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt\Instances\aswMonFlt Instance@Flags 0 Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@ImagePath \??\C:\Windows\system32\drivers\aswRdr2.sys Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@Type 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@Start 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@DisplayName aswRdr Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@Group PNP_TDI Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@DependOnService tcpip? Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@Description avast! WFP Redirect driver Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr\Parameters Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr\Parameters@MSIgnoreLSPDefault Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr\Parameters@WSIgnoreLSPDefault nl_lsp.dll,imon.dll,xfire_lsp.dll,mslsp.dll,mssplsp.dll,cwhook.dll,spi.dll,bmnet.dll,winsflt.dll Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt@Type 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt@Start 0 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt@DisplayName avast! Revert Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt@Description avast! 
Revert Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt\Parameters Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt\Parameters@BootCounter 93 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt\Parameters@TickCounter 3730703 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt\Parameters@SystemRoot \Device\Harddisk0\Partition2\Windows Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt\Parameters@ImproperShutdown 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt\Parameters\1387281926 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt\Parameters\1387281926@ Commited Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt\Parameters\1387281926@BootTimeout 0 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt\Parameters\1387281926@TickTimeout 0 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt\Parameters\1387281926@CreationTime 0x70 0x80 0x05 0x46 ... Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt\Parameters\1387281926@SetupOperations MoveFile("\??\c:\program files\avast software\avast\setup\instup.dll.1387281926","\??\c:\program files\avast software\avast\setup\instup.dll",TRUE)?MoveFile("\??\c:\program files\avast software\avast\setup\instup.dll.sum.1387281926","\??\c:\program files\avast software\avast\setup\instup.dll.sum",TRUE)? Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt\Parameters\1387281926@StartBootCounter 8 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt\Parameters\1387281926@StartTickCounter 240979 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@Type 2 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@Start 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@DisplayName aswSnx Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@Group FSFilter Virtualization Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@DependOnService FltMgr? Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@Description avast! 
virtualization driver (aswSnx) Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@Tag 2 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@ImagePath \??\C:\Windows\system32\drivers\aswSnx.sys Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Instances Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Instances@DefaultInstance aswSnx Instance Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Instances\aswSnx Instance Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Instances\aswSnx Instance@Altitude 137600 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Instances\aswSnx Instance@Flags 0 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Parameters Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Parameters@ProgramFolder \??\C:\Program Files\AVAST Software\Avast Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Parameters@DataFolder \??\C:\ProgramData\AVAST Software\Avast Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP@Type 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP@Start 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP@DisplayName aswSP Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP@Description avast! 
Self Protection Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP@ImagePath \??\C:\Windows\system32\drivers\aswSP.sys Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP\Parameters Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP\Parameters@BehavShield 0 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP\Parameters@ProgramFolder \??\C:\Program Files\AVAST Software\Avast Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP\Parameters@DataFolder \??\C:\ProgramData\AVAST Software\Avast Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP\Parameters@ProgramFilesFolder \??\C:\Program Files Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP\Parameters@GadgetFolder \??\C:\Program Files\Windows Sidebar\Shared Gadgets\aswSidebar.gadget Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@Type 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@Start 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@DisplayName aswTdi Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@Group PNP_TDI Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@DependOnService tcpip? Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@Description aswTdi Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@Tag 11 Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@ImagePath \??\C:\Windows\system32\drivers\aswTdi.sys Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm@Type 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm@Start 0 Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm@DisplayName avast! VM Monitor Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm@Description avast! VM Monitor Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm\Parameters Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm Reg HKLM\SYSTEM\CurrentControlSet\services\avast! 
Antivirus@Type 288 Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@Start 2 Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@ImagePath "C:\Program Files\AVAST Software\Avast\AvastSvc.exe" Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@DisplayName avast! Antivirus Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@Group ShellSvcGroup Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@DependOnService aswMonFlt?RpcSS? Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@WOW64 1 Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@ObjectName LocalSystem Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@ServiceSidType 1 Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@Description Instaluje i zarządza usługami antywirusowymi programu avast! na tym komputerze, co obejmuje osłony działające w czasie rzeczywistym, kwarantannę oraz harmonogram zadań. Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus\Parameters Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\00158315a310 Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@Type 2 Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@Start 2 Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@DisplayName aswFsBlk Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@Group FSFilter Activity Monitor Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@DependOnService FltMgr? Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@Description Avast! 
Mini-filter Driver Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@Tag 2 Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@ImagePath \??\C:\Windows\system32\drivers\aswFsBlk.sys Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk\Instances (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk\Instances@DefaultInstance aswFsBlk Instance Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk\Instances\aswFsBlk Instance (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk\Instances\aswFsBlk Instance@Altitude 388400 Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk\Instances\aswFsBlk Instance@Flags 0 Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt@Type 2 Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt@Start 2 Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt@ImagePath \??\C:\Windows\system32\drivers\aswMonFlt.sys Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt@DisplayName aswMonFlt Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt@Group FSFilter Anti-Virus Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt@DependOnService FltMgr? Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt@Description avast! 
mini-filter driver (aswMonFlt) Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt\Instances (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt\Instances@DefaultInstance aswMonFlt Instance Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt\Instances\aswMonFlt Instance (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt\Instances\aswMonFlt Instance@Altitude 320700 Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt\Instances\aswMonFlt Instance@Flags 0 Reg HKLM\SYSTEM\ControlSet002\services\aswRdr@ImagePath \??\C:\Windows\system32\drivers\aswRdr2.sys Reg HKLM\SYSTEM\ControlSet002\services\aswRdr@Type 1 Reg HKLM\SYSTEM\ControlSet002\services\aswRdr@Start 1 Reg HKLM\SYSTEM\ControlSet002\services\aswRdr@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\aswRdr@DisplayName aswRdr Reg HKLM\SYSTEM\ControlSet002\services\aswRdr@Group PNP_TDI Reg HKLM\SYSTEM\ControlSet002\services\aswRdr@DependOnService tcpip? Reg HKLM\SYSTEM\ControlSet002\services\aswRdr@Description avast! WFP Redirect driver Reg HKLM\SYSTEM\ControlSet002\services\aswRdr\Parameters (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswRdr\Parameters@MSIgnoreLSPDefault Reg HKLM\SYSTEM\ControlSet002\services\aswRdr\Parameters@WSIgnoreLSPDefault nl_lsp.dll,imon.dll,xfire_lsp.dll,mslsp.dll,mssplsp.dll,cwhook.dll,spi.dll,bmnet.dll,winsflt.dll Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt@Type 1 Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt@Start 0 Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt@DisplayName avast! Revert Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt@Description avast! 
Revert Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt\Parameters (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt\Parameters@BootCounter 93 Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt\Parameters@TickCounter 3730703 Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt\Parameters@SystemRoot \Device\Harddisk0\Partition2\Windows Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt\Parameters@ImproperShutdown 1 Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt\Parameters\1387281926 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt\Parameters\1387281926@ Commited Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt\Parameters\1387281926@BootTimeout 0 Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt\Parameters\1387281926@TickTimeout 0 Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt\Parameters\1387281926@CreationTime 0x70 0x80 0x05 0x46 ... Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt\Parameters\1387281926@SetupOperations MoveFile("\??\c:\program files\avast software\avast\setup\instup.dll.1387281926","\??\c:\program files\avast software\avast\setup\instup.dll",TRUE)?MoveFile("\??\c:\program files\avast software\avast\setup\instup.dll.sum.1387281926","\??\c:\program files\avast software\avast\setup\instup.dll.sum",TRUE)? Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt\Parameters\1387281926@StartBootCounter 8 Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt\Parameters\1387281926@StartTickCounter 240979 Reg HKLM\SYSTEM\ControlSet002\services\aswSnx@Type 2 Reg HKLM\SYSTEM\ControlSet002\services\aswSnx@Start 1 Reg HKLM\SYSTEM\ControlSet002\services\aswSnx@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\aswSnx@DisplayName aswSnx Reg HKLM\SYSTEM\ControlSet002\services\aswSnx@Group FSFilter Virtualization Reg HKLM\SYSTEM\ControlSet002\services\aswSnx@DependOnService FltMgr? Reg HKLM\SYSTEM\ControlSet002\services\aswSnx@Description avast! 
virtualization driver (aswSnx) Reg HKLM\SYSTEM\ControlSet002\services\aswSnx@Tag 2 Reg HKLM\SYSTEM\ControlSet002\services\aswSnx@ImagePath \??\C:\Windows\system32\drivers\aswSnx.sys Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Instances (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Instances@DefaultInstance aswSnx Instance Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Instances\aswSnx Instance (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Instances\aswSnx Instance@Altitude 137600 Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Instances\aswSnx Instance@Flags 0 Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Parameters (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Parameters@ProgramFolder \??\C:\Program Files\AVAST Software\Avast Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Parameters@DataFolder \??\C:\ProgramData\AVAST Software\Avast Reg HKLM\SYSTEM\ControlSet002\services\aswSP@Type 1 Reg HKLM\SYSTEM\ControlSet002\services\aswSP@Start 1 Reg HKLM\SYSTEM\ControlSet002\services\aswSP@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\aswSP@DisplayName aswSP Reg HKLM\SYSTEM\ControlSet002\services\aswSP@Description avast! 
Self Protection Reg HKLM\SYSTEM\ControlSet002\services\aswSP@ImagePath \??\C:\Windows\system32\drivers\aswSP.sys Reg HKLM\SYSTEM\ControlSet002\services\aswSP\Parameters (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswSP\Parameters@BehavShield 0 Reg HKLM\SYSTEM\ControlSet002\services\aswSP\Parameters@ProgramFolder \??\C:\Program Files\AVAST Software\Avast Reg HKLM\SYSTEM\ControlSet002\services\aswSP\Parameters@DataFolder \??\C:\ProgramData\AVAST Software\Avast Reg HKLM\SYSTEM\ControlSet002\services\aswSP\Parameters@ProgramFilesFolder \??\C:\Program Files Reg HKLM\SYSTEM\ControlSet002\services\aswSP\Parameters@GadgetFolder \??\C:\Program Files\Windows Sidebar\Shared Gadgets\aswSidebar.gadget Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@Type 1 Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@Start 1 Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@DisplayName aswTdi Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@Group PNP_TDI Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@DependOnService tcpip? Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@Description aswTdi Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@Tag 11 Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@ImagePath \??\C:\Windows\system32\drivers\aswTdi.sys Reg HKLM\SYSTEM\ControlSet002\services\aswVmm@Type 1 Reg HKLM\SYSTEM\ControlSet002\services\aswVmm@Start 0 Reg HKLM\SYSTEM\ControlSet002\services\aswVmm@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\aswVmm@DisplayName avast! VM Monitor Reg HKLM\SYSTEM\ControlSet002\services\aswVmm@Description avast! VM Monitor Reg HKLM\SYSTEM\ControlSet002\services\aswVmm\Parameters (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@Type 288 Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@Start 2 Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\avast! 
Antivirus@ImagePath "C:\Program Files\AVAST Software\Avast\AvastSvc.exe" Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@DisplayName avast! Antivirus Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@Group ShellSvcGroup Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@DependOnService aswMonFlt?RpcSS? Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@WOW64 1 Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@ObjectName LocalSystem Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@ServiceSidType 1 Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@Description Instaluje i zarządza usługami antywirusowymi programu avast! na tym komputerze, co obejmuje osłony działające w czasie rzeczywistym, kwarantannę oraz harmonogram zadań. Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus\Parameters (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\00158315a310 (not active ControlSet) ---- Files - GMER 2.1 ---- File C:\avast! sandbox 0 bytes File C:\avast! sandbox\S-1-5-21-104546968-3883456803-114699705-1000 0 bytes File C:\avast! sandbox\S-1-5-21-104546968-3883456803-114699705-1000\r96 0 bytes File C:\avast! sandbox\S-1-5-21-104546968-3883456803-114699705-1000\r96\MinecraftSP.ex_{7f2f87a3-b625-11e1-8242-1c6f65bb43c3} 0 bytes File C:\avast! sandbox\S-1-5-21-104546968-3883456803-114699705-1000\r96\MinecraftSP.ex_{7f2f87a3-b625-11e1-8242-1c6f65bb43c3}\C 0 bytes File C:\avast! sandbox\S-1-5-21-104546968-3883456803-114699705-1000\r96\MinecraftSP.ex_{7f2f87a3-b625-11e1-8242-1c6f65bb43c3}\C\Users 0 bytes File C:\avast! sandbox\S-1-5-21-104546968-3883456803-114699705-1000\r96\MinecraftSP.ex_{7f2f87a3-b625-11e1-8242-1c6f65bb43c3}\C\Users\ja 0 bytes File C:\avast! sandbox\S-1-5-21-104546968-3883456803-114699705-1000\r96\MinecraftSP.ex_{7f2f87a3-b625-11e1-8242-1c6f65bb43c3}\C\Users\ja\AppData 0 bytes File C:\avast! 
sandbox\S-1-5-21-104546968-3883456803-114699705-1000\r96\MinecraftSP.ex_{7f2f87a3-b625-11e1-8242-1c6f65bb43c3}\C\Users\ja\AppData\Roaming 0 bytes File C:\avast! sandbox\S-1-5-21-104546968-3883456803-114699705-1000\r96\MinecraftSP.ex_{7f2f87a3-b625-11e1-8242-1c6f65bb43c3}\C\Users\ja\AppData\Roaming\.minecraft 0 bytes File C:\avast! sandbox\S-1-5-21-104546968-3883456803-114699705-1000\r96\MinecraftSP.ex_{7f2f87a3-b625-11e1-8242-1c6f65bb43c3}\C\Users\ja\AppData\Roaming\.minecraft\lastlogin 16 bytes File C:\avast! sandbox\S-1-5-21-104546968-3883456803-114699705-1000\r96\MinecraftSP.ex_{7f2f87a9-b625-11e1-8242-1c6f65bb43c3} 0 bytes File C:\avast! sandbox\S-1-5-21-104546968-3883456803-114699705-1000\r96\MinecraftSP.ex_{7f2f87a9-b625-11e1-8242-1c6f65bb43c3}\C 0 bytes File C:\avast! sandbox\S-1-5-21-104546968-3883456803-114699705-1000\r96\MinecraftSP.ex_{7f2f87a9-b625-11e1-8242-1c6f65bb43c3}\C\Users 0 bytes File C:\avast! sandbox\S-1-5-21-104546968-3883456803-114699705-1000\r96\MinecraftSP.ex_{7f2f87a9-b625-11e1-8242-1c6f65bb43c3}\C\Users\ja 0 bytes File C:\avast! sandbox\S-1-5-21-104546968-3883456803-114699705-1000\r96\MinecraftSP.ex_{7f2f87a9-b625-11e1-8242-1c6f65bb43c3}\C\Users\ja\AppData 0 bytes File C:\avast! sandbox\S-1-5-21-104546968-3883456803-114699705-1000\r96\MinecraftSP.ex_{7f2f87a9-b625-11e1-8242-1c6f65bb43c3}\C\Users\ja\AppData\Roaming 0 bytes File C:\avast! sandbox\S-1-5-21-104546968-3883456803-114699705-1000\r96\MinecraftSP.ex_{7f2f87a9-b625-11e1-8242-1c6f65bb43c3}\C\Users\ja\AppData\Roaming\.minecraft 0 bytes File C:\avast! sandbox\S-1-5-21-104546968-3883456803-114699705-1000\r96\MinecraftSP.ex_{7f2f87a9-b625-11e1-8242-1c6f65bb43c3}\C\Users\ja\AppData\Roaming\.minecraft\lastlogin 16 bytes ---- EOF - GMER 2.1 ----